Help resolve error in Network Status during APIM External VNET Creation.

Question

Request for Support: Securing APIM → Function App Access via Private Network. Help resolve issue in Network rules during VNET Creation.

We are working on securing private network access for our integration with the following architecture:

Dynamics F&O (Power Platform) → APIM → Function App → Storage Account

Our goal is to enable private inbound access from APIM to the Function App.

To achieve this, we attempted to configure APIM in an External VNET, but we encountered the following network status error:

“Connection to management endpoint failed with WebException: ConnectFailure : Unable to connect to the remote server.”

So far, we have completed the following:

• Configured all inbound and outbound NSG rules on the subnet as documented.
• Enabled service endpoints for Storage, Event Hub, Key Vault, etc., as recommended in the documentation: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2#troubleshooting
• Additionally, we set up route table rules for the APIM subnet.

Despite these configurations, the management endpoint connectivity issue persists. ApiManagement Control Plane - inbound - Failed

Are there any additional configurations required? Could anyone assist with resolving this issue or point out any missing steps needed to secure APIM → Function App communication via private endpoints?

Answer 1

Hi @AJO JOY ,

Thanks for reaching out to Microsoft Q&A.

“Connection to management endpoint failed with WebException: ConnectFailure: Unable to connect to the remote server,”

The error often stems from misconfigured network settings.

Here are a few things you can check:

1. NSG Rules: Ensure that your Network Security Group (NSG) is allowing inbound traffic on port 3443 from the IP addresses encompassed by the ApiManagement service tag. This is crucial for the management traffic.
2. Service Endpoints: Make sure that service endpoints for necessary Azure services (Azure SQL, Azure Storage, Azure Event Hubs, and Azure Key Vault) are enabled on the APIM subnet at the time of deployment.
3. User-Defined Routes (UDRs): If you're using user-defined routes, verify that they are correctly set up to direct connectivity back to Azure by allowing the appropriate IP prefixes for the control plane traffic.
4. Forced Tunneling: If forced tunneling is configured, it may be blocking the management traffic's symmetric route. You should consider setting up UDRs for the inbound IPs with the next hop type set to Internet to bypass any on-premises firewalls.
5. Resource Provider Registration: Confirm that the Microsoft.Web resource provider is registered for your subscription. You can check this in the Azure Portal under your subscription settings.
6. Deployment Validation: It can also be beneficial to deploy a VM inside the APIM subnet and test connectivity to the respective Azure services (like Azure Storage, SQL DB, etc.) to ensure everything is functioning as expected.

You can check out the relevant documentation for further reading:

1. Common network configuration issues
2. Connect to a virtual network using Azure API Management
3. Troubleshooting API Management deployment
4. IP addresses of API Management service in VNet

Hope this helps!

---

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.