Task 03: Validate Configuration
Objective: Confirm Key Vault access, Log Analytics configuration, and monitoring readiness
Key Vault Validation
1. Test Secret Operations
Azure CLI:
# Set a test secret
az keyvault secret set \
--vault-name kv-{cid}-{env}-mgmt \
--name deployment-validation \
--value "Phase04-Complete-$(date +%Y%m%d)"
# Retrieve the secret
az keyvault secret show \
--vault-name kv-{cid}-{env}-mgmt \
--name deployment-validation \
--query value -o tsv
PowerShell:
# Test from Azure PowerShell
$SecretValue = ConvertTo-SecureString "TestValue123" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "kv-{cid}-{env}-mgmt" -Name "test-secret" -SecretValue $SecretValue
# Retrieve
Get-AzKeyVaultSecret -VaultName "kv-{cid}-{env}-mgmt" -Name "test-secret" -AsPlainText
2. Verify Access Policies
Azure Portal:
- Key vaults → Select Key Vault → Access policies
- Verify these principals have access:
- Azure Local Cloud management group
- CI/CD service principal (Azure Local Cloud-cicd)
- Deployment administrator accounts
3. Check Security Settings
Azure Portal: Key Vault → Properties
Verify:
- Soft delete: Enabled (90-day retention)
- Purge protection: Enabled (production)
- Public network access: Enabled or Disabled per policy
- Private endpoint: Created (if configured)
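The same settings can be checked from the JSON returned by `az keyvault show` instead of the portal. This is an added example, not part of the original runbook: the function names and sample vaults are constructed, and it assumes the `properties` field names that `az keyvault show -o json` returns.

```python
import json
import subprocess

def check_vault(vault, production=True, public_access="Disabled"):
    """Compare `az keyvault show` JSON with the settings listed above.

    Returns a list of findings; an empty list means every check passed.
    """
    props = vault.get("properties") or {}
    findings = []
    # A missing or null flag means the feature is off, so test for True only.
    if props.get("enableSoftDelete") is not True:
        findings.append("soft delete is not enabled")
    days = props.get("softDeleteRetentionInDays")
    if days != 90:
        findings.append(f"soft-delete retention is {days}, expected 90 days")
    if production and props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is not enabled")
    actual = props.get("publicNetworkAccess")
    if actual != public_access:
        findings.append(
            f"public network access is {actual}, policy says {public_access}")
    return findings

def fetch_vault(name):
    """Read the vault with the Azure CLI (requires a prior `az login`)."""
    out = subprocess.run(
        ["az", "keyvault", "show", "--name", name, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

# Constructed sample input, trimmed to the fields the checks read.
SAMPLE_OK = json.loads("""{"name": "kv-example-prd-mgmt", "properties": {
  "enableSoftDelete": true, "softDeleteRetentionInDays": 90,
  "enablePurgeProtection": true, "publicNetworkAccess": "Disabled"}}""")
SAMPLE_WEAK = json.loads("""{"name": "kv-example-dev-mgmt", "properties": {
  "enableSoftDelete": true, "softDeleteRetentionInDays": 7,
  "enablePurgeProtection": null, "publicNetworkAccess": "Enabled"}}""")

if __name__ == "__main__":
    for vault in (SAMPLE_OK, SAMPLE_WEAK):
        problems = check_vault(vault)
        print(vault["name"], "OK" if not problems else problems)
```

Against a real vault, pass `fetch_vault("<vault name>")` to `check_vault`, setting `public_access` to whatever the network policy requires and `production=False` for non-production vaults.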
Log Analytics Validation
1. Verify Workspace Configuration
Azure Portal:
- Log Analytics workspaces → Select workspace
- Settings → Workspace configuration
- Verify:
- Retention: 30-90 days (per requirements)
- Data cap: Configured if required
- Solutions: Installed if configured
2. Test Data Ingestion
Azure Portal: Log Analytics → Logs
Run query:
// Check for recent Activity Log entries
AzureActivity
| where TimeGenerated > ago(1h)
| summarize count() by ResourceProvider
| order by count_ desc
Expected: Shows activity from recent deployment.
3. Check Diagnostic Settings
Verify resources sending logs to Log Analytics:
Azure CLI:
# Check diagnostic settings for VPN Gateway
az monitor diagnostic-settings list \
--resource /subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/virtualNetworkGateways/{vpn-gw-name}
Verify:
- VPN Gateway logs enabled
- Bastion logs enabled
- Key Vault audit logs enabled
- NSG flow logs enabled (if configured)
Monitoring Setup
1. Verify Optional Monitoring Servers
If NDM server deployed:
Azure Portal:
- Virtual machines → NDM server VM
- Verify:
- VM running
- Monitoring agent installed
- SNMP configured (if applicable)
2. Check Resource Tags
Verify all resources have appropriate tags:
Azure CLI:
az resource list \
--resource-group rg-{cid}-{env}-{region}-management \
--query '[].{Name:name, Tags:tags}' \
--output table
Expected tags:
- Customer
- Environment
- ManagedBy = "Azure Local Cloud CI/CD"
- CostCenter (if configured)
Final Validation Checklist
Key Vault
- Secret operations working (set/get)
- Access policies correctly configured
- Azure Local Cloud group can access
- CI/CD service principal can access
- Soft delete enabled
- Purge protection enabled (production)
Log Analytics
- Workspace active and collecting data
- Recent activity logs visible
- Retention configured correctly
- Diagnostic settings enabled for key resources
Monitoring
- Optional servers running (if deployed)
- Resource tags applied
- Monitoring agents installed (if configured)
Overall Deployment
- All resources in expected state
- Connectivity tests passed
- Access controls working
- Logging and monitoring operational
- Documentation updated with actual values
Post-Deployment Tasks
1. Document Deployment Details
Create deployment record:
Deployment Date: YYYY-MM-DD
Customer: {Customer Name}
Environment: {env}
Region: {region}
VPN Gateway: vpngw-{cid}-{env}-{region}
Key Vault: kv-{cid}-{env}-mgmt
Log Analytics: law-{cid}-{env}-{region}
Bastion: bas-{cid}-{env}-{region}
2. Store Credentials in Key Vault
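Store important credentials. A value passed with --value is visible in shell history and the process list, so run these from a session where that is acceptable or read the value from a file with the --file option of az keyvault secret set: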
# Local admin password (if applicable)
az keyvault secret set --vault-name kv-{cid}-{env}-mgmt \
--name "vm-admin-password" --value "{secure-password}"
# VPN PSK (if not already stored)
az keyvault secret set --vault-name kv-{cid}-{env}-mgmt \
--name "vpn-psk-cluster-c01" --value "{pre-shared-key}"
3. Update Network Documentation
Document for network team:
- Azure VNet CIDR: 10.100.1.0/24
- VPN Gateway public IPs
- BGP ASN and IPs
- DNS resolver IP
Completion
Phase 04 deployment complete! ✅
All management infrastructure deployed, validated, and ready for Azure Local cluster deployment.
Next Steps
- Coordinate with on-premises team to verify VPN connectivity
- Configure monitoring alerts in Log Analytics
- Store additional secrets as needed
- Proceed to Phase 05: Identity & Security
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2026-03-24 | Azure Local Cloudnology Team | Initial release |