Objective: I am trying to set up an Azure Function with restricted Virtual Network (VNet) integration to securely call an Azure Key Vault and retrieve database connection strings. The network should be as secure as possible and resources should only be accessible by specific resources. Design is meant to be in line with Microsofts advice for restricted network access on storage accounts where service endpoints and managed identities ensure no public access.
- Azure Function app within a dedicated subnet.
- VNet integration enabled on the Azure Function in same subnet and network.
- Azure Function app granted access to a Key Vault via an access policy.
- Subnet configured with service endpoints for Azure Storage and Key Vault.
- Function code stored in Azure Blob Storage with dependencies installed through a pip install of requirements.txt in a local Python 3.10 env before compression. Python packages are part of upload zip.
- Runtime: Python 3.10 on Linux OS in Azure Functions.
- Service Plan: Basic (due to VNet integration requirement).
- Storage account is designed to only allow access from service endpoint by the time template goes to production but is currently set to allow access from all networks while debugging and set to use Microsoft network routing. Issues remain.
Azure Function Application Settings:
WEBSITE_RUN_FROM_PACKAGE: [Storage blob URL with SAS]
KEY_VAULT_URL: [Key Vault name from Terraform variable]
- The Azure Function is created in the Function App via Terraform but fails to run or download dependencies. Specifically Azure-identity and dependencies.
- Uncertain if dependencies are correctly installed in the Azure Storage setup.
- Encountering difficulties in ensuring the Azure Function can securely and successfully communicate with the Key Vault while adhering to the restricted VNet setup.
Specific Questions/Assistance Needed:
- How can I ensure that my Azure Function correctly accesses and downloads dependencies from Azure Blob Storage in a restricted VNet environment without manual intervention and commands? Why is this recommended approach not working?
- Are there any known issues or considerations with Terraform configurations for Azure Functions with VNet integration and Key Vault access utilising service endpoints and managed identities?
- Recommendations or best practices for deploying Azure Functions with these requirements using Terraform.
- The setup is following Microsoft's documentation for restricted network access.
- The goal is to maintain a high level of security while ensuring functionality and be able to deploy directly via terraform or an azure DevOps repository.