The screenshots show that APIM can’t resolve dc.services.visualstudio.com, which is required for Application Insights connectivity. This is a DNS/network issue between the APIM subnet and the DNS infrastructure (Azure Private DNS Resolver and any upstream resolvers), not an Application Insights configuration issue.
Based on the provided context, focus on DNS resolution and outbound connectivity from the APIM subnet:
- Verify DNS resolution from the APIM VNet
  From a VM in the same subnet/VNet as APIM (or another host that uses the same Azure Private DNS Resolver):
  - Run `nslookup dc.services.visualstudio.com` and confirm:
    - It returns an IP address (public IP, since this is a public endpoint).
    - There is no `NXDOMAIN`, timeout, or unreachable DNS server error.
  - If `nslookup` fails or times out, validate that:
    - The APIM subnet can reach the Azure Private DNS Resolver over UDP/TCP 53 (NSG, NVA, Azure Firewall).
    - Any custom DNS forwarders used by the resolver can reach public DNS to resolve `*.visualstudio.com`.
- Check that DNS isn’t misdirected by Private Link or private zones
  The Application Insights troubleshooting guidance notes that multiple Azure Monitor Private Link configurations can overwrite DNS and cause ingestion endpoints to resolve to the wrong private IP.
  - Review private DNS zones (for example, `privatelink.*`) and ensure there is no A record or CNAME for `dc.services.visualstudio.com` or `*.visualstudio.com` that points to an incorrect private IP.
  - If such a record exists, remove or correct it so that `dc.services.visualstudio.com` resolves to the intended public endpoint.
- Confirm outbound network connectivity from APIM to the ingestion endpoint
  Even if DNS resolves correctly, NSGs, UDRs, or Azure Firewall can block outbound traffic:
  - NSG on APIM subnet/NIC:
    - Ensure outbound rules allow HTTPS (TCP 443) to the resolved IP for `dc.services.visualstudio.com`.
  - UDR:
    - Verify that any user-defined routes send internet-bound traffic either to an NVA/Azure Firewall that allows the traffic, or directly to the internet as intended.
  - Azure Firewall / NVA:
    - Confirm rules allow outbound HTTPS to `dc.services.visualstudio.com`.
- Validate Application Insights ingestion path as per telemetry troubleshooting
  The Application Insights pipeline can drop telemetry when:
  - The SDK/agent cannot reach the ingestion endpoint due to DNS or network blocks.
  - The ingestion endpoint requires TLS 1.2 while the client uses older TLS.
  - Once DNS and outbound HTTPS are confirmed, Application Insights telemetry should reach the ingestion endpoint.
  - If telemetry is still missing, follow the Application Insights guidance:
    - Use PowerShell or `curl` from a VM in the same VNet/subnet to send test telemetry to the ingestion endpoint and confirm it is accepted.
    - If PowerShell/`curl` tests fail, re-check DNS resolution and firewall/NSG rules as above.
- Endpoints to validate from APIM VNet
  From the context and the APIM diagnostics screenshot, validate at least:
  - `dc.services.visualstudio.com` (for Application Insights).
  - Any Application Insights ingestion endpoint used by the APIM instance (resolved via DNS when sending telemetry).
  - General Azure control-plane endpoints (already shown as healthy in your screenshot, such as Azure Active Directory and Blob storage).
- APIM in internal VNet mode with custom DNS
  From the context on DNS and private endpoints:
  - All hostnames required by APIM (including Application Insights endpoints) must be resolvable from all VNets and on-premises networks that require access.
  - When using custom DNS (Azure Private DNS Resolver), ensure:
    - The resolver has correct forwarders for public DNS.
    - Private DNS zones are correctly linked to the VNet and don’t override unrelated public endpoints.
    - NSG/UDR/Azure Firewall rules allow DNS and HTTPS traffic as described above.
Once `nslookup dc.services.visualstudio.com` from the APIM VNet returns a valid public IP and outbound HTTPS to that IP is allowed, the APIM network diagnostics should clear the DNS error and Application Insights telemetry should start flowing.
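
The DNS and outbound HTTPS checks from the answer above, combined into one script to run from a VM in the same VNet/subnet as APIM. This is an added example, not part of the original answer or any Microsoft tooling; the function names are hypothetical, and a `private` or `mixed` DNS verdict is the private-zone override case described in the second step.

```python
import ipaddress
import socket
import ssl

HOST = "dc.services.visualstudio.com"  # endpoint named in the answer


def resolve(host):
    """Return the sorted unique addresses the local resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:  # NXDOMAIN, timeout, unreachable DNS server
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """Label a DNS answer: unresolved, public, private, or mixed."""
    if not addresses:
        return "unresolved"
    kinds = {"public" if ipaddress.ip_address(a).is_global else "private"
             for a in addresses}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def probe_tls12(address, host, timeout=5.0):
    """Connect to address:443 requiring TLS 1.2+; return version or None."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((address, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # blocked by NSG/UDR/firewall, or handshake failure
        return None


def diagnose(host=HOST, resolver=resolve, probe=probe_tls12):
    """Run both checks; resolver and probe are injectable for offline use."""
    addresses = resolver(host)
    verdict = classify(addresses)
    result = {"host": host, "addresses": addresses, "dns": verdict, "tls": {}}
    if verdict != "unresolved":
        result["tls"] = {a: probe(a, host) for a in addresses}
    return result


if __name__ == "__main__":
    print(diagnose())
```

A `None` entry under `tls` for an address that resolved as public points at the NSG, UDR or firewall path rather than DNS.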