Forum Discussion

akashwarkhade
Copper Contributor
Oct 24, 2022

Not able to setup azure private endpoint url as webservice/backend for Azure API Management


Hi all,

I have integrated a private endpoint connected to a private link service.
The private link service is created by an Azure Standard Load Balancer, which is in turn created by a Kubernetes LoadBalancer service using the annotations below.

  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-pls-create: "true"
    service.beta.kubernetes.io/azure-pls-name: myPLS
    service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
    service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
    service.beta.kubernetes.io/azure-pls-visibility: "*"
    # does not apply here because we will use Front Door later
    service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"


I am getting the expected response (i.e. the response from the Kubernetes service) from the private endpoint IP within the virtual network, which confirms that the private link and private endpoint integration is working fine.

We now want to integrate the above private endpoint service with the Azure API Management service,
so we tried adding the private endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

{ "statusCode": 500, "message": "Internal server error", "activityId": "76261291-7121-4814-b0e4-66b52284d76c" }


I also tried the API Management service Troubleshoot & analysis page to find the exact error; it shows the error below:

BackendConnectionFailure
An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me understand what I am doing wrong in this implementation.

Our requirement is to have a Kubernetes private load balancer and integrate it with the Azure API Management service, which would be publicly accessible,
so users can access the API only through the API Management service, and only the API Management service should be able to access the load balancer service.

Thanks in advance

1 Reply

  • Test this out:


    • Trace in APIM: Enable tracing; look for BackendConnectionFailure details, TLS errors, or DNS resolution results. SSL/TLS trust and SNI problems manifest as 500s with trust/handshake failures.
    • DNS resolution test: From a VM in APIM's subnet, nslookup/dig the backend FQDN. It must resolve to the PE's private IP. If it resolves to a public IP, fix the Private DNS zone links.
    • TCP reachability: From that VM, test with tcping or Test-NetConnection against the backend FQDN:port. If blocked, adjust NSGs/UDRs or SLB rules.
    • FS logs / Load balancer health: Check the Standard LB health probe and AKS service endpoints; the LB must show healthy backends on the port APIM calls.
    • Certificate/SNI validation: If HTTPS, verify the cert chain installed at the ingress. Ensure APIM uses the same hostname in the Host header and SNI; otherwise a certificate mismatch causes trust errors.


    Troubleshoot 500 BackendConnectionFailure SSL/TLS Error | Microsoft Community Hub
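The DNS and TCP checks from the reply above, combined into one script. This is an added example, not code from the thread or from Microsoft: it assumes a Linux VM in APIM's subnet with `getent` and `nc` available, assumes the VNet uses RFC 1918 address space (so a public answer is a sign the Private DNS zone link is missing), and takes the backend FQDN and port as placeholder arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Run from a VM in APIM's subnet to check
# that the backend FQDN resolves to the private endpoint address and that the
# port APIM calls is reachable. "<private_endpoint_fqdn>" and the port are
# placeholders; substitute the values from your own deployment.

# is_private_ip: returns 0 if an IPv4 address is in RFC 1918 space, 1 otherwise.
# Assumption: the VNet that hosts the private endpoint uses RFC 1918 ranges.
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# resolve_fqdn: prints the first IPv4 address the VM's resolver returns.
# This uses the same resolver path APIM's subnet uses, so a public answer
# here means the Private DNS zone is not linked to this VNet.
resolve_fqdn() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# tcp_reachable: returns 0 if a TCP connect to host:port succeeds within 3 s.
tcp_reachable() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# check_backend: runs the resolution and reachability checks in order and
# prints which layer failed, mirroring the checklist in the reply.
check_backend() {
  fqdn="$1"
  port="$2"
  ip=$(resolve_fqdn "$fqdn")
  if [ -z "$ip" ]; then
    echo "FAIL: $fqdn does not resolve; check the Private DNS zone link"
    return 1
  fi
  if is_private_ip "$ip"; then
    echo "OK: $fqdn -> $ip (private address, consistent with the private endpoint)"
  else
    echo "FAIL: $fqdn -> $ip is public; fix the Private DNS zone link so APIM uses the private endpoint"
    return 1
  fi
  if tcp_reachable "$ip" "$port"; then
    echo "OK: TCP $ip:$port reachable"
  else
    echo "FAIL: TCP $ip:$port blocked; check NSG/UDR rules and the Standard LB health probe on that port"
    return 1
  fi
}

# Usage (placeholders): check_backend "<private_endpoint_fqdn>" 80
```

The script stops at the first failing layer, so the message it prints tells you whether to look at DNS (Private DNS zone link), at the network path (NSGs, UDRs, load balancer rules) or, if both pass, at the TLS/SNI items from the reply.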

