Share via

Function App does not work after switching the network to private endpoint on the storage account

nettech 171 Reputation points
2026-01-18T22:01:22.3633333+00:00

Hi,

I created a new functions app and disabled the public network access on the storage account configured for it. The app stopped working as a result. Enabling public access makes the functions app usable, but out security policy does not allow public access on any of the azure resources.

I did create a private end point for the storage account and assigned it as i did on all other storage accounts, does function app require public access on the storage account ?

thanks

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-01-18T22:01:31.8+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    When you disable public network access on the storage account and switch to using a private endpoint, the Azure Function App should still be able to access the storage account as long as it is properly configured to use the private endpoint. Here are some key points to consider:

    1. Private Endpoint Configuration: Ensure that the private endpoint for the storage account is correctly created and associated with the virtual network that your Function App is integrated with. The Function App must be able to resolve the private endpoint's DNS name.
    2. Network Integration: Verify that your Function App is integrated with the same virtual network where the private endpoint is located. If the Function App is not in the same virtual network or does not have access to it, it will not be able to connect to the storage account.
    3. DNS Configuration: If you are using a custom DNS server, make sure it is configured to resolve the private endpoint correctly. This is crucial for the Function App to communicate with the storage account.
    4. Firewall and Network Rules: Check the firewall settings and network rules on the storage account to ensure that they allow traffic from the virtual network where the Function App is deployed.

    If all these configurations are correct and the Function App still does not work, you may want to review the logs for any specific error messages that could provide further insights into the connectivity issues.

    References:

    0 comments
  2. Pravallika KV 7,485 Reputation points Microsoft External Staff Moderator
    2026-01-19T02:15:55.3966667+00:00

    Hi nettech,

    Thanks for reaching out to Microsoft Q&A.

    does function app require public access on the storage account ?

    No, it does not require public access on the storage account, but you do need proper networking and configuration to ensure private connectivity.

    If you disable public access in the storage account, only selected IP ranges based on firewall rules or private endpoints configured can access the storage account. This leads to 403 error in Azure Function if it was not authorized to access the storage account.

    You can secure a new storage account via private endpoint as described in doc: Restrict your storage account to a virtual network and Secure storage account linked to Function App with private endpoint ,this feature is not supported in Consumption plans.

    Supported Plans & Networking Requirements:

    Azure Functions plans have differing support for secure storage:
    Plan VNet Integration Supports Secured Storage
    Consumption No Cannot use secured/private storage
    Flex Consumption, Premium, Dedicated/App Service Yes Supports private endpoint + private storage

    To lock down your storage account while keeping the function app functional, you must use Flex Consumption or Premium/Dedicated plans, paired with VNet integration and a private endpoint on the storage account.

    Even after wiring up the private endpoint, the Function App must be explicitly configured to route all storage traffic privately.

    This requires adding two Application Settings:

    WEBSITE_CONTENTOVERVNET = 1
WEBSITE_VNET_ROUTE_ALL = 1

    Without these, the Function runtime may still attempt public endpoint access, which will fail if public network access is disabled. Hope this helps!

    If the resolution was helpful, kindly take a moment to click on 210246-screenshot-2021-12-10-121802.pngand click on Yes for was this answer helpful. And, if you have any further query do let us know.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.