Function app is not able to access the key vault

urmila purohit 0 Reputation points
2025-10-15T10:00:32.6933333+00:00

Hi team,
I am trying to access the key vault from the function app but am getting the error below. Due to this, the function app is not able to connect to the Azure database:

Microsoft.Azure.WebJobs.Script.ExternalStartupException : Error configuring services in an external startup class. ---> System.AggregateException : Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (An attempt was made to access a socket in a way forbidden by its access permissions. (prod-ai-keyvault.vault.azure.net:443)) (An attempt was made to access a socket in a way forbidden by its access permissions. (abc-keyvault.vault.azure.net:443)) (An attempt was made to access a socket in a way forbidden by its access permissions. (abc-keyvault.vault.azure.net:443)) (An attempt was made to access a socket in a way forbidden by its access permissions. (abc-keyvault.vault.azure.net:443)) ---> An attempt was made to access a socket in a way forbidden by its access permissions. (abc-keyvault.vault.azure.net:443) ---> An attempt was made to access a socket in a way forbidden by its access permissions. (abc-keyvault.vault.azure.net:443) ---> An attempt was made to access a socket in a way forbidden by its access permissions.

Please let me know if you have any idea regarding the above issue.
Thanks

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

2 answers

  1. Alex Burlachenko 18,310 Reputation points Volunteer Moderator
    2025-10-15T10:57:41.9533333+00:00

    urmila purohit hi,

    your function app is trying to reach the key vault over the public internet, but something is blocking the outbound connection on port 443.

    this is almost always caused by the network restrictions on either your function app or your key vault.

    check the key vault's network settings. go to your key vault in the azure portal, then go to 'networking'. if 'public access' is set to 'disabled' or if it is set to 'selected networks', your function app's outbound ip address needs to be on the allow list. you can find your function app's outbound ip addresses in its 'properties' blade. you need to add all of them to the key vault's firewall allow list.

    if your function app is running on an app service plan, you can also consider giving it a dedicated outbound ip by adding a virtual network integration.

    another possibility is that your function app itself has outbound restrictions. if it is running in an app service environment or has vnet integration, there might be network security groups or route tables that are blocking traffic to the key vault's public endpoint.

    the best long term solution is to use a private endpoint for your key vault. this creates a private ip address for the key vault inside your virtual network. then, if your function app is also integrated with the same vnet, the communication happens entirely over the private network, bypassing the public firewall altogether. the microsoft docs explain this setup well: https://free.blessedness.top/en-us/azure/key-vault/general/private-link-service

    check the key vault's firewall to make sure it allows your function app's outbound ip addresses. if you are in a locked down environment, set up a private endpoint for secure, reliable access.

    regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please accept my answer.
    

    https://ctrlaltdel.blog/
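
The allow-list comparison described in the answer above, as an added example that is not part of the original thread: it reports which function app outbound IPs a Key Vault firewall would reject. The input shapes are assumed to mirror the app's `possibleOutboundIpAddresses` string and the vault's `properties` object as returned by `az functionapp show` and `az keyvault show`; all addresses are constructed documentation-range samples.

```python
import ipaddress

def keyvault_firewall_gaps(possible_outbound_ips, vault_properties):
    """Return (mode, missing): the vault firewall mode and the outbound IPs it rejects."""
    ips = [ipaddress.ip_address(s.strip())
           for s in possible_outbound_ips.split(",") if s.strip()]
    # Public access disabled: no public IP is admitted, only private endpoints.
    if vault_properties.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "public-disabled", [str(ip) for ip in ips]
    acls = vault_properties.get("networkAcls") or {}
    # "Allow public access from all networks": the firewall filters nothing.
    if acls.get("defaultAction", "Allow") == "Allow":
        return "allow-all", []
    # "Selected networks": every outbound IP must fall inside some ipRule.
    allowed = [ipaddress.ip_network(rule["value"], strict=False)
               for rule in acls.get("ipRules", [])]
    missing = [str(ip) for ip in ips if not any(ip in net for net in allowed)]
    return "selected-networks", missing

# Constructed sample: comma-separated outbound IPs of a function app.
APP_OUTBOUND = "203.0.113.10,203.0.113.11,198.51.100.7, 192.0.2.44"

# Constructed sample: vault restricted to selected networks.
VAULT_SELECTED = {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
        "bypass": "AzureServices",
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.0/28"}, {"value": "198.51.100.7/32"}],
        "virtualNetworkRules": [],
    },
}

# Constructed sample: vault open to all networks.
VAULT_OPEN = {"publicNetworkAccess": "Enabled",
              "networkAcls": {"defaultAction": "Allow", "ipRules": []}}

if __name__ == "__main__":
    for name, vault in (("selected", VAULT_SELECTED), ("open", VAULT_OPEN)):
        mode, missing = keyvault_firewall_gaps(APP_OUTBOUND, vault)
        print(f"{name}: mode={mode} missing={missing or 'none'}")
```

An empty `missing` list means the vault's IP firewall is not what blocks the app, so the cause lies on the app's outbound side or elsewhere.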


  2. urmila purohit 0 Reputation points
    2025-10-15T12:59:25.93+00:00

    Hi @Alex Burlan,
    Currently, in the network configuration of the key vault, "Allow public access from all networks" is enabled. Also, the function app is using the Consumption plan, so the function app is not under any VNet. So basically, the function app is also public, but I am still facing the above error on the Azure console. However, internally the function app is able to access the key vault, but on the Azure function app portal I can see the error.
