VNet configuration during Deployment

Overview

The Turbo360 private instance now supports an optional VNet configuration as part of the deployment process. When enabled, all function apps, SQL, and Storage resources are placed inside a private virtual network. Public network access to SQL and Storage is disabled automatically as the final step, after all post-deployment verifications are complete.

Enabling VNet configuration

VNet configuration is available on the Resource details step of the deployment wizard. It works with both Connection string and Managed identity authentication modes.

1. Open the Turbo360 Installer and proceed to the Resource details step.
2. Under Authentication, select Connection string or Managed identity.
3. Check the Include VNet configuration checkbox.

Once the checkbox is selected, the VNet fields are auto-filled with default values. Provide the Resource Group, Region, and Virtual Network name — or click Use existing to select a pre-provisioned VNet. The Address Space (CIDR), Integration Subnet, and Private Endpoint Subnet fields are populated automatically.

Scroll down to provide resource names for each component — Web App, Processor, Document generator, Chart generator, SQL Server, SQL database, and Storage account — across their respective resource groups and regions.

4. Click Start deployment.

Troubleshooting Cost Import Issues on VNet-Enabled Instances

On instances deployed with VNet configuration, if the Cost Analyzer module is configured with Azure SQL Database , cost imports for subscriptions may fail with the following error:

This occurs because the storage account is now restricted to the VNet, and the SQL Database credentials no longer have access to it via OPENROWSET BULK. The resolution is to switch the SQL server to use its Managed Identity to access the storage account.

Navigate to Cost Analyzer → Cost imports to check the health status of your subscriptions. A Failed status on any subscription confirms the issue.

Resolution

The following steps apply regardless of whether the instance was deployed using Connection string or Managed identity authentication.

Enable the SQL server's managed identity

1. In the Azure Portal, search for and open your SQL server (search "SQL server", not "SQL database").
2. Go to Security → Identity.
3. Set System assigned → Status to On, then click Save

Allow the SQL server through the storage firewall

1. Open the Storage account → Security + networking → Networking.
2. On the Public access tab, click Manage next to the public network access status.

3. In the Public network access panel, set Public network access to Enable.
4. Under Public network access scope, select Enable from selected networks.

6. Scroll down to the Resource instances section, and set:
   — Resource type: Microsoft.Sql/servers
   — Instance name: your SQL server
7. Click Save.

Grant the SQL identity read access on storage

1. Go to Storage account → Access Control (IAM).
2. Click + Add → Add role assignment.
3. Select the role Storage Blob Data Reader, then click Next.

5. Under Members, set Assign access to = Managed identity, then click + Select members.
6. Choose SQL server as the managed identity type and select your SQL server instance.
7. Click Review + assign twice to confirm.

Verify

Once all steps are complete, navigate to Cost Analyzer → Cost imports and manually trigger the import by clicking the run button next to the subscription, or wait for the next orchestrator run. The import should complete successfully.