1. Customer Complaint

Driver and Vehicle Standards Agency requested PremiumV2 whitelisting in UK South for 5 subscriptions (dev/sit/uat/preprod/prod).

2. What customer saw

Unable to deploy PremiumV2 in UK South without capacity exception.

3. CSS telemetry

Standard capacity exception request via CSS template.

4. Diagnosis & Fix

By Design. Customer directed to use proper capacity request template. Mitigated by shubhash.

5. Monitoring Miss?

No — process issue, not product issue.

6. Repairs

N/A.

1. Customer Complaint

MCP tools/list response schema changed, breaking customer integration. Nested objects in schema being flattened — e.g., expected {"location": {"type": "string"}} but received {"location_type": "string"}.

2. What customer saw

Different payload structure post-upgrade. MCP tool definitions returned flattened properties instead of nested objects.

3. CSS telemetry

Schema mismatch confirmed. CSS engineer (tehnoonr) independently identified as "a regression in MCP server implementation with the latest build — nested objects in the schema are being flattened." Upgrade telemetry confirmed version change on 2026-04-17 at 00:58:35 UTC.

4. Diagnosis & Fix

Breaking change in v0.51.3757.0 — two bugs:
(1) Intentional schema unwrapping in OperationExtensions.GetInputSchema()
(2) Body reconstruction bug in InvokeToolHandler.ExecuteMethodAsync() where newPayload is overwritten per iteration.

Rollback to v0.50.3674.0 + service quarantine. Ashendre mitigated Apr 24.

5. Monitoring Miss?

Yes — no API contract tests to detect breaking schema changes in MCP tool definitions before release.

6. Repairs

• Schema versioning for MCP tool definitions
• Contract tests for MCP tools/list response structure to prevent future regressions

1. Customer Complaint

Customer reported intermittent connection failures affecting ~20% of requests from AKS cluster to APIM service "enterprise-int-apim-prod" (Premium SKUv1, Central US). Failing with ECONNREFUSED 10.12.2.228:443 when calling Salesforce API through APIM. Issue began after OS upgrade on 2026-04-29 ~12:00 UTC.

2. What customer saw

GraphQL operation failures in AKS app (msol-content-bff): "connect ECONNREFUSED 10.12.2.228:443." IP is the APIM Internal Load Balancer VIP. Path: AKS (separate VNET/sub) → Hub VNET with Palo Alto firewall → APIM Internal VNET. TCP-level RST packets prevented requests from reaching gateway.

3. CSS telemetry

CSS queried ProxyRequest for the failing URL and found only HTTP 200/204 — failing requests never reached APIM gateway. CRP telemetry confirmed VirtualMachineScaleSets.AutoOSUpgrade.POST upgrading to Windows Server 2022 image 20348.5020.260413. Network traces showed bidirectional RST packets — firewall saw resets from LB IP 10.12.2.228, APIM nodes saw resets from AKS pod IP 10.17.107.7.

4. Diagnosis & Fix

Faulty VM (gwhost_02) after OS upgrade. SRE Agent confirmed all 4 VMs healthy post-upgrade with continuous heartbeats. DRI (ethanlao) broke down ClientConnectionFailure by RoleInstance revealing almost all failures from gwhost_02. ReplaceVM initiated via Geneva Action (enterprise-int-apim-prod_ManageCompute_ead74155). After replacement, ClientConnectionFailures ceased. Mitigated.

5. Monitoring Miss?

Yes. No LSI filed before CRI. Per-VM ClientConnectionFailure pattern on gwhost_02 not detected by existing monitoring. DRI feedback: "SRE Agent did not check telemetry by role instance, which clearly shows faulty node." Per-VM error distribution monitoring could have caught this earlier.

6. Repairs

Transferred to Platform for RCA. Root cause: "Service/VM Issue."
DRI improvement: SRE Agent should check telemetry by RoleInstance to identify faulty nodes.
No additional repair items documented.

1. Customer Complaint

Customer reported intermittent 504 timeout errors from their Application Gateway (agw-apim-prod-eu-01-pri-int) when making requests to APIM service (apim-prod-eu-01) in West Europe. Issue began ~2026-04-28T23:18 UTC. Failing calls never reached APIM.

2. What customer saw

Intermittent HTTP 504 (Gateway Timeout) from Application Gateway routing to Premium multi-region internal VNet APIM. Successful requests worked normally. Failed requests returned 504 with no entries in APIM GatewayLogs — requests did not reach APIM. Issue specific to West Europe region.

3. CSS telemetry

CSS confirmed no ProxyRequest entries for failed requests (only 200/204 for successful ones). P97 latency under 400ms (no backend slowness). Error reasons >99% empty. However, identified increase in ClientConnectionFailure errors correlating with problem start and unhealthy patterns on APIM Internal Load Balancer (ILB) beginning when customer issue appeared.

4. Diagnosis & Fix

Faulty VM (gwhost_33). Customer-reported issue start time (2026-04-28 23:15 UTC) correlated with increase in ConnectionIdle errors in HttpSys and BackendConnectionFailures specifically on gwhost_33. ReplaceVM operation initiated (apim-prod-eu-01_ManageCompute_63b54556). After VM replacement completed, incident mitigated.

5. Monitoring Miss?

Yes. No LSI filed before CRI. gwhost_33 had ConnectionIdle and BackendConnectionFailure errors since 2026-04-28 but no automated alert fired. Issue discovered only via customer support case filed 2026-05-01 — approximately 3 days after issue began.

6. Repairs

No repair items documented.

1. Customer Complaint

Customer reports cached responses returning truncated data (~2 MB instead of expected ~7 MB). Silent truncation with no error codes or indicators. Impact on data integrity — customers unknowingly serving incomplete payloads downstream.

2. What customer saw

Responses that should be ~7 MB returned as ~2 MB when served from built-in cache. No error codes, no truncation headers — completely silent data loss. Only affects built-in cache; external Redis cache returns full responses correctly.

3. CSS telemetry

Regression tied to build 0.51.27763.0. ~2 MB truncation boundary suggests hardcoded buffer size or misconfigured limit introduced in that build. External Redis unaffected confirms issue is in the built-in (in-memory) cache path, not the caching policy logic itself.

4. Diagnosis & Fix

Cache truncation regression in build 0.51.27763.0. ~2 MB silent truncation boundary for built-in cache responses. Root cause likely in Proxy/Gateway.Policies cache provider or in-memory cache buffer sizing. Customer workaround: skip caching for responses >2 MB. Fix pending — offending commit not yet identified publicly.

5. Monitoring Miss?

Yes. Silent truncation means no observable failure signal. No validation exists to compare cached response size vs original response size. No error/warning emitted when response is truncated.

6. Repairs

• Fail-loud behavior: emit error/warning when cached response is truncated (never silently serve partial data)
• Identify and fix the ~2 MB buffer limit introduced in 0.51.27763.0
• Add cache integrity validation (compare stored size vs expected Content-Length)
• Proactive notification to customers who may be affected but haven’t reported

1. Customer Complaint

Bleu cloud acceptance testing — APIM Standard instance portal returning HTTP 503.

2. What customer saw

https://{instance}.portal.azure-api.sovcloud-api.fr returned "HTTP Error 503. The service is unavailable."

3. CSS telemetry

Incomplete information provided. Could not reproduce.

4. Diagnosis & Fix

Unable to Reproduce. Information provided was incomplete, preventing investigation. Mitigated by javierbo.

5. Monitoring Miss?

N/A.

6. Repairs

N/A.

1. Customer Complaint

High capacity and increased Client Connection Failures (CCFs) and timeouts across all APIs, severely impacting production workloads on a Basic SKU APIM service in North Europe.

2. What customer saw

Connection closed events, timeouts across all APIs. Azure Front Door in front of APIM showed timeouts on ping tests. Issue started ~10 AM Eastern May 13. Scaling out at 16:20 UTC did not immediately resolve CCFs.

3. CSS telemetry

AppLens detected capacity above 75%. SRE Agent analysis: 8x traffic surge over baseline (58K → 490K req/hr), CCF rates 22–27% uniform across ALL VMs (systemic, not per-VM fault). “events” API responsible for >90% of errors. Backend p95 latency 90–140s causing gateway to hold connections and saturate CPU. BackendConnectionFailure secondary to gateway overload. No platform deployment or VNET issues found.

4. Diagnosis & Fix

Customer capacity issue — Basic SKU saturated by 8x traffic surge.

Root cause: Basic SKU (1 unit, 2 VMs) overwhelmed by sustained traffic escalation over 3 days, peaking at ~490K req/hr on May 13. Backend services responding at p95 latency of 90–140s, causing gateway VMs to hold connections until CPU exhaustion. Clients then closed connections (CCF). Secondary BCF errors to backend 20.105.12.67:443 as gateway lost ability to maintain outbound connections.

Mitigation: Scale-out added VMs (gwhost_6 through gwhost_16), reducing 5xx from 10% to 0.23%. Customer upgraded backend service to higher SKU to resolve latency. Javier downgraded Sev2→Sev3 and resolved.

5. Monitoring Miss?

No — AppLens correctly detected capacity >75%. This is a customer workload/SKU sizing issue, not a platform failure.

6. Repairs

N/A — customer needs to upgrade from Basic SKU and optimize backend latency. Recommendations provided: evaluate Standard/Premium SKU, investigate “events” API traffic source, implement exponential backoff on client retries.

1. Customer Complaint

Converting OAS API (~150 resources) with deep nested allOf/anyOf/oneOf/$ref into MCP server — only 3–4 tools visible instead of full set. 100% failure rate on MCP tools/list endpoint. Customer platform blocked.

2. What customer saw

"No tools available" or MCP error -32001 (Request timed out). ClientConnectionFailure: connection unexpectedly closed. Conversion completed without error but silently dropped ~146 operations.

3. CSS telemetry

NullReferenceException at OperationExtensions.GetObjectDefinition():198 — definition.Properties is null when OpenAPI uses allOf/$ref composition. Stack trace confirms pre-fix binary deployed (method signature lacks HashSet<string> visited parameter). 46 errors on this service, 1,333+ errors across 18 services globally in 7 days.

4. Diagnosis & Fix

Known product defect — fix merged but NOT deployed. NRE in MCP gateway schema parser when allOf/anyOf/oneOf not resolved. Fix (Task 37471067 / ResolveCompositeDefinition()) authored by ondrejoprala Apr 13, merged to main ~late April. SKUv2 rollback to v0.50 means fix was lost. Workaround: flatten OpenAPI spec (replace allOf/anyOf with inline properties).

5. Monitoring Miss?

No monitoring miss per se — functional limitation. But no validation exists to verify all operations successfully converted, and no deployment tracking caught the fix regression.

6. Repairs

Task 37471067 (merged, awaiting deployment). Recommended: (1) Deploy fix urgently, (2) Add conversion validation comparing source op count vs tool count, (3) Surface warnings when operations silently dropped.

1. Customer Complaint

APIM service failed during platform upgrade, left in unhealthy state for 9+ days. Hundreds of internal users blocked from dev/testing. Premium service, management endpoint unreachable. Customer escalated multiple times.

2. What customer saw

Service stuck in "Updating" state. Management endpoint unreachable. "Apply Network Settings" also fails. Portal shows unhealthy. No admin operations possible.

3. CSS telemetry

Platform-initiated rollback (0.51.27763.0 → 0.49.25546.0) triggered by Sev1 INC 788655236 (DevPortal). Bootstrapper on target version cannot find machine certificate 916F5EED... — 8 failure cycles (30-min timeout each) over 5 hours. VMSS rolling upgrade failed: 100% unhealthy instances. Orchestration locked permanently.

4. Diagnosis & Fix

Failed platform rollback — certificate incompatibility between versions. Target version 0.49.x requires cert not available on reimaged VMs (provisioned by 0.51.x only). Nima did ForceRuntimeUpgrade to 0.51.28257.0 (retake) on May 12 — partially recovered (1 instance up). Also found 3 tooling bugs: ACIS JSON deserialization error in State=4, NotEligible without reason, wrong version when Release Channel ≠ All.

5. Monitoring Miss?

Yes. (1) Stuck orchestration not detected — no alert for services in failed upgrade state. (2) No auto-recovery mechanism. (3) Collateral damage from Sev1 rollback batch not validated per-service before execution.

6. Repairs

No repair items linked. Recommended: (1) Alert on services stuck in Upgrading >2h, (2) Auto-recovery for failed rollbacks, (3) Validate cert compatibility before cross-version rollback, (4) Fix 3 infra/tooling issues found by Nima.

1. Customer Complaint

DTE Electric Company reported timeout/connection failures from on-prem to APIM (Premium, Internal VNet, Central US). 50% of API calls failing, causing payment failures for hundreds of customers per minute.

2. What customer saw

Intermittent TLS connection failures — TCP handshake succeeded but TLS handshake never completed. gwhost_1 did not respond to TLS ClientHello.

3. CSS telemetry

PCAPs: GW Host 1 resetting TCP sessions. DNS/CRL/AIA endpoints unreachable on gwhost_1 only. Infrastructure-layer per-VM networking degradation.

4. Diagnosis & Fix

Per-VM networking degradation on gwhost_1. Couldn't reach cert validation servers. Auto-healing replaced VM at 03:48 UTC Apr 9. Impact: ~16.5h.

5. Monitoring Miss?

Yes — health checks don't probe per-VM TLS handshake. Auto-healing took ~16h.

6. Repairs

Enhanced LB health probes with TLS validation. Faster auto-healing. CRL soft-fail resilience.

Notes

Central US datacenter infrastructure stress. Related IcMs for same region connectivity issues: 775500895, 775342041, 776075200, 776236264

1. Customer Complaint

API calls via SHG hang until client timeout (~10 min).

2. What customer saw

Requests hang indefinitely. Path: Client-AWS ELB-SHGW-Netskope-Backend.

3. CSS telemetry

GatewayV2 timing out on large headers. Backend CSP header 7.7KB exceeds HTTP/2 HPACK MAX_HEADER_LIST_SIZE default (8192).

4. Diagnosis & Fix

Code Bug - HTTP/2 HPACK limit 8192 in TcpChannelInitializer vs 65536 for HTTP/1.1. Fix ETA: 2 months.

5. Monitoring Miss?

No - product bug.

6. Repairs

Override Http2Settings to 65536. Expose net.client.http2.max-header-list-size.

1. Customer Complaint

HM Electronics (Sev A, Premium) - intermittent SSL cert verification failures.

2. What customer saw

Intermittent SSL CERT_VERIFY_FAILED on backend calls.

3. CSS telemetry

Classified as customer issue.

4. Diagnosis & Fix

Customer issue. Downgraded to Sev3.

5. Monitoring Miss?

N/A.

6. Repairs

N/A.

1. Customer Complaint

Customer reported unable to scale out.

2. What customer saw

Scale-out appeared broken.

3. CSS telemetry

Customer actually has 60 instances. Problem is orchestration logs/container size reporting.

4. Diagnosis & Fix

Not a scaling issue - reporting/logging problem. Martin investigating.

5. Monitoring Miss?

No (reporting issue).

6. Repairs

Fix orchestration log reporting.

1. Customer Complaint

Customer reported APIM service completely down.

2. What customer saw

Service unreachable, all traffic returning 500s.

3. CSS telemetry

Auto OS rolling upgrade triggered destructive VMSS model update from scale-out. All VMs lost Redis. Health monitor deadlocked.

4. Diagnosis & Fix

Scale-out triggered destructive VMSS upgrade. ~7h outage. Macko mitigated with Reboot Apr 25.

5. Monitoring Miss?

Yes - cascading failure not caught until customer reported.

6. Repairs

Rolling upgrade guardrails. Redis resilience. Reboot as preferred first mitigation.

Activation 1 (Apr 30 16:39 – 18:40 UTC)

1. Customer Complaint

Scale-out operation for Premium APIM service in Central US failing consistently. Previously working fine. ~5,000 customer employees affected by inability to scale. Service running at capacity above 75%.

2. What customer saw

Service failed to scale. Service running at capacity above 75%. Spike of 5xx.

3. CSS telemetry

Failed scale orchestration.

4. Diagnosis & Fix

Scale operation failed: Error Message: VM 'gwhost_1431' has not reported status for VM agent or extensions. No log in ApiSvcHost. Replace node 1431. Scale Completed.

Activation 2 (Apr 30 20:21 – 22:50 UTC)

1. Customer Complaint

Issues with functional Service new spike of 5xx.

2. What customer saw

Service new spike of 5xx.

4. Diagnosis & Fix

Node constantly report "Timer_ConnectionIdle". Replace node 1450. Scale completed. gwhost_1453 has higher number of client connection failures than other nodes — Replaced.

Activation 3 (May 1 07:55 – 10:51 UTC)

1. Customer Complaint

Issues with functional Service new spike of 400/429.

2. What customer saw

Service new spike of 400/429, Failed requests.

4. Diagnosis & Fix

Traffic burst to "authenticationhelperapi" + ratelimiting policy blocked ~25% of the traffic. 429 and 400 return codes. Increased Limit to unblock. Then returned limit. Manually scale.

Activation 4 (May 1 12:09 – 13:54 UTC)

1. Customer Complaint

Issues with functional Service new spike of 5xx.

2. What customer saw

Service new spike of 5xx.

4. Diagnosis & Fix

All nodes returned 5xx. Not APIM Issue.

1. Customer Complaint

Intermittent 408 request timeout errors on Premium SKU v1 service.

2. What customer saw

Clients received 408 timeouts. Requests never appeared in ProxyRequests logs.

3. CSS telemetry

PCAPs: client reusing source ports too quickly. SYN packets with reused ephemeral ports in TIME_WAIT state.

4. Diagnosis & Fix

Customer Error. Client reusing source ports aggressively with improper connection pooling. Customer advised to fix. Macko mitigated Apr 9.

5. Monitoring Miss?

No — client-side issue.

6. Repairs

N/A.

1. Customer Complaint

Healthcare S500 — workspace gateway cert expired, 5AM data sync failed. Mission-critical outage.

2. What customer saw

SSL/TLS trust relationship failure on workspace gateway endpoint. Another workspace on same service working fine.

3. CSS telemetry

WorkspaceGatewayWebsiteSslCertificateItemDetails showed expired cert. No ProxyRequest logs (requests never reached gateway).

4. Diagnosis & Fix

Gateway (Workspace) — managed SSL cert expired, not auto-renewed. Tuan renewed cert + shallow update to rotate at-risk certs. Mitigated Apr 9.

5. Monitoring Miss?

Yes — no alert for workspace gateway cert expiration.

6. Repairs

Cert expiration alerting for workspace gateways.

1. Customer Complaint

Second DTE service (dte-cu-prod-azure-apps-apim-prod) also dropping traffic from degraded gwhost_4.

2. What customer saw

Same pattern as 976163 — traffic drops after TCP handshake, before TLS.

3. CSS telemetry

Same infrastructure-level VM networking degradation. Both DTE services affected by same regional issue.

4. Diagnosis & Fix

VM replacement. Tuan replaced degraded VM Apr 10. Customer RCA delivered.

5. Monitoring Miss?

Yes — same gap as 976163.

6. Repairs

See INC 976163.

1. Customer Complaint

ACE Declared Outage wrapper for DTE Energy issue (SR 2604090040004283).

2-4.

Same as INC 976845. Mitigated by Tuan Apr 10 at 16:20 UTC.

5. Monitoring Miss?

Yes — same.

6. Repairs

See INC 976163.

1. Customer Complaint

AOAI team — HTTP 500 from ExpressionValueValidationFailure on cache-value policy. Impacted cognitivewcusprod (3,590 errors/3h).

2. What customer saw

HTTP 500 for management/update actions. cache-value refresh-after evaluated outside valid range [1, 2147483647].

3. CSS telemetry

Unintended upgrade to unsupported build via misconfigured orchestration + ForceUpgrade feature flag bypassing SDP.

4. Diagnosis & Fix

Service - Configuration. ForceUpgrade deployed unsupported version. Rollback + unlock stuck services + disable ForceUpgrade + quarantine. Rapopescu mitigated Apr 11.

5. Monitoring Miss?

Partially — ForceUpgrade bypassed release safeguards.

6. Repairs

Disable/restrict ForceUpgrade. Validate cache-value at compilation time.

1. Customer Complaint

Content Safety / AOAI API requests failing consistently after build rollback.

2. What customer saw

HTTP 408 timeouts. Systematic failures after onset.

3. CSS telemetry

APIM → RP (checkAccess) → connection failure → 408. Build rolled back but background refresh config remained → invalid combination.

4. Diagnosis & Fix

Invalid build + config combination after rollback. Disabled background refresh on affected services.

5. Monitoring Miss?

Validate config compatibility on rollback.

6. Repairs

See INC 777722043.

1. Customer Complaint

Custom cert update failed: "Unable to Update API service with vnet injection." Cert expiring Apr 17.

2. What customer saw

IPTagsCannotBeModifiedForExistingStaticPublicIPAddresses — RP tried to add IP tags to existing static PIP.

3. CSS telemetry

BetaFeature for IPTags applied globally as wildcard, modifying existing PIPs (immutable).

4. Diagnosis & Fix

RP Regression. Tom removed AzureFirstPartyServiceTag config Apr 14. Resolved Apr 16.

5. Monitoring Miss?

Yes — global wildcard rule not caught in deployment review.

6. Repairs

Fix BetaFeature to not apply IPTags to existing static PIPs.

1. Customer Complaint

APIM stuck in "Updating" for 6+ hours. All critical public-facing apps down due to expired cert.

2. What customer saw

Cert update triggered ~200min process that got stuck. VMSS deployment failed (Conflict). Only 2/6 VMs serving.

3. CSS telemetry

Initial VMSS failure at 09:51 UTC (3h15 after start). Retry stuck 2+ hours with no logs.

4. Diagnosis & Fix

RP — VMSS update stuck. Retry mechanism stuck with no logging. Macko mitigated Apr 15 with ad-hoc steps.

5. Monitoring Miss?

Yes — no alert for long-running stuck updates.

6. Repairs

Alert on operations exceeding expected duration with no progress.

1. Customer Complaint

Default gateway cert expired Apr 9. Microsoft-managed TLS cert not auto-renewed. Production down.

2. What customer saw

NET::ERR_CERT_DATE_INVALID. All HTTPS traffic blocked on default hostname.

3. CSS telemetry

Cert expired, entirely Microsoft-managed. Customer cannot renew/replace.

4. Diagnosis & Fix

Gateway (Managed) — auto-renewal failed. Tuan ran ACIS to renew Apr 15. Rafal resolved Apr 21.

5. Monitoring Miss?

Yes — no alert for managed cert approaching expiry.

6. Repairs

Cert expiration alerting for managed certs.

1. Customer Complaint

Multiple customers unable to deploy PremiumV2 in East US 2. Misleading error about activation limits.

2. What customer saw

"PremiumV2 SKU activation limit reached." Actual cause: ApiServicePrepoolExhaustedException (HTTP 503). Issue ~3 weeks old.

3. CSS telemetry

Kusto: HTTP 503 with ApiServicePrepoolExhaustedException in East US 2.

4. Diagnosis & Fix

Resource Pool Exhaustion. Dan closed East US 2 for PremiumV2 activations Apr 21. Some capacity for exceptions.

5. Monitoring Miss?

Yes — no alert for prepool exhaustion. Persisted ~3 weeks.

6. Repairs

Fix misleading error message. Proactive prepool exhaustion alerting per SKU/region. Capacity planning.

1. Customer Complaint

Multiple customers - APIM not sending any emails. Dev Portal password resets, invitations, admin notifications all broken.

2. What customer saw

No emails from apimgmt-noreply@mail.windowsazure.com. Flows completed in UI but no email arrived.

3. CSS telemetry

No failures in APIM email pipeline. No active SMTP outages. ~6 days before declaration.

4. Diagnosis & Fix

DDoS email flood - Free Trial subscriptions flooded emails during DDoS, SMTP flagged APIM address as spam. Dan fixed with hotfix Apr 21.

5. Monitoring Miss?

Yes - no email delivery success rate monitoring. ~6 days elapsed.

6. Repairs

Rate-limiting. Email delivery metrics. Drop-off alerting. Block FreeTrial emails.

1. Customer Complaint

AOAI Hub - Workspace/Hub gateway activations failing in Australia East.

2. What customer saw

Activation failures. New gateways not provisioned.

3. CSS telemetry

DNS record quota exhausted (10k limit).

4. Diagnosis & Fix

Capacity - DNS team increased 10k to 30k Apr 16. Resolved Apr 23.

5. Monitoring Miss?

Yes - no DNS quota alerting.

6. Repairs

DNS quota monitoring at 80%. Cleanup deprovisioned gateways. Dedicated DNS zones for AOAI Hub.

1. Customer Complaint

S500 healthcare - workspace gateway unreachable, production impacted.

2. What customer saw

Gateway connectivity failure. Events not processed.

3. CSS telemetry

QueryEventsFailed: 403 AuthenticationFailed. Internal SAS token expired. Recurred on each upgrade (expired credential re-applied).

4. Diagnosis & Fix

Software defect - SAS URL expired, not auto-renewed. Upgrade re-deployed stale credential. Omar and Kriti worked together to resolve — Kriti refreshed SAS Apr 17.

5. Monitoring Miss?

Yes - no credential expiration monitoring.

6. Repairs

Code fix for credential renewal. Health checks for auth validity.

1. Customer Complaint

Starting April 28, unwanted log entries for send-one-way-request policy and /ext_cap/v1/req_res_cap path appeared in Application Insights for every API call. Entries unrelated to business processes, causing confusion during debugging. Customer also requested quarantine of their 4 Premium tier services in Australia.

2. What customer saw

Unwanted dependency log entries in App Insights Failures blade for every API call. Entries showed send-one-way-request fire-and-forget calls logged as failed dependencies (ResponseCode=0, Success=false). Initially observed on Developer tier only; Premium tier services had not yet been upgraded to affected gateway version (0.51.x).

3. CSS telemetry

CSS confirmed unwanted log entries. SRE Agent verified via GatewayHeartbeat that all 4 Premium services were on version 0.50.27283.0 (pre-regression), while 0.51.x rollout was 50–70% complete across Australia regions. Root cause: gateway 0.51.x introduced new TrackOutgoingRequestDependencies() method in ApplicationInsightsLogPublisher.cs that tracks all policy-initiated outgoing requests as App Insights dependencies, including fire-and-forget calls.

4. Diagnosis & Fix

0.51 regression in Application Insights dependency tracking. Root cause established in related ICM 21000001008018. Gateway 0.51.x introduced per-policy outgoing request dependency tracking that logged send-one-way-request as failed dependencies (ResponseCode=0). Tom Kerkhove directed Maxim A to apply feature flag "logs.applicationinsights.dependency.legacy": "true" as custom settings on affected services. Settings applied, incident mitigated.

5. Monitoring Miss?

Yes. No LSI filed before CRI. App Insights dependency tracking regression in 0.51.x discovered only through customer reports. False-positive failed dependencies in customer App Insights not covered by platform monitoring.

6. Repairs

• Product fix needed: Exclude send-one-way-request from DependencyTrackingSources, or handle ResponseCode=0 as neutral (not failed) for fire-and-forget policies
• Continued tracking in ICM 21000001008018
• Quarantine impact: Feature flag blocks all 0.51 features. Gateway team to evaluate targeted fix backport to 0.50.x or fast-track in 0.52.x

1. Customer Complaint

SSL certificate verification failures on backend calls.

2. What customer saw

SSL CERTIFICATE_VERIFY_FAILED intermittently on backend connections.

3. CSS telemetry

Transferred to Platform for deeper RCA.

4. Diagnosis & Fix

Result of migrating VMs to 1P image. Intermediate certificates (and CRLs) not immediately available because customer NSG blocks outbound port 80 (not configured as documented). Not expected to repeat unless VM replace/reimage without proper NSG configuration. Team actively rebooting VMs for services where bootstrapper complains about the chain. Unconfirmed but lack of intermediates likely temporary — AzSecPack script probably installs them in background.

5. Monitoring Miss?

TBD — related to broader certificate chain emerging issue pattern.

6. Repairs

Cannot suggest repair items as this is part of 1P migration. Active reboots for affected services. Customer must configure NSG properly (outbound port 80) to prevent recurrence on future reimage.

See full incident details in ICM.

See full incident details in ICM.

See full incident details in ICM.

1. Customer Complaint

Multiple customers reported that after OS Upgrade maintenance, their APIM gateway endpoint presented an incomplete certificate chain. Filed as emerging issue (CSS-sourced) affecting classic/V1 SKU VNET-injected services where outbound TCP port 80 is blocked. Escalated Sev3→Sev2 due to multiple prior Sev2 CRIs.

2. What customer saw

Clients connecting directly saw incomplete cert chain and SSL handshake failures. Customers with AFD or AppGW in front of APIM received HTTP 502 errors. Manifested specifically after OS upgrade events on VNET-injected V1 SKU services.

3. CSS telemetry

AppLens detected capacity above 75% during impact. No additional telemetry findings beyond automated analysis.

4. Diagnosis & Fix

External/Customer Issue - VNET. Occurs on VNET-injected V1 SKU services where outbound TCP port 80 blocked. Customer fix: (1) allow outbound TCP port 80 to Internet, (2) click "Apply Network Settings" from Portal Network blade.

Note: "Apply Network Settings" alone temporarily mitigates until next OS upgrade — suggests Bootstrapper performs different cert chain assembly during reboot vs re-image. Mitigated as emerging issue tracking LSI since fix is documented customer config change.

5. Monitoring Miss?

Yes. No LSI or proactive alert before CRI. Multiple Sev2 CRIs filed by customers — consistently discovered through customer reports. No existing monitor detects incomplete cert chains on gateway endpoints after OS upgrades.

6. Repairs

• Investigate why Bootstrapper handles cert chain differently during re-image (OS Upgrade) vs reboot
• Create awareness of emerging issue pattern
• No formal repair items attached

1. Customer Complaint

Customer services were stuck and not recovering. Subscriptions re-enabled and services not coming back.

2. What customer saw

Service shown as Deleted/Suspended in Portal for days after customer being unsuspended. No actual error or banner.

3. CSS telemetry

Services not being created, no telemetry at all for 3 different CRIs. CSS opened an emerging issue.

4. Diagnosis & Fix

Undelete queue blocked by poison pills. With SRE Agent help identified that SubscriptionLifecycleOrchestration runs 5 steps: (1) WarnSuspendedContainers, (2) SuspendWarnedContainers, (3) SuspendAndWarnActiveContainers, (4) TerminateContainersWhoseSubscriptionIsUnRegisteredOrDeleted, (5) ActivateContainersForSubscriptionWhichGotRegistered.

Orchestration hardcoded to max 20 services per iteration. ~14 services persistently failing to undelete (SKUv2 RG quota, P1v3 pool exhaustion). With 12-16 failing per cycle + previous steps filling the bucket, no opportunity to process undelete queue.

Fix: Kriti unblocked 7 services failing with P1v3. Team unblocked SQL size and SKUv2 RG quota failures to free space. Nina made hotfix to skip poison pills so they no longer block queue completely.

5. Monitoring Miss?

Yes — No SLA or completion monitoring for undelete. No check on how long a service has been waiting to be undeleted. Undelete buried inside SubscriptionLifecycleOrchestration as the last possible step. Also found SKUv2 preprovisioning RGs with quota exhaustion (MSI 800/800, ServerFarms 100/100) — creating and leaving them regardless of undelete success/failure.

6. Repairs

• Done: Skip hotfix rolled out behind beta feature (poison pill bypass)
• Needed: Cleanup of quota-exhausted SKUv2 preprovisioning RGs
• Needed: Decouple undelete from SubscriptionLifecycleOrchestration
• Needed: SLA metric / Alert on undelete consistently failing