Issues with Service Bus Trigger and VNet-Integrated Azure Functions Not Recognizing Network Rules

Schneider, Michael 40 Reputation points
2024-04-02T07:01:49.33+00:00

I am experiencing a challenging issue with my Azure environment, specifically regarding the interaction between Azure Functions, Azure Service Bus (Standard), and network security rules. I have set up Azure Functions within an App Service Plan (B1), which are integrated into a Virtual Network (VNet). These functions are intended to be triggered by messages from an Azure Service Bus queue.

The Service Bus is configured with network rules to enhance security, operating under a Standard tier. According to Microsoft documentation on Service Bus and IP filtering (https://learn.microsoft.com/de-de/azure/service-bus-messaging/service-bus-ip-filtering), functions within a VNet are considered trusted resources and should not require specific IP whitelisting to communicate with the Service Bus. However, in practice, the functions fail to trigger from the Service Bus messages unless I explicitly whitelist the outgoing IP addresses of the Azure Functions in the Service Bus network rules.

This behavior seems contrary to the documentation's guidance, suggesting that either the VNet integration is not correctly recognized as a trusted source by the Service Bus or there might be a misconfiguration on my part.

I appreciate your assistance in resolving this matter, as it is critical to the security and architecture of our cloud infrastructure.

Best regards, Michael


Accepted answer
  1. Silvia Wibowo 3,011 Reputation points Microsoft Employee
    2024-04-05T01:03:19.64+00:00

    Hi @Schneider, Michael, how did you configure your Service Bus? Does it have a binding to a virtual network using service endpoints? I'm guessing you can't configure a private endpoint as your Service Bus is Standard, not Premium.

    If you bind your Service Bus to the same vnet as your Azure Functions, it will see that Service Bus is available via a service endpoint (private IP address), so it will not use public network access. Make sure that you add your subnet (that you use for Azure Functions vnet injection) into the "Selected Network" configuration of your Service Bus network configuration (steps 4-6 in this guide).

    Please note that "TrustedServiceAccessEnabled" is for Azure Services listed here, not for Azure virtual network.
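
The configuration the accepted answer describes, as an added example that is not part of the original thread: it checks that the Functions integration subnet has the Microsoft.ServiceBus service endpoint, then adds that subnet to the namespace's network rule set with default action Deny. All resource names are placeholders, and it assumes the Az.Network and Az.ServiceBus modules and a signed-in Az session.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the thread.
$ResourceGroupName = '<resource-group>'
$NamespaceName     = '<servicebus-namespace>'
$VnetName          = '<vnet-name>'
$SubnetName        = '<function-integration-subnet>'

# 1. The integration subnet must expose the Microsoft.ServiceBus service endpoint.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$endpoints = @($subnet.ServiceEndpoints | Where-Object { $_.Service -eq 'Microsoft.ServiceBus' })
if ($endpoints.Count -eq 0) {
    throw "Subnet '$SubnetName' has no Microsoft.ServiceBus service endpoint; enable it before adding the rule."
}

# 2. Read the current rule set so existing IP and subnet rules are preserved.
$current   = Get-AzServiceBusNetworkRuleSet -ResourceGroupName $ResourceGroupName `
                                            -NamespaceName $NamespaceName
$ipRules   = @($current.IPRule | Where-Object { $_ })
$vnetRules = @($current.VirtualNetworkRule | Where-Object { $_ })

# Add the subnet only if it is not already listed (comparison is case-insensitive).
if ($vnetRules.SubnetId -notcontains $subnet.Id) {
    $vnetRules += New-AzServiceBusVirtualNetworkRuleConfig -SubnetId $subnet.Id
}

# 3. "Selected networks": public endpoint on, everything denied except listed subnets and IPs.
#    -TrustedServiceAccessEnabled is left out because, per the answer, it does not cover VNets.
$params = @{
    ResourceGroupName   = $ResourceGroupName
    NamespaceName       = $NamespaceName
    PublicNetworkAccess = 'Enabled'
    DefaultAction       = 'Deny'
    VirtualNetworkRule  = $vnetRules
}
if ($ipRules.Count -gt 0) { $params.IPRule = $ipRules }
Set-AzServiceBusNetworkRuleSet @params | Out-Null

# 4. Read back and confirm the subnet rule is in place.
$applied = Get-AzServiceBusNetworkRuleSet -ResourceGroupName $ResourceGroupName `
                                          -NamespaceName $NamespaceName
[pscustomobject]@{
    DefaultAction       = $applied.DefaultAction
    PublicNetworkAccess = $applied.PublicNetworkAccess
    SubnetRulePresent   = (@($applied.VirtualNetworkRule).SubnetId -contains $subnet.Id)
    IpRuleCount         = @($applied.IPRule | Where-Object { $_ }).Count
}
```

Once the subnet rule is present, the function app's outbound IP addresses can be taken out of the IP rule list and the trigger retested to confirm traffic arrives through the service endpoint.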


2 additional answers

  1. Silvia Wibowo 3,011 Reputation points Microsoft Employee
    2024-04-03T05:07:59.4+00:00

    Hi @Schneider, Michael, I understand that you're trying to use vNet integration with Azure Functions.

    App Service Plan B1 supports vNet integration for any App Services that use that plan, not for Azure Functions.

    The smallest SKU for Azure Functions that supports vNet integration is EP1 (Azure Function Premium Plan). Please refer to this document.


  2. Schneider, Michael 40 Reputation points
    2024-04-04T09:56:14.7133333+00:00

    Hi @Silvia Wibowo, I tested it out by creating a completely new ASP P1v3 with my Azure Functions and it looks exactly like before with B1. See Network Settings in ASP: [image]

    Azure Functions Network Settings: [image]

    So, is it just something running in the background that I can't see? How can I identify a valid configuration for ASP.NET and Azure Functions with a VNet? And my second question goes back to the Service Bus (Standard).

    With the current configuration, ASP P1v3, the function is unable to communicate with the Service Bus if the network rules are configured to block public network access but allow TrustedServiceAccessEnabled. If I enable public network access and set the Default Action to Deny, I have to add the Azure Functions' Outbound IPs to the Allow List to get it up and running again. However, it doesn't seem like it is running through the VNet. So I wonder if I have a problem with my vnet integration of the ASP and Function or if there is any limitation to Service Bus Standard with Trusted Service Azure Functions in ASP.

    # Update the network rule set to disable Trusted Services
    Set-AzServiceBusNetworkRuleSet -ResourceGroupName $ResourceGroupName `
                                   -NamespaceName $NamespaceName `
                                   -PublicNetworkAccess "Disabled" `
                                   -DefaultAction "Allow" `
                                   -TrustedServiceAccessEnabled `
                                   -IpRule $IpRules
    