Snippets

KQL snippet: isolate Azure SQL private endpoint errors

A short query to separate firewall, authentication, public endpoint and missing connection evidence during a private Azure SQL incident.

14 Jun 2026 azuresqlprivate-endpointdnskqllogsidentityrunbookfirewall

When an application no longer reaches Azure SQL through a Private Endpoint, first check whether SQL actually sees the attempt and which connection error is attached to it.

kusto azure-sql-private-errors.kql

let Window = 2h;
let Server = "sql-prod-orders";
let Database = "orders";
AzureDiagnostics
| where TimeGenerated > ago(Window)
| where ResourceProvider == "MICROSOFT.SQL"
| where Resource has Server or database_name_s == Database
| where action_name_s has_any ("DATABASE AUTHENTICATION", "LOGOUT", "BATCH COMPLETED")
 or error_number_d in (40615, 18456, 18452, 18470)
 or statement_s has_any ("Login failed", "firewall", "denied")
| project TimeGenerated, Resource, database_name_s, action_name_s, error_number_d, succeeded_s, session_server_principal_name_s, client_ip_s, statement_s
| order by TimeGenerated desc

Quick read:

no line for the test: go back to DNS, Private Endpoint, routing or connection string;
40615 or firewall message: check public access, firewall rules and the source SQL actually sees;
18456 or denied principal: check real identity, contained user, Entra ID group and the secret in use.