Intermittent Azure Function Connectivity Issue with Restricted Key Vault Using Managed Identity

Richard Haigh 45 Reputation points
2023-10-31T15:47:13.5366667+00:00

I am experiencing intermittent connectivity issues between an Azure Function and Azure Key Vault. My setup is as follows:

Azure Function with Virtual Network (VNet) integration, set to route traffic through a specific subnet. It is set to use a Linux runtime and Python stack. Confirmed with local deploys and test runs that requirements and runtime are not the cause. Requirements file is also correctly building dependencies.

The Function is configured to retrieve storage vault connection keys from Azure Key Vault using dynamic key URIs in the format @Microsoft.Keyvault(SecretUri=https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/). These are passed in the application settings of the configuration.

The Key Vault has a service endpoint that restricts access to the subnet used by the Azure Function and trusted Microsoft services.

The Azure Function is assigned a Managed Identity with Key Vault Secret User role.

Function has been running successfully without any virtual network changes for approximately one year.

Despite this setup, which aligns with Microsoft's documentation and best practices confirmed by colleagues, the Azure Function randomly loses access to the Key Vault. The issue is temporarily resolved by removing and re-adding the Key Vault URI in the application settings, followed by restarting the app.

I am trying to understand:

  1. Is it normal for Azure Functions to experience such blips in connectivity after continuous operation? Is the "turn it off and on again" approach a legitimate long-term solution that is sometimes required?
  2. Have there been recent updates to the treatment of managed identities or trusted service traffic that could account for this?
  3. If no to 1 and 2, is it more likely an unseen cascade effect is what resolved this?

1 answer

  1. MayankBargali-MSFT 70,136 Reputation points
    2023-11-01T11:26:22.7466667+00:00

    @Richard Haigh Thanks for reaching out.

    Based on the information you have provided, it is not normal for Azure Functions to experience such blips in connectivity after continuous operation unless a configuration was changed at the key vault, network or function end, and there could be several reasons why this is happening.

    Regarding your question about the "turn it off and on again" approach, while it may temporarily resolve the issue, it is not a legitimate long-term solution. It is important to identify the root cause of the issue and address it accordingly.

    For your second point, this could be confirmed after reviewing the logs. It is difficult to determine the exact cause of the issue without further investigation. I recommend checking the network and firewall settings and validating the operation logs of your function app and key vault to see whether any update operation was performed. If you are not able to find the root cause, this would need one-on-one support to review the logs to see if we can find the root cause. I suggest you create a support ticket to assist you further. If you don't have a support plan, please let me know.
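
The log review suggested in the answer above, sketched as an added example (not part of the original thread and not Microsoft tooling). It buckets Key Vault `SecretGet` audit records by HTTP status and by whether the caller IP falls inside the function's integration subnet; the subnet `10.1.2.0/24`, the sample records and the bucket names are constructed assumptions, while the field names follow the Key Vault diagnostic log schema.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: JSON lines shaped like Key Vault AuditEvent records.
SAMPLE_LOG = """\
{"time": "2023-10-30T09:00:01Z", "operationName": "SecretGet", "callerIpAddress": "10.1.2.7", "properties": {"httpStatusCode": 200}}
{"time": "2023-10-31T14:02:11Z", "operationName": "SecretGet", "callerIpAddress": "203.0.113.40", "properties": {"httpStatusCode": 403}}
{"time": "2023-10-31T14:02:12Z", "operationName": "SecretGet", "callerIpAddress": "203.0.113.40", "properties": {"httpStatusCode": 403}}
{"time": "2023-10-31T14:05:30Z", "operationName": "SecretGet", "callerIpAddress": "10.1.2.9", "properties": {"httpStatusCode": 403}}
{"time": "2023-10-31T14:06:00Z", "operationName": "SecretGet", "callerIpAddress": "10.1.2.9", "properties": {"httpStatusCode": 401}}
"""

def classify(record, subnet):
    """Return a triage bucket for one audit record (heuristic, not a verdict)."""
    status = int(record["properties"]["httpStatusCode"])
    caller = ipaddress.ip_address(record["callerIpAddress"])
    from_subnet = caller in ipaddress.ip_network(subnet)
    if status < 400:
        return "ok"
    if status == 403 and not from_subnet:
        return "network"         # request did not arrive from the allowed subnet
    if status == 403:
        return "authorization"   # allowed subnet, so look at the role assignment
    if status == 401:
        return "authentication"  # missing or rejected token
    return "other"

def triage(log_text, subnet):
    """Count records per bucket and note when each bucket first appears."""
    buckets, first_seen = Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operationName") != "SecretGet":
            continue
        bucket = classify(rec, subnet)
        buckets[bucket] += 1
        first_seen.setdefault(bucket, rec["time"])
    return buckets, first_seen

if __name__ == "__main__":
    buckets, first_seen = triage(SAMPLE_LOG, "10.1.2.0/24")
    for name, count in buckets.items():
        print(f"{name:15} {count:3}  first seen {first_seen[name]}")
```

The first-seen timestamp of the failing bucket is the point to line up against the function app and Key Vault activity logs when looking for a configuration change.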

