Failure Atlas

Start from the symptom, not the category.

A diagnostic map for operational situations: 502 errors, private DNS drift, WAF blocks, Terraform locks, automation guardrails and private AI controls.

Cloud (3 notes)

Internal APIM returns an error on a private API

Correlate Application Gateway/WAF and APIM logs, then separate DNS, TLS, policy, identity and private backend reachability before changing policies or opening access.

First checks
  • Check whether WAF blocked the request
  • Confirm APIM received the same path
  • Validate backend DNS and TLS from the APIM path
  • Replay with a correlation ID

Networking (4 notes)

Private Endpoint name still resolves publicly

Confirm the CNAME chain, Private DNS Zone association and hybrid forwarding from the consuming network.

First checks
  • Run nslookup from the workload network
  • Check privatelink CNAME
  • Verify Private DNS Zone links and forwarders

Cloud (4 notes)

A synthetic probe fails on an Azure private path

Separate DNS, TLS, Application Gateway health, WAF blocks and runner network before changing routing or application code.

First checks
  • Resolve the hostname from the probe network
  • Check TLS/SNI with the real hostname
  • Correlate probe run with WAF and gateway logs

Cloud (3 notes)

Azure Container Apps private ingress fails or reaches the wrong revision

Separate private DNS, Application Gateway handoff, Container Apps ingress mode, revision traffic and console logs before rolling back or changing traffic weights.

First checks
  • Resolve the hostname from the caller network
  • Check ingress target port and active revisions
  • Correlate system and console logs

Cloud (3 notes)

AKS private ingress returns 502 or reaches no service endpoints

Separate private DNS, Application Gateway health, ingress controller routing, Kubernetes service selectors, endpoint slices and pod readiness before rolling back a deployment.

First checks
  • Resolve the hostname from the caller network
  • Check Application Gateway backend health and host header
  • Verify ingress, service and endpoint slices
  • Correlate controller and application logs

Cloud (3 notes)

Azure Functions private HTTP endpoint returns 403, 503 or no request logs

Separate private DNS, Private Endpoint reachability, access restrictions, Functions runtime state, private storage and Application Insights evidence before redeploying code or opening public access.

First checks
  • Resolve the hostname from the caller network
  • Replay with a correlation ID
  • Check Function App access restrictions and Private Endpoint status
  • Correlate requests, traces and exceptions

Cloud (5 notes)

Azure WAF blocks a legitimate request

Start from blocked requests, rule ID and URI before deciding between exclusion, custom rule or application fix.

First checks
  • List blocked URIs in KQL
  • Identify ruleId and match field
  • Validate false-positive scope

Infrastructure (4 notes)

A secret rotation or managed identity change breaks an application or pipeline consumer

Separate preparation, cutover, revocation and managed identity diagnostics; validate the real execution identity, private path and authentication errors before deleting the old value or broadening access.

First checks
  • List real consumers
  • Verify the runtime identity and vault read access
  • Check private DNS and source network
  • Watch 401/403/500 or Key Vault denials