Tags: azure-devops, azure-web-app-service, azure-api-management, azure-private-link, azure-dns

Web API inaccessible from APIM when both services have Private Link enabled


I'm currently tasked with setting up a secure, non-public connection between APIM and a Web API, and I've opted to use Private Endpoints for both services. The problem is that when Private Link is enabled on both, APIM can no longer connect to the Web API.

I've searched for similar questions online, but none of them seem to have Private Link enabled on APIM. Here's what I've done so far:

Microsoft automatically created a private DNS zone for it. After this setup, the Web App is not accessible to the public, as expected.

The issue arises when I try to connect to the API through the APIM gateway, as it returns a 403 error, saying that the App has blocked my access. When I do an NSLOOKUP from within the VM, both APIM and the Web App are resolving to the same subnet, which is expected as both private links use the same subnet.

I believe for some reason APIM still tries to resolve the API to the public IP address even though the Private DNS zone in the Web App and Private Link has A records to sort that out!

I tried putting the private links on different subnets, but still no luck. And if I go to the Networking section of the Web App and enable public access, everything works like a charm, but that's not what we want. We need this to be accessible via VNET only, and then later we'll add a VPN so people can access the APIs through APIM only when connected through the VPN.

FYI, if I choose a Virtual Network type of External or Internal on APIM, everything works fine. But we're supposed to use Private Link for both the Web App and APIM: no exposure to the internet!


Solution

  • In case anyone else encounters the same issue! It turned out Private Endpoints in APIM don't support outbound traffic, hence APIM couldn't communicate with any Web App that has Private Endpoints enabled! To achieve a fully internal and private solution, APIM needs to be provisioned in Internal Mode.
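The layout the answer describes, as an added Bicep example that is not part of the original post: the Web App keeps its Private Endpoint and private DNS zone group, while APIM is deployed in Internal VNet mode instead of with a Private Endpoint, so its outbound calls to the backend leave through the VNet and resolve via the private DNS zone. Resource names, the publisher values and the subnet, zone and App Service plan IDs are placeholders.

```bicep
param location string = resourceGroup().location
param apimSubnetId string       // subnet dedicated to APIM (Internal mode), placeholder
param peSubnetId string         // subnet hosting the Web App private endpoint, placeholder
param privateDnsZoneId string   // existing privatelink.azurewebsites.net zone linked to the VNet
param serverFarmId string       // existing App Service plan, placeholder
// Web App: public access off, so only the private endpoint can reach it
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-backend-example'
  location: location
  properties: {
    serverFarmId: serverFarmId
    publicNetworkAccess: 'Disabled'
  }
}
// Private Endpoint for the Web App (groupId 'sites')
resource webAppPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-app-backend-example'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'app-backend-connection'
        properties: { privateLinkServiceId: webApp.id, groupIds: [ 'sites' ] }
      }
    ]
  }
}
// A record in privatelink.azurewebsites.net so the hostname resolves to the private IP inside the VNet
resource webAppPeDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: webAppPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'sites', properties: { privateDnsZoneId: privateDnsZoneId } } ]
  }
}
// APIM in Internal mode: no private endpoint; the gateway gets a private IP in apimSubnetId
// and its outbound calls to the backend resolve through the VNet's DNS (private DNS zone)
resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: 'apim-internal-example'
  location: location
  sku: { name: 'Developer', capacity: 1 }
  properties: {
    publisherEmail: 'admin@example.com'
    publisherName: 'Example'
    virtualNetworkType: 'Internal'
    virtualNetworkConfiguration: { subnetResourceId: apimSubnetId }
  }
}
```

In Internal mode the gateway hostname is not publicly resolvable, so clients on the VNet (or the VPN mentioned in the question) need a DNS record pointing at the private IP Azure reports for the APIM instance.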