Event grid Domain to Webhook endpoint connection

Question

Event grid Domain to Webhook endpoint connection

Pratima Patil 50

I want a Subscriber Webhook endpoint to access the events from my Event grid domain. This subscriber url is in a private network Vnet A (MIP-vnet). I have created a private endpoint for my Event grid domain in Vnet B (DBcore-vnet). Vnet A & Vnet B are peered. Also I have created virtual network link for communication of event grid domain within both the vnets via a private ip.
Below are my settings on event grid domain side-

User's image

With this setup, will I be able to make my event grid domain accessible for the subscriber webhook url? Please let me know if I am missing anything, or have done anything incorrect.

Accepted answer

0 additional answers

Your answer

Answer 1

Luis Arias 8,591

Hello Pratima Patil,

Your setup is almost there, but there’s one important catch. While your Event Grid Domain has a private endpoint in Vnet B (DBcore-vnet) for secure inbound communication, outbound communication (like delivering events to your webhook in Vnet A) works a bit differently. Event Grid always sends events outbound using public endpoints, even if the domain itself is accessed via private networking. This means your current setup won’t let the Event Grid Domain directly communicate with the private webhook in Vnet A.

Basically, for everything to work right, your private webhook endpoint needs to be reachable by Event Grid's public IPs. There are a few different ways you can set that up.

If your endpoint is open to the public, just setting up IP allowlisting for Event Grid's IP range is the easiest way to go.
You could use Azure API Management to create a secure connection between Event Grid and your private webhook. (This is not the best solution in terms of cost.)
Another way is to create an Azure Function or Logic App inside your private network that gets the events and passes them on to your webhook. (This is not the best solution in term of effort but It works if you need to keep the traffic in your internal network)

In short, with your current setup, the Event Grid Domain won’t fully be able to reach the private webhook, since outbound traffic doesn’t use private networking. You’ll need one of the above workarounds to get this.

References:

If the information helped address your question, please Accept the answer.

Luis

Pratima Patil 50 Reputation points

2025-03-31T11:44:27.5733333+00:00

Thank you for your response @Luis Arias
I checked all the three ways you provided. In my case, the subscriber webhook url is in a private network and behind some firewall rules, hence event grid domain cannot access it. Also the team cannot whitelist the range of public ip's of egd. So cannot use the first option.

Now, we already are using apim in our environment. So I think, that would be the right option and I just have to add the webhook handler. (Not sure how to set this up). Also APIM is in another vnet. Do you have any reference for this setup?

Note: APIM in Vnet-C, Webhook in Vnet-A.
Luis Arias 8,591 Reputation points

2025-04-01T07:35:09.94+00:00

Hi again Pratima, Yes I think you can utilize APIM in Vnet-C as a connector to route Event Grid requests to a webhook in Vnet-A. However you have to ensure there is APIM vnet Injected , the connectivity between Vnets via peering is configured and the NSG rules have to allow the 443 HTTPs communication.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Regards,

Luis
Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-03T14:26:35.45+00:00

Hi @Pratima Patil,

Just checking in to see if the below answer provided by @Luis Arias helped.
Ranashekar Guda 1,275 Reputation points Microsoft External Staff

2025-04-04T14:39:33.2466667+00:00

Hi @Pratima Patil,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.
Pratima Patil 50 Reputation points

2025-04-09T15:57:00.7366667+00:00

Thank you for the help. As event grid cannot route outbound traffic through private network, I went with an approach where eventgrid reaches webhook endpoint through apim vnet. It is costly no doubt but thats only if you are implementing apim for this only reason.

I have apim setup within my organization so just had to add an api.

Vnet peering done between apim vnet and webhook server vnet.

Assuming webhook is hosted on vm thats accessed through public ip, i have additionally requested to whitelist the apim range on server.

waiting for it to be whitelisted.

will confirm soon.

Meanwhile please confirm if I am on a right track.

Share via

Event grid Domain to Webhook endpoint connection

0 additional answers

Your answer