question

GavinWun-4722 avatar image
0 Votes"
GavinWun-4722 asked brtrach-MSFT edited

Azure ARM/Bicep VNet Integration stops function from working after recent change for vnetRouteAllEnabled at portal

Hello,

The bicep that we used to deploy/update a function resource on Azure has stopped working this week.

Since the end of last week, there was a new change where the flag vnetrouteAllEnabled was added to the portal under vnet integrations settings page - https://docs.microsoft.com/en-us/answers/questions/503122/is-website-vnet-route-all-redundant-or-soon-to-be.html

Whenever I try to deploy a function to Azure with vnet integration, the functions would not work - e.g. SCM website would return service unavailable etc.

The same bicep worked fine last week and seems like the flag vnetrouteAllEnabled is doing something different to the setup that's causing the function to stop working.

The following is the original bicep that worked before -

 resource functionsSite 'Microsoft.Web/sites@2021-01-15' = {
   name: functionsAppName
   location: location
   kind: kind
   identity: {
     type: 'SystemAssigned' //type: isSystemAssignedManagedIdentity ? 'SystemAssigned' : 'None'
   }
   properties: {
     serverFarmId: functionsAppPlanName_resource.id
     siteConfig: {
       linuxFxVersion: linuxFxVersion 
       alwaysOn: alwaysOn
       scmIpSecurityRestrictionsUseMain: false
       ipSecurityRestrictions: appGwSubnetId == '' ? [] : ipSecurityRestrictions
     }
     containerSize: 1536
     reserved: true
   }
   tags: {
     'environment': environmentName
     'service': serviceTag
     'instance': instance
   }
    
 }
    
 resource networkConfig 'Microsoft.Web/sites/networkConfig@2020-06-01' = if(vnetSubnetId != '') {
   parent: functionsSite
   name: 'virtualNetwork'
   properties: {
     subnetResourceId: vnetSubnetId
     swiftSupported: true
   }
 }

But now when I use the above bicep, I am unable to access the function's SCM website, and also the function will be inaccessible as well (e.g. cannot turn on stream logs etc to view what's going on)

I've also tried the following bicep that I changed to use after seeing the new option "vnetrouteAllEnabled" for vnet integration in the portal to use that option instead, but still doesn't work (some parts excluded to shorten the bicep. e.g. app settings etc) -

 resource functionsSite 'Microsoft.Web/sites@2021-01-15' = {
   name: functionsAppName
   location: location
   kind: kind
   identity: {
     type: 'SystemAssigned' //type: isSystemAssignedManagedIdentity ? 'SystemAssigned' : 'None'
   }
   properties: {
     serverFarmId: functionsAppPlanName_resource.id
     siteConfig: {
       linuxFxVersion: linuxFxVersion 
       alwaysOn: alwaysOn
       scmIpSecurityRestrictionsUseMain: false
       ipSecurityRestrictions: appGwSubnetId == '' ? [] : ipSecurityRestrictions
       vnetRouteAllEnabled: vnetSubnetId == '' ? false : true
       vnetPrivatePortsCount: 0
     }
     containerSize: 1536
     reserved: true
     virtualNetworkSubnetId: vnetSubnetId == '' ? null : vnetSubnetId
   }
   tags: {
     'environment': environmentName
     'service': serviceTag
     'instance': instance
   }
    
 }

I am deploying this function to an app service plan using Premium V2 (P1V2 PremiumV2) - all Linux plans and functions.

I have also removed the flag WEBSITE_VNET_ROUTE_ALL from app settings as well but still fails.

Note that the storage account used by the function is also vnet restricted as well so I've also included app settings WEBSITE_CONTENTOVERVNET to the bicep deploy.

Creating the function without vnet integration, then manually setting it via portal works fine, just wouldn't work via bicep.

I've tried to compare the export from portal from the function created via portal vs what was deployed by bicep, and both looks the same.

azure-functions
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers