Microsoft Updated AZ-720 Exam Questions and Answers by catherine

Box 1: Verify that VNet1 is configured to use the built-in Azure resolution

As mentioned in the scenario, you need to troubleshoot and resolve the reverse DNS lookup issues. Reverse DNS lookup is a process of resolving an IP address to a host name2. For example, if you have a virtual machine with an IP address of 10.0.0.4 and a host name of vm1.contoso.com, you can use reverse DNS lookup to find the host name from the IP address.

One way to perform reverse DNS lookup in Azure is to use the built-in Azure resolution. The built-in Azure resolution is a feature that allows reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default1. This feature works for both IPv4 and IPv6 addresses, and it supports both public and private IP addresses. The built-in Azure resolution uses the host name of the virtual machine as the reverse DNS record.

To use the built-in Azure resolution, you need to configure your virtual network to use the default Azure-provided DNS servers. These are the DNS servers that are automatically assigned to your virtual network when you create it3. You can verify or change the DNS server settings of your virtual network using the Azure portal, PowerShell, CLI, or REST API.

To verify that VNet1 is configured to use the built-in Azure resolution using the Azure portal, follow these steps:

• In the Azure portal, navigate to the Virtual Network resource.
• Select DNS servers under Settings.
• Check if Default (Azure-provided) is selected under DNS servers. If not, select it and click Save to apply the changes.

After configuring your virtual network to use the built-in Azure resolution, you can test the reverse DNS lookup using tools such as nslookup or dig. For example, you can use the following command to perform a reverse DNS lookup for an IP address of 10.0.0.4:

nslookup -type=PTR 10.0.0.4

The output should show the host name of the virtual machine that has that IP address.

Box 2: Create an in-addr.arpa private DNS zone and link it to VNet1, VNet2, and VNet3.

Reverse DNS lookup issues are related to resolving IP addresses to their corresponding hostnames. In the given scenario, the issue is with reverse DNS lookups for the resources in the three virtual networks. Creating an in-addr.arpa private DNS zone and linking it to VNet1, VNet2, and VNet3 would ensure that the reverse DNS lookups can be resolved correctly across all three virtual networks. Reference: 1. Azure Private DNS: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview 2. Reverse DNS lookup in Azure: https://docs.microsoft.com/en-us/azure/dns/private-dns-reverse-public-ip

Box 1: Configure service endpoint for subnet on VNet2 and VNet3. 

This is what you should do to resolve issues accessing contosostorage1 from VNet2 and VNet3. A service endpoint is a feature that enables you to secure your Azure Storage account to a specific virtual network subnet1.

As mentioned in the scenario, contosostorage1 is a storage account that has firewall and virtual network settings enabled. This means that only requests from allowed networks can access the storage account2. By default, storage accounts accept connections from clients on any network, but you can configure firewall rules to allow or deny access based on the source IP address or virtual network subnet2.

In this scenario, you want to allow access to contosostorage1 from VNet2 and VNet3, which are peered with VNet1. To do this, you need to configure service endpoints for the subnets on VNet2 and VNet3 that need to access the storage account1. A service endpoint is a feature that enables you to secure your Azure Storage account to a specific virtual network subnet1. When you enable a service endpoint for a subnet, you can then grant access to the storage account only from that subnet1. This way, you can restrict access to your storage account and improve network performance by routing traffic through an optimal path.

To configure service endpoints for a subnet using the Azure portal, follow these steps1:

• In the Azure portal, navigate to the Virtual Network resource.
• Select Subnets, then select the subnet that needs to access the storage account.
• Under Service endpoints, select Microsoft.Storage from the drop-down list.
• Select Save to apply the changes.

To configure service endpoints for a subnet using the Azure CLI or PowerShell, see Enable a service endpoint.

After configuring service endpoints for the subnets on VNet2 and VNet3, you also need to grant access to contosostorage1 from those subnets. To do this, you need to modify the firewall rules on the storage account2.

To modify the firewall rules on the storage account using the Azure portal, follow these steps2:

• In the Azure portal, navigate to the Storage Account resource.
• Select Firewalls and virtual networks under Settings.
• Under Allow access from selected networks, select Add existing virtual network.
• Select the virtual network and subnet that have service endpoints enabled for Microsoft.Storage.
• Select Add to save the changes.

To modify the firewall rules on the storage account using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.

Box 2: Configure the firewall settings on contosostorage1.

The issue reported is that on-premises connections to contosostorage1 are unsuccessful. The main reason for this could be that the firewall settings on the storage account are blocking the connections. By configuring the firewall settings on contosostorage1 to allow the on-premises IP addresses, you can ensure that the on-premises connections are successful.

As mentioned in the scenario, contosostorage1 is a storage account that has firewall and virtual network settings enabled. This means that only requests from allowed networks can access the storage account1. By default, storage accounts accept connections from clients on any network, but you can configure firewall rules to allow or deny access based on the source IP address or virtual network subnet1.

In this scenario, you want to allow access to contosostorage1 from the on-premises environment, which is connected to Azure using a Site-to-Site VPN connection. A Site-to-Site VPN connection lets you create a secure connection between your on-premises network and an Azure virtual network over an IPsec/IKE VPN tunnel2. To allow access to contosostorage1 from the on-premises environment, you need to configure the firewall settings on contosostorage1 to include the public IP address of your VPN device or gateway3.

To configure the firewall settings on contosostorage1 using the Azure portal, follow these steps1:

• In the Azure portal, navigate to the Storage Account resource.
• Select Firewalls and virtual networks under Settings.
• Under Allow access from selected networks, select Add existing virtual network.
• Select VNet1 and the subnet that has service endpoints enabled for Microsoft.Storage.
• Under Firewall, enter the public IP address of your VPN device or gateway under Address Range.
• Select Save to apply the changes.

To configure the firewall settings on contosostorage1 using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.

Box 1: Key Vault transaction limit.Based on the given scenario, the issue is related to the number of transactions per second (TPS) being throttled. The Azure Key Vault has a transaction limit, which varies depending on the service tier. In the provided images, the error message states that the request rate is too large, indicating that the transaction limit has been reached. To resolve this issue, you can either distribute the transactions over a longer period, implement a retry policy, or consider upgrading to a higher service tier if the current tier's transaction limit is insufficient for your needs. Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits

Box : 2 Distribute requests across additional Azure Key vaults

In the provided scenario, the issue is that the Azure Key Vault is experiencing throttling due to too many requests per second. Throttling occurs when the number of requests exceeds the allowed limits for a given time period. To resolve this issue, you should distribute the requests across additional Azure Key Vaults. By doing so, you can balance the load and prevent exceeding the request limits, thus avoiding throttling. Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling

To resolve the VM2 routing issue, you should modify the IP configuration setting of the Azure network interface resource of VM2. This will ensure that VM2 can communicate with other resources in the virtual network.

Troubleshooting connectivity problems between Azure VMs involves several steps such as checking whether NIC is misconfigured, whether network traffic is blocked by NSG or UDR, whether network traffic is blocked by VM firewall, whether VM app or service is listening on the port and whether the problem is caused by SNAT1.