Deployment Guide
This guide covers deploying the IPAM Function App to Azure.
Prerequisites
- Azure subscription with appropriate permissions
- Azure CLI or PowerShell Az modules installed
- Function App created (or use Azure Developer CLI azd)
- Storage Account for Table Storage
- Application Insights resource (optional but recommended)
Deployment Steps
1. Create Azure Resources
Function App
Create a Function App with PowerShell 7.4 isolated worker model:
```powershell
# Create resource group
az group create --name rg-ipam-prod --location westus2

# Create storage account
az storage account create `
    --name stipamprod `
    --resource-group rg-ipam-prod `
    --location westus2 `
    --sku Standard_LRS

# Create Function App (Consumption plan)
az functionapp create `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --storage-account stipamprod `
    --consumption-plan-location westus2 `
    --runtime powershell `
    --runtime-version 7.4 `
    --functions-version 4 `
    --os-type Windows
```
Note: For production, use Function Premium Plan (P1v4) to support VNET Integration for private storage access:
```powershell
az functionapp plan create `
    --name plan-ipam-prod `
    --resource-group rg-ipam-prod `
    --location westus2 `
    --sku P1V2

az functionapp create `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --plan plan-ipam-prod `
    --storage-account stipamprod `
    --runtime powershell `
    --runtime-version 7.4 `
    --functions-version 4 `
    --os-type Windows
```
Application Insights (Optional)
```powershell
az monitor app-insights component create `
    --app appi-ipam-prod `
    --location westus2 `
    --resource-group rg-ipam-prod
```
2. Configure Managed Identity
Enable system-assigned managed identity:
3. Assign Permissions
Storage Account Permissions
```powershell
$functionAppIdentity = (Get-AzFunctionApp -ResourceGroupName rg-ipam-prod -Name func-ipam-prod).Identity.PrincipalId
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName rg-ipam-prod -Name stipamprod).Id

New-AzRoleAssignment `
    -ObjectId $functionAppIdentity `
    -RoleDefinitionName 'Storage Table Data Contributor' `
    -Scope $storageAccountId
```
Resource Graph Permissions
The managed identity needs query access to subscriptions defined in SUPERNETS_CONFIG. This is typically handled at the subscription level or via Resource Graph permissions.
A sample Azure Resource Graph query script is provided in query-arg.ps1 to demonstrate querying VNets across those subscriptions.
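Steps 2 and 3 as one script: enable the system-assigned identity, create the storage role assignment only if it is missing, then list every role the identity holds so its reach can be reviewed. This is an added example, not the project's own code; it assumes the resource names used in this guide and a signed-in Azure CLI and Az PowerShell session.

```powershell
# Added example: enable the identity (step 2), grant the table role (step 3), then verify.
$rg      = 'rg-ipam-prod'
$app     = 'func-ipam-prod'
$storage = 'stipamprod'
$role    = 'Storage Table Data Contributor'

# Step 2: enable the system-assigned managed identity and capture its principal ID.
$principalId = az functionapp identity assign `
    --name $app `
    --resource-group $rg `
    --query principalId `
    --output tsv
if (-not $principalId) { throw "Managed identity was not enabled on $app" }

# Step 3: create the assignment only when it does not already exist at this scope.
$scope = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Id
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
    -RoleDefinitionName $role -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
}

# Verify: list every role the identity holds. Expect the table role on the storage
# account plus whatever grants query access to the SUPERNETS_CONFIG subscriptions.
Get-AzRoleAssignment -ObjectId $principalId |
    Sort-Object Scope |
    Select-Object RoleDefinitionName, Scope
```

The same listing is the first thing to check for the "Permission Errors" and "ARG Query Failures" entries under Troubleshooting.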
4. Configure Application Settings
Set all required app settings (see docs/Configuration.md for complete list):
```powershell
# Storage connection
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=stipamprod;..."

# Manager timer schedule
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings MANAGER_TIMER_SCHEDULE="0 */15 * * * *"

# CIDR configuration
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings CIDR_SIZE_MIN=20 CIDR_SIZE_MAX=26 CIDR_SIZE_DEFAULT=22

# Lease duration
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings LEASE_DURATION_HOURS=24

# Supernet configuration (JSON string)
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings SUPERNETS_CONFIG='[{"SubscriptionId":"...","Scopes":[...]}]'

# Manifest configuration (JSON string)
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings SCOPE_CONFIG_MANIFEST='{"default":[...]}'

# Application Insights (if created)
az functionapp config appsettings set `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --settings APPLICATIONINSIGHTS_CONNECTION_STRING="InstrumentationKey=..."
```
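A local pre-flight check for the settings above, so a malformed JSON string or an inconsistent CIDR range is caught before it reaches the Function App. This is an added example, not part of the project: Test-IpamSettings is a hypothetical helper, the sample values are constructed, and it assumes the CIDR_SIZE_* values are IPv4 prefix lengths and that only the SubscriptionId, Scopes and default keys shown in this guide are required.

```powershell
# Added example: check IPAM app settings locally before pushing them with az.
function Test-IpamSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $errors = [System.Collections.Generic.List[string]]::new()

    # Assumption: the CIDR_SIZE_* values are IPv4 prefix lengths (0-32).
    $min = [int]$Settings.CIDR_SIZE_MIN
    $max = [int]$Settings.CIDR_SIZE_MAX
    $def = [int]$Settings.CIDR_SIZE_DEFAULT
    if ($min -lt 0 -or $max -gt 32 -or $min -gt $max) { $errors.Add("CIDR_SIZE_MIN/MAX invalid: $min..$max") }
    if ($def -lt $min -or $def -gt $max) { $errors.Add("CIDR_SIZE_DEFAULT $def is outside $min..$max") }
    if ([int]$Settings.LEASE_DURATION_HOURS -le 0) { $errors.Add('LEASE_DURATION_HOURS must be positive') }

    # Azure Functions timer triggers use six-field NCRONTAB expressions (seconds first).
    if (@(([string]$Settings.MANAGER_TIMER_SCHEDULE).Trim() -split '\s+').Count -ne 6) {
        $errors.Add('MANAGER_TIMER_SCHEDULE must have six fields')
    }

    try {
        $supernets = @($Settings.SUPERNETS_CONFIG | ConvertFrom-Json -ErrorAction Stop)
        if ($supernets.Count -eq 0) { $errors.Add('SUPERNETS_CONFIG contains no entries') }
        foreach ($entry in $supernets) {
            $guid = [guid]::Empty
            if (-not [guid]::TryParse([string]$entry.SubscriptionId, [ref]$guid)) {
                $errors.Add("SUPERNETS_CONFIG: '$($entry.SubscriptionId)' is not a GUID")
            }
            if ($null -eq $entry.Scopes -or @($entry.Scopes).Count -eq 0) { $errors.Add('SUPERNETS_CONFIG: entry has no Scopes') }
        }
    } catch { $errors.Add("SUPERNETS_CONFIG is not valid JSON: $($_.Exception.Message)") }

    try {
        $manifest = $Settings.SCOPE_CONFIG_MANIFEST | ConvertFrom-Json -ErrorAction Stop
        if (-not $manifest.PSObject.Properties['default']) { $errors.Add('SCOPE_CONFIG_MANIFEST has no "default" key') }
    } catch { $errors.Add("SCOPE_CONFIG_MANIFEST is not valid JSON: $($_.Exception.Message)") }

    return ,$errors.ToArray()
}

# Constructed sample values; the subscription ID and scope names are placeholders.
$sample = @{
    CIDR_SIZE_MIN = '20'; CIDR_SIZE_MAX = '26'; CIDR_SIZE_DEFAULT = '22'
    LEASE_DURATION_HOURS   = '24'
    MANAGER_TIMER_SCHEDULE = '0 */15 * * * *'
    SUPERNETS_CONFIG       = '[{"SubscriptionId":"00000000-0000-0000-0000-000000000000","Scopes":["example-scope"]}]'
    SCOPE_CONFIG_MANIFEST  = '{"default":["example-scope"]}'
}
$problems = Test-IpamSettings -Settings $sample
if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Fix settings before deploying' }
```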
5. Deploy Function Code
Using Azure Functions Core Tools
Using Azure CLI
```powershell
az functionapp deployment source config-zip `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --src ./deployment.zip
```
6. Create Table Storage Table
The networkCidr table will be created automatically on first use, or create it manually:
```powershell
$storageContext = (Get-AzStorageAccount -ResourceGroupName rg-ipam-prod -Name stipamprod).Context
New-AzStorageTable -Name networkCidr -Context $storageContext
```
7. Verify Deployment
Test Vendor Function
```powershell
$body = @{
    SessionId = 'test-deployment-123'
    CidrSize  = 22
} | ConvertTo-Json

Invoke-RestMethod `
    -Uri 'https://func-ipam-prod.azurewebsites.net/api/getNewNetwork' `
    -Method Post `
    -Body $body `
    -ContentType 'application/json'
```
Test Manager Function
Manually trigger the Manager function or wait for the timer schedule:
```powershell
az functionapp function show `
    --name func-ipam-prod `
    --resource-group rg-ipam-prod `
    --function-name Manager
```
Post-Deployment
Monitoring
- Application Insights: Monitor function execution, errors, and performance
- Storage Metrics: Monitor Table Storage operations and capacity
- Function Metrics: Monitor function invocations, duration, and errors
Validation
- Verify Manager function runs on schedule and updates Table Storage
- Verify Vendor function allocates networks correctly
- Check Application Insights for errors or warnings
- Verify Table Storage contains expected gaps after Manager Sync
Troubleshooting
- Function Not Starting: Verify modules are baked into the deployment package (modules are not managed via requirements.psd1)
- Permission Errors: Verify managed identity has correct role assignments
- Table Storage Errors: Verify the connection string and that the table exists
- ARG Query Failures: Verify managed identity has subscription access
Production Considerations
- VNET Integration: Use Function Premium Plan for private storage access
- Scaling: Configure auto-scaling based on load
- Backup: Consider backup strategy for Table Storage data
- Disaster Recovery: Plan for regional failover if needed
- Monitoring: Set up alerts for function failures and performance degradation
Rollback
To roll back to a previous deployment:
Use deployment slots for zero-downtime deployments and easy rollback.