I'm unable to access private endpoint enabled storage account via APIM

Question

I'm unable to access private endpoint enabled storage account via APIM

Prakashchandra Pandey 0

Hi Team - I'm unable to access private endpoint enabled storage account via APIM.

Doing test it provides an error "HTTP/1.1 409 Public access is not permitted on this storage account."

It's true because we have disabled Public Enabled option as "Disabled".

APIM with Standard v2 tier and it is configured in Hub Vnet and Vnet integration is enabled.

Storage accounts is configured in spoke vnet and private endpoint is enabled. There is peering between Hub and Spoke vnet.

Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T09:06:48.37+00:00
Hello Prakashchandra Pandey,

To isolate the exact cause, we recommend:

Validate DNS resolution specifically from the APIM subnet path (using a temporary VM in the same subnet as APIM, if direct testing isn’t possible).

Confirm the private endpoint connection status is Approved in the storage account.

Review NSG and route table rules to ensure HTTPS (443) traffic from the APIM subnet to the private endpoint IP is allowed.

Capture a network trace or storage diagnostic log to verify whether the incoming request is identified as public or private traffic.
Prakashchandra Pandey 0 Reputation points

2026-02-19T09:31:11.3266667+00:00

Hello Praveen,

Regarding, first point how it's different validating DNS resolution from Bastion and other VM with APIM subnet as each subnet belongs to same virtual network?

Regarding point 2, PFA screenshot for your reference,

VNet-to-Vnet communication is allowed at any protocols.

Route Table is already configured.

Network trace from Bastion Host is PFA.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T09:52:34.14+00:00
Hello Prakashchandra Pandey,

Thanks for the details.

Private DNS is correctly configured

Hub–spoke peering is fine

Storage private endpoint itself is working

So, the issue is NOT DNS, NOT peering, NOT storage.

Use APIM Premium (classic) in internal VNet mode.

This gives:

True private outbound

Full private endpoint reachability

Enterprise hub-spoke support

Or

Use self-hosted gateway inside VNet

Advanced but works when Premium cost is an issue.
Prakashchandra Pandey 0 Reputation points

2026-02-19T10:04:36.2466667+00:00

Hi Praveen - Thanks for confirming that the issue is NOT DNS, NOT peering, NOT storage. Here is Internet incoming flow for reference.

Internet --> APIM --> API --> Storage account.

Appreciate if you can provide relevant Microsoft Documentation for option 1 and 2 given by you so accordingly, I can plan for either of solution deployment.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T10:22:26.8066667+00:00

Hello Prakashchandra Pandey,

Use APIM Premium (classic) in internal VNet mode:

Deploy your Azure API Management instance to a virtual network - internal mode

Use self-hosted gateway inside VNet

Self-hosted gateway overview

Provision a self-hosted gateway in Azure API Management
Prakashchandra Pandey 0 Reputation points

2026-02-19T10:28:46.91+00:00

Thanks Praveen,Before implementing your suggestion. I would like to know that with APIM Standard v2 our setup is not possible or have any limitation? If yes, please share me link or Microsoft documentation, because what we are implementing using APIM its basic requirement of any architecture.

So, I want any solid reason to implement your suggestion.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T11:02:32.3533333+00:00

Hello Prakashchandra Pandey,

This behavior is not a configuration issue but a service-tier networking limitation of APIM Standard v2. For scenarios where backend services are accessible only via private endpoints, Microsoft-aligned guidance is to use either:

APIM Premium (classic) in Internal VNet mode, or

Self-hosted gateway deployed within the private network.

These options ensure fully private, end-to-end connectivity and prevent the 409 public-access error.

Use a virtual network to secure inbound or outbound traffic for Azure API Management
Prakashchandra Pandey 0 Reputation points

2026-02-19T11:25:29.6233333+00:00

Hello Praveen, I've gone through MS document https://learn.microsoft.com/hi-in/azure/api-management/api-management-features where it clearly states that Standard v2 is supported for Private endpoint support for inbound connections.
Prakashchandra Pandey 0 Reputation points

2026-02-20T06:41:18.2766667+00:00

Hello Praveen - I'm waiting for your feedback on above query.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-20T07:53:02.0133333+00:00

Hello Prakashchandra Pandey,

The document you referenced for Azure API Management shows that Standard v2 supports Private Endpoint for inbound connections.

That statement is correct.

But there is an important distinction:

Private Endpoint (Inbound to APIM) -Supported

VNet Integration (Outbound) -Supported

Full Internal VNet Injection - Not supported

Guaranteed Private Endpoint backend reachability - Not guaranteed

The Core Limitation:

Standard v2 uses VNet integration for outbound traffic, not full VNet injection.

This means:

APIM still runs on shared infrastructure.

Outbound traffic is SNATed.

It is not fully inside your VNet.

Private endpoint resolution may work.

But backend service may still detect traffic as “public”.

That is exactly why your Storage Account returns:

HTTP/1.1 409 Public access is not permitted

The request reaches the storage service, but it is not recognized as coming from the private endpoint path.
Prakashchandra Pandey 0 Reputation points

2026-02-20T08:40:58.1966667+00:00

Hello Praveen - If I understood correctly from your above explaination that Standardv2 is not guaranteed that it will work as mentioned in https://learn.microsoft.com/hi-in/azure/api-management/virtual-network-concepts?utm_source=chatgpt.com#virtual-network-injection-premium-v2-tier

If yes, please write an email to me, so I can share it with my technical leadership team for further action. Thank you.
Prakashchandra Pandey 0 Reputation points

2026-02-20T08:41:57.9833333+00:00

Also, confirmed it will work without hassle once we deployed APIM with Premium V2 in our environment. Thank you once again.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-20T11:49:27.0133333+00:00

Hello Prakashchandra Pandey,

Yes, once we deploy Azure API Management in the Premium tier (VNet Injection / Internal mode), the current limitation will be resolved.

Unlike Standard v2, the Premium tier supports full virtual network injection. This means:

APIM is fully deployed inside our virtual network

Outbound traffic flows privately within the VNet

Backend services using Private Endpoints recognize traffic as private

The “HTTP/1.1 409 – Public access is not permitted” error will no longer occur

With Premium deployed in Internal mode, the architecture will support true end-to-end private connectivity without workaround dependencies.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-24T07:54:24.7933333+00:00

Hello Prakashchandra Pandey,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T09:06:48.37+00:00

Hello Prakashchandra Pandey,

To isolate the exact cause, we recommend:

Validate DNS resolution specifically from the APIM subnet path (using a temporary VM in the same subnet as APIM, if direct testing isn’t possible).

Confirm the private endpoint connection status is Approved in the storage account.

Review NSG and route table rules to ensure HTTPS (443) traffic from the APIM subnet to the private endpoint IP is allowed.

Capture a network trace or storage diagnostic log to verify whether the incoming request is identified as public or private traffic.
Prakashchandra Pandey 0 Reputation points

2026-02-19T09:31:11.3266667+00:00

Hello Praveen,

Regarding, first point how it's different validating DNS resolution from Bastion and other VM with APIM subnet as each subnet belongs to same virtual network?

Regarding point 2, PFA screenshot for your reference,

VNet-to-Vnet communication is allowed at any protocols.

Route Table is already configured.

Network trace from Bastion Host is PFA.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T09:52:34.14+00:00

Hello Prakashchandra Pandey,

Thanks for the details.

Private DNS is correctly configured

Hub–spoke peering is fine

Storage private endpoint itself is working

So, the issue is NOT DNS, NOT peering, NOT storage.

Use APIM Premium (classic) in internal VNet mode.

This gives:

True private outbound

Full private endpoint reachability

Enterprise hub-spoke support

Or

Use self-hosted gateway inside VNet

Advanced but works when Premium cost is an issue.
Prakashchandra Pandey 0 Reputation points

2026-02-19T10:04:36.2466667+00:00

Hi Praveen - Thanks for confirming that the issue is NOT DNS, NOT peering, NOT storage. Here is Internet incoming flow for reference.

Internet --> APIM --> API --> Storage account.

Appreciate if you can provide relevant Microsoft Documentation for option 1 and 2 given by you so accordingly, I can plan for either of solution deployment.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T10:22:26.8066667+00:00

Hello Prakashchandra Pandey,

Use APIM Premium (classic) in internal VNet mode:

Deploy your Azure API Management instance to a virtual network - internal mode

Use self-hosted gateway inside VNet

Self-hosted gateway overview

Provision a self-hosted gateway in Azure API Management
Prakashchandra Pandey 0 Reputation points

2026-02-19T10:28:46.91+00:00

Thanks Praveen,Before implementing your suggestion. I would like to know that with APIM Standard v2 our setup is not possible or have any limitation? If yes, please share me link or Microsoft documentation, because what we are implementing using APIM its basic requirement of any architecture.

So, I want any solid reason to implement your suggestion.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T11:02:32.3533333+00:00

Hello Prakashchandra Pandey,

This behavior is not a configuration issue but a service-tier networking limitation of APIM Standard v2. For scenarios where backend services are accessible only via private endpoints, Microsoft-aligned guidance is to use either:

APIM Premium (classic) in Internal VNet mode, or

Self-hosted gateway deployed within the private network.

These options ensure fully private, end-to-end connectivity and prevent the 409 public-access error.

Use a virtual network to secure inbound or outbound traffic for Azure API Management
Prakashchandra Pandey 0 Reputation points

2026-02-19T11:25:29.6233333+00:00

Hello Praveen, I've gone through MS document https://learn.microsoft.com/hi-in/azure/api-management/api-management-features where it clearly states that Standard v2 is supported for Private endpoint support for inbound connections.
Prakashchandra Pandey 0 Reputation points

2026-02-20T06:41:18.2766667+00:00

Hello Praveen - I'm waiting for your feedback on above query.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-20T07:53:02.0133333+00:00

Hello Prakashchandra Pandey,

The document you referenced for Azure API Management shows that Standard v2 supports Private Endpoint for inbound connections.

That statement is correct.

But there is an important distinction:

Private Endpoint (Inbound to APIM) -Supported

VNet Integration (Outbound) -Supported

Full Internal VNet Injection - Not supported

Guaranteed Private Endpoint backend reachability - Not guaranteed

The Core Limitation:

Standard v2 uses VNet integration for outbound traffic, not full VNet injection.

This means:

APIM still runs on shared infrastructure.

Outbound traffic is SNATed.

It is not fully inside your VNet.

Private endpoint resolution may work.

But backend service may still detect traffic as “public”.

That is exactly why your Storage Account returns:

HTTP/1.1 409 Public access is not permitted

The request reaches the storage service, but it is not recognized as coming from the private endpoint path.
Prakashchandra Pandey 0 Reputation points

2026-02-20T08:40:58.1966667+00:00

Hello Praveen - If I understood correctly from your above explaination that Standardv2 is not guaranteed that it will work as mentioned in https://learn.microsoft.com/hi-in/azure/api-management/virtual-network-concepts?utm_source=chatgpt.com#virtual-network-injection-premium-v2-tier

If yes, please write an email to me, so I can share it with my technical leadership team for further action. Thank you.
Prakashchandra Pandey 0 Reputation points

2026-02-20T08:41:57.9833333+00:00

Also, confirmed it will work without hassle once we deployed APIM with Premium V2 in our environment. Thank you once again.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-20T11:49:27.0133333+00:00

Hello Prakashchandra Pandey,

Yes, once we deploy Azure API Management in the Premium tier (VNet Injection / Internal mode), the current limitation will be resolved.

Unlike Standard v2, the Premium tier supports full virtual network injection. This means:

APIM is fully deployed inside our virtual network

Outbound traffic flows privately within the VNet

Backend services using Private Endpoints recognize traffic as private

The “HTTP/1.1 409 – Public access is not permitted” error will no longer occur

With Premium deployed in Internal mode, the architecture will support true end-to-end private connectivity without workaround dependencies.
Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-24T07:54:24.7933333+00:00

Hello Prakashchandra Pandey,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

It seems that the error "HTTP/1.1 409 Public access is not permitted on this storage account" indicates that the storage account is configured to disallow public access, which is expected since you mentioned that the public access option is set to "Disabled". Since you are using Azure API Management (APIM) in a Hub VNet with VNet integration enabled, and the storage account is in a spoke VNet with a private endpoint, it's crucial to ensure that the following configurations are correctly set up:

Private Endpoint Configuration: Ensure that the private endpoint for the storage account is properly configured and that it is associated with the correct subnet in the spoke VNet.
VNet Peering: Verify that the VNet peering between the Hub and Spoke VNets is correctly set up, allowing traffic to flow between them. Ensure that the peering settings allow forwarded traffic.
Network Security Groups (NSGs): Check if there are any NSGs associated with the subnets that might be blocking traffic to the storage account.
DNS Resolution: Ensure that the DNS settings are correctly configured so that the APIM can resolve the private endpoint's DNS name to its private IP address. You may need to set the WEBSITE_DNS_SERVER app setting in APIM to the DNS server used for resolution.

If all configurations are correct and the issue persists, you may want to use tools like Azure Storage Explorer to test connectivity to the storage account from within the VNet.

References:

Praveen Kumar Gudipudi 1,870 Reputation points Microsoft External Staff Moderator

2026-02-19T08:26:02.2+00:00

Hello Prakashchandra Pandey,

Issue: provides an error "HTTP/1.1 409 Public access is not permitted on this storage account.

Resolution:

A Private DNS zone exists for: privatelink.blob.core.windows.net

The Private DNS zone is linked to both VNets:

Spoke VNet (where the private endpoint resides)

Hub VNet (where API Management is deployed)

The DNS A record for the Storage Account resolves to the private endpoint IP address.

Validation from a resource in the Hub VNet (for example, a test VM) confirms:

nslookup <storage-account>.blob.core.windows.net → private IP address

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
Prakashchandra Pandey 0 Reputation points

2026-02-19T08:57:33.3466667+00:00

Hello Praveen - Yes, storage account's DNS record is getting resolved properly from Azure VM Bastion which is in same Virtual Network in different subnet. PFA. for validation of Private IP resolution.

Share via

I'm unable to access private endpoint enabled storage account via APIM

1 answer

Your answer