Introduction
When your Logic App Standard is integrated with a Virtual Network (VNET), you can use these APIs to troubleshoot connectivity issues to downstream resources like SQL databases, Storage Accounts, Service Bus, Key Vault, and more. The checks run directly from the worker hosting your Logic App, so the results reflect the actual network path your workflows use.
API Overview
| API | HTTP Method | Route Suffix | Purpose |
|---|---|---|---|
| ConnectivityCheck | POST | /connectivityCheck | Validates end-to-end connectivity to an Azure resource (SQL, Key Vault, Storage, Service Bus, etc.) |
| DnsCheck | POST | /dnsCheck | Performs DNS resolution for a hostname |
| TcpPingCheck | POST | /tcpPingCheck | Performs a TCP ping to a host and port |
How to Call Using Azure API Playground
- Sign in with your Azure account.
https://portal.azure.com/#view/Microsoft_Azure_Resources/ArmPlayground.ReactView
- Use POST method with the URLs below.
Instead of API playground you can also use PowerShell or Az Rest
URL Pattern
Production slot:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{logicAppName}/connectivityCheck?api-version=2026-03-01-previewDeployment slot:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{logicAppName}/slots/{slotName}/connectivityCheck?api-version=2026-03-01-previewReplace connectivityCheck with dnsCheck or tcpPingCheck as needed.
all the requests should be Json
1. ConnectivityCheck
Tests end-to-end connectivity from your Logic App to an Azure resource. This validates DNS, TCP, and authentication in a single call.
Supported Provider Types
| ProviderType | Use For |
|---|---|
| KeyVault | Azure Key Vault |
| SQL | Azure SQL Database / SQL Server |
| ServiceBus | Azure Service Bus |
| EventHubs | Azure Event Hubs |
| BlobStorage | Azure Blob Storage |
| FileShare | Azure File Share (see Port 445 limitation) only tese 443 |
| QueueStorage | Azure Queue Storage |
| TableStorage | Azure Table Storage |
| Web | Any HTTP/HTTPS endpoint |
Credential Types
| CredentialType | When to Use |
|---|---|
| ConnectionString | You have a connection string to provide directly |
| Authentication | You have an endpoint URL with username and password |
| CredentialReference | You want to reference an existing connection string or app setting by name |
| AppSetting | You want to reference an app setting configured on the Logic App |
| ManagedIdentity | Your Logic App uses Managed Identity to authenticate |
Sample Request — Connection String (SQL Database)
POST https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{logicAppName}/connectivityCheck?api-version=2026-03-01-preview Content-Type: application/json
{
"properties": {
"providerType": "SQL",
"credentials": {
"credentialType": "ConnectionString",
"connectionString": "Server=tcp:myserver.database.windows.net,1433;Database=mydb;User ID=myuser;Password=mypassword;Encrypt=True;TrustServerCertificate=False;"
},
"resourceMetadata": {
"entityName": ""
}
}
}
Sample Request — App Setting Reference (Service Bus)
Use this when your connection string is stored in an app setting on the Logic App (e.g., ServiceBusConnection).
{
"properties": {
"providerType": "ServiceBus",
"credentials": {
"credentialType": "AppSetting",
"appSetting": "ServiceBusConnection"
},
"resourceMetadata": {
"entityName": "myqueue"
}
}
}
Sample Request — Managed Identity (Blob Storage)
Use this when your Logic App authenticates using Managed Identity.
{
"properties": {
"providerType": "BlobStorage",
"credentials": {
"credentialType": "ManagedIdentity",
"managedIdentity": {
"targetResourceUrl": "https://mystorageaccount.blob.core.windows.net",
"clientId": ""
}
},
"resourceMetadata": {
"entityName": ""
}
}
}Tip: Leave clientId empty to use the system-assigned managed identity. Provide a client ID to use a specific user-assigned managed identity.
2. DnsCheck
Tests whether a hostname can be resolved from your Logic App's worker. This is useful for verifying private DNS zones and private endpoints are configured correctly.
Sample Request
POST https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{logicAppName}/dnsCheck?api-version=2026-03-01-preview Content-Type: application/json
{
"properties": {
"dnsName": "myserver.database.windows.net"
}
}3. TcpPingCheck
Tests whether a TCP connection can be established from your Logic App to a specific host and port. This is useful for checking if a port is open and reachable through your VNET.
Sample Request
POST https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{logicAppName}/tcpPingCheck?api-version=2026-03-01-preview Content-Type: application/json
{
"properties": {
"host": "myserver.database.windows.net",
"port": "1433"
}
}
Port 445 (SMB / Azure File Share) — Known Limitation
Port 445 cannot be reliably tested using TcpPingCheck or ConnectivityCheck with the FileShare provider type.
Restricted Outgoing Ports
Regardless of address, applications cannot connect to anywhere using ports 445, 137, 138, and 139. In other words, even if connecting to a non-private IP address or the address of a virtual network, connections to ports 445, 137, 138, and 139 are not permitted.
Microsoft