Stream Azure Spring Apps application console logs in real time

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps.

This article describes how to enable log streaming in the Azure CLI to get real-time application console logs for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see Analyze logs and metrics with diagnostics settings. For more information on streaming logs, see Stream Azure Spring Apps job logs in real time.

Prerequisites

Stream logs

Use the following steps to stream logs in the Azure portal:

  1. Go to the Overview page for your Azure Spring Apps service instance and then select Apps in the navigation pane.

  2. Find your target app and select the context menu.

  3. In the pop-up context menu, select View log stream.

    Screenshot of the Azure portal that shows the Apps page with the View log stream context menu item highlighted.

By default, logs start streaming for a randomly selected app instance. You can select yours afterwards.

Screenshot of the Azure portal that shows the Log stream page.

For convenience, there are many entry points to stream logs. You can find them in the following panes:

  • The App list pane
  • The Deployment list pane
  • The App instance list pane

Stream an Azure Spring Apps app log in a virtual network injection instance

For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see Deploy Azure Spring Apps in a virtual network

Azure Spring Apps also enables you to access real-time app logs from a public network using Azure portal or the Azure CLI.

Note

Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you.

Use the following steps to enable a log streaming endpoint on the public network:

  1. Select the Azure Spring Apps service instance deployed in your virtual network and then select Networking in the navigation menu.

  2. Select the Vnet injection tab.

  3. Switch the status of Dataplane resources on public network to enable to enable a log streaming endpoint on the public network. This process takes a few minutes.

    Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted.

After you enable the log stream public endpoint, you can access the app log from a public network just like you would access a normal instance.

Secure traffic to the log streaming public endpoint

Log streaming uses the same key as the test endpoint described in Set up a staging environment in Azure Spring Apps to authenticate the connections to your deployments. As a result, only users who have read access to the test keys can access log streaming.

To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see Tutorial: Filter network traffic with a network security group using the Azure portal. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Note

If you can't access app logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you allowed such inbound traffic.

The following table shows an example of a basic rule that we recommend. You can use commands like nslookup with the endpoint <service-name>.private.microservices.azure.cn to get the target IP address of a service.

Priority Name Port Protocol Source Destination Action
100 Rule name 80 TCP Internet Service IP address Allow
110 Rule name 443 TCP Internet Service IP address Allow

Next steps