Understanding how an azure function storage account works and securing it

BeniaminMuresan-5169 116 Reputation points
2021-08-16T19:20:16.757+00:00

I need to secure a storage account that some of the functions from the project I work on share. Only these function should have access to the storage account. All of the functions are already part of a VNET, so securing it by only allowing access from the VNET should be really easy.

What is blurry in my mind is about why and what is stored in the storage account considering that all my functions are are using a common standard app service plan.

The docs mention that in case of consumption or premium plan, the storage account is used to store the function code and binding configuration files.
https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations. However, it is not my case because I am using a dedicated plan.

I noticed I don't quite understand how an azure function storage account works while trying to test if the storage account is secure after configuring the VNET configuration. If I try to open something from the storage account from azure portal, I can't, and this is expected. As long as my IP is not included to have access. However, If I place a function outside the VNET and restart it, it will still run. Here, I would expect it to break. Also, if I delete the storage account, the function still works and I don't get it, why? AzureWebJobsStorage is correctly set and links the function to the correct storage account.

All in all my questions are:

  1. What part of a storage account and why is used in case of an azure function that run on a dedicated service plan?
  2. Why the function still runs even if it does not have access to the azure storage account or if I delete the storage account?
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,213 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,279 questions
{count} votes

Accepted answer
  1. AnuragSingh-MSFT 21,391 Reputation points
    2021-08-27T07:57:06.887+00:00

    Hi @BeniaminMuresan-5169 ,

    Functions relies on Azure Storage for operations such as managing triggers and logging function executions. For example, in case of timer trigger function, it stores information about last execution time along with other meta information and synchronization related information.

    The Azure blob storage is used to maintain state and function keys.
    The Table storage in storage account is used to store metrices related to function execution along with other information.
    You can connect to the function app's storage account using Azure storage explorer to check these details to get an idea.

    Therefore, it is possible that your functions might continue to execute (especially http trigger function) even when you disconnect the storage account. However, for smooth functioning of the app and for it to be triggered correctly, it is required to have a general-purpose Azure Storage account that supports Blob, Queue, and Table storage.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    4 people found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.