Problem Outline
An Azure Function App cannot be accessed once it is integrated into a VNET and WEBSITE_VNET_ROUTE_ALL is set to 1.
This is required so that the Function App can securely connect to SQL without making the SQL publicly available.
Errors:
Unable to list Function App keys.
HTTP request (curl) from within a VM in the same network fails: 504 Gateway Timed out
Architectural Diagram
Steps to reproduce
- Create a Resource Group
- Create a VNET with 10.20.11.0/26 address space
- Create a Subnet for the Function App to integrate into with address range of 10.20.11.0/27
- Create a Linux Function App and integrate it into the VNET you created in step 2.
- See that App keys still load as normal.
- Create a Subnet for the database with address range of 10.20.11.32/27
- Create SQL Server and SQL Database.
- Create a Private Link with DNS Zone on the Database and restrict public access.
- Link DNS Zone to VNET created in step 2.
- See that the Function App resolves the SQL private link to the public IP address.
- In the Function App configuration, add an Application setting WEBSITE_VNET_ROUTE_ALL and set it to 1.
- See that the Function App now resolves the SQL private link to the private IP address.
- See that Function App keys are not loading.
- Attempt to connect to the Function App through a connection from the network or from the public URL.
- See that the Function App gateway times out.
Through an SSH connection into the Function App, and using nslookup, we determined that the private link resolves to the local IP address of the SQL database as expected.
With the WEBSITE_VNET_ROUTE_ALL flag set to 0, nslookup resolves the public IP of the SQL database.
Because the SQL database is restricted and only reachable from the network, it is vital that the WEBSITE_VNET_ROUTE_ALL setting is set to 1.
WEBSITE_VNET_ROUTE_ALL = 1
WEBSITE_VNET_ROUTE_ALL = 0
References
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
This was resolved by adding a "Microsoft.Storage" service endpoint to the Function App subnet.
When all outbound traffic is routed into the VNET, the subnet needs a service endpoint to Storage so that the Function App can still reach the storage account that holds its configuration and functions; without it the host cannot load its keys and requests time out.
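As an added example (not code from the original post), the check below encodes the dependency described above: WEBSITE_VNET_ROUTE_ALL=1 is only safe when the integration subnet also carries a Microsoft.Storage service endpoint. The samples are constructed to look like the JSON that `az network vnet subnet show` and `az functionapp config appsettings list` return; the exact field names are an assumption.

```python
"""Audit the Function App VNet-integration settings this page describes."""
import json

# Constructed samples shaped like `az network vnet subnet show -o json` (field names assumed).
SUBNET_BEFORE_FIX = json.loads("""{
  "name": "snet-function", "addressPrefix": "10.20.11.0/27",
  "delegations": [{"serviceName": "Microsoft.Web/serverFarms"}],
  "serviceEndpoints": []
}""")
SUBNET_AFTER_FIX = json.loads("""{
  "name": "snet-function", "addressPrefix": "10.20.11.0/27",
  "delegations": [{"serviceName": "Microsoft.Web/serverFarms"}],
  "serviceEndpoints": [{"service": "Microsoft.Storage", "provisioningState": "Succeeded"}]
}""")
# Constructed sample shaped like `az functionapp config appsettings list -o json`.
APP_SETTINGS_ROUTE_ALL = [
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": False},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "value": "1", "slotSetting": False},
]


def route_all_enabled(app_settings):
    """True when WEBSITE_VNET_ROUTE_ALL is 1, i.e. all outbound traffic enters the VNET."""
    return any(s["name"] == "WEBSITE_VNET_ROUTE_ALL" and s["value"] == "1" for s in app_settings)


def has_service_endpoint(subnet, service):
    return any(ep.get("service") == service for ep in subnet.get("serviceEndpoints", []))


def audit(subnet, app_settings):
    """Return a list of findings; an empty list means the combination is consistent."""
    findings = []
    if not any(d.get("serviceName") == "Microsoft.Web/serverFarms" for d in subnet.get("delegations", [])):
        findings.append("subnet is not delegated to Microsoft.Web/serverFarms; VNET integration cannot use it")
    if route_all_enabled(app_settings):
        # The failure on this page: with route-all on, the storage account holding the
        # function's configuration and code is only reachable via a Storage service endpoint.
        if not has_service_endpoint(subnet, "Microsoft.Storage"):
            findings.append("WEBSITE_VNET_ROUTE_ALL=1 without a Microsoft.Storage service endpoint: "
                            "host cannot read its configuration (keys fail to list, requests 504)")
    else:
        findings.append("WEBSITE_VNET_ROUTE_ALL is not 1: a private-link-only SQL server "
                        "resolves to its public IP and is unreachable")
    return findings


if __name__ == "__main__":
    for label, subnet in (("before", SUBNET_BEFORE_FIX), ("after", SUBNET_AFTER_FIX)):
        print(label, audit(subnet, APP_SETTINGS_ROUTE_ALL) or ["ok"])
```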