Snippets

KQL snippet: correlate an Azure Functions private HTTP endpoint

A short query to separate DNS, private access, Functions runtime and application exceptions during a private HTTP incident.

11 Jun 2026 kqlazurefunctionsprivate-endpointdnslogsmonitoringrunbookidentity

Use this query after a correlated curl from the consumer network. It shows whether the request reaches Azure Functions, whether the runtime reports storage or listener issues, or whether the failure is already in code or a dependency.

kusto azure-functions-private-http-correlation.kql

let Window = 2h;
let Host = "api.internal.example.com";
let CorrelationId = "ops-20260611080000";
let Req =
requests
| where timestamp > ago(Window)
| where url has Host or tostring(customDimensions["x-correlation-id"]) == CorrelationId
| project timestamp, Source="request", name, resultCode, success, operation_Id, url, cloud_RoleName;
let Tr =
traces
| where timestamp > ago(Window)
| where message has_any (Host, CorrelationId, "Host lock", "storage", "listener", "Starting", "Stopping", "Function")
| project timestamp, Source="trace", message, severityLevel, operation_Id, cloud_RoleName;
let Ex =
exceptions
| where timestamp > ago(Window)
| project timestamp, Source="exception", message=outerMessage, severityLevel, operation_Id, cloud_RoleName;
Req
| union Tr, Ex
| order by timestamp desc

Quick read: no request after the test points to DNS, Private Endpoint, APIM, Application Gateway or access restrictions; a 403 or 503 request points to platform and configuration; a correlated exception points to code, identity or a downstream dependency.