API Management service is external and my ACA backend instance is private; I hosted an app but am not able to make the API Management to backend communication work

Soundarya Manjunatha 0 Reputation points
2025-11-26T07:52:24.3866667+00:00

In API Management I tried adding an API, and the source revision URL is set, but the base URL which the gateway gives is giving a 404 error and I am not able to reach the backend.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

2 answers

  1. Q&A Assist
    2025-11-26T07:52:40.2533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To enable communication between your external Azure API Management (APIM) service and a private backend instance, ensure that the following steps are correctly configured:

    1. Private Endpoint: If your backend service is private, you should set up a private endpoint for your API Management service. This allows secure communication without exposing your backend to the public internet.
    2. DNS Configuration: Verify the DNS settings for your private endpoint. The API Management service should resolve to the private IP address of your backend service. You can check this in the Azure portal under the API Management service settings.
    3. Base URL: Ensure that the base URL you are using in your API configuration matches the private endpoint. The base URL should not include a trailing slash to avoid misconfigurations.
    4. Health Status: Check the health status of your backend services in the API Management instance. You can use PowerShell to confirm the health status:
         Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resGroupName
      
      Make sure that the backend pool is healthy.
    5. API Operation Configuration: Ensure that the operations defined in your API are correctly set up to route requests to the backend. The urlTemplate in the operation should be correctly appended to the base URL of the API.
    6. Testing: After making these configurations, test the API endpoint using tools like curl to ensure that the requests are being routed correctly to the backend service without returning a 404 error.

    If you continue to encounter issues, consider reviewing the logs for more detailed error messages that could provide further insights into the problem.


  2. Anurag Rohikar 3,035 Reputation points Microsoft External Staff Moderator
    2025-12-01T14:44:00.0933333+00:00

    Hello Soundarya Manjunatha,

    Thanks for sharing these details. This gives a clear picture of the setup, and based on what you described, the 404 behavior is expected.

    Root Cause

    With your Container App configured for ingress "Limited to Container Apps Environment" in a workload profile environment, the app becomes reachable only from other apps inside the same ACA environment via its internal service mesh. It does not expose a VNet IP or private endpoint that APIM (even with VNet integration) or a VM in the same VNet can target directly. This is why your tests succeed only when switching to external ingress and fail with 404 otherwise.

    Documentation: Networking in Azure Container Apps environment, Ingress in Azure Container Apps

    Private Endpoints for ACA

    Container Apps does not support private endpoints at the individual app level. Private endpoints or internal load balancers (ILB) apply only to the environment, and only when the environment is created with internal (ILB) mode.

    Since your current environment is not ILB-enabled, apps with environment-only ingress are reachable only inside the environment and not from APIM, VMs, or other VNet-integrated resources.

    Documentation: https://learn.microsoft.com/en-us/azure/container-apps/networking

    Why APIM VNet Integration Does Not Help

    APIM Developer tier "external + VNet" allows outbound access to VNet-private IPs, but your ACA backend lacks a targetable VNet IP or private endpoint. Environment-only ingress runs on ACA's managed overlay network, not a directly addressable private IP that APIM can resolve and reach.

    Available Options:

    1. Make backend Container App external and secure it. Simplest fix: Set ingress to External, then use IP restrictions to allow only your APIM outbound IPs or service tags. This keeps the app secure while enabling APIM to reach it.
    2. Deploy APIM self-hosted gateway in ACA environment. Running the APIM gateway as a Container App places it inside the same environment, allowing it to reach internal ingress directly. This provides fully private end-to-end traffic flow. Documentation: APIM self-hosted gateway overview
    3. Migrate to internal Container Apps environment. Create/recreate the ACA environment as Internal (with ILB/private IP from your VNet). APIM in the same VNet can then target the environment's private endpoint, routing to your internal app. Check regional availability for workload profiles.

    Next Steps

    If maintaining the Front Door → APIM → backend private ACA flow is your priority, the “External ingress + IP restrictions” option provides the fastest resolution while keeping the backend locked down.

    I hope this helps. Please do let us know if you have any further questions on this. Thank you!

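The "External ingress + IP restrictions" option from the answer above, as an added example that is not part of either answer: a POSIX shell helper that validates a list of APIM outbound addresses and builds one `az containerapp ingress access-restriction set` Allow rule per address. The app name, resource group and addresses are constructed placeholders, and the commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Once any Allow rule exists on a Container App, sources that
# match no rule are denied, so the allow list must hold every APIM outbound IP
# (read them with: az apim show -n <apim> -g <rg> --query publicIpAddresses).

# Accept an IPv4 address or IPv4 CIDR and print it in CIDR form; fail otherwise.
to_cidr() {
  addr=${1%%/*}; prefix=32
  case $1 in */*) prefix=${1##*/} ;; esac
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/%s\n' "$addr" "$prefix"
}

# usage: lock_ingress_to_apim <app> <resource-group> <ip-or-cidr>...
lock_ingress_to_apim() {
  app=$1; rg=$2; shift 2
  [ $# -gt 0 ] || { echo "no APIM addresses given" >&2; return 1; }
  # Validate every entry first so a typo cannot leave a half-applied allow list.
  cidrs=
  for src in "$@"; do
    cidr=$(to_cidr "$src") || { echo "invalid source: $src" >&2; return 1; }
    cidrs="$cidrs $cidr"
  done
  n=0
  for cidr in $cidrs; do
    n=$((n + 1))
    set -- az containerapp ingress access-restriction set \
      --name "$app" --resource-group "$rg" \
      --rule-name "allow-apim-$n" --ip-address "$cidr" --action Allow
    # Dry run by default: print the command; execute it only when APPLY=1.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
  done
}

# Dry run with constructed values (203.0.113.0/24 is a documentation range).
lock_ingress_to_apim orders-api rg-demo 203.0.113.10 203.0.113.24/29
```

After applying the rules, a request to the app's FQDN from an address outside the list should be refused, while the same request through the APIM gateway succeeds.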
