Azure APIM to Event Grid via VNet Integration

Question

Azure APIM to Event Grid via VNet Integration

Syed Sajid Hussain 41

We have the following setup.

Azure APIM v2 Standard
Azure Event Grid Basic with Private endpoint only access enabled

This is what we have done so far:

Created a private endpoint for Event Grid and blocked public access to it
Enabled VNet Integration on our APIM v2 Standard instance, this uses the same VNet as the Event Grid but a separate dedicated Subnet
When we try to publish messages from APIM to Event Grid, it fails with the following error.

inputEventsCount=null, requestUri=https://**.eventgrid.azure.net/api/events, publisherInfo=publisherName=.EVENTGRID.AZURE.NET, category=User, inputSchema=EventGridEvent, armResourceId=*, filteringPolicy:DnsHost, emitAuditLogs=True, drBoundary=WithinGeopair, regionCategory=Primary, isPublishBlockedDueToDr=False, httpStatusCode=Forbidden, errorType=ClientIPRejected, errorMessage=Publishing to *.EVENTGRID.AZURE.NET by client 20.108.108.60 is rejected due to IpAddress filtering rules. For troubleshooting, visit https://aka.ms/egpublisherrorcode403.

If we enable the Public access on Event Grid, this works fine

Question is, are we missing anything that we need to do to make it to work with private endpoint? If not, is that a bug in v2 Standard APIM?

Please note that we are able to publish and get messages from Event Grid with private endpoint enabled to Logic App, which also uses VNet Integration, so the problem seems to be at the APIM end.

Regards

Syed

MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:34:23.4766667+00:00

Syed Sajid Hussain Thanks for posting your question in Microsoft Q&A. I assume you follow doc: Integrate with VNET for outbound requests in configurating VNET for APIM instance and enabled private endpoints for event grid.

Based on the error message and the description above, the subnet configured in APIM (starts with snet-dev*) is different than private endpoints configured in event grid and hence outbound IP from APIM is a public IP and gets denied by event grid. You need to configure Delegate the subnet same as event grid subnet for it to work (instead of dedicated). Please try making the changes and validate.

I hope this helps and let me know if you face any issues or any other questions.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:35:08.9566667+00:00

Syed Sajid Hussain thanks for the detailed error message and just to let you know, I removed subscriptions/resource id info from the post.
Syed Sajid Hussain 41 Reputation points

2023-12-21T22:47:01.4666667+00:00

Thanks for coming back on that, I have double checked and the Subnet used for APIM VNet integration is delegated to 'Microsoft.Web/serverFarms' but it doesn't work. or do you mean Subnets used Event Grid Private endpoint and APIM VNet integration should be the same?
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:51:25.6433333+00:00

Syed Sajid Hussain Sure. Yes, the subnet for event grid and APIM should be same.
Syed Sajid Hussain 41 Reputation points

2023-12-22T11:45:50.4633333+00:00

Tried to create a private endpoint for Event Grid in the same subnet as the APIM, gives this error. Don't think APIM VNet Integration Subnet can have Event Grid Private endpoint as former is delegated to Microsoft.Web/serverFarms
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T12:40:48.1966667+00:00

Syed Sajid Hussain Will review this and get back to you.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T15:03:53.5166667+00:00

Syed Sajid Hussain Please send an email to azcommunity@microsoft.com referencing this thread with subject as "Attn: Muthu". I will connect with you offline.
Syed Sajid Hussain 41 Reputation points

2023-12-22T15:19:55.8433333+00:00

Sure, email sent.
Syed Sajid Hussain 41 Reputation points

2023-12-22T15:25:35.39+00:00

Email bounced with this error.

The group mtmvp only accepts messages from people in its organization or on its allowed senders list, and your email address isn't on the list.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T17:38:57.4933333+00:00

took it offline.

Answer accepted by question author

0 additional answers

Your answer

MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:34:23.4766667+00:00

Syed Sajid Hussain Thanks for posting your question in Microsoft Q&A. I assume you follow doc: Integrate with VNET for outbound requests in configurating VNET for APIM instance and enabled private endpoints for event grid.

Based on the error message and the description above, the subnet configured in APIM (starts with snet-dev*) is different than private endpoints configured in event grid and hence outbound IP from APIM is a public IP and gets denied by event grid. You need to configure Delegate the subnet same as event grid subnet for it to work (instead of dedicated). Please try making the changes and validate.

I hope this helps and let me know if you face any issues or any other questions.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:35:08.9566667+00:00

Syed Sajid Hussain thanks for the detailed error message and just to let you know, I removed subscriptions/resource id info from the post.
Syed Sajid Hussain 41 Reputation points

2023-12-21T22:47:01.4666667+00:00

Thanks for coming back on that, I have double checked and the Subnet used for APIM VNet integration is delegated to 'Microsoft.Web/serverFarms' but it doesn't work. or do you mean Subnets used Event Grid Private endpoint and APIM VNet integration should be the same?
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-21T22:51:25.6433333+00:00

Syed Sajid Hussain Sure. Yes, the subnet for event grid and APIM should be same.
Syed Sajid Hussain 41 Reputation points

2023-12-22T11:45:50.4633333+00:00

Tried to create a private endpoint for Event Grid in the same subnet as the APIM, gives this error. Don't think APIM VNet Integration Subnet can have Event Grid Private endpoint as former is delegated to Microsoft.Web/serverFarms
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T12:40:48.1966667+00:00

Syed Sajid Hussain Will review this and get back to you.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T15:03:53.5166667+00:00

Syed Sajid Hussain Please send an email to azcommunity@microsoft.com referencing this thread with subject as "Attn: Muthu". I will connect with you offline.
Syed Sajid Hussain 41 Reputation points

2023-12-22T15:19:55.8433333+00:00

Sure, email sent.
Syed Sajid Hussain 41 Reputation points

2023-12-22T15:25:35.39+00:00

Email bounced with this error.

The group mtmvp only accepts messages from people in its organization or on its allowed senders list, and your email address isn't on the list.
MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator

2023-12-22T17:38:57.4933333+00:00

took it offline.

Answer 1

Update for the community:

Syed Sajid Hussain followed doc: Integrate with VNET for outbound requests in configurating VNET for APIM instance and enabled private endpoints for event grid as described in the doc. Performed nslookup from the VNET for the event grid point and it pointed to the private endpoint correctly but gateway logs from APIM showed public IP.

The configuration was not saved correctly in APIM, and we are investigating to find the cause of the issue.

Resolution:

Syed Sajid Hussain mitigated the issue by removing VNET/Subnet from the APIM and then added it back again. After that, it started working as expected.

Glad to hear that your issue was resolved and appreciate you sharing it with the community.

Share via

Azure APIM to Event Grid via VNet Integration

0 additional answers

Your answer