Sample showing how to connect Azure Functions to Azure resources using private endpoints.
This sample shows how Azure Functions can connect to other Azure resources via a private endpoint connection. The sample uses an Azure Functions Premium plan with regional VNet Integration to interact with Azure resources confined to a virtual network.
The following components are required to run this sample:
You can use the Azure Cosmos DB Emulator and Azure Storage Emulator, along with the Azure Functions Core Tools, if you wish to develop and test locally.
An alternative deployment approach is to use the Azure CLI to deploy the included Resource Manager template.
```bash
az group create --name [YOUR-RESOURCE-GROUP-NAME] --location [YOUR-DESIRED-AZURE-REGION]
az deployment group create -g [YOUR-RESOURCE-GROUP-NAME] --template-file azuredeploy.json --parameters azuredeploy.parameters.json
```
After the Azure resources are deployed (which can take about 10-12 minutes), you will need to deploy the Azure Function to the newly created Azure Function app. You can use the Azure Functions Core Tools to deploy the function.
```bash
func azure functionapp publish [YOUR-FUNCTION-APP-NAME]
```
Please perform the following steps to run the sample.
- Connect to the newly created VM using Azure Bastion.
- Copy the `sample.csv` file to the newly created VM.
- From the VM, use a web browser to open the Azure portal.
- Navigate to the newly created storage account which starts with `widgets`. Using Storage Explorer in the portal, upload the `sample.csv` file to the `orders` blob storage container.
- Within a few seconds, the function's blob trigger should execute and process the file.
- Navigate to the newly created CosmosDB resource. Using Data Explorer in the portal, open the `Widgets` database and `Orders` collection. You should notice the same number of documents in the CosmosDB collection as were in the sample CSV file.
This sample demonstrates how to configure an Azure Function to work with Azure resources using private endpoints. By using private endpoints, the designated resources are accessible only via the virtual network.
The sample sets up the following Azure resources:
- Azure Function with blob trigger and CosmosDB output binding
- Azure Function Premium plan with Virtual Network (VNet) Integration enabled
- Virtual network
- Configuring private endpoints for Azure resources
  - Azure Storage private endpoints
  - Azure Cosmos DB private endpoint
- Private Azure DNS zones
- Azure VM and Azure Bastion in order to access Azure resources within the virtual network.
The diagram provided shows a high-level depiction of the sample architecture.
Azure Functions requires the use of a general-purpose storage account. This sample uses two storage accounts to meet that requirement.
- The storage account referenced by the `AzureWebJobsStorage` application setting is configured with a private endpoint.
- The storage account referenced by the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` application setting does not use a private endpoint.
The sample provisions nearly all Azure resources within the confines of a virtual network. Attempts to access the following resources will only succeed from within the VM (which is itself within the virtual network) due to the virtual network restrictions on the resources:
- Storage accounts
  - `widgets` + unique string (e.g. widgetspmobtiatsqdgc)
  - `fnapp` + unique string + `wjsa` (e.g. fnapppmobtiatsqdgcwjsa)
- CosmosDB
  - `widgets` + unique string (e.g. widgetspmobtiatsqdgc)
There are no virtual network restrictions on the following resources, and thus access to these resources is permitted from outside the virtual network (e.g. your desktop):
- Storage accounts
  - `fnapp` + unique string (e.g. fnapppmobtiatsqdgcac)
  - `vmdiag` + unique string (e.g. vmdiagpmobtiatsqdgc)
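One way to confirm this split from the VM, as an added example that is not part of the sample repository: resolve each resource's hostname and check whether it maps to a private (RFC 1918) address. The public DNS suffixes, the use of the blob endpoint only, the `ac` suffix (taken from the example account name above) and Python being available on the VM are assumptions of this example.

```python
"""Added example (not part of the sample repo): check how the sample's
endpoints resolve from the current host. Run on the VM inside the VNet."""
import ipaddress
import socket
import sys

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expected_endpoints(suffix):
    """Map each hostname to the address class expected from inside the VNet.

    Resource names follow the README's pattern; the DNS suffixes and the
    choice of the blob endpoint are assumptions of this example.
    """
    return {
        # Restricted: private endpoint plus private DNS zone.
        f"widgets{suffix}.blob.core.windows.net": "private",
        f"fnapp{suffix}wjsa.blob.core.windows.net": "private",
        f"widgets{suffix}.documents.azure.com": "private",
        # Unrestricted: no private endpoint, public address expected.
        f"fnapp{suffix}ac.blob.core.windows.net": "public",
        f"vmdiag{suffix}.blob.core.windows.net": "public",
    }


def classify(host, resolve=socket.gethostbyname):
    """Return 'private', 'public' or 'unresolved' for a hostname."""
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return "unresolved"
    return "private" if any(ip in net for net in RFC1918) else "public"


def audit(suffix, resolve=socket.gethostbyname):
    """Return [(host, expected, actual)] for every endpoint that deviates."""
    return [(h, want, got) for h, want in expected_endpoints(suffix).items()
            if (got := classify(h, resolve)) != want]


if __name__ == "__main__":
    problems = audit(sys.argv[1])  # unique string, e.g. pmobtiatsqdgc
    for host, want, got in problems:
        print(f"MISMATCH {host}: expected {want}, got {got}")
    sys.exit(1 if problems else 0)
```

A restricted resource that reports `public` from the VM means the private DNS zone is not linked to the virtual network or the private endpoint record is missing.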
The repository contains the following files and folders:
| File/folder | Description |
|---|---|
| `.vscode` | VS Code related settings. |
| `src` | Sample source code. |
| `src\MyFunctions.cs` | Azure Function sample code. |
| `src\sample.csv` | Sample CSV file. |
| `template` | Azure Resource Manager template and deployment script. |
| `template\azuredeploy.json` | Azure Resource Manager template for provisioning Azure resources. |
| `template\azuredeploy.parameters.json` | Parameters used by the Azure Resource Manager template. |
| `template\deploy.sh` | Script to deploy the template. |
| `.gitignore` | Define what to ignore at commit time. |
| `CHANGELOG.md` | List of changes to the sample. |
| `CONTRIBUTING.md` | Guidelines for contributing to the sample. |
| `README.md` | This README file. |
| `LICENSE` | The license for the sample. |
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.