Task 02: Test Connectivity
Objective: Verify network connectivity for VPN, Bastion, and DNS resolution
VPN Connectivity Tests
1. Check VPN Connection Status
Azure Portal Method:
- Navigate to Virtual network gateways
- Select the VPN Gateway
- Click Connections
- Verify connection shows Connected
Azure CLI Method:
```bash
az network vpn-connection show \
  --name conn-{cid}-cluster-{instance} \
  --resource-group rg-{cid}-{env}-{region}-management \
  --query connectionStatus
```
Expected: "Connected"
2. Verify BGP Peering
Azure Portal:
- Virtual network gateways → VPN Gateway
- Select BGP peers
- Verify:
  - On-premises BGP peer shows Connected
  - Routes are being learned
  - Peer IP matches on-prem configuration
Azure CLI:
```bash
az network vnet-gateway list-bgp-peer-status \
  --name vpngw-{cid}-{env}-{region} \
  --resource-group rg-{cid}-{env}-{region}-management
```
Expected: the output shows the peer with a "connectedDuration" value.
3. Test Connectivity to On-Premises
If the VPN connection is established and you have access to the on-premises network:
```bash
# From Azure VM or Cloud Shell
ping 10.0.0.1  # Replace with actual on-prem management IP
```
BGP Convergence Time
BGP peering may take 5-15 minutes to establish after the VPN connection comes up. If the status shows "Connecting," wait and recheck.
Bastion Connectivity Tests
1. Verify Bastion Status
Azure Portal:
- Navigate to Bastions
- Select the Bastion host
- Verify Status: Succeeded
2. Test Bastion Connection (if VMs deployed)
If optional NDM or Utility servers were deployed:
- Azure Portal → Virtual machines
- Select the VM
- Click Connect → Bastion
- Enter credentials
- Verify successful connection
DNS Resolution Tests
1. Verify DNS Resolver
Azure Portal:
- Navigate to Private DNS zones
- Select the management DNS zone
- Check Virtual network links
- Verify linked to management VNet
2. Test DNS Resolution
From Azure Cloud Shell:
```bash
# Test DNS resolver for cluster nodes
nslookup c01-n01-prd-ral.azlocal.internal 10.100.1.164
# Replace with:
# - Your cluster node hostname
# - Your DNS resolver IP (from dns subnet)
```
Expected: Returns the node's IP address.
From Windows VM (if deployed):
```powershell
# Test DNS resolution
Resolve-DnsName c01-n01-prd-ral.azlocal.internal
# Test DNS forwarding
Resolve-DnsName google.com
```
3. Verify DNS A Records
Azure Portal:
- Private DNS zones → Select zone
- Click Record sets
- Verify A records for all cluster nodes:
| Name | Type | IP Address |
|---|---|---|
| c01-n01-prd-ral | A | 10.100.3.101 |
| c01-n02-prd-ral | A | 10.100.3.102 |
| c01-n03-prd-ral | A | 10.100.3.103 |
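The portal check above can also be scripted. The following is an added example, not part of the original runbook: it compares a zone's A records against the table and flags missing or drifted entries, since a management name pointing at the wrong address silently misdirects traffic. The function names, the `--query` projection, and the `<rg>` / `<zone>` placeholders are assumptions of this example, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check a Private DNS zone's A records against the table above.

# Expected name<TAB>IP pairs, copied from the A-record table in step 3.
expected_records() {
  printf '%s\t%s\n' \
    c01-n01-prd-ral 10.100.3.101 \
    c01-n02-prd-ral 10.100.3.102 \
    c01-n03-prd-ral 10.100.3.103
}

# Reads "name<TAB>ip[,ip...]" lines on stdin, prints sorted findings, and
# returns 1 if an expected record is missing or resolves elsewhere.
# Records outside the table are reported but do not fail the check.
check_a_records() {
  rc=0
  out=$(EXPECTED="$(expected_records)" awk -F '\t' '
    BEGIN {
      bad = 0
      n = split(ENVIRON["EXPECTED"], line, "\n")
      for (i = 1; i <= n; i++) { split(line[i], f, "\t"); want[f[1]] = f[2] }
    }
    NF >= 2 { have[$1] = $2 }
    END {
      for (k in want) {
        if (!(k in have)) { print "MISSING " k " expected=" want[k]; bad = 1 }
        else if (have[k] != want[k]) { print "MISMATCH " k " expected=" want[k] " actual=" have[k]; bad = 1 }
      }
      for (k in have) if (!(k in want)) print "UNEXPECTED " k " " have[k]
      exit bad
    }') || rc=$?
  if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
  return "$rc"
}

# Live use (placeholders in <>; the --query projection is this example's choice):
#   az network private-dns record-set a list \
#     --resource-group <rg> --zone-name <zone> \
#     --query "[].[name, join(',', aRecords[].ipv4Address)]" -o tsv | check_a_records

# Constructed sample listing (not real output): n02 drifted, n03 absent.
sample_listing() {
  printf '%s\t%s\n' c01-n01-prd-ral 10.100.3.101 \
    c01-n02-prd-ral 10.100.3.202 util01 10.100.3.50
}
sample_listing | check_a_records || echo "A-record drift detected"
```

A record set that holds more than one address is listed as a comma-joined value, so an extra IP on a node name shows up as a MISMATCH.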
Validation Checklist
VPN Connectivity
- VPN connection status is Connected
- BGP peering established
- Routes learned from on-premises
- On-prem gateway can reach Azure VNet (if testable)
Bastion Connectivity
- Bastion host status is Succeeded
- Can connect to VMs via Bastion (if VMs deployed)
- No connectivity errors
DNS Resolution
- Private DNS zone linked to VNet
- DNS resolver deployed and running
- A records created for all cluster nodes
- DNS resolution working from Azure resources
- Conditional forwarding working (if configured)
Troubleshooting
VPN shows "Connecting" for extended time:
- Verify on-prem gateway configuration matches Azure settings
- Check that the pre-shared key (PSK) matches on both sides
- Confirm on-prem firewall allows IKE/IPsec (UDP 500, 4500)
BGP peering not establishing:
- Verify the BGP ASN is correct on both sides
- Check BGP IP addresses match configuration
- Confirm no ACLs blocking BGP (TCP port 179)
Bastion connection fails:
- Verify VM is running
- Check NSG allows inbound from Bastion subnet
- Confirm credentials are correct
DNS resolution not working:
- Verify DNS resolver deployed in correct subnet
- Check VNet link exists for Private DNS zone
- Confirm A records created with correct IPs
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2026-03-24 | Azure Local Cloudnology Team | Initial release |