Exercise: Troubleshoot cloud and hybrid connectivity
Important
You need your own Azure subscription to complete the exercises in this module. If you don't have an Azure subscription, you can still view the demonstration video at the bottom of this page.
If you have not already run the script in unit 2, please do so now so you can follow the exercise below.
You have configured your network as shown in the diagram below. You want VM1 and VM2 to communicate via the VnetHub. Users are complaining that VM1 cannot communicate with VM2. You need to investigate to diagnose the problem, and then fix it.
There are three Azure virtual networks (VNets) in a hub and spoke topology.
Diagnosis
Verify the network topology
Sign in to the Azure portal using the same account you used to activate the sandbox.
Familiarize yourself with the network topology and check that it matches the diagram above.
Check the private IP addresses of the firewall (FW1) and virtual machines (VM1 and VM2). These are allocated automatically. Make a note of the correct IP addresses if they are different from the diagram.
Check OSI level 3 connectivity
Connect to each virtual machine (VM1 and VM2) using Remote Desktop. Windows credentials are:
User name: AdminXyz
Password: sfr9jttzrjjeoem7hrf#
On VM1, open a command prompt window and ping the private IP address of VM2.
Ping the private IP address of the Azure firewall (FW1).
On VM2, open a command prompt window and ping the private IP address of VM1.
Ping the private IP address of the Azure firewall (FW1).
Troubleshoot the problem
To understand what is causing the problem, try the following troubleshooting steps:
Examine ipconfig /all on both VM1 and VM2.
Examine the Network Security Groups, and routing tables.
Examine the firewall and the firewall rules.
Examine the peering connection properties.
The diagram shows the effective routes on VM1-nic.
Resolution
When you examined the peering connections, you would have found that the peering settings are different.
VNet | Peering name | Traffic forwarded from remote virtual network
---|---|---
VnetHub | Hub-Spoke1 | Allow (default)
VnetHub | Hub-Spoke2 | Block traffic that originates from outside this virtual network
VnetSpoke1 | Spoke1-Hub | Allow (default)
VnetSpoke2 | Spoke2-Hub | Block traffic that originates from outside this virtual network
The settings on Hub-Spoke2 are incorrect.
To fix the problem, you must change the setting on both sides of the peering between VnetHub and VnetSpoke2:
Hub-Spoke2
Spoke2-Hub
The Traffic forwarded from remote virtual network setting must be set to Allow on both peerings.
It should now be possible on VM1 to ping VM2.
There will be a short delay before the new settings take effect. If the ping fails at first, try again.
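The peering check above can be scripted so the misconfiguration is found without clicking through each peering. The following is an added example, not part of the exercise: it walks the four peering links on the VM1 -> VnetHub -> VM2 path and reports any whose "Traffic forwarded from remote virtual network" is set to Block (the `allowForwardedTraffic` field in Azure CLI/ARM output), then prints the matching `az network vnet peering update` commands. The sample data is constructed to mirror the table above, and the resource group name is a placeholder.

```python
"""Audit hub-and-spoke VNet peerings for the setting the exercise fixes:
'Traffic forwarded from remote virtual network' (allowForwardedTraffic)."""


def _vnet_id(name):
    # Constructed resource id; only the trailing segment (the VNet name) is read back.
    return f"/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/{name}"


def _peering(name, remote, allow_forwarded):
    # Shaped like one entry of `az network vnet peering list --vnet-name <vnet>`, trimmed.
    return {"name": name, "peeringState": "Connected",
            "allowForwardedTraffic": allow_forwarded,
            "remoteVirtualNetwork": {"id": _vnet_id(remote)}}


# Constructed sample: one peering list per VNet, values taken from the exercise table.
SAMPLE = {
    "VnetHub":    [_peering("Hub-Spoke1", "VnetSpoke1", True),
                   _peering("Hub-Spoke2", "VnetSpoke2", False)],
    "VnetSpoke1": [_peering("Spoke1-Hub", "VnetHub", True)],
    "VnetSpoke2": [_peering("Spoke2-Hub", "VnetHub", False)],
}


def remote_vnet(peering):
    return peering["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]


def find_peering(peerings_by_vnet, local, remote):
    for p in peerings_by_vnet.get(local, []):
        if remote_vnet(p) == remote:
            return p
    raise LookupError(f"no peering from {local} to {remote}")


def blocked_links(peerings_by_vnet, hub, spoke_a, spoke_b):
    """Return 'VNet/peering' for each link on the spoke_a -> hub -> spoke_b path
    that is not Connected or has forwarded traffic set to Block."""
    path = [(hub, spoke_a), (spoke_a, hub), (hub, spoke_b), (spoke_b, hub)]
    blocked = []
    for local, remote in path:
        p = find_peering(peerings_by_vnet, local, remote)
        if p["peeringState"] != "Connected" or not p["allowForwardedTraffic"]:
            blocked.append(f"{local}/{p['name']}")
    return blocked


def fix_commands(blocked, resource_group="<resource-group>"):
    """Azure CLI commands that flip each blocked link to Allow (resource group is a placeholder)."""
    return [f"az network vnet peering update -g {resource_group} --vnet-name {v} "
            f"-n {n} --set allowForwardedTraffic=true"
            for v, n in (b.split("/") for b in blocked)]


if __name__ == "__main__":
    bad = blocked_links(SAMPLE, "VnetHub", "VnetSpoke1", "VnetSpoke2")
    print("Blocked links:", bad)  # Hub-Spoke2 and Spoke2-Hub, as in the exercise
    for cmd in fix_commands(bad):
        print(cmd)
```

To run it against a real environment, replace SAMPLE with the parsed output of `az network vnet peering list -g <resource-group> --vnet-name <vnet> -o json` for each of the three VNets.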
In this demonstration you will see how to proactively troubleshoot Conditional Access policies using the What if tool in the Azure portal: