|
1 | 1 | ---
|
2 | 2 | title: How to configure Azure Functions with a virtual network
|
3 | 3 | description: Article that shows you how to perform certain virtual networking tasks for Azure Functions.
|
4 |
| -ms.topic: conceptual |
| 4 | +ms.topic: how-to |
5 | 5 | ms.date: 03/24/2023
|
6 | 6 | ms.custom: template-how-to
|
7 | 7 | ---
|
8 | 8 |
|
9 | 9 | # How to configure Azure Functions with a virtual network
|
10 | 10 |
|
11 |
| -This article shows you how to perform tasks related to configuring your function app to connect to and run on a virtual network. For an in-depth tutorial on how to secure your storage account, please refer to the [Connect to a Virtual Network tutorial](functions-create-vnet.md). To learn more about Azure Functions and networking, see [Azure Functions networking options](functions-networking-options.md). |
| 11 | +This article shows you how to perform tasks related to configuring your function app to connect to and run on a virtual network. For an in-depth tutorial on how to secure your storage account, refer to the [Connect to a Virtual Network tutorial](functions-create-vnet.md). To learn more about Azure Functions and networking, see [Azure Functions networking options](functions-networking-options.md). |
12 | 12 |
|
13 | 13 | ## Restrict your storage account to a virtual network
|
14 | 14 |
|
15 |
| -When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. During creation, you can secure the storage account using the Azure Portal (refer Option 1 below) or ARM template (refer Option 2 below). If the storage account was not secured during creation, you can also replace this storage account with one that is secured with service endpoints or private endpoints by updating the settings manually (refer Option 3 below). Due to current design, its not possible to directly secure the same storage account thats used by an already created function app. |
| 15 | +When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can secure a new storage account behind a virtual network during account creation. At this time, you can't secure an existing storage account being used by your function app in the same way. |
16 | 16 |
|
17 |
| -- **Option 1:** To create a new function app using a new storage account that's locked behind a virtual network, via the Azure portal, you can follow the tutorial [Use private endpoints to integrate Azure Functions with a virtual network](https://learn.microsoft.com/azure/azure-functions/functions-create-vnet) |
| 17 | +> [!NOTE] |
| 18 | +> Securing your storage account is supported for all tiers in both Dedicated (App Service) and Elastic Premium plans. Consumption plans currently don't support virtual networks. |
18 | 19 |
|
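Review bot: The note added at line 18 widens the support statement compared with the note it replaces. The removed text limited Elastic Premium to Windows ("for Windows Elastic Premium plans"), while the new text says "all tiers in both Dedicated (App Service) and Elastic Premium plans" with no operating system qualifier. If Linux Elastic Premium is now covered, state that explicitly; if it isn't, keep the Windows qualifier, because readers decide from this sentence whether their plan can have its storage account restricted. In line 15, "in the same way" is ambiguous about what an existing app can do; consider pointing to the "Existing function app" section instead.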
19 |
| -- **Option 2:**To create a new function app using a new storage account that's locked behind a virtual network, via an ARM template, you can use this [Quickstart template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/function-app-storage-private-endpoints) |
| 20 | +### During function app creation |
20 | 21 |
|
21 |
| -- **Option 3:**To secure an already existing function app to a secure storage account that's locked behind a virtual network, follow the instructions below. |
| 22 | +You can create a new function app along with a new storage account secured behind a virtual network. The following links show you how to create these resources by using either the Azure portal or by using deployment templates: |
22 | 23 |
|
23 |
| -> [!NOTE] |
24 |
| -> This feature currently works for all Windows and Linux virtual network-supported SKUs in the Dedicated (App Service) plan and for Windows Elastic Premium plans. Consumption tier isn't supported. |
| 24 | +# [Azure portal](#tab/portal) |
| 25 | + |
| 26 | +Complete the following tutorial to create a new function app a secured storage account: [Use private endpoints to integrate Azure Functions with a virtual network](functions-create-vnet.md). |
| 27 | + |
| 28 | +# [Deployment templates](#tab/templates) |
| 29 | + |
| 30 | +Use Bicep or Azure Resource Manager (ARM) [quickstart templates](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/function-app-storage-private-endpoints) to create secured function app and storage account resources. |
| 31 | + |
| 32 | +--- |
| 33 | + |
| 34 | +### Existing function app |
| 35 | + |
| 36 | +When you have an existing function app, you can't secure the storage account currently being used by the app. You must instead swap-out the existing storage account for a new, secured storage account. |
| 37 | + |
| 38 | +To secure the storage for an existing function app: |
| 39 | + |
| 40 | +1. Choose a function app with a storage account that doesn't have service endpoints or private endpoints enabled. |
| 41 | + |
| 42 | +1. [Enable virtual network integration](./functions-networking-options.md#enable-virtual-network-integration) for your function app. |
25 | 43 |
|
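Review bot: Line 26 is missing a word: "create a new function app a secured storage account" should read "create a new function app with a secured storage account". On line 36, "swap-out" is used as a verb and should be "swap out". Line 40 now says "Choose a function app" where the old step said "Create or Use"; if creating a fresh app is still a valid starting point for this procedure, keep that wording.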
26 |
| -1. Create or Use a function app with a storage account that does not have service endpoints or private endpoints enabled. |
| 44 | +1. Create or configure a second storage account. This is going to be the secured storage account that your function app uses instead. |
27 | 45 |
|
28 |
| -1. Configure the function to connect to your virtual network. |
| 46 | +1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) in the new storage account. |
29 | 47 |
|
30 |
| -1. Create or configure a different storage account. This will be the storage account we secure with private endpoints or service endpoints and connect our function. |
| 48 | +1. Secure the new storage account in one of the following ways: |
31 | 49 |
|
32 |
| -1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) in the secured storage account. |
| 50 | + * [Create a private endpoint](../storage/common/storage-private-endpoints.md#creating-a-private-endpoint). When using private endpoint connections, the storage account must have private endpoints for the `file` and `blob` subresources. For Durable Functions, you must also make `queue` and `table` subresources accessible through private endpoints. |
33 | 51 |
|
34 |
| -1. Enable service endpoints or private endpoint for the storage account. |
35 |
| - * If using private endpoint connections, the storage account will need a private endpoint for the `file` and `blob` sub-resources. If using certain capabilities like Durable Functions, you will also need `queue` and `table` accessible through a private endpoint connection. |
36 |
| - * If using service endpoints, enable the subnet dedicated to your function apps for storage accounts on the firewall. |
| 52 | + * [Enable a service endpoint from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network). When using service endpoints, enable the subnet dedicated to your function apps for storage accounts on the firewall. |
37 | 53 |
|
38 |
| -1. Copy the file and blob content from the function app storage account to the secured storage account and file share. |
| 54 | +1. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share. |
39 | 55 |
|
40 | 56 | 1. Copy the connection string for this storage account.
|
41 | 57 |
|
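Review bot: The copy step at line 54 writes into the account that the step at line 48 has already restricted, so the copy has to run from a client that the new private endpoint or service endpoint rules allow. Suggest saying so in line 54, or noting which network the copy should be run from. In line 44, "This is going to be the secured storage account" reads more cleanly as "This is the secured storage account".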
|