Our ERP system sends order update webhooks to an Azure Event Grid custom topic, but events are failing to deliver. The ERP system shows successful POST attempts, but Event Grid diagnostics show no incoming events. After investigation, we suspect the corporate Azure Firewall is blocking the traffic.
ERP webhook config:
POST https://erp-events.eastus-1.eventgrid.azure.net/api/events
Content-Type: application/json
aeg-sas-key: [token]
Firewall logs show outbound HTTPS traffic from the ERP subnet being denied. We’ve tried adding Event Grid service tags to allowed destinations, but webhook delivery still fails. Order updates are delayed by 10-15 minutes until the ERP retry mechanism kicks in through an alternate path. Has anyone successfully configured Azure Firewall to allow Event Grid webhook traffic from on-premises systems?
I’ve implemented similar integrations and found that using private endpoints for Event Grid topics is far more reliable than managing firewall rules. If your ERP system is connected via ExpressRoute or VPN, you can access Event Grid through private link without traversing the firewall at all. It also eliminates the SSL inspection issue entirely.
Check your rule collection priority order - deny rules in higher priority collections will override allow rules in lower priority collections. Use Azure Firewall’s diagnostic settings to enable detailed flow logs, then filter for your Event Grid FQDN. This will show you exactly which rule is matching. Also verify that your ERP source IP range is correctly defined in the allow rule.
Service tags alone won’t work if your Event Grid topic uses a custom domain. You need explicit FQDN rules in your firewall application rules. Try adding *.eventgrid.azure.net to your allowed application rules with HTTPS protocol. Also check if your firewall is doing SSL inspection - that can break the Event Grid SAS token authentication.
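Added example, not code from any poster in this thread: a simplified Python model of Azure Firewall application-rule evaluation (collections processed in ascending priority number, first match wins, no match falls through to deny) that reproduces the situation the two answers above describe, where a broad deny collection shadows the *.eventgrid.azure.net allow rule until the allow collection is given a lower priority number. The ERP subnet, source IP, and collection names and priorities are constructed values; only the topic FQDN comes from the question.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assumption: a simplified model of Azure Firewall application-rule processing,
# not Azure's implementation. Collections are walked in ascending priority
# number, the first matching rule decides, and no match means Deny.

@dataclass
class AppRule:
    name: str
    source_addresses: list   # CIDRs that the rule applies to
    target_fqdns: list       # may contain wildcards such as *.eventgrid.azure.net
    protocols: dict          # e.g. {"Https": 443}

    def matches(self, src_ip, fqdn, proto, port):
        ip = ipaddress.ip_address(src_ip)
        src_ok = any(ip in ipaddress.ip_network(c, strict=False) for c in self.source_addresses)
        fqdn_ok = any(fnmatchcase(fqdn.lower(), pat.lower()) for pat in self.target_fqdns)
        return src_ok and fqdn_ok and self.protocols.get(proto) == port

@dataclass
class RuleCollection:
    name: str
    priority: int            # lower number = evaluated earlier
    action: str              # "Allow" or "Deny"
    rules: list = field(default_factory=list)

def evaluate(collections, src_ip, fqdn, proto="Https", port=443):
    """Return (action, collection, rule) for the first matching rule."""
    for coll in sorted(collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if rule.matches(src_ip, fqdn, proto, port):
                return coll.action, coll.name, rule.name
    return "Deny", None, None   # default action when nothing matches

ERP_SUBNET = "10.20.0.0/16"                              # constructed sample value
TOPIC_FQDN = "erp-events.eastus-1.eventgrid.azure.net"   # topic from the question

def build_collections(allow_priority):
    deny_all = RuleCollection("deny-unapproved-egress", 100, "Deny", [
        AppRule("deny-web", [ERP_SUBNET], ["*"], {"Http": 80, "Https": 443})])
    allow_eg = RuleCollection("allow-eventgrid", allow_priority, "Allow", [
        AppRule("eventgrid-https", [ERP_SUBNET], ["*.eventgrid.azure.net"], {"Https": 443})])
    return [deny_all, allow_eg]

def check(allow_priority, src_ip="10.20.4.15", proto="Https", port=443):
    return evaluate(build_collections(allow_priority), src_ip, TOPIC_FQDN, proto, port)

if __name__ == "__main__":
    print("allow collection at priority 200:", check(200))  # shadowed by the deny collection
    print("allow collection at priority 50: ", check(50))   # now evaluated first, Allow
```

The first call shows the symptom from the question (the deny collection matches before the allow collection is ever reached); the second shows the reprioritised configuration that the flow-log check in the answer above would confirm.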