Logo

dev-resources.site

for different kinds of informations.

Azure Function App (Flex Consumption) in private VNET via IaC

Published at
11/30/2024
Categories
azure
azurefunctions
gitlab
powershell
Author
rokicool
Author
8 person written this
rokicool
open
Azure Function App (Flex Consumption) in private VNET via IaC

A lot of technical terms in the name of the article, right? Let's dive into it!

Why Azure Function App?

It is not a serious question! Azure Function App is a fantastic serverless infrastructure that allows you to execute your code within a secure environment.

What if you need to perform a maintenance task by schedule? Or execute a PowerShell script within your Azure subscripton to perform a specific operation?

Azure Function App might perform it for you!

There are challenges, of course. This article explains how to overcome them and have an automated pipeline that creates infrastructure and then builds and deploys Azure Function to the correct place!

Why private VNET?

That is the weirdest part. However, some companies prohibit the use of any Azure service with a publicly accessible interface!

There will be more on that later in this article.

Why Flex Consimption?

Microsoft provides several plans for the Azure Function Apps. They are reasonable.

If you have heavy traffic and a lot of executions, your choice is the Premium Plan: about $200 per month...

What if you need to execute your function only several times per day?

So, with all possible options, we don't have a choice. Only Flex Consumption costs about $3 a month (with less than 1000 executions, remember?) And a Flex Consumption Plan-based App might be integrated into a VNET.

2024.12 UPD: Unfortunately, not $3 but $30 per month. Here is the post about that Flex Consumption is not cheap (when in private VNET)

Some technical internals of Azure Function App

To explain the challenge, I need to surface several technical details. Azure Function App is not exactly a separate service.

The usual Azure Function App has to use other Azure services. Some of them are optional, and some of them are mandatory.

Image description

Having an Azure Storage Account is a must. The Azure Function App uses the Storage Account to store the Azure Function Code. However, Azure Storage Account is a publicly available service!

The Function App must be able to access the green circle on the next schema. But that means absolutely everyone (who has the permission, of course) can access it too!

Image description

If we need to comply with the company's policy, we must turn off that green public interface of the Storage Account.

But how does the Azure Function App reach the Storage Account for the function code?

We should use a private VNET! That means a lot of things:

  • we should create Storage Account private endpoints for both Blob and File services;
  • we should integrate Azure Function App with one of the subnets in private VNET;
  • we should create DNS zone and DNS names that would allow Azure Function App to find out the private IP addresses of the Storage Account services;
  • we should provide Azure Function App with the correct DEPLOYMENT_STORAGE_CONNECTION_STRING;
  • we should allow Azure Function App identity to access the Storage Account.

Image description

More details you can find in the official Microsoft document How to use a secured storage account with Azure Functions

GitLab pipeline

A lot of technical things that must be performed for every Azure Function App deployment... So, that must be automated!

Here is my GitLab project that deploys an Azure Function App based on the Consumption Flex plan: azure-function-app

The pipeline first creates infrastructure according to all the steps mentioned above. Then, the pipeline deploys the code of the Azure Function to the infrastructure created on the first step.

The same pipeline supports two environments: DEV and PROD. The plan is to push all changes to the dev or dev_bicep branches to the DEV environment. Any changes made to the main branch will then be sent automatically to both the DEV and PROD environments.

You might find more details in the pipeline definition and the projects README.md file.

BTW, this pipeline does not use secrets. The authentication is based on OIDC (Open ID Connect). I have written an article that provides a detailed explanation of this method: GitLab, Azure, OpenTofu, and NO secrets!.

Image description

Why was this article written?

I tried to automate the Azure Function App (Flex Consumption Plan) deployment behind firewalls using Terraform, and I failed.

As of November 2024, Terraform providers don't support subnet integration with the Azure Function App based on the Flex Consumption Plan.

You can find my Terraform-based failing deployment in the dev branch of azure-function-app project.

I really prefer to use Terraform, and as soon as it supports Flex Consumption network integration, I will try to revive this project.

So, Terraform fails. But you can set up that Azure Function App configuration manually via the Portal. This implies that either the ARM Template or Bicep should function properly. I took the Microsoft Official Bicep Template, modified it to support network integration, and here it is, up and running.

As a result, I spent so many hours setting everything up, so I decided to share the findings and working example.

Questions, suggestions...

As you may have noticed, there are numerous areas for improvement. Or I could make a mistake that slipped out of my consciousness.

Please feel free to ask questions or share your suggestions. In fact, I need your feedback to understand where to dig next!

powershell Article's
30 articles in total
Favicon
Windows ไธŠ VSCode ็š„ C/C++ ๅปถไผธๆจก็ต„่™•็†็ทจ็ขผ็š„ๅ•้กŒ
Favicon
PowerShell ็š„ๆ–‡ๅญ—็ทจ็ขผ
Favicon
็ฌ”่ฎฐ3
Favicon
TryHackMe | Windows PowerShell | RSCyberTech
Favicon
Configuring Hyper-V Global Default Directories
Favicon
How I Set Up an Awesome PowerShell Environment for Script Development
Favicon
Azure Function App (Flex Consumption) PowerShell Modules solution
Favicon
File Comparison Made Easy: Detecting New and Changed Files with PowerShell
Favicon
10 Best Practices of PowerShell Code Signing for Signing Your Script
Favicon
PowerShell Script Collection: Automation and Solutions for Everyday Tasks
Favicon
Video: List All Available Windows Features on Windows 11 using CMD & PowerShell
Favicon
Set up Azure Network Security Perimeter with PowerShell
Favicon
Automating Azure Project Setup with PowerShell and GitHub Actions
Favicon
Azure Function App (Flex Consumption) in private VNET via IaC
Favicon
Using PowerShell to Create Service Principals for RBAC
Favicon
Two ways to use Pester to Mock objects with strongly typed parameters
Favicon
PowerShell Automation: Execute Batch GitHub CLI Commands
Favicon
โ“ Do you allow wrong input to enter your function?
Favicon
Introducing PowerShell Utility Scripts
Favicon
Cisco DHCP Pool conversion to Windows Server DHCP
Favicon
PowerShell | Script output garbled Chinese characters
Favicon
Rename Multiple Files in Sequence with Just One Click Using PowerShell in Windows! ๐Ÿš€
Favicon
Redirect Out-File to TestDrive: in your PowerShell Pester test scripts with this one weird trick
Favicon
Using PowerShell for day to day stuff
Favicon
Automating SharePoint Embedded: Using PowerShell to Call Graph API Endpoints
Favicon
Install Ubuntu on WSL 2
Favicon
How to Install WSL from PowerShell on Windows 10 and 11
Favicon
How to Run PowerShell Script in Jenkins Pipeline
Favicon
Identify Which Files are Large.
Favicon
Quick guide to setting up an shortcut/alias in windows

Featured ones: