The curious case of an Azure Application Gateway showing no metrics and logs
This is the curious case of an Azure Application Gateway showing no metrics and logs at all. Even though this was one of the main customer’s production Application Gateways, we could see 0 requests in the metrics. That was strange, as behind the Application Gateway was an online webshop which served thousands of customers every day.
These metrics should show up regardless of whether you have Log Analytics configured or not. Our diagnostic logs are automatically configured based on this Azure Policy written by Tao. We double-checked that the diagnostics settings were enabled, which was the case, but still no logs were stored in Log Analytics.
Issue
I logged a ticket and the Azure support team came back after a few days saying that the issue is due to some custom SSL Policy on the Azure Application Gateway. The customer did change the default SSL settings and was using the following custom SSL settings:
    "SSLPolicy": {
        "CipherSuites": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_128_GCM_SHA256"
        ],
Solution
To make the logs and metrics work, we had to add 2 more cipher suites:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The reason for this is that the Azure Application Gateway V1 writes logs to a storage account in the backend. This storage account requires certain cipher suites to be enabled on the gateway before logs and metrics can be stored in it. The following 3 cipher suites must be enabled:
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
So make sure you have at least these 3 cipher suites enabled.
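An added example, not from the original post: a small check that parses a gateway's SSL policy JSON and reports which of the three required suites are missing, using the custom policy shown above as constructed sample input. The function and variable names are hypothetical, and it assumes a config without a custom cipher list needs no change.

```python
import json

# The three suites the post says an Application Gateway V1 needs in order to
# write logs and metrics to its backend storage account.
REQUIRED_SUITES = (
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
)


def _get_ci(mapping, key):
    """Case-insensitive key lookup (exports differ: SSLPolicy vs sslPolicy)."""
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return None


def audit_ssl_policy(gateway_json):
    """Return (missing, merged) for a gateway config given as a JSON string.

    missing: required suites absent from the custom cipher list.
    merged:  the custom list with the missing suites appended, order kept.
    Assumption: a config with no custom cipher list returns ([], None),
    because there is no custom list to repair.
    """
    config = json.loads(gateway_json)
    policy = _get_ci(config, "SSLPolicy") or {}
    suites = _get_ci(policy, "CipherSuites")
    if suites is None:
        return [], None
    present = {s.strip().upper() for s in suites}
    missing = [s for s in REQUIRED_SUITES if s not in present]
    return missing, list(suites) + missing


# Constructed sample: the custom policy from the post, wrapped in braces so
# it parses as a standalone JSON document.
SAMPLE = """{"SSLPolicy": {"CipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256"]}}"""

if __name__ == "__main__":
    missing, merged = audit_ssl_policy(SAMPLE)
    print("missing:", missing)
    print("merged:", merged)
```

Running a check like this against a proposed custom policy before it is deployed catches the missing suites ahead of the point where metrics silently drop to zero.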
Conclusion
Don’t mess with the SSL settings.
A few seconds after adding the 2 missing cipher suites the metrics and logs started to show up.
Hope this helps,
Alex