KQL snippet: correlating a private App Service with Application Gateway

A short query to tell apart WAF, gateway, private DNS, access restrictions and App Service logs during a private-access incident.

June 12, 2026 | Tags: kql, azure, app-service, private-endpoint, dns, waf, logs, monitoring, runbook

Use this query after sending a correlated curl from the consumer network (the query looks for the correlation ID in the User-Agent on the App Service side). It shows whether the request is still blocked at the Application Gateway/WAF level or actually reaches App Service.

kusto app-service-private-correlation.kql
let Window = 2h;
let Host = "app.internal.example.com";
let Path = "/health";
let CorrelationId = "ops-20260612080000";
// Application Gateway side: access log and WAF firewall log
let Gateway =
    AzureDiagnostics
    | where TimeGenerated > ago(Window)
    | where Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
    // transactionId_g is a GUID column, so compare it as a string
    | where host_s has Host or requestUri_s has Path or tostring(transactionId_g) == CorrelationId
    // status is cast to int so it merges with ScStatus in the union below
    | project TimeGenerated, Source=Category, host=host_s, uri=requestUri_s,
        status=toint(coalesce(httpStatus_d, status_d)), ruleId=ruleId_s, action=action_s,
        transactionId=tostring(transactionId_g);
// App Service side: the correlation ID is searched for in the User-Agent
let AppService =
    AppServiceHTTPLogs
    | where TimeGenerated > ago(Window)
    | where CsHost has Host or CsUriStem has Path or CsUserAgent has CorrelationId
    // here "action" carries the HTTP method and "transactionId" the searched correlation ID
    | project TimeGenerated, Source="AppServiceHTTPLogs", host=CsHost, uri=CsUriStem,
        status=toint(ScStatus), ruleId="", action=CsMethod, transactionId=CorrelationId;
Gateway
| union AppService
| order by TimeGenerated desc

Quick read: gateway logs without App Service logs point to WAF, backend health, private DNS, TLS or access restrictions; App Service logs with a 500 point to code or a dependency; no rows at all point to DNS, routing or the wrong test point.
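
The quick read above can be computed rather than read by eye. The query below is an added example, not part of the original snippet: it runs on constructed sample rows in the shape of the correlation query's output, and its verdict texts, the `"Blocked"` test on the WAF action, the widening from 500 to any 5xx and the `000000` rule ID are assumptions made for illustration.

```kusto
// Constructed sample rows (not real logs), same columns as the correlation query output.
let Rows = datatable(TimeGenerated:datetime, Source:string, status:int, ruleId:string, action:string)
[
    datetime(2026-06-12 08:00:01), "ApplicationGatewayFirewallLog", int(null), "000000", "Blocked",
    datetime(2026-06-12 08:00:01), "ApplicationGatewayAccessLog",   403,       "",       ""
];
Rows
// One summary row, even when Rows is empty (all counters are then 0).
| summarize
    GatewayRows   = countif(Source startswith "ApplicationGateway"),
    WafBlocks     = countif(Source == "ApplicationGatewayFirewallLog" and action == "Blocked"),
    BlockingRules = make_set_if(ruleId, Source == "ApplicationGatewayFirewallLog" and action == "Blocked"),
    AppRows       = countif(Source == "AppServiceHTTPLogs"),
    // The page says 500; this widens the test to any 5xx (assumption).
    App5xx        = countif(Source == "AppServiceHTTPLogs" and status >= 500),
    LastSeen      = max(TimeGenerated)
// Branch order follows the quick read: nothing logged, gateway only, then App Service reached.
| extend Verdict = case(
    GatewayRows == 0 and AppRows == 0,
        "No rows: check DNS, routing, or whether the test ran from the right place",
    AppRows == 0 and WafBlocks > 0,
        "Gateway only, WAF blocked: review the rule IDs in BlockingRules",
    AppRows == 0,
        "Gateway only: check backend health, private DNS, TLS, access restrictions",
    App5xx > 0,
        "Reached App Service with 5xx: check code or a dependency",
    "Reached App Service without 5xx")
| project LastSeen, GatewayRows, WafBlocks, BlockingRules, AppRows, App5xx, Verdict
```

On live data, replace `Rows` with the union of the gateway and App Service projections, keeping `status` cast to `int` on both sides so the column stays a single one.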