Feature Request: Connect function app to VNET

[subesokun]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Allow connecting a function app to a VNET gateway. While this is possible via the Azure portal it seems it's not yet possible via the azurerm. Our use-case is that we've some services that are accessible only from within a VNET but our function apps needs to be able to talk to them.

New or Affected Resource(s)

• azurerm_function_app

References

https://stackoverflow.com/questions/45040020/connect-azure-function-app-to-vnet

[svangeti]

Hi @tombuildsstuff , Is there a timeline when this can be implemented for azurerm_function_app resource?

[davemurphysf]

FYI: virtual_network_name is listed under azurerm_function_app resource, however it does not work for me (no network is attached to the function app). I am using a Function App in an App Service Plan on Linux.

[rudolphjacksonm]

@davemurphysf I'm seeing the same behavior on my end. Terraform seems to happily create my function and the VNet/dedicated subnet but it doesn't attach the Function to it. No errors or anything in the output.

[null-ref-0000]

virtual_network_name

I don't see any reference to this attribute in the docs or code.

[bruceharrison1984]

It seems to have disappeared in the last few releases. I was making reference to it in 1.44.0 code, and once I upgraded to 2.8.0 the reference was no longer valid.

[aristosvo]

I'm tempted to pick this up over the weekend, let's see how that goes:)

/assign

[aristosvo]

When I looked into this, I saw two separate options for VNet integration:

• Regional VNet Integration
• Gateway-required VNet Integration

For the first option I checked if it was currently possible to configure Regional VNet Integration for Function Apps with azurerm_app_service_virtual_network_swift_connection and it seems to work fine. Is this option known and does it work as expected? It seems the best option when working in the same region and is also the (only) option implemented for normal App Services at the moment.

Or should we implement the Gateway-required VNet Integration for both Functions and App Services?

Configuration that worked for me regarding the Regional VNet Integration:

provider "azurerm" {
  version          = "=2.8.0"
  skip_provider_registration = true
  features {}

  subscription_id = "********************************************"
  tenant_id       = "********************************************"
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "west europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "accexamplevnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "accexamplesubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.1.0/24"

  delegation {
    name = "accexampledelegation"

    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_plan" "example" {
  name                = "accexampleasp"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}


resource "azurerm_storage_account" "example" {
  name                     = "functionsappexamplesa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_function_app" "example" {
  name                       = "example-azure-function-aristosvo"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}

resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_function_app.example.id
  subnet_id      = azurerm_subnet.example.id
}

[aristosvo]

@katbyte @tombuildsstuff Would renaming azurerm_app_service_virtual_network_swift_connection to azurerm_app_service_regional_virtual_network_integration make sense?
What about duplicating it to azurerm_function_app_regional_virtual_network_integration with some small changes:

resource "azurerm_function_app_regional_virtual_network_integration" "example" {
  function_app_id = azurerm_function_app.example.id
  subnet_id       = azurerm_subnet.example.id
}

[MaxiPalle]

I tried to configure it as @aristosvo mentioned it.

For a function_app I receive an error like this:

Error: Error creating/updating App Service VNet association between "func-coronaapp-01-dev-request" (Resource Group "rg-cloud-enabling-dev-vorantrag") and Virtual Network "vnet-cloud-enabling-dev": web.AppsClient#CreateOrUpdateSwiftVirtualNetworkConnection: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=<nil> <nil>

  on main.tf line 86, in resource "azurerm_app_service_virtual_network_swift_connection" "vorantrag_req":
  86: resource "azurerm_app_service_virtual_network_swift_connection" "vorantrag_req" {

For deployment slots (either app service as function app) I don't receive any error message, but the VNet integration is not setup.

Is this a bug or a known limitation?

[rudolphjacksonm]

@MaxiPalle the documentation on this isn't easy to find and I'm not in front of it now, but there is a hard limit of one Vnet integration per app service plan. If you want to create multiple Vnet integrations for different functions and app services, each one will need it's own app service plan.

I ran into this a few months ago and you'll get the same error in the portal, which doesn't tell you why it's happening whatsoever. Hopefully this helps!

[MaxiPalle]

Hi @rudolphjacksonm ,

thanks for bringing this to my attention.

You're right: the limitations for some of the function apps originate from the chosen app service plan as per https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration.
So I have to redesign a few things now ....

BUT: what a bout slots? Haven't found any limitations for this and creating the slots manually in the portal does work.

Cheers,
Jens

[mcalnd70]

Just sat down this morning to put some FA's into a vNet and discovered this. From 2 years ago. Lol, I guess I'm screwed then

How are users working around this? Azure CLI or Powershell step commands after the Terraform?

[aristosvo]

@mcalnd70 Can you explain what you mean? Is regional VNet integration not working for you?

There is a PR for Gateway-required VNet integration (#7048) which is blocked by Microsoft due to the API.

[mcalnd70]

@aristosvo Just a basic regional vNet integration. How do you get it to work with Function Apps?

[mcalnd70]

@aristosvo I've just used your example, looks good, thank you! Lifesaver

[mcalnd70]

@aristosvo Did you know that re-running the Terraform PLAN after that produces a nulling out of the entry "virtual_network_name" that does nothing? (default is the name of my subnet in the vNet)

 ~ site_config {
            always_on                 = false
            ftps_state                = "AllAllowed"
            http2_enabled             = false
            ip_restriction            = []
            min_tls_version           = "1.2"
            use_32_bit_worker_process = false
          - virtual_network_name      = "16dfc123-4568-4g0a-c51-188887a8888_default" -> null
            websockets_enabled        = false

After running APPLY after this, as previously mentioned, the entry doesn't really do anything and the vNet integration remains in-place

[aristosvo]

@mcalnd70 No, I didn't! If you'd like to raise it as an issue, feel free.

[tombuildsstuff]

@mcalnd70 there's about half a dozen different networking integrations for the App Service family (incl. Function Apps) - that particular integration has been superseded on Azure's side (but continues working for existing integrations) - so unfortunately that's a limitation of Azure rather than something specific to Terraform

[Asos-RiverPhillips]

@tombuildsstuff What has this been superseded by? We're looking to integrate functions with virtual networks.

[rudolphjacksonm]

This has been superseded by azurerm_app_service_virtual_network_swift_connection I believe, or at least that's what we've been using for a few months now with no issues.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection

[byteknacker]

> For the first option I checked if it was currently possible to configure Regional VNet Integration for Function Apps with `azurerm_app_service_virtual_network_swift_connection` and it seems to work fine. Is this option known and does it work as expected? It seems the best option when working in the same region and is also the (only) option implemented for normal App Services at the moment.

@aristosvo
I just used azurerm_app_service_virtual_network_swift_connection to connect an Azure Function App and a subnet within the same region and it worked. I would suggest to simply add an entry within the documentation for azurerm_app_service_virtual_network_swift_connection to say that this works for both App Service and Function App. In addition to that, also make a reference to the new entry within the azurerm_function_app documentation. This will save the effort of creating a new resource with the same feature that is already covered by azurerm_app_service_virtual_network_swift_connection.

[aristosvo]

@byteknacker Consider it done!

I would suggest to simply add an entry within the documentation for azurerm_app_service_virtual_network_swift_connection to say that this works for both App Service and Function App. In addition to that, also make a reference to the new entry within the azurerm_function_app documentation. This will save the effort of creating a new resource with the same feature that is already covered by azurerm_app_service_virtual_network_swift_connection.

• [Docs]function_app Regional VNet Integration #10333

[ghost]

This has been released in version 2.45.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.45.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!