Forum Discussion

akashwarkhade
Copper Contributor
Oct 22, 2022

Not able to setup azure private endpoint url as webservice/backend for Azure API Management service

Hi all,

I have integrated a private endpoint connected to a private link service.
The private link service is created by an Azure standard load balancer, which is created by a Kubernetes LoadBalancer service using the annotations below.

  # Completed into a full Service manifest so it can be applied as-is; the service name,
  # selector and port are placeholders, the annotations are the ones used in the setup.
  apiVersion: v1
  kind: Service
  metadata:
    name: my-service
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-pls-create: "true"
      service.beta.kubernetes.io/azure-pls-name: myPLS
      service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
      service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
      service.beta.kubernetes.io/azure-pls-visibility: "*"
      # does not apply here because we will use Front Door later
      service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"
  spec:
    type: LoadBalancer
    selector:
      app: my-app
    ports:
      - port: 80


I am getting the expected response (i.e. the response from the Kubernetes service) from the private endpoint IP, which confirms that the private link and private endpoint integration is working fine.

We now want to integrate the above private endpoint service with the Azure API Management service,
so we tried adding the private endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

{ "statusCode": 500, "message": "Internal server error", "activityId": "76261291-7121-4814-b0e4-66b52284d76c" }


I also tried the API Management service Troubleshoot & analysis page for the exact error; it's showing the error below:

BackendConnectionFailure
An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me understand what I am doing wrong in this implementation.
Our requirement is to have a Kubernetes private load balancer and integrate it with the Azure API Management service,
so users can access the API only through the API Management service, and only the API Management service should be able to access the load balancer service.

Thanks in advance

1 Reply

  • In view of APIM as the only public access point, with the backend reachable only via private IP, I would suggest:

    1. Deploy APIM in Internal VNet Mode
       • Use the Developer, Premium, or Isolated SKU (Standard does not support full VNet integration for outbound traffic).
       • Enable VNet integration with internal mode so APIM can access private IPs.
       • Ensure APIM is in the same VNet or a peered VNet as your Kubernetes load balancer.
    2. Use Private DNS Zones
       • Ensure your private endpoint DNS resolves correctly inside the VNet.
       • Use Azure Private DNS Zones to map the private endpoint to a friendly FQDN.
    3. Configure NSG and Firewall Rules
       • Allow traffic from the APIM subnet to the backend IP and port (e.g., port 80).
       • Double-check that no NSG or firewall is blocking outbound traffic from APIM.
    4. Avoid Using a Public Endpoint in the Backend URL
       • Use the private IP or private DNS name in your APIM backend configuration.
       • Do not use public FQDNs that resolve outside the VNet.
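As an added example (not from the thread, not Microsoft's or Azure's own tooling), the following POSIX shell script turns steps 3 and 4 of the reply above into a pre-flight check that can be run before a URL is pasted into the APIM "Web service URL" field. It classifies the backend host as a private IPv4 address, a public IPv4 address, a name under a private DNS zone linked to the VNet, or a public name, and prints (never executes) the NSG rule commands that would allow the APIM subnet to reach the backend port. The zone suffixes in PRIVATE_ZONES, the resource-group and NSG placeholders, and the test URLs are all constructed for the example; nothing here calls Azure, so it runs offline. IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example: pre-flight check for an APIM backend URL. Runs offline; all zone
# names, resource names and URLs below are constructed placeholders, not from the thread.
set -eu

# Private DNS zone suffixes expected to resolve only inside the VNet (constructed;
# override with the environment variable when running against a real setup).
PRIVATE_ZONES="${PRIVATE_ZONES:-internal.example.com privatelink.example.com}"

# backend_host URL -> host part only (scheme, userinfo, port and path stripped).
backend_host() {
  h=${1#*://}
  h=${h%%/*}
  h=${h##*@}
  h=${h%%:*}
  printf '%s\n' "$h"
}

# backend_port URL -> explicit port if present, else 443 for https://, 80 otherwise
# (APIM's own error in the thread shows it dialling :80 for an http:// backend).
backend_port() {
  rest=${1#*://}
  rest=${rest%%/*}
  rest=${rest##*@}
  case "$rest" in
    *:*) printf '%s\n' "${rest##*:}" ;;
    *)   case "$1" in https://*) echo 443 ;; *) echo 80 ;; esac ;;
  esac
}

# is_ipv4 HOST -> 0 if HOST is a dotted-quad literal.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# is_private_ipv4 IP -> 0 if IP is in 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# in_private_zone HOST -> 0 if HOST is, or is under, one of PRIVATE_ZONES.
in_private_zone() {
  for z in $PRIVATE_ZONES; do
    case "$1" in "$z"|*."$z") return 0 ;; esac
  done
  return 1
}

# classify_backend URL -> prints private-ip | public-ip | private-dns | public-dns
# and returns 0 only for the two private cases (step 4 of the reply).
classify_backend() {
  host=$(backend_host "$1")
  if is_ipv4 "$host"; then
    if is_private_ipv4 "$host"; then echo private-ip; return 0; fi
    echo public-ip; return 1
  fi
  if in_private_zone "$host"; then echo private-dns; return 0; fi
  echo public-dns; return 1
}

# nsg_rule_commands URL APIM_SUBNET_CIDR -> prints the two az CLI commands that would
# allow the APIM subnet to reach the backend port (step 3 of the reply). Printed only,
# never run; <RG>, <APIM_SUBNET_NSG> and <BACKEND_NSG> are placeholders to fill in.
nsg_rule_commands() {
  host=$(backend_host "$1")
  port=$(backend_port "$1")
  printf 'az network nsg rule create -g <RG> --nsg-name <APIM_SUBNET_NSG> -n allow-out-to-backend --priority 200 --direction Outbound --access Allow --protocol Tcp --source-address-prefixes %s --destination-address-prefixes %s --destination-port-ranges %s\n' "$2" "$host" "$port"
  printf 'az network nsg rule create -g <RG> --nsg-name <BACKEND_NSG> -n allow-in-from-apim --priority 200 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --destination-address-prefixes %s --destination-port-ranges %s\n' "$2" "$host" "$port"
}

# Usage: sh check_backend.sh <backend-url> <apim-subnet-cidr>
if [ "${1:-}" != "" ]; then
  if classify_backend "$1"; then
    nsg_rule_commands "$1" "${2:-<APIM_SUBNET_CIDR>}"
  else
    echo "backend host is public; APIM would leave the VNet to reach it" >&2
    exit 1
  fi
fi
```

A non-zero exit from classify_backend is the signal that the URL would send APIM out of the VNet (the situation step 4 warns about); the printed rules are a starting point for the allow list in step 3 and still need the real NSG names and a priority that does not collide with existing rules.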
