Why does Azure Functions app lose VNET integration for short times RRS feed

  • Question

  • I was directed here from Twitter.

    We have a premium functions app plan with multiple function apps. They are all integrated to the same VNET. All resources the functions access are restricted to allow access only from that VNET. That includes Service bus, Storage, Event hub and Key Vault.

    At random times we get errors like:

    Message Ip has been prevented to connect to the endpoint. For more information see: Virtual Network service endpoints: 
    Exception type Microsoft.Azure.ServiceBus.UnauthorizedException

    Message Exception while executing function: XXX Operation returned an invalid status code 'Forbidden'

    Exception type Microsoft.Azure.KeyVault.Models.KeyVaultErrorException

    or some similiar for Storage. 

    It can't be a configuration issue because most of the time it works.

    Most errors come from service bus as we have service bus triggers and the functions start to log errors immediately if access to service bus is broken. 

    It happens totally randomly. One random functions app and one random resource at a random time. The problem usually lasts just a few seconds, but the exceptions are caught in our Application Insights alerts. Sometimes days can go past without errors, sometimes it happens a few times per day.

    This is a development environment, but we would like it solved before going to production

    Wednesday, May 27, 2020 2:00 PM

All replies

  • Hello Sami R - Could you share with us your function app name privately?
    Monday, June 1, 2020 7:00 AM
  • Same happened to my vnet-integrated premium app, opened a support ticket with MS (120051322002711) but to no avail, the suggestions I got were in direction of setting up a 2nd function app in another region with azure front door, or to disconnect/reconnect the func app to the vnet (which I anyway did) ...

    One of the statements was "The main error you had received was that the integrated Vnet had become disconnected and this error is due to Source-code Annotation Language (SAL) instance that was missing but  was reestablished once you had reconnected the Vnet.", but I am not sure if that is a fact or just an assumption, as they could not get hold of the network logs ... 

    I am afraid I will experience additional downtimes in production, and trying to move as fast as possible to AKS (hopefully it is not as half-baked as premium plan functions, but I am not betting my life on it).

    Wednesday, June 3, 2020 10:16 PM