Function App to write data to Storage Account with Private Link

Sumeetha Mogasati 126 Reputation points
2022-05-09T21:31:42.553+00:00

Hi,
A Function App that writes data to a Storage Account using the Storage Account Key has been successfully deployed.

The function app is working as expected for the Storage Account with no Private Link.

When the same Function App (using the Storage Account Key) is deployed to a Storage Account that is configured to use Private Link, the function app fails with the exception 'This request is not authorized to perform this operation'. Status: 403 (This request is not authorized to perform this operation.).

Please note the exception stack below. Help appreciated.


The listener for function 'myfunctionapp' was unable to start. This request is not authorized to perform this operation.

RequestId:491a211d-601e-004a-1c07-63c526000000

Time:2022-05-08T18:15:44.6350205Z

Status: 403 (This request is not authorized to perform this operation.)

ErrorCode: AuthorizationFailure

Content:

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.

RequestId:491a211d-601e-004a-1c07-63c526000000

Time:2022-05-08T18:15:44.6350205Z</Message></Error>

Headers:

Server: Microsoft-HTTPAPI/2.0

x-ms-request-id: 491a211d-601e-004a-1c07-63c526000000

x-ms-client-request-id: 23cc799b-59c0-4787-a89d-494ae0166de9

x-ms-error-code: AuthorizationFailure

Date: Sun, 08 May 2022 18:15:44 GMT

Content-Length: 246

Content-Type: application/xml

Microsoft.Azure.WebJobs.Host.Listeners.FunctionListenerException:

Azure.RequestFailedException:

at Azure.Storage.Blobs.BlobRestClient+<AcquireLeaseAsync>d__36.MoveNext (Azure.Storage.Blobs, Version=12.9.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Azure.Storage.Blobs.Specialized.BlobLeaseClient+<AcquireInternal>d__26.MoveNext (Azure.Storage.Blobs, Version=12.9.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Azure.Storage.Blobs.Specialized.BlobLeaseClient+<AcquireAsync>d__25.MoveNext (Azure.Storage.Blobs, Version=12.9.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Microsoft.Azure.WebJobs.Script.BlobLeaseDistributedLockManager+<TryAcquireLeaseAsync>d__12.MoveNext (Microsoft.Azure.WebJobs.Script, Version=3.5.0.0, Culture=neutral, PublicKeyToken=null: D:\a_work\1\s\src\WebJobs.Script\Host\DistributedLockManagers\BlobLeaseDistributedLockManager.cs:134)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Microsoft.Azure.WebJobs.Script.BlobLeaseDistributedLockManager+<TryLockAsync>d__8.MoveNext (Microsoft.Azure.WebJobs.Script, Version=3.5.0.0, Culture=neutral, PublicKeyToken=null: D:\a_work\1\s\src\WebJobs.Script\Host\DistributedLockManagers\BlobLeaseDistributedLockManager.cs:82)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Microsoft.Azure.WebJobs.Host.SingletonManager+<TryLockAsync>d__19.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.32.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Singleton\SingletonManager.cs:113)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Microsoft.Azure.WebJobs.Host.Listeners.SingletonListener+<StartAsync>d__13.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.32.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Singleton\SingletonListener.cs:48)

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at System.Runtime.CompilerServices.TaskAwaiter.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)

at Microsoft.Azure.WebJobs.Host.Listeners.FunctionListener+<StartAsync>d__13.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.32.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Listeners\FunctionListener.cs:68)


Accepted answer
  1. MughundhanRaveendran-MSFT 12,446 Reputation points
    2022-05-10T09:35:04.333+00:00

    @Sumeetha Mogasati ,

    Thanks for reaching out to Q&A.

    I hope the private endpoint linked with the Storage account and the function app are in the same vnet. They can be in same or different subnets inside the vnet. Also please make sure you have configured the DNS changes for private endpoints properly.

    From the function app settings perspective, please make sure you have added the below settings,

    [Image: 200583-image.png]

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings?msclkid=ccba4026d04311eca281f0c501e04a01#website_dns_server

    I hope this helps!

    Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.


2 additional answers

  1. Takahito Iwasa 4,841 Reputation points MVP
    2022-05-09T21:39:07.77+00:00

    Hi, @Sumeetha Mogasati

    Is your function configured to access your storage account using a private link?

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli#private-endpoints

    To call other services that have a private endpoint connection, such as storage or service bus, be sure to configure your app to make outbound calls to private endpoints.


  2. Sumeetha Mogasati 126 Reputation points
    2022-05-17T14:13:59.587+00:00

    Thanks for your rapport and help, @MughundhanRaveendran-MSFT

    Can confirm that after adding the Function App subnet to the Storage Account firewall, all is working as expected now.

    Regards
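
A triage check for the symptom in this thread, added here as an example (not code from the posters or from Microsoft): it combines the `AuthorizationFailure` error code from the stack trace with what the storage hostname resolves to from inside the app's network. The function names, the assumption that private endpoints use RFC 1918 addresses, and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

# Assumption: the VNet (and so the private endpoint) uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname):
    """Distinct addresses the hostname resolves to from where this runs."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def endpoint_path(addresses):
    """Classify where requests to the storage hostname will land."""
    if not addresses:
        return "unresolved"
    private = [any(ipaddress.ip_address(a) in net for net in RFC1918)
               for a in addresses]
    if all(private):
        return "private-endpoint"
    return "mixed" if any(private) else "public-endpoint"

def triage(error_code, addresses):
    """Map a storage error code plus DNS result to the next thing to check."""
    if error_code != "AuthorizationFailure":
        return f"{error_code}: not the network-rule symptom from this thread"
    path = endpoint_path(addresses)
    if path == "unresolved":
        return "name does not resolve: fix DNS for the private endpoint"
    if path == "private-endpoint":
        return ("name resolves privately: check that a private endpoint "
                "exists for the sub-resource in use (blob in this trace)")
    return ("request can reach the public endpoint: fix private DNS and VNet "
            "routing, or allow the Function App subnet on the storage firewall")

if __name__ == "__main__":
    # Constructed sample: error code from the thread, documentation-range address.
    print(triage("AuthorizationFailure", ["203.0.113.10"]))
    # Live use from the app's console (hostname is a placeholder):
    # print(triage("AuthorizationFailure",
    #              resolve("<account>.blob.core.windows.net")))
```
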