Kontext
Console

Debug - Azure Functions Flex Consumption Plan - Attach File Share via SMB

Raymond Tang Raymond Tang 1 0.05 index 7/9/2025

Context

When creating Python or other language based Azure Functions App in a virtual network, you may encounter errors when trying to mount a Azure blob file share to the function app. There can be multiple reasons the integration can fail.

Common root causes

The following are some of the common errors that can use the integration to fail:

  • Storage account doesn't exist
  • File share with the name provided doesn't exist
  • The access key provided is not correct
  • The managed identity has no access to the storage account (if key is not used).
  • The storage account network rules blocks access from the subnet where the function app is hosted.
  • The subnet has no rules configured to allow HTTP/HTTPS outbound to the storage account if the integration is for blob container.

If none of the above is the root cause, and if you are integrating file share, it might be caused by the following issue.

SMB network security group rule

For my case, I neglected that SMB is the protocol I used for the file share while the network security group rules attached to the subnet where the function app is hosted doesn't allow outbound for SMB.

Verify the status of the file share integration

We can verify whether the file share mount is successful using Azure CLI:

az webapp config storage-account list --resource-group resource-group-name -n function-app-name

Sample output:

[
  {
    "name": "shareddata",
    "slotSetting": true,
    "value": {
      "accessKey": "+***==",
      "accountName": "***",
      "mountPath": "/mnt/***",
      "protocol": "Smb",
      "shareName": "***-shared-data",
      "state": "NotValidated",
      "type": "AzureFiles"
    }
  }
]

The output shows the share is not validated yet.

The fix

Add the outbound rule to allow SMB:

      {
        name: 'AllowAzureFilesSMB'
        properties: {
          priority: 235
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '445'
          sourceAddressPrefix: '*'
          destinationAddressPrefix: 'Storage.AustraliaEast'
        }
      }

After adding the above rule for SMB protocol, it works like a charm.

NFS protocol

If you use NFS instead SMB, please make sure the NFS port is whitelisted, for example, NFSv4.1 protocol runs on port 2049.

References

https://learn.microsoft.com/en-us/azure/azure-functions/scripts/functions-cli-mount-files-storage-linux

azure function-apps networks nsg storage
Join the Discussion

View or add your thoughts below

Comments