I have a Azure App Service making SSH and I need to see my logs of the public calls going out and global front door is also in the front. Any advise will help

Peter Wilcox 21

I have a Azure App Service making SSH and I need to see my logs of the public calls going out and global front door is also in the front. Any advise will help.

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-08-28T06:26:07.17+00:00
@Peter Wilcox

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to check logs of your App Service via Azure Front Door.

You have to make note of two important things here:

Azure Front Door only provides load balancing and global availability for HTTP and HTTPS requests

Not for SSH connections

Outgoing traffic from Origin (your case - App Service), will not go through the AFD

So, no logging for outgoing requests can be provided by AFD.

You must check them directly from the App service

The logs available in AFD are as follows,

FrontDoorAccessLog

Information about every incoming request is logged into the access log

FrontDoorHealthProbeLog and

Azure Front Door logs every failed health probe request. These logs can help you to diagnose problems with an origin. The logs provide you with information that you can use to investigate the failure reason and then bring the origin back to a healthy status.

FrontDoorWebApplicationFirewallLog

The Azure Front Door WAF provides detailed reporting on each request and each threat that it detects

Metrics available are as follows : https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-monitor-metrics

How to Enable Logs? https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs

Log Schema: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics?pivot=front-door-standard-premium&pivots=front-door-standard-premium#health-probe-log

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-08-29T05:17:17.6466667+00:00

@Peter Wilcox

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Peter Wilcox 21 Reputation points

2023-08-29T10:44:06.9933333+00:00

Thank you for this and I appreciate it. My troubles are understanding and tracking the public IP that is assigned via vnet, nat gateway and NSG. When I look at the logs on the app service I just see the docker ip's. How can I verify in the logs that the assigned Azure public ip is the only one that is being routed out to Azure?
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-08-30T06:29:24.84+00:00
@Peter Wilcox

I was under the impression that you are using an App Service that is not integrated into Azure VNET.

Can you confirm if you are using a VNET Integrated App Service?

If so, Can you confirm if this integrated subnet contains a NAT Gateway?

Also, since you have used "Azure Front Door" tag only, I shall try my best to provide information on the behavior and logs available for App Service

Cheers,

Kapil.
Peter Wilcox 21 Reputation points

2023-08-31T00:50:08.0766667+00:00
Yes

Yes
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-01T08:08:56.2733333+00:00
@Peter Wilcox

I can see Azure NAT Gateway supports App service integrated subnets.

https://learn.microsoft.com/en-us/azure/app-service/networking/nat-gateway-integration

However, NAT gateway does not have any logs of it's own.

Please note that the efficient way to log Azure Virtual Network traffic is by leevraging NSG Flow logs.

This is how we can capture traffic between and outside Virtual machines

Unfortunately, this feature does not support App Service integrated subnets as of now

Incompatible services - NSG Flow Logs

App services deployed under an Azure App Service plan don't support NSG flow logs

and I believe the behavior is same even if NAT gateway is associated to the subnet where App Service is integrated.

My recommendation is to leverage tools and monitoring from Azure App Service end for logging instead of VNET logging or AFD.

I would suggest you to use the tag "Azure App Service" and post your requirement once more, so that the community members with expertise over App Service can assist you in this regard.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-05T06:32:32.29+00:00

@Peter Wilcox

I have summarized our discussion and posted it as an answer.

Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

And, if you have any further query do let us know.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-06T09:06:52.83+00:00

@Peter Wilcox

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-07T13:34:06.72+00:00

@Peter Wilcox

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-05T06:31:01.8766667+00:00
@Peter Wilcox

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to check logs of your App Service via Azure Front Door.

You have to make note of two important things here:

Azure Front Door only provides load balancing and global availability for HTTP and HTTPS requests

Not for SSH connections

Outgoing traffic from Origin (your case - App Service), will not go through the AFD

So, no logging for outgoing requests can be provided by AFD.
- You must check them directly from the App service

You informed us that the App Service is

VNET Integrated

and the subnet contains a NAT Gateway.

And if there are any logging available at the VNET Level.

Unfortunately, NAT gateway does not have any logs of it's own.

The efficient way to log Azure Virtual Network traffic is by leveraging NSG Flow logs.

This is how we can capture traffic between and outside Virtual machines

As of now, this feature does not support App Service integrated subnets as of now

Incompatible services - NSG Flow Logs

App services deployed under an Azure App Service plan don't support NSG flow logs

and I believe the behavior is same even if NAT gateway is associated to the subnet where App Service is integrated.

My recommendation is to leverage tools and monitoring from Azure App Service end for logging instead of VNET logging or AFD.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Peter Wilcox 21 Reputation points

2023-09-07T14:46:17.9066667+00:00

Kapil,

Thank for this do you know of area inside of Azure that I can vote for this functionality.

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-09-11T10:22:35.37+00:00

@Peter Wilcox

Sure, you can use Azure feedback hub : https://feedback.azure.com/

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Share via

I have a Azure App Service making SSH and I need to see my logs of the public calls going out and global front door is also in the front. Any advise will help

1 answer