Can sp_invoke_external_rest_endpoint be used to call a private container app? e.g. One behind a private endpoint.

Aaron 30 Reputation points
2025-03-31T23:43:13.06+00:00

I'm able to use sp_invoke_external_rest_endpoint to call a public-facing container app, but I'm unable to connect to a private container app.

I am getting the following error.

Msg 31608, Level 16, State 24, Procedure sys.sp_invoke_external_rest_endpoint_internal, Line 1 An error occurred, failed to communicate with the external rest endpoint. HRESULT: 0x80072efd.

I believe our environment is set up with everything required and I'm able to curl the container app from a VM within the same VNET using the container apps ingress.

  • Single VNET with 2 subnets - one for container app environment & one for private endpoints.
  • NSGs on both subnets with default rules. e.g. Allow all inbound & outbound.
  • Private DNS zone for privatelink.australiaeast.azurecontainerapps.io with appropriate A record for Container App Environment.
    • The VNET is linked to/associated with the Private DNS Zone.

It's the same question as https://github.com/Azure-Samples/azure-sql-db-openai/issues/7

Azure SQL Database
Azure Container Apps

Accepted answer
  1. Amira Bedhiafi 31,391 Reputation points
    2025-04-01T20:42:37.5133333+00:00

    You're running into a limitation of sp_invoke_external_rest_endpoint in Azure SQL Database: it cannot access private endpoints, including private Azure Container Apps, even if the SQL Database is in the same VNet through private link.

    sp_invoke_external_rest_endpoint uses Azure SQL managed identity and network stack to invoke HTTP(S) endpoints — but Azure SQL Database does not reside inside your VNet. Even if it's accessible from your VNet via Private Link, outbound requests from Azure SQL go over public Azure infrastructure, not through your private network.

    So even if:

    • Your Container App is accessible via private endpoint.
    • You’ve set up VNet integration, DNS, NSGs, etc.
    • You can curl from VMs in the VNet.

    ...sp_invoke_external_rest_endpoint won’t reach it, because Azure SQL cannot route to private IPs or private DNS zones from its backend.

    If you need Azure SQL to call a private service, use a Public IP for the Container App with Authentication, or I recommend:

    • an Azure Function / Logic App as a public proxy
    • an ADF or Synapse pipeline instead
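
The public-proxy option from the accepted answer, sketched as an added example that is not part of the original answer: the proxy's function key lives in a database scoped credential instead of the query text, and a connection failure such as Msg 31608 is caught separately from an HTTP error. Every `<...>` value and the payload shape are placeholders for a hypothetical proxy function.

```sql
-- Added example (T-SQL, Azure SQL Database). All <...> values are placeholders.
-- Prerequisite: the database has a master key, required for scoped credentials.

-- 1. Keep the function key out of query text and logs. The credential name
--    must be the URL (or a parent path of the URL) that it will be used with.
CREATE DATABASE SCOPED CREDENTIAL [https://<function-app>.azurewebsites.net/api/<proxy-function>]
WITH IDENTITY = 'HTTPEndpointHeaders',
     SECRET   = '{"x-functions-key":"<function-key>"}';
GO

-- 2. Least privilege: only this principal may call out and use the credential.
GRANT EXECUTE ANY EXTERNAL ENDPOINT TO [<app_user>];
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[https://<function-app>.azurewebsites.net/api/<proxy-function>]
    TO [<app_user>];
GO

-- 3. Call the public proxy, which forwards to the private container app
--    from inside the VNet. The payload contract is an assumption.
DECLARE @ret int, @response nvarchar(max);

BEGIN TRY
    EXEC @ret = sys.sp_invoke_external_rest_endpoint
         @url        = N'https://<function-app>.azurewebsites.net/api/<proxy-function>',
         @method     = N'POST',
         @credential = [https://<function-app>.azurewebsites.net/api/<proxy-function>],
         @payload    = N'{"path":"/<private-app-route>"}',
         @timeout    = 30,
         @response   = @response OUTPUT;

    -- @ret is 0 for any 2xx status; otherwise it is the HTTP status code.
    SELECT @ret AS return_code,
           JSON_VALUE(@response, '$.response.status.http.code') AS http_status,
           JSON_QUERY(@response, '$.result')                    AS result_body;
END TRY
BEGIN CATCH
    -- Raised when no HTTPS exchange happened at all (unreachable host, DNS
    -- failure, disallowed domain), e.g. Msg 31608 from the question.
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
```

A non-zero `return_code` means the proxy answered with an HTTP error, while a row from the `CATCH` branch means the database never reached the endpoint, which is the case to investigate as a network or allow-list problem.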
