Not able to set up Azure private endpoint as backend for Azure API Management service

akash warkhade 26 Reputation points
2022-10-24T12:26:11.737+00:00

Hi all,

I have integrated a private endpoint connected to a private link service.
The private link service is created by an Azure standard load balancer, which in turn is created by a Kubernetes LoadBalancer service using the annotations below.

annotations:
  service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  service.beta.kubernetes.io/azure-pls-create: "true"
  service.beta.kubernetes.io/azure-pls-name: myPLS
  service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
  service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
  service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
  service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
  service.beta.kubernetes.io/azure-pls-visibility: "*"
  # does not apply here because we will use Front Door later
  service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"

I am getting the expected response, i.e. the response from the Kubernetes service, from the private endpoint IP within the virtual network, which confirms that the private link and private endpoint integration is working fine.

We now want to integrate the above private endpoint with the Azure API Management service,
so we tried adding the private endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

{ "statusCode": 500, "message": "Internal server error", "activityId": "76261291-7121-4814-b0e4-66b52284d76c" }

I also tried the API Management service Troubleshoot & analysis page for the exact error; it's showing the error below:

BackendConnectionFailure
An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80
Please help me understand what I am doing wrong in this implementation.

Our requirement is to have a Kubernetes private load balancer and integrate it with the Azure API Management service, which would be publicly accessible,
so users can access the API only through the API Management service, and only the API Management service should be able to access the load balancer service.

Thanks in advance
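As an added example, not part of the original post: the annotations above set azure-pls-visibility to "*", so any Azure subscription can request a connection to myPLS, and azure-pls-auto-approval approves the listed subscription without review, which matters for the requirement that only API Management reaches the load balancer. The script below audits the approved and pending connections on the Private Link Service against an allowlist of subscriptions. It assumes the JSON shape of the PLS resource as returned by `az network private-link-service show` (privateEndpointConnections with privateEndpoint.id and privateLinkServiceConnectionState.status); the sample JSON, connection names and subscription IDs are constructed.

```python
import json
import re

# Constructed sample in the shape of the PLS resource JSON (assumed shape:
# privateEndpointConnections[].privateEndpoint.id and
# privateEndpointConnections[].privateLinkServiceConnectionState.status).
SAMPLE_PLS_JSON = json.dumps({
    "name": "myPLS",
    "privateEndpointConnections": [
        {"name": "apim-pe-conn",
         "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-apim/providers/Microsoft.Network/privateEndpoints/apim-pe"},
         "privateLinkServiceConnectionState": {"status": "Approved"}},
        {"name": "unknown-pe-conn",
         "privateEndpoint": {"id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-other/providers/Microsoft.Network/privateEndpoints/someone-else"},
         "privateLinkServiceConnectionState": {"status": "Approved"}},
        {"name": "pending-conn",
         "privateEndpoint": {"id": "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-x/providers/Microsoft.Network/privateEndpoints/pending-pe"},
         "privateLinkServiceConnectionState": {"status": "Pending"}},
    ],
})

# ARM resource ids start with /subscriptions/<guid>/ ; capture the guid.
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})/")


def subscription_of(resource_id: str) -> str:
    """Return the (lower-cased) subscription GUID embedded in an ARM resource id."""
    m = _SUB_RE.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource id: {resource_id!r}")
    return m.group(1).lower()


def audit_pls_connections(pls_json: str, allowed_subscriptions):
    """Flag Approved connections from subscriptions outside the allowlist,
    and list Pending requests that still need a decision."""
    allowed = {s.lower() for s in allowed_subscriptions}
    pls = json.loads(pls_json)
    report = {"unexpected_approved": [], "pending": []}
    for conn in pls.get("privateEndpointConnections", []):
        status = conn["privateLinkServiceConnectionState"]["status"]
        sub = subscription_of(conn["privateEndpoint"]["id"])
        if status == "Approved" and sub not in allowed:
            report["unexpected_approved"].append(conn["name"])
        elif status == "Pending":
            report["pending"].append(conn["name"])
    return report


if __name__ == "__main__":
    # Only the (constructed) subscription hosting API Management is expected.
    print(audit_pls_connections(SAMPLE_PLS_JSON, ["11111111-1111-1111-1111-111111111111"]))
```

Anything listed under unexpected_approved is a consumer of the load balancer that the requirement does not allow and should be rejected on the PLS.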


Accepted answer
  1. MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator
    2022-10-24T19:01:26.953+00:00

    @akash warkhade Thank you for reaching out to Microsoft Q&A. Based on your statement, you have set up API Management in non-VNET mode and, when integrating with the private endpoint (Kubernetes service) as backend for APIM, faced the above error. Please clarify if my understanding is incorrect.

    Assuming the above statement is true, this is expected, since private endpoint (preview) only supports incoming traffic to the API Management instance and, unfortunately, outbound traffic is not possible at the moment. Our product team is currently working on this feature and there is no ETA as of now. Please refer to the thread for a similar discussion and follow https://aka.ms/apimupdates for the latest updates on the feature.

    Alternatively, consider VNET integration for now for hosting the backend in the VNET. If you would like to share feedback directly with our product team, feel free to submit a request via the Azure Feedback page. I hope this answers your question; feel free to add a comment if you have any other questions. We would be happy to assist you.

    Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community.


3 additional answers

  1. a.morvillier 6 Reputation points MVP
    2022-10-25T08:26:16.687+00:00

    Hello @akash warkhade

    It seems to be possible to connect your AFD Premium SKU to an ILB according to the official documentation: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-internal-load-balancer

    Are you able to reach your ILB/service if you deploy a VM in the same subnet, just to be sure that there is no issue with the backend part (ILB/Service/AKS Cluster)?


  2. JimmySalian-2011 42,511 Reputation points
    2022-10-24T15:53:58.413+00:00

    Hi,

    Seems like a network issue with regards to ports not allowed or open to connect through. Did you use Network Watcher to check the logs for any drops?

    Also check this

    [attached image: 253611-image.png]

    Hope this helps.
    JS

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. akash warkhade 26 Reputation points
    2022-10-25T07:57:35.46+00:00

    @MuthuKumaranMurugaachari-MSFT Thanks for the information, got it now.
    I also tried to integrate the private link service with the Azure Front Door service (premium), which is possible as per the Azure documentation.
    That also didn't work.
    The Front Door service was giving the error "Our services aren't available right now".
    Maybe it's not able to connect to the private link service.
    Can you please let me know what I might be doing wrong in this case?
