Naxaya articles

Naxaya articles https://naxaya.com Technical articles, implementation notes, and reusable snippets published on Naxaya. en Azure Functions: diagnose a private HTTP endpoint before changing code https://naxaya.com/articles/azure-functions-private-http-trigger-diagnostic-runbook/ https://naxaya.com/articles/azure-functions-private-http-trigger-diagnostic-runbook/ Thu, 11 Jun 2026 00:00:00 GMT Build an operational runbook for private Azure Functions failures by separating DNS, Private Endpoint, access restrictions, private storage, Application Insights logs and rollback evidence. Cloud KQL snippet: correlate an Azure Functions private HTTP endpoint https://naxaya.com/articles/snippet-kql-azure-functions-private-http-trigger/ https://naxaya.com/articles/snippet-kql-azure-functions-private-http-trigger/ Thu, 11 Jun 2026 00:00:00 GMT A short query to separate DNS, private access, Functions runtime and application exceptions during a private HTTP incident. Snippets Azure AKS: diagnose private ingress before changing deployments https://naxaya.com/articles/azure-aks-private-ingress-diagnostic-runbook/ https://naxaya.com/articles/azure-aks-private-ingress-diagnostic-runbook/ Wed, 10 Jun 2026 00:00:00 GMT Build an operational runbook for AKS private ingress failures by separating DNS, Application Gateway, ingress controller, Kubernetes service endpoints, pod readiness and rollback evidence. Cloud KQL snippet: correlate AKS private ingress and application logs https://naxaya.com/articles/snippet-kql-aks-private-ingress-nginx/ https://naxaya.com/articles/snippet-kql-aks-private-ingress-nginx/ Wed, 10 Jun 2026 00:00:00 GMT A short query to read ingress controller and application logs together when a private AKS route returns 502, timeouts or no endpoints. Snippets Azure Container Apps: diagnose private ingress before changing revisions https://naxaya.com/articles/azure-container-apps-private-ingress-diagnostic-runbook/ https://naxaya.com/articles/azure-container-apps-private-ingress-diagnostic-runbook/ Tue, 09 Jun 2026 00:00:00 GMT Build an operational runbook for Azure Container Apps private ingress failures by separating DNS, ingress mode, revision routing, application logs and rollback evidence. Cloud KQL snippet: diagnose Container Apps private ingress and revisions https://naxaya.com/articles/snippet-kql-container-apps-private-ingress-revisions/ https://naxaya.com/articles/snippet-kql-container-apps-private-ingress-revisions/ Tue, 09 Jun 2026 00:00:00 GMT A short query to correlate Azure Container Apps system and console logs when private ingress, probes or revision traffic fail. Snippets Azure internal APIM: diagnose a private API before changing policies https://naxaya.com/articles/azure-internal-apim-private-api-diagnostic-runbook/ https://naxaya.com/articles/azure-internal-apim-private-api-diagnostic-runbook/ Mon, 08 Jun 2026 00:00:00 GMT Qualify a failure across Application Gateway, WAF, internal APIM and a private backend by separating DNS, routing, policy, identity and logs before any fix. Cloud KQL snippet: correlate WAF and APIM on an Azure private API https://naxaya.com/articles/snippet-kql-correlate-waf-apim-private-api/ https://naxaya.com/articles/snippet-kql-correlate-waf-apim-private-api/ Mon, 08 Jun 2026 00:00:00 GMT A short query to see whether a private API request is blocked by Application Gateway WAF, received by APIM or missing from the expected path. Snippets Azure managed identity: diagnose private access before changing permissions https://naxaya.com/articles/azure-managed-identity-private-access-runbook-key-vault/ https://naxaya.com/articles/azure-managed-identity-private-access-runbook-key-vault/ Sun, 07 Jun 2026 00:00:00 GMT Build a runbook for Key Vault, Storage or private API access failures with managed identity, RBAC, private DNS, logs and real execution evidence. Infrastructure KQL snippet: diagnose Key Vault denial with managed identity https://naxaya.com/articles/snippet-kql-managed-identity-key-vault-denied-access/ https://naxaya.com/articles/snippet-kql-managed-identity-key-vault-denied-access/ Sun, 07 Jun 2026 00:00:00 GMT A short query to separate identity denial, network path and source address when an Azure workload can no longer access Key Vault. Snippets Azure: make private paths verifiable with synthetic probes https://naxaya.com/articles/azure-private-path-synthetic-probes-dns-tls-waf/ https://naxaya.com/articles/azure-private-path-synthetic-probes-dns-tls-waf/ Sat, 06 Jun 2026 00:00:00 GMT Build useful synthetic probes for DNS, TLS, Application Gateway, WAF and Private Endpoint so private Azure paths fail with evidence before production incidents. Cloud KQL snippet: track synthetic probes for an Azure private path https://naxaya.com/articles/snippet-kql-azure-private-path-synthetic-probes/ https://naxaya.com/articles/snippet-kql-azure-private-path-synthetic-probes/ Sat, 06 Jun 2026 00:00:00 GMT A short query to track synthetic probe failures and separate DNS, TLS, WAF or Application Gateway symptoms on an Azure private path. Snippets Azure WAF: frame an emergency custom rule without losing evidence https://naxaya.com/articles/azure-waf-emergency-custom-rule-evidence-rollback/ https://naxaya.com/articles/azure-waf-emergency-custom-rule-evidence-rollback/ Fri, 05 Jun 2026 00:00:00 GMT Apply a temporary Azure WAF custom rule with priority, KQL evidence, business validation and rollback, without permanently hiding managed-rule signals. Cloud Azure snippet: audit WAF custom rule priorities https://naxaya.com/articles/snippet-azure-waf-audit-custom-rule-priorities/ https://naxaya.com/articles/snippet-azure-waf-audit-custom-rule-priorities/ Fri, 05 Jun 2026 00:00:00 GMT A short command to list custom rules in an Azure WAF policy with priority, action and type before an urgent change. Snippets Service identity and secret rotation: a production runbook, not an isolated task https://naxaya.com/articles/service-identity-secret-rotation-production-runbook/ https://naxaya.com/articles/service-identity-secret-rotation-production-runbook/ Thu, 04 Jun 2026 00:00:00 GMT Build operable rotation for secrets, certificates, and application identities with dependency inventory, evidence, change windows, monitoring, and rollback. Infrastructure KQL snippet: detect authentication errors after secret rotation https://naxaya.com/articles/snippet-kql-auth-errors-after-secret-rotation/ https://naxaya.com/articles/snippet-kql-auth-errors-after-secret-rotation/ Thu, 04 Jun 2026 00:00:00 GMT A short query to watch 401, 403, and 500 errors after rotating an application secret or service identity. Snippets Azure Private Endpoint: detect Terraform, DNS, and network drift before incident https://naxaya.com/articles/azure-private-endpoint-drift-terraform-dns-validation/ https://naxaya.com/articles/azure-private-endpoint-drift-terraform-dns-validation/ Wed, 03 Jun 2026 00:00:00 GMT Build an operational drift reading across Terraform, Private Endpoint, private DNS, CI runners, and validation evidence before a private Azure path breaks in production. Cloud Azure snippet: detect Private Endpoint DNS drift https://naxaya.com/articles/snippet-azure-private-endpoint-drift-dns/ https://naxaya.com/articles/snippet-azure-private-endpoint-drift-dns/ Wed, 03 Jun 2026 00:00:00 GMT A short check to compare the expected DNS chain, returned private address, and test path from a workload or CI runner. Snippets Azure Functions with private Storage: keep runtime, deployment, and diagnostics under control https://naxaya.com/articles/azure-functions-private-storage-runtime-deployment-diagnostics/ https://naxaya.com/articles/azure-functions-private-storage-runtime-deployment-diagnostics/ Tue, 02 Jun 2026 00:00:00 GMT An operational approach to securing the Azure Functions Storage account with Private Endpoint without breaking runtime behavior, deployments, DNS resolution, triggers, and operational checks. Cloud Monitoring: turn an alert into an actionable operations runbook https://naxaya.com/articles/monitoring-actionable-alert-runbook/ https://naxaya.com/articles/monitoring-actionable-alert-runbook/ Tue, 02 Jun 2026 00:00:00 GMT Build useful alerts by connecting signal, diagnosis, scope, decision and rollback path instead of accumulating noisy notifications. Infrastructure Azure snippet: check Private Endpoint DNS resolution https://naxaya.com/articles/snippet-azure-private-endpoint-dns-check/ https://naxaya.com/articles/snippet-azure-private-endpoint-dns-check/ Tue, 02 Jun 2026 00:00:00 GMT A short sequence to confirm that an Azure service exposed through Private Endpoint resolves to a private address from the right network. Snippets KQL snippet: list Azure WAF blocked URIs quickly https://naxaya.com/articles/snippet-kql-waf-top-blocked-uris/ https://naxaya.com/articles/snippet-kql-waf-top-blocked-uris/ Tue, 02 Jun 2026 00:00:00 GMT A short KQL query to identify the most blocked URIs by Azure Web Application Firewall on Application Gateway. Snippets Terraform snippet: diagnose a stuck state lock before force-unlock https://naxaya.com/articles/snippet-terraform-state-lock-diagnostic/ https://naxaya.com/articles/snippet-terraform-state-lock-diagnostic/ Tue, 02 Jun 2026 00:00:00 GMT A short procedure to qualify a stuck Terraform lock, confirm that no apply is still active, and restart with a clean plan. Snippets Terraform Azure: secure a private state backend without breaking CI https://naxaya.com/articles/terraform-azure-private-state-backend-ci/ https://naxaya.com/articles/terraform-azure-private-state-backend-ci/ Mon, 01 Jun 2026 00:00:00 GMT Design an Azure Terraform backend based on a private Storage Account with CI identity, controlled network access, locking, separate bootstrap, and a diagnostic runbook when init or plan fails. Automation Private Azure Key Vault: diagnose DNS, managed identity, and network access without mixing everything https://naxaya.com/articles/azure-private-key-vault-diagnostics-dns-managed-identity-network-access/ https://naxaya.com/articles/azure-private-key-vault-diagnostics-dns-managed-identity-network-access/ Sun, 31 May 2026 00:00:00 GMT An operational method to analyze access failures to Azure Key Vault behind Private Endpoint by separating DNS resolution, network path, managed identity, RBAC, and application configuration. Cloud Azure Key Vault in a private network: organize secret rotation without blind spots https://naxaya.com/articles/azure-key-vault-private-network-secret-rotation-without-blind-spots/ https://naxaya.com/articles/azure-key-vault-private-network-secret-rotation-without-blind-spots/ Sat, 30 May 2026 00:00:00 GMT A concrete method to operate Azure Key Vault with private endpoint, private DNS, managed identities, secret rotation, and application-side validation controls. Cloud Azure WAF: qualify a false positive before creating an exclusion https://naxaya.com/articles/azure-waf-qualify-false-positive-before-exclusion/ https://naxaya.com/articles/azure-waf-qualify-false-positive-before-exclusion/ Fri, 29 May 2026 00:00:00 GMT A practical method to analyze an Azure WAF block, isolate the rule involved, compare application evidence, and decide between a fix, a targeted exclusion, or a custom rule. Cloud Azure WAF: when to use custom rules before managed OWASP rules https://naxaya.com/articles/azure-waf-custom-rules-before-managed-owasp-rules/ https://naxaya.com/articles/azure-waf-custom-rules-before-managed-owasp-rules/ Thu, 28 May 2026 00:00:00 GMT Know when to add an Azure WAF custom rule to block or allow precise traffic before managed OWASP/CRS rules, without hiding useful security signals. Cloud Azure WAF: add an OWASP/CRS exclusion without weakening all protection https://naxaya.com/articles/azure-waf-add-targeted-owasp-crs-exclusion/ https://naxaya.com/articles/azure-waf-add-targeted-owasp-crs-exclusion/ Wed, 27 May 2026 00:00:00 GMT Move from a qualified WAF block to a targeted OWASP/CRS exclusion in an Azure Application Gateway policy, with scope, variable, rule, validation and rollback. Cloud WAF and KQL: identify a false positive before creating an exclusion https://naxaya.com/articles/waf-kql-identify-false-positive-before-exclusion/ https://naxaya.com/articles/waf-kql-identify-false-positive-before-exclusion/ Tue, 26 May 2026 00:00:00 GMT A KQL analysis method to qualify an Azure WAF block, distinguish attack, noise and application false positive, then document the decision before any exclusion. Cloud