In my primary Azure region, East US 2, I have FrontDoor, a virtual network, and 4 premium function apps. These work perfectly fine but I am trying to set up the functions in a secondary region, Central US according to this diagram.
My thoughts were that I would have a second App Service Plan (EP1), a second virtual network, and a second premium function app for each of my functions. I was able to get this to mostly work but my pipeline fails when deploying the first functions app settings. The error I get is: Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.
In my main bicep file I have:
var appSettings = {
APPINSIGHTS_INSTRUMENTATIONKEY: appInsights.properties.InstrumentationKey
APPLICATIONINSIGHTS_CONNECTION_STRING: appInsights.properties.ConnectionString
WEBSITE_RUN_FROM_PACKAGE: '1'
AzureWebJobsStorage__accountName: '${storageAccount.name}'
BuyingDBCosmosURL: 'https://${cosmosAccountName}.documents.azure.com:443/'
FUNCTIONS_EXTENSION_VERSION: '~3'
FUNCTIONS_WORKER_RUNTIME: 'dotnet'
AzureWebJobsStorage: <connection string>
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: <connection string>
}
@batchSize(1)
module appServiceFunction '../modules/applications/app-service.bicep' = [for (item, i) in config.functionApps: if (deployFN || rebuildEnvironment) {
name: '${prefixAppServices}-${item.name}-fn'
params: {
appServiceKind: 'functionapp'
appServiceName: '${prefixAppServices}-${item.name}-fn'
appServicePlanId: (deployFN) ? appServicePlan.outputs.appServicePlanId : (rebuildEnvironment) ? appServicePlan.outputs.appServicePlanId : ''
appServiceAuth: item.appAuth
appServiceSiteConfig: {
healthCheckPath: '/api/${item.name}/healthCheck'
}
appServiceSettings: union({
WEBSITE_CONTENTSHARE: '${prefixAppServices}-${item.name}-fn'
}, appSettings)
ipSecurityRestrictions: fnIpSecurityRestrictions
virtualNetworkSubnetId: subnetFunction.id
location: location
tags: appTags
logAnalyticsRetention: logAnalyticsRetention
actionGroupId: (deployFN) ? actionGroup.outputs.actionGroupId : (rebuildEnvironment) ? actionGroup.outputs.actionGroupId : ''
}
dependsOn: [
cosmos
]
}]
And in a separate file where I create the resource, we use a config resource to define the app settings in key/value pairs (I also tried passing the app settings in directly to the function and received the same error):
resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = if (!empty(appServiceSettings)) {
name: 'appsettings'
parent: appService
properties: appServiceSettings
}
I'm not exactly sure where the issue is as high availability and disaster recovery is new to me so I added some pictures of the configuration. Please let me know if I can add anything to this question!!
Edit: If I navigate to the storage account networking tab and change "Allow access from Selected Networks" to "Allow access from All Networks", then I am able to deploy the function apps and their app settings no problem.
Add WEBSITE_CONTENTOVERVNET=1 setting in azure function app settings and then try. This worked for me.
Few things need to check: