Muokkaa

Jaa


How to use a secured storage account with Azure Functions

This article shows you how to connect your function app to a secured storage account. For an in-depth tutorial on how to create your function app with inbound and outbound access restrictions, see the Integrate with a virtual network tutorial. To learn more about Azure Functions and networking, see Azure Functions networking options.

Restrict your storage account to a virtual network

When you create a function app, you either create a new storage account or link to an existing one. Currently, only the Azure portal, ARM template deployments, and Bicep deployments support function app creation with an existing secured storage account.

Note

Secured storage accounts are supported for all tiers of the Dedicated (App Service) plan and the Elastic Premium plan. They're also supported by the Flex Consumption plan. The Consumption plan doesn't support virtual networks.

For a list of all restrictions on storage accounts, see Storage account requirements.

Secure storage during function app creation

You can create a function app, along with a new storage account that is secured behind a virtual network. The following sections show you how to create these resources by using either the Azure portal or by using deployment templates.

Complete the steps in Create a function app in a Premium plan. This section of the virtual networking tutorial shows you how to create a function app that connects to storage over private endpoints.

Note

When you create your function app in the Azure portal, you can also choose an existing secured storage account in the Storage tab. However, you must configure the appropriate networking on the function app so that it can connect through the virtual network used to secure the storage account. If you don't have permissions to configure networking or you haven't fully prepared your network, select Configure networking after creation in the Networking tab. You can configure networking for your new function app in the portal under Settings > Networking.

Secure storage for an existing function app

When you have an existing function app, you can directly configure networking on the storage account being used by the app. However, this process results in your function app being down while you configure networking and while your function app restarts.

To minimize downtime, you can instead swap-out an existing storage account for a new, secured storage account.

1. Enable virtual network integration

As a prerequisite, you need to enable virtual network integration for your function app:

  1. Choose a function app with a storage account that doesn't have service endpoints or private endpoints enabled.

  2. Enable virtual network integration for your function app.

2. Create a secured storage account

Set up a secured storage account for your function app:

  1. Create a second storage account. This storage account is the secured storage account for your function app to use instead of its original unsecured storage account. You can also use an existing storage account not already being used by Functions.

  2. Save the connection string for this storage account to use later.

  3. Create a file share in the new storage account. For your convenience, you can use the same file share name from your original storage account. Otherwise, if you use a new file share name, you must update your app setting.

  4. Secure the new storage account in one of the following ways:

    • Create a private endpoint. As you set up your private endpoint connection, create private endpoints for the file and blob subresources. For Durable Functions, you must also make queue and table subresources accessible through private endpoints. If you're using a custom or on-premises Domain Name System (DNS) server, configure your DNS server to resolve to the new private endpoints.

    • Restrict traffic to specific subnets. Ensure your function app is network integrated with an allowed subnet and that the subnet has a service endpoint to Microsoft.Storage.

  5. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share. AzCopy and Azure Storage Explorer are common methods. If you use Azure Storage Explorer, you might need to allow your client IP address access to your storage account's firewall.

Now you're ready to configure your function app to communicate with the newly secured storage account.

3. Enable application and configuration routing

Note

These configuration steps are required only for the Elastic Premium and Dedicated (App Service) hosting plans. The Flex Consumption plan doesn't require site settings to configure networking.

You're now ready to route your function app's traffic to go through the virtual network:

  1. Enable application routing to route your app's traffic to the virtual network:

    1. In your function app, expand Settings, and then select Networking. In the Networking page, under Outbound traffic configuration, select the subnet associated with your virtual network integration.

    2. In the new page, under Application routing, select Outbound internet traffic.

  2. Enable content share routing to enable your function app to communicate with your new storage account through its virtual network. In the same page as the previous step, under Configuration routing, select Content storage.

Note

You must take special care when routing to the content share in a storage account shared by multiple function apps in the same plan. For more information, see Consistent routing through virtual networks in the Storage considerations article.

4. Update application settings

Finally, you need to update your application settings to point to the new secure storage account:

  1. In your function app, expand Settings, and then select Environment variables.

  2. In the App settings tab, update the following settings by selecting each setting, editing it, and then selecting Apply:

    Setting name Value Comment
    AzureWebJobsStorage Storage connection string Use the connection string for your new secured storage account, which you saved earlier.
    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING Storage connection string Use the connection string for your new secured storage account, which you saved earlier.
    WEBSITE_CONTENTSHARE File share Use the name of the file share created in the secured storage account where the project deployment files reside.
  3. Select Apply, and then Confirm to save the new application settings in the function app.

    The function app restarts.

After the function app finishes restarting, it connects to the secured storage account.

Next steps