API Management 502 error

Question

API Management 502 error

Danilo Kasparian 26

I am getting 502 Bad Gateway errors when testing any API call from my APIM

Here my configuration:

1 - APIM is configured with a Custom Domain with a certificate in the keyvault. Default SSL and negotiate client is enabled
2 - APIM is in a SubNet
3 - There is a Private DNS zone binded with the VNET containing the APIM SubNet
4 - There is no NSG
5 - My API is inside the same VNET in another SubNet
6 - My API works if I call directly from the browser

I tried to run Echo API and I had the same 502 error, the trace doesn't work and there is nothing in the diagnostic showing a possible problem.

What can be missing? Could you help me?

I tried the documents in the ms portal 502 troubleshooting but it didn't work

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-15T15:41:28.96+00:00

@Danilo Kasparian Thank you for reaching out to Microsoft Q&A. Can you confirm how APIM is deployed? Internal or External mode? I understand the direct call to backend API works from browser. I want to check if there is application gateway (or Front door) in front of APIM since diagnostics didn't show any error and possible that call couldn't reach APIM.

If it is in external mode, please validate if any route table for APIM subnet exists (Force tunnel traffic to on-premises firewall using ExpressRoute or network virtual appliance). Otherwise, let me know.
Danilo Kasparian 26 Reputation points

2022-09-15T20:25:54.75+00:00

It's solved by restarting the API Gateway

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
"Application Gateway must be restarted after any modification to the backend server DNS entries to begin to use the new IP addresses. This operation can be completed via Azure PowerShell or Azure CLI."

The part I did't understand is that calling the test request from the APIM it wasn't working, in my understanding the API Gateway is called before calling the APIM, do you have an explanation?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-15T21:01:56.44+00:00

@Danilo Kasparian That's great and glad that your issue was resolved.

When you deploy APIM in internal VNET mode, it is not accessible outside VNET (including management endpoints, API gateway, portal etc.). Based on your statement above, you have integrated APIM with Application Gateway and that means you are exposing APIM endpoints through App Gateway. So, all requests including the test request to APIM go through App Gateway (not API Gateway which is part of APIM) and your understanding is correct.

App Gateway probes the backend health status (APIM in this case) based on the interval configured and if it couldn't retrieve the health status, then it would respond back with 502 errors (Problems with default health probe) So, I guess the test request you made reached Application Gateway which returned 502 Gateway errors and never reached APIM. The APIM didn't return errors and hence you didn't find it in Diagnostics for the issue.

Sorry if term "Gateway" was confusing. I hope this answers your question and feel free to add if you have any questions.
Danilo Kasparian 26 Reputation points

2022-09-16T00:32:58.78+00:00

Sorry if I misunderstood, but when I said the test, I meant the test feature existing in the APIM, this test goes like APIM -> API Gateway -> APIM -> API ?
Or it just that when we have the API gateway integrated with an APIM they are acting together so we can say like API Gateway/APIM -> API
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-16T01:25:10.497+00:00

No problem at all. For Test option in the azure portal, here is the flow: Browser -> Application Gateway -> APIM -> Backend Internal API (for your scenario).

[Note: the test request is initiated from browser (nothing but another client like POSTMAN to send request to APIM instances), and you can open developer tools to review network or capture network monitoring tools like Fiddler or Wireshark]

Here is the architecture diagram when you integrate Application Gateway with APIM:

You as a customer initiates the request via browser and it goes to Application Gateway and forwarded to APIM and then to Internal API.

Also, I would like to clarify two terms:
API Gateway is a part of APIM - service component which is responsible for handling proxy requests, apply policies etc.
Azure Application Gateway is a PaaS service that acts as a load balancer for external customers (outside VNET).

I think you are referring Application Gateway or App Gateway as API gateway in the previous statement.

It's solved by restarting the API Gateway

I hope this clarifies and let me know if additional questions on this.

Accepted answer

0 additional answers

Your answer

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-15T15:41:28.96+00:00

@Danilo Kasparian Thank you for reaching out to Microsoft Q&A. Can you confirm how APIM is deployed? Internal or External mode? I understand the direct call to backend API works from browser. I want to check if there is application gateway (or Front door) in front of APIM since diagnostics didn't show any error and possible that call couldn't reach APIM.

If it is in external mode, please validate if any route table for APIM subnet exists (Force tunnel traffic to on-premises firewall using ExpressRoute or network virtual appliance). Otherwise, let me know.
Danilo Kasparian 26 Reputation points

2022-09-15T20:25:54.75+00:00

It's solved by restarting the API Gateway

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
"Application Gateway must be restarted after any modification to the backend server DNS entries to begin to use the new IP addresses. This operation can be completed via Azure PowerShell or Azure CLI."

The part I did't understand is that calling the test request from the APIM it wasn't working, in my understanding the API Gateway is called before calling the APIM, do you have an explanation?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-15T21:01:56.44+00:00

@Danilo Kasparian That's great and glad that your issue was resolved.

When you deploy APIM in internal VNET mode, it is not accessible outside VNET (including management endpoints, API gateway, portal etc.). Based on your statement above, you have integrated APIM with Application Gateway and that means you are exposing APIM endpoints through App Gateway. So, all requests including the test request to APIM go through App Gateway (not API Gateway which is part of APIM) and your understanding is correct.

App Gateway probes the backend health status (APIM in this case) based on the interval configured and if it couldn't retrieve the health status, then it would respond back with 502 errors (Problems with default health probe) So, I guess the test request you made reached Application Gateway which returned 502 Gateway errors and never reached APIM. The APIM didn't return errors and hence you didn't find it in Diagnostics for the issue.

Sorry if term "Gateway" was confusing. I hope this answers your question and feel free to add if you have any questions.
Danilo Kasparian 26 Reputation points

2022-09-16T00:32:58.78+00:00

Sorry if I misunderstood, but when I said the test, I meant the test feature existing in the APIM, this test goes like APIM -> API Gateway -> APIM -> API ?
Or it just that when we have the API gateway integrated with an APIM they are acting together so we can say like API Gateway/APIM -> API
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2022-09-16T01:25:10.497+00:00

No problem at all. For Test option in the azure portal, here is the flow: Browser -> Application Gateway -> APIM -> Backend Internal API (for your scenario).

[Note: the test request is initiated from browser (nothing but another client like POSTMAN to send request to APIM instances), and you can open developer tools to review network or capture network monitoring tools like Fiddler or Wireshark]

Here is the architecture diagram when you integrate Application Gateway with APIM:

You as a customer initiates the request via browser and it goes to Application Gateway and forwarded to APIM and then to Internal API.

Also, I would like to clarify two terms:
API Gateway is a part of APIM - service component which is responsible for handling proxy requests, apply policies etc.
Azure Application Gateway is a PaaS service that acts as a load balancer for external customers (outside VNET).

I think you are referring Application Gateway or App Gateway as API gateway in the previous statement.

It's solved by restarting the API Gateway

I hope this clarifies and let me know if additional questions on this.

Answer 1

Update for the community:
APIM is deployed in VNET - Internal mode and integrated with Application Gateway as per docs: Integrate API Management in an internal virtual network with Application Gateway. The direct call to backend API works from browser but when testing it from the azure portal using Test option, it returned 502 error.

@Danilo Kasparian restarted Application Gateway after following docs: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting and it resolved the issue.

Application Gateway must be restarted after any modification to the backend server DNS entries to begin to use the new IP addresses. This operation can be completed via Azure PowerShell or Azure CLI.

Share via

API Management 502 error

0 additional answers

Your answer