Assistance Needed with Azure Function VNet Integration and Key Vault Access using Terraform

Richard Haigh 45 Reputation points
2023-11-13T17:37:59.5233333+00:00

Objective: I am trying to set up an Azure Function with restricted Virtual Network (VNet) integration to securely call an Azure Key Vault and retrieve database connection strings. The network should be as secure as possible and resources should only be accessible by specific resources. Design is meant to be in line with Microsofts advice for restricted network access on storage accounts where service endpoints and managed identities ensure no public access.

Environment Setup:

  • Azure Function app within a dedicated subnet.
  • VNet integration enabled on the Azure Function in same subnet and network.
  • Azure Function app granted access to a Key Vault via an access policy.
  • Subnet configured with service endpoints for Azure Storage and Key Vault.
  • Function code stored in Azure Blob Storage with dependencies installed through a pip install of requirements.txt in a local Python 3.10 env before compression. Python packages are part of upload zip.
  • Runtime: Python 3.10 on Linux OS in Azure Functions.
  • Service Plan: Basic (due to VNet integration requirement).
  • Storage account is designed to only allow access from service endpoint by the time template goes to production but is currently set to allow access from all networks while debugging and set to use Microsoft network routing. Issues remain.

Azure Function Application Settings:

  • FUNCTIONS_WORKER_RUNTIME: "python"
  • WEBSITE_RUN_FROM_PACKAGE: [Storage blob URL with SAS]
  • KEY_VAULT_URL: [Key Vault name from Terraform variable]
  • SCM_DO_BUILD_DURING_DEPLOYMENT: true
  • ENABLE_ORYX_BUILD: true

Issues Encountered:

  • The Azure Function is created in the Function App via Terraform but fails to run or download dependencies. Specifically Azure-identity and dependencies.
  • Uncertain if dependencies are correctly installed in the Azure Storage setup.
  • Encountering difficulties in ensuring the Azure Function can securely and successfully communicate with the Key Vault while adhering to the restricted VNet setup.

Specific Questions/Assistance Needed:

  1. How can I ensure that my Azure Function correctly accesses and downloads dependencies from Azure Blob Storage in a restricted VNet environment without manual intervention and commands? Why is this recommended approach not working?
  2. Are there any known issues or considerations with Terraform configurations for Azure Functions with VNet integration and Key Vault access utilising service endpoints and managed identities?
  3. Recommendations or best practices for deploying Azure Functions with these requirements using Terraform.

Additional Context:

  • The setup is following Microsoft's documentation for restricted network access.
  • The goal is to maintain a high level of security while ensuring functionality and be able to deploy directly via terraform or an azure DevOps repository.
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,008 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,863 questions
0 comments No comments
{count} votes

Accepted answer
  1. Mike Urnun 9,811 Reputation points Microsoft Employee
    2023-11-16T22:19:45.03+00:00

    Per Azure function unable to install azure-identity dependencies thread, the root cause might have been caused by the deprecation of azurerm_function_app Terraform resource:User's image

    @Richard Haigh If this is a separate issue that's still blocking, pls let me know.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.