Deploy Azure function with Azure DevOps pipeline and secured storage account

BeniaminMuresan-5169 111 Reputation points
2021-09-24T08:11:06.147+00:00

Hello,

We have several Azure functions in a dedicated plan and part of a vnet that use the same storage account. The storage account has the sole scope of meeting the requirement that a function must always be linked to a storage account.

The deployment process is automated using an Azure DevOps pipeline.

We are trying to address a penetration testing recommendation by securing the storage account and we noticed the following behavior:

  1. If securing the current storage account (by allowing only the vnet traffic), things go well; the pipeline runs successfully.
  2. If creating a new storage account and securing it (by allowing only the vnet traffic), the deployment is no longer possible because of the network rules that forbid traffic by default. In this case, it seems sensible to perform a whitelisting. However, if we whitelist the pipeline agent IP, the deployment pipeline still doesn't work.
    ```text
    [error]Failed to deploy web package to App Service.
    [error]To debug further please check Kudu stack trace URL : https://<placeholder>.scm.azurewebsites.net/api/vfs/LogFiles/kudu/trace
    [error]Error: Error: Failed to deploy web package to App Service. Internal Server Error (CODE: 500)
    ```
The stack trace specifically mentions the lack of access.

On the other hand, if we set the storage network rules to Allow all traffic, the deployment is successful.

The questions:
a) Not sure why securing the old storage account does not affect the pipeline while a new secured storage account does?
b) Not sure why whitelisting only the agent IP doesn't seem to work? Are there any under-the-hood requests from a different IP?


Accepted answer
  1. MughundhanRaveendran-MSFT 12,421 Reputation points
    2021-10-06T13:32:08.993+00:00

    @BeniaminMuresan-5169 ,

    Thanks for reaching out.

    Firstly, I would suggest you look into the article below to make sure that the storage account is integrated with the vnet properly.

    https://learn.microsoft.com/en-us/azure/azure-functions/configure-networking-how-to#restrict-your-storage-account-to-a-virtual-network

    So you have a working and a non-working storage account; please make sure the settings/configuration are identical on both storage accounts and on the function app associated with each. Please check that you have the following settings enabled in the function app as well:

    WEBSITE_CONTENTOVERVNET = 1
    WEBSITE_VNET_ROUTE_ALL = 1
    WEBSITE_DNS_SERVER = 168.63.129.16 (applicable when you are using Azure DNS)

    Whitelisting the DevOps agent IP on the storage account may or may not help. However, we suggest making the above changes, which are sufficient for the deployment to be successful. Also, please try to enable verbose logging in the DevOps pipeline to get a more descriptive error message. Verbose logging can be enabled by adding the parameter “system.debug” = true in the DevOps pipeline.

    https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemdebug

    Also, before the deployment, please check whether the function app is able to reach the storage account. You can check this by navigating to the Functions page in the function app and seeing whether you get the "Azure Functions runtime is unreachable" error. If you see this error, it means that the function app is not able to communicate with the storage account.

    I hope this helps!

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

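    A pipeline that applies the three app settings above before deploying and checks the storage account's network rules, as an added example that is not part of this answer; the service connection, app, resource group, storage account names and package path are placeholders.

    ```yaml
    # Added example: apply the VNet-related app settings, confirm the storage
    # account's network rules, then deploy. All names below are placeholders.
    trigger:
      - main

    variables:
      system.debug: true                              # verbose task logging
      azureSubscription: '<service-connection-name>'  # placeholder
      functionAppName: '<function-app-name>'          # placeholder
      resourceGroupName: '<resource-group-name>'      # placeholder
      storageAccountName: '<storage-account-name>'    # placeholder

    pool:
      vmImage: 'ubuntu-latest'

    steps:
      # Build/publish steps are assumed to produce app.zip in the staging directory.
      - task: AzureAppServiceSettings@1
        displayName: 'Route content share and outbound traffic through the VNet'
        inputs:
          azureSubscription: $(azureSubscription)
          appName: $(functionAppName)
          resourceGroupName: $(resourceGroupName)
          appSettings: |
            [
              { "name": "WEBSITE_CONTENTOVERVNET", "value": "1", "slotSetting": false },
              { "name": "WEBSITE_VNET_ROUTE_ALL", "value": "1", "slotSetting": false },
              { "name": "WEBSITE_DNS_SERVER", "value": "168.63.129.16", "slotSetting": false }
            ]

      - task: AzureCLI@2
        displayName: 'Show the storage account default action and VNet rules'
        inputs:
          azureSubscription: $(azureSubscription)
          scriptType: bash
          scriptLocation: inlineScript
          inlineScript: |
            # Expect defaultAction = Deny with the function app's subnet listed.
            az storage account show -n "$(storageAccountName)" -g "$(resourceGroupName)" \
              --query "{defaultAction:networkRuleSet.defaultAction, vnetRules:networkRuleSet.virtualNetworkRules[].virtualNetworkResourceId}" \
              -o json

      - task: AzureFunctionApp@1
        displayName: 'Deploy the function app package'
        inputs:
          azureSubscription: $(azureSubscription)
          appType: functionApp
          appName: $(functionAppName)
          package: '$(Build.ArtifactStagingDirectory)/app.zip'
    ```

    With system.debug set, the deploy task's log shows the Kudu requests that fail when the function app cannot reach the storage account, which is the error the question reports.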

1 additional answer

  1. MughundhanRaveendran-MSFT 12,421 Reputation points
    2021-10-08T11:38:32.427+00:00

    @BeniaminMuresan-5169 ,
    Have you got a chance to look into the answer provided above?

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.