I have the following scenario:
- A VNet with two subnets
- An Azure Service Bus namespace connected to one of the subnets using a Private Endpoint. The Service Bus has a Topic and Subscription to be used by an Azure Function.
- An Azure Function using a Service Bus trigger, connected to the other subnet via a Private Endpoint. This is using the RootSharedAccessKey to connect to the ServiceBus and pull messages off the Subscription.
With this set-up the Function fails to pull messages from the subscription. In Azure Monitor for the Function I see repeated exceptions with the message "Ip has been prevented to connect to the endpoint".
(I am able to connect a second HTTP triggered Function to the Service Bus, using VNet Integration on a third subnet, to push messages into the Service Bus - this works fine.)
If I change Networking settings on the Service Bus to enable "All networks" then messages are successfully processed by the Function - so it is not an issue with the Shared Access key. However, clearly I do not wish to open Service Bus up publicly in any way.
I have also tried enabling "Runtime Scale Monitoring" on the "Function runtime settings", based on a recommendation in this article thebestcsharpprogrammerintheworld.com/2020/10/22/consumption-vs-runtime-scaling-in-azure-functions/ . However this did not solve the issue.
On spinning up a VM inside the VNet I have established that the out-of-the-box private DNS for the VNet is working and all the domains resolve to the correct private IP addresses (including the .privatelink. domains).
I have now run out of ideas on what to try next, and useful documentation to guide me. This seems like a relatively vanilla scenario - a basic Service Bus <--> Function integration using Private Endpoints and out-of-the-box functionality wherever possible, but it just doesn't seem to work.
Is there something I have missed in the set-up process?
Thanks.
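A check that follows from the question, added here as an example and not part of the original post or of any Microsoft tooling: the post verifies DNS from a separate VM, but the resolution that matters is the one performed by the process that opens the AMQP connection, because the "Ip has been prevented to connect to the endpoint" exception is the namespace firewall refusing a connection that arrived over the public endpoint. The script below resolves the namespace FQDN with the caller's own resolver, classifies every returned address as inside or outside the private endpoint subnet, counts firewall-rejection lines in a log sample, and states a verdict. The namespace name, subnet range, and log lines are constructed placeholders; the resolver is injectable so the logic runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample values (placeholders, not taken from the original post).
NAMESPACE_FQDN = "example-namespace.servicebus.windows.net"
PRIVATE_ENDPOINT_SUBNET = "10.0.1.0/24"  # hypothetical subnet holding the Service Bus private endpoint

# Exception text quoted in the post; used to recognise firewall rejections in logs.
FIREWALL_REJECTION_TEXT = "Ip has been prevented to connect to the endpoint"

# Constructed log lines modelled on the message the post reports seeing in Azure Monitor.
SAMPLE_LOG_LINES = [
    "2021-01-01T10:00:01Z [Error] Message processing error: Ip has been prevented to connect to the endpoint.",
    "2021-01-01T10:00:02Z [Information] Host started",
    "2021-01-01T10:00:03Z [Error] Message processing error: Ip has been prevented to connect to the endpoint.",
]

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve the hostname with the DNS configuration of the current process.

    Run this from the host that actually opens the connection (for a Function,
    its own console or a diagnostic function), since a result from a separate VM
    only proves that VM's resolver, not the Function runtime's.
    """
    infos = socket.getaddrinfo(hostname, 5671, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(fqdn: str, pe_subnet: str,
                             resolver: Resolver = system_resolver) -> Dict:
    """Classify each resolved address as inside the private endpoint subnet or not.

    Any address outside the subnet means traffic to the namespace would leave over
    the public path and be judged by the namespace firewall rather than the
    private endpoint.
    """
    subnet = ipaddress.ip_network(pe_subnet)
    result: Dict = {"fqdn": fqdn, "private_endpoint": [], "public": []}
    for addr in resolver(fqdn):
        bucket = "private_endpoint" if ipaddress.ip_address(addr) in subnet else "public"
        result[bucket].append(addr)
    result["ok"] = bool(result["private_endpoint"]) and not result["public"]
    return result


def count_firewall_rejections(log_lines: List[str]) -> int:
    """Count log lines carrying the namespace-firewall rejection message."""
    return sum(1 for line in log_lines if FIREWALL_REJECTION_TEXT in line)


def diagnose(resolution: Dict, rejections: int) -> str:
    """Combine the DNS view and the rejection count into a one-line verdict."""
    if rejections == 0:
        return "no firewall rejections in the supplied log lines"
    if resolution["public"]:
        return ("namespace resolves to a public address from this process; the "
                "connection reaches the public endpoint and the namespace firewall refuses it")
    return ("namespace resolves to the private endpoint from this process, yet rejections "
            "are logged; the rejected connections are not using this resolution path, "
            "so repeat the check from the Function host itself")


if __name__ == "__main__":
    # Stand-in resolver so the example runs without network access; replace with
    # system_resolver (the default) to test a real environment.
    constructed = lambda host: ["52.10.20.30"]  # constructed public address
    res = check_private_resolution(NAMESPACE_FQDN, PRIVATE_ENDPOINT_SUBNET, constructed)
    print(res)
    print(diagnose(res, count_firewall_rejections(SAMPLE_LOG_LINES)))
```

The useful output is the verdict together with the list of public addresses: if the FQDN resolves to anything outside the private endpoint subnet from the Function host, the namespace firewall is behaving as configured and the question becomes why that host's DNS or egress path differs from the VM's.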