Use private endpoints to integrate Azure Functions with a virtual network (2023)


This tutorial shows you how to use Azure Functions to connect to resources in an Azure virtual network by using private endpoints. You'll create a function by using a storage account that's locked behind a virtual network. The function app uses a Service Bus queue trigger.

In this tutorial, you'll:

  • Create a function app in the Premium plan.
  • Create Azure resources, such as the Service Bus, storage account, and virtual network.
  • Lock down your storage account behind a private endpoint.
  • Lock down your Service Bus behind a private endpoint.
  • Deploy a function app that uses both the Service Bus and HTTP triggers.
  • Lock down your function app behind a private endpoint.
  • Test to see that your function app is secure inside the virtual network.
  • Clean up resources.

Create a function app in a Premium plan

You'll create a .NET function app in the Premium plan because this tutorial uses C#. Other languages are also supported in Windows. The Premium plan provides serverless scale while supporting virtual network integration.

  1. On the Azure portal menu or the Home page, select Create a resource.

  2. On the New page, select Compute > Function App.

  3. On the Basics page, use the following table to configure the function app settings.

    Setting | Suggested value | Description
    Subscription | Your subscription | Subscription under which this new function app is created.
    Resource Group | myResourceGroup | Name for the new resource group where you'll create your function app.
    Function App name | Globally unique name | Name that identifies your new function app. Valid characters are a-z (case insensitive), 0-9, and -.
    Publish | Code | Choose to publish code files or a Docker container.
    Runtime stack | .NET | This tutorial uses .NET.
    Version | 3.1 | This tutorial uses .NET Core 3.1.
    Region | Preferred region | Choose a region near you or near other services that your functions access.
  4. Select Next: Hosting. On the Hosting page, enter the following settings.

    Setting | Suggested value | Description
    Storage account | Globally unique name | Create a storage account used by your function app. Storage account names must be between 3 and 24 characters long. They may contain numbers and lowercase letters only. You can also use an existing account, which must meet the storage account requirements.
    Operating system | Windows | This tutorial uses Windows.
    Plan | Premium | Hosting plan that defines how resources are allocated to your function app. By default, when you select Premium, a new App Service plan is created. The default SKU and size is EP1, where EP stands for elastic premium. For more information, see the list of Premium SKUs.

    When you run JavaScript functions on a Premium plan, choose an instance that has fewer vCPUs. For more information, see Choose single-core Premium plans.

  5. Select Next: Monitoring. On the Monitoring page, enter the following settings.

    Setting | Suggested value | Description
    Application Insights | Default | Create an Application Insights resource of the same app name in the nearest supported region. Expand this setting if you need to change the New resource name or store your data in a different Location in an Azure geography.
  6. Select Review + create to review the app configuration selections.

  7. On the Review + create page, review your settings. Then select Create to provision and deploy the function app.

  8. In the upper-right corner of the portal, select the Notifications icon and watch for the Deployment succeeded message.

  9. Select Go to resource to view your new function app. You can also select Pin to dashboard. Pinning makes it easier to return to this function app resource from your dashboard.

Congratulations! You've successfully created your premium function app.

Create Azure resources

Next, you'll create a storage account, a Service Bus, and a virtual network.

Create a storage account

Your virtual networks will need a storage account that's separate from the one you created with your function app.

  1. On the Azure portal menu or the Home page, select Create a resource.

  2. On the New page, search for storage account. Then select Create.

  3. On the Basics tab, use the following table to configure the storage account settings. All other settings can use the default values.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | The resource group you created with your function app.
    Name | mysecurestorage | The name of the storage account that the private endpoint will be applied to.
    Region | myFunctionRegion | The region where you created your function app.
  4. Select Review + create. After validation finishes, select Create.

Create a Service Bus

  1. On the Azure portal menu or the Home page, select Create a resource.

  2. On the New page, search for Service Bus. Then select Create.

  3. On the Basics tab, use the following table to configure the Service Bus settings. All other settings can use the default values.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | The resource group you created with your function app.
    Namespace name | myServiceBus | The name of the Service Bus that the private endpoint will be applied to.
    Location | myFunctionRegion | The region where you created your function app.
    Pricing tier | Premium | Choose this tier to use private endpoints with Azure Service Bus.
  4. Select Review + create. After validation finishes, select Create.

Create a virtual network

The Azure resources in this tutorial either integrate with or are placed within a virtual network. You'll use private endpoints to contain network traffic within the virtual network.

The tutorial creates two subnets:

  • default: Subnet for private endpoints. Private IP addresses are given from this subnet.
  • functions: Subnet for Azure Functions virtual network integration. This subnet is delegated to the function app.

Create the virtual network to which the function app integrates:

  1. On the Azure portal menu or the Home page, select Create a resource.

  2. On the New page, search for virtual network. Then select Create.

  3. On the Basics tab, use the following table to configure the virtual network settings.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | The resource group you created with your function app.
    Name | myVirtualNet | The name of the virtual network to which your function app will connect.
    Region | myFunctionRegion | The region where you created your function app.
  4. On the IP Addresses tab, select Add subnet. Use the following table to configure the subnet settings.

    Setting | Suggested value | Description
    Subnet name | functions | The name of the subnet to which your function app will connect.
    Subnet address range | 10.0.1.0/24 | The subnet address range. The virtual network's IPv4 address space in this tutorial is 10.0.0.0/16. If the value were 10.1.0.0/16, the recommended subnet address range would be 10.1.1.0/24.
  5. Select Review + create. After validation finishes, select Create.
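The subnet layout above follows a simple rule: the address space is a /16, the default subnet (for private endpoints) takes its first /24 and the functions subnet (delegated to the app) the second. The following script, added here as an example and not part of the original tutorial, carves those two subnets out of any /16 you enter and checks the result the way a reviewer would before approving the network: each subnet must sit inside the address space, the two must not overlap, and each must still leave usable addresses after the five that Azure reserves per subnet. The subnet names and the 10.1.0.0/16 case come from the tutorial; everything else is the example's own.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the default
# gateway, two addresses for Azure DNS and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


def plan_subnets(vnet_cidr: str, prefixlen: int = 24, names=("default", "functions")) -> dict:
    """Carve one subnet of the given size per name, in order, out of the virtual network
    address space. For 10.0.0.0/16 this yields default=10.0.0.0/24 and
    functions=10.0.1.0/24, the layout the tutorial uses."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    blocks = vnet.subnets(new_prefix=prefixlen)
    plan = {}
    for name in names:
        try:
            plan[name] = str(next(blocks))
        except StopIteration:
            raise ValueError(f"{vnet_cidr} has no room for a /{prefixlen} subnet named {name!r}")
    return plan


def usable_addresses(cidr: str) -> int:
    """Addresses left for private endpoints / integration after Azure's reservation."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_cidr: str, plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is sound."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in plan.items()]
    problems = []
    for name, net in nets:
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside the address space {vnet}")
        if usable_addresses(str(net)) == 0:
            problems.append(f"{name} {net} leaves no usable addresses")
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


if __name__ == "__main__":
    for space in ("10.0.0.0/16", "10.1.0.0/16"):
        plan = plan_subnets(space)
        print(space, plan, "problems:", validate_plan(space, plan))
```

Run it with the tutorial's 10.0.0.0/16 and the functions subnet comes out as 10.0.1.0/24 with 251 usable addresses; with 10.1.0.0/16 it comes out as 10.1.1.0/24, matching the table.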

Lock down your storage account

Azure private endpoints are used to connect to specific Azure resources by using a private IP address. This connection ensures that network traffic remains within the chosen virtual network and access is available only for specific resources.

Create the private endpoints for Azure Files Storage, Azure Blob Storage and Azure Table Storage by using your storage account:

  1. In your new storage account, in the menu on the left, select Networking.

  2. On the Private endpoint connections tab, select Private endpoint.


  3. On the Basics tab, use the private endpoint settings shown in the following table.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | Choose the resource group you created with your function app.
    Name | file-endpoint | The name of the private endpoint for files from your storage account.
    Region | myFunctionRegion | Choose the region where you created your storage account.
  4. On the Resource tab, use the private endpoint settings shown in the following table.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource type | Microsoft.Storage/storageAccounts | The resource type for storage accounts.
    Resource | mysecurestorage | The storage account you created.
    Target sub-resource | file | The private endpoint that will be used for files from the storage account.
  5. On the Configuration tab, for the Subnet setting, choose default.

  6. Select Review + create. After validation finishes, select Create. Resources in the virtual network can now communicate with storage files.

  7. Create another private endpoint for blobs. On the Resources tab, use the settings shown in the following table. For all other settings, use the same values you used to create the private endpoint for files.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource type | Microsoft.Storage/storageAccounts | The resource type for storage accounts.
    Name | blob-endpoint | The name of the private endpoint for blobs from your storage account.
    Resource | mysecurestorage | The storage account you created.
    Target sub-resource | blob | The private endpoint that will be used for blobs from the storage account.
  8. Create another private endpoint for tables. On the Resources tab, use the settings shown in the following table. For all other settings, use the same values you used to create the private endpoint for files.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource type | Microsoft.Storage/storageAccounts | The resource type for storage accounts.
    Name | table-endpoint | The name of the private endpoint for tables from your storage account.
    Resource | mysecurestorage | The storage account you created.
    Target sub-resource | table | The private endpoint that will be used for tables from the storage account.
  9. After the private endpoints are created, return to the Firewalls and virtual networks section of your storage account.

  10. Ensure Selected networks is selected. It's not necessary to add an existing virtual network.

Resources in the virtual network can now communicate with the storage account using the private endpoint.

Lock down your Service Bus

Create the private endpoint to lock down your Service Bus:

  1. In your new Service Bus, in the menu on the left, select Networking.

  2. On the Private endpoint connections tab, select Private endpoint.


  3. On the Basics tab, use the private endpoint settings shown in the following table.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | The resource group you created with your function app.
    Name | sb-endpoint | The name of the private endpoint for your Service Bus namespace.
    Region | myFunctionRegion | The region where you created your Service Bus namespace.
  4. On the Resource tab, use the private endpoint settings shown in the following table.

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource type | Microsoft.ServiceBus/namespaces | The resource type for the Service Bus.
    Resource | myServiceBus | The Service Bus you created earlier in the tutorial.
    Target subresource | namespace | The private endpoint that will be used for the namespace from the Service Bus.
  5. On the Configuration tab, for the Subnet setting, choose default.

  6. Select Review + create. After validation finishes, select Create.

  7. After the private endpoint is created, return to the Firewalls and virtual networks section of your Service Bus namespace.

  8. Ensure Selected networks is selected.

  9. Select + Add existing virtual network to add the recently created virtual network.

  10. On the Add networks tab, use the network settings from the following table:

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Virtual networks | myVirtualNet | The name of the virtual network to which your function app will connect.
    Subnets | functions | The name of the subnet to which your function app will connect.
  11. Select Add your client IP address to give your current client IP access to the namespace.

    Note

    Allowing your client IP address is necessary to enable the Azure portal to publish messages to the queue later in this tutorial.

  12. Select Enable to enable the service endpoint.

  13. Select Add to add the selected virtual network and subnet to the firewall rules for the Service Bus.

  14. Select Save to save the updated firewall rules.

Resources in the virtual network can now communicate with the Service Bus using the private endpoint.

Create a file share

  1. In the storage account you created, in the menu on the left, select File shares.

  2. Select + File shares. For the purposes of this tutorial, name the file share files.


  3. Select Create.

Get the storage account connection string

  1. In the storage account you created, in the menu on the left, select Access keys.

  2. Select Show keys. Copy and save the connection string of key1. You'll need this connection string when you configure the app settings.


Create a queue

Create the queue where your Azure Functions Service Bus trigger will get events:

  1. In your Service Bus, in the menu on the left, select Queues.

  2. Select Queue. For the purposes of this tutorial, provide the name queue as the name of the new queue.


  3. Select Create.

Get a Service Bus connection string

  1. In your Service Bus, in the menu on the left, select Shared access policies.

  2. Select RootManageSharedAccessKey. Copy and save the Primary Connection String. You'll need this connection string when you configure the app settings.


Integrate the function app

To use your function app with virtual networks, you need to join it to a subnet. You'll use a specific subnet for the Azure Functions virtual network integration. You'll use the default subnet for other private endpoints you create in this tutorial.

  1. In your function app, in the menu on the left, select Networking.

  2. Under VNet Integration, select Click here to configure.


  3. Select Add VNet.

  4. Under Virtual Network, select the virtual network you created earlier.

  5. Select the functions subnet you created earlier. Select OK. Your function app is now integrated with your virtual network!

    If the virtual network and function app are in different subscriptions, you need to first provide Contributor access to the service principal Microsoft Azure App Service on the virtual network.


  6. Ensure that the Route All configuration setting is set to Enabled.


Configure your function app settings

  1. In your function app, in the menu on the left, select Configuration.

  2. To use your function app with virtual networks, update the app settings shown in the following table. To add or edit a setting, select + New application setting or the Edit icon in the rightmost column of the app settings table. When you finish, select Save.

    Setting | Suggested value | Description
    AzureWebJobsStorage | mysecurestorageConnectionString | The connection string of the storage account you created. This storage connection string is from the Get the storage account connection string section. This setting allows your function app to use the secure storage account for normal operations at runtime.
    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING | mysecurestorageConnectionString | The connection string of the storage account you created. This setting allows your function app to use the secure storage account for Azure Files, which is used during deployment.
    WEBSITE_CONTENTSHARE | files | The name of the file share you created in the storage account. Use this setting with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING.
    SERVICEBUS_CONNECTION | myServiceBusConnectionString | Create this app setting for the connection string of your Service Bus. This connection string is from the Get a Service Bus connection string section.
    WEBSITE_CONTENTOVERVNET | 1 | Create this app setting. A value of 1 enables your function app to scale when your storage account is restricted to a virtual network.
  3. In the Configuration view, select the Function runtime settings tab.

  4. Set Runtime Scale Monitoring to On. Then select Save. Runtime-driven scaling allows you to connect non-HTTP trigger functions to services that run inside your virtual network.

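A common failure after this step is that one of the connection-string settings still points at the storage account that was created with the function app rather than at the locked-down one, or WEBSITE_CONTENTOVERVNET was never set to 1; the app then cannot start or scale once the firewall is in place. The audit below is an added example, not code from the tutorial or from Microsoft: it reads an export of the app settings (constructed here in the shape returned by `az functionapp config appsettings list`, a JSON array of name/value/slotSetting objects, with placeholder keys) and reports every setting that does not match the table above. The sample export deliberately leaves WEBSITE_CONTENTAZUREFILECONNECTIONSTRING on the original storage account and WEBSITE_CONTENTOVERVNET at 0 so the checks have something to find; the account name `myfunctionappstorage` is a constructed value.

```python
import json

SECURE_STORAGE = "mysecurestorage"  # the locked-down storage account from the tutorial
SERVICE_BUS = "myServiceBus"        # the Service Bus namespace from the tutorial

# Constructed sample export; two settings are intentionally wrong (see comments).
SAMPLE_EXPORT = json.dumps([
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=mysecurestorage;"
              "AccountKey=<placeholder-key>;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",  # wrong: still the app's first storage account
     "value": "DefaultEndpointsProtocol=https;AccountName=myfunctionappstorage;"
              "AccountKey=<placeholder-key>;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTSHARE", "value": "files", "slotSetting": False},
    {"name": "SERVICEBUS_CONNECTION",
     "value": "Endpoint=sb://myservicebus.servicebus.windows.net/;"
              "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<placeholder-key>",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTOVERVNET", "value": "0", "slotSetting": False},  # wrong: must be "1"
])


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Only the first '=' separates key from
    value, because base64 keys and SAS tokens can contain '=' themselves."""
    pairs = (part.split("=", 1) for part in value.split(";") if part)
    return {k: v for k, v in pairs}


def audit_app_settings(export_json: str) -> list:
    """Return a list of findings; an empty list means the settings match the tutorial."""
    settings = {item["name"]: item["value"] for item in json.loads(export_json)}
    findings = []

    # Both storage settings must name the locked-down account, or the host cannot
    # reach its own content share / runtime storage through the private endpoint.
    for key in ("AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is missing")
            continue
        account = parse_connection_string(value).get("AccountName")
        if account != SECURE_STORAGE:
            findings.append(f"{key} points at storage account {account!r}, expected {SECURE_STORAGE!r}")

    if settings.get("WEBSITE_CONTENTSHARE") != "files":
        findings.append("WEBSITE_CONTENTSHARE should name the 'files' share in the secure storage account")

    sb = settings.get("SERVICEBUS_CONNECTION")
    if sb is None:
        findings.append("SERVICEBUS_CONNECTION is missing")
    else:
        endpoint = parse_connection_string(sb).get("Endpoint", "")
        if not endpoint.lower().startswith(f"sb://{SERVICE_BUS.lower()}."):
            findings.append(f"SERVICEBUS_CONNECTION endpoint {endpoint!r} is not namespace {SERVICE_BUS!r}")

    if settings.get("WEBSITE_CONTENTOVERVNET") != "1":
        findings.append("WEBSITE_CONTENTOVERVNET must be '1' so the app can scale while storage is VNet-restricted")

    return findings


def with_setting(export_json: str, name: str, value: str) -> str:
    """Return a copy of the export with one setting replaced or added, so the corrected
    configuration can be audited next to the weak one."""
    items = [dict(item) for item in json.loads(export_json)]
    for item in items:
        if item["name"] == name:
            item["value"] = value
            break
    else:
        items.append({"name": name, "value": value, "slotSetting": False})
    return json.dumps(items)


if __name__ == "__main__":
    for finding in audit_app_settings(SAMPLE_EXPORT):
        print("FINDING:", finding)
    fixed = with_setting(SAMPLE_EXPORT, "WEBSITE_CONTENTOVERVNET", "1")
    fixed = with_setting(fixed, "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
                         settings_value := json.loads(SAMPLE_EXPORT)[0]["value"])
    print("after fix:", audit_app_settings(fixed))
```

The audit compares only the AccountName and Endpoint parts of each connection string, so the exported keys never need to be printed or copied anywhere else during the check.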

Deploy a Service Bus trigger and HTTP trigger

Note

Enabling Private Endpoints on a Function App also makes the Source Control Manager (SCM) site publicly inaccessible. The following instructions give deployment directions using the Deployment Center within the Function App. Alternatively, use zip deploy or self-hosted agents that are deployed into a subnet on the virtual network.

  1. In GitHub, go to the following sample repository. It contains a function app with two functions: an HTTP trigger and a Service Bus queue trigger.

    https://github.com/Azure-Samples/functions-vnet-tutorial

  2. At the top of the page, select Fork to create a fork of this repository in your own GitHub account or organization.

  3. In your function app, in the menu on the left, select Deployment Center. Then select Settings.

  4. On the Settings tab, use the deployment settings shown in the following table.

    Setting | Suggested value | Description
    Source | GitHub | You should have created a GitHub repository for the sample code in step 2.
    Organization | myOrganization | The organization your repo is checked into. It's usually your account.
    Repository | functions-vnet-tutorial | The repository forked from https://github.com/Azure-Samples/functions-vnet-tutorial.
    Branch | main | The main branch of the repository you created.
    Runtime stack | .NET | The sample code is in C#.
    Version | .NET Core 3.1 | The runtime version.
  5. Select Save.


  6. Your initial deployment might take a few minutes. When your app is successfully deployed, on the Logs tab, you see a Success (Active) status message. If necessary, refresh the page.

Congratulations! You've successfully deployed your sample function app.

Lock down your function app

Now create the private endpoint to lock down your function app. This private endpoint will connect your function app privately and securely to your virtual network by using a private IP address.

For more information, see the private endpoint documentation.

  1. In your function app, in the menu on the left, select Networking.

  2. Under Private Endpoint Connections, select Configure your private endpoint connections.


  3. Select Add.

  4. On the pane that opens, enter a name for the private endpoint and select the virtual network you created earlier, together with its default subnet, which this tutorial uses for private endpoints.

  5. Select OK to add the private endpoint.

Congratulations! You've successfully secured your function app, Service Bus, and storage account by adding private endpoints!

Test your locked-down function app

  1. In your function app, in the menu on the left, select Functions.

  2. Select ServiceBusQueueTrigger.

  3. In the menu on the left, select Monitor.

You'll see that you can't monitor your app. Your browser doesn't have access to the virtual network, so it can't directly access resources within the virtual network.

Here's an alternative way to monitor your function by using Application Insights:

  1. In your function app, in the menu on the left, select Application Insights. Then select View Application Insights data.


  2. In the menu on the left, select Live metrics.

  3. Open a new tab. In your Service Bus, in the menu on the left, select Queues.

  4. Select your queue.

  5. In the menu on the left, select Service Bus Explorer. Under Send, for Content Type, choose Text/Plain. Then enter a message.

  6. Select Send to send the message.


  7. On the Live metrics tab, you should see that your Service Bus queue trigger has fired. If it hasn't, resend the message from Service Bus Explorer.


Congratulations! You've successfully tested your function app setup with private endpoints.

Understand private DNS zones

You've used a private endpoint to connect to Azure resources. You're connecting to a private IP address instead of the public endpoint. By default, Azure services resolve their public hostnames through public DNS to the public endpoint. You must override that DNS configuration so the same hostname resolves to the private endpoint instead.

A private DNS zone is created for each Azure resource that was configured with a private endpoint. A DNS record is created for each private IP address associated with the private endpoint.

The following DNS zones were created in this tutorial:

  • privatelink.file.core.windows.net
  • privatelink.blob.core.windows.net
  • privatelink.servicebus.windows.net
  • privatelink.azurewebsites.net
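The practical check for this section is whether, from inside the virtual network, the resource hostnames actually resolve into the VNet address space; if a name still comes back with a public address, the private DNS zone is not being consulted and traffic would either leave over the public endpoint or be refused by the firewall you just configured. The script below is an added example, not part of the tutorial: it maps each public hostname to the record the matching privatelink zone must hold (for the four zones listed above) and checks every resolved address against the tutorial's 10.0.0.0/16 address space. It accepts a resolver function so it can be exercised offline with constructed answers; `resolve_a` uses the host's own resolver and is only meaningful when run from a machine inside the VNet. The hostnames and addresses in `FAKE_ANSWERS` are constructed (203.0.113.10 is a documentation-range address standing in for a public one).

```python
import ipaddress
import socket

VNET_ADDRESS_SPACE = ipaddress.ip_network("10.0.0.0/16")  # the tutorial's virtual network

# Public DNS suffix -> private DNS zone created for that private endpoint type
PRIVATELINK_ZONES = {
    "file.core.windows.net": "privatelink.file.core.windows.net",
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "servicebus.windows.net": "privatelink.servicebus.windows.net",
    "azurewebsites.net": "privatelink.azurewebsites.net",
}


def privatelink_name(fqdn: str) -> str:
    """Map a public hostname to the A record the private DNS zone must hold, e.g.
    mysecurestorage.blob.core.windows.net -> mysecurestorage.privatelink.blob.core.windows.net."""
    for suffix, zone in PRIVATELINK_ZONES.items():
        if fqdn.endswith("." + suffix):
            label = fqdn[: -len(suffix) - 1]
            return f"{label}.{zone}"
    raise ValueError(f"no privatelink zone known for {fqdn}")


def resolve_a(fqdn: str) -> list:
    """Resolve IPv4 addresses with the host's resolver (run this from inside the VNet)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_private_resolution(fqdn: str, resolver=resolve_a) -> dict:
    """Report whether every address the name resolves to lies inside the VNet.
    'private' is False when nothing resolves or any answer is outside the address space."""
    addresses = resolver(fqdn)
    public = [a for a in addresses if ipaddress.ip_address(a) not in VNET_ADDRESS_SPACE]
    return {
        "fqdn": fqdn,
        "expected_record": privatelink_name(fqdn),
        "addresses": addresses,
        "private": bool(addresses) and not public,
        "public_addresses": public,
    }


# Constructed answers standing in for a resolver: the storage names resolve privately,
# the Service Bus name still resolves to a (documentation-range) public address.
FAKE_ANSWERS = {
    "mysecurestorage.file.core.windows.net": ["10.0.0.4"],
    "mysecurestorage.blob.core.windows.net": ["10.0.0.5"],
    "myservicebus.servicebus.windows.net": ["203.0.113.10"],
}


def fake_resolver(fqdn: str) -> list:
    return FAKE_ANSWERS.get(fqdn, [])


if __name__ == "__main__":
    for name in FAKE_ANSWERS:
        result = check_private_resolution(name, fake_resolver)
        status = "OK" if result["private"] else "NOT PRIVATE"
        print(f"{status:12} {name} -> {result['addresses']} (expects {result['expected_record']})")
```

Against the constructed answers the two storage names pass and the Service Bus name is reported as not private, which is exactly the symptom to look for when a queue trigger never fires after lockdown.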

Clean up resources

In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, you can delete them by deleting the resource group.

From the Azure portal menu or Home page, select Resource groups. Then, on the Resource groups page, select myResourceGroup.

On the myResourceGroup page, make sure that the listed resources are the ones you want to delete.

Select Delete resource group, type myResourceGroup in the text box to confirm, and then select Delete.

Next steps

In this tutorial, you created a Premium function app, storage account, and Service Bus. You secured all of these resources behind private endpoints.

Use the following links to learn more about Azure Functions networking options and private endpoints:

  • Networking options in Azure Functions
  • Azure Functions Premium plan
  • Service Bus private endpoints
  • Azure Storage private endpoints
Article information

Author: Golda Nolan II

Last Updated: 03/18/2023