I have an VNET in Azure that is connected via a S2S tunnel to our on-premises network. This VNET contains a VM that is able to traverse the Virtual Network Gateway and access our on-premise resources. Our on-premise resources are able to see the VM. We have added an App Service plan (EP1) and a function to this VNET. The Function app can communicate/ping the VM, however, it cannot ping our on-premise resources. I've been over the documentation repeatedly and based on everything we've been able to determine, we're configured correctly.
Is this just something that Azure is unable to do? Or has anyone had this type of setup work for them?
I'm contemplating abandoning the App Service plans and just running Kubernetes on the VM and calling it a day.
I would like to suggest that you may check the following aspects according to your current description.
Use Azure Functions Premium plan or a dedicated plan(Require a Standard, Premium, PremiumV2, PremiumV3, or Elastic Premium pricing plan.)
In native Windows apps, the tools ping, nslookup, and tracert won't work through the app console, you could use
tcpping.exe hostnameorPrivateIPaddress [optional: port]to test for TCP connectivity to a host and port combination.Set the app setting
WEBSITE_VNET_ROUTE_ALLwith the value1to make sure all of your outbound calls from your app into your VNet. If you are using Azure DNS private zones, you also need to setWEBSITE_DNS_SERVERwith the value168.63.129.16.Use an empty(not other resources deployed inside the subnet) or dedicated subnet in your Azure VNet to integrate with the function app. To avoid any issues with subnet capacity, you should use a
/26with 64 addresses.You're trying to reach a non-RFC 1918 address by using the regional VNet Integration feature.
Is your on-premises gateway configured to route traffic back up to Azure?
Is there an NSG blocking egress from your integration subnet?
Let me know if you have any concerns.