Share via

Azure Function App unable to access Oryx

Haubein, Ted 0 Reputation points
2023-10-13T14:55:38.36+00:00

We have an ExpressRoute connection to Data Center for access to our on prem resources. The FunctionApp has VNET integration along with DNS, Private Endpoint, Private Endpoint NIC etc. When we use kudo to troubleshoot issues we're unable to resolve DNS correct, and the traceroutes aren't working either. I have provisioned a Test Linux VM in the same subscription as the FunctionApp and it works perfactly no issues.

Developer comments below...

The Oryx deployment issue doesn't happen if I enable the function application VNET integration to route only private communication through the virtual network, if outbound public is able to happen directly from the function app it can connect to Oryx for the build dependencies.  The documentation says that to route all communication through the VNET and still access Oryx we have to explicitly allow it. Our VNET doesn't have a Firewall, and the NSG doesn't seem to have any effect - my guess is that we either must have a firewall on our VNET and then allow access to Oryx using FQDN, or we toggle the VNET integration to only send private comms through. Ideally, we can leave all traffic going through the VNET and we correctly allow the Oryx FQDN, which must be done on the Azure Firewall it seems? Documentation is sparse here but at least we found that not forcing all traffic through VNET resolves build issues. 

We can reach inbound to our function app with no problem, although our function app cannot reach back into our network. We shouldn't have to establish a route table, and when I compare our function app to a VM with NIC deployed in the same region the VM is able to connect to our on-prem data center with no problem. In Kudu, on our function app, I also cannot tcpping on-prem servers. With our VM, I ran the network troubleshooter and it successfully connects all the way. 

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,678 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. MuthuKumaranMurugaachari-MSFT 22,276 Reputation points
    2023-10-18T15:44:07.0766667+00:00

    Haubein, Ted Thanks for posting your question in Microsoft Q&A. From the description above, Azure Function app is unable to connect to Oryx via VNET however, if you establish a Test VM in the same VNET, it works fine. Correct?

    This appears to be due to Outbound IP restrictions and if you have Route All enabled, then all outbound traffic will be sent through Virtual Network. Then in that case you can configure NSG to allow traffic to Oryx (or other resources) and you don't need Azure Firewall. However, if Route All isn't enabled, NSGs are only applied to RFC1918 traffic. Similarly, the same case applies to route table as well. I suggest you review the docs and validate how it is configured so that you NSG (as well as route table) rules are in effect.

    Also, you mentioned about DNS issues via Kudu. Do you face the issue when following the steps in https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli#tools? Make sure DNS server is accessible via nameresolver like described in Debug access to virtual network-hosted resources.

    Also, validate the reasons described here and if it doesn't help, let me know. We might need to investigate the backend logs to find the cause.

    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

    0 comments