How to check detailed outbound traffic of AKS with Azure Firewall setup

Kit Shing Kwong 0 Reputation points
2024-03-15T10:51:19.0233333+00:00

Hi,

We have an AKS and all outbound traffic from this AKS is forwarded to an Azure Firewall with a user-defined route table. May I know where I can find the detailed log of the outbound traffic? The closest logs I can find are the AZFWApplicationRule and AZFWNetworkRule tables, which provide the request host and destination port number of the outbound request. But they do not provide details like the request URI and response status code. How can I find this information?


1 answer

  1. GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2024-03-15T11:42:03.7266667+00:00

    Hello @Kit Shing Kwong ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have used Azure Firewall to protect Azure Kubernetes Service (AKS) clusters and would like to find the detailed log of the outbound traffic including the request URI and response status codes.

    You can monitor Azure Firewall using Structured Logs, which uses a predefined schema to structure log data for easy searching, filtering, and analysis. These logs include information such as source and destination IP addresses, protocols, port numbers, and firewall actions.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics

    https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs

    https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace

    You seem to be using the correct logs:

    AZFWNetworkRule - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwnetworkrule

    AZFWApplicationRule - https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule

    For request URI:

    In the AZFWApplicationRule log, you can find:

    User's image

    For response status codes:

    HTTP(s) response status codes are mostly found in WAF logs but not in the Azure Firewall logs.

    In Azure Firewall, you will only find the action taken by the firewall following the match with a particular rule. For example: Firewall may Allow/Deny a specific packet.

    You can also use Azure Firewall Workbook which provides a flexible canvas for Azure Firewall data analysis. You can use it to gain insights into Azure Firewall events, learn about your application and network rules, and see statistics for firewall activities across URLs, ports, and addresses. Azure Firewall Workbook allows you to filter your firewalls and resource groups, and dynamically filter per category with easy-to-read data sets when investigating an issue in your logs.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook

    If you are looking for something else, please let us know.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

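Added example, not part of the original question or answer: a Log Analytics (KQL) query over the AZFWApplicationRule table named in the answer, summarizing AKS egress by FQDN, URL and firewall action. The subnet 10.240.0.0/16 is a placeholder for the AKS node subnet, and the column names are those listed in the AZFWApplicationRule table reference linked in the answer; TargetUrl is normally populated only for HTTP or TLS-inspected HTTPS requests, and no response status code column exists in this table.

```kusto
// Added example: AKS egress seen by Azure Firewall application rules.
// Assumption: 10.240.0.0/16 is a placeholder for the AKS node subnet
// whose route table sends 0.0.0.0/0 to the firewall. Replace it with your range.
let aksSubnet = "10.240.0.0/16";
AZFWApplicationRule
| where TimeGenerated > ago(24h)
| where ipv4_is_in_range(SourceIp, aksSubnet)
// TargetUrl is empty when the firewall only saw the TLS SNI (no TLS inspection),
// so flag those rows instead of silently dropping them.
| extend UrlVisible = isnotempty(TargetUrl)
| summarize Requests  = count(),
            SourceIps = dcount(SourceIp),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Fqdn, TargetUrl, UrlVisible, IsTlsInspected,
       DestinationPort, Protocol, Action,
       Policy, RuleCollectionGroup, RuleCollection, Rule
// Denied destinations first, then the busiest allowed ones.
| order by Action desc, Requests desc
```

Rows with UrlVisible false show only the host name (Fqdn), which matches what the question describes seeing for HTTPS egress.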