I am trying to connect my python runtime Azure function app to our managed instance, but I am encountering what seems to be an IP whitelisting problem.
I am currently trying to use SQL authentication to connect my Azure function app to the managed instance, but I keep getting a timeout error. When I open up all inbound traffic to our public endpoint, the function app works as expected. So, I then tried to whitelist the IP addresses associated with the azure resource. This web page explains how to find the outbound IP Addresses of a function app using the Azure Resource Explorer.
So, I added those IP addresses to the whitelist for the managed instance's public endpoint, and it worked! Temporarily, though… I was able to get the app to run successfully a few times, but when I redeployed the app I got the same timeout error. I thought that maybe the outbound IP addresses change every time you redeploy your function app, but when I refreshed the Azure Resource Explorer, it showed that the IP addresses had not changed.
My question is: what is the approach for allowing Azure resources, like the managed instance and function apps, to interact with each other without having to mess with whitelisting the right IP address(es)?
I have a VNET setup for the managed instance, and I read here that resources within the same virtual network, even in different subnets, can talk to each other. However, I don’t know what to add for the "service endpoints," "subnet delegation," or "network policy for private endpoints" sections to allow the function app to be setup correctly on the VNET. Also, potentially a service connector may do the trick. There are so many options I don’t know what the best approach would be.
2 Answers
The solution was to whitelist the "AzureCloud", not "AppService", service tag in the Inbound Security Rules of the Network Security Group associated with the Azure Managed Instance, and to set the priority number of this new rule to a lower priority number than the rule that denies all inbound traffic; the lower the priority number, the higher the priority it takes. The highest-priority rule would have 100 and the lowest 65500. After adding this NSG inbound security rule, the connection to the Azure SQL MI public endpoint was no longer blocked by the Azure NSG for my function app.
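The accepted answer hinges on how an NSG orders its inbound rules: rules are evaluated in ascending priority number and the first match wins, so an Allow rule for the `AzureCloud` tag only helps if its number is below the `DenyAllInBound` default at 65500. The following model is an added illustration, not code from the question or either answer, and it assumes constructed CIDR ranges as stand-ins for the real service tags (Azure resolves those itself; they are not available offline). The managed instance public endpoint port 3342 is the documented port for SQL MI public endpoints; the rule names and source IPs are constructed sample values.

```python
"""Model of how an Azure NSG evaluates inbound rules by priority number.

Added illustration (not from the original post). Rules are processed in
ascending priority; the first rule whose source and destination port match
decides the outcome. Service tags are modelled with constructed CIDRs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed stand-ins for service tags. Real tag contents are maintained
# by Azure; these ranges exist only to make the example runnable offline.
SERVICE_TAGS: dict[str, list[IPv4Network]] = {
    "AzureCloud": [ip_network("20.0.0.0/8"), ip_network("40.64.0.0/10")],
    "AppService": [ip_network("40.64.0.0/10")],          # narrower than AzureCloud
    "VirtualNetwork": [ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}

SQL_MI_PUBLIC_ENDPOINT_PORT = "3342"   # documented public endpoint port for SQL MI


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100..4096; Azure defaults sit at 65000+
    source: str        # service tag, CIDR, or "*"
    dest_port: str     # single port or "*"
    access: str        # "Allow" or "Deny"


def _source_matches(rule_source: str, src_ip) -> bool:
    if rule_source == "*":
        return True
    if rule_source in SERVICE_TAGS:
        return any(src_ip in net for net in SERVICE_TAGS[rule_source])
    try:
        return src_ip in ip_network(rule_source, strict=False)
    except ValueError:
        # Unknown tag name: treat as non-matching rather than crashing.
        return False


def _port_matches(rule_port: str, port: int) -> bool:
    return rule_port == "*" or rule_port == str(port)


def evaluate_inbound(rules: list[Rule], src_ip: str, dest_port: int) -> tuple[str, str]:
    """Return (access, rule_name) for the first matching rule by priority."""
    src = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "implicit"


# Azure's default inbound rules, with the priorities the portal shows.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def mi_rules_with_tag(tag: str, priority: int = 100) -> list[Rule]:
    """Default NSG plus one Allow rule for the given service tag on port 3342.

    `priority` must be below 65500 for the Allow to take effect; 100 is the
    highest custom priority available.
    """
    allow = Rule(f"allow_{tag.lower()}_{SQL_MI_PUBLIC_ENDPOINT_PORT}", priority,
                 tag, SQL_MI_PUBLIC_ENDPOINT_PORT, "Allow")
    return DEFAULT_RULES + [allow]


if __name__ == "__main__":
    # Constructed sample: a function app outbound IP that falls under AzureCloud
    # but not under the narrower AppService stand-in, and an internet client.
    function_app_ip, internet_ip = "20.1.2.3", "203.0.113.7"
    for tag in ("AzureCloud", "AppService"):
        rules = mi_rules_with_tag(tag)
        print(tag, function_app_ip, evaluate_inbound(rules, function_app_ip, 3342))
        print(tag, internet_ip, evaluate_inbound(rules, internet_ip, 3342))
```

The two checks a practitioner should run before trusting such a rule are visible here: the Allow is scoped to a single destination port rather than `*`, so the rule does not widen exposure of the instance beyond the endpoint actually needed, and the tag chosen must actually contain the caller's outbound IPs (the accepted answer found `AppService` did not, while `AzureCloud` did). Any Azure-internal source within the tag range is then allowed through the NSG, so SQL authentication and the instance-level firewall remain the controls that decide who may actually log in.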
You need to integrate your Azure Function with the VNET associated with your SQL Managed Instance.
Keep in mind that Function VNET integration is only available on Premium, Dedicated and ASE plans. So if you are using Consumption plan, you don’t have the option available.
Once you integrate your function with your SQL managed instance, then you should be able to establish communication between the two.
https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-portal