Connection Issue of External WAF to an Instance inside Azure Cloud

Question

Connection Issue of External WAF to an Instance inside Azure Cloud

Carl Dela Cruz 0

Hello everyone,

I'm reaching out to request guidance and support regarding an issue we're encountering. We are currently unable to receive syslog traffic from our external WAF to one of our log collectors within our Azure network.

At present, we are not using a native firewall solution and are relying solely on Azure Network Security Groups (NSGs). However, it appears that the WAF is unable to establish a connection to the log collector within the Azure environment.

Given this setup, we would appreciate your recommendations on the most optimized and secure setup for this scenario. From what I understand, in other environments, syslog traffic is often sent first to a cloud-hosted firewall, which then forwards the logs to an internal log collector. Unfortunately, this setup isn't feasible in our current environment.

We would like to ask for your insight on any additional configurations or considerations we might be missing—aside from whitelisting the log source IP to the log collector, which we have already implemented.

Thank you in advance for your assistance.

Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-17T13:00:45.3+00:00

Hi @Carl Dela Cruz

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
Carl Dela Cruz 0 Reputation points

2025-04-21T06:07:49.41+00:00

Hi, Alex and Sai. Thank you for taking the time. just wanted to know if there's anyway for me to see if the VM in my azure is successfully establishing connection to the Syslog Server i wanted to get logs from (which is public WAF)?

In addition, is the azure monitor and sentinel are included to the subscription or is it add-ons?
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-21T14:34:47.4766667+00:00
Hi @Carl Dela Cruz

Actually, the Syslog Source (your external WAF) actively sends log messages, and the Syslog Collector or Server (your Azure VM) listens for and receives these messages. So, your Azure VM doesn't typically establish an outbound connection to the WAF to get logs. Instead, you need to verify if the VM is successfully receiving the incoming syslog traffic from the WAF on the configured port (like UDP 514 or TCP 6514)

Make sure that the syslog service (like rsyslog, syslog-ng) is running: sudo systemctl status rsyslog and check the service's configuration to confirm it's set up to receive remote logs on the correct interface and port or protocol and verify the log files where incoming logs should be written and look for entries originating from the WAF's IP address.

Use netstat or ss to confirm the syslog service is listening on the expected port:

For UDP: sudo netstat -lunp | grep 514 (or your specific port)

For TCP: sudo netstat -ltnp | grep 6514 (or your specific port)

This confirms the service is ready to receive traffic on that port.

Use tcpdump directly on the VM to see if packets are arriving from the WAF's IP on the correct port. Replace (WAF_IP) and (SYSLOG_PORT) accordingly.

sudo tcpdump -i any src host <WAF_IP> and port <SYSLOG_PORT> -n

If you see packets arriving here, it confirms traffic is reaching the VM's network interface.

Use Network Watcher's Packet Capture feature for the VM's network interface. Set filters for the WAF's source IP and the destination syslog port on your VM's private IP. This helps verify if traffic is reaching the NIC at the Azure level, even before the OS firewall or syslog service processes it.

Check NSG Flow Logs again, specifically filtering for allowed traffic from the WAF IP to your VM IP on the syslog port.

If you see traffic arriving using packet capture but logs aren't appearing in your syslog files, the issue likely lies within the VM's OS firewall or the syslog service configuration itself.

Neither Azure Monitor nor Microsoft Sentinel is fully included in a standard Azure subscription for free, although both have some free components. They are primarily considered add-on services with usage-based pricing.

Some basic features like collecting standard platform metrics and Azure Activity Logs are free.

Costs are primarily driven by:

Sending logs and telemetry to Log Analytics workspaces or Application Insights (priced per GB ingested, often with a small monthly free allowance like 5GB).

Storing data beyond the default free retention period incurs costs (per GB per month) and running certain types of log queries, setting up specific alerts, data export, etc... can also have associated costs.

Pay-As-You-Go is standard, but Commitment Tiers are available, offering discounts if you commit to ingesting a certain amount of data daily.

Sentinel adds SIEM/SOAR capabilities on top of Azure Monitor Log Analytics. It has its own pricing structure in addition to the underlying Log Analytics data ingestion and retention costs.

There's typically a 31-day free trial when you first enable Sentinel on a workspace.

Costs are primarily based on the volume of data analyzed by Sentinel. Certain data sources may have ingestion benefits or be free.

Similar to Monitor, it offers Pay-As-You-Go and Commitment Tiers. Microsoft is moving towards "simplified pricing tiers" that combine the cost for Log Analytics ingestion and Sentinel analysis into a single, tiered rate.

Kindly let us know if the above helps or you need further assistance on this issue.

2 answers

Your answer

Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-17T13:00:45.3+00:00

Hi @Carl Dela Cruz

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
Carl Dela Cruz 0 Reputation points

2025-04-21T06:07:49.41+00:00

Hi, Alex and Sai. Thank you for taking the time. just wanted to know if there's anyway for me to see if the VM in my azure is successfully establishing connection to the Syslog Server i wanted to get logs from (which is public WAF)?

In addition, is the azure monitor and sentinel are included to the subscription or is it add-ons?

Answer 1

Dear Carl,

Thank you for reaching out with your concern here at Q&A portal. Based on your description, here are some recommendations to troubleshoot and resolve the connectivity issue between your external WAF and the Azure-based log collector

Please verify NSG rules

Ensure the NSG attached to the log collector's subnet or NIC allows inbound traffic on the syslog port (typically UDP 514 or TCP 601-1024, depending on your setup).

Confirm that the source IP of the external WAF is explicitly whitelisted in the NSG.

Check Azure Network Architecture

If the log collector is behind an internal load balancer or private endpoint, ensure routing is correctly configured.

Verify that the log collector’s private IP is reachable from the external WAF’s outbound path (e.g., no NAT/firewall blocking on the WAF side).

Consider Azure Firewall or NVA for Additional Security

Since you’re not using a native firewall, an Azure Firewall or a third-party NVA (e.g., FortiGate, Palo Alto) could help securely forward syslog traffic.

If cost is a concern, a Linux-based VM with IPTables/UFW could act as a minimal forwarding proxy.

Test Connectivity Directly. Temporarily expose the log collector to a public IP (for testing) and verify if syslog traffic arrives.

Use tools like tcpdump for Linux or Wireshark for Windows to confirm if packets reach the VM.

Alternative is Azure Monitor or Sentinel Integration

If the WAF supports it, consider forwarding logs to Azure Monitor or Microsoft Sentinel instead of an on-VM collector for a more scalable solution.

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

Answer 2

Hi @Carl Dela Cruz

Check the NIC configuration of your log collector VM in the Azure portal. Does it have a Public IP assigned? If it's behind a Standard Azure LB, ensure the Public IP is assigned to the LB's frontend, and you have an appropriate Load Balancing rule or Inbound NAT rule directing the syslog traffic to the collector VM.

Please verify whether you've whitelisted the source IP or not. If yes, please double-check the rule details:

Source: IP Addresses - Set to the specific Public IP of your external WAF. Avoid using Any or broad ranges, if possible, for security.
Source Ports: * or Any.
Destination: IP Addresses - Set to the Private IP address of your log collector VM NIC.
Destination Ports: Match the required syslog port: 514 for the UDP rule and 6514 for the TCP rule.
Protocol: Must be set to UDP for the port 514 rule and TCP for the port 6514 rule. Mismatching the protocol will cause the rule to fail.
Action: Allow.
Priority: Must be a number lower than the default DenyAllInBound rule (priority 65500) and lower than any custom Deny rules that might otherwise block this traffic. Valid priorities range from 100 to 4096. Assigning a low number ensures these rules take precedence over default denials.

In which level did you associate NSG? Azure allows NSGs to be associated at two levels: the virtual machine's NIC and the subnet within which the NIC resides. When NSGs are applied at both levels, they create a layered security posture, but both must be correctly configured for traffic to pass.

Even if Azure NSGs allow the traffic, the firewall running inside the log collector VM's operating system must also permit the inbound traffic, so configure the OS firewall to allow inbound traffic on the correct port (like 514) and protocol (UDP/TCP) specifically from the source IP address of the WAF.

Make sure the syslog service is installed, enabled, and running on the collector VM. Verify the syslog daemon configuration. It needs to be configured to: Listen for remote logs and listen on the correct network interface and sometimes they default to listening only on 127.0.0.1 (localhost). Listen on the correct port and protocol (UDP/TCP).

Confirm the WAF is configured to send syslog messages to the correct Public IP Address of your Azure log collector and ensure the port and protocol (UDP/TCP) configured on the WAF match what you are expecting and allowing in Azure (NSG, OS Firewall) and on the syslog daemon and is there any UDRs applied to the VM's subnet that might be forcing traffic destined for the internet through an NVA or elsewhere, potentially creating asymmetric routing.

Run a packet capture on the log collector VM's NIC via Azure Network Watcher. Filter for the source IP of the WAF and the destination port (514). This will show if packets are even reaching the Azure NIC level and enable NSG Flow Logs to see if traffic from the WAF IP is being allowed or denied by the NSG rules.

Use this tool to simulate a connection attempt from the WAF's Public IP to your VM's Public/Private IP and port. It will tell you which NSG rule is allowing or denying the traffic.

I hope this has been helpful!

Your feedback is important so please take a moment to click 'Accept answer'.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Share via

Connection Issue of External WAF to an Instance inside Azure Cloud

2 answers

Your answer