Tam Duc Ha Vo, thanks for posting your question in Microsoft Q&A. If you disable public access in the storage account, only selected IP ranges based on firewall rules or private endpoints configured can access the storage account. This is why the deployment of Azure Function also failed with a 403 error since it was not authorized to access the storage account.
When you create a new function app, you can secure a new storage account via private endpoint as described in doc: Restrict your storage account to a virtual network and Secure storage account linked to Function App with private endpoint (this feature is not supported in Consumption plans). However, if you want to link an existing storage account, then this cannot be done via the Azure portal. Instead, you need to modify the ARM template for just creating a new file share in the storage account (new file share creation still needed), do VNET integration, configure WEBSITE_CONTENTSHARE, WEBSITE_CONTENTOVERVNET etc. to point to the file share.
Unfortunately, this is a current limitation and there is a feature request: Deploy function app and storage account with network restrictions posted in our feedback forum, and I suggest sharing your feedback at the link. I will also share your feedback internally with our product team. Check out the similar discussion related to this issue; I am sharing it for reference.
I hope this helps and let me know if you have any questions.
If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.
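
The ARM template changes described in the answer can be checked before deployment. The following is an added example, not part of the original answer or Microsoft's own tooling: a Python check that a template creates the content file share, integrates the function app with a VNET, and points WEBSITE_CONTENTSHARE and WEBSITE_CONTENTOVERVNET at it. The template fragment, resource names and the subnet placeholder are constructed, and names are assumed to be literal strings rather than ARM expressions.

```python
import json

# Constructed ARM template fragment (not from the original answer); names are placeholders.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "examplestorage",
     "properties": {"networkAcls": {"defaultAction": "Deny"}}},
    {"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
     "name": "examplestorage/default/func-content"},
    {"type": "Microsoft.Web/sites", "name": "example-func",
     "properties": {
       "virtualNetworkSubnetId": "<subnet-resource-id>",
       "siteConfig": {"appSettings": [
         {"name": "WEBSITE_CONTENTSHARE", "value": "func-content"},
         {"name": "WEBSITE_CONTENTOVERVNET", "value": "1"}
       ]}}}
  ]
}
""")

def check_template(template):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    res = template.get("resources", [])
    # File shares the template itself creates (last segment of the resource name).
    shares = {r["name"].split("/")[-1] for r in res
              if r["type"] == "Microsoft.Storage/storageAccounts/fileServices/shares"}
    for r in res:
        if r["type"] == "Microsoft.Storage/storageAccounts":
            acl = r.get("properties", {}).get("networkAcls", {})
            if acl.get("defaultAction") != "Deny":
                findings.append(f"{r['name']}: storage firewall default action is not Deny")
        if r["type"] == "Microsoft.Web/sites":
            props = r.get("properties", {})
            settings = {s["name"]: s["value"]
                        for s in props.get("siteConfig", {}).get("appSettings", [])}
            if not props.get("virtualNetworkSubnetId"):
                findings.append(f"{r['name']}: no VNET integration subnet")
            if settings.get("WEBSITE_CONTENTOVERVNET") != "1":
                findings.append(f"{r['name']}: WEBSITE_CONTENTOVERVNET is not 1")
            share = settings.get("WEBSITE_CONTENTSHARE")
            if not share:
                findings.append(f"{r['name']}: WEBSITE_CONTENTSHARE is not set")
            elif share.lower() not in shares:
                findings.append(f"{r['name']}: file share '{share}' is not created in the template")
    return findings

if __name__ == "__main__":
    print(check_template(TEMPLATE) or "no findings")
```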