Unable to Create Service Connector Between Azure Function App and MySQL Flexible Server in Virtual Network

Ofek Waiz 0 Reputation points
2024-11-26T15:11:36.5933333+00:00

Hi Azure Community,

I'm trying to create a service connector between my Azure Function App and an Azure MySQL Flexible Server, which resides in a Virtual Network. Here’s the setup and the challenges I’m facing:

Setup:

  • Function App: Hosted in Azure with Managed Identity (System Assigned) enabled.
  • MySQL Server: Azure Flexible Server inside a Virtual Network.
  • Goal: Use the service connector to allow the Function App to securely access the MySQL database without secrets.

What I Tried:

  1. Azure CLI from Web Portal: I attempted to create the service connector using this command:
       
       az functionapp connection create mysql-flexible \
        --connection mysql_94d84 \
        --source-id /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{functionAppName} \
        --target-id /subscriptions/{subscriptionId}/resourceGroups/{mysqlResourceGroupName}/providers/Microsoft.DBforMySQL/flexibleServers/{mysqlServerName}/databases/{databaseName} \
        --client-type nodejs \
        --system-identity
    
    Error:
       
       The database server 
    
  2. Running CLI Commands from Within the Virtual Network: To work around this, I deployed a containerized app within the same Virtual Network. This app was configured to run Azure CLI commands. However, when I ran the az functionapp connection create command, I encountered the following error:
       
       ERROR: Service principal 
    
    Managed Identity Permissions: I verified that the Function App has a System Assigned Managed Identity enabled, but I suspect there’s a missing step to properly link it to the MySQL Flexible Server or configure permissions for the Virtual Network.

Questions:

  1. What is the correct way to create a service connector for a Function App and MySQL Flexible Server in a Virtual Network?
  2. How can I ensure that the Function App’s managed identity has the required permissions to access the database?
  3. Is there an alternative method (e.g., using an Azure SDK or REST API) to create this service connector if Azure CLI is unable to execute the command due to network restrictions?

Any guidance or step-by-step instructions would be greatly appreciated. Thank you in advance!

Tags: Azure Functions, Azure Database for MySQL, Azure Container Apps

1 answer

Pinaki Ghatak 5,305 Reputation points Microsoft Employee
    2024-11-27T10:08:35.6133333+00:00

    Hello @Ofek Waiz

    Happy to help.

    To create a service connector for a Function App and MySQL Flexible Server in a Virtual Network, you can follow these 4 steps:

    1. Ensure that your Function App has a System Assigned Managed Identity enabled.
    2. Grant the Function App's managed identity access to the Virtual Network where the MySQL Flexible Server resides.
    3. Create a service endpoint for the Virtual Network.
    4. Create a service connection between the Function App and the MySQL Flexible Server using the service endpoint.

    To grant the Function App's managed identity access to the Virtual Network, you can follow these 6 steps:

    1. Go to the Virtual Network where the MySQL Flexible Server resides.
    2. Go to the "Access control (IAM)" tab.
    3. Click on "Add" and select "Add role assignment".
    4. In the "Add role assignment" pane, select the "Virtual Network Contributor" role.
    5. In the "Select" pane, search for the Function App's managed identity and select it.
    6. Click on "Save" to add the role assignment.

    To create a service endpoint for the Virtual Network, you can follow these 4 steps:

    1. Go to the Virtual Network where the MySQL Flexible Server resides.
    2. Go to the "Service endpoints" tab.
    3. Click on "Add" and select "Microsoft.DBforMySQL".
    4. Click on "Add" to add the service endpoint.

    To create a service connection between the Function App and the MySQL Flexible Server using the service endpoint, you can follow these 14 steps:

    1. Go to the Function App.
    2. Go to the "Platform features" tab.
    3. Click on "Networking".
    4. Click on "Add inbound IP rule".
    5. In the "Add inbound IP rule" pane, select the "Service tag" option.
    6. In the "Service tag" field, select "AzureDBforMySQL".
    7. Click on "Add" to add the inbound IP rule.
    8. Go to the "Platform features" tab.
    9. Click on "Connections".
    10. Click on "Add".
    11. In the "Add connection" pane, select "Azure Database for MySQL".
    12. Enter the required information, including the server name, database name, and credentials.
    13. Select the "Use a system-assigned managed identity" option.
    14. Click on "Create" to create the service connection.

    This should get you started.

