The latest Troubleshooting Microsoft Azure Connectivity AZ-720 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Troubleshooting Microsoft Azure Connectivity AZ-720 exam and earn Troubleshooting Microsoft Azure Connectivity AZ-720 certification.
Table of Contents
- Question 21
- Exam Question
- Correct Answer
- Explanation
- Question 22
- Exam Question
- Correct Answer
- Question 23
- Exam Question
- Correct Answer
- Explanation
- Question 24
- Exam Question
- Correct Answer
- Question 25
- Exam Question
- Correct Answer
- Explanation
- Reference
- Question 26
- Exam Question
- Correct Answer
- Question 27
- Exam Question
- Correct Answer
- Explanation
- Reference
- Question 28
- Exam Question
- Correct Answer
- Explanation
- Question 29
- Exam Question
- Correct Answer
- Explanation
- Question 30
- Exam Question
- Correct Answer
- Explanation
- Reference
Question 21
Exam Question
You need to resolve the VM2 routing issue.
What should you do?
A. Modify the IP configuration setting of the Azure network interface resource of VM1.
B. Add a network interface to VM1.
C. Add a network interface to VM2.
D. Modify the IP configuration setting of the Azure network interface resource of VM2.
Correct Answer
D. Modify the IP configuration setting of the Azure network interface resource of VM2.
Explanation
To resolve the VM2 routing issue, you should modify the IP configuration setting of the Azure network interface resource of VM2. This will ensure that VM2 can communicate with other resources in the virtual network.
Troubleshooting connectivity problems between Azure VMs involves several steps: checking whether the NIC is misconfigured, whether network traffic is blocked by an NSG or UDR, whether network traffic is blocked by the VM firewall, whether the VM app or service is listening on the port, and whether the problem is caused by SNAT.
Question 22
Exam Question
HOTSPOT –
A company deploys an Azure Firewall. The company reports the following log entry:
For each of the following questions, select Yes or No.
NOTE: Each correct selection is worth one point.
Questions:
- Is the rule blocking entertainment sites?
- Is the log generated by a network rule?
- Is the log generated by Azure Firewall Premium?
Correct Answer
- Is the rule blocking entertainment sites? No
- Is the log generated by a network rule? No
- Is the log generated by Azure Firewall Premium? Yes
Question 23
Exam Question
A company plans to use an Azure PaaS service by using Azure Private Link service. The Azure Private Link service and an endpoint have been configured.
The company reports that the endpoint is unable to connect to the service.
You need to resolve the connectivity issue.
What should you do?
A. Approve the connection state.
B. Disable the service network policies.
C. Disable the endpoint network policies.
D. Validate the VPN device.
Correct Answer
C. Disable the endpoint network policies.
Explanation
To resolve the connectivity issue, you should approve the connection state. Azure Private Link service requires manual approval of connection requests from private endpoints by default. You can approve or reject a connection request by using PowerShell cmdlets or the Azure portal.
Question 24
Exam Question
Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
Fabrikam Inc. runs an online reservation service that allows agents to manage online registrations for various hotels, vacation rentals, and customers.
Current environment –
Environments –
The company has on-premises infrastructure and services that are hosted in Azure. The on-premises infrastructure includes servers that run Active Directory Domain Services (AD DS). Azure services include virtual machines (VMs) that are in one subscription and the following environments: development, testing, and production. Each environment is located in a different virtual network (VNet).
The company has a perimeter network that supports connections to the internet. The perimeter network is also hosted in a separate VNet. All of the VNets are connected by using virtual network peering.
Environment | Virtual network | VNet address space |
---|---|---|
Development | VNet1 | 10.150.16.0/23 |
Testing | VNet2 | 10.150.20.0/23 |
Production | VNet3 | 10.150.24.0/23 |
Perimeter network | VNet4 | 10.150.28.0/23 |
Virtual machines –
The company’s subscription contains the following Azure virtual machines (VMs):
Name | Network interface | Server IP address | Public IP address | Application security group | Connected to |
---|---|---|---|---|---|
VM1 | NIC1 | 10.150.16.11 | | ASG1 | Subnet11 |
VM10 | NIC10 | 10.150.16.110 | | ASG10 | Subnet110 |
VM2 | NIC2 | 10.150.20.12 | | ASG2 | Subnet12 |
VM3 | NIC3 | 10.150.24.13 | | ASG3 | Subnet13 |
VM4 | NIC4 | 10.150.28.14 | 20.6.6.6 | ASG4 | Subnet14 |
The Web Server (IIS) role is installed on VM4. The operating system firewall for each VM allows inbound ping requests.
Network security groups –
The company’s subscription includes the following network security groups (NSGs):
Name | Associated with |
---|---|
NSG1 | Subnet11 |
NSG2 | Subnet12 |
NSG3 | Subnet13 |
NSG4 | Subnet14 |
NSG5 | NIC4 |
NSG10 | Subnet110 |
Security rules –
NSG1, NSG2, NSG3, and NSG5 use the default inbound security rules. NSG4, NSG5, and NSG10 use the default outbound security rules.
NSG4 has the following inbound security rule:
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
100 | 80 | TCP | Internet | VirtualNetwork | Allow |
NSG10 has the following inbound security rules:
Priority | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|
100 | Any | TCP | ASG1 | VirtualNetwork | Allow |
200 | Any | Any | Any | Any | Deny |
Virtual network peering –
The virtual network peering connections are in the following table:
Virtual Network | Peer with VNet1 | Peer with VNet2 | Peer with VNet3 | Peer with VNet4 |
---|---|---|---|---|
VNet1 | N/A | VNet1-VNet2 | VNet1-VNet3 | VNet1-VNet4 |
VNet2 | VNet2-VNet1 | N/A | VNet2-VNet3 | VNet2-VNet4 |
VNet3 | VNet3-VNet1 | VNet3-VNet2 | N/A | VNet3-VNet4 |
VNet4 | VNet4-VNet1 | VNet4-VNet2 | VNet4-VNet3 | N/A |
Virtual network gateway –
A virtual network gateway named VNetGW is provisioned in the perimeter network. The virtual network gateway will provide:
- Network routing to customer data centers using site-to-site VPN connections.
- Network routing to Azure for the scheduling agents and sales employees using a point-to-site VPN connection.
Information about the virtual network gateway is shown in the following table:
SKU | Public address |
---|---|
VpnGw1 | 16.4.4.4 |
Site-to-site VPN connections –
The company’s site-to-site VPN connections with customers are shown in the following table:
Name | VPN gateway address | Customer address space | Customer resources | Policy-based or route-based | IKE version | Address routing |
---|---|---|---|---|---|---|
Alpine Ski House | 14.2.2.2 | 192.168.190.19/32 | Web server (SSL) | Route-based | IKEv2 | Static routing |
Contoso Suites | 11.2.2.2 | 192.168.30.12/32 | Web server (SSL) | Route-based | IKEv2 | BGP routing |
Margie’s Travel | 12.2.2.2 | 172.16.40.14/32 | Images | Route-based | IKEv2 | BGP routing |
Blue Yonder Airlines | 13.2.2.2 | 192.168.150.15/32 | Remote Desktop pool | Route-based | IKEv2 | BGP routing |
Point-to-site VPN configuration –
The point-to-site VPN is configured as shown in the following table:
Address space | Tunnel type | Authentication type |
---|---|---|
10.150.12.0/22 | OpenVPN (SSL) | Azure certificate, Azure Active Directory |
Users and groups –
The company’s user and group memberships are shown in the following table:
Username | Group name |
---|---|
User1 | Scheduling agents |
User2 | Warehouse |
User3 | Sales |
The scheduling agents, warehouse, and sales groups are members of the self-service password reset (SSPR) group named SSPR-group.
Azure AD Connect –
Azure AD Connect is installed on an on-premises server named SRV1. In addition:
- The server uses a pass-through authentication agent.
- The SSPR feature is enabled.
- The SSPR feature is applied only to a group named SSPR-group.
Network policy server –
Network Policy Server (NPS) is installed on an on-premises server named SRV2. The NPS extension for Azure AD multi-factor authentication (MFA) is configured on the server as well.
Requirements –
Business requirements –
- The scheduling agents’ internet connectivity should be blocked when connected to the point-to-site VPN.
- Sales employees must use the default VPN client on MacOS computers to connect to Azure.
- Azure AD Connect must synchronize all user accounts from AD DS to Azure AD.
Technical requirements –
- Pass-through authentication is required for all users.
- Azure AD multi-factor authentication (MFA) is required for all users.
- All admin user accounts must be in an organizational unit (OU) named Admins.
Issues –
Resource issues –
- You discover during testing that scheduling agents are experiencing latency when accessing resources at the Alpine Ski House. You suspect that the issue is related to TCP latency.
- You receive reports that VM1 is unable to access resources at Contoso Suites.
- Users report issues connecting from VM3 to resources at Margie’s Travel. The administrator for Margie’s Travel has verified that their VPN gateway is working correctly. You need to verify whether the Fabrikam virtual network gateway is available.
- The administrator of a partner company named Blue Yonder Airlines reports VPN disconnections and IPSec failure to connect errors.
- You receive the following error on SRV1 only when trying to synchronize an administrator named Admin1: 8344 Insufficient access rights to perform the operation
- MFA requests on SRV2 are failing with a security token error.
- You are unable to ping VM10 from VM1.
User issues –
- A scheduling agent named User1 reports that they can access the internet when connected to the point-to-site VPN.
- A user named User2 reports the following error when registering for SSPR: Your administrator has not enabled you to use this feature.
- Sales team employees report that they are unable to connect by using point-to-site VPN.
- A scheduling agent named Agent1 reports issues authenticating to Azure AD.
- An administrator named Admin2 reports they cannot connect to the web server public IP address on VM4 from VM2.
You need to resolve the issue reported by the sales team employees.
What should you do?
A. Download the Azure VPN client configuration.
B. Enable IKEv2 on the virtual network gateway.
C. Configure custom routes for the client VPN.
D. Upgrade the virtual network gateway to the VpnGw2 SKU.
E. Install the certificate exported from another client computer.
Correct Answer
E. Install the certificate exported from another client computer.
Question 25
Exam Question
HOTSPOT –
A company named Contoso connects to Azure PaaS services using Azure Private Link. The company has a virtual network named contoso-vn in a resource group named contoso-rg.
An engineer modifies the Private Link service by using Azure CLI. They are unable to use a source IP address from a subnet named default.
You need to resolve the issue.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer
Explanation
“az network vnet subnet” and “disable-private-link-service-network-policies”
Reference
Microsoft Learn > Azure > Networking > Private Link > Disable network policies for Private Link service source IP
Question 26
Exam Question
Case study –
This question uses the same Fabrikam Inc. case study as Question 24, reproduced in full above.
You need to troubleshoot the issue reported by Blue Yonder Airlines.
Which diagnostic log should you review?
A. TunnelDiagnosticLog
B. RouteDiagnosticLog
C. IKEDiagnosticlog
D. GatewayDiagnosticLog
Correct Answer
C. IKEDiagnosticlog
Question 27
Exam Question
HOTSPOT –
A company develops an Azure Cosmos DB solution.
The solution has the following components:
- A virtual network named VNet1 in a resource group named RG1.
- A subnet named Subnet1 in VNet1.
- A Private Link service.
The company is unable to configure a source IP address for the Private Link service from Subnet1.
You need to resolve the issue for Subnet1.
How should you complete the PowerShell commands? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer
Explanation
“privateLinkServiceNetworkPolicies” and “Disabled”
In order to choose a source IP address for your Private Link service, an explicit disable setting privateLinkServiceNetworkPolicies is required on the subnet.
Reference
Microsoft Learn > Azure > Networking > Private Link > Disable network policies for Private Link service source IP
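The subnet setting behind Questions 25 and 27 is the same one seen from two tools: the Azure CLI flag `--disable-private-link-service-network-policies` and the Az PowerShell subnet property `PrivateLinkServiceNetworkPolicies = "Disabled"`. The script below is an added example, not code from the page or from Microsoft; it applies the setting both ways, re-reads the subnet so the result can be checked, and uses the resource names from the two questions (contoso-rg / contoso-vn / default and RG1 / VNet1 / Subnet1). It assumes an authenticated session (`Connect-AzAccount` or `az login`) with rights to modify the virtual network.

```powershell
# Added example (not from the original page): disable Private Link service
# network policies on a subnet so one of its IPs can serve as the Private Link
# service source (NAT) IP, then read the setting back to confirm it.
# Assumes Connect-AzAccount / az login has already been run.

function Disable-PlsNetworkPoliciesAzPs {
    # Question 27 approach: Az PowerShell, subnet property set to "Disabled".
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $SubnetName
    )
    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
    if (-not $subnet) { throw "Subnet '$SubnetName' not found in $VNetName" }

    # Only the IP chosen as the Private Link service source IP is exempted from
    # network policies; other resources in the subnet stay governed by NSG rules.
    $subnet.PrivateLinkServiceNetworkPolicies = 'Disabled'
    $vnet | Set-AzVirtualNetwork | Out-Null

    # Re-read from Azure and return the effective value rather than the local copy.
    $updated = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    return ($updated.Subnets | Where-Object { $_.Name -eq $SubnetName }).PrivateLinkServiceNetworkPolicies
}

function Disable-PlsNetworkPoliciesAzCli {
    # Question 25 approach: Azure CLI (the same command works from bash or PowerShell).
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $SubnetName
    )
    az network vnet subnet update `
        --resource-group $ResourceGroupName `
        --vnet-name $VNetName `
        --name $SubnetName `
        --disable-private-link-service-network-policies true `
        --output none
    if ($LASTEXITCODE -ne 0) { throw "az network vnet subnet update failed for $SubnetName" }

    # Query the subnet and return the policy state ("Disabled" when successful).
    return az network vnet subnet show `
        --resource-group $ResourceGroupName `
        --vnet-name $VNetName `
        --name $SubnetName `
        --query privateLinkServiceNetworkPolicies `
        --output tsv
}

# Question 27 scenario: Subnet1 in VNet1, resource group RG1.
$ps = Disable-PlsNetworkPoliciesAzPs -ResourceGroupName 'RG1' -VNetName 'VNet1' -SubnetName 'Subnet1'
# Question 25 scenario: subnet 'default' in contoso-vn, resource group contoso-rg.
$cli = Disable-PlsNetworkPoliciesAzCli -ResourceGroupName 'contoso-rg' -VNetName 'contoso-vn' -SubnetName 'default'
if ($ps -ne 'Disabled' -or $cli -ne 'Disabled') { throw "Private Link service network policies are still enabled" }
```

Both functions return the value read back from Azure, so a deployment pipeline can fail fast if the update did not take effect. Note that this property is distinct from the subnet's private endpoint network policies (the setting that Question 23's option C refers to): it exempts only the chosen Private Link service source IP, so keep the source NAT subnet dedicated to that purpose rather than sharing it with workload VMs.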
Question 28
Exam Question
HOTSPOT –
Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.
Current environment –
General –
Contoso’s Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:
Resource type | Resource name | Description |
---|---|---|
Virtual network | VNet1 | A hub virtual network |
Virtual network | VNet2 and VNet3 | Spoke virtual networks peered to VNet1 |
Private DNS Zone | contoso.com | A private DNS zone linked to VNet1, VNet2, and VNet3. The zone contains A records for all Azure virtual machines (VMs) deployed in the three virtual networks. |
Public DNS Zone | contoso.com | A public DNS zone containing the A record of a public web site www.contoso.com |
VPN Gateway | VPNGW1 | The VPN gateway is deployed to VNet1. It provides site-to-site and point-to-site connectivity. The public IP address of VPNGW1 has the DNS name VPNGW1.eastus.cloudapp.azure.net. |
Storage account | contosostorage1 | An Azure Storage account hosting Contoso’s internal data. |
Key Vault | KV1, KV2, KV3, KV4, and KV5 | There are five key vaults that store encryption keys for Azure VM workloads. All Azure key vaults are configured to use access policy for authorization. |
Cosmos DB account | CosmosDB1 | Cosmos DB account hosting a database containing financial services inventory. |
VPN users use Windows 10 computers with the built-in SSTP VPN client software.
Recent changes –
- You extend the IP address space of VNet1 and create subnets in the new IP address space.
- You allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
- You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
- You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
- You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1. The Contoso data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
- You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
- You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
- You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:
Resource type | Resource name | Description |
---|---|---|
Subnet | Subnet1a | Subnet on VNet1 |
Subnet | Subnet2a | Subnet on VNet2 |
Virtual machine | VM1 | An Azure VM connected to Subnet1a |
Virtual machine | VM2 | An Azure VM connected to Subnet2a |
Route table | RT12 | A route table containing a user defined route (UDR). The UDR includes a next hop configured for the IP address of the network interface of VM2 and the IP address prefix configured for the Internet service tag. |
Issues –
DNS issues –
Reverse DNS lookup –
- Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
- Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
- VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup –
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.
Connectivity and routing issues –
Windows VPN –
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN –
The sales department users cannot connect by using the MacOS VPN client.
Azure Storage connectivity –
- Server Message Block (SMB)-mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
- Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity –
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
VM1 routing –
Internet traffic from VM1 is routed directly to the Internet.
VM2 routing –
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.
Azure and SharePoint issues –
Azure Key Vault –
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.
SharePoint in VNet2 –
SharePoint traffic between tiers is blocked by NSGs which is causing application failures.
SharePoint in VNet3 –
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.
Permission issues –
Data engineering team –
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment –
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.
Requirements –
DNS requirements –
Reverse DNS lookup –
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup –
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Connectivity and routing requirements
Windows VPN –
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN –
You must verify if Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.
Azure Storage connectivity –
You must resolve the issues with the SMB-mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse public internet.
Cosmos DB connectivity –
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.
VM1 routing –
RT12 must be configured to route internet traffic from VM1 through VM2.
VM2 routing –
VM2 must be configured to route internet traffic from VM1.
Azure and SharePoint requirements
Azure Key Vault –
You must identify the reason for the failures and recommend a solution.
SharePoint in VNet2 –
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3 –
You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.
Permission requirements –
Azure Bicep –
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team –
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using the Azure portal. They also require permission to back up and restore blobs in contosostorage1.
You need to troubleshoot the sales department issues.
How should you configure the system? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Remote ID
- VPNGW1.eastus.cloudapp.azure.net
- Azure Resource ID of VPNGW1
- Subject name of the root certificate
Local ID
- Subject name of the client certificate
- Host name of the client computer
- MAC address of the local network interface
Correct Answer
Remote ID: VPNGW1.eastus.cloudapp.azure.net
Local ID: Subject name of the client certificate
Explanation
Box 1: Subject name of the root certificate.
This is the value that should be configured as the system Remote ID for the VPN client on the sales department devices. The system Remote ID is used to identify the VPN server that the client is connecting to, and it must match the value that is configured on the VPN gateway in Azure. For Azure VPN Gateway, the system Remote ID is the subject name of the root certificate that is used for authentication1. Therefore, option C is correct. A detailed explanation with references is as follows:
As mentioned in the scenario, the sales department devices are using Point-to-Site VPN connections to access Azure resources. A Point-to-Site VPN connection lets you create a secure connection to your virtual network from an individual client computer2. To configure a Point-to-Site VPN connection, you need to create a virtual network gateway of type VPN in Azure, and then install a VPN client on each device that needs to connect2. The VPN client configuration includes several settings, such as the VPN server address, the tunnel type, and the authentication method. One of these settings is the system Remote ID, which is used to identify the VPN server that the client is connecting to1. The system Remote ID must match the value that is configured on the VPN gateway in Azure, otherwise the connection will fail.
For Azure VPN Gateway, there are three authentication methods available for Point-to-Site VPN connections: certificate-based authentication, OpenVPN with Azure AD authentication, and OpenVPN with certificate-based authentication2. For certificate-based authentication, which is used in this scenario, the system Remote ID is the subject name of the root certificate that is used for authentication1. The root certificate is uploaded to Azure when creating a Point-to-Site VPN connection, and it must be installed on each device that needs to connect2. The subject name of the root certificate can be obtained by using PowerShell or OpenSSL commands1. For example, using PowerShell (the store path needs its backslashes, and -like needs wildcards to match a partial subject):
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*ContosoRootCert*"}
$cert.Subject
The output of this command will show the subject name of the root certificate that matches ContosoRootCert. This value should be configured as the system Remote ID for the VPN client on each device.
Box 2: Subject name of the client certificate
In the provided scenario, the sales department is using a VPN to connect to the corporate network, and the VPN server is configured to use certificate-based authentication. To troubleshoot the sales department issues, you should configure the system Local ID to use the subject name of the client certificate. The subject name of a client certificate uniquely identifies the client and is used during the certificate-based authentication process. This allows the VPN server to verify the client’s identity and grant access to the corporate network.
This is the value that should be configured as the system Local ID for the VPN client on the sales department devices. The system Local ID is used to identify the VPN client that is connecting to the VPN server, and it must match the value that is configured on the VPN gateway in Azure. For Azure VPN Gateway, the system Local ID is the subject name of the client certificate that is used for authentication1. Therefore, option A is correct. A detailed explanation with references is as follows:
As mentioned in the scenario, the sales department devices are using Point-to-Site VPN connections to access Azure resources. A Point-to-Site VPN connection lets you create a secure connection to your virtual network from an individual client computer2. To configure a Point-to-Site VPN connection, you need to create a virtual network gateway of type VPN in Azure, and then install a VPN client on each device that needs to connect2. The VPN client configuration includes several settings, such as the VPN server address, the tunnel type, and the authentication method. One of these settings is the system Local ID, which is used to identify the VPN client that is connecting to the VPN server1. The system Local ID must match the value that is configured on the VPN gateway in Azure, otherwise the connection will fail.
For Azure VPN Gateway, there are three authentication methods available for Point-to-Site VPN connections: certificate-based authentication, OpenVPN with Azure AD authentication, and OpenVPN with certificate-based authentication2. For certificate-based authentication, which is used in this scenario, the system Local ID is the subject name of the client certificate that is used for authentication1. The client certificate is generated from a root certificate that is uploaded to Azure when creating a Point-to-Site VPN connection, and it must be installed on each device that needs to connect2. The subject name of the client certificate can be obtained by using PowerShell or OpenSSL commands1. For example, using PowerShell (again with the full store path and wildcards around the pattern):
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*ContosoClientCert*"}
$cert.Subject
The output of this command will show the subject name of the client certificate that matches ContosoClientCert. This value should be configured as the system Local ID for the VPN client on each device.
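The two one-liners above return one subject each. As an added example (not part of the original question or its explanation), the following PowerShell script, run on the Windows computer where the certificates were generated, finds the client certificate, finds the root that issued it, confirms the chain builds, and prints the values side by side with the gateway DNS name so that each can be compared against the Remote ID and Local ID settings. The patterns ContosoClientCert and ContosoRootCert are the page's placeholders; the resource names are the scenario's.

```powershell
# Added example, not code from the original page.
# Locate the point-to-site client certificate, the root that issued it, and
# print the identifiers that the VPN client's Local ID / Remote ID settings
# are compared against. Run it as the user whose store holds the certificates.
param(
    [string]$ClientCertPattern = 'ContosoClientCert',                # placeholder from the page
    [string]$RootCertPattern   = 'ContosoRootCert',                  # placeholder from the page
    [string]$GatewayFqdn       = 'VPNGW1.eastus.cloudapp.azure.net'  # gateway DNS name from the scenario
)

# -like needs wildcards; a bare string only matches an identical subject.
# Prefer the newest certificate that actually carries a private key.
$client = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$ClientCertPattern*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $client) {
    throw "No client certificate matching '$ClientCertPattern' with a private key in Cert:\CurrentUser\My"
}

# The issuing root is usually in Trusted Root; a self-signed root created with
# New-SelfSignedCertificate may still sit in My, so search both stores.
$root = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $client.Issuer -and $_.Subject -like "*$RootCertPattern*" } |
    Select-Object -First 1

if (-not $root) {
    throw "Issuer '$($client.Issuer)' of the client certificate was not found in the user's stores"
}

# Build the chain to confirm the client certificate validates up to that root.
# Revocation is skipped because self-signed P2S roots publish no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($client)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
$chain.Dispose()

[pscustomobject]@{
    ClientSubject = $client.Subject     # value the explanation gives for Local ID
    ClientExpires = $client.NotAfter    # an expired client cert fails auth before any ID check
    RootSubject   = $root.Subject       # value the explanation gives for Remote ID
    GatewayFqdn   = $GatewayFqdn        # value the answer key gives for Remote ID
    ChainBuilds   = $chainBuilds
    ChainStatus   = if ($chainStatus) { $chainStatus } else { 'NoError' }
} | Format-List
```

A client certificate whose issuer is not the root uploaded to VPNGW1, or whose chain does not build, is rejected by the gateway regardless of how the IDs are typed, so check ChainBuilds first and the identifiers second.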
Question 29
Exam Question
Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.
Current environment –
General –
Contoso’s Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:
Resource type | Resource name | Description |
---|---|---|
Virtual network | VNet1 | A hub virtual network |
Virtual network | VNet2 and VNet3 | Spoke virtual networks peered to VNet1 |
Private DNS Zone | contoso.com | A private DNS zone linked to VNet1, VNet2, and VNet3. The zone contains A records for all Azure virtual machines (VMs) deployed in the three virtual networks. |
Public DNS Zone | contoso.com | A public DNS zone containing the A record of a public web site www.contoso.com |
VPN Gateway | VPNGW1 | The VPN gateway is deployed to VNet1. It provides site-to-site and point-to-site connectivity. The public IP address of the VPNGW1 has the DNS name of VPNGW1.eastus.cloudapp.azure.net. |
Storage account | contosostorage1 | An Azure Storage account hosting Contoso’s internal data. |
Key Vault | KV1, KV2, KV3, KV4, and KV5 | There are five key vaults that store encryption keys for Azure VM workloads. All Azure key vaults are configured to use access policy for authorization. |
Cosmos DB account | CosmosDB1 | Cosmos DB account hosting a database containing financial services inventory. |
VPN users use Windows 10 computers with the built-in SSTP VPN client software.
Recent changes –
- You extend the IP address space of VNet1 and create subnets in the new IP address space.
- You allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
- You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
- You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
- You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
- Contoso’s data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
- You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
- You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
- You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:
Resource type | Resource name | Description |
---|---|---|
Subnet | Subnet1a | Subnet on VNet1 |
Subnet | Subnet2a | Subnet on VNet2 |
Virtual machine | VM1 | An Azure VM connected to Subnet1a |
Virtual machine | VM2 | An Azure VM connected to Subnet2a |
Route table | RT12 | A route table containing a user-defined route (UDR). The UDR includes the next hop configured for the IP address of the network interface of VM2 and the IP address prefix configured for the internet service tag. |
Issues –
DNS issues –
Reverse DNS lookup –
- Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
- Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
- VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup –
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.
Connectivity and routing issues –
Windows VPN –
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN –
The sales department users cannot connect by using the MacOS VPN client.
Azure Storage connectivity –
- Server Message Block (SMB)-mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
- Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity –
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
VM1 routing –
Internet traffic from VM1 is routed directly to the Internet.
VM2 routing –
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.
Azure and SharePoint issues –
Azure Key Vault –
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.
SharePoint in VNet2 –
SharePoint traffic between tiers is blocked by NSGs which is causing application failures.
SharePoint in VNet3 –
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.
Permission issues –
Data engineering team –
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment –
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.
Requirements –
DNS requirements –
Reverse DNS lookup –
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup –
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Connectivity and routing requirements
Windows VPN –
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN –
You must verify if Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.
Azure Storage connectivity –
You must resolve the issues with the SMB-mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse public internet.
Cosmos DB connectivity –
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.
VM1 routing –
RT12 must be configured to route internet traffic from VM1 through VM2.
VM2 routing –
VM2 must be configured to route internet traffic from VM1.
Azure and SharePoint requirements
Azure Key Vault –
You must identify the reason for the failures and recommend a solution.
SharePoint in VNet2 –
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3 –
You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.
Permission requirements –
Azure Bicep –
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team –
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using Azure portal. They also require permission to backup and restore blobs in contosostorage1.
You need to troubleshoot the CosmosDB1 issues from the on-premises environment.
What should you use?
A. Network Watcher next hop diagnostic tool
B. route command
C. Network Watcher Connection troubleshoot diagnostic tool
D. nslookup command
Correct Answer
A. Network Watcher next hop diagnostic tool
Explanation
This tool helps you troubleshoot network connectivity issues from a virtual machine to a given endpoint. It tests for reachability from the virtual machine to the endpoint and provides information about why a connection fails1. In this case, you can use this tool to troubleshoot the connectivity issues from the on-premises environment to CosmosDB1.
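As an added example (not part of the original explanation), the following Az PowerShell script runs the Network Watcher next hop diagnostic from VM1 toward the CosmosDB1 private endpoint and reports where the platform would send the packet. Next hop evaluates the effective routes of an Azure VM, so the test originates from VM1 in the hub that VPNGW1 forwards on-premises traffic into. The resource group name rg-contoso and the private endpoint address 10.0.3.10 are assumed placeholders; VM1 and the East US region come from the scenario.

```powershell
# Added example, not code from the original page.
# Ask Network Watcher where traffic from VM1 to the CosmosDB1 private endpoint
# would be delivered, and translate the NextHopType into a plain verdict.
param(
    [string]$ResourceGroup = 'rg-contoso',   # assumed placeholder
    [string]$VmName        = 'VM1',          # from the scenario
    [string]$Location      = 'eastus',       # region from the scenario
    [string]$DestinationIp = '10.0.3.10'     # assumed: CosmosDB1 private endpoint NIC address
)

# Network Watcher is a regional resource; use the instance for the VM's region.
$watcher = Get-AzNetworkWatcher -Location $Location
if (-not $watcher) { throw "Network Watcher is not enabled in $Location" }

# Source VM, its first NIC and that NIC's private address.
$vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$sourceIp = $nic.IpConfigurations[0].PrivateIpAddress

$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $watcher `
        -TargetVirtualMachineId $vm.Id `
        -TargetNetworkInterfaceId $nic.Id `
        -SourceIPAddress $sourceIp `
        -DestinationIPAddress $DestinationIp

# Interpret the result. RouteTableId is 'System Route' when no UDR applies.
$verdict = switch ($hop.NextHopType) {
    'VirtualNetwork'        { 'delivered inside the virtual network (private endpoint path)' }
    'VirtualNetworkGateway' { 'sent to the VPN gateway; check the gateway and on-premises routes' }
    'VirtualAppliance'      { "forwarded to appliance $($hop.NextHopIpAddress); check it forwards the traffic" }
    'Internet'              { 'sent to the internet; a UDR or missing private route is overriding the private path' }
    'None'                  { 'no route; the packet is dropped' }
    default                 { "next hop type $($hop.NextHopType)" }
}

[pscustomobject]@{
    Source      = $sourceIp
    Destination = $DestinationIp
    NextHopType = $hop.NextHopType
    NextHopIp   = $hop.NextHopIpAddress
    RouteTable  = $hop.RouteTableId
    Verdict     = $verdict
}
```

A VirtualNetwork next hop from VM1 shows that routing to the private endpoint is sound inside Azure; if on-premises clients still reach the public endpoint, the remaining difference is which address their resolver returns for the CosmosDB1 name, which this routing test does not cover.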
Question 30
Exam Question
HOTSPOT –
Case study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background –
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.
Current environment –
General –
Contoso’s Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:
Resource type | Resource name | Description |
---|---|---|
Virtual network | VNet1 | A hub virtual network |
Virtual network | VNet2 and VNet3 | Spoke virtual networks peered to VNet1 |
Private DNS Zone | contoso.com | A private DNS zone linked to VNet1, VNet2, and VNet3. The zone contains A records for all Azure virtual machines (VMs) deployed in the three virtual networks. |
Public DNS Zone | contoso.com | A public DNS zone containing the A record of a public web site www.contoso.com |
VPN Gateway | VPNGW1 | The VPN gateway is deployed to VNet1. It provides site-to-site and point-to-site connectivity. The public IP address of the VPNGW1 has the DNS name of VPNGW1.eastus.cloudapp.azure.net. |
Storage account | contosostorage1 | An Azure Storage account hosting Contoso’s internal data. |
Key Vault | KV1, KV2, KV3, KV4, and KV5 | There are five key vaults that store encryption keys for Azure VM workloads. All Azure key vaults are configured to use access policy for authorization. |
Cosmos DB account | CosmosDB1 | Cosmos DB account hosting a database containing financial services inventory. |
VPN users use Windows 10 computers with the built-in SSTP VPN client software.
Recent changes –
- You extend the IP address space of VNet1 and create subnets in the new IP address space.
- You allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
- You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
- You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
- You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
- Contoso’s data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
- You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
- You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
- You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:
Resource type | Resource name | Description |
---|---|---|
Subnet | Subnet1a | Subnet on VNet1 |
Subnet | Subnet2a | Subnet on VNet2 |
Virtual machine | VM1 | An Azure VM connected to Subnet1a |
Virtual machine | VM2 | An Azure VM connected to Subnet2a |
Route table | RT12 | A route table containing a user-defined route (UDR). The UDR includes the next hop configured for the IP address of the network interface of VM2 and the IP address prefix configured for the internet service tag. |
Issues –
DNS issues –
Reverse DNS lookup –
- Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
- Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
- VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup –
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.
Connectivity and routing issues –
Windows VPN –
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN –
The sales department users cannot connect by using the MacOS VPN client.
Azure Storage connectivity –
- Server Message Block (SMB)-mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
- Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity –
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
VM1 routing –
Internet traffic from VM1 is routed directly to the Internet.
VM2 routing –
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.
Azure and SharePoint issues –
Azure Key Vault –
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.
SharePoint in VNet2 –
SharePoint traffic between tiers is blocked by NSGs which is causing application failures.
SharePoint in VNet3 –
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.
Permission issues –
Data engineering team –
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment –
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.
Requirements –
DNS requirements –
Reverse DNS lookup –
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup –
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Connectivity and routing requirements
Windows VPN –
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN –
You must verify if Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.
Azure Storage connectivity –
You must resolve the issues with the SMB-mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse public internet.
Cosmos DB connectivity –
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.
VM1 routing –
RT12 must be configured to route internet traffic from VM1 through VM2.
VM2 routing –
VM2 must be configured to route internet traffic from VM1.
Azure and SharePoint requirements
Azure Key Vault –
You must identify the reason for the failures and recommend a solution.
SharePoint in VNet2 –
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3 –
You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.
Permission requirements –
Azure Bicep –
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team –
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using Azure portal. They also require permission to backup and restore blobs in contosostorage1.
You need to troubleshoot and resolve the reverse DNS lookup issues.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Determine the cause of the reverse DNS lookup issues.
- Verify that VNet1 has autoregistration enabled.
- Verify that VNet1 is configured to use the built-in Azure name resolution.
- Verify that VNet1 is peered to both VNet2 and VNet3.
Resolve the reverse DNS lookup issues.
- Create an in-addr.arpa private DNS zone and link it to VNet1, VNet2, and VNet3.
- Configure virtual network peering between VNet2 and VNet3.
- Enable autoregistration on VNet1, VNet2, and VNet3.
Correct Answer
Determine the cause of the reverse DNS lookup issues: Verify that VNet1 is configured to use the built-in Azure name resolution.
Resolve the reverse DNS lookup issues: Create an in-addr.arpa private DNS zone and link it to VNet1, VNet2, and VNet3.
Explanation
Box 1: Verify that VNet1 is configured to use the built-in Azure resolution
As mentioned in the scenario, you need to troubleshoot and resolve the reverse DNS lookup issues. Reverse DNS lookup is a process of resolving an IP address to a host name2. For example, if you have a virtual machine with an IP address of 10.0.0.4 and a host name of vm1.contoso.com, you can use reverse DNS lookup to find the host name from the IP address.
One way to perform reverse DNS lookup in Azure is to use the built-in Azure resolution. The built-in Azure resolution is a feature that allows reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default1. This feature works for both IPv4 and IPv6 addresses, and it supports both public and private IP addresses. The built-in Azure resolution uses the host name of the virtual machine as the reverse DNS record.
To use the built-in Azure resolution, you need to configure your virtual network to use the default Azure-provided DNS servers. These are the DNS servers that are automatically assigned to your virtual network when you create it3. You can verify or change the DNS server settings of your virtual network using the Azure portal, PowerShell, CLI, or REST API.
To verify that VNet1 is configured to use the built-in Azure resolution using the Azure portal, follow these steps:
- In the Azure portal, navigate to the Virtual Network resource.
- Select DNS servers under Settings.
- Check if Default (Azure-provided) is selected under DNS servers. If not, select it and click Save to apply the changes.
After configuring your virtual network to use the built-in Azure resolution, you can test the reverse DNS lookup using tools such as nslookup or dig. For example, you can use the following command to perform a reverse DNS lookup for an IP address of 10.0.0.4:
nslookup -type=PTR 10.0.0.4
The output should show the host name of the virtual machine that has that IP address.
Box 2: Create an in-addr.arpa private DNS zone and link it to VNet1, VNet2, and VNet3.
Reverse DNS lookup issues are related to resolving IP addresses to their corresponding hostnames. In the given scenario, the issue is with reverse DNS lookups for the resources in the three virtual networks. Creating an in-addr.arpa private DNS zone and linking it to VNet1, VNet2, and VNet3 would ensure that the reverse DNS lookups can be resolved correctly across all three virtual networks.
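As an added example covering both boxes (not part of the original explanation), the following Az PowerShell script derives the in-addr.arpa zone name from the address space, creates the private zone, links it to VNet1, VNet2, and VNet3, adds one PTR record per VM network interface pointing at the [vmname].contoso.com name, and finishes with the PTR query from Box 1. The resource group rg-contoso, the covering prefix 10.0.0.0/16, and the test address 10.0.0.4 are assumed placeholders; the VNet and zone names come from the scenario. The two helper functions handle any /8, /16 or /24 prefix, not only the /16 used here.

```powershell
# Added example, not code from the original page.
# Build and populate a reverse (in-addr.arpa) private DNS zone for the hub and
# spoke VNets so that PTR queries return <vm>.contoso.com from all three.
param(
    [string]$ResourceGroup = 'rg-contoso',                  # assumed placeholder
    [string[]]$VNetNames   = @('VNet1', 'VNet2', 'VNet3'),  # from the scenario
    [string]$AddressPrefix = '10.0.0.0/16',                 # assumed: prefix covering all three VNets
    [string]$ForwardZone   = 'contoso.com',                 # private forward zone from the scenario
    [string]$TestIp        = '10.0.0.4'                     # assumed VM address for the final check
)

# Reverse zone name: the network octets in reverse order, one octet per 8 prefix bits.
function Get-ReverseZoneName {
    param([string]$Cidr)
    $ip, $bits = $Cidr -split '/'
    $bits = [int]$bits
    if ($bits -notin 8, 16, 24) { throw "Use a /8, /16 or /24 prefix for an octet-aligned reverse zone; got /$bits" }
    $net = @(($ip -split '\.')[0..($bits / 8 - 1)])
    [array]::Reverse($net)
    return ($net -join '.') + '.in-addr.arpa'
}

# PTR record name inside that zone: the host octets in reverse order
# (10.0.0.4 in 0.10.in-addr.arpa becomes record "4.0").
function Get-PtrRecordName {
    param([string]$Ip, [string]$Cidr)
    $bits = [int](($Cidr -split '/')[1])
    $hostOctets = @(($Ip -split '\.')[($bits / 8)..3])
    [array]::Reverse($hostOctets)
    return $hostOctets -join '.'
}

$zoneName = Get-ReverseZoneName $AddressPrefix
if (-not (Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName -ErrorAction SilentlyContinue)) {
    New-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName | Out-Null
}

# Link every VNet. Registration stays off: auto-registration only creates A
# records in the forward zone, never PTR records, so these are added explicitly.
foreach ($vnetName in $VNetNames) {
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $vnetName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroup -ZoneName $zoneName `
        -Name "link-$vnetName" -VirtualNetworkId $vnet.Id -ErrorAction SilentlyContinue | Out-Null
}

# One PTR per NIC attached to a VM, pointing at the VM's forward name.
foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroup | Where-Object VirtualMachine) {
    $ip     = $nic.IpConfigurations[0].PrivateIpAddress
    $vmName = ($nic.VirtualMachine.Id -split '/')[-1]
    $record = New-AzPrivateDnsRecordConfig -Ptrdname "$vmName.$ForwardZone"
    New-AzPrivateDnsRecordSet -ResourceGroupName $ResourceGroup -ZoneName $zoneName `
        -Name (Get-PtrRecordName $ip $AddressPrefix) -RecordType PTR -Ttl 300 `
        -PrivateDnsRecords $record -Overwrite | Out-Null
}

# Box 1 check, run from a VM in any linked VNet: the answer should now be <vm>.contoso.com.
Resolve-DnsName -Name $TestIp -Type PTR
```

The PTR records have to be kept in step with the A records whenever a VM is created, deleted or re-addressed, since the private zone does not register them for you; running the record loop again after a change is enough because -Overwrite replaces stale entries.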
Reference
Microsoft Learn > Azure > Networking > DNS > What is Azure Private DNS?