Monitoring Azure Application Gateway
Effective monitoring of Azure Application Gateway is crucial for ensuring the health, performance, and availability of your web applications. Application Gateway provides a comprehensive set of monitoring tools and metrics that allow you to gain insights into its operations and quickly identify and resolve issues.
Key Monitoring Tools
Azure Application Gateway integrates with several Azure services to provide robust monitoring capabilities:
- Azure Monitor: This is the primary service for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. For Application Gateway, Azure Monitor provides metrics and logs.
- Azure Network Watcher: Offers network diagnostic and visualization tools for Azure. Key features for Application Gateway include connection troubleshoot, IP flow verify, and packet capture.
- Azure Log Analytics: A tool within Azure Monitor that allows you to query and analyze log data. You can send Application Gateway diagnostics logs to a Log Analytics workspace for detailed analysis.
- Application Insights: While not directly for the gateway itself, Application Insights can monitor the performance and usage of the applications hosted behind the Application Gateway, providing end-to-end visibility.
Metrics in Azure Monitor
Application Gateway exposes a rich set of metrics that provide real-time insights into its performance. You can view these metrics in the Azure portal under the Application Gateway resource. Some important metrics include:
- Healthy Host Count: The number of backend servers that are currently healthy.
- Unhealthy Host Count: The number of backend servers that are currently unhealthy.
- Total Requests: The total number of requests processed by the Application Gateway.
- Request Duration: The time taken to process requests.
- Data In/Out: The amount of data transferred through the gateway.
- Backend Connection Errors: The number of errors encountered when establishing connections to backend servers.
You can set up alerts based on these metrics to be proactively notified of potential issues.
Diagnostic Logs
Application Gateway provides several types of diagnostic logs that can be sent to Azure Monitor Logs (Log Analytics), a storage account, or Event Hubs:
- ApplicationGatewayAccessLog: Records details about each request and response. This log is useful for analyzing traffic patterns, performance, and identifying problematic requests.
- ApplicationGatewayPerformanceLog: Records performance details for each request, such as latency and backend response time.
- ApplicationGatewayFirewallLog: Records details about requests processed by the Web Application Firewall (WAF) if enabled. This is crucial for security monitoring and threat detection.
- ApplicationGatewayAuditLog: Records actions performed on the Application Gateway resource itself (e.g., configuration changes).
Enabling Diagnostic Logs
1. Navigate to your Application Gateway resource in the Azure portal.
2. In the left-hand menu, under Monitoring, select Diagnostic settings.
3. Click Add diagnostic setting.
4. Select the log categories you want to collect.
5. Choose the destination for your logs (e.g., Send to Log Analytics workspace).
6. Click Save.
Using Log Analytics for Deeper Insights
Once diagnostic logs are sent to a Log Analytics workspace, you can use Kusto Query Language (KQL) to perform powerful analysis.
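```kusto
// Assumes logs land in the AzureDiagnostics table (column names carry _s/_d suffixes);
// resource-specific tables use different table and column names.

// Example: Find the top 10 client IP addresses by request count
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog"
| summarize count() by clientIP_s
| top 10 by count_

// Example: Identify requests with high latency
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog"
| where timeTaken_d > 5 // 5 s (= 5000 ms); the v2 SKU logs seconds, the v1 SKU milliseconds
| project TimeGenerated, clientIP_s, requestUri_s, timeTaken_d
```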
Health Probes
Health probes are essential for Application Gateway to determine the health of your backend servers. Configure appropriate health probes for your backend pools:
- Protocol: HTTP or HTTPS.
- Host: The host header to send in the probe request.
- Path: The relative path for the probe request (e.g., `/health`).
- Interval: The time in seconds between health probes.
- Timeout: The time in seconds to wait for a response.
- Unhealthy threshold: The number of consecutive failures before a backend server is marked unhealthy.
Ensure your application has an endpoint that correctly reports its health status (e.g., returning a 200 OK status code when healthy).
Network Watcher Integration
Use Azure Network Watcher to diagnose connectivity issues between clients and your Application Gateway, or between the gateway and your backend servers. Tools like "Connection troubleshoot" can be invaluable.
Alerting and Dashboards
Create custom dashboards in Azure Monitor to visualize key Application Gateway metrics and logs. Set up alerts for critical conditions, such as a significant increase in unhealthy hosts or backend connection errors.
Web Application Firewall (WAF) Monitoring
If you are using the WAF feature, the ApplicationGatewayFirewallLog is critical. Monitor this log for detected threats, blocked requests, and WAF rule matches. Configure WAF policies and exclusions as needed.
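The Python example below is added here and is not Microsoft's code. It triages ApplicationGatewayFirewallLog records exported to a storage account or Event Hubs, counting blocked requests per client by transaction ID (a single request logs one row per matched rule) and listing clients whose matches were only detected, not blocked. The sample lines are constructed, and the record shape (`category` plus `properties` with `clientIp`, `ruleId`, `action`, `transactionId`) is an assumption about your export.

```python
import json
from collections import Counter, defaultdict

def _rec(ip, rule, action, txn, uri="/login"):
    # Builds one constructed log line in the assumed exported JSON shape.
    return json.dumps({"category": "ApplicationGatewayFirewallLog",
                       "properties": {"clientIp": ip, "ruleId": rule, "action": action,
                                      "transactionId": txn, "requestUri": uri}})

# Constructed sample: one JSON object per line, as in a storage-account export.
SAMPLE_LINES = [
    _rec("203.0.113.7", "942100", "Matched", "t1"),
    _rec("203.0.113.7", "949110", "Blocked", "t1"),
    _rec("203.0.113.7", "942100", "Matched", "t2"),
    _rec("203.0.113.7", "949110", "Blocked", "t2"),
    _rec("198.51.100.9", "920350", "Detected", "t3", "/"),
    '{"category": "ApplicationGatewayAccessLog", "properties": {}}',
    "not json",  # truncated or corrupt line
]

def load_firewall_records(lines):
    """Return (properties of firewall records, count of unparseable lines)."""
    props, bad = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(rec, dict) and rec.get("category") == "ApplicationGatewayFirewallLog":
            props.append(rec.get("properties") or {})
    return props, bad

def triage(props, min_blocked=2):
    """Summarise rule hits and flag clients with repeated blocked requests."""
    rule_hits = Counter()
    blocked = defaultdict(set)    # client IP -> blocked transaction IDs
    detected = defaultdict(set)   # client IP -> rule IDs logged as Detected
    for p in props:
        ip, rule, action = p.get("clientIp"), p.get("ruleId"), p.get("action")
        rule_hits[rule] += 1
        if action == "Blocked":
            # One request logs a row per matched rule; count requests, not rows.
            blocked[ip].add(p.get("transactionId"))
        elif action == "Detected":
            detected[ip].add(rule)
    repeat = {ip: len(t) for ip, t in blocked.items() if len(t) >= min_blocked}
    return {"rule_hits": dict(rule_hits), "repeat_blocked": repeat,
            "detected_only": {ip: sorted(r) for ip, r in detected.items() if ip not in blocked}}
```

Entries under `detected_only` are requests that matched a rule but still reached the backend, which is what you would expect while the WAF policy runs in detection mode.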

Example visualization of Application Gateway metrics in Azure Monitor.