app service in vnet isolation with logic app api connector, connectionRuntimeUrl resolution issue of azure-apihub.net

DavidPerry-1112 11 Reputation points
2022-10-03T03:49:47.733+00:00

Hi There folks,

I have an app service in vnet isolation with a logic app using a connector.  Connector uses the connectionRuntimeUrl that points to xxx.azure-apihub.net.

azure-apihub.net is not able to be resolved by the default Azure dns of the vnet 168.63.129.16.

Testing confirms that adding a private DNS zone for the FQDN resolves the issue. (This cannot be the permanent fix as it's dynamic.)

Surely Azure dns should be able to resolve an azure service.


3 answers

  1. Priya Kumar 1,096 Reputation points Microsoft Employee
    2022-10-03T04:53:42.393+00:00

    @DavidPerry-1112
    Hello David,

    Thanks for reaching out to Q&A platform.

    Regarding your query, if the issue is getting resolved by creating the “private zone”, I doubt you are trying to access the service using the Internal Access point.

    Please reconfirm the configuration:

    1. Was the connector in Logic App ISE?
    2. What do you see in the access endpoint?
    3. Internal: Private endpoints permit calls to logic apps in your ISE where you can view and access inputs and outputs from logic apps' runs history only from inside your virtual network.
    4. External: Public endpoints permit calls to logic apps in your ISE where you can view and access inputs and outputs from logic apps' runs history from outside your virtual network. If you use network security groups (NSGs), make sure they're set up with inbound rules to allow access to the run history's inputs and outputs. For more information, see Enable access for ISE.
      If using Private Endpoint, you need Private DNS zone to resolve the FQDN to a private IP address.
      https://learn.microsoft.com/en-us/azure/logic-apps/connect-virtual-network-vnet-isolated-environment-overview#ise-endpoint-access

    Regards,
    Priya Kumar


  2. JananiRamesh-MSFT 29,201 Reputation points
    2022-10-10T15:05:02.693+00:00

    Hi @DavidPerry-1112, thanks for getting back. This seems like a configuration issue, and it needs further investigation. I would suggest you open a support ticket, as our support engineers have the best tools to assist you further. Do you already have a support plan, or can I create a one-time free support ticket to resolve the issue?


  3. DavidPerry-1112 11 Reputation points
    2022-11-04T03:40:46.907+00:00

    So as it turns out, there is a problem with these three requirements not mixing:

    1. a vnet isolated environment and an internal APIM
    2. a private dns zone for azure-api.net - to reference the internal IPs of the APIM
    3. an application service environment with logic apps, using private IP

    As soon as you try to reference the api connector triggerurl d118d2ad282ff3c.19.common.logic-australiaeast.azure-apihub.net you will be confronted with an issue where resolution is broken:

    d118d2ad282ff3c.19.common.logic-australiaeast.azure-apihub.net
    -> logic-apim-australiaeast.azure-api.net
    -> logic-apim-australiaeast-australiaeast-01.regional.azure-api.net
    -> apimgmttmnkcvu5sw9azhytvjpq8viho6jteyueksirsv2wxmu.trafficmanager.net
    -> api6d75822aa4b4r6455b81094232d7745bb9goyuia18dlbolslx1ffc3.australiaeast.cloudapp.azure.com


    You see the middle of the resolution is CNAMEs that use the azure-api.net zone.

    At this stage the fix would be to remove the logicapp triggerurl from the extra azure-api.net CNAMES.
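
The failure described in the answer above, as an added example that is not part of the original thread: a small model of split-horizon resolution that walks the quoted CNAME chain and reports the hop at which a VNet-linked private zone shadows the public record. It assumes the private zone answers authoritatively for its whole suffix; the private record `contoso-internal.azure-api.net` and its address are constructed sample values.

```python
# Added example: models split-horizon DNS to show where a CNAME chain breaks.
# Assumption: a private DNS zone linked to the VNet answers authoritatively for
# every name under its suffix, so a name missing from the zone is NXDOMAIN.

START = "d118d2ad282ff3c.19.common.logic-australiaeast.azure-apihub.net"

# Public CNAME chain as quoted in the thread.
PUBLIC_CNAMES = {
    START: "logic-apim-australiaeast.azure-api.net",
    "logic-apim-australiaeast.azure-api.net":
        "logic-apim-australiaeast-australiaeast-01.regional.azure-api.net",
    "logic-apim-australiaeast-australiaeast-01.regional.azure-api.net":
        "apimgmttmnkcvu5sw9azhytvjpq8viho6jteyueksirsv2wxmu.trafficmanager.net",
    "apimgmttmnkcvu5sw9azhytvjpq8viho6jteyueksirsv2wxmu.trafficmanager.net":
        "api6d75822aa4b4r6455b81094232d7745bb9goyuia18dlbolslx1ffc3"
        ".australiaeast.cloudapp.azure.com",
}

# Constructed sample: the private zone holds only the internal APIM record.
PRIVATE_ZONES = {"azure-api.net": {"contoso-internal.azure-api.net": "10.0.1.4"}}


def owning_zone(name, zones):
    """Return the longest private zone suffix covering name, or None."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve(name, private_zones, public_cnames, max_hops=10):
    """Walk the chain as a VNet client would; return (status, hops)."""
    hops = []
    for _ in range(max_hops):
        hops.append(name)
        zone = owning_zone(name, private_zones)
        if zone is not None:
            # The private zone wins: public records for this name are never seen.
            records = private_zones[zone]
            if name not in records:
                return ("NXDOMAIN in private zone " + zone, hops)
            return ("resolved privately to " + records[name], hops)
        if name not in public_cnames:
            return ("resolved publicly", hops)
        name = public_cnames[name]
    return ("too many hops", hops)


if __name__ == "__main__":
    for zones in (PRIVATE_ZONES, {}):
        status, hops = resolve(START, zones, PUBLIC_CNAMES)
        print(len(hops), "hops:", status, "at", hops[-1])
```

With the private zone linked, the walk stops at the second hop; with no private zone, the same chain resolves through all five names.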
