AzureFunction returns 403 when deploying to Azure. Works locally

previousversiondocs 61 Reputation points
2023-04-20T17:26:25.2666667+00:00

I have an AzureFunction that accesses a blob-storage. The blob storage account has allowed only specific vnet and specific IPs (also my IP at home). Also I manually allowed all IPs that are listed for the AzureFunction.

But when taking a look into the LogStream of the AzureFunction, I see this error:

2023-04-20T17:01:19Z [Verbose] Host instance '00000000000000000000000ABCDEF failed to acquire host lock lease: Azure.Storage.Blobs: Service request failed.
Status: 403 (This request is not authorized to perform this operation.) 
ErrorCode: AuthorizationFailure

This is from inside AzurePortal for the currently deployed function.

When I now try to deploy an updated version of my function, I also get a 403, although the code didn't even execute, hence there was never a call made to the Azure.Storage.Blobs service (or was there?)

I figured out that when allowing "Public network access" for the Storage, it works again. When looking into the LogStream, I can see that when toggling the storage firewall on/off, it works, doesn't work, works, doesn't .....
Here are the logs at the moment of toggling the firewall on:

2023-04-20T17:10:43Z [Verbose] Received request to drain the host
2023-04-20T17:10:43Z [Information] DrainMode mode enabled
2023-04-20T17:10:43Z [Information] Calling StopAsync on the registered listeners
2023-04-20T17:10:43Z [Information] Call to StopAsync complete, registered listeners are now stopped
2023-04-20T17:11:09Z [Information] Host lock lease acquired by instance ID '000000000000000000000000ABCDEF'.
2023-04-20T17:11:33Z [Error] Singleton lock renewal failed for blob 'my-function/host' with error code 403: AuthorizationFailure. The last successful renewal completed at 2023-04-20T17:11:21.192Z (11995 milliseconds ago) with a duration of 13 milliseconds. The lease period was 15000 milliseconds.
2023-04-20T17:11:33Z [Information] Failed to renew host lock lease: Another host has acquired the lease. The last successful renewal completed at 2023-04-20T17:11:21.192Z (11996 milliseconds ago) with a duration of 14 milliseconds.
2023-04-20T17:11:38Z [Verbose] Host instance '000000000000000000000000ABCDEF' failed to acquire host lock lease: Azure.Storage.Blobs: Service request failed. Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure

I have read that it could be because both the function and the storage are in the same region, thus using some Microsoft-internal IP address instead of the actual public IP (which I have whitelisted manually in the firewall settings for the storage). That's why I created a new function in UK-South, and a new storage in France-Central.
But still I have the 403. As soon as I allow Public network access, it starts working again. I also have added a private endpoint, but this seems to not work, as I still get the 403. Is there any way to even use a Storage within an AzureFunction without using the PremiumPlan with VNET-integration?


1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator
    2023-04-28T19:51:35.7233333+00:00

    previousversiondocs Sorry for the delay in response. Based on your description, you are looking to restrict Storage access via IP/firewall rules and adding Azure Function outbound IP addresses didn't help. The outbound IP addresses may change due to auto scale behavior; hence we suggest not relying on the outbound IP addresses. Refer to the doc: Function app outbound IP addresses.

    You need to add Function app's data center (Azure region) to an allowlist (instead of outbound IP) and check out Data center outbound IP addresses for more info on this.

    Other options are available for Premium, Dedicated or App Service plans and see similar discussion in thread: https://learn.microsoft.com/en-us/answers/questions/844771/outbound-ip-addresses-for-azure-function-app.

    I hope this helps and let me know if you have any questions.

    2 people found this answer helpful.
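
Added example (not part of the original question or answer): a small Python triage script that reads Function host log lines in the format quoted in the question and reports the window in which the storage firewall started rejecting the host-lock lease calls, which can then be matched against the time of the firewall change. The sample lines are adapted from the question's log excerpt with the instance ID replaced by a placeholder; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines adapted from the log excerpt in the question,
# with the instance ID replaced by a placeholder.
SAMPLE_LOG = """\
2023-04-20T17:11:09Z [Information] Host lock lease acquired by instance ID 'INSTANCE-PLACEHOLDER'.
2023-04-20T17:11:33Z [Error] Singleton lock renewal failed for blob 'my-function/host' with error code 403: AuthorizationFailure. The last successful renewal completed at 2023-04-20T17:11:21.192Z (11995 milliseconds ago) with a duration of 13 milliseconds. The lease period was 15000 milliseconds.
2023-04-20T17:11:38Z [Verbose] Host instance 'INSTANCE-PLACEHOLDER' failed to acquire host lock lease: Azure.Storage.Blobs: Service request failed. Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z \[(\w+)\] (.*)$")
LAST_OK = re.compile(r"last successful renewal completed at (\S+?)Z ")
DENIED = re.compile(r"\b403\b.*AuthorizationFailure")


def parse_ts(text):
    """Parse a log timestamp (with or without milliseconds) as UTC."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def denial_window(log_text):
    """Return (last_allowed, first_denied, denied_count) for storage calls.

    last_allowed is the latest time a lease call is known to have succeeded
    before the first 403 AuthorizationFailure (first_denied). The firewall
    change took effect somewhere between the two. Assumes chronological input.
    """
    last_allowed = first_denied = None
    denied = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or unrelated lines
        ts, msg = parse_ts(m.group(1)), m.group(3)
        if DENIED.search(msg):
            denied += 1
            if first_denied is None:
                first_denied = ts
                ok = LAST_OK.search(msg)  # error line reports last good renewal
                if ok:
                    seen = [t for t in (last_allowed, parse_ts(ok.group(1))) if t]
                    last_allowed = max(seen)
        elif "lease acquired" in msg and first_denied is None:
            last_allowed = ts
    return last_allowed, first_denied, denied
```

For the sample lines, the result brackets the change between the last successful renewal at 17:11:21.192Z and the first 403 at 17:11:33Z.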