[Izikiel43]

Probably because the actual portal service call happens at new page load. Metric pages and everything else are data plane/control plane info most likely, which is coming from other services.

An easy way to validate this would be using fidler or similar to analyze the traffic that happens in the loaded page.

[mixdup]

This is exactly the case. API calls/cli tools never went down because they tickle the control plane APIs directly, and the Portal also tickles those APIs directly. The Portal seems to just be a client-side web app, and the CDN serving that and what ever minimal server-side infra that makes login work, etc was what was targeted by the ddos