This article helps you troubleshoot intermittent connection errors and related latency issues in Azure API Management. Specifically, it provides information and troubleshooting for the exhaustion of source network address translation (SNAT) ports. If you require more help, contact the Azure experts at Azure Community Support or file a support request with Azure Support.

Symptoms

Client applications calling APIs through your API Management (APIM) service may exhibit one or more of the following symptoms:

These symptoms manifest as instances of BackendConnectionFailure in your Azure Monitor resource logs.

This pattern of symptoms often occurs due to source network address translation (SNAT) port limits with your APIM service.

Whenever a client calls one of your APIM APIs, Azure API Management service opens a SNAT port to access your backend API. As discussed in Outbound connections in Azure, Azure uses source network address translation (SNAT) and a Load Balancer (not exposed to customers) to communicate with endpoints outside Azure in the public IP address space, as well as endpoints internal to Azure that aren't using Virtual Network service endpoints. This situation is only applicable to backend APIs exposed on public IPs.

Each instance of API Management service is initially given a pre-allocated number of SNAT ports. That limit affects opening connections to the same host and port combination. SNAT ports are used up when you have repeated calls to the same address and port combination. Once a SNAT port has been released, the port is available for reuse as needed. The Azure Network load balancer reclaims SNAT ports from closed connections only after waiting four minutes.

A rapid succession of client requests to your APIs may exhaust the pre-allocated quota of SNAT ports if these ports are not closed and recycled fast enough, preventing your APIM service from processing client requests in a timely manner.

Mitigations and solutions

Addressing the problem of SNAT port exhaustion first requires diagnosing and optimizing the performance of your backend services.

General strategies for mitigating SNAT port exhaustion are discussed in Troubleshooting outbound connections failures from Azure Load Balancer documentation. Of these strategies, the following are applicable to API Management.

Scale your APIM instance

Each API Management instance is allocated a number of SNAT ports, based on APIM units. You can allocate additional SNAT ports by scaling your API Management instance with additional units. For more info, see Scale your API Management service.

SNAT port usage is currently not available as a metric for autoscaling API Management units.

Use multiple IPs for your backend URLs

Each connection from your APIM instance to the same destination IP and destination port of your backend service will use a SNAT port, in order to maintain a distinct traffic flow. Without different SNAT ports for the return traffic from your backend service, APIM would have no way to separate one response from another.

Because SNAT ports can be reused if the destination IP or destination port are different, another way to avoid SNAT port exhaustion is by using multiple IPs for your backend service URLs.

For more, see Outbound proxy Azure Load Balancer.

Place your APIM and backend service in the same VNet

If your backend API is hosted on an Azure service that supports service endpoints such as App Service, you can avoid SNAT port exhaustion issues by placing your APIM instance and backend service in the same virtual network and exposing it through service endpoints or private endpoints. When you use a common VNet and place service endpoints on the integration subnet, outbound traffic from your APIM instance to those services bypasses the internet, thus avoiding SNAT port restrictions.
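The four-minute reclaim delay and the multiple-backend-IP mitigation described above, as an added example that is not part of the original article: a toy model in which each destination IP and port pair draws on its own SNAT port quota. The quota of 1024, the request rate and the 203.0.113.x addresses are constructed values, not Azure figures.

```python
from collections import defaultdict, deque

RECLAIM_SECONDS = 240  # the article: ports are reclaimed four minutes after close


class SnatPool:
    """Toy model: every (dest IP, dest port) pair has its own quota of SNAT ports."""

    def __init__(self, quota):
        self.quota = quota                   # constructed value, not an Azure figure
        self.open_flows = defaultdict(int)   # ports held by live connections
        self.cooling = defaultdict(deque)    # close times of ports awaiting reclaim

    def open(self, dest, now):
        waiting = self.cooling[dest]
        while waiting and now - waiting[0] >= RECLAIM_SECONDS:
            waiting.popleft()                # four minutes passed: port is reusable
        if self.open_flows[dest] + len(waiting) >= self.quota:
            return False                     # exhausted: the backend connection fails
        self.open_flows[dest] += 1
        return True

    def close(self, dest, now):
        self.open_flows[dest] -= 1
        self.cooling[dest].append(now)


def simulate(quota, backend_ips, rate_per_s, hold_s, duration_s, port=443):
    """Return how many connection attempts fail when every request opens a new
    connection, spread round-robin over backend_ips."""
    pool, failures, attempt = SnatPool(quota), 0, 0
    pending = deque()                        # (close_time, dest), in close order
    for now in range(duration_s):
        while pending and pending[0][0] <= now:
            closed_at, dest = pending.popleft()
            pool.close(dest, closed_at)
        for _ in range(rate_per_s):
            dest = (backend_ips[attempt % len(backend_ips)], port)
            attempt += 1
            if pool.open(dest, now):
                pending.append((now + hold_s, dest))
            else:
                failures += 1
    return failures


if __name__ == "__main__":
    one_ip = ["203.0.113.10"]                                   # constructed addresses
    three_ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    print("1 backend IP :", simulate(1024, one_ip, 10, 1, 300), "failed attempts")
    print("3 backend IPs:", simulate(1024, three_ips, 10, 1, 300), "failed attempts")
```

At 10 new connections per second, a single destination needs about 2,410 ports once the four-minute hold is counted, so the one-IP run fails while the three-IP run stays under the quota.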