Allow connecting a function app to a VNET gateway. While this is possible via the Azure portal, it seems it's not yet possible via the azurerm provider. Our use-case is that we've some services that are accessible only from within a VNET, but our function apps need to be able to talk to them.
https://stackoverflow.com/questions/45040020/connect-azure-function-app-to-vnet
Hi @tombuildsstuff , Is there a timeline when this can be implemented for azurerm_function_app resource?
FYI: `virtual_network_name` is listed under the `azurerm_function_app` resource; however, it does not work for me (no network is attached to the function app). I am using a Function App in an App Service Plan on Linux.
@davemurphysf I'm seeing the same behavior on my end. Terraform seems to happily create my function and the VNet/dedicated subnet but it doesn't attach the Function to it. No errors or anything in the output.
> virtual_network_name

I don't see any reference to this attribute in the docs or code.
It seems to have disappeared in the last few releases. I was making reference to it in 1.44.0 code, and once I upgraded to 2.8.0 the reference was no longer valid.
I'm tempted to pick this up over the weekend, let's see how that goes :)
/assign
When I looked into this, I saw two separate options for VNet integration:
For the first option I checked if it was currently possible to configure Regional VNet Integration for Function Apps with `azurerm_app_service_virtual_network_swift_connection`, and it seems to work fine. Is this option known and does it work as expected? It seems the best option when working in the same region and is also the (only) option implemented for normal App Services at the moment.
Or should we implement the Gateway-required VNet Integration for both Functions and App Services?
Configuration that worked for me regarding the Regional VNet Integration:

```hcl
provider "azurerm" {
  version                   = "=2.8.0"
  skip_provider_registration = true
  features {}
  subscription_id = "********************************************"
  tenant_id       = "********************************************"
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "west europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "accexamplevnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The subnet must be delegated to Microsoft.Web/serverFarms for regional VNet integration.
resource "azurerm_subnet" "example" {
  name                 = "accexamplesubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.1.0/24"

  delegation {
    name = "accexampledelegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_plan" "example" {
  name                = "accexampleasp"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_storage_account" "example" {
  name                     = "functionsappexamplesa"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_function_app" "example" {
  name                       = "example-azure-function-aristosvo"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}

# Attaches the function app to the delegated subnet (regional VNet integration).
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_function_app.example.id
  subnet_id      = azurerm_subnet.example.id
}
```
@katbyte @tombuildsstuff Would renaming `azurerm_app_service_virtual_network_swift_connection` to `azurerm_app_service_regional_virtual_network_integration` make sense?

What about duplicating it to `azurerm_function_app_regional_virtual_network_integration` with some small changes:

```hcl
resource "azurerm_function_app_regional_virtual_network_integration" "example" {
  function_app_id = azurerm_function_app.example.id
  subnet_id       = azurerm_subnet.example.id
}
```
I tried to configure it as @aristosvo mentioned.

For a function_app I receive an error like this:

```text
Error: Error creating/updating App Service VNet association between "func-coronaapp-01-dev-request" (Resource Group "rg-cloud-enabling-dev-vorantrag") and Virtual Network "vnet-cloud-enabling-dev": web.AppsClient#CreateOrUpdateSwiftVirtualNetworkConnection: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=<nil> <nil>

  on main.tf line 86, in resource "azurerm_app_service_virtual_network_swift_connection" "vorantrag_req":
  86: resource "azurerm_app_service_virtual_network_swift_connection" "vorantrag_req" {
```

For deployment slots (either app service or function app) I don't receive any error message, but the VNet integration is not set up.

Is this a bug or a known limitation?
@MaxiPalle the documentation on this isn't easy to find and I'm not in front of it now, but there is a hard limit of one VNet integration per app service plan. If you want to create multiple VNet integrations for different functions and app services, each one will need its own app service plan.
I ran into this a few months ago and you'll get the same error in the portal, which doesn't tell you why it's happening whatsoever. Hopefully this helps!
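Following the per-plan limit described in the comment above, here is an added example (not from the thread or the provider's docs) that gives each function app its own delegated subnet, App Service Plan and swift connection via `for_each`. It assumes the `example` resource group, VNet and storage account from the earlier configuration; the map keys and prefixes are constructed sample values, and function app names must still be globally unique.

```hcl
# Added example: one delegated subnet, plan and swift connection per function app.
# Assumes azurerm_resource_group/virtual_network/storage_account "example" exist.
variable "functions" {
  type = map(string) # function app name => subnet prefix (constructed samples)
  default = {
    "func-a" = "10.0.1.0/24"
    "func-b" = "10.0.2.0/24"
  }
}
resource "azurerm_subnet" "func" {
  for_each             = var.functions
  name                 = "${each.key}-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = each.value
  delegation {
    name = "${each.key}-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}
# A dedicated plan per function app, since the integration is bound to the plan.
resource "azurerm_app_service_plan" "func" {
  for_each            = var.functions
  name                = "${each.key}-asp"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}
resource "azurerm_function_app" "func" {
  for_each                   = var.functions
  name                       = each.key
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.func[each.key].id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
}
resource "azurerm_app_service_virtual_network_swift_connection" "func" {
  for_each       = var.functions
  app_service_id = azurerm_function_app.func[each.key].id
  subnet_id      = azurerm_subnet.func[each.key].id
}
```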
Hi @rudolphjacksonm,

thanks for bringing this to my attention.

You're right: the limitations for some of the function apps originate from the chosen app service plan as per https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration.

So I have to redesign a few things now ....

BUT: what about slots? Haven't found any limitations for this, and creating the slots manually in the portal does work.

Cheers,
Jens
Just sat down this morning to put some FA's into a vNet and discovered this. From 2 years ago. Lol, I guess I'm screwed then
How are users working around this? Azure CLI or Powershell step commands after the Terraform?
@mcalnd70 Can you explain what you mean? Is regional VNet integration not working for you?
There is a PR for Gateway-required VNet integration (#7048) which is blocked by Microsoft due to the API.
@aristosvo Just a basic regional vNet integration. How do you get it to work with Function Apps?
@aristosvo I've just used your example, looks good, thank you! Lifesaver
@aristosvo Did you know that re-running the Terraform PLAN after that produces a nulling out of the entry `virtual_network_name` that does nothing? (The default is the name of my subnet in the vNet.)

```text
      ~ site_config {
            always_on                 = false
            ftps_state                = "AllAllowed"
            http2_enabled             = false
            ip_restriction            = []
            min_tls_version           = "1.2"
            use_32_bit_worker_process = false
          - virtual_network_name      = "16dfc123-4568-4g0a-c51-188887a8888_default" -> null
            websockets_enabled        = false
```

After running APPLY after this, as previously mentioned, the entry doesn't really do anything and the vNet integration remains in place.
@mcalnd70 No, I didn't! If you'd like to raise it as an issue, feel free.
@mcalnd70 there's about half a dozen different networking integrations for the App Service family (incl. Function Apps) - that particular integration has been superseded on Azure's side (but continues working for existing integrations) - so unfortunately that's a limitation of Azure rather than something specific to Terraform