Chapter 1: Troubleshoot Business Continuity Issues

Identify Connectivity Issues Between Services (Azure to Azure)

Azure-to-Azure connectivity issues can occur between services deployed in different regions, resource groups, subscriptions, or virtual networks (VNets). Common scenarios include:

• Azure Web App connecting to Azure SQL Database
• Azure Functions accessing Azure Storage
• VMs in different VNets needing secure communication

Key Troubleshooting Steps

1. Verify Network Peering

• Ensure Virtual Network Peering is established and the Allow forwarded traffic and Allow gateway transit options are correctly configured.
• Use az network vnet peering show or check peering settings in the Azure Portal.

1. Check Network Security Groups (NSGs)

• NSGs can block traffic between subnets, VNets, or regions.
• Use NSG flow logs to verify traffic is allowed.
• Use the Effective Security Rules in Azure Portal for VM NICs.

1. Firewall and Service Endpoint Restrictions

• Many PaaS services like Azure SQL and Azure Storage use service endpoints or private endpoints.
• Validate IP firewall rules or Private Link configurations.
• Use Azure Resource Manager logs to verify endpoint usage.

1. DNS Resolution

• Ensure proper DNS resolution between Azure services, especially when using private DNS zones.
• For example, misconfigured DNS can prevent an app from resolving a private endpoint name.

1. Diagnostic Tools

• Use Connection Troubleshoot in Network Watcher to test connectivity.
• Use Azure Monitor Logs to check for latency or timeouts between services.

Troubleshoot Hybrid Connectivity Issues (On-Prem to Azure)

Hybrid connectivity allows on-premises environments to connect securely with Azure. Common methods include Site-to-Site VPN, Point-to-Site VPN, and ExpressRoute.

Key Troubleshooting Areas

1. Site-to-Site VPN

• Check IPsec/IKE logs on both Azure and on-prem VPN devices.
• Use az network vpn-connection show and Get-AzVirtualNetworkGatewayConnection to verify tunnel status.
• Ensure both local and Azure address spaces are properly defined and do not overlap.

1. Point-to-Site VPN

• Ensure client certificates are valid and the VPN configuration is downloaded correctly.
• Troubleshoot with the Azure VPN client logs (%AppData%/AzureVPN).
• Use rasphone diagnostics and packet captures to validate IP routing.

1. BGP Configuration (ExpressRoute or VPN with BGP)

• Verify BGP session status.
• Use Get-AzExpressRouteCircuitPeeringConfig and check for learned routes.
• Use NVA (Network Virtual Appliance) logging to trace dropped BGP advertisements.

1. Firewall/NSG/Route Conflicts

• Ensure traffic from on-premises is allowed through firewalls and NSGs.
• Misconfigured User Defined Routes (UDRs) may send traffic to the wrong destination.

1. Connectivity Testing

• Use Azure Network Watcher IP Flow Verify to test from Azure.
• Use on-prem tracert or pathping to determine where traffic is dropped.

Analyze VPN and ExpressRoute Connectivity

VPN Gateway Troubleshooting

Azure VPN Gateways support both policy-based and route-based configurations.

1. Common VPN Gateway Issues

• IKE Phase 1 or 2 failure: Mismatch in encryption protocols, shared keys, or policies.
• Dead peer detection (DPD) failures: Monitor logs for inactive tunnels.
• MTU size issues: Result in fragmented packets; use ping -f -l to determine path MTU.

1. VPN Gateway Logs

• Enable Diagnostic logs for VPN Gateway.
• Analyze logs in Log Analytics:

kusto

CopyEdit

AzureDiagnostics | where Category == "GatewayDiagnosticLog" | sort by TimeGenerated desc

1. High Availability Issues

• Ensure VPN Gateway SKU supports Active-Active mode.
• Redundant tunnels should be tested using manual failover and packet capture.

ExpressRoute Troubleshooting

ExpressRoute offers private, dedicated connections.

1. Check Circuit Status

• Use:

bash

CopyEdit

az network express-route show --name <circuitName>

• Ensure ProvisioningState and ServiceProviderProvisioningState are both Provisioned.

1. Check Peering Status

• Validate BGP sessions are Established.
• Ensure VLAN ID is correct and IP configuration matches.

1. Verify Routing

• Use Route Table Summary in the Azure portal.
• Ensure routes are advertised and received properly.

1. Check for Route Filters

• Misconfigured route filters can block prefix advertisement.
• Use:

bash

CopyEdit

az network route-filter rule list --filter-name <filterName>

1. Loopback Tests

• Conduct loopback tests using ExpressRoute NVA or managed CPE.

Diagnose Azure Load Balancer and Application Gateway Issues

Azure Load Balancer

1. Basic vs. Standard SKU

• Basic Load Balancer does not support availability zones or diagnostics.
• Standard supports more features including NSG flow logs, health probes.

1. Health Probe Troubleshooting

• Check backend VM status using:

bash

CopyEdit

az network lb address-pool show-health

• Ensure backend VMs are responding on the health probe port/path.

1. NSG and UDR Conflicts

• NSGs on backend NICs or subnets can block traffic.
• Misconfigured UDRs can cause asymmetric routing.

1. Load Balancer Logging

• Enable diagnostics and check LoadBalancerProbeHealthStatus:

kusto

CopyEdit

AzureDiagnostics | where Category == "LoadBalancerProbeHealthStatus"

Application Gateway

1. Backend Pool Issues

• Common error: 502 - Web server received an invalid response.
• Use:

bash

CopyEdit

az network application-gateway show-backend-health

1. Listener Misconfigurations

• Ensure HTTP/HTTPS listeners are bound to correct frontend IP and port.
• Certificates must be valid and correctly uploaded for HTTPS.

1. WAF Mode Blocking

• Application Gateway with WAF may block traffic with rules.
• Review logs using:

kusto

CopyEdit

AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog"

1. Probe Path

• Probes must use correct path. E.g., /health vs /api/health.

1. Custom Errors

• Enable diagnostic logging for Application Gateway.
• Check for frequent error codes (502, 403, 504).

Case Studies & Practice Questions

Case Study 1: VPN Connectivity Failure

Scenario: A company has a Site-to-Site VPN connecting its on-premises datacenter to Azure. The connection drops intermittently.

Analysis:

• Check for IKE negotiation failures (found mismatched Phase 1 encryption settings).
• Logs revealed NAT-T was enabled on Azure but not on-premises.
• Resolution: Aligned policies and ensured NAT-T enabled on both ends.

Case Study 2: Service Unavailable via Application Gateway

Scenario: Users are receiving intermittent 502 errors accessing a web app behind Application Gateway.

Analysis:

• Backend health probes showed failure.
• The probe path was /status but the web app used /healthz.
• Resolution: Updated probe configuration and monitored backend health status logs.

Practice Questions

1. Which diagnostic tool in Azure helps you simulate and verify IP traffic flow to a VM?
   A. Log Analytics
   B. IP Flow Verify
   C. Traffic Manager
   D. Azure Monitor

✅ Answer: B. IP Flow Verify
Explanation: IP Flow Verify tests if a packet is allowed or denied based on NSGs and route tables.

1. An ExpressRoute connection is showing 'Not Provisioned' for ServiceProviderProvisioningState. What is the issue?
   A. BGP is misconfigured
   B. Provider has not provisioned the circuit
   C. Route filters are misconfigured
   D. Azure firewall is blocking traffic

✅ Answer: B. Provider has not provisioned the circuit
Explanation: The circuit is pending provisioning from the service...