Azure APIM in Internal VNet Mode Front-ended by CloudFlare

Question

Azure APIM in Internal VNet Mode Front-ended by CloudFlare

Taranjeet Malik 611

Hi

We have an Azure APIM instance deployed in internal VNet mode (no Private Endpoint enabled). It is front-ended by CloudFlare SaaS solution. The consumers of the APIs hit a Public DNS 'A' record that points to CloudFlare, which then forwards the query to APIM instance over the ExpressRoute. The source address is translated / changed to CloudFlare IP address range, which is a set of Public IPs provided by CluodFlare. This means, when the request reaches the APIM instance, it has a source IP as one of the Public IP addresses from the CloudFlare range. Here's the exact flow of traffic:

Ineternet Client making request to Public URL--> Hits CludFlare--> Source address translated by CloudFlare--> Firewall (allows traffic from CloudFlare to APIM)--> Cloud Router--> ExpressRoute--> ExpressRoute Gateway (Hub VNet)--> Azure Firewall (Hub VNet)--> APIM (Spoke VNet)

We're currently, experiencing a problem: The client making request is getting HTTPS error 522 (Connection timed out). Azure Firewall is showing the "allow" rules triggered at the time of client making the request, however, nothing is logged at APIM showing incoming request (App Insights). There's no activity recorded in the VNet Flow logs on the spoke VNet (where APIM is deployed).

Can someone please share their experience with the similar setup? What areas to investigate, suggested troubleshooting steps?

Thanks

Taranjeet Singh

1 answer

Your answer

Answer 1

Ievgen Zasid 75

Hello @Taranjeet Malik ,

Based on the information provided above, I'd check the following

If you route to APIM FQDN but not IP address - check if there is a DNS resolver configured for APIM FQDN.
Ensure CloudFlare is routed to APIM public FQDN/IP address. "publicNetworkAccess": "Enabled", configuration should be enabled on APIM side.
Ensure APIM VNet is peered with Hub VNet
Check APIM Subnet NSG it it allows Ingress traffic from CloudFlare IP CIDR
If you have any custom UDRs ensure if there is symmetric routing is configured.

Please mark my comment as accepted answer if that helps you or let me know if you have any additional questions/concerns.

Taranjeet Malik 611 Reputation points

2025-08-12T08:26:52.1633333+00:00
Hi @Ievgen Zasid Thanks for your response.

We've confirmed the name resolution working properly (we host the private DNS zone for domain azure-api.net and clients from within the APIM VNet and outside are able to resolve the APIM FQDN successfully).

Not sure what you mean when you say "Ensure CloudFlare is routed to APIM public FQDN/IP address. publicNetworkAccess": "Enabled", configuration should be enabled on APIM side." as far as I understand, there's nothing called as Public Access for an APIM instance deployed within a VNet internal mode - it's meant to be completely private. There's a Public IP address assigned to APIM instance that's only meant to control plane traffic (no user traffic can use it in this configuration)

This is checked - Hub-Spoke topology is in-place and completely functional.

NSG on APIM subnet has correct incoming rule configured to allow CloudFlare IPs.

Asymmetric routing is something we suspect, however, we're unable to nail this down, as nothing is logged at APIM showing incoming request (App Insights). Moreover, there's no activity recorded in the VNet Flow logs on the spoke VNet (where APIM is deployed).

We logged a case with Microsoft, and one of the MS support professional says that:

APIM in internal mode with a private IP won’t respond to public IP traffic.

It won’t respond to IPs outside the VNet CIDR unless they’re part of a peered VNet or routed through a gateway (like Application Gateway, VPN, or ExpressRoute)

Can you / someone please validate the above from personal experience in similar scenario.

Thanks

Taranjeet Singh

Share via

Azure APIM in Internal VNet Mode Front-ended by CloudFlare

1 answer

Your answer