configure-networking-how-to.md

File metadata and controls

100 lines (56 loc) · 7.33 KB
---
title: How to use a secured storage account with Azure Functions
description: Article that shows you how to use a secured storage account in a virtual network as the default storage account for a function app in Azure Functions.
ms.topic: how-to
ms.date: 01/31/2024
ms.custom: template-how-to
---

# How to use a secured storage account with Azure Functions

This article shows you how to connect your function app to a secured storage account. For an in-depth tutorial on how to create your function app with inbound and outbound access restrictions, refer to the Integrate with a virtual network tutorial. To learn more about Azure Functions and networking, see Azure Functions networking options.

## Restrict your storage account to a virtual network

When you create a function app, you either create a new storage account or link to an existing one. Currently, only ARM template and Bicep deployments support creating a function app with an existing secured storage account; the portal can't attach an app to a storage account that is already locked down.

> [!NOTE]
> Securing your storage account is supported for all tiers in both Dedicated (App Service) and Elastic Premium plans. Consumption plans currently don't support virtual networks.

For a list of all restrictions on storage accounts, see Storage account requirements.

### Secure storage during function app creation

You can create a function app along with a new storage account secured behind a virtual network that is accessible only via private endpoints. The following links show you how to create these resources by using either the Azure portal or deployment templates:

- Complete the following tutorial to create a new function app with a secured storage account: Use private endpoints to integrate Azure Functions with a virtual network.

- Use Bicep files or Azure Resource Manager (ARM) templates to create a secured function app and storage account resources. When you create a secured storage account in an automated deployment, you must set the `vnetContentShareEnabled` site property, create the file share as part of your deployment, and set the `WEBSITE_CONTENTSHARE` app setting to the name of that file share. The platform can't create the share on first start when the account already denies public access, so a deployment that omits it leaves the app unable to load its content. For more information, including links to example deployments, see Secured deployments.


### Secure storage for an existing function app

When you have an existing function app, you can't directly secure the storage account currently being used by the app: restricting its network access would cut the app off from its own content share. You must instead swap out the existing storage account for a new, secured storage account.

#### 1. Enable virtual network integration

As a prerequisite, you need to enable virtual network integration for your function app.

  1. Choose a function app with a storage account that doesn't have service endpoints or private endpoints enabled.

  2. Enable virtual network integration for your function app.

#### 2. Create a secured storage account

Set up a secured storage account for your function app:

  1. Create a second storage account. This becomes the secured storage account that your function app uses instead. You can also use an existing storage account that isn't already being used by Functions.

  2. Copy the connection string for this storage account. You need this string for later.

  3. Create a file share in the new storage account. Try to use the same name as the file share in the existing storage account. Otherwise, you'll need to copy the name of the new file share to configure an app setting later.

  4. Secure the new storage account in one of the following ways:

    • Create a private endpoint. When you set up private endpoint connections, create private endpoints for the `file` and `blob` subresources. For Durable Functions, you must also make the `queue` and `table` subresources accessible through private endpoints. If you're using a custom or on-premises DNS server, make sure you configure your DNS server to resolve the storage account's `privatelink` host names to the new private endpoints; an app that still resolves the public endpoint is blocked by the storage firewall.

    • Restrict traffic to specific subnets. Ensure that one of the allowed subnets is the one your function app is network integrated with, and double-check that the subnet has a service endpoint for `Microsoft.Storage`. Without the service endpoint, traffic from the subnet arrives at the storage account with a public source address and the subnet rule doesn't match.

  5. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share. AzCopy and Azure Storage Explorer are common methods. If you use Azure Storage Explorer, you may need to temporarily allow your client IP address in the storage account's firewall; remove that rule again once the copy is done.

Now you're ready to configure your function app to communicate with the newly secured storage account.

#### 3. Enable application and configuration routing

Now route your function app's outbound traffic through the virtual network.

  1. Enable application routing to route your app's traffic into the virtual network.

    • Navigate to the Networking tab of your function app. Under Outbound traffic configuration, select the subnet associated with your virtual network integration.

    • In the new page, check the box for Outbound internet traffic under Application routing.

  2. Enable content share routing to have your function app communicate with your new storage account through its virtual network.

    • In the same page, check the box for Content storage under Configuration routing.

#### 4. Update application settings

Finally, you need to update your application settings to point at the new secure storage account.

  1. Update the Application Settings under the Configuration tab of your function app to the following:

     | Setting name | Value | Comment |
     | --- | --- | --- |
     | `AzureWebJobsStorage` | Storage connection string | The connection string for the new secured storage account, which you saved earlier. |
     | `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` | Storage connection string | The same connection string for the new secured storage account. |
     | `WEBSITE_CONTENTSHARE` | File share | The name of the file share created in the secured storage account where the project deployment files reside. |

  2. Select Save to save the application settings. Changing app settings causes the app to restart.

After the function app restarts, it's now connected to a secured storage account.
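The following Bicep file is an added example and is not one of the article's own sample deployments. It ties together the automated-deployment requirements from "Secure storage during function app creation" (create the share in the deployment, set `vnetContentShareEnabled`, point `WEBSITE_CONTENTSHARE` at the share) and the routing and app-setting changes from steps 3 and 4 above, for the private endpoint variant of step 2. The resource names, API versions, the Elastic Premium SKU, the `dotnet-isolated` worker runtime, and the two-subnet layout (one delegated subnet for the app's virtual network integration, one for the private endpoints) are assumptions; the private DNS zone records for the `privatelink` host names are assumed to be managed elsewhere.

```bicep
// Added example, not the article's own code. Creates a storage account that is
// reachable only through private endpoints, the content share, an Elastic
// Premium plan, and a function app whose site properties and app settings
// match the article's steps 3 and 4. Names, API versions and SKUs are assumptions.
param vnetName string                     // existing VNet holding both subnets
param functionSubnetName string           // subnet delegated to Microsoft.Web/serverFarms
param privateEndpointSubnetName string    // subnet that hosts the private endpoints
param functionAppName string
param storageAccountName string
param contentShareName string = 'function-content'
param location string = resourceGroup().location

// Durable Functions also needs 'queue' and 'table' in this list.
param storageSubresources array = [
  'blob'
  'file'
]

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource functionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: functionSubnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: privateEndpointSubnetName
}

// Public access is off, so only the private endpoints below can reach the account.
// For the service endpoint variant instead, keep publicNetworkAccess 'Enabled'
// and add networkAcls.virtualNetworkRules: [ { id: functionSubnet.id } ].
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

resource fileService 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  parent: storage
  name: 'default'
}

// Created through the management plane, which works even with public access off.
resource contentShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = {
  parent: fileService
  name: contentShareName
}

// One private endpoint per subresource (blob and file; plus queue and table for Durable).
resource storagePe 'Microsoft.Network/privateEndpoints@2023-05-01' = [for sub in storageSubresources: {
  name: '${storageAccountName}-${sub}-pe'
  location: location
  properties: {
    subnet: {
      id: peSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: '${sub}-connection'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [
            sub
          ]
        }
      }
    ]
  }
}]

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: '${functionAppName}-plan'
  location: location
  kind: 'elastic'
  sku: {
    name: 'EP1'
    tier: 'ElasticPremium'
  }
}

// Bicep inlines this variable where it is used because it calls listKeys().
var storageConnectionString = 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'

resource functionApp 'Microsoft.Web/sites@2023-01-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: functionSubnet.id  // step 1: VNet integration
    vnetRouteAllEnabled: true                  // step 3: outbound traffic through the VNet
    vnetContentShareEnabled: true              // step 3: content share traffic through the VNet
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: storageConnectionString }
        { name: 'WEBSITE_CONTENTSHARE', value: contentShareName }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' }
      ]
    }
  }
  dependsOn: [
    contentShare
    storagePe
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters vnetName=... functionSubnetName=... privateEndpointSubnetName=... functionAppName=... storageAccountName=...`. The `dependsOn` on the share and the private endpoints matters: if the site is created first, its startup tries to reach a share that doesn't exist yet over a path that isn't open yet. Note that both connection-string settings embed the storage account key, so treat the app's settings as secrets and update both whenever you rotate the key.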

## Next steps

> [!div class="nextstepaction"]
> Azure Functions networking options