Share via

Azure function app not able to access storage account

Aditya Patkar 0 Reputation points
2025-02-27T05:41:08.3533333+00:00

I have an azure function app created under flex consumption plan through azure portal and I am trying to publish my local code to the azure function, which is using an existing storage account where I have whitelisted my azure functions ip address so that it can access it. But I am getting the following error while deploying. If I enable traffic from all public ips then its able to publish and run but limiting it to selected ips is giving issue.

DETAILS: my-app
in deployment settings I am using connection string which is having AzureWebJobStorage as value and my storage account has "Allow storage account key acces" enabled.

ERROR:
Unable to get table reference or create table. Aborting write operation. This request is not authorized to perform this operation. RequestId: xxxxxxxxxxxxxxx Time:xxxxxxxxxxxx Status: 403 (Forbidden) ErrorCode: AuthorizationFailure Content: {'odata.error':{'code':'AuthorizationFailure','message':{'lang':'en-US','value':'This request is not authorized to perform this operation.}

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,393 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 1,665 Reputation points
    2025-02-27T07:23:57.92+00:00

    Hi,

    U blocked access to storage by limiting IPs. Azure Functions use dynamic outbound IPs, so whitelisting a few won't work.

    Use Virtual Network (VNet) Integration instead of IP whitelisting

    Switch to Private Endpoints for secure access

    If u must whitelist, get all outbound IPs from az functionapp show --query outboundIpAddresses and add them Or just allow all traffic and move on (not best solution allow all traffci, but at least u can check it).

    Please click Accept Answer and upvote if the above was helpful.

    rgds,

    Alex

    0 comments
  2. Deepanshu katara 14,330 Reputation points MVP
    2025-02-27T07:44:01.53+00:00

    Hello Aditya , welcome to MS Q&A

    The function might execute from different IPs than the one you’ve whitelisted as These IPs are not static and dynamic and can changeUser's image

    Your storage account’s firewall might be blocking Azure Functions' traffic.

    Fix:

    Each function app has a set of available outbound IP addresses. Any outbound connection from a function, such as to a back-end database, uses one of the available outbound IP addresses as the origin IP address. You can't know beforehand which IP address a given connection will use. For this reason, your back-end service must open its firewall to all of the function app's outbound IP addresses.

    When a function app that runs on the Consumption plan or the Flex consumption is scaled, a new range of outbound IP addresses may be assigned. When running on either of these plans, you can't rely on the reported outbound IP addresses to create a definitive allowlist. To be able to include all potential outbound addresses used during dynamic scaling, you'll need to add the entire data center to your allowlist.

    If you want to whitelist, get all outbound IPs from az functionapp show --query outboundIpAddresses

    Pls check this doc -->IP addresses in Azure Functions

    Please let me know if any ques

    Kindly accept answer if it helps

    Thanks

    Deepanshu

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.