Unable to add SCM access restriction on Flex Consumption SKU via Azure CLI #31414
Description
Describe the bug
The Azure CLI command az functionapp config access-restriction add fails when executed against an Azure Function App deployed using the Flex Consumption SKU. This appears to be a bug or unsupported scenario in the CLI, as the same command succeeds without issue on Consumption SKU Function Apps. Execution fails with error
Operation returned an invalid status 'Bad Request'
Related command
az functionapp config access-restriction add --resource-group $RG_NAME -n $FA_FLEX --rule-name $RULE_NAME --action Allow --ip-address 192.168.0.0/27 --priority 250 --scm-site true
Errors
Operation returned an invalid status 'Bad Request'
Issue script & Debug output
Content: {"Code":"BadRequest","Message":"The following list of 5 site configuration properties (Site.SiteConfig.FtpsState, Site.SiteConfig.Use32BitWorkerProcess, Site.SiteConfig.PreWarmedInstanceCount, Site.SiteConfig.NetFrameworkVersion, Site.SiteConfig.FunctionsRuntimeScaleMonitoringEnabled) for Flex Consumption sites is invalid. Please remove or rename them before retrying.","Target":null,"Details":[{"Message":"The following list of 5 site configuration properties (Site.SiteConfig.FtpsState, Site.SiteConfig.Use32BitWorkerProcess, Site.SiteConfig.PreWarmedInstanceCount, Site.SiteConfig.NetFrameworkVersion, Site.SiteConfig.FunctionsRuntimeScaleMonitoringEnabled) for Flex Consumption sites is invalid. Please remove or rename them before retrying."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51021","MessageTemplate":"{0} is invalid. {1}","Parameters":["The following list of 5 site configuration properties (Site.SiteConfig.FtpsState, Site.SiteConfig.Use32BitWorkerProcess, Site.SiteConfig.PreWarmedInstanceCount, Site.SiteConfig.NetFrameworkVersion, Site.SiteConfig.FunctionsRuntimeScaleMonitoringEnabled) for Flex Consumption sites","Please remove or rename them before retrying."],"Code":"BadRequest","Message":"The following list of 5 site configuration properties (Site.SiteConfig.FtpsState, Site.SiteConfig.Use32BitWorkerProcess, Site.SiteConfig.PreWarmedInstanceCount, Site.SiteConfig.NetFrameworkVersion, Site.SiteConfig.FunctionsRuntimeScaleMonitoringEnabled) for Flex Consumption sites is invalid. Please remove or rename them before retrying."}}],"Innererror":null}
Expected behavior
I expect the access-restriction to be created and the rule summary output as follows:
[
{
"action": "Allow",
"description": null,
"headers": null,
"ipAddress": "192.168.0.0/27",
"name": "testingRule",
"priority": 250,
"subnetMask": null,
"subnetTrafficTag": null,
"tag": "Default",
"vnetSubnetResourceId": null,
"vnetTrafficTag": null
},
{
"action": "Deny",
"description": "Deny all access",
"headers": null,
"ipAddress": "Any",
"name": "Deny all",
"priority": 2147483647,
"subnetMask": null,
"subnetTrafficTag": null,
"tag": null,
"vnetSubnetResourceId": null,
"vnetTrafficTag": null
}
]
Environment Summary
azure-cli 2.72.0
core 2.72.0
telemetry 1.1.0
Extensions:
application-insights 1.2.2
bastion 1.3.1
logic 1.1.0
ml 2.36.1
quota 1.0.0
Dependencies:
msal 1.32.3
azure-mgmt-resource 23.1.1
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\user.azure'
Extensions directory 'C:\Users\user.azure\cliextensions'
Python (Windows) 3.12.8 (tags/v3.12.8:2dc476b, Dec 3 2024, 19:30:04) [MSC v.1942 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
Full Reproduction with Consumption App & Flex App side-by-side. Run on PowerShell prompt
$RG_NAME = "functionAppTest"
$SA_NAME = "functionapptestsa123"
$FA_FLEX = "testingAZCLIFlex"
$FA_NAME = "testingAZCLIConsumption"
$RULE_NAME = "testingRule"
az group create --name $RG_NAME --location "westus"
az storage account create --resource-group $RG_NAME --name $SA_NAME --sku Standard_LRS --output none
az functionapp create --resource-group $RG_NAME -n $FA_FLEX --storage-account $SA_NAME --flexconsumption-location "westus" --runtime python --runtime-version "3.11" --output none
az functionapp create --resource-group $RG_NAME -n $FA_NAME --storage-account $SA_NAME --consumption-plan-location westus --runtime python --runtime-version "3.11" --os-type Linux --output none
az functionapp config access-restriction add --resource-group $RG_NAME -n $FA_NAME --rule-name $RULE_NAME --action Allow --ip-address 192.168.0.0/27 --priority 250 --scm-site true
az functionapp config access-restriction add --resource-group $RG_NAME -n $FA_FLEX --rule-name $RULE_NAME --action Allow --ip-address 192.168.0.0/27 --priority 250 --scm-site true
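Because the failing command is typically one step in a longer deployment script, and PowerShell does not stop on a non-zero exit code from a native command by default, the following added example (not part of the original issue or of Azure CLI) checks both the exit code and the resulting SCM rule list, and stops if the restriction is not in place. The function name `Test-ScmRulePresent` is hypothetical, and the key names read from the `show` output (`scmIpSecurityRestrictions`, `scmIpSecurityRestrictionsUseMain`) are assumptions about that command's JSON; the variable values reuse the ones from the reproduction above.

```powershell
# Added example: fail closed when the SCM access restriction was not applied.
$RG_NAME   = "functionAppTest"
$FA_FLEX   = "testingAZCLIFlex"
$RULE_NAME = "testingRule"

function Test-ScmRulePresent {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string] $RuleName
    )

    # Read back the current rules instead of trusting the 'add' call.
    $json = az functionapp config access-restriction show `
        --resource-group $ResourceGroup --name $AppName --output json
    if ($LASTEXITCODE -ne 0) {
        throw "Could not read access restrictions for $AppName"
    }
    $cfg = $json | Out-String | ConvertFrom-Json

    # Assumed key names: the SCM rule list and the flag that makes the SCM
    # site use the main-site rules instead of its own list.
    $inScmList = [bool]($cfg.scmIpSecurityRestrictions |
        Where-Object { $_.name -eq $RuleName })

    # If the SCM site inherits the main-site rules, an SCM-only rule is not
    # the one being enforced, so report it as not present.
    return $inScmList -and -not $cfg.scmIpSecurityRestrictionsUseMain
}

az functionapp config access-restriction add --resource-group $RG_NAME -n $FA_FLEX `
    --rule-name $RULE_NAME --action Allow --ip-address 192.168.0.0/27 `
    --priority 250 --scm-site true
$addExit = $LASTEXITCODE   # capture before any other native command runs

$present = Test-ScmRulePresent -ResourceGroup $RG_NAME -AppName $FA_FLEX -RuleName $RULE_NAME
if ($addExit -ne 0 -or -not $present) {
    throw "SCM rule '$RULE_NAME' is not in place on $FA_FLEX (az exit code $addExit)"
}
Write-Output "SCM rule '$RULE_NAME' verified on $FA_FLEX"
```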