Deploying Azure Function with Network Restricted Storage

The Issue

I recently worked with a customer who was trying to deploy an Azure function but continued to get a ‘Forbidden Error 403’ when trying to modify the app configuration settings and an error message ‘Azure Function runtime is unavailable’ when testing/running the app code. The issue turned out to be that the storage account that the app service was applied to had restricted access to only specified virtual networks.

The Fix

Extra configuration settings had to be added to override the underlying app service infrastructure components.

  1. Update the Application Settings under Configuration for the function app to the following:
    • Create a new setting with the name WEBSITE_CONTENTOVERVNET and value of 1. With this setting, the path taken to reach the storage account is via the VNet and not from the underlying infrastructure components.
    • Verify or add the following settings
      • WEBSITE_VNET_ROUTE_ALL with a value of 1.
      • WEBSITE_DNS_SERVER with a value of 168.63.129.16
      • AzureWebJobsStorage to the connection string for the secured storage account.
  2. Then add/update these Application Settings
    • WEBSITE_CONTENTAZUREFILECONNECTIONSTRING to the connection string for the secured storage account.
    • WEBSITE_CONTENTSHARE to the name of the file share created in the secured storage account.
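
To confirm the steps above were applied, the following added example (not part of the original post) audits an exported copy of the function app's settings against them. It assumes the settings are a JSON array of name/value objects, the shape `az functionapp config appsettings list` emits; the account names `securedsa` and `oldsa` and the share name are hypothetical, and the sample data is constructed.

```python
import json

# Expected values taken from the steps above.
REQUIRED = {"WEBSITE_CONTENTOVERVNET": "1", "WEBSITE_VNET_ROUTE_ALL": "1",
            "WEBSITE_DNS_SERVER": "168.63.129.16"}
CONNECTIONS = ("AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING")


def account_name(conn_str):
    """Return the AccountName field of a storage connection string, or None."""
    for part in conn_str.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "accountname" and value.strip():
            return value.strip()
    return None


def audit_settings(settings_json, secured_account):
    """Return findings (empty list = matches the steps). Never echoes account keys."""
    settings = {s["name"]: str(s.get("value") or "") for s in json.loads(settings_json)}
    findings = []
    for name, expected in REQUIRED.items():
        actual = settings.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected {expected})")
        elif actual.strip() != expected:
            findings.append(f"{name}: is {actual!r}, expected {expected}")
    for name in CONNECTIONS:
        acct = account_name(settings.get(name, ""))
        if name not in settings:
            findings.append(f"{name}: missing")
        elif acct is None:  # e.g. empty value or an indirect reference
            findings.append(f"{name}: no AccountName found, check by hand")
        elif acct.lower() != secured_account.lower():
            findings.append(f"{name}: points at {acct}, not {secured_account}")
    if not settings.get("WEBSITE_CONTENTSHARE", "").strip():
        findings.append("WEBSITE_CONTENTSHARE: missing or empty")
    return findings


# Constructed sample, not real output: the content share connection string
# still references a different (hypothetical) account and the DNS setting is absent.
SAMPLE = json.dumps([
    {"name": "WEBSITE_CONTENTOVERVNET", "value": "1"},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1"},
    {"name": "AzureWebJobsStorage", "value": "AccountName=securedsa;AccountKey=PLACEHOLDER"},
    {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "AccountName=oldsa;AccountKey=PLACEHOLDER"},
    {"name": "WEBSITE_CONTENTSHARE", "value": "funcapp-content"},
])
```

Calling `audit_settings(SAMPLE, "securedsa")` reports the missing DNS setting and the content connection string that points at the wrong account; findings name accounts only, so the report can be shared without exposing keys.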