Topic 1, Contoso Ltd, Case Study

Background

Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.

General

Contoso’s Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region. Users connect to resources from Windows 10 computers by using the built-in SSTP VPN software.

Recent changes

The company implements the following changes:

Extend the IP address space of VNet1 and create subnets in the new IP address space. Allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.

Enable a service endpoint on contosostorage1 to provide direct access to the storage content from all

Configure all business critical VM workloads to use encryption keys stored in all five key vaults.

Enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.

Develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.

Deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.

Deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.

Requirements

General requirements

You must adhere to the principle of least privilege when granting access to resources.

Reverse DNS lookup

You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.

Public DNS lookup

You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.

Windows VPN

You must verify if VPN client connectivity issues are related to routing and recommend a solution.

MacOS VPN

You must verify if the Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.

Azure Storage connectivity

You must resolve the issues with the SMB mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse the public internet.

Cosmos DB connectivity

You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.

DNS issues

Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net. Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.

VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.

Public DNS lookup

You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.

Connectivity and routing issues

Windows VPN

Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.

Sales department VPN

The sales department users connect by using the MacOS VPN client.

Azure Storage Connectivity

Server Message Block (SMB) mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.

Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.

Cosmos DB connectivity

You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.

Azure Key vault

Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429. You must identify the reason for the failures and recommend a solution.

SharePoint

SharePoint in VNet2

SharePoint traffic between tiers is blocked by NSGs which is causing application failures. You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.

SharePoint in VNet3

ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3. You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.

Permission issues

Azure Bicep

You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.

Data engineering team

You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using the Azure portal. The team requires minimum permissions to back up and restore blobs in contosostorage1. The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.

Azure VM deployment

Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.

VM1 and VM2

RT12 must be configured to route internal traffic from VM1 through VM2. You observe that internet traffic from VM1 is routed directly to the internet.

VM2

You configure VM2 to route internet traffic from VM1. After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.

HOTSPOT

You need to troubleshoot the Azure Key Vault issues.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Box 1: Key Vault transaction limit.

Based on the given scenario, the issue is related to the number of transactions per second (TPS) being throttled. The Azure Key Vault has a transaction limit, which varies depending on the service tier. In the provided images, the error message states that the request rate is too large, indicating that the transaction limit has been reached. To resolve this issue, you can either distribute the transactions over a longer period, implement a retry policy, or consider upgrading to a higher service tier if the current tier’s transaction limit is insufficient for your needs.

Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits

Box 2: Distribute requests across additional Azure Key vaults

In the provided scenario, the issue is that the Azure Key Vault is experiencing throttling due to too many requests per second. Throttling occurs when the number of requests exceeds the allowed limits for a given time period. To resolve this issue, you should distribute the requests across additional Azure Key Vaults. By doing so, you can balance the load and prevent exceeding the request limits, thus avoiding throttling.

Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling
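As an added illustration of the two mitigations named in the explanation above (this is not part of the original case study and not Microsoft's SDK code), the Python below simulates a vault that answers HTTP 429 with a Retry-After header once its per-second capacity is exceeded, wraps calls in a retry policy with exponential backoff and jitter that honours Retry-After, and spreads a burst of requests round-robin across several vault URLs. FakeVault, FakeClock, VaultPool, run_burst, the capacity numbers and the kv0..kv2 URLs are all constructed assumptions; against a real vault the azure-keyvault-secrets SecretClient already carries a retry policy that behaves much like with_retry.

```python
"""Constructed demo of two mitigations for Key Vault 429 throttling:
retry with backoff honouring Retry-After, and spreading load across vaults."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], Optional[str]]  # (status, headers, body)


class FakeClock:
    """Virtual clock so the demo runs instantly and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class FakeVault:
    """Stand-in for one Key Vault (constructed, not the SDK): it serves at most
    `capacity` requests per one-second window and throttles with 429 beyond that."""
    url: str
    capacity: int
    clock: FakeClock
    window_start: float = 0.0
    used: int = 0

    def get_secret(self, name: str) -> Response:
        now = self.clock.now()
        if now - self.window_start >= 1.0:          # a new one-second window opens
            self.window_start, self.used = now, 0
        if self.used >= self.capacity:
            return 429, {"Retry-After": "1"}, None  # throttled: "request rate is too large"
        self.used += 1
        return 200, {}, f"{name}@{self.url}"


class ThrottledError(Exception):
    """Raised when a call is still throttled after every retry attempt."""


def with_retry(call: Callable[[], Response], max_attempts: int = 5,
               base_delay: float = 0.5, sleep: Callable[[float], None] = time.sleep,
               rng: Callable[[], float] = random.random) -> Tuple[str, int]:
    """Retry `call` on HTTP 429 with exponential backoff plus jitter.
    A Retry-After hint from the service takes precedence over the computed
    backoff. Returns (body, attempts_used)."""
    for attempt in range(max_attempts):
        status, headers, body = call()
        if status == 200:
            return body, attempt + 1
        if status != 429:
            raise RuntimeError(f"unexpected status {status}")
        hinted = float(headers.get("Retry-After", 0))
        delay = hinted if hinted > 0 else base_delay * (2 ** attempt)
        sleep(delay + rng() * 0.1)                   # jitter keeps clients from retrying in lockstep
    raise ThrottledError(f"still throttled after {max_attempts} attempts")


class VaultPool:
    """Round-robin over several vaults so no single vault absorbs the whole load."""
    def __init__(self, vaults: List[FakeVault]) -> None:
        self.vaults = vaults
        self.i = 0
    def next_vault(self) -> FakeVault:
        vault = self.vaults[self.i % len(self.vaults)]
        self.i += 1
        return vault


def run_burst(n_vaults: int, capacity: int, n_requests: int, retry: bool) -> Dict[str, int]:
    """Fire n_requests in one burst across n_vaults constructed vaults and report
    how many succeeded, failed, or needed more than one attempt."""
    clock = FakeClock()
    pool = VaultPool([FakeVault(f"https://kv{i}.vault.azure.net", capacity, clock)
                      for i in range(n_vaults)])
    stats = {"ok": 0, "failed": 0, "retried": 0}
    for k in range(n_requests):
        vault = pool.next_vault()
        call = lambda v=vault, k=k: v.get_secret(f"vm{k}-admin-password")
        if not retry:
            status, _, _ = call()
            stats["ok" if status == 200 else "failed"] += 1
            continue
        try:
            _, attempts = with_retry(call, sleep=clock.sleep, rng=lambda: 0.0)
            stats["ok"] += 1
            if attempts > 1:
                stats["retried"] += 1
        except ThrottledError:
            stats["failed"] += 1
    return stats


if __name__ == "__main__":
    print("1 vault, no retry:   ", run_burst(1, 10, 25, retry=False))
    print("1 vault, with retry: ", run_burst(1, 10, 25, retry=True))
    print("3 vaults, with retry:", run_burst(3, 10, 25, retry=True))
```

With one vault of capacity 10 and a burst of 25, the plain client loses 15 requests to 429; the retry policy recovers all 25 but two calls have to wait out a Retry-After window, which is the latency cost of Box 1's "distribute over a longer period". Spreading the same burst over three vaults (Box 2) keeps every vault under its limit, so every request succeeds on the first attempt.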
