Can't deploy Azure Function app settings because fileshare returns 403

In my primary Azure region, East US 2, I have FrontDoor, a virtual network, and 4 premium function apps. These work perfectly fine, but I am trying to set up the functions in a secondary region, Central US, according to this diagram.

My thoughts were that I would have a second App Service Plan (EP1), a second virtual network, and a second premium function app for each of my functions. I was able to get this to mostly work, but my pipeline fails when deploying the first function's app settings. The error I get is: Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'. Please check if the storage account is accessible.

In my main bicep file I have:

var appSettings = {
  APPINSIGHTS_INSTRUMENTATIONKEY: appInsights.properties.InstrumentationKey
  APPLICATIONINSIGHTS_CONNECTION_STRING: appInsights.properties.ConnectionString
  WEBSITE_RUN_FROM_PACKAGE: '1'
  AzureWebJobsStorage__accountName: '${storageAccount.name}'
  BuyingDBCosmosURL: 'https://${cosmosAccountName}.documents.azure.com:443/'
  FUNCTIONS_EXTENSION_VERSION: '~3'
  FUNCTIONS_WORKER_RUNTIME: 'dotnet'
  AzureWebJobsStorage: '<connection string>'
  WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: '<connection string>'
}

@batchSize(1)
module appServiceFunction '../modules/applications/app-service.bicep' = [for (item, i) in config.functionApps: if (deployFN || rebuildEnvironment) {
  name: '${prefixAppServices}-${item.name}-fn'
  params: {
    appServiceKind: 'functionapp'
    appServiceName: '${prefixAppServices}-${item.name}-fn'
    appServicePlanId: (deployFN) ? appServicePlan.outputs.appServicePlanId : (rebuildEnvironment) ? appServicePlan.outputs.appServicePlanId : ''
    appServiceAuth: item.appAuth
    appServiceSiteConfig: {
      healthCheckPath: '/api/${item.name}/healthCheck'
    }
    appServiceSettings: union({
      WEBSITE_CONTENTSHARE: '${prefixAppServices}-${item.name}-fn'
    }, appSettings)
    ipSecurityRestrictions: fnIpSecurityRestrictions
    virtualNetworkSubnetId: subnetFunction.id
    location: location
    tags: appTags
    logAnalyticsRetention: logAnalyticsRetention
    actionGroupId: (deployFN) ? actionGroup.outputs.actionGroupId : (rebuildEnvironment) ? actionGroup.outputs.actionGroupId : ''
  }
  dependsOn: [
    cosmos
  ]
}]

And in a separate file where I create the resource, we use a config resource to define the app settings in key/value pairs (I also tried passing the app settings in directly to the function and received the same error):

resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = if (!empty(appServiceSettings)) {
  name: 'appsettings'
  parent: appService
  properties: appServiceSettings
}

I'm not exactly sure where the issue is, as high availability and disaster recovery are new to me, so I added some pictures of the configuration. Please let me know if I can add anything to this question!!

Edit: If I navigate to the storage account networking tab and change "Allow access from Selected Networks" to "Allow access from All Networks", then I am able to deploy the function apps and their app settings no problem.

There are 1 best solutions below

Add the WEBSITE_CONTENTOVERVNET=1 setting to the Azure function app settings and then try again. This worked for me.

A few things to check:

  1. The storage account should be on selected networks.
  2. You should have blob and file private endpoints in the same VNet where the Azure function is deployed.
  3. Check the DNS zone and the A record for the storage account private endpoint.
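
The checklist above expressed as Bicep, so the storage firewall can stay on selected networks instead of being opened to all networks. This is an added example, not part of the original answer or the asker's modules; every parameter and resource name in it is an assumption, and it is written for a current Bicep CLI.

```bicep
// Added example: names below are assumptions, not taken from the asker's templates.
param location string = resourceGroup().location
param storageAccountName string
param vnetId string                  // VNet the function app is integrated with
param privateEndpointSubnetId string // subnet in that VNet used for private endpoints

resource storage 'Microsoft.Storage/storageAccounts@2021-04-01' existing = {
  name: storageAccountName
}

var services = [ 'blob', 'file' ] // one endpoint and one DNS zone per sub-resource

resource zones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for s in services: {
  name: 'privatelink.${s}.${environment().suffixes.storage}'
  location: 'global'
}]

// Link each zone to the VNet so the app resolves the account to its private IP.
resource links 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (s, i) in services: {
  parent: zones[i]
  name: '${s}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}]

resource endpoints 'Microsoft.Network/privateEndpoints@2021-05-01' = [for s in services: {
  name: '${storageAccountName}-${s}-pe'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: s
        properties: { privateLinkServiceId: storage.id, groupIds: [ s ] }
      }
    ]
  }
}]

// The zone group creates and maintains the A record for each private endpoint.
resource zoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = [for (s, i) in services: {
  parent: endpoints[i]
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: s, properties: { privateDnsZoneId: zones[i].id } } ]
  }
}]

// Merge into the function app's settings, e.g. union(appSettings, contentOverVnetSettings).
output contentOverVnetSettings object = { WEBSITE_CONTENTOVERVNET: '1' }
```

Deploy this before the function app's `appsettings` resource so the content file share is reachable over the VNet when the settings are applied.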