Create and Deploy an Azure Function App
- Jonathan Bailey (Unlicensed)
- Alvaro (Unlicensed)
Create the Azure Function App
Azure Function Apps using the arcgis package must use Python 3.6.x. By default, function apps created using the Azure Portal use Python 3.7.x. To use Python 3.6.x, the function app must be created using either VS Code or the Azure CLI.
In Visual Studio Code, click View, then click Command Palette…
Click Azure Functions: Create Function App in Azure… (Advanced).
Click the name of the subscription in which to create the function app.
Type a name for the function app and press Enter.
Click Linux for the OS.
Click App Service Plan.
Click + Create new App Service plan.
Type a name for the new app sevice plan and press Enter.
Click a pricing tier for the app service plan.
Click Python 3.6.x for the runtime.
Click the name of the resource group in which to create the new function app. In general, this should be the same as the resource group hosting the eGIS instance virtual machines on which the functions will run.
Click + Create new storage account.
Type a name for the new storage account, and press Enter.
Click + Create new Application Insights resource.
Type a name for the new Application Insights resource, and press Enter.
Click Canada Central for the resource location.
The function app will be created in the background.
Configure the Function App
Once the function app is created, some settings need to be applied.
Allow Access to the eGIS Key Vault
The function app needs access to the key vault to retrieve secrets, such as passwords.
In the Azure Portal, click the menu, and click Function App.
Click the name of the function app that you created above.
Click the Platform Features tab.
Click Identity.
Click On, then click Save, the click Yes to create a system assigned identity for the function app.
Click the Copy to Clipboard button to copy the identity’s ID.
Click the menu, then click Key vaults.
Click the EgisKeyVault.
Click Access Policies.
Click Add Access Policy.
Click next to Select Principal.
Paste the function app identity’s ID into the Select text box.
Click the name of the function app’s identity and click Select.
In the Secrete permissions dropdown list, select Get and List.
Click Add.
Access Secrets from the Key Vault
Azure functions can access secrets from the key vault as environment variables. The function app must be configured to retrieve the values of the environment variables from the key vault.
In the EgisKeyVault blade, click Secrets.
Click the name of the secret to retrieve.
Click the current version of the secret.
Click Copy to clipboard next to the Secret Identifier.
From the Azure menu, click Function App.
Click the name of the function app.
Click Configuration.
Under Application Settings, click New application setting.
In the Name text box, type the name of the environment variable to which the secret will be assigned.
In the Value text box, enter @Microsoft.KeyVault(SecretUri=<secret identifier>), where <secret identifier> is the identifier copied from the key vault above.
Click OK.
Click Save.
Repeat the above steps to add additional key vault secrets, as necessary.
WEBSITE_RUN_FROM_PACKAGE
Still on the function app’s configuration page, add an application setting named WEBSITE_RUN_FROM_PACKAGE with a value of 1.
Always On
Click the General settings tab.
Click Always on, and click Save.
Join the eGIS VNet
In case the VNET is in place for the resource group, the Azure Functions should be able to reach the VMs without any problem.
In case the VNET is not in place, the IP address that will execute the Azure Functions App needs to be whitelisted in the Firewall of the servers that need to be reached by the Azure Function App. To get the list of IPs address that the Azure Functions will be using, do this:
Go to the Azure Function details and click on Platform features
2. Go to Properties
3. The IP addresses listed in the field Additional Outbound IP addresses are all the possible ones to be used and should be added to the firewall whitelist