Amit Anand

Reputation: 1109

Issue with deploying Azure API Management instance to a virtual network - internal mode

I am facing some strange issues while deploying my Azure API Management instance to a virtual network in internal mode. Essentially, I am following this article from Microsoft: Deploy Azure APIM Internal to a Virtual Network.

I have listed below the steps that I have performed and the results of that as well.

What I did so far that went well.

  1. Created an Azure VNET (say VNET-1) in a Resource Group (say RG-1) in an Azure region.
  2. Created a Network Security Group (say NSG-1) in RG-1 and configured the NSG with minimum configuration and required ports open as mentioned in the MS article above.
  3. Created a subnet (say Subnet-APIM) in VNET-1 and selected NSG-1 as its Network Security Group. The Delegate subnet to a service setting for the subnet was set to None.
  4. Enabled service endpoints for KeyVault, EventHub, ServiceBus, SQL, and Storage in the Subnet.
  5. Created a Standard SKU public IPv4 address (say Pub-IP-1) in RG-1 and assigned a DNS name to that.
  6. Created a Developer Tier Azure APIM instance (say APIM-1) in RG-1 without VNET.
  7. The APIM was created successfully and I tested the echo api (created by default) using Postman and received 200 OK in response.

The issue that I am facing during VNET Integration.

  8. Tried to enable the VNET integration for the APIM following the below steps: Select APIM Instance > Select Network > Virtual network > Select the Internal access type. Selected VNET-1, Subnet-APIM & Pub-IP-1 > Apply > Save.
  9. After this, Azure shows a blue banner on top of the APIM instance with the message "Service is being updated". After 3 to 4 mins I get a notification saying "Successfully configured Virtual Network for VNET-1", but the blue banner remains there with the message "Service is being updated" for some time. The banner finally disappears after some 30 mins without any error, but I don't see the VNET settings applied: when I come back to the Azure APIM network settings, the Virtual Network section shows "None".
  10. I checked the activity logs too and found an entry "Create or Update API Management Service instance" -- Succeeded, but the Virtual Network was still not integrated, as I am not able to see the Private IP of the APIM instance on the portal.

Any help will be appreciated.

I tried a new deployment and this time got the below error.

{
    "status": "Failed",
    "error": {
        "code": "ActivationFailed",
        "message": "API Management service uses Azure Storage to download the service configuration.\nThe service deployment failed to connect to an Azure Storage account from inside the Virtual Network. \n 1. Please ensure an Azure Storage Account DNS can be resolved, if using a Custom DNS Server.\n2. Please ensure that there is NSG / Firewall allows outbound to `AzureStorage` ServiceTag from the Virtual Network subnet where deployment is being attempted.\nPlease review other common network configuration and troubleshooting information at https://aka.ms/apim-vnet-common-issues"
    }
}

I have configured the Outbound rule for Azure storage in NSG. Is there anything else that is required?

Upvotes: 2

Views: 2193

Answers (1)

Ikhtesam Afrin

Reputation: 6507

If you have followed the MS Docs and created all the associated resources like virtual network, NSG and public IP addresses as given in the documentation, then you should be able to enable internal virtual network in APIM.

I have created the above mentioned resources and then enabled internal virtual network in APIM.


Then I got the successfully configured message, but then a banner with the Service is being updated message appeared at the top. It took around 30-40 min to disappear in my case. When I navigated to the Networks blade, I was able to see the virtual network details.


I can also see the Private IP in the Overview blade.


I would suggest you try adding the virtual network one more time, but please ensure to add it to a single instance at a time.

Upvotes: 1
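
One way to check the NSG item in the ActivationFailed message quoted in the question, as an added example that is not part of either post: NSG rules are evaluated lowest priority number first, so an outbound Storage allow rule has no effect if a broader deny sits ahead of it. The rule names and priorities below are constructed, the function name is hypothetical, and source prefixes are assumed to cover the APIM subnet.

```python
import json

# Constructed sample (not from the post), in the shape printed by
# `az network nsg rule list -o json` for an NSG such as NSG-1.
SAMPLE_RULES = json.loads("""[
 {"name": "DenyInternetOut", "direction": "Outbound", "access": "Deny", "priority": 200,
  "protocol": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
 {"name": "AllowStorageOut", "direction": "Outbound", "access": "Allow", "priority": 300,
  "protocol": "Tcp", "destinationAddressPrefix": "Storage", "destinationPortRange": "443"}
]""")

# The error text names the tag `AzureStorage`; NSG rules list it as `Storage`
# (optionally `Storage.<region>`). Both spellings are accepted here.
STORAGE_TAGS = ("storage", "azurestorage")
# Broader destinations that also contain the public Storage endpoints.
COVERING = ("*", "internet")

def _covers_storage(prefix):
    p = prefix.lower()
    return p in COVERING or p in STORAGE_TAGS or p.startswith("storage.")

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def storage_outbound_verdict(rules, port=443):
    """Return (access, rule name) of the first outbound rule, lowest priority
    number first, that matches TCP `port` to Storage. Source prefixes are
    ignored: every rule is assumed to apply to the APIM subnet."""
    outbound = [r for r in rules if r["direction"].lower() == "outbound"]
    for r in sorted(outbound, key=lambda r: r["priority"]):
        if r["protocol"].lower() not in ("*", "tcp"):
            continue
        prefixes = [r.get("destinationAddressPrefix")] + (r.get("destinationAddressPrefixes") or [])
        ports = [r.get("destinationPortRange")] + (r.get("destinationPortRanges") or [])
        if any(p and _covers_storage(p) for p in prefixes) and \
           any(s and _port_matches(s, port) for s in ports):
            return r["access"], r["name"]
    return "NoMatch", None

if __name__ == "__main__":
    print(storage_outbound_verdict(SAMPLE_RULES))
```

A `Deny` verdict on the constructed sample means the Storage allow rule exists but is never reached; giving it a lower priority number than the deny rule changes the verdict to `Allow`.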
