APIM Incident Report

SCUBA MCPBurndown2 campaign flagged unauthenticated MCP endpoint on APIM's ServiceTree ID. Security compliance finding, not a service health issue.

DRI assessed: "These are customer endpoints, no action APIM can take." Needs AIM.Assess tagging per MCP TSG. ● MEDIUM recurrence — more burndown alerts expected.

Misrouted to APIM. Belongs to Azure API Center (ServiceId 574680a6). Two endpoints are the intentionally-public mcp.azure.com registry. Others belong to ACA/App Service.

Tagged AIM.Exception:Public for registry endpoints. Requesting re-routing of non-API-Center endpoints to respective owners. ● LOW recurrence

Developer Portal user registration returning "User registration is not supported" after platform change. Multiple customers across regions affected. New support cases still being linked daily (latest May 6: apim-ynv-ai-lz-uat). Customers requesting rollbacks.

Marked mitigated (workaround documented), but new cases still arriving. RCA requested by multiple support engineers. Some customers need explicit service rollback.

● HIGH — Still accumulating. Root fix unclear. Highest customer impact this week.

20+ unique support cases. Multiple regions. Auto-escalated to Sev1. RCA timeline being demanded by CSS.

VNET-injected SKUv1 services lose intermediate SSL certs during OS reimage. Outbound TCP port 80 blocked in NSG prevents AIA cert download. Gateway serves incomplete chain → 502s from AFD/AppGW. Reboots use cached certs (fine); reimages need fresh download (breaks).

Customer fix: open outbound TCP 80 + Apply Network Settings. Transferred to Platform for permanent fix. ● HIGH recurrence — will continue with each reimage cycle for affected NSG configs.

GatewayV2 + HTTP.SYS breaks MAPI endpoint. URL prefix registration excludes control plane hostnames by design (ControlPlaneForwarderFilter.cs line 50–54), and management hosting failed to bind them. Code gap confirmed with HIGH confidence (5 independent evidence blocks).

GatewayV2 rolled back for all impacted via ACIS feature flag. Fix in ProxyHostSettingsBuilder.ProcessSpecialCases shipping in next release. ● LOW recurrence — rollout halted.

Transient external connectivity issues cause 5–7 users to see ServiceBlade load failures, barely exceeding 5-user threshold. Backend healthy. 95% of 5xx from test service apim-gfs-api-tst-centralus. DRI confirmed via Grafana: external connectivity, not regression.

● Fires ~weekly (noise)
All 4 recent occurrences = transient/false alarm. Raise threshold from 5 users or add sustained-failure criteria to stop Sev2 noise.

Azure SQL ConflictingServerOperation — concurrent DB creation from internal RnR test services. All failures are devPortalRnr-*/rpRnr-*. Zero customer services affected. Self-recovered (transient).

● ~1/week across regions
Always internal-only. Filter RnR services from SLA calculation or lower severity for internal-only failures.

HealthMonitorCheckApiServicesHealth SKUv1 track stalls on SF partition. Gradual decline (2000/hr → 0) suggests resource exhaustion from prior spike. SKUv2 track unaffected. Exact mechanism undiagnosable (need SF partition metrics not in Kusto).

Mitigated via Geneva Action "Control Health Monitoring on Platform" (stop+start). ● Weekly in EUAP
Needs: SF partition telemetry + auto-restart logic. Root cause still undiagnosed.

App Service P1v3 capacity exhaustion in MWH2 datacenter. HTTP 409: "No available instances." Rate dropped to 56.25%. Failures started May 1 but alert only fired May 5 (5-day gap).

App Service (Splinter Twin) team increased capacity. 91% failures were internal pool replenishment. Only 4 customer services affected. Alerting gap needs repair item.

GatewayV2 race condition in ContinueWith callback for incomplete payload transfer. Bug 25298069. Fix exists in PR #15280162 but not yet rolled out to AOAI services.

Rolled back to Gateway V1 for affected services. Code fix pending deployment to AOAI fleet.