Quiz: Azure Troubleshooting
10 questions
L1 (6 questions)
1. An Azure VM can't reach the internet. What do you check?
Answer:
1. VM has a public IP or outbound NAT rule.
2. NSG allows outbound traffic on the required port.
3. Route table has a default route to the internet.
4. Azure Firewall or NVA is not blocking traffic.
5. Note: Azure default outbound access is being deprecated — use NAT Gateway or LB outbound rules.
2. What is the difference between NSG and Azure Firewall?
Answer:
NSG: basic L3/L4 filtering (IP, port, protocol) at subnet or NIC level, free. Azure Firewall: managed L3-L7 firewall with FQDN filtering, threat intelligence, TLS inspection, centralized logging, paid service. Use NSG for basic segmentation; Azure Firewall for advanced inspection and centralized policy.
3. How do you debug RBAC permission issues in Azure?
Answer:
1. Check role assignments at resource, resource group, and subscription scope.
2. Use 'Check access' in the portal on the specific resource.
3. Look for deny assignments.
4. Verify the correct identity (user, SP, managed identity) is being used.
5. Check if a custom role has the required actions/dataActions.
4. What is the difference between Azure Load Balancer and Application Gateway?
Answer:
Load Balancer: L4 (TCP/UDP), no SSL termination, no path-based routing, very fast. Application Gateway: L7 (HTTP/HTTPS), SSL termination, path/host-based routing, WAF integration, URL rewrites. Use LB for non-HTTP or internal traffic; App Gateway for web applications.
5. How do you troubleshoot Azure storage account access issues?
Answer:
1. Check network rules: storage firewall may restrict to specific VNets/IPs.
2. Verify SAS token or access key is valid and not expired.
3. Check container/blob access level (private, blob, container).
4. RBAC role assignments for Azure AD auth.
5. Private endpoint DNS resolution if using private connectivity.
6. How do you investigate application errors in Azure?
Answer:
1. Application Insights: exception telemetry, dependency tracking, request traces.
2. Azure Monitor Logs (Log Analytics): KQL queries on collected logs.
3. Diagnostic settings on the resource to route logs to Log Analytics.
4. Activity Log for control-plane operations.
5. Resource Health for platform-level issues.
L2 (4 questions)
1. An AKS pod can't connect to an Azure SQL Database. What do you investigate?
Answer:
1. Azure SQL firewall allows the AKS subnet or VNet.
2. Private endpoint is configured if using private connectivity.
3. AKS pod identity (workload identity) has the correct RBAC.
4. Connection string uses the correct server FQDN.
5. NSG on AKS subnet allows outbound to port 1433.
6. DNS resolves the private endpoint correctly.
2. Azure VM boots but RDP/SSH fails. What do you check?
Answer:
1. NSG allows inbound on port 22 (SSH) or 3389 (RDP) from your IP.
2. VM is running (not stopped/deallocated).
3. Boot diagnostics — check serial console for OS-level errors.
4. Azure Bastion as alternative if direct access is blocked.
5. VM guest agent is healthy.
6. OS-level firewall (Windows Firewall, iptables) isn't blocking.
3. An Azure Function times out sporadically. What do you investigate?
Answer:
1. Check execution timeout setting (Consumption plan default: 5 min, max 10 min).
2. Cold start: function is initializing from scratch.
3. Downstream dependency latency (database, API calls).
4. Premium plan for pre-warmed instances.
5. Application Insights for execution traces and dependency call durations.
4. VNet peering is configured but traffic between VNets doesn't flow. What do you check?
Answer:
1. Peering status is 'Connected' on BOTH sides.
2. 'Allow forwarded traffic' and 'Allow gateway transit' settings match on both peers.
3. Route tables don't have conflicting UDRs.
4. NSGs allow traffic between the VNets.
5. Address spaces don't overlap.
6. If using hub-spoke, check 'Use remote gateways' setting.