Bot Service unable to call API that's deployed as a private endpoint

Grossmann, Tobias 11 Reputation points
2023-11-07T15:47:40.9533333+00:00

I want to use Azure Bot Service and secure the messaging endpoint by adding it to a VNet. Is Azure Bot Service able to use the VNet for outbound traffic? The channel (MS Teams via link) breaks as soon as I disable public access on the messaging endpoint. It works if the endpoint is public.

Example: samplebot.azurewebsites.net/api/messages. I've added this endpoint to vnet_1 and attached a private link. The endpoint is reachable via a virtual machine from within the VNet, and blocked from the internet as desired.

In Azure Bot Service, I've created 2 Private Endpoints under "Networking". Both are linked to vnet_1.

I set the "Disable public access and use private access" flag. Well, I hope? The flag is a bit hard to understand.

I did not change the messaging endpoint configuration, as I expect(?) that the URL won't change as soon as Azure Bot Service uses the VNet for outbound traffic. From the VM inside vnet_1 the URL samplebot.azurewebsites.net/api/messages still works.

Question is: Is Azure Bot Service using the VNet for outbound traffic? Maybe some setting which is not doable via the blades is missing? The channel breaks as soon as I disable public access on the messaging endpoint.


Accepted answer
    navba-MSFT 17,120 Reputation points Microsoft Employee
    2023-11-08T06:32:46.5433333+00:00

    @Grossmann, Tobias Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Your question: Question is: Is Azure Bot Services using the VNET for Outbound?

    Commencing September 1, 2023, it is strongly advised to employ the Azure Service Tag method for network isolation. Are you using the Service Tag? Is the NSG configured correctly?

    To answer your question, Azure Bot Service can use VNET for outbound traffic. To integrate Azure Bot Service with a Virtual Network, you need to create an Azure Virtual Network resource in the same region as your bot. This creates both a virtual network and a subnet. Then, open the app service resource for your bot and enable virtual network integration. Virtual network integration connects the app service to the virtual network, ensuring that outbound traffic from the bot app service passes through the firewall.

    However, if you disable public network access, it might break the channel (MS Teams via link) as you’ve experienced.

    The same has been documented already. You can block public access to your Azure AI Bot Service and only allow access through Private Endpoint. You can disable network access of Azure AI Bot Service in the Azure portal. This will unconfigure the Teams channels. No other channels (except Direct Line) can be configured or updated in the Azure portal. More Info here.

    This is because the bot service needs to communicate with other Bot Framework services. You might need to configure private endpoints to restore connectivity.

    Please refer network isolation for the VNET and private endpoint configuration details: https://learn.microsoft.com/en-us/azure/bot-service/dl-network-isolation-how-to?view=azure-bot-service-4.0&tabs=network

    Hope this helps.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
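The Service Tag approach the answer recommends, written out as an added Bicep sketch (not code from the thread or from Microsoft's documentation): the messaging endpoint stays reachable only for the AzureBotService service tag and the VNet, while the bot resource keeps public network access enabled so the Teams channel is not unconfigured. Resource names, the subnet id and the app registration id are assumed placeholders.

```bicep
// Added example (not from the thread): restrict the messaging endpoint with the
// AzureBotService service tag plus VNet integration, instead of disabling public
// access outright. Names, location and the subnet reference are assumed placeholders.
param location string = resourceGroup().location
param integrationSubnetId string   // subnet in vnet_1 delegated to Microsoft.Web/serverFarms (assumed)
param botAppId string              // app registration id of the bot (assumed)

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'samplebot-plan'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'samplebot'
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    // Outbound: regional VNet integration, all traffic routed into vnet_1.
    virtualNetworkSubnetId: integrationSubnetId
    siteConfig: {
      vnetRouteAllEnabled: true
      // Inbound: deny by default, allow only the Bot Service tag and the VNet.
      // This is the "Service Tag method"; publicNetworkAccess stays enabled.
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [
        { name: 'allow-bot-service', action: 'Allow', priority: 100, tag: 'ServiceTag', ipAddress: 'AzureBotService' }
        { name: 'allow-vnet', action: 'Allow', priority: 110, vnetSubnetResourceId: integrationSubnetId }
      ]
    }
  }
}

// The bot resource keeps publicNetworkAccess 'Enabled'. Setting it to 'Disabled'
// is the step that unconfigures the Teams channel (only Direct Line then remains).
resource bot 'Microsoft.BotService/botServices@2022-09-15' = {
  name: 'samplebot'
  location: 'global'
  kind: 'azurebot'
  sku: { name: 'F0' }
  properties: {
    displayName: 'samplebot'
    endpoint: 'https://${app.properties.defaultHostName}/api/messages'
    msaAppId: botAppId
    msaAppType: 'MultiTenant'
    publicNetworkAccess: 'Enabled'
  }
}
```

Deploy with `az deployment group create` and confirm the endpoint from a VM in vnet_1 still answers while an anonymous request from the internet receives a 403 from the access restriction.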

