Azure ARM/Bicep VNet Integration stops function from working after recent change for vnetRouteAllEnabled at portal

Gavin Wun 6 Reputation points
2021-08-10T03:36:12.637+00:00

Hello,

The bicep that we used to deploy/update a function resource on Azure has stopped working this week.

Since the end of last week, there has been a new change where the flag vnetRouteAllEnabled was added to the portal under the vnet integration settings page - https://learn.microsoft.com/en-us/answers/questions/503122/is-website-vnet-route-all-redundant-or-soon-to-be.html

Whenever I try to deploy a function to Azure with vnet integration, the functions would not work - e.g. SCM website would return service unavailable etc.

The same bicep worked fine last week, and it seems like the flag vnetRouteAllEnabled is doing something different to the setup that's causing the function to stop working.

The following is the original bicep that worked before -

resource functionsSite 'Microsoft.Web/sites@2021-01-15' = {  
  name: functionsAppName  
  location: location  
  kind: kind  
  identity: {  
    type: 'SystemAssigned' //type: isSystemAssignedManagedIdentity ? 'SystemAssigned' : 'None'  
  }  
  properties: {  
    serverFarmId: functionsAppPlanName_resource.id  
    siteConfig: {  
      linuxFxVersion: linuxFxVersion   
      alwaysOn: alwaysOn  
      scmIpSecurityRestrictionsUseMain: false  
      ipSecurityRestrictions: appGwSubnetId == '' ? [] : ipSecurityRestrictions  
    }  
    containerSize: 1536  
    reserved: true  
  }  
  tags: {  
    'environment': environmentName  
    'service': serviceTag  
    'instance': instance  
  }  
  
}  
  
resource networkConfig 'Microsoft.Web/sites/networkConfig@2020-06-01' = if(vnetSubnetId != '') {  
  parent: functionsSite  
  name: 'virtualNetwork'  
  properties: {  
    subnetResourceId: vnetSubnetId  
    swiftSupported: true  
  }  
}  

But now when I use the above bicep, I am unable to access the function's SCM website, and the function is inaccessible as well (e.g. cannot turn on stream logs etc. to view what's going on).

I've also tried the following bicep, which I changed to use the new option "vnetRouteAllEnabled" after seeing it for vnet integration in the portal, but it still doesn't work (some parts excluded to shorten the bicep, e.g. app settings etc.) -

resource functionsSite 'Microsoft.Web/sites@2021-01-15' = {  
  name: functionsAppName  
  location: location  
  kind: kind  
  identity: {  
    type: 'SystemAssigned' //type: isSystemAssignedManagedIdentity ? 'SystemAssigned' : 'None'  
  }  
  properties: {  
    serverFarmId: functionsAppPlanName_resource.id  
    siteConfig: {  
      linuxFxVersion: linuxFxVersion   
      alwaysOn: alwaysOn  
      scmIpSecurityRestrictionsUseMain: false  
      ipSecurityRestrictions: appGwSubnetId == '' ? [] : ipSecurityRestrictions  
      vnetRouteAllEnabled: vnetSubnetId == '' ? false : true  
      vnetPrivatePortsCount: 0  
    }  
    containerSize: 1536  
    reserved: true  
    virtualNetworkSubnetId: vnetSubnetId == '' ? null : vnetSubnetId  
  }  
  tags: {  
    'environment': environmentName  
    'service': serviceTag  
    'instance': instance  
  }  
  
}  

I am deploying this function to an app service plan using Premium V2 (P1V2 PremiumV2) - all Linux plans and functions.

I have also removed the flag WEBSITE_VNET_ROUTE_ALL from app settings as well, but it still fails.

Note that the storage account used by the function is also vnet restricted, so I've also included the app setting WEBSITE_CONTENTOVERVNET in the bicep deploy.

Creating the function without vnet integration, then manually setting it via portal works fine, just wouldn't work via bicep.

I've tried to compare the export from the portal for the function created via portal vs what was deployed by bicep, and both look the same.

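An added example, not part of the original post: one way to make the portal-versus-Bicep export comparison described above mechanical is to flatten both exported templates and diff only the VNet-related settings the post names. The two template fragments, the `<subnet-id>` placeholder and the function names are constructed for illustration and are not the poster's exports.

```python
# Setting names taken from the post; matched case-insensitively on the last path segment.
VNET_KEYS = {"vnetrouteallenabled", "virtualnetworksubnetid", "subnetresourceid",
             "swiftsupported", "vnetprivateportscount",
             "website_vnet_route_all", "website_contentovervnet"}
MISSING = "<absent>"

def flatten(node, path=""):
    """Yield (path, leaf value) for every leaf of a parsed ARM template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            if isinstance(item, dict) and {"name", "value"} <= item.keys():
                # appSettings-style entry: key the path by the setting name
                yield from flatten(item["value"], f"{path}/{item['name']}")
            elif isinstance(item, dict) and "type" in item:
                # resource entry: key by resource type so list order is irrelevant
                yield from flatten(item, f"{path}/{item['type']}")
            else:
                yield from flatten(item, f"{path}[{i}]")
    else:
        yield path, node

def vnet_settings(template):
    """Return {lowercased path: value} for the VNet-related leaves only."""
    return {p.lower(): v for p, v in flatten(template)
            if p.rsplit("/", 1)[-1].lower() in VNET_KEYS}

def diff_vnet(portal, bicep):
    """Map each differing path to (portal value, bicep value)."""
    a, b = vnet_settings(portal), vnet_settings(bicep)
    return {p: (a.get(p, MISSING), b.get(p, MISSING))
            for p in sorted(a.keys() | b.keys())
            if a.get(p, MISSING) != b.get(p, MISSING)}

# Constructed sample exports (shape is an assumption, values are placeholders).
PORTAL = {"resources": [{"type": "Microsoft.Web/sites", "properties": {
    "virtualNetworkSubnetId": "<subnet-id>",
    "siteConfig": {"vnetRouteAllEnabled": True, "appSettings": [
        {"name": "WEBSITE_CONTENTOVERVNET", "value": "1"}]}}}]}
BICEP = {"resources": [
    {"type": "Microsoft.Web/sites", "properties": {"siteConfig": {
        "vnetRouteAllEnabled": False, "appSettings": [
            {"name": "WEBSITE_CONTENTOVERVNET", "value": "1"},
            {"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1"}]}}},
    {"type": "Microsoft.Web/sites/networkConfig", "properties": {
        "subnetResourceId": "<subnet-id>", "swiftSupported": True}}]}

if __name__ == "__main__":
    for path, (portal_value, bicep_value) in diff_vnet(PORTAL, BICEP).items():
        print(f"{path}: portal={portal_value!r} bicep={bicep_value!r}")
```

To run it on real exports, load each exported template with `json.load` and pass the two parsed documents to `diff_vnet`.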