This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 7.000000000000001%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
With requirements for additional security, we have network restrictions on our Azure storage accounts. I removed restriction to one storage account and created Function App that works great. As soon as I change the storage account to Selected Networks, Function App gets an error System.Private.CoreLib: Access to the path 'C:\home\site\wwwroot\host.json' is denied.
If I add WEBSITE_RUN_FROM_PACKAGE =1 I get read only access to Function App.
How do get full access?
Hi Vlad,
Can we have a list of all of the Application Settings that you have for your Functions?
There are several network options, they can all be found here:
Without having access to the App Settings, I would say that you seem to be running into the same problem that these folks are:
https://github.com/Azure/Azure-Functions/issues/1349
Let me know if that helped.
Pierre,
the link that you have provided to github is for Premium subscription. I am using Consumption plan which doesn't support Vnet integration. Function App is not using any kind of firewall restrictions. The network restrictions are applied the storage account level. in the networking tab on the storage account I changed it from All networks to Selective Networks and that is when Function app stops working and can't access the blob
Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.
I Do believe that this is why it is not working.
Source : https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
I can't find a way to put function app in the exceptions.
I agree, without upgrading to a Premium subscription and creating Vnet integration there is no work around. I guess it's the limitation of the free service. I found that I can resolve my issue by using Logic App instead of Function App.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 93%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
This is an old thread, but for posterity:
I also have this issue. Through careful reading of the documentation I found that when the storage account and function are in the same region, the communication is through private IP channels, not the IP address listed in the function's outbound IP list.
The answer I found here is to place them in different regions. I have recently tested this and it works. However, it leaves much to be desired...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 71%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)