Function App & Account Storage - Public Internet Access

Question

I am struggling to understand the communication that the FunctionApp requires. Let's say I have a function app written in Python that during the runtime communicates with some public API. Besides that it does not need any internet access.

How I understand is that Function App to run requires communication with Storage Account. Both of those resources have their networking tabs, where we can set the option for "Public network access" to: a) Enabled from all networks b) Enabled from selected virtual networks and IP addresses c) Disabled

In the example setting provided Storage account and Function App do not need to be available from all networks. Is the public internet access needed for communication between them? How does the function app identity that can be turned on influences this workflow?

Answer 1

If you restrict access to the Function App and Storage Account by changing the Public network access setting to Enabled from selected virtual networks and IP addresses, you can specify which virtual networks and IP addresses are allowed to access your resources.

To establish communication between Function App and Storage Account:

• Integrate the Function App with a VNET/subnet:

Function App should be created with Functions Premium or App Service Plan to integrate with VNET.

• Add VNET Subnet in the Storage Account=> Networking and add the ClientIP in the firewall:

• This allows to establish communication between Azure Function App and Storage Account.

Function App identity can be used to authenticate your Function App with Azure Key Vault or Azure Storage to improve the security of your application.

---

• I have created a Python Azure Function App with Access Restrictions enabled.
• Also allowed Enabled from selected virtual networks and IP addresses storage account.

But I got 403 Forbidden error due to the access restrictions in the function app while accessing public API.

• As per my observation to run the Azure function with public APIs, Enabled from all networks should be allowed in the Function app=>Networking in few Scenarios.

I have created a Python Azure function to access a Public API (https://www.weatherapi.com) using below code.

@app.route(route="HttpTrigger", auth_level=func.AuthLevel.ANONYMOUS)
def HttpTrigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    location = req.params.get('location')
    if not location:
        try:
            req_body = req.get_json()
        except ValueError:
            pass
        else:
            location = req_body.get('location')

    if location:
        url = f'https://api.weatherapi.com/v1/current.json?key=<API_KEY>2&q={location}'
        response = requests.get(url)
        data = response.json()
        return func.HttpResponse(f"Current temperature in {location} is {data['current']['temp_c']} degrees Celsius.")
    else:
        return func.HttpResponse(
             "Please provide a location parameter in the query string or in the request body",
             status_code=400
        )

• I had to enable "Enabled from all networks" to run the function.

References:

1. Configure Azure Storage firewalls and virtual networks
2. Azure Functions Access to Restricted Storage Accounts – Mr. Brooks