Azure Private Endpoint not working for Service Bus and Azure Function

Stephen Parker 6 Reputation points
2022-05-19T15:19:32.787+00:00

I have the following scenario:

  • A VNet with two subnets
  • An Azure Service Bus namespace connected to one of the subnets using a Private Endpoint. The Service Bus has a Topic and Subscription to be used by an Azure Function.
  • An Azure Function using a Service Bus trigger, connected to the other subnet via a Private Endpoint. This is using the RootSharedAccessKey to connect to the Service Bus and pull messages off the Subscription.

With this set-up the Function fails to pull messages from the subscription. In Azure Monitor for the Function I see repeated exceptions with the message "Ip has been prevented to connect to the endpoint".

(I am able to connect a second HTTP triggered Function to the Service Bus, using VNet Integration on a third subnet, to push messages into the Service Bus - this works fine.)

If I change Networking settings on the Service Bus to enable "All networks" then messages are successfully processed by the Function - so it is not an issue with the Shared Access key. However, clearly I do not wish to open Service Bus up publicly in any way.

I have also tried enabling "Runtime Scale Monitoring" on the "Function runtime settings", based on a recommendation in this article thebestcsharpprogrammerintheworld.com/2020/10/22/consumption-vs-runtime-scaling-in-azure-functions/ . However this did not solve the issue.

On spinning up a VM inside the VNet I have established that the out-of-the-box private DNS for the VNet is working and all the domains resolve to the correct private IP addresses (including the .privatelink. domains).

I have now run out of ideas on what to try next, and useful documentation to guide me. This seems like a relatively vanilla scenario - a basic Service Bus <--> Function integration using Private Endpoints and out-of-the-box functionality wherever possible, but it just doesn't seem to work.

Is there something I have missed in the set-up process?

Thanks.

Tags: Azure Service Bus, Azure Functions, Azure Private Link

1 answer

  1. Stephen Parker 6 Reputation points
    2022-06-24T15:44:15.533+00:00

    For those here with a similar issue, I have worked through this with Microsoft support and this was solved as follows:

    Firstly, a Private Endpoint is for incoming requests. In the case of a Function App receiving messages from Service Bus, this is an outgoing request from the Function. This requires VNet integration, not a Private Endpoint.

    Secondly, the POC solution already has VNet integration to a different Function App (the one pushing messages to Service Bus). In this scenario, if the Function Apps are on the same Plan, they must integrate via the same subnet. See here, in particular "All the apps in the same App Service plan can only use the same virtual network integration to a specific subnet".

    So the solution is to replace the Private Endpoint with VNet Integration, and integrate with the same subnet for all Function Apps (in the same plan).

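The accepted fix, written out as an added Bicep example (this is not code from the original post, from Microsoft support, or from any Microsoft sample). It assumes the resource names, address ranges, SKUs and the parameter names `namePrefix` and `storageAccountName`; the two subnets, the Service Bus private endpoint with its `privatelink.servicebus.windows.net` zone, and the two Function Apps on one plan correspond to the setup described in the question. The points that the answer turned on are marked in comments: the Function Apps use regional VNet integration (a delegated subnet, `virtualNetworkSubnetId`) rather than a private endpoint for their outbound calls to Service Bus, and because both apps share one plan they integrate with the same subnet.

```bicep
// Added example: Service Bus behind a private endpoint, consumed by Function Apps
// via VNet integration. Names, CIDRs and SKUs are assumptions.
param location string = resourceGroup().location
param namePrefix string = 'sbfn'
param storageAccountName string // existing storage account for the Function Apps (assumed)

// Subnet 1 is delegated to Microsoft.Web/serverFarms for regional VNet integration
// (outbound from the apps). Subnet 2 only hosts private endpoints (inbound to Service Bus).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${namePrefix}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-integration'
        properties: {
          addressPrefix: '10.10.1.0/24'
          delegations: [ { name: 'webapp', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
      {
        name: 'snet-privateendpoints'
        properties: { addressPrefix: '10.10.2.0/24' }
      }
    ]
  }
}

// Service Bus: Premium is the tier that supports private endpoints.
// Public network access stays disabled; only the private endpoint reaches the namespace.
resource sb 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: '${namePrefix}-sb'
  location: location
  sku: { name: 'Premium', tier: 'Premium', capacity: 1 }
  properties: { publicNetworkAccess: 'Disabled' }
}

// Private endpoint for the namespace, in the private-endpoint subnet.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${namePrefix}-sb-pe'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-privateendpoints') }
    privateLinkServiceConnections: [
      { name: 'sb', properties: { privateLinkServiceResourceId: sb.id, groupIds: [ 'namespace' ] } }
    ]
  }
}

// Private DNS so <namespace>.servicebus.windows.net resolves to the private IP inside the VNet.
// VNet-integrated apps use the VNet's DNS, which is why the trigger can reach the endpoint.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.servicebus.windows.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${namePrefix}-link'
  location: 'global'
  properties: { virtualNetwork: { id: vnet.id }, registrationEnabled: false }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sb', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}

// One Elastic Premium plan shared by both Function Apps.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${namePrefix}-plan'
  location: location
  sku: { name: 'EP1', tier: 'ElasticPremium' }
  kind: 'elastic'
  properties: { maximumElasticWorkerCount: 3 }
}

// Both apps are on the same plan, so both MUST integrate with the same subnet
// (the second point in the answer). Neither app gets a private endpoint of its own:
// the Service Bus trigger is an outbound connection from the app.
resource apps 'Microsoft.Web/sites@2022-09-01' = [for app in [ 'push', 'consume' ]: {
  name: '${namePrefix}-${app}'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-integration')
    vnetRouteAllEnabled: true // send all outbound traffic through the VNet, not only RFC1918
    siteConfig: {
      functionsRuntimeScaleMonitoringEnabled: true // scale controller reads the queue through the VNet
      appSettings: [
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'WEBSITE_VNET_ROUTE_ALL', value: '1' }
        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${listKeys(resourceId('Microsoft.Storage/storageAccounts', storageAccountName), '2022-09-01').keys[0].value}' }
        // Same shared access key the question uses; the trigger binding reads it by this setting name.
        { name: 'ServiceBusConnection', value: listKeys(resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', sb.name, 'RootManageSharedAccessKey'), sb.apiVersion).primaryConnectionString }
      ]
    }
  }
}]
```

Deploy with `az deployment group create -g <rg> -f main.bicep -p storageAccountName=<account>` (assumed invocation). To confirm the path the answer describes, check that each app reports the integration subnet (`az functionapp vnet-integration list -g <rg> -n <app>`) and that Service Bus shows `publicNetworkAccess: Disabled`; a consumer app that still has only a private endpoint and no `virtualNetworkSubnetId` will keep producing the "Ip has been prevented to connect to the endpoint" exceptions, because its outbound traffic never enters the VNet.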