Azure APIM in Internal VNet Mode Front-ended by CloudFlare

Taranjeet Malik 611 Reputation points
2025-08-09T02:02:57.5866667+00:00

Hi

We have an Azure APIM instance deployed in internal VNet mode (no Private Endpoint enabled). It is front-ended by the CloudFlare SaaS solution. The consumers of the APIs hit a public DNS 'A' record that points to CloudFlare, which then forwards the request to the APIM instance over ExpressRoute. The source address is translated/changed to the CloudFlare IP address range, which is a set of public IPs provided by CloudFlare. This means that when the request reaches the APIM instance, its source IP is one of the public IP addresses from the CloudFlare range. Here's the exact flow of traffic:

Internet client making request to public URL --> Hits CloudFlare --> Source address translated by CloudFlare --> Firewall (allows traffic from CloudFlare to APIM) --> Cloud Router --> ExpressRoute --> ExpressRoute Gateway (Hub VNet) --> Azure Firewall (Hub VNet) --> APIM (Spoke VNet)

We're currently experiencing a problem: the client making the request is getting HTTPS error 522 (Connection timed out). Azure Firewall shows the "allow" rules being triggered at the time the client makes the request; however, nothing is logged at APIM showing an incoming request (App Insights). There's no activity recorded in the VNet Flow Logs on the spoke VNet (where APIM is deployed).

Can someone please share their experience with a similar setup? What areas should I investigate, and what troubleshooting steps would you suggest?

Thanks

Taranjeet Singh


2 answers

  1. Ievgen Zasid 150 Reputation points
    2025-08-11T19:45:37.2466667+00:00

    Hello @Taranjeet Malik ,

    Based on the information provided above, I'd check the following

    1. If you route to the APIM FQDN rather than an IP address, check that there is a DNS resolver configured for the APIM FQDN.
    2. Ensure CloudFlare is routed to the APIM public FQDN/IP address. The "publicNetworkAccess": "Enabled" configuration should be enabled on the APIM side.
    3. Ensure the APIM VNet is peered with the Hub VNet.
    4. Check whether the APIM subnet NSG allows ingress traffic from the CloudFlare IP CIDR.
    5. If you have any custom UDRs, ensure symmetric routing is configured.

    Please mark my comment as accepted answer if that helps you or let me know if you have any additional questions/concerns.


  2. Anurag Rohikar 600 Reputation points Microsoft External Staff Moderator
    2025-08-25T12:18:06.8866667+00:00

    Hello Taranjeet Malik, thanks for reaching out on Microsoft Q&A, and we really appreciate your patience while we looked into this.

    Thanks for the detailed description of your setup; that helps a lot.

    Ievgen Zasid is correct on checking DNS resolution, NSG/UDR, and symmetric routing. Those are always the first things to validate in VNet-integrated APIM deployments, so credit where due.

    Now, adding on top of that:

    1. APIM internal mode traffic limitation

    In Internal VNet mode, the APIM data plane is only reachable through its private IP within the VNet (or peered VNets) or over private connectivity options such as ExpressRoute, VPN Gateway, or Application Gateway with private link.

    So yes, what the Microsoft engineer said matches the documented behavior: APIM will not respond to requests where the source appears as a public IP (like Cloudflare's ranges) unless that traffic is properly routed into the private IP space of the VNet.

    2. Why traffic doesn't show up in APIM/App Insights

    The fact that you see Azure Firewall “allow” logs but no hits at APIM or in VNet Flow Logs on the APIM subnet strongly suggests asymmetric routing or that the traffic never actually resolves to APIM’s private IP. Since Cloudflare rewrites the source to its public ranges, APIM likely drops this traffic because it doesn’t match an internal/private source reachable over the VNet.

    3. Cloudflare with APIM internal mode — supported options

    If you want to continue with Cloudflare as the frontend, you’ll typically need one of these approaches:

    • Place an Application Gateway (with WAF) or Azure Front Door Premium (with Private Link to APIM) between Cloudflare and APIM. These can terminate TLS at the edge and forward to APIM’s private IP.
    • Alternatively, if ExpressRoute is used, ensure Cloudflare can forward to APIM’s private IP address (not the control plane public IP). This usually requires a Cloudflare-to-Azure setup that supports private routing, which isn’t the default SaaS proxying model.

    4. Tier differences (Developer/Consumption vs. v2 tiers)

    There’s no tier where an Internal mode APIM suddenly starts accepting traffic from public IP sources. The behavior is consistent across v1/v2 SKUs. The difference between “classic” and “v2” tiers is mainly in networking architecture (availability zones, scaling, migration path), not this fundamental routing rule.

    References:

    Hope this helps clarify the behavior and next steps. Please let us know if you need further guidance. Thank you!


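Added example (editor's code, not from the original poster or either answerer): item 5 in the first answer and the asymmetric-routing point in the second can be checked mechanically against the effective routes of the APIM subnet and the hub firewall subnet. The script below emulates Azure's effective-route selection (longest prefix wins; on a tie a user-defined route beats a BGP-learned route, which beats a system route) and walks APIM's reply back towards a client whose source IP sits in a Cloudflare range, as in the question's traffic flow. Every address, CIDR and route table here is constructed for the example: the Cloudflare prefix is a stand-in for the published list at https://www.cloudflare.com/ips-v4, and the firewall and APIM IPs are hypothetical. The three scenarios show two ways the reply can leave the private path (no UDR in the spoke; a UDR to the firewall but no route for the client prefix back over ExpressRoute) and the one configuration in which the reply retraces the inbound hops.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Azure picks the longest matching prefix; when prefix lengths tie, the route
# source decides: user-defined (UDR) beats BGP-learned beats system default.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # destination CIDR
    next_hop_type: str   # VirtualAppliance | VirtualNetworkGateway | Internet | VnetLocal | VNetPeering
    source: str          # User (UDR) | VirtualNetworkGateway (BGP-learned) | Default (system)
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance


def select_route(routes, dest):
    """Emulate the effective-route choice for a single destination IP."""
    d = ip_address(dest)
    matches = [r for r in routes if d in ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ip_network(r.prefix, strict=False).prefixlen,
                                       -SOURCE_RANK[r.source]))


# Constructed sample addresses (hypothetical; replace with your own values).
CLOUDFLARE_CLIENT = "104.16.1.10"   # inside a Cloudflare-style prefix, see cloudflare.com/ips-v4
FIREWALL_IP = "10.0.1.4"            # Azure Firewall private IP in the hub VNet
APIM_IP = "10.1.2.5"                # APIM internal-mode private IP in the spoke VNet

# Spoke (APIM) subnet with system routes only: a reply to a public IP exits via Internet.
SPOKE_DEFAULT = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("10.0.0.0/16", "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
# Same subnet with a UDR that forces all non-local traffic through the hub firewall.
SPOKE_WITH_UDR = SPOKE_DEFAULT + [Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP)]

# Hub firewall subnet. Without a BGP-learned route covering the client prefix,
# the firewall hands the reply to the Internet instead of the ExpressRoute gateway.
HUB_NO_BGP = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("10.1.0.0/16", "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
HUB_WITH_BGP = HUB_NO_BGP + [Route("104.16.0.0/13", "VirtualNetworkGateway", "VirtualNetworkGateway")]


def reply_path(spoke_routes, hub_routes, client_ip=CLOUDFLARE_CLIENT):
    """Walk APIM's reply back towards the client, hop by hop.

    The request arrived ExpressRoute gateway -> Azure Firewall -> APIM, so a
    symmetric reply must take exactly those hops in reverse order."""
    hops = []
    first = select_route(spoke_routes, client_ip)
    hops.append(("spoke", first.next_hop_type, first.next_hop_ip))
    if first.next_hop_type != "VirtualAppliance" or first.next_hop_ip != FIREWALL_IP:
        return {"symmetric": False, "hops": hops,
                "reason": "spoke sends the reply straight to the Internet, bypassing the firewall"}
    second = select_route(hub_routes, client_ip)
    hops.append(("hub-firewall", second.next_hop_type, second.next_hop_ip))
    if second.next_hop_type != "VirtualNetworkGateway":
        return {"symmetric": False, "hops": hops,
                "reason": "firewall forwards the reply to the Internet, not back over ExpressRoute"}
    return {"symmetric": True, "hops": hops, "reason": "reply retraces the inbound path"}


if __name__ == "__main__":
    scenarios = [
        ("no UDR, no BGP route", SPOKE_DEFAULT, HUB_NO_BGP),
        ("UDR to firewall, no BGP route", SPOKE_WITH_UDR, HUB_NO_BGP),
        ("UDR to firewall + BGP route", SPOKE_WITH_UDR, HUB_WITH_BGP),
    ]
    for label, spoke, hub in scenarios:
        result = reply_path(spoke, hub)
        print(f"{label}: symmetric={result['symmetric']} ({result['reason']}) hops={result['hops']}")
```

To run this against a real environment, replace the constructed tables with the effective routes Azure reports, for example from `az network nic show-effective-route-table` on a NIC in the APIM subnet (a small test VM works) and on the firewall's subnet in the hub. The second hop is the one that is easy to overlook: even with a correct UDR in the spoke, the hub only returns the reply over ExpressRoute if a route for the client's public prefix is learned from the gateway; otherwise the firewall sends it to the Internet and Cloudflare never sees an answer on the connection it opened.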