VNet integrated flex consumption app unable to connect to KeyVault via service endpoint

David 20 Reputation points
2024-06-30T23:05:51.97+00:00

Hi,

I have a question about VNet-integrated Flex Consumption function apps and accessing other resources privately using service endpoints.

Situation:

I have a Flex Consumption app successfully deployed and VNet integrated, so all outbound traffic is via the virtual network.

The subnet is delegated to Microsoft.App/environments as required for Flex apps, and I've also added service endpoints for Storage, KeyVault and AzureCosmosDB.

I have a Key Vault that is set up to "Allow public access from specific virtual networks and IP addresses" and have added a rule to allow the virtual network and subnet used by the Flex app to access the Key Vault.

Issue:

Key Vault references in app settings are not able to resolve and I get the following error:

Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.

Thoughts:

  1. When I set the Key Vault networking configuration to "Allow public access from all networks", the references resolve and everything works, which suggests maybe my function app outbound traffic is not going via the VNet.
  2. I'm unclear whether service endpoints can be used with VNet-integrated Flex apps.

In Microsoft's documentation it mentions:

*"The subnet you choose can't already be used for other purposes, such as with private endpoints or service endpoints, or be delegated to any other hosting plan or service."*

However, if I make the Key Vault public to overcome my reference errors, my connections to Storage and Cosmos via service endpoints work fine.

Also, the solution to a previous question I raised regarding Flex apps advised adding a service endpoint for Storage to the subnet used by the Flex function app:

"Service Endpoint for Storage. To ensure that your Function App subnet has a service endpoint for Microsoft.Storage, you can add the "Microsoft.Storage" service endpoint to your Function App subnet"

My questions:

  1. Is it OK to use service endpoints with the subnet delegated for my Flex function app?
  2. What is the correct way for a VNet-integrated Flex function app to privately communicate with other Azure resources?
Tags: Azure Key Vault, Azure Functions, Azure, Azure Virtual Network
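A preflight check for the configuration described in the question, added here as an example; it is not part of the original post and not Microsoft tooling. It applies the two conditions a Key Vault virtual network rule needs in order to match traffic from the function app's subnet (the subnet's resource ID must appear in the vault's `virtualNetworkRules`, and the subnet must carry a provisioned `Microsoft.KeyVault` service endpoint, since without it the vault only sees a public source IP) to constructed JSON shaped like the output of `az keyvault show --query properties.networkAcls` and `az network vnet subnet show`. The subscription ID, resource group, VNet and subnet names are placeholders. Because resource IDs are compared case-insensitively, a hand-typed rule with different casing still matches, which is a common false lead when debugging.

```python
import json
from typing import Optional

# Constructed sample (placeholder names) shaped like
#   az keyvault show -n <vault> -g <rg> --query properties.networkAcls
# for a vault set to "Allow public access from specific virtual networks and IP addresses".
KEYVAULT_NETWORK_ACLS = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-FLEX/providers/Microsoft.Network/virtualNetworks/vnet-flex/subnets/snet-flex",
      "ignoreMissingVnetServiceEndpoint": false
    }
  ]
}
""")

# Constructed sample (placeholder names) shaped like
#   az network vnet subnet show -g <rg> --vnet-name <vnet> -n <subnet>
# for the subnet delegated to the Flex Consumption app.
FLEX_SUBNET = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-flex/providers/Microsoft.Network/virtualNetworks/vnet-flex/subnets/snet-flex",
  "delegations": [{"name": "delegation", "serviceName": "Microsoft.App/environments"}],
  "serviceEndpoints": [
    {"service": "Microsoft.Storage", "locations": ["australiaeast"], "provisioningState": "Succeeded"},
    {"service": "Microsoft.KeyVault", "locations": ["*"], "provisioningState": "Succeeded"},
    {"service": "Microsoft.AzureCosmosDB", "locations": ["*"], "provisioningState": "Succeeded"}
  ]
}
""")


def _norm(resource_id: str) -> str:
    # ARM resource IDs are case-insensitive; normalise before comparing.
    return resource_id.strip().lower()


def service_endpoint_state(subnet: dict, service: str) -> Optional[str]:
    """provisioningState of the named service endpoint on the subnet, or None if it is absent."""
    for ep in subnet.get("serviceEndpoints", []):
        if ep.get("service", "").lower() == service.lower():
            return ep.get("provisioningState", "Unknown")
    return None


def check_vault_network_access(acls: dict, subnet: dict):
    """Return (allowed, findings) for traffic from `subnet` under the vault's network ACLs.

    A vault with defaultAction=Allow accepts everything, so a successful Key Vault
    reference in that mode says nothing about whether traffic actually left via the VNet.
    """
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True, ["defaultAction is Allow: firewall not enforced, so this proves nothing about VNet routing"]

    findings = []
    subnet_id = _norm(subnet["id"])
    if not any(_norm(rule.get("id", "")) == subnet_id for rule in acls.get("virtualNetworkRules", [])):
        findings.append(f"no virtualNetworkRules entry for {subnet['id']}")

    state = service_endpoint_state(subnet, "Microsoft.KeyVault")
    if state is None:
        findings.append("subnet has no Microsoft.KeyVault service endpoint; the vault will see a public source IP")
    elif state != "Succeeded":
        findings.append(f"Microsoft.KeyVault service endpoint provisioningState is {state}")

    if findings:
        return False, findings
    return True, ["subnet is in the vault's virtualNetworkRules and has a provisioned Microsoft.KeyVault endpoint"]


if __name__ == "__main__":
    ok, notes = check_vault_network_access(KEYVAULT_NETWORK_ACLS, FLEX_SUBNET)
    print("allowed" if ok else "DENIED")
    for note in notes:
        print(" -", note)
```

To use it against real resources, pipe the two `az` commands' JSON into the two constants. Note that `az network vnet subnet update --service-endpoints` sets the whole list, so pass every endpoint the subnet needs (Storage, KeyVault and AzureCosmosDB here), not just the one being added.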