API Management Deployment - Service Activation Failed

Taranjeet Malik 451 Reputation points
2024-05-31T08:38:28.2733333+00:00

Hi there

I've deployed Azure API Management instance inside a VNet (Internal mode). This APIM instance sits in a spoke VNet (Subscription) and the Hub subscription has all the shared services such as Firewall, Gateway, Active Directory DNS. Internet traffic is currently not forced tunneled to on-prem and exits directly through Azure Firewall. Have completed the following configurations before APIM deployment:

1.     Created a custom Azure DNS Zone and a self-signed SSL Certificate with the required names.

2.     Linked this zone to Hub as well as spoke VNets.

3.     Created required DNS Records for the APIM resources (Gateway, portal etc.).

4.     Created NSG rules to allow inbound and outbound traffic for APIM. This also includes enabling DNS traffic to Active Directory DNS in the Hub Subscription.

5.     Created Azure Firewall rules to allow traffic to services (such as Azure AD) required by AIM

6.     Created Route Table for the APIM Subnet to bypass the API Management traffic to go directly to Internet.

7.     Enabled Service Endpoints for Storage, Key Vault, and Even Grid services on APIM subnet.

8.     Created a Public IP Address resource for APIM Management Plane functions.

I've reviewed the following articles:

https://video2.skills-academy.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2

https://video2.skills-academy.com/en-us/azure/api-management/virtual-network-reference?tabs=stv2

https://techcommunity.microsoft.com/t5/azure-paas-blog/api-management-networking-faqs-demystifying-series-ii/ba-p/1502056

 

Problem statement: The APIM deployment finished with following error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"ActivationFailed","message":"API Management service uses Azure SQL Server internally to store configuration for your service.\nThe service deployment failed to connect to an Azure SQL Server on port 1433 from inside the Virtual Network. \n 1. Please ensure an Azure SQL Server DNS can be resolved, if using a Custom DNS Server.\n2. Please ensure that there is no NSG / Firewall blocking outbound port access on 1433 from the Virtual Network subnet where deployment is being attempted.\nPlease review other common network configuration and troubleshooting information at https://aka.ms/apim-vnet-common-issues"}]}]}}

I've used NSG Diagnostics (Network Watcher) to validate that the NSG rules are not an issue. Unsure how to establish that the APIM is able to reach the Azure SQL Servers, as there's no specific URL / IP Address specified in the error.

Can someone please suggest the best way to verify the DNS name resolution or network validation that could result in failure above error?

Thanks

Taranjeet Singh

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,908 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. JananiRamesh-MSFT 23,256 Reputation points
    2024-06-04T07:02:48.6366667+00:00

    @Taranjeet Malik glad to see you were able to resolve your issue. Thanks for posting your solution so that others experiencing the same thing can easily reference this.

    Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer, they can only accept answers by others, I'll repost your solution in case you'd like to Accept the answer.

    Issue: The APIM deployment failed with following error:

    The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"ActivationFailed","message":"API Management service uses Azure SQL Server internally to store configuration for your service.\nThe service deployment failed to connect to an Azure SQL Server on port 1433 from inside the Virtual Network. \n 1. Please ensure an Azure SQL Server DNS can be resolved, if using a Custom DNS Server.\n2. Please ensure that there is no NSG / Firewall blocking outbound port access on 1433 from the Virtual Network subnet where deployment is being attempted.\nPlease review other common network configuration and troubleshooting information at https://aka.ms/apim-vnet-common-issues

    Resolution: OP was able to get through this by following the below:

    1. Allow ports listed here for Azure SQL, Azure Storage and Azure Key Vault in Azure Firewall. This is to allow APIM Subnet to be able to reach these services (although Service Endpoints were enabled for these services, we still need Azure Firewall exceptions).
    2. Allowing UDP Protocol for DNS (port 53) traffic to DSN Service (Windows AD DS integrated running in Hub Subscription. This exception is to be created on NSG attached to APIM subnet, NSG attached to subnet where DNS service is running and in Azure Firewall (if it is configured to inspect all the traffic from spokes to hub).

     

    0 comments