Azure APIM unable to access Application Insights

Sumit Gaur 475 Reputation points
2026-07-01T19:11:26.7166667+00:00

Hi,

We have provisioned an Azure API Management (APIM) instance in Internal VNet mode and configured Application Insights for API diagnostics and logging.

However, we are experiencing an issue where no telemetry is being sent from APIM to Application Insights. In the Network section of the APIM portal, we see the following warning/error (pls refer screenshot)

Our APIM VNet is configured to use an Azure Private DNS Resolver as the custom DNS server, which resolves both Azure and our organization's internal DNS queries.

To troubleshoot the issue, we have already:

Verified that the Application Insights resource and its associated Log Analytics workspace have public internet ingestion enabled.

  • Added an outbound NSG rule to allow UDP port 53 traffic from the APIM subnet.

Confirmed that APIM is configured to use the Azure Private DNS Resolver as its DNS server.

Despite these changes, the warning remains in the APIM Network diagnostics, and we still do not see any telemetry being ingested into Application Insights.

Could you please advise on any additional troubleshooting steps or configuration checks we should perform? Specifically, we would appreciate guidance on:

Whether any additional DNS, NSG, UDR, or Azure Firewall configuration is required for APIM when using Azure Private DNS Resolver.

Which Azure endpoints should be validated to ensure they are resolvable and reachable from APIM for Application Insights ingestion.

Whether there are any known limitations or additional configuration requirements for APIM running in Internal VNet mode with a custom DNS server.

Please let us know if you require any additional information, such as our network topology, routing configuration, NSG rules, or diagnostic logs.

User's image

User's image

Azure API Management
Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


1 answer

Sort by: Most helpful
  1. AI answer

    2026-07-01T19:12:03.5+00:00

    The screenshots show that APIM can’t resolve dc.services.visualstudio.com, which is required for Application Insights connectivity. This is a DNS/network issue between the APIM subnet and the DNS infrastructure (Azure Private DNS Resolver and any upstream resolvers), not an Application Insights configuration issue.

    Based on the provided context, focus on DNS resolution and outbound connectivity from the APIM subnet:

    1. Verify DNS resolution from the APIM VNet
      From a VM in the same subnet/VNet as APIM (or another host that uses the same Azure Private DNS Resolver):
      • Run nslookup dc.services.visualstudio.com and confirm:
        • It returns an IP address (public IP, since this is a public endpoint).
        • There is no NXDOMAIN, timeout, or unreachable DNS server error.
      • If nslookup fails or times out, validate that:
        • The APIM subnet can reach the Azure Private DNS Resolver over UDP/TCP 53 (NSG, NVA, Azure Firewall).
        • Any custom DNS forwarders used by the resolver can reach public DNS to resolve *.visualstudio.com.
    2. Check that DNS isn’t misdirected by Private Link or private zones
      The Application Insights troubleshooting guidance notes that multiple Azure Monitor Private Link configurations can overwrite DNS and cause ingestion endpoints to resolve to the wrong private IP.
      • Review private DNS zones (for example, privatelink.*) and ensure there is no A record or CNAME for dc.services.visualstudio.com or *.visualstudio.com that points to an incorrect private IP.
      • If such a record exists, remove or correct it so that dc.services.visualstudio.com resolves to the intended public endpoint.
    3. Confirm outbound network connectivity from APIM to the ingestion endpoint
      Even if DNS resolves correctly, NSGs, UDRs, or Azure Firewall can block outbound traffic:
      • NSG on APIM subnet/NIC:
        • Ensure outbound rules allow HTTPS (TCP 443) to the resolved IP for dc.services.visualstudio.com.
      • UDR:
        • Verify that any user-defined routes send internet-bound traffic either to an NVA/Azure Firewall that allows the traffic, or directly to the internet as intended.
      • Azure Firewall / NVA:
        • Confirm rules allow outbound HTTPS to dc.services.visualstudio.com.
    4. Validate Application Insights ingestion path as per telemetry troubleshooting
      The Application Insights pipeline can drop telemetry when:
      • The SDK/agent cannot reach the ingestion endpoint due to DNS or network blocks.
      • The ingestion endpoint requires TLS 1.2 while the client uses older TLS.
      For APIM:
      • Once DNS and outbound HTTPS are confirmed, Application Insights telemetry should reach the ingestion endpoint.
      • If telemetry is still missing, follow the Application Insights guidance:
        • Use PowerShell or curl from a VM in the same VNet/subnet to send test telemetry to the ingestion endpoint and confirm it is accepted.
        • If PowerShell/curl tests fail, re-check DNS resolution and firewall/NSG rules as above.
    5. Endpoints to validate from APIM VNet
      From the context and the APIM diagnostics screenshot, validate at least:
      • dc.services.visualstudio.com (for Application Insights).
      • Any Application Insights ingestion endpoint used by the APIM instance (resolved via DNS when sending telemetry).
      • General Azure control-plane endpoints (already shown as healthy in your screenshot, such as Azure Active Directory and Blob storage).
    6. APIM in internal VNet mode with custom DNS
      From the context on DNS and private endpoints:
      • All hostnames required by APIM (including Application Insights endpoints) must be resolvable from all VNets and on-premises networks that require access.
      • When using custom DNS (Azure Private DNS Resolver), ensure:
        • The resolver has correct forwarders for public DNS.
        • Private DNS zones are correctly linked to the VNet and don’t override unrelated public endpoints.
        • NSG/UDR/Azure Firewall rules allow DNS and HTTPS traffic as described above.

    Once nslookup dc.services.visualstudio.com from the APIM VNet returns a valid public IP and outbound HTTPS to that IP is allowed, the APIM network diagnostics should clear the DNS error and Application Insights telemetry should start flowing.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.