What would cause restricting traffic to whitelisted IP and VNET on a storage account to break the deployment of a related Azure Function, but only some of the time?

Question

What would cause restricting traffic to whitelisted IP and VNET on a storage account to break the deployment of a related Azure Function, but only some of the time?

Demougin, Matthew W 25

I have several dozen Azure Blob Storage accounts tied to Azure functions. I am in the process of restricting traffic to these accounts to VNET and whitelisted IP. I've successfully set this and been able to deploy the azure function, through an Azure DevOps Release Pipeline, through adding the WEBSITE_CONTENTOVERVNET environment variable, set to 1, to the associated Azure Function, and adding the following CIDRs to the whitelist block of the storage account:

13.107.6.0/24

13.107.9.0/24

13.107.42.0/24

13.107.43.0/24

This has worked for over 50 storage accounts, yet I have 2 that still fail to deploy. I get the following error:

Failed to deploy web package to App Service.

KuduStackTraceURL https://:@func.scm.azurewebsites.net/api/vfs/LogFiles/kudu/trace

Error: Error: Failed to deploy web package to App Service. Internal Server Error (CODE: 500)

I can't find any meaningful details on this 500 error. I compared the JSON for the functions and storage accounts that are working fine versus the ones that are not and do not see any impactful differences. Does anyone know what I can look for to determine the cause of this failure?

RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-03-24T11:07:58.63+00:00

The outbound IPs of the Function App will change randomly, as this is normal behavior. As a better approach to maintaining a constant IP, you can use a NAT gateway and allow the same NAT public IP in the storage account.

Note:

1. The NAT gateway will only be used for outbound traffic.
2. Disable the service endpoint if you are using the NAT gateway.

1 answer

Your answer

RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator

2025-03-24T11:07:58.63+00:00

The outbound IPs of the Function App will change randomly, as this is normal behavior. As a better approach to maintaining a constant IP, you can use a NAT gateway and allow the same NAT public IP in the storage account.

Note:

1. The NAT gateway will only be used for outbound traffic.
2. Disable the service endpoint if you are using the NAT gateway.

Answer 1

Deepanshu katara 16,945 MVP Moderator

Hello , Welcome to MS Q&A

Each function app has a set of available outbound IP addresses.

Azure Functions use dynamic outbound IPs, so whitelisting a few won't work.

Use Virtual Network (VNet) Integration instead of IP whitelisting

Switch to Private Endpoints for secure access

If you must whitelist, get all outbound IPs from az functionapp show --query outboundIpAddresses and add them Or just allow all traffic and move on

Kindly check and let us know with further details

Please accept answer if it helps

Thanks

Deepanshu

Demougin, Matthew W 25 Reputation points

2025-03-03T18:16:41.9466667+00:00

I am using VNET integration, which is why I allowed VNET traffic.
Deepanshu katara 16,945 Reputation points MVP Moderator

2025-03-04T05:53:35.77+00:00
If you are using VNET Integration and have enabled Route All, all outbound traffic from your Function App will be routed through your virtual network. Ideally, this setup should work.

As the next step in troubleshooting, please check the following:

Ensure that both storage accounts are in the same region and virtual network.

Verify the NSG (Network Security Group) attached to the integration subnet to see if there are any rules blocking access to the storage accounts.

If the issue persists, kindly review these settings and update us. If further troubleshooting is required, we can connect privately to resolve the issue.
Demougin, Matthew W 25 Reputation points

2025-03-04T19:44:45.8966667+00:00

I verified that the Function's integrated VNET and Subnet was in the allowed list on the Azure Storage. Both the function and storage account are in the same region. There is no NSG attached to the subnet, and the Microsoft.Storage service endpoints are enabled on the Subnet. I ran the az command and added all of the outbound IP address from the list to the storage account's allowed IP addresses. The problem remains.
Demougin, Matthew W 25 Reputation points

2025-03-04T20:01:39.8433333+00:00

I have confirmed that the Function's Integrated VNET and Subnet are included in the allowed list for the storage account. The Subnet has no NSG applied and has Microsoft.Storage service endpoints enabled.

I ran the aforementioned az command in the cloud shell and added the IP addresses presented in the output. The issue remains on the 2 problem storage accounts. I have confirmed that the functions and storage accounts are all in the same region.The problem remains after these checks. Please guide on next steps.
Demougin, Matthew W 25 Reputation points

2025-03-04T20:02:25.17+00:00

Sorry for the duplicate comments, the original did not display after submission.
Deepanshu katara 16,945 Reputation points MVP Moderator

2025-03-05T12:13:16.31+00:00

I think we need to connect and debug this.Please let me know a suitable time when we can connect to discuss this further. Looking forward to your response.

Thanks
Demougin, Matthew W 25 Reputation points

2025-03-05T12:46:18.33+00:00

I can meet pretty much any time between 11AM and 4PM Eastern any day this week.
Demougin, Matthew W 25 Reputation points

2025-03-10T21:05:26.6366667+00:00

Wanted to follow up to see if you were still open to setting up a meeting. I can meet Wednesday after 1PM or Thursday or Friday after 11AM, all Eastern time.
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-03-11T05:46:53.94+00:00

Deepanshu katara

Could you confirm a suitable time for Demougin, Matthew W
Deepanshu katara 16,945 Reputation points MVP Moderator

2025-03-11T05:57:28.51+00:00

@Demougin, Matthew W , Tomorrow 1PM Eastern Time , I will send you invite.

Thanks
Deepanshu katara 16,945 Reputation points MVP Moderator

2025-03-11T06:00:49.7466667+00:00

Pls share your mail ID as well
Demougin, Matthew W 25 Reputation points

2025-03-11T12:21:18.2466667+00:00

My email is ******@ascension.org
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-03-14T08:19:47.9733333+00:00

Demougin, Matthew W / Deepanshu katara

Could you please confirm whether the issue has been resolved? If it has been resolved, could you please share the workaround so it will be beneficial for others facing the same issue.
Demougin, Matthew W 25 Reputation points

2025-03-14T11:45:41.4733333+00:00

We never met, so this issue remains.
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-03-21T09:34:07.98+00:00

Demougin, Matthew W

Could you please check my private message and respond accordingly?

Deepanshu katara Do you have any plans to connect with Demougin, Matthew W

Share via

What would cause restricting traffic to whitelisted IP and VNET on a storage account to break the deployment of a related Azure Function, but only some of the time?

1 answer

Your answer