Unable to deploy flex function app with vnet integration

Question

Hi,

Ive recently started exploring flex function apps using this GitHub repo as a reference

Im automating the deployment using ADO pipelines and bicep files

It successfully deploys the flex consumption app but when I try integrate it in a vnet(setting virtualNetworkSubnetIdin the bicep) the deployment fails with a not very useful error - "There was an unexpected InternalServerError. Please try again later"

Has anyone else experienced this or know what im doing wrong?

*Also its worth mentioning ive tried manually adding the vnet integration after the function app has been deployed via the portal and this also fails

*Ive also seen Microsoft's post mentioning that "the subnet used for VNet integration can't already be in use for other purposes like private or service endpoints, or delegated to any other hosting plan or service" - source

Error message:

{
    "status": "Failed",
    "error": {
        "code": "InternalServerError",
        "message": "There was an unexpected InternalServerError.  Please try again later.  x-ms-correlation-request-id: 7020662b-7eb1-4a4f-9377-16713028fcf8"
    }
}

Function app bicep:

resource flexFunctionApp 'Microsoft.Web/sites@2023-12-01' = {
  name: flexFunctionAppName
  location: location
  tags: tags
  kind: 'functionapp,linux'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    httpsOnly: true
    publicNetworkAccess: 'Disabled'
    serverFarmId: flexFunctionPlan.id
    virtualNetworkSubnetId: subnet.id
    siteConfig: {
      appSettings: appSettings
      httpLoggingEnabled: true
      minTlsVersion: '1.3'
      use32BitWorkerProcess: false
    }
    functionAppConfig: {
      deployment: {
        storage: {
          type: 'blobContainer'
          value: 'https://stalykefuncdev.blob.core.windows.net/${storageAccountFuncFlexPackageContainerName}'
          authentication: {
            type: 'SystemAssignedIdentity'
          }
        }
      }
      scaleAndConcurrency: {
        maximumInstanceCount: maximumInstanceCount
        instanceMemoryMB: instanceMemoryMB
      }
      runtime: { 
        name: functionAppRuntime
        version: functionAppRuntimeVersion
      }
    }
  }
}

Subnet bicep:

  {
        name: appSubnetName
        id: resourceId('Microsoft.Network/virtualNetworks/subnets', vNetName, 'app')
        properties: {
          addressPrefixes: [
            '10.0.2.0/23'
          ]
          delegations: [
            {
              name: 'delegation'
              id: '${resourceId('Microsoft.Network/virtualNetworks/subnets', vNetName, 'app')}/delegations/delegation'
              properties: {
                //Microsoft.App/environments is the correct delegation for Flex Consumption VNet integration
                serviceName: 'Microsoft.App/environments'
              }
              type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
            }
          ]
          privateEndpointNetworkPolicies: 'Disabled'
          privateLinkServiceNetworkPolicies: 'Enabled'
        }
        type: 'Microsoft.Network/virtualNetworks/subnets'
      }

Answer 1

Hello David,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you are having an issue when deploying a flex function app with VNet integration

Solution

The error message you received, "InternalServerError," can be quite complex to troubleshoot. But, based on the information you've provided, there are four things I would like us to check and the links provided will guide you in more detail steps:

1. Service Endpoint for Storage. To ensure that your Function App subnet has a service endpoint for Microsoft.Storage, you can add the "Microsoft.Storage" service endpoint to your Function App subnet. Navigate to your Virtual Network resource, go to "Settings," and select "Service endpoints" to configure this: https://www.reddit.com/r/AZURE/comments/1dkliw5/unable_to_deploy_flex_function_app_with_vnet/
2. Let's check your Subnet Delegation, the subnet used for VNet integration cannot already be in use for other purposes (e.g., private or service endpoints) or delegated to any other hosting plan or service and in your Bicep file, make sure you're delegating the correct service for Flex Consumption VNet integration. The correct delegation is "Microsoft.App/environments". https://stackoverflow.com/questions/63791349/unable-to-connect-to-azure-function-app-after-integrating-into-vnet
3. You will need to verify that the private endpoint network policies are set to "Disabled" and the private link service network policies are set to "Enabled" for your subnet. https://stackoverflow.com/questions/63791349/unable-to-connect-to-azure-function-app-after-integrating-into-vnet
4. Outbound Traffic Restrictions can be another challenge, so, if you're restricting outbound traffic from your Function App, ensure that it still has access to the necessary resources during deployment. For example, Oryx build commands need access to the internet for successful builds. https://stackoverflow.com/questions/78588084/error-when-assigning-virtual-network-to-the-azure-function

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam