KQL snippet: correlate private App Service and Application Gateway

A short query to separate WAF, gateway, private DNS, access restrictions and App Service logs during a private access incident.

12 Jun 2026. Tags: kql, azure, app-service, private-endpoint, dns, waf, logs, monitoring, runbook

Use this query after a correlated curl from the consumer network. It shows whether the request remains blocked at Application Gateway/WAF or actually reaches App Service.

kusto app-service-private-correlation.kql
// Set these to match the test request sent from the consumer network.
let Window = 2h;
let Host = "app.internal.example.com";
let Path = "/health";
let CorrelationId = "ops-20260612080000";
// Application Gateway access and WAF firewall logs.
let Gateway =
    AzureDiagnostics
    | where TimeGenerated > ago(Window)
    | where Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
    | where host_s has Host or requestUri_s has Path or transactionId_g == CorrelationId
    // toint() keeps status the same type in both branches, so the union yields a single status column.
    | project TimeGenerated, Source=Category, host=host_s, uri=requestUri_s, status=toint(coalesce(httpStatus_d, status_d)), ruleId=ruleId_s, action=action_s, transactionId=tostring(transactionId_g);
// Requests that actually reached App Service.
let AppService =
    AppServiceHTTPLogs
    | where TimeGenerated > ago(Window)
    | where CsHost has Host or CsUriStem has Path or CsUserAgent has CorrelationId
    // For these rows, action carries the HTTP method and transactionId the correlation ID.
    | project TimeGenerated, Source="AppServiceHTTPLogs", host=CsHost, uri=CsUriStem, status=toint(ScStatus), ruleId="", action=CsMethod, transactionId=CorrelationId;
Gateway
| union AppService
| order by TimeGenerated desc

Quick read: gateway logs without App Service logs point to WAF, backend health, private DNS, TLS or access restrictions; App Service logs with a 500 point to code or a dependency; no rows at all point to DNS, routing or the wrong test location.
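The correlated curl that the query expects, as an added example that is not part of the original page. It assumes the correlation ID is sent as the User-Agent, because the query filters on `CsUserAgent has CorrelationId`; the function names and the `ops-<UTC timestamp>` ID builder are hypothetical helpers.

```bash
#!/usr/bin/env bash
# Added example: companion probe for the KQL query above (not from the original page).
# Assumption: the correlation ID travels in the User-Agent header, because the
# query matches App Service rows with `CsUserAgent has CorrelationId`.

# Build an ID shaped like the page's "ops-20260612080000" (UTC, to line up with
# TimeGenerated). A timestamp may be passed as $1; otherwise the current time is used.
make_correlation_id() {
  printf 'ops-%s\n' "${1:-$(date -u +%Y%m%d%H%M%S)}"
}

# Split "https://host/path" into host and path without external tools.
url_host() { local rest="${1#*://}"; printf '%s\n' "${rest%%/*}"; }
url_path() {
  local rest="${1#*://}"
  case "$rest" in
    */*) printf '/%s\n' "${rest#*/}" ;;
    *)   printf '/\n' ;;
  esac
}

# Print the three `let` lines to paste at the top of the query.
kql_lets() {  # usage: kql_lets <url> <correlation-id>
  printf 'let Host = "%s";\n' "$(url_host "$1")"
  printf 'let Path = "%s";\n' "$(url_path "$1")"
  printf 'let CorrelationId = "%s";\n' "$2"
}

# Send one request from the consumer network. remote_ip shows which address
# the name resolved to, which helps when the query returns no rows.
correlated_curl() {  # usage: correlated_curl <url> <correlation-id>
  curl -sS -o /dev/null --max-time 10 -A "$2" \
       -w 'http_code=%{http_code} remote_ip=%{remote_ip}\n' "$1"
}

# Runs only when a URL is given, e.g. ./probe.sh https://app.internal.example.com/health
case "${1:-}" in
  http://*|https://*)
    id="$(make_correlation_id)"
    correlated_curl "$1" "$id" || echo "curl failed (exit $?): no HTTP response" >&2
    kql_lets "$1" "$id" ;;
esac
```

Run it from the same consumer network as the failing client, then paste the printed `let` lines over the ones at the top of the query.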