
Sample should have private endpoint for Key Vault and Storage Account #93

Open
francovanzyl96 opened this issue Nov 25, 2024 · 11 comments
Labels
investigating investigating if this is a bug or feature

Comments

@francovanzyl96

Is your feature request related to a problem? Please describe.
The sample would be more practical and secure if the Azure Key Vault and Storage Account resources have private endpoints deployed. Additionally the Azure Container Registry could also have a private endpoint.

Describe the solution you'd like
I would like to see a sample where Azure Key Vault and Storage Account resources have private endpoints deployed. Additionally the Azure Container Registry could also have a private endpoint. I would also like to see samples of how the App Settings should be configured to force all outbound traffic from the Function App to go over the private VNet attached to the Container Apps Environment.

Describe alternatives you've considered
I have attempted to use the App Settings as described for deploying Function Apps on App Service Plans, however this does not seem to include a solution for accessing Key Vault secrets over a private endpoint connection.

Additional context

@raorugan raorugan added the investigating investigating if this is a bug or feature label Nov 28, 2024
@raorugan (Collaborator)

Ack on this. Allow us to get back on this.

@raorugan (Collaborator) commented Dec 9, 2024

@francovanzyl96, I was able to set the storage app setting with a private endpoint for a function app deployed on ACA; here is the sample endpoint for the same:

[Image: screenshot of the storage app setting using the private endpoint]

Can you clarify the following:

  1. Which SKU is the function app deployed on: App Service, Elastic Premium, or Azure Container Apps?
  2. What error message do you see?

@francovanzyl96 (Author)

Thanks for the update. What authentication method are you using to access the storage account from the Function app?

The Storage Account access is part of my issue, but would love to also see Function App on containers fetching secrets from a Key Vault with a private endpoint.

To answer your questions:

  1. The Function is deployed on an Azure Container Apps managed environment:
     • Consumption workload profile.
     • Managed environment is deployed in "internal" mode and attached to an existing subnet.
     • Using a user-assigned managed identity to connect to the Functions storage account.
     • Running Durable Functions, so it could be due to blob, table, queue or file access on the Functions storage account. I did create private endpoints for each of these services on the storage account.
     • App settings for connecting to WebJobs storage:

         {
           name: 'AzureWebJobsStorage__credential'
           value: 'managedidentity'
         }
         {
           name: 'AzureWebJobsStorage__clientId'
           value: identityClientId
         }
         {
           name: 'AzureWebJobsStorage__accountName'
           value: storageName
         }

  2. I do not get any deployment errors; I only see this error in the tab where the Functions should be loaded:

         Internal server error occurred. Operation failed: Request failed with error message {"error":{"code":"ResourceNotProvisioned","message":"The ContainerApp 'xxxxxx' has not been provisioned successfully. ProvisioningState: 'Failed'."}}
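A preflight check for the identity-based `AzureWebJobsStorage` settings shown in the comment above, added here as an example; it is not code from the issue or from the sample repository. It takes the app-settings list in the same name/value shape and reports the misconfigurations that commonly surface as a host that never starts: an account-key connection string left alongside the identity-based keys, an incomplete identity-based setting, or no storage setting at all. The sample settings and the client id in it are constructed placeholders.

```python
"""Preflight check for identity-based AzureWebJobsStorage app settings.

Added example; not code from the issue or from the sample repository.
The sample settings at the bottom are constructed.
"""
from typing import Dict, List

PREFIX = "AzureWebJobsStorage"
# Identity-based connections need at least these two keys; __clientId is
# needed only when a user-assigned identity should be used.
REQUIRED_IDENTITY_KEYS = {f"{PREFIX}__accountName", f"{PREFIX}__credential"}
SECRET_MARKERS = ("AccountKey=", "SharedAccessSignature=")


def to_map(settings: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the name/value list into a dict; a later duplicate wins."""
    return {s["name"]: s["value"] for s in settings}


def check_storage_settings(settings: List[Dict[str, str]]) -> List[str]:
    """Return findings as strings; an empty list means the settings look sound."""
    cfg = to_map(settings)
    findings: List[str] = []
    legacy = cfg.get(PREFIX, "")
    identity_keys = {k for k in cfg if k.startswith(PREFIX + "__")}

    if any(marker in legacy for marker in SECRET_MARKERS):
        findings.append(f"{PREFIX} carries a key or SAS secret; prefer the identity-based __credential form")
    if legacy and identity_keys:
        findings.append(f"both {PREFIX} and {PREFIX}__* are set; remove one so the host uses a single, known connection")
    if identity_keys:
        for key in sorted(REQUIRED_IDENTITY_KEYS - identity_keys):
            findings.append(f"missing {key}")
        credential = cfg.get(f"{PREFIX}__credential")
        if credential is not None and credential != "managedidentity":
            findings.append(f"{PREFIX}__credential must be 'managedidentity', got {credential!r}")
        if credential == "managedidentity" and not cfg.get(f"{PREFIX}__clientId"):
            findings.append(f"note: no {PREFIX}__clientId, so the system-assigned identity will be used; set it for a user-assigned identity")
    if not legacy and not identity_keys:
        findings.append(f"no {PREFIX} configuration found")
    return findings


# Constructed sample in the shape of the Bicep fragment in the comment above;
# the client id is a placeholder, not a real identity.
IDENTITY_SETTINGS = [
    {"name": "AzureWebJobsStorage__credential", "value": "managedidentity"},
    {"name": "AzureWebJobsStorage__clientId", "value": "00000000-0000-0000-0000-000000000000"},
    {"name": "AzureWebJobsStorage__accountName", "value": "stfuncdemo"},
]

# Constructed sample of the pattern to move away from: an account key in the setting.
KEY_SETTINGS = [
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=stfuncdemo;AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net"},
]

if __name__ == "__main__":
    for label, settings in (("identity", IDENTITY_SETTINGS), ("key", KEY_SETTINGS)):
        print(label, check_storage_settings(settings) or "OK")
```

Run it against the settings list you are about to deploy; an empty result for the identity-based form is what you want before you start chasing network problems.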

@raorugan (Collaborator)

We need resource ID details for this to debug further. Since this is a public forum, can you please open a support ticket? We can get your resource details and check why provisioning failed.

On a side note, did you try re-deploying, ensuring resource provisioning is successful (you may check this in the JSON view of the resource in the Azure Portal), and triggering the durable function?

@raorugan (Collaborator)

Hi @francovanzyl96, were you able to raise a support issue on this? On the other hand, can you check whether private DNS, private endpoint or IP config issues exist? A repro showed the same error message that you were seeing, caused by network config issues.
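The comment above points at private DNS, private endpoint or IP configuration as the likely cause of the failed provisioning. The script below, added here as an example and not code from the issue or the sample repository, encodes the check an operator would run from inside the VNet: each storage sub-service the Durable Functions host uses (blob, queue, table, file) must resolve via the account's `privatelink` name to an RFC 1918 address. The account name, the DNS answers and the addresses are constructed so the file runs offline; `live_resolver` shows how to back the same check with the system resolver.

```python
"""Check that a storage account's service hostnames resolve through private DNS.

Added example; not code from the issue or from the sample repository.
The default resolver is a constructed stub so the file runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

SERVICES = ("blob", "queue", "table", "file")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# A resolver maps a hostname to (canonical name after CNAME chasing, IPv4 addresses).
Resolver = Callable[[str], Tuple[str, List[str]]]


def public_host(account: str, service: str) -> str:
    return f"{account}.{service}.core.windows.net"


def privatelink_host(account: str, service: str) -> str:
    return f"{account}.privatelink.{service}.core.windows.net"


def is_rfc1918(ip: str) -> bool:
    # ipaddress.is_private also counts documentation ranges, so test RFC 1918 explicitly.
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_private_resolution(account: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Return {hostname: [problems]} for every sub-service; an empty list is a pass."""
    report: Dict[str, List[str]] = {}
    for service in SERVICES:
        host = public_host(account, service)
        try:
            cname, ips = resolve(host)
        except OSError as exc:
            # NXDOMAIN or timeout: wrong account name, or the resolver cannot reach the zone.
            report[host] = [f"lookup failed: {exc}"]
            continue
        problems: List[str] = []
        if cname != privatelink_host(account, service):
            problems.append(f"canonical name is {cname}, not the privatelink name; check the private DNS zone link for this VNet")
        if not ips:
            problems.append("no addresses returned")
        for ip in ips:
            if not is_rfc1918(ip):
                problems.append(f"resolves to {ip}, outside RFC 1918; traffic would bypass the private endpoint")
        report[host] = problems
    return report


def live_resolver(host: str) -> Tuple[str, List[str]]:
    """System-resolver backend; AI_CANONNAME yields the end of the CNAME chain on glibc."""
    info = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
    return info[0][3], sorted({entry[4][0] for entry in info})


# Constructed sample: blob and queue have working private endpoints and zone
# links, table is simulated as unresolvable, and file still resolves publicly
# (203.0.113.10 is a documentation address standing in for a public IP).
SAMPLE_ACCOUNT = "stfuncdemo"
SAMPLE_DNS: Dict[str, Tuple[str, List[str]]] = {
    "stfuncdemo.blob.core.windows.net": ("stfuncdemo.privatelink.blob.core.windows.net", ["10.0.2.4"]),
    "stfuncdemo.queue.core.windows.net": ("stfuncdemo.privatelink.queue.core.windows.net", ["10.0.2.5"]),
    "stfuncdemo.file.core.windows.net": ("stfuncdemo.file.core.windows.net", ["203.0.113.10"]),
}


def sample_resolver(host: str) -> Tuple[str, List[str]]:
    if host not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    for host, problems in check_private_resolution(SAMPLE_ACCOUNT, sample_resolver).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it with `live_resolver` from a machine or container in the same VNet as the Container Apps environment; a sub-service that resolves to its public name or a non-RFC 1918 address is the one whose private DNS zone is missing or not linked to that VNet.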

@francovanzyl96 (Author)

Hi @raorugan, I was not able to raise a support ticket on this yet; I would need to redeploy an environment with private endpoints to reproduce the issue again first. Will do this ASAP and create a support request.

> On the other hand can you check if private DNS or private endpoint or IP config issues exist

I have checked that the private endpoints and private DNS zones are properly created and linked to the correct VNets. Are there any specific checks you would like me to do?

@raorugan (Collaborator) commented Dec 19, 2024

Azure Functions on Azure Container Apps can access both Storage and ACR private endpoints with private DNS, connected with managed identity. We double-checked this and it works fine. We reproduced the scenario with wrong IP configs and were able to see errors similar to the ones you saw. For checking your environment and configs and for troubleshooting, raising a support ticket is the best option.

@francovanzyl96 (Author)

Ok, thanks. And also Key Vault?

@raorugan (Collaborator)

Yes, Key Vault as well. Any Azure service that is reachable through a private endpoint from the Container Apps environment VNet (internal) with managed identity should work.

@francovanzyl96 (Author)

Ok, I will redeploy it like that and create a support ticket. Thanks for looking into it.

@raorugan (Collaborator)

Hello @francovanzyl96, is the issue resolved?
