0

I’m trying to deploy an Azure Function App (running on the Flex Consumption Plan) with an HTTP trigger. The function app is configured with: • VNet integration for outbound traffic • Private endpoint for inbound access

Our environment requires all outbound traffic to go through a corporate internet proxy (Bluecoat).

When I try to deploy my code using either: func azure functionapp publish <app_name> or ax functionapp deployment source config-zip ...

The deployment fails, and the Azure portal shows an error stating that the Function App cannot access the Oryx endpoint, which is required for builds. How can I configure my Azure Function App (Flex Consumption Plan) to route outbound internet traffic through our corporate proxy so it can access the Oryx build service and other necessary endpoints? Is there a supported way to set environment variables like HTTP_PROXY or HTTPS_PROXY, or use VNet features to achieve this? I tried to configure the But it didn't work

Improve this question
2
  • Try deploying from a machine outside the proxy or make sure your Bluecoat proxy allows access to Oryx and related URLs and that outbound traffic is correctly routed through your VNet/NAT. Commented Jun 4 at 4:16
  • Enable Route All on your Function App’s VNet so all outbound traffic routes through your network, and configure a UDR to send 0.0.0.0/0 traffic to your Bluecoat proxy with NSG allowing it. Setting HTTP_PROXY or HTTPS_PROXY won’t work because the build process doesn’t use those environment variables. Commented Jun 9 at 12:23

1 Answer 1

Reset to default
1

Under the Flex Consumption plan, the Oryx build process always runs inside Microsoft’s infrastructure and will not respect any HTTP_PROXY or HTTPS_PROXY settings you place in your Function App. Here we need to check every outbound request from the build container travels through the virtual network and then through the Bluecoat proxy before it reaches the public endpoints Oryx needs, such as mcr.microsoft.com, nuget.org or github.com.

  • Because you already have VNet integration enabled, the Function App’s outbound traffic is automatically sent into the designated subnet. To capture that traffic, create a user-defined route on the same subnet where VNet integration is configured.
az network route-table create \
  --name rt-to-proxy \
  --resource-group MyResourceGroup \
  --location eastus

az network route-table route create \
  --resource-group MyResourceGroup \
  --route-table-name rt-to-proxy \
  --name default-route \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.0.1.4

az network vnet subnet update \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet \
  --name MySubnet \
  --route-table rt-to-proxy

Once this route is associated with the subnet, any attempt by Oryx to fetch packages or images will flow into your VNet, be picked up by the route table, and be forwarded to your Bluecoat proxy appliance, which then sends it out to the internet. Make sure your Network Security Group allows the Function subnet to connect to the proxy over HTTPS (and HTTP if needed) and configure the Bluecoat appliance to permit outbound calls to the specific domains used by Oryx.

After you’ve applied these networking changes, simply redeploy the Function App with the usual publish command.

func azure functionapp publish <app_name>

The Oryx build will now fetch all its required artifacts through your corporate proxy without any further configuration in the Function App itself.

  • If it’s impractical to open the proxy to every possible Oryx endpoint, you can bypass the in-Azure build step entirely by preparing your deployment package ahead of time. Build and package your app locally (or in a CI/CD agent) and then publish with:
func azure functionapp publish <app_name> --no-build

Alternatively, containerize the function.

docker build -t myfunctions:latest .
docker tag myfunctions:latest <yourACR>.azurecr.io/myfunctions:latest
docker push <yourACR>.azurecr.io/myfunctions:latest

Then configure the Function App to use that image from Azure Container Registry. Both approaches routing through your proxy or using a prebuilt package ensure that your corporate compliance requirements are met while keeping your deployment process smooth and reliable.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.