App insights dependency tracking caused http 403 forbidden error when an app service connects to storage account, need a fix to re-enable tracking

Question

App insights dependency tracking caused http 403 forbidden error when an app service connects to storage account, need a fix to re-enable tracking

http 403 forbidden Exception was thrown in our application, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation

error was:
2020-08-26T07:17:22 PID[2360] Error 5108 07:17:22 ERROR exception from InitializeContainerThe remote server returned an error: (403) Forbidden.2020-08-26T07:17:22 PID[2360] Information 5108 07:17:22 INFO Candidate Profile Name /61dd00a4-5da5-4dfc-8b92-a69ef036a7a6.docx||Prod_emailbackup (1).docx?26/08/2020 07:17:222020-08-26T07:17:22 PID[2360] Error 5108 07:17:22 ERROR UploadFileToAzure exception: The remote server returned an error: (403) Forbidden.

This error came when a file was being uploaded to the container through the app.

Solution:
we commented this line out at wwwroot/applicationinsights.config in our app service

<!--<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"/>-->

Issue is documented here: https://github.com/Azure/azure-sdk-for-net/issues/3460

Can anyone please help in how to enable App insights dependency tracking without causing a http 403 forbidden error when connecting between an app service and storage account

If we enable the tracking again by enabling the line, we will end up in http 403 again.

Ok i'm thinking of using this fix: changes in wwwroot/applicationinsights.config in our app service

Replacing

<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
</TelemetryModules>

with

<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
    <ExcludeComponentCorrelationHttpHeadersOnDomains>
    <Add>core.windows.net</Add>
    </ExcludeComponentCorrelationHttpHeadersOnDomains>
</Add>
</TelemetryModules>

This is to ensure any connection to core.windows.net (i.e storage account) will not have any additional headers added.

will this work ?

I mean all the dependencies will show up in application map right? or because of this the storage account will no longer show in application map.

Thanks in advance.

Answer 1

I think we can chalk this to closure. applicationinsights.config (or xml) will come into picture when in Visual Studio we create a project, and VS has the Application Insights SDK installed. This is probably fixed in the latest version, so ensure to have the latest SDK installed. Read more here: https://learn.microsoft.com/en-us/azure/azure-monitor/app/configuration-with-applicationinsights-config . We should ignore this file when publishing content to an app service in Azure. When i tried creating a new app in azure and enable application insights on it, it doesn't seem to create such a "applicationinsights.config". The instrumentation settings in the app service configuration is enough to have application insights activated on the app service. IF in case this applicationinsights.config is definitely needed on the app service, then we have to make sure of the below config: (this ensures no additional headers such as x-ms-request-root-id, x-ms-request-id and Request-Id are added to requests going out of the appservice)

<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
<Add>core.chinacloudapi.cn</Add>
<Add>core.cloudapi.de</Add>
<Add>core.usgovcloudapi.net</Add>
<Add>localhost</Add>
<Add>127.0.0.1</Add>
</ExcludeComponentCorrelationHttpHeadersOnDomains>
</Add>
</TelemetryModules>