Function app won't reply to requests from Azure while CORS is configured to allow AzureCloud service tag

Jeremie Delassus - Admin 0 Reputation points
2025-08-20T03:29:11.7966667+00:00

We need help configuring the app to make sure that API calls from our Dynamics instance are properly answered by the app.

The CORS configuration allows that and this should work:

User's image

User's image

At this point a Hello World test is failing too:

Error: {"message":"Failed to fetch","stack":"TypeError: Failed to fetch\n    at https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:24202\n    at https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:24423\n    at ot (https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:6961)\n/n")    at https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:10700\n    at Array.forEach (<anonymous>)\n    at https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:10688\n    at Object.ot (https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:177:6961)\n/n")    at b (https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:60:2039)\n/n")    at v (https://portal.azure.com/Content/Dynamic/b0-EKHUBy_1l.js:60:1870)","isError":true}%22,%22isError%22:true%7D"https://portal.azure.com/content/dynamic/b0-ekhuby_1l.js:60:1870)%22,%22iserror%22:true%7d")

We can reach the app on its private endpoint IP address in our VNET. The message confirms that the app is up and running (see attachment)

User's image

Note that we have added the FQDN to our internal DNS to resolve the private IP of the endpoint. The VNET DNS config is also pointed at our internal DNS servers.

Azure App Configuration
Azure App Configuration
An Azure service that provides hosted, universal storage for Azure app configurations.
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Michele Ariis 4,505 Reputation points MVP
    2025-08-20T06:18:29.6566667+00:00

    Hi, CORS isn’t your problem, reachability is: your Function App is reachable only via its Private Endpoint (you even override DNS to the private IP), so calls from Dynamics/your browser/Azure Portal hit the public hostname and are blocked before CORS runs; the AzureCloud service tag in Access Restrictions applies only to the public endpoint and is both too broad and useless if “Public network access” is disabled; moreover the Portal “Hello world” test runs from your client’s IP, which your rules deny, hence “Failed to fetch.” Pick a supported ingress: best is put Azure Front Door Standard/Premium (or API Management in VNet) in front, connect it to the Function via Private Link, then in Access Restrictions allow only Front Door (use the AzureFrontDoor.Backend service tag and/or the X-Azure-FDID header filter) and keep Deny all; keep your private DNS for internal callers and set CORS to your Dynamics origin(s). If you refuse an edge service, you must enable Public network access and explicitly allow the caller’s IPs (hard to maintain for Dynamics) and accept that the app is public; either way, your current “AzureCloud allow + private endpoint” combo can’t make Dynamics work. For troubleshooting: temporarily allow your client public IP to test from the Portal, or test from a VM inside the VNet (curl to the FQDN resolving private); verify the Public network access setting, rule order, and that only one path (Front Door/APIM or public) is open; once the network path is correct, CORS will apply and the API will answer.

    0 comments No comments

  2. Pashikanti Kumar 5 Reputation points Microsoft External Staff Moderator
    2025-08-20T06:55:28.4933333+00:00

    Hi Jeremie Delassus - Admin,

    Thank you for posting your question in the Microsoft Q&A forum

    I support Michele answer,

    I understand that your Hello World test is currently failing

    Step-by-Step Solution

    Azure Portal → Function App → Networking → Access Restrictions

    Add rules above the default deny

    User's image I recommend configuring the app as described above to resolve the issues

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.