Trouble Running Function Apps Internally with Private Endpoints and VNet Integration
Hello everyone,
I’m facing an issue with running Azure Function Apps internally, and I’m hoping to get some insights from the community. Full disclosure, I hate bugging people with questions on forums but I am kind of at a loss and need some inspiration from other Azure-minded people to help me get past this.
Background:
I have the following setup in Azure:
• Azure Data Factory (ADF): Deployed with a private endpoint.
• Function App: Deployed with a private endpoint and VNet integration enabled.
• Storage Account: Deployed with a private endpoint.
• Self-Hosted Integration Runtime (SHIR): Running in Azure within the same VNet.
• DNS Configuration:
  • Private DNS zones are linked.
  • Record sets are configured.
  • Conditional forwarders are set up on our Domain Controller (DC).
All these resources are in the same VNet and subnet, and they should be able to communicate internally. When I ping the Function App from the SHIR, it resolves to its private IP address.
The Issue:
When I try to run the Function App with the private endpoint and VNet integration enabled—using custom DNS to point to our internal servers—I receive timeout errors. However, if I switch everything to public (disable private endpoints and VNet integration), the Function App runs without issues.
I have also tried using the Function App’s private IP address in the linked service for the Function App in ADF, but that doesn’t work either.
Question:
Given that the Storage Account, ADF, SHIR, and Function App are all in the same subnet with the same DNS configurations, why can’t the Function App be reached internally? Is there something I’m missing in the configuration?
If anyone has experience running Function Apps internally using VNet integration and private endpoints with ADF, I would greatly appreciate your insights or suggestions.
UPDATE:
I resolved the problem. The file share on the function app's storage account wasn't accessible over port 445 between the function app and the SHIR because it was created on its own private DNS zone without the appropriate links. All previous tests were trying to connect to its blob private endpoint, which was on a private DNS zone with links. Thanks again guys for helping out.
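A diagnostic script for the failure mode described in the update, added here as an example and not part of the original post: it resolves the storage account's blob and file endpoints from inside the VNet, reports whether each answer is a private IP (private endpoint in use) or a public one (the privatelink zone is not linked to the VNet), and tests TCP 443/445 reachability. It assumes a Linux host in the VNet with bash, getent and timeout; the storage account name is a placeholder argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes a Linux host inside the
# VNet (e.g. the SHIR VM) with bash, getent and timeout available.

# Map a storage endpoint FQDN to the private DNS zone that must be linked to
# the VNet, e.g. acct.file.core.windows.net -> privatelink.file.core.windows.net
expected_zone() {
  local fqdn="$1"
  local suffix="${fqdn#*.}"          # strip the account label
  printf 'privatelink.%s\n' "$suffix"
}

# Return 0 if the IPv4 address is in an RFC 1918 private range, 1 otherwise.
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve one endpoint and test a TCP port. A public answer means the VNet is
# not using the privatelink zone for that service; a timeout on a private
# answer points at the NSG, firewall or the private endpoint itself.
check_endpoint() {
  local fqdn="$1" port="$2" ip
  ip=$(getent ahostsv4 "$fqdn" | awk 'NR==1{print $1}')
  if [ -z "$ip" ]; then
    echo "FAIL $fqdn: no A record"; return 1
  fi
  if is_private_ip "$ip"; then
    echo "OK   $fqdn -> $ip (private endpoint)"
  else
    echo "WARN $fqdn -> $ip is public; link zone $(expected_zone "$fqdn") to the VNet"
  fi
  if timeout 3 bash -c "exec 3<>/dev/tcp/$ip/$port" 2>/dev/null; then
    echo "OK   tcp/$port reachable on $ip"
  else
    echo "FAIL tcp/$port to $ip timed out"; return 1
  fi
}

main() {
  local acct="${1:-STORAGE_ACCOUNT_PLACEHOLDER}"   # placeholder, pass the real name
  check_endpoint "$acct.blob.core.windows.net" 443  # blob endpoint (the one that worked)
  check_endpoint "$acct.file.core.windows.net" 445  # file share the Function App mounts
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `bash check.sh <storageaccount>` from the SHIR host; a public IP for the file endpoint alongside a private one for blob is exactly the missing-link symptom the update describes.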