Azure Functions Virtual Network Integration | Private Endpoints for Azure Functions 

Hello Edem, Thanks for checking out my video. We can create a function app with a secure storage account(private endpoint). We just need to enable the private endpoint for the storage account and place it in a VNET. Enable the outbound traffic from the function app to the same VNET. If you are looking to do it with an ARM template, you can refer to azure.microsoft.com/en-au/resources/templates/function-app-storage-private-endpoints/ Hope this helps. Cheers, Sri.

@@srigunnala Yes, thank you :)! Let me ask you one more question. I'm not 100% sure I understand, the role VNet injection plays here. I mean, I can enable private endpoints for example for my storage account, and it is enough to have private endpoint enabled to address that Storage Account via a local IP from a subnet from a given VNet rather than having to take the internet route to talk to the storage accounts public IP. What is that different for Function Apps? Could you please help me understand that in more detail? I was kinda sure that VNet injection will already give the injected Azure services IP addresses from within the VNet/Subnet. Thanks again Sir and hope to see more from you :)!

@@edemfromeden5432 Private Endpoint for function App and injection a function app into VNET are two different things. When Private Endpoint is enabled for the function app, it can be accessed only from configured VNET ( traffic flow over Microsoft Backbone network). If you have an App Service Environment, you inject the function app into a virtual network, and access can be controlled using network security groups. Hope this helps!! Cheers, Sri.

Thank you! I am glad you found it helpful! Cheers, Sri!

Hello there, You can create your own subnet or use the default one. Just make sure you have proper NSG in place to facilitate required inbound/outbound traffic. Cheers, Sri.

Hi there, Thank you!. if you have VNET in azure which is connected to onprem via VPN or express route, yes you can reach to onprem resources from Azure. We just need to route Azure Function outbound traffic via this VNET which can reach onprem. Also, based on what you want to achieve, there are other possible options as well. Cheers, Sri.

@@srigunnala Hi Sri! Great content! thank you very much. Im trying to achieve what CloudyKube wants. Can you point me to the right direction in How to route outbound traffic via the VNET. I have a VPN Gateway connected to a Fortigate on premise and we have connection between on premise virtual machines and azure virtual machines but the azure functions cant reach the on premise servers. Thanks in advcance.

I'm Glad you liked it! Thank you!

Thank you, I am glad it was helpful! Cheers, Sri.

Unfortunately, not as of now. Since consumption plan runs in multitenant azure environment, it doesn't support any VNET Integration. Thanks, Sri!

no problem, as i thought, thnx, is there any hacky way around this like wrap serevrless functions into some other resource or are we basically stuck with the higher cost? thnx again@@srigunnala

Thank you, Vishnu!

Really a good question! Unfortunately there is no easy way to it. One way is to 1. We need to deploy Virtual Machine Scale Set (VMSS) in to the same virtual network(where private end point resides) and run the build agent on it. 2. Configure CI/CD pipeline to use the build agent hosted on VMSS. Thanks, Sri.

@@srigunnala Thanks!

Hello Rifat, Thank you for checking my video. In the demo, It is function app with an app service plan. Enabling a private endpoint for the storage account(table storage to retrieve the data) doesn't work. If we run the functions in an App Service Environment, we can deploy them directly into your virtual network. In this case, we can enable a private endpoint for PaaS resources(like storage accounts) and place them in the same VNET as functions so functions can access PaaS resources through a private endpoint. Hope this helps! Cheers, Sri.