Deployment to Azure Function Apps with VNet integration not working

Zlatko Lovcevic 21 Reputation points

We have Azure Function Apps with VNet integration configured in order to be able to access other Azure resources that have network restrictions (databases, key vaults, storage accounts) using service endpoints. Storage accounts that are created while creating Function Apps don't have network restrictions configured (Allow access from all networks). Service plans on which Function Apps are hosted are S1 and EP1. We have Azure DevOps Release Pipelines that do the deployment to Function Apps using Run from package method. First time we did the deployment the VNet integration wasn't configured and everything worked fine. Next time we tried deploying to release pipelines finished successfully but the new code was not deployed. It looks like nothing happened. In Kudu eventlog there are errors "Failed to open siteversion.txt. ZipFS setup failed. Error: 0x80070002" and "Failed to copy zip from remote source". We figured out that only if we disable VNet integration that the release pipelines actually deploy the files. Are we doing something wrong or missing something? Everything seems to be according to official documentation as far as we can tell.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,471 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Pramod Valavala 20,601 Reputation points Microsoft Employee

    @Zlatko Lovcevic Based on the settings mentioned here, if you have WEBSITE_VNET_ROUTE_ALL set to 1, all outbound traffic will go through the VNET and subject them to Network Security Groups on your VNET which can block requests required to copy the ZIP from the remote source as mentioned in the error message.

    When disabling VNET Integration, this is no longer the case allowing for deployment to go through as usual.

  2. Daniel H 6 Reputation points

    Hi folks, I'm experiencing an identical problem but I do have a Vnet integration with ROUTE ALL enabled. Our Function App has outbound restrictions as part of the security requirements (default no outbound unless we explicitly add rules etc.).

    When using ZipDeploy with RUN FROM PACKAGE, I'm seeing the task that is supposed to mount the Zip package to a virtual mount is failing, so the code never updates from the last successful deployment. Turning Vnet integration off allows for a successful deployment.

    I cannot keep switching vnet integration off each time we need to perform a deployment.

    Alternatively a working method is to NOT use RUN FROM PACKAGE and ZipDeploy mostly works (KuduSync.NET runs and extracts the zip contents into wwwroot/ ), looking at the logs I can see it seems the deploy process is able to restart and therefore re-sync triggers, but I still get a superficial failure - i'm assuming because the deploy process on the Functions host is trying to make an API call to get status and fails because outbound is blocked. (There's no documentation i can find to suggest exactly what the deployment process is doing so its a guessing game).

    However I'd like to be able to use RUN FROM PACKAGE feature if I can.

    0 comments No comments

  3. Myers, Rick 1 Reputation point

    I'm also experiencing the same issue. Does anyone have a solution?