Azure App Service is a cloud-based platform that enables developers to deploy and manage web applications effortlessly, without the need to manage underlying infrastructure. Occasionally, you might encounter issues when making external calls between two App Services. In this blog post, we’ll explore how to troubleshoot these failed external calls using the App Service IP Sec audit logs.
App Service IP Sec audit logs provide detailed information about the traffic that passes through your IPsec tunnel. This information can be used to troubleshoot issues related to failed external calls between App Services. The audit logs provide details such as source IP address, destination IP address, protocol, and port number.
Azure Monitor Logs reference - AppServiceIPSecAuditLogs | Microsoft Learn
Scenario: The customer has set up a client-server model using VNet integration in Azure. The client is an app service that makes HTTPS requests to a backend-end app service acting as the server. This front-end app service has a private endpoint, which means that it can only be accessed from within the customer's VNet.
To troubleshoot failed external calls between App Services, follow these steps:
Step 1: Enable IP Sec Audit logs, enable IP Sec audit logs, navigate to your App Service and select the "Diagnostic logs" option under the "Monitoring" section. Then, select "IPSecurity Audit logs" and turn on the "Enabled" switch.
Step 2: Select Send to Storage account or Log Analytics workspace.
Step 3: Check Audit logs for CIp, Service Endpoint, and Details
The CIP
field shows the client IP address that initiated the request[1]. The ServiceEndpoint
field shows the service endpoint that was accessed[1]. The Details
field provides additional information about the request, such as whether it was denied due to public network access[1].
Deviation 1
CIp":"52.255.100.33:3648"
"ServiceEndpoint":"False",
"Details":"Denied non-PrivateEndpoint requests for private link enabled due to PublicNetworkAccess"
The error message ‘Details: Denied non-PrivateEndpoint requests for private link enabled due to PublicNetworkAccess’ indicates that the request was rejected because the name resolution pointed to a public IP address, and the client attempted to access the app service using that public IP. To resolve this, ensure that the client in a client-server model is using the correct private endpoint DNS name to connect to the app service. This DNS name should resolve to the private IP address linked to the app service’s private endpoint.
Deviation 2
"CIp":"[fd00::7ca4:6b0c:200:a00:2fe]:50140"
"ServiceEndpoint":"True"
"Details":"Traffic was received via service tunneling but no private link identifier was provided."
The error message "Details":"Traffic was received via service tunneling but no private link identifier was provided." indicates that the request was received via service tunneling without the private endpoint identifier. A private endpoint linked to the web app cannot be used simultaneously with service endpoints. If you plan to use service endpoints, please remove the private endpoint from the web app. Conversely, if your intention is to use the private endpoint, check the VNet integration subnet for Microsoft.Web and remove it.
Additional Solutions:
- Ensure that the private endpoint is correctly configured on the App Service server in a client-server model. Confirm that the private endpoint is not in a pending state, the private DNS zone is linked to the appropriate virtual network, and the DNS record exists.
- If the client in a client-server model uses custom DNS servers and is in an ASEv3 environment, App Service Environment v3 doesn't fall back to Azure DNS if your configured custom DNS servers in the virtual network are not able to resolve a given name. If this behavior is required, ensure that you have a forwarder to a public DNS or include Azure DNS in the list of custom DNS servers. Migrate to App Service Environment v3 by using the migration feature - Azure App Service Environment | Microsoft Learn
- Check for limitation: Connect privately to an App Service apps using private endpoint | Microsoft Learn