Snippets

KQL snippet: correlate AKS private ingress and application logs

A short query to read ingress controller and application logs together when a private AKS route returns 502, timeouts or no endpoints.

10 Jun 2026 kqlazureakskubernetesprivate-endpointdnslogsmonitoringrunbookrollback

Use this query when a private AKS route returns 502, timeouts, empty responses or intermittent failures after an ingress, service or deployment change. It keeps ingress controller messages and application logs in the same timeline so the incident lead can see whether traffic reaches the cluster and then the pods.

kusto aks-private-ingress-controller-app-correlation.kql

let Window = 2h;
let Namespace = "prod";
let Host = "api.internal.example.com";
let ControllerLogs =
ContainerLogV2
| where TimeGenerated > ago(Window)
| where KubernetesNamespace has_any ("ingress", "ingress-nginx", "appgw")
| where LogMessage has_any (Host, "upstream", "no endpoints", "502", "timeout", "connect", "service")
| project TimeGenerated,
        Source="ingress-controller",
        PodName,
        KubernetesNamespace,
        LogMessage;
let AppLogs =
ContainerLogV2
| where TimeGenerated > ago(Window)
| where KubernetesNamespace == Namespace
| where LogMessage has_any ("error", "failed", "timeout", "dependency", "ready", "health")
| project TimeGenerated,
        Source="application",
        PodName,
        KubernetesNamespace,
        LogMessage;
ControllerLogs
| union AppLogs
| order by TimeGenerated desc

Quick read: ingress controller errors without application logs point to routing, service or endpoint slices; application errors after controller success point to workload or downstream dependencies; no signal on either side sends the diagnosis back to DNS, Application Gateway, private load balancer or the caller network.