Azure Function App calling and Azure Event Grid

GRAY Mike 161 Reputation points
2024-01-12T17:27:47.5866667+00:00

Hi, I currently have Azure Function Apps that publish and subscribe to Event Grids. Some of the Function Apps retrieve data from external sources and publish events to Event Grids for internal transmission to subsequent Azure Functions. The Functions are also talking to a Database, Event Hubs and Storage Accounts. We have VNet-integrated the Function Apps and are using Service Endpoints to enable Azure backbone communication. The Event Grids do not cater for Service Endpoints, so when they call the Event Grid the call is being made over the internet to the public endpoint. We are using Managed Identity, so we have secured these endpoints. I cannot use Private Endpoints as the push mechanism is not supported on Event Grids as per the documentation. Based on this, the queries I have are as follows:

1. On the Function App, when we set the Application Routing Outbound Internet flag, will this direct traffic internally only?
2. What is the purpose of this flag?
3. Can I direct traffic from Functions to Event Grids to be internal only?

Thanks, Mike

Azure Functions: An Azure service that provides an event-driven serverless compute platform.
Azure Event Grid: An Azure event routing service designed for high availability, consistent performance, and dynamic scale.

Accepted answer
  MayankBargali-MSFT 69,421 Reputation points
    2024-01-22T05:59:15.97+00:00

    @GRAY Mike Thanks for reaching out. It looks like you are trying to restrict outbound traffic from your Azure Function App to the public internet and instead route it through your VNet. The "Application Routing (Outbound Internet)" flag in the Function App settings controls whether outbound traffic from your app is routed through the VNet integration or directly to the public internet.

    When this flag is set to "On", outbound traffic from your app is routed through the VNet integration, and when it is set to "Off", outbound traffic is sent directly to the public internet.

    However, please note that this flag only controls outbound traffic from your app and does not affect inbound traffic to your app. In other words, it will not affect the traffic coming into your app from Event Grids.

    Regarding your question about directing traffic for functions to event grids to be internal only, unfortunately, it is not currently possible to deliver events using private endpoints with Event Grids. However, you can use a private link configured in Azure Functions or your webhook deployed on your virtual network to pull events. This means that the traffic goes over the public IP/internet from Event Grid to Event Hubs, Service Bus, or Azure Storage, but the channel can be encrypted, and a managed identity of Event Grid is used. If you configure your Azure Functions or webhook deployed to your virtual network to use an Event Hubs, Service Bus, or Azure Storage via private link, that section of the traffic will evidently stay within Azure.

    Please 'Accept Answer' if it helped so that it can help others in the community looking for help on similar topics.


1 additional answer

  Sedat SALMAN 13,180 Reputation points
    2024-01-12T22:03:15.96+00:00

    Your Azure Function App, integrated into a virtual network, primarily interacts with Azure Event Grids over the internet using public endpoints. This is due to the current lack of support for private endpoints in Azure Event Grids, necessitating the use of the internet for such communications, even though your Function Apps are secured with Managed Identity.

    When it comes to routing outbound traffic from your Azure Function App, the key lies in the integration with a virtual network and the appropriate configuration of the WEBSITE_VNET_ROUTE_ALL application setting. Setting this flag to 1 ensures that outbound traffic from the Azure Function is directed into the virtual network, allowing you to control the traffic flow using NSGs and UDRs. This setup is essential for securing and managing your application's communication within Azure's networking infrastructure. However, it's important to note that despite these configurations, traffic to Event Grids must still traverse the public internet.

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
    https://www.thebestcsharpprogrammerintheworld.com/2020/07/20/website_vnet_route_all-and-azure-functions/

    Additionally, integrating Azure Functions with Azure Virtual Network NAT can be beneficial to avoid issues like SNAT port exhaustion, ensuring efficient use of outbound connections.

    https://azure.github.io/AppService/2021/03/02/Using-Azure-Functions-with-Azure-Virtual-Network-NAT-to-Avoid-SNAT-Port-Exhaustion.html

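The outbound routing setting that both answers describe, written out as an added deployment example (not code from this thread, and not Microsoft's own template): a VNet-integrated Function App with the "route all" outbound setting enabled, and an NSG on the integration subnet that only has allow rules for the services the question lists (Event Grid, Storage, Event Hubs, SQL) using their service tags. `vnetRouteAllEnabled` is the site property behind the portal's outbound-internet routing toggle and the current form of the `WEBSITE_VNET_ROUTE_ALL=1` app setting mentioned in the second answer. The resource names, parameters, API versions and NSG rule set are assumptions for illustration.

```bicep
// Added example; not from the thread above. All names and parameters are assumed.
// Deploy into an existing resource group and VNet, e.g.:
//   az deployment group create -g <rg> -f main.bicep -p functionAppName=<name> ...
param location string = resourceGroup().location
param functionAppName string
param planId string                       // assumption: existing Elastic Premium or Dedicated plan
param vnetName string                     // assumption: existing VNet in this resource group
param integrationSubnetName string = 'snet-func-integration'
param integrationSubnetPrefix string = '10.10.1.0/26'
param storageAccountName string           // assumption: account used as AzureWebJobsStorage

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// NSG on the integration subnet. Once vnetRouteAllEnabled is on, every outbound
// connection the app makes is evaluated here, so egress can be allowed per service tag.
// Event Grid publish calls still leave over the public IP ranges behind the
// AzureEventGrid tag (the thread's point), but only on TCP/443 and only to that tag.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-${integrationSubnetName}'
  location: location
  properties: {
    securityRules: [
      for (tag, i) in ['AzureEventGrid', 'Storage', 'EventHub', 'Sql']: {
        name: 'allow-https-to-${toLower(tag)}'
        properties: {
          priority: 100 + i * 10
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: tag   // service tag, not a literal IP range
          destinationPortRange: '443'
        }
      }
    ]
    // A low-priority "Deny Internet" outbound rule is the usual next step; add it only
    // after the app's remaining dependencies (its own content storage, Application
    // Insights, runtime update endpoints) have explicit allow rules, or the app breaks.
  }
}

// Subnet delegated to App Service with the service endpoints the question relies on.
resource integrationSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: integrationSubnetName
  properties: {
    addressPrefix: integrationSubnetPrefix
    networkSecurityGroup: { id: nsg.id }
    delegations: [
      { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
    ]
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }
      { service: 'Microsoft.EventHub' }
      { service: 'Microsoft.Sql' }
    ]
  }
}

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: { type: 'SystemAssigned' }    // the managed identity used for Event Grid auth
  properties: {
    serverFarmId: planId
    httpsOnly: true
    virtualNetworkSubnetId: integrationSubnet.id
    siteConfig: {
      minTlsVersion: '1.2'
      // The portal's outbound-internet routing toggle. true = all outbound traffic goes
      // through the VNet integration (NSG/UDR apply); false = only RFC1918 traffic does.
      vnetRouteAllEnabled: true
      appSettings: [
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        // Legacy form of the same switch; the site property above takes precedence.
        { name: 'WEBSITE_VNET_ROUTE_ALL', value: '1' }
        // Identity-based storage connection: no connection string in app settings.
        // Assumes the identity has been granted the blob/queue/table data roles.
        { name: 'AzureWebJobsStorage__accountName', value: storageAccountName }
      ]
    }
  }
}

output functionPrincipalId string = functionApp.identity.principalId
```

The `output` exposes the app's principal id so the Event Grid topic's data-sender role assignment can be done in a separate deployment; the NSG shows where egress to Event Grid can be pinned to the service tag and port even though, as both answers say, it cannot be moved off the public endpoint.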