How can a Logic App workflow be configured to use private DNS resolution with Azure Bicep?

Ammar Asim 20 Reputation points
2025-02-19T12:49:40.9666667+00:00

I have been assigned to utilize a private endpoint within a virtual network through an Azure Logic App deployed in the same network. I successfully deployed the workflow and integrated it with the virtual network using the following:

resource logicAppVnetIntegration 'Microsoft.Web/sites/networkConfig@2024-04-01' = {
  parent: logicApp
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, logicAppSubnetName)
    swiftSupported: true
  }
}

Additionally, I have configured the following Logic App settings:

appSettings: [
  {
    name: 'WORKFLOWS_MANAGED_IDENTITY'
    value: 'SystemAssigned'
  }
  {
    name: 'WEBSITE_VNET_ROUTE_ALL'
    value: '1'
  }
  {
    name: 'WEBSITE_DNS_SERVER'
    value: '168.63.129.16'
  }
]

However, when I send a request to the private endpoint, I receive the following error:

{
  "error": {
    "code": "403",
    "message": "Public access is disabled. Please configure private endpoint."
  }
}

Here is the visualization of my bicep code:
User's image

After debugging, I suspect that the issue is due to the Logic App failing to resolve the private endpoint. If anyone has encountered a similar issue, I would appreciate any guidance. Bicep templates would be especially helpful.

Azure Logic Apps

1 answer

  1. Madugula Jahnavi 10 Reputation points Microsoft External Staff
    2025-03-03T11:55:15.09+00:00

    Hello Ammar Asim,

    When integrating a logic app with a private endpoint in a virtual network, you need to create a DNS zone configuration attached to it, to enable the logic app to route through that specific private endpoint.

    To do that in Bicep, add the code below to your main Bicep configuration. It creates a DNS zone and also links the created DNS zone to a virtual network (MSDoc).

    // Names of the existing Logic App, virtual network and integration subnet
    param logicApp string = 'vnetlogicapp'
    param vnetName string = 'windowsnew-vnet'
    param logicAppSubnet string = 'vnetsub'
    // Name of the private DNS zone to create
    param dnsZoneName string = 'mydnsnew.com'

    // References to resources that already exist in the resource group
    resource logic 'Microsoft.Web/sites@2024-04-01' existing = {
      name: logicApp
    }
    resource existvnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
      name: vnetName
    }
    resource subnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
      parent: existvnet
      name: logicAppSubnet
    }

    // Regional VNet integration of the Logic App with the subnet
    resource logicAppVnetIntegration 'Microsoft.Web/sites/networkConfig@2024-04-01' = {
      parent: logic
      name: 'virtualNetwork'
      properties: {
        subnetResourceId: subnet.id
        swiftSupported: true
      }
    }

    // Private DNS zone
    resource dnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
      name: dnsZoneName
      location: 'global'
    }

    // Link the private DNS zone to the virtual network
    resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
      parent: dnsZone
      location: 'global'
      name: '${vnetName}-dnslink'
      properties: {
        registrationEnabled: false
        virtualNetwork: {
          id: existvnet.id
        }
      }
    }
    

    Deployment succeeded:

    bicepimage

    vnetimage

    You can also refer to this blog by Fabrizio for more relevant information on integration.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
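
The following is an added example, not code from the question, the answer, or a Microsoft template. It shows one way to make the service hostname resolve to the endpoint's private IP from the integrated VNet: create the private-link DNS zone documented for the target service, link it to the VNet, and bind the existing private endpoint to it with a DNS zone group. The parameter names, the resource names `default` and `config`, and the assumption that the private endpoint already exists in the same resource group are illustrative.

```bicep
// Added example: all names below are assumptions, not values from the thread.
@description('Existing VNet that the Logic App is integrated with')
param vnetName string

@description('Existing private endpoint deployed in that VNet')
param privateEndpointName string

@description('Private-link DNS zone name documented for the target service')
param privateLinkZoneName string

resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
  name: vnetName
}

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' existing = {
  name: privateEndpointName
}

// Zone that answers for the service's privatelink.* name inside the VNet.
resource privateLinkZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
  name: privateLinkZoneName
  location: 'global'
}

// Link the zone to the VNet so that Azure DNS (168.63.129.16), which the
// Logic App queries via WEBSITE_DNS_SERVER, answers from it.
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
  parent: privateLinkZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// Bind the endpoint to the zone; Azure then maintains the A record that
// maps the service hostname to the endpoint's private IP.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'config', properties: { privateDnsZoneId: privateLinkZone.id } }
    ]
  }
}
```

After deployment, resolving the service hostname from the Logic App's console should return an address from the private endpoint's subnet rather than a public IP.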

