VNet integrated flex consumption app unable to connect to KeyVault via service endpoint

Question

Hi,

I have a question about vnet integrated flex function apps and accessing other resources privately using service endpoints

Situation:

I have Flex consumption app successfully deployed and vnet integrated so all outbound traffic is via the virtual network

The subnet is delegated to Microsoft.App/environments as required for Flex apps and ive also added service endpoints for Storage, KeyVault and AzureCosmosDB

I have a Key Vault that is set up to "Allow public access from specific virtual networks and IP addresses" and have added a rule to allow the virtual network and subnet used by the Flex app to access the Key Vault

Issue:

Key Vault references in app settings are not able to resolve and I get the following error:

Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.

Thoughts:

1. When i set the Key Vault networking configuration to "Allow public access from all networks" the references resolve and everything works - which suggests maybe my function app outbound traffic is not going via the vnet
2. Im unclear if service endpoints are allowed to use with vnet integrated flex apps.

In Microsoft's documentation it mentions:

*"The subnet you choose can't already be used for other purposes, such as with private endpoints or service endpoints, or be delegated to any other hosting plan or service."
*
However, if i make the Key Vault public to overcome my reference errors, my connections to Storage and Cosmos via service endpoints work fine

Also the solution to a previous question i raised regarding flex apps advised to add a service endpoint for storage to the subnet used by the flex function app:

"Service Endpoint for Storage. To ensure that your Function App subnet has a service endpoint for Microsoft.Storage, you can add the "Microsoft.Storage" service endpoint to your Function App subnet"

My questions:

1. Is it ok to use service endpoints with the subnet delegated for my flex function app?
2. What is the correct way for a vnet integrated flex function app to privately communicate with other Azure resources?

Answer 1

Hello @David,

Thank you for posting your query on Microsoft Q&A.

Issue: Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.

It seems like you're experiencing some issues with using service endpoints with your VNet-integrated Flex Consumption app.

You can use service endpoints with the subnet delegated for your Flex function app. In fact, the solution to your previous question advised adding a service endpoint for Storage to the subnet used by the Flex function app.

The correct way for a VNet-integrated Flex function app to privately communicate with other Azure resources is to use regional virtual network integration, which enables your function app to reach Azure services that are secured with service endpoints.

It seems like there might be some configuration issues that are preventing your app from accessing the Key Vault via the service endpoint.

Please refer the below documents and configure the Key vault to Grant access to trusted Azure services and allow traffic from that VNET/Subnet.

https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services

https://learn.microsoft.com/en-us/azure/key-vault/general/network-security#key-vault-firewall-enabled-trusted-services-only

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks,
Raja Pothuraju.

Answer 2

Any updates on this issue? I am still encountering the same problem despite trying various solutions, none of which have resolved it. The issue persists with the Flexible Consumption Plan, but switching to the Premium Plan resolves it perfectly. It seems there is a specific issue with the Flex Consumption Plan.