How to secure access to host storage account for Function Apps on Windows Elastic Premium Plan with VNET Integration
Background / Setup:
- Function Apps on Windows Elastic Premium Plan (EP1) with Zone Redundancy and Auto Scaling from 3 to x nodes
- Inbound access control on the main site and the advanced tool site of the Function App. Deny all for the advanced tool site, with temporary whitelisting of the deployment agent's IP at the time of new deployments.
- VNET integration for outbound access. Relevant service endpoints enabled on the subnet used for VNET integration. Target resources (business data storage accounts, Key Vault, SQL Servers, Service Bus etc.) have Network ACLs to allow access through the specific subnet used for VNET integration. Access to those target resources is also protected via the Managed Identity of the Function App (as our aim is to go for secret-less functions).
- The functions are coded in C# on .NET6.
- Function Apps have FUNCTIONS_EXTENSION_VERSION = ~4, FUNCTIONS_WORKER_RUNTIME = dotnet, WEBSITE_CONTENTOVERVNET = 1, have vnetRouteAllEnabled set, and do not use multiple deployment slots.
- Zip Deployment through Azure DevOps Pipelines
- Separate Host Storage Account for each Function App on Windows EP1 Plan. Each storage account used is standard, general purpose v2, with ZRS.
Question:
- How to best secure the host storage account for the function app? What's supported from a network access control perspective in the context of the above setup? What's supported from an authentication and authorization perspective (account key based access only, OR system assigned managed identity) in the context of the above setup?
Our preferred solution for this will be:
- Secure access to the Host Storage Account of each Function App through Network ACLs allowing the subnet that has VNET integration for the Function Apps, and IAM/RBAC via the Managed Identity of the respective Function App (i.e., no need to rotate keys).
Hurdles in our preferred solution:
- Managed identity based access to the host storage account for Function Apps is in Preview. We have tried to make it work in the above setup, but our function app reports errors with it, as the setting required for Windows Elastic Premium Plans, i.e., WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, doesn't support managed identity as yet. So, we haven't explored it further as it's still a preview feature (as outlined here [https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob#connecting-to-host-storage-with-an-identity-preview] and [https://github.com/MicrosoftDocs/azure-docs/issues/86604]). So, we have to fall back to typical Storage Account Key based access to the Host Storage Account for each Function App.
- Official documentation from Microsoft to restrict network access to the Host Storage Account of a Function App follows a two step process, i.e., deploy the function app with a host storage account without any Network ACLs and then move/replace that with a storage account with Network ACLs (as outlined here [https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to#restrict-your-storage-account-to-a-virtual-network]). We are unable to find any Microsoft documentation which outlines the logical one step process, i.e., when we provision the host storage account for our function apps, we have the Network ACLs on it upfront, as the Function App that will use that Host Storage Account has VNET integration anyway. We have tried this one step process, and it is functionally working, but we noticed a few errors in the Host Storage Account diagnostic logs for files. So, we are concerned that even though the function is working in test environments, we may well face issues from a non-functional perspective down the line. Is that one step process not officially supported by Microsoft, and must we follow the two step process?
With the above context/background, what's the officially supported way (it can be different from our preferred solution) of securing access to the host storage account for Function Apps on Windows Elastic Premium Plans with VNET Integration?
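An added example (not from the question or from Microsoft's documentation) showing how to audit the network ACL posture the poster describes for a host storage account: default action Deny, no public IP rules, and the VNET integration subnet present with a healthy rule. The dictionaries are constructed samples shaped like the `networkRuleSet` object returned by `az storage account show` (field names assumed from that CLI output), and the subnet resource ID is a placeholder.

```python
import json

# Constructed placeholder: the subnet the Function App's VNET integration uses.
INTEGRATION_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-func"
    "/providers/Microsoft.Network/virtualNetworks/vnet-func/subnets/snet-integration"
)

# Constructed sample: the intended posture (subnet-only access, public networks denied).
HARDENED_ACL = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": [
        {"virtualNetworkResourceId": INTEGRATION_SUBNET_ID, "action": "Allow", "state": "Succeeded"}
    ],
}

# Constructed sample: a weak posture, as left by the documented "deploy without ACLs first" step.
WEAK_ACL = {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [{"ipAddressOrRange": "0.0.0.0/0", "action": "Allow"}],
    "virtualNetworkRules": [],
}


def audit_host_storage_acl(rule_set, integration_subnet_id):
    """Return a list of findings; an empty list means the ACL matches the intended posture."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the account is reachable from all networks")
    # The host storage account should be reached only over the integration subnet.
    for rule in rule_set.get("ipRules", []):
        findings.append(f"public IP rule present (expected none): {rule.get('ipAddressOrRange')}")
    by_subnet = {r.get("virtualNetworkResourceId", "").lower(): r
                 for r in rule_set.get("virtualNetworkRules", [])}
    rule = by_subnet.get(integration_subnet_id.lower())
    if rule is None:
        findings.append("VNET integration subnet is missing from virtualNetworkRules")
    elif rule.get("state") != "Succeeded":
        # A non-Succeeded state usually means the subnet lacks the Microsoft.Storage service endpoint.
        findings.append(f"subnet rule state is {rule.get('state')}: check the service endpoint on the subnet")
    return findings


if __name__ == "__main__":
    for name, acl in (("hardened", HARDENED_ACL), ("weak", WEAK_ACL)):
        print(name, json.dumps(audit_host_storage_acl(acl, INTEGRATION_SUBNET_ID), indent=2))
```

Feed it the real `networkRuleSet` JSON from `az storage account show` to compare an account provisioned in one step against one migrated via the documented two-step process.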