How to terminate Durable Function instance hosted in a container app in a VNet?

Laoura Gkogka 20

I have an Azure Durable Function running inside an Azure Container App that is deployed within a VNet. I need to stop or terminate instances of this function, but I am unsure of the best approach, considering the networking constraints.

Khadeer Ali 3,510 Reputation points Microsoft Vendor

2025-02-17T13:15:56.32+00:00

@Laoura Gkogka ,

Thanks for reaching out. To terminate an instance of your Azure Durable Function running inside an Azure Container App within a VNet, you can use the HTTP API to start the termination process, which might take some time to complete. Ensure that your Azure Storage account has a private endpoint for the table sub-resource to help with SSL connections and avoid connectivity issues. Additionally, update the storage account firewall rules to allow access from the VNet where your function app is located, which will facilitate deployment. Lastly, check that the DNS settings allow resolution of the storage account's private endpoint, as this is necessary for the function app to connect to the storage account.

If the termination request doesn't work as expected, you can use the Purge API to delete all state associated with the instance. Also, setting timeouts and retry logic for your orchestrations and activity functions can help avoid issues.

references :

https://learn.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-instance-management?tabs=csharp#terminate-instances

https://learn.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-http-api

If you have any more questions or need further assistance, feel free to reach out.
Laoura Gkogka 20 Reputation points

2025-02-18T08:54:04.9066667+00:00

Hi Khadeer,

Thank you for your response!

We attempted to run the following command from our jumphost, but we encountered a 401 Unauthorized error:

curl -v -X POST "<CONTAINER-APP-URL>/runtime/webhooks/durabletask/instances/<INSTANCE-ID>/terminate"

Based on the documentation, it seems we need to include an authentication code, but we’re unsure which specific code is required or if there is actually anything else we should take into account.

For context, our Azure Durable Function is hosted in Container Apps within a VNet, and it is accessible from our jumphost VM.

We appreciate your help!
Laoura Gkogka 20 Reputation points

2025-02-18T09:59:22.9933333+00:00

As an update, we are using the terminatePostUri obtained after sending the request as follows:

curl -i -X POST "<terminatePostUri>"

However, we are still encountering a 401 Unauthorized error, even though the terminatePostUri contains the expected code. Here is the exact response:

HTTP/2 401 content-length: 0 date: <DATE> server: Kestrel www-authenticate: Bearer request-context: appId=cid-v1:<APP-ID>

Could you please advise if additional authentication is required, or if there are any specific headers or tokens that need to be included in the request? Any insights would be greatly appreciated.
Khadeer Ali 3,510 Reputation points Microsoft Vendor

2025-02-18T10:36:35.11+00:00

@Laoura Gkogka

Could you confirm which authentication method you are using?

If you are using a Function Key, please ensure that it is included in the request.

You can find the function key in: Azure Portal → Function App → Functions → Your Function → Function Keys

Try appending it to your request like this:

curl -i -X POST "<terminatePostUri>&code=<YOUR_FUNCTION_KEY>"

If the issue persists, try setting the function’s authentication to Anonymous (only for testing). You can change this in: Azure Portal → Function App → Authentication → Change Authorization Level to Anonymous
Laoura Gkogka 20 Reputation points

2025-02-18T11:08:38.72+00:00

@Khadeer Ali

We do not have a Function App as we packaged Durable Functions as a containerized application and deployed to Azure Container Apps instead of Azure App Service. Find attached our architecture.
Khadeer Ali 3,510 Reputation points Microsoft Vendor

2025-02-19T10:12:27.4566667+00:00

@Laoura Gkogka ,

Did you get chance to try the above methods?

1 answer

Khadeer Ali 3,510 Reputation points Microsoft Vendor

2025-02-18T11:50:57.55+00:00

@Laoura Gkogka ,

Since your Durable Function is running in an Azure Container App inside a VNet, the 401 error might be due to authentication or network restrictions.

Authentication – Managed Identity: Make sure your Managed Identity (msi-salil-test) has the right permissions, like "Azure Container Apps Service Contributor" and "Storage Queue Data Contributor". You can check its permissions with this command:

az role assignment list --assignee <MANAGED_IDENTITY_CLIENT_ID>

If you're using MSI, try getting an access token and passing it in your request:

ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com --query accessToken --output tsv)

curl -i -X POST "<terminatePostUri>" -H "Authorization: Bearer $ACCESS_TOKEN"

Network Access: Since your function is inside a VNet, make sure your jumphost can reach the Container App. Run nslookup from the jumphost to check DNS resolution. Also, ensure that Private Endpoints and Firewall Rules allow traffic from the jumphost to the Container App.

Last option -Set to Anonymous: If you're still getting a 401 error, you can temporarily set authentication to Anonymous in the Azure Portal. Go to Container Apps → Authentication → Change to Anonymous. If this works, then it's definitely an authentication issue.
Please sign in to rate this answer.
Khadeer Ali 3,510 Reputation points Microsoft Vendor

2025-02-20T14:47:14.35+00:00

@Laoura Gkogka ,

Just following up again to see if you were able to resolve the issue or if there's anything else I can assist you with.

Laoura Gkogka 20 Reputation points

2025-02-20T14:50:07.3033333+00:00

Hi @Khadeer Ali thank you for your help but even after following all of the alternative solutions we keep getting the 401 error.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to terminate Durable Function instance hosted in a container app in a VNet?

1 answer

Your answer