How Private DNS Zones for API Management break Logic Apps
Author: Paul Smithdale
Published: November 8, 2022
Creating a Private DNS Zone named after the default API Management domain (azure-api.net) to serve internal API Management instances has an unintended consequence: it breaks Logic App managed connectors. It can be done, but first let's look at why it fails and why you shouldn't.
API Management Domain Names
By default, APIM presents the following endpoints for the API gateway, management, the developer portal and source control. The same default host names apply to both Internal and External APIM configurations.
Endpoint | Default host name | Purpose |
---|---|---|
API Gateway | [domain prefix].azure-api.net | Endpoint to access APIs |
Developer portal (legacy) | [domain prefix].portal.azure-api.net | Provides a user interface for exploring API definitions |
The new developer portal | [domain prefix].developer.azure-api.net | Provides a user interface for exploring API definitions |
Direct management endpoint | [domain prefix].management.azure-api.net | Management of the APIM instance |
Git | [domain prefix].scm.azure-api.net | Bulk source control configuration |
When API Management is configured for Internal mode, the endpoints are only reachable from the virtual network and the customer is responsible for managing DNS for them.
A Private DNS Zone with the name azure-api.net, linked to the virtual network, can hold the A records for every APIM instance's endpoints. However, this configuration has implications.
The problem with Private DNS Zones and azure-api.net
Private DNS Zones are useful for resolving resource names within your Azure Virtual Networks, including App Service Environments and Private Endpoints. When a Private DNS Zone carries a domain name that is also used publicly, every query from the linked virtual networks for a name under that suffix is answered from the private zone alone, and a name the zone does not contain gets NXDOMAIN rather than falling back to public DNS. You therefore run the risk of shadowing external public services you still depend on.
Logic App Managed Connectors Conflicts
Managed Connectors provide a way for you to access other services and systems where built-in connectors aren’t available. The connectors are managed by Microsoft and hosted in Azure.
Behind the scenes Microsoft leverages services including Traffic Manager, API Management and Azure Relay to provide Managed Connectors.
When you create a managed API connection, the underlying managedApiConnections definition contains a connectionRuntimeUrl that indicates where the Logic App sends requests for that connector. It looks like:
```
"connectionRuntimeUrl": "https://xxxxxxxxxxxxx.xx.common.logic-australiaeast.azure-apihub.net/apim/myCosmosCon/xxxxxxxxxxxxxxxxxxxxxxxx/"
```
Running nslookup with debugging enabled (nslookup -debug) against the host name xxxxxxxxxxxxx.xx.common.logic-australiaeast.azure-apihub.net
shows several CNAMEs being followed before the A record is returned. One of those CNAMEs points to a host under azure-api.net, which is also the default domain name for our API Management instances.
When a Private DNS Zone named azure-api.net is linked to the virtual network to resolve internal API Management endpoints, it also captures the azure-api.net hop in the connector's CNAME chain: the query is answered only from the private zone, which has no record for that host, so resolution returns NXDOMAIN, name resolution for the managed connector fails and the connector breaks.
Resolving DNS Conflicts
Private DNS Zones can be used for API Management. Configure custom domain names for the endpoints and choose a domain suffix that you control, that keeps the number of Private DNS Zones small and that does not overlap a public Microsoft domain, e.g. api.contoso.com with host names for gateway, management, portal and scm (gateway.api.contoso.com, management.api.contoso.com and so on).
Alternatively, if custom DNS servers are configured for your virtual networks, create individual A records on those servers for each API Management endpoint host name rather than hosting the whole azure-api.net domain.
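The following is an added example, not code from the original post, that simulates how Azure-provided DNS answers queries inside a virtual network with linked Private DNS Zones. It reproduces the failure described in the section above (a zone named azure-api.net shadowing the connector's CNAME chain) and the fix from this section (a custom api.contoso.com zone), and adds a small audit that reports which hop of a public dependency's chain a proposed zone would shadow. Every host name, CNAME target, zone record and IP address in it is a constructed placeholder; real Azure chains differ and change over time.

```python
"""Simulated Azure-provided DNS resolution with linked Private DNS Zones.

Added example (not from the original post). All host names, CNAME targets
and IP addresses are constructed placeholders, not real Azure records.
"""

# Constructed public DNS records: name -> (type, value). The connector host
# reaches its A record through CNAMEs, one of which sits under azure-api.net,
# which is the shape of the chain the article describes.
PUBLIC_DNS = {
    "example-connector.common.logic-australiaeast.azure-apihub.net":
        ("CNAME", "apihub-australiaeast.trafficmanager.net"),
    "apihub-australiaeast.trafficmanager.net":
        ("CNAME", "apihub-australiaeast.azure-api.net"),
    "apihub-australiaeast.azure-api.net":
        ("CNAME", "apihub-australiaeast.cloudapp.net"),
    "apihub-australiaeast.cloudapp.net": ("A", "20.0.0.10"),
}

CONNECTOR_HOST = "example-connector.common.logic-australiaeast.azure-apihub.net"

# The option the article warns against: a private zone named after the
# default APIM domain, with A records for an Internal-mode instance
# called contoso-apim (assumed name and private IP).
DEFAULT_DOMAIN_ZONES = {
    "azure-api.net": {
        "contoso-apim": "10.0.1.4",
        "contoso-apim.management": "10.0.1.4",
        "contoso-apim.developer": "10.0.1.4",
        "contoso-apim.scm": "10.0.1.4",
    },
}

# The option the article recommends: one zone under a custom domain suffix.
CUSTOM_DOMAIN_ZONES = {
    "api.contoso.com": {
        "gateway": "10.0.1.4",
        "management": "10.0.1.4",
        "portal": "10.0.1.4",
        "scm": "10.0.1.4",
    },
}


def linked_zone_for(name, private_zones):
    """Return the longest linked private zone that contains `name`, or None."""
    matches = [z for z in private_zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def lookup(name, private_zones):
    """One query as Azure-provided DNS (168.63.129.16) answers it.

    A name inside a linked private zone is answered from that zone only; a
    missing record yields NXDOMAIN with no fallback to public DNS. Names
    outside every linked zone are answered from public DNS.
    """
    zone = linked_zone_for(name, private_zones)
    if zone is not None:
        relative = "@" if name == zone else name[: -(len(zone) + 1)]
        address = private_zones[zone].get(relative)
        return ("A", address) if address else ("NXDOMAIN", None)
    return PUBLIC_DNS.get(name, ("NXDOMAIN", None))


def resolve(name, private_zones, max_hops=8):
    """Follow CNAMEs to an address. Returns (address or None, names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = lookup(name, private_zones)
        if rtype == "A":
            return value, chain
        if rtype == "NXDOMAIN":
            return None, chain
        name = value
        chain.append(name)
    return None, chain  # CNAME loop or chain too long


def find_conflicts(dependency_hosts, private_zones):
    """Audit before creating a zone: for each public dependency, report the
    first hop of its public CNAME chain that a linked private zone would
    shadow, as {host: (shadowed_name, zone)}."""
    conflicts = {}
    for host in dependency_hosts:
        _, public_chain = resolve(host, {})
        for hop in public_chain:
            zone = linked_zone_for(hop, private_zones)
            if zone is not None:
                conflicts[host] = (hop, zone)
                break
    return conflicts


if __name__ == "__main__":
    for label, zones in (("no private zones", {}),
                         ("azure-api.net zone", DEFAULT_DOMAIN_ZONES),
                         ("api.contoso.com zone", CUSTOM_DOMAIN_ZONES)):
        addr, chain = resolve(CONNECTOR_HOST, zones)
        print(f"{label}: {addr or 'NXDOMAIN'} via {' -> '.join(chain)}")
    print("conflicts:", find_conflicts([CONNECTOR_HOST], DEFAULT_DOMAIN_ZONES))
```

Against real infrastructure the equivalent of find_conflicts is to walk the chain with nslookup -debug or dig from a machine outside the virtual network and compare each CNAME target against the suffix of every zone you intend to link; the private-zone shadowing is only visible from inside a linked network, which is why it tends to be discovered after the zone is created.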