Azure Function app with private link is not working with API management service

Yash Mochi 41 Reputation points
2022-11-03T13:04:27.497+00:00

Dear Microsoft team,

I have added Private endpoint for Inbound traffic in my Azure Function app, which has automatically enabled Access restriction from Public network.
After it, from my VNet, I am able to call Azure functions without any restriction.

Now, I have created one API Management service.
Under networking section, I have configured private endpoint for accessing it in my private network with proper private DNS zone. (Virtual network setting is set to 'None').

I tried exposing my Azure Function HTTP triggers using API Management service.

When I try to access my Azure function HTTP trigger using API Management. It is throwing 403 (IP Forbidden) error.
If I disable Public access restriction from my Azure functions inbound traffic, it is giving me proper data.

It seems like, my APIM instance is not able to resolve private IP address of my Azure function app. Which any other service is able to resolve, like Virtual machine when I call Azure function directly from VM.

Seems like issue in my APIM configuration, please guide me.

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,930 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,605 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
486 questions
0 comments No comments
{count} votes

Accepted answer
  1. MuthuKumaranMurugaachari-MSFT 22,266 Reputation points
    2022-11-03T18:42:01.353+00:00

    @Yash Mochi Thank you for reaching out to Microsoft Q&A. Based on my understanding, you have deployed APIM with Vnet: None and a private endpoint connection set up and got 403 error when trying to access Azure Function HttpTrigger from APIM.

    Unfortunately, private endpoint (preview) only supports incoming traffic to API Management instance and outbound traffic is not possible at the moment (refer similar discussion). However, I think you are accessing public endpoint of Azure Functions from APIM and hence it works when you disable the access restriction in Azure Functions. You would need to add public IP addresses of APIM in Azure Functions access restrictions for it to allow (since connections from APIM are not private). Refer IP addresses of Azure API Management.

    Alternatively, you can deploy APIM in VNET and only allow subnets in access restriction feature for now. I hope this answers your question and feel free to add a comment if you have any other questions. We would be happy to assist you.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community.

    2 people found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful