Create Function App and private endpoint-secured Storage

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Visualize

This sample Azure Resource Manager template deploys an Azure Function App that communicates with the Azure Storage account referenced by the AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING app settings, via private endpoints.

Function App with Storage Private Endpoints

Azure Function App

The Function App uses the AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING app settings to connect to a private endpoint-secured Storage Account.

Elastic Premium Plan

The Azure Function app provisioned in this sample uses an Azure Functions Elastic Premium plan.

Azure Storage account

The Storage account that the Function uses for operation and for file contents.

Virtual Network

Azure resources in this sample either integrate with or are placed within a virtual network. The use of private endpoints keeps network traffic contained with the virtual network.

The sample uses two subnets:

  • Subnet for Azure Function virtual network integration. This subnet is delegated to the Function App.
  • Subnet for private endpoints. Private IP addresses are allocated from this subnet.

Private Endpoints

Azure Private Endpoints are used to connect to specific Azure resources using a private IP address This ensures that network traffic remains within the designated virtual network, and access is available only for specific resources. This sample configures private endpoints for the following Azure resources:

  • Azure Storage
    • Azure File storage
    • Azure Blob storage
    • Azure Queue storage
    • Azure Table storage

Private DNS Zones

Using a private endpoint to connect to Azure resources means connecting to a private IP address instead of the public endpoint. Existing Azure services are configured to use existing DNS to connect to the public endpoint. The DNS configuration will need to be overridden to connect to the private endpoint.

A private DNS zone will be created for each Azure resource configured with a private endpoint. A DNS A record is created for each private IP address associated with the private endpoint.

The following DNS zones are created in this sample:

  • privatelink.queue.core.windows.net
  • privatelink.blob.core.windows.net
  • privatelink.table.core.windows.net
  • privatelink.file.core.windows.net

Application Insights

Application Insights is used to monitor the Azure Function.

Tags: Microsoft.Network/privateDnsZones/virtualNetworkLinks, Microsoft.Network/privateEndpoints/privateDnsZoneGroups, Microsoft.Web/sites/config, Microsoft.Network/virtualNetworks, Microsoft.Network/privateDnsZones, Microsoft.Network/privateEndpoints, Microsoft.Storage/storageAccounts, Microsoft.Storage/storageAccounts/fileServices/shares, Microsoft.Insights/components, Microsoft.Web/serverfarms, Microsoft.Web/sites