(403) Traffic is not from an approved private endpoint.

Question

(403) Traffic is not from an approved private endpoint.

Dimitrios Bardis 0

I have an Azure Function App on Flex Consumption (Linux, Python) that is VNet-integrated and uses managed identity to call Azure AI Document Intelligence.

Document Intelligence is configured with:

Public network access disabled
Custom subdomain enabled
Private endpoint in the same VNet
Private DNS zone privatelink.cognitiveservices.azure.com linked to the VNet

The Function App:

Is integrated with subnet rag-vnet / snet-functions
Uses managed identity successfully
Can start processing blobs normally

But when it calls Document Intelligence with the normal custom-subdomain endpoint, the SDK fails with:

azure.core.exceptions.HttpResponseError: (403) Traffic is not from an approved private endpoint.

This worked before. Any ideas? I have checked the dns zones, verified "approved", they are linked to right vnet, etc.. I would like to log in to function runtime to do nslookup on the pe of doc intelligence but i do not know how to login.

Dimitrios Bardis 0 Reputation points

2026-04-22T16:37:37.37+00:00

there is no Tools->Kudu or Tools->Console.

2 answers

Your answer

Dimitrios Bardis 0 Reputation points

2026-04-22T16:37:37.37+00:00

there is no Tools->Kudu or Tools->Console.

Answer 1

Siddhesh Desai 6,555 Microsoft External Staff Moderator

Hi @Dimitrios Bardis

Thank you for reaching out to Microsoft Q&A.

In Azure Functions Flex Consumption (Linux), the portal experience is different from Premium or Dedicated plans. Kudu / Advanced Tools and the in‑portal Console are not available for Flex Consumption apps. This is by design, not a misconfiguration.

That 403 from Document Intelligence (“Traffic is not from an approved private endpoint”) almost always means your Function App is still talking to the public endpoint instead of your private endpoint. Even though you’ve got a privatelink DNS zone linked and a PE in the VNet, a couple of gotchas tend to sneak in when you’re using a custom subdomain:

DNS for your custom subdomain isn’t resolving to the PE’s private IP

Your Function isn’t routing ALL outbound (including DNS) traffic into the VNet

Here’s what you can try:

Verify DNS resolution

• Spin up a quick VM (or enable SSH on your Flex container – see below) in the same VNet/subnet and run:

nslookup <your-custom-endpoint>.cognitiveservices.azure.com

• You should see the private IP of your PE. If you still get a public IP, DNS isn’t mapping correctly.

Fix your Private DNS zone for the custom domain

Because you enabled a custom subdomain, Azure doesn’t automatically populate that in the standard

privatelink.cognitiveservices.azure.com zone. You need to:

Create (or extend) a Private DNS zone that matches your custom slice – for example:

• If your endpoint is contoso-ai.document-intel.azure.com, you might need a

privatelink.document-intel.azure.com zone

In that zone, add either:

• A CNAME from contoso-ai.document-intel.azure.com → contoso-ai.privatelink.cognitiveservices.azure.com

• Or an A record pointing directly at your PE’s private IP

Link the DNS zone to your VNet.

Force all outbound + DNS traffic into the VNet

In a Flex Consumption plan you need to ensure your app actually sends DNS queries into the VNet:

App Setting WEBSITE_VNET_ROUTE_ALL = 1

If you have a custom DNS server configured on the VNet, also set

WEBSITE_DNS_SERVER = 168.63.129.16

WEBSITE_DNS_SERVER = 168.63.129.16 (Azure’s DNS) so your app picks up the private DNS zones

Enable an SSH console in your Function to validate

On Linux Flex you don’t get Kudu/Console – instead:

Add App Setting

WEBSITE_SSH_ENABLED = true

In the Azure portal, go to your Function > Development Tools > SSH and you’ll land in a shell where you can run nslookup or curl

Once your custom-domain name actually resolves to the private IP and all traffic is VNet-routed, the SDK call will flow over the PE and that 403 will disappear.

Dimitrios Bardis 0 Reputation points

2026-04-23T16:04:50.6966667+00:00

thank you for the good insights! However i do not see anywhere **Function > Development Tools > SSH
**
Dimitrios Bardis 0 Reputation points

2026-04-23T16:45:44.8966667+00:00

also @Siddesh desai I tried to log the ip of the doc intelligence endpoint in the logs in my functions app runtime and i can see that the ip is correct.

Document Intelligence DNS resolution for 'ragdocintsvc.cognitiveservices.azure.com': [{'ip': '10.50.0.68', 'is_private': True}]

this is my conf

i still get 403
Dimitrios Bardis 0 Reputation points

2026-04-23T17:18:05.1166667+00:00

@Siddesh desai
my doc intelligence network setup is this

should it work with "disabled"? i guess it should because i use private endpoint or?
Siddhesh Desai 6,555 Reputation points Microsoft External Staff Moderator

2026-04-23T17:19:56.1833333+00:00

@Dimitrios Bardis

Try using the selected network and select your private endpoint and check?
Dimitrios Bardis 0 Reputation points

2026-04-23T17:28:22.8366667+00:00

@Siddhesh Desai It will probably work if i do so but that is not the security solution i need :) It should work by keeping this private and allow access only via private endpoints otherwise what is the meaning of having "Disabled" if we always have to select "Selected Networks and Private Endpoints" to require private endpointS?

For Document Intelligence with a private endpoint, that is already the private-endpoint-only posture. Disabled means the public endpoint is off. Access is then allowed only through approved private endpoint connections. That is already stricter than Selected Networks and Private Endpoints. If I switch it to Selected Networks and Private Endpoints, I am not telling Azure “only this private endpoint.” I am turning the public endpoint back on and then restricting that public path with network ACLs such as subnet rules or IP rules. That is a different model.
Dimitrios Bardis 0 Reputation points

2026-04-23T20:30:43.95+00:00

@Siddhesh Desai i tried to cancel my subscription and created new one and deployed but i still got the same problem !
Dimitrios Bardis 0 Reputation points

2026-04-24T06:21:34+00:00

i tried "Try using the selected network and select your private endpoint and check" and i still got the same error
Dimitrios Bardis 0 Reputation points

2026-04-24T08:51:55.43+00:00
I now noticed this: My Azure Function App (Flex Consumption) is VNet‑integrated and configured to call Azure Document Intelligence through a Private Endpoint. DNS resolution inside the Function App resolves the endpoint to the private IP correctly, and a curl test from the Function App container returns HTTP 200. However, the actual outbound call from the function runtime is sent from a public outbound IP, not from the VNet‑integrated subnet. Document Intelligence therefore rejects the request with:

Code

403: Traffic is not from an approved private endpoint

Evidence:

DNS resolution inside the Function App → 10.x.x.x (correct)

curl from the Function App → 200 OK (private endpoint works)

Actual outbound IP during the failing SDK call → 74.241.138.252 (public)

Document Intelligence rejects the call because it arrives via the public endpoint

Conclusion: Flex Consumption is starting function workers that are **not VNet‑integrated

How do i fix thios?**
Siddhesh Desai 6,555 Reputation points Microsoft External Staff Moderator

2026-05-01T06:39:32.4633333+00:00

Hi @Dimitrios Bardis Can you refer this Blog and re-check your steps: https://cloudtips.nl/azure-functions-flex-consumption-plan-f374a6e6dd14

Answer 2

The 403 error indicates that calls are still reaching the public endpoint instead of the private endpoint, even though the private endpoint is approved. This is a DNS/routing issue between the Function App and the Document Intelligence private endpoint.

To troubleshoot and fix:

Verify DNS resolution from the Function App
- Open the Function App in Azure portal.
- Go to Tools → Kudu or Tools → Console.
- In the console, use nameresolver.exe to see where the custom subdomain resolves:
```
     nameresolver.exe <your-custom-subdomain>.cognitiveservices.azure.com
```
- If DNS resolves to a public IP instead of the private endpoint IP, the private DNS configuration is not being used by the Function App.
Ensure DNS is configured to resolve to the private endpoint
- For services using Private Endpoint, DNS lookups must resolve to the private IP of the endpoint.
- Make sure one of the following is true for the Function App’s VNet:
  1. The VNet uses Azure DNS and is linked to the private DNS zone privatelink.cognitiveservices.azure.com.
  2. If using a custom DNS server, that DNS server forwards queries for privatelink.cognitiveservices.azure.com to Azure DNS (168.63.129.16) or hosts the appropriate A records.
- If DNS still resolves to a public IP, verify:
  - The private DNS zone exists.
  - The zone is linked to the same VNet used by the Function App integration.
  - The private endpoint has a DNS zone group configured so A records are created automatically.
Confirm the Function App is correctly VNet-integrated
- The Function App must be integrated with the VNet/subnet that has access to the private endpoint and its DNS zone.
- For Flex Consumption / Dedicated / Premium plans, VNet integration is supported; ensure the integration is active and not misconfigured.
Test TCP connectivity to the private endpoint
- From the same console, use tcpping to verify network access:
```
     tcpping.exe <your-custom-subdomain>.cognitiveservices.azure.com 443
```
- Successful tcpping plus correct DNS (private IP) confirms that traffic is going over the private endpoint.
If DNS resolves correctly but 403 persists
- Re-check that public network access is disabled on the Document Intelligence resource and that the private endpoint is in Approved state.
- If both Function App and Document Intelligence Studio show timeouts or 403s even with correct DNS and private endpoint, check Azure Status/Service Health and consider testing a Document Intelligence resource in another region to rule out a regional service issue.

These steps let the Function runtime “nslookup” equivalent via nameresolver.exe and confirm that the Function App is actually using the private endpoint rather than the public endpoint.

References:

Share via

(403) Traffic is not from an approved private endpoint.

2 answers

Your answer