Test-AppInsightsTelemetryFlow
1.0.0
Tests network connectivity (DNS, TCP, TLS), validates AMPLS/Private Link
configurations, checks for known issues that cause silent data loss, and
sends a test telemetry record to confirm end-to-end pipeline health.
QUICK START:
Install-Script -Name Test-AppInsightsTelemetryFlow
Test-AppInsightsTelemetryFlow -ConnectionString "InstrumentationKey=..."
WHAT IT CHECKS:
- DNS resolution for all Azure Monitor endpoints
- TCP connectivity (port 443) and TLS handshake validation
- Proxy and TLS inspection detection
- AMPLS private link IP validation (with Azure login)
- Known issues: local auth, ingestion sampling, deleted workspace,
  daily cap, diagnostic settings duplicates, workspace transforms
- End-to-end telemetry ingestion test with KQL verification query
- Data plane query to verify record arrived with latency breakdown
All Azure operations are READ-ONLY. The script never modifies any resource.
MULTI-CLOUD SUPPORT:
Azure Public, Azure Government, and Azure China (21Vianet) are detected
automatically from the connection string endpoints. All API calls, DNS
zones, and troubleshooting links adapt to the detected cloud.
AZURE CHECKS (automatic):
If the Az.Accounts module is installed and you have an active Azure login,
the script automatically performs AMPLS validation, known issue checks, and
E2E verification against the data plane API. No extra switches needed.
Use -NetworkOnly to skip all Azure calls (pure network checks only).
OUTPUT MODES:
- Default: Full verbose output with educational explanations
- Compact: Progress lines only with focused diagnosis at the end
WHAT TO EXPECT:
The script runs non-interactively in ~10-30 seconds for network checks.
With Azure checks enabled, total time is ~30-90 seconds (includes ~60s
of polling for E2E verification). Results display as they complete.
Two report files (JSON + TXT) are saved automatically to -OutputPath.
CONSENT PROMPTS:
Before querying Azure resources or sending test telemetry, the script
prompts for interactive Y/N consent. Use -AutoApprove to bypass prompts
in CI/CD, scheduled tasks, or other non-interactive environments.
Use -NetworkOnly or -SkipIngestionTest to skip gated operations entirely.
PREREQUISITES:
Network checks require PowerShell 5.1+ (Windows) or PowerShell 7+
(Linux/macOS). No external modules are needed for network checks.
Azure resource checks require Az.Accounts and Az.ResourceGraph modules
(auto-detected at runtime; the script tells you if they're missing).
Designed to run from:
- Azure App Service (Kudu/SCM PowerShell console)
- Azure Function App (Kudu console)
- Azure VMs / VMSS
- AKS node or pod (pwsh)
- On-premises servers
- Developer workstations
- Cloud Shell (connected to VNet)
AZURE API CALLS (read-only):
When Az modules are available and logged in, the script makes these calls:
With authentication (Connect-AzAccount required):
  POST  management.azure.com        ARG query to find App Insights resource
  POST  management.azure.com        ARG query to find AMPLS/private link scopes
  POST  management.azure.com        ARG query to find workspace transform DCRs
  GET   management.azure.com        ARM: Read AMPLS scoped resources, access modes
  GET   management.azure.com        ARM: Read private endpoint DNS configurations
  GET   management.azure.com        ARM: Read backend LA workspace (health, cap, access mode)
  GET   management.azure.com        ARM: Read daily cap (PricingPlans API)
  GET   management.azure.com        ARM: Read diagnostic settings
  POST  api.applicationinsights.io  Data plane: KQL query for E2E verify
Without authentication (always runs):
  DNS   Resolve each endpoint hostname via Resolve-DnsName / nslookup
  TCP   Connect to port 443 via System.Net.Sockets.TcpClient
  TLS   Handshake validation via System.Net.Security.SslStream
  POST  {ingestion-endpoint}/v2.1/track  Send one test availability record
Use -Debug to see every request/response in real time.
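EXAMPLE (added here, not taken from the script):
The unauthenticated DNS, TCP and TLS stages listed above can be reproduced by hand with the same .NET classes, reporting which stage failed and who issued the certificate that was presented. Test-EndpointPath is a hypothetical name; the default host is one of the hostnames listed above.

```powershell
# Added illustration; Test-EndpointPath is a hypothetical name, not a function of the script.
function Test-EndpointPath {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Host = $HostName; Addresses = @(); FailedStage = $null; Error = $null
        TlsProtocol = $null; CertSubject = $null; CertIssuer = $null
    }
    $stage = 'DNS'
    $tcp = $null; $ssl = $null
    try {
        # Stage 1: DNS. A private (RFC 1918) address here means a Private Link zone answered.
        $r.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() })

        # Stage 2: TCP connect with an explicit timeout so a silently dropped SYN cannot hang the check.
        $stage = 'TCP'
        $tcp = [System.Net.Sockets.TcpClient]::new()
        if (-not $tcp.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "No TCP connection to ${HostName}:$Port within $TimeoutMs ms"
        }

        # Stage 3: TLS handshake with default certificate validation against $HostName.
        $stage = 'TLS'
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsProtocol = $ssl.SslProtocol.ToString()
        $r.CertSubject = $cert.Subject
        $r.CertIssuer  = $cert.Issuer   # a corporate proxy/firewall CA here indicates TLS inspection
    }
    catch {
        # Record the stage that was in progress and the innermost exception message.
        $r.FailedStage = $stage
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$r
}

Test-EndpointPath -HostName 'management.azure.com' | Format-List
```

A FailedStage of TLS together with an untrusted-certificate error usually means an inspecting device whose root CA is not trusted on the machine. The connection is made directly and sends no application data, so it does not exercise any configured proxy.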
Copyright
(c) Microsoft Corporation. All rights reserved.
Package Details
Author(s)
- Todd Foust (Microsoft)
Tags
ApplicationInsights AzureMonitor Diagnostics Troubleshooting AMPLS PrivateLink Connectivity Windows Linux MacOS
Functions
Write-Header Write-HeaderEntry Get-MaskedEmail Write-Result Write-DetailHost Write-ProgressStart Write-ProgressLine Add-Diagnosis Get-ConsoleWidth Write-Wrapped Get-Timestamp Write-HostLog Request-UserConsent Write-DebugRequest Write-DebugResponse Write-DebugAzGraph Write-DebugAzRest Write-ScriptDebug ConvertFrom-ConnectionString Test-InstrumentationKeyFormat Test-AzureMonitorEndpoint Get-DnsFailureInfo Test-DnsResolution Get-DnsServerAddress Test-TcpConnectivity Test-TlsHandshake Test-IngestionEndpoint Get-AppInsightsDataPlaneToken Invoke-DataPlaneQuery Test-EndToEndVerification Get-EnvironmentInfo Test-AmplsIpParameter Find-AmplsByPrivateIp Get-IngestionEndpointPrefix Find-IngestionEndpointInAmplsResult Test-AmplsPrerequisite Find-AppInsightsResource Find-AmplsForResource Get-AmplsAccessMode Get-AmplsPrivateEndpoint Show-AmplsValidationTable
Dependencies
This script has no dependencies.
Release Notes
v1.0.0 - Initial public release. DNS, TCP, TLS, ingestion test, E2E verification,
AMPLS validation, known issue checks (local auth, daily cap, workspace health,
ingestion sampling, DCR transforms). Azure checks auto-detect Az module.
FileList
- Test-AppInsightsTelemetryFlow.nuspec
- Test-AppInsightsTelemetryFlow.ps1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 1.0.0 (current version) | 5 | 3/20/2026 |