
Logic App unable to call a backend service API with private endpoint (PEC), error: “BadRequest Http request failed as there is an error: The SSL connection could not be established.”

Background:

We have an Azure Logic App that calls an Azure Language Service API. When both allow public access, it works fine. But when we set up a Private Endpoint Connection (PEC) for enterprise network isolation, we hit a lot of errors; here are our workarounds.

Symptom:

BadRequest Http request failed as there is an error: The SSL connection could not be established.

The screencap below shows that the certificate's Subject Alternative Name only contains "*.cognitiveservices.azure.com" and does not contain "*.privatelink.cognitiveservices.azure.com"; thus the TLS handshake fails with a certificate error.

Solution:

We set up DNS conditional forwarding on our internal DNS server so that the public name "*.cognitiveservices.azure.com" resolves to the private IP "10.xx.xx.xx".

This way the DNS name matches the certificate, the IP belongs to the PEC, and public access to the Language Service is still blocked.
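To confirm that the conditional forwarder is doing its job, it helps to check two things separately: does the name resolve to a private IP, and does the certificate's SAN cover the name the Logic App connects to. The script below is an added illustration, not part of the original post; the resource name, SAN list and IP addresses in it are constructed placeholders.

```python
import ipaddress
import socket
import ssl

# Constructed sample values (not from the post): a hypothetical Language
# resource name and the SAN entries its public certificate would carry.
PUBLIC_HOST = "mylang.cognitiveservices.azure.com"
PRIVATELINK_HOST = "mylang.privatelink.cognitiveservices.azure.com"
SAN_ON_CERT = ["*.cognitiveservices.azure.com"]


def san_matches(hostname, san_entries):
    """Wildcard matching as TLS clients do it: '*' covers exactly one leftmost label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for entry in san_entries:
        labels = entry.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # '*.cognitiveservices.azure.com' cannot cover an extra 'privatelink' label
        if labels == host_labels or (labels[0] == "*" and labels[1:] == host_labels[1:]):
            return True
    return False


def diagnose(hostname, resolved_ip, san_entries):
    """Classify the combination of DNS answer and certificate SAN for a given name."""
    if not san_matches(hostname, san_entries):
        return "san-mismatch"      # the handshake error from the post
    if ipaddress.ip_address(resolved_ip).is_private:
        return "ok-private"        # public name, private IP: the conditional-forwarding setup
    return "public-path"           # cert is fine but traffic bypasses the private endpoint


def fetch_san(hostname, port=443):
    """Live check (needs network): SAN DNS names the server actually presents.

    Chain verification stays on; only hostname checking is disabled so the
    certificate is still returned when the SAN does not cover `hostname`.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for host in (PUBLIC_HOST, PRIVATELINK_HOST):
        ip = socket.gethostbyname(host)
        print(host, ip, diagnose(host, ip, fetch_san(host)))
```

Run it from inside the VNet (or a box using the internal DNS server): the public name should report `ok-private`, while the privatelink name reports `san-mismatch` regardless of DNS.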

Further follow up:

If your company does not have a private DNS server or the practice of setting up conditional forwarding, the root cause remains that Microsoft should have included "*.privatelink.cognitiveservices.azure.com" in the certificate's SAN list so that the PEC setup is supported natively. We have reported this to the MS product team, but are not sure how long a fix will take.