Free Microsoft AZ-720 Exam Actual Questions

The questions for AZ-720 were last updated on Oct 2, 2024

Question No. 1

You need to troubleshoot the CosmosDB1 issues from the on-premises environment. What should you use?

Question No. 2

You need to resolve the issue with internet traffic from VM1 being routed directly to the internet.

What should you do?

Correct Answer: B

This will ensure that the route table RT12, which has a route to direct internet traffic to the virtual network gateway VNG1, is applied to the subnet where VM1 is located. This will override the default route that sends internet traffic to the internet gateway.


Question No. 3

You need to resolve the VM2 routing issue.

What should you do?

Correct Answer: D

To resolve the VM2 routing issue, you should modify the IP configuration setting of the Azure network interface resource of VM2. This will ensure that VM2 can communicate with other resources in the virtual network.

Troubleshooting connectivity problems between Azure VMs involves several steps, such as checking whether the NIC is misconfigured, whether network traffic is blocked by an NSG or UDR, whether network traffic is blocked by the VM firewall, whether the VM app or service is listening on the port, and whether the problem is caused by SNAT.

Fabrikam Inc. runs an online reservation service that allows agents to manage online registrations for various hotels, vacation rentals, and customers.

The company has on-premises infrastructure and services that are hosted in Azure. The on-premises infrastructure includes servers that run Active Directory Domain Services (AD DS). Azure services include virtual machines (VMs) that are in one subscription and the following environments: development, testing, and production. Each environment is located in a different virtual network (VNet).

The company has a perimeter network that supports connections to the internet. The perimeter network is also hosted in a separate VNet. All of the VNets are connected by using virtual network peering.

The company's subscription contains the following Azure virtual machines (VMs):

The Web Server (IIS) role is installed on VM4. The operating system firewall for each VM allows inbound ping requests.

The company's subscription includes the following network security groups (NSGs):

NSG1, NSG2, NSG3, and NSG5 use the default inbound security rules. NSG4, NSG5, and NSG10 use the default outbound security rules. NSG4 has the following inbound security rule:

NSG10 has the following inbound security rules:

Network Policy Server (NPS) is installed on an on-premises server named SRV2. The NPS extension for Azure AD multi-factor authentication (MFA) is configured on the server as well.

The virtual network peering connections are in the following table.

You provision a virtual network gateway named VNetGW in the perimeter network. The virtual network gateway uses SKU VpnGw1 and the public IP address 16.4.4.4. The virtual network gateway will provide:

* Network routing to customer data centers using site-to-site VPN connections.

* Network routing to Azure for the scheduling agents and sales employees using a point-to-site VPN connection.

The company's site-to-site VPN connections with customers are shown in the following table.

The point-to-site VPN is configured as shown in the following table:

The company's user and group memberships are shown in the following table:

The scheduling agents, warehouse, and sales groups are members of the self-service password reset (SSPR) group named SSPR-group.

Azure AD Connect is installed on an on-premises server named SRV1. In addition:

* The server uses a pass-through authentication agent.

* The SSPR feature is enabled.

* The SSPR feature is applied only to a group named SSPR-group.

* The scheduling agents' internet connectivity must be blocked when connected to the point-to-site VPN.

* Sales employees must use the default VPN client on macOS computers to connect to Azure.

* Azure AD Connect must synchronize all user accounts from AD DS to Azure AD.

* Pass-through authentication is required for all users.

* Azure AD multi-factor authentication (MFA) is required for all users.

* All admin user accounts must be in an organizational unit (OU) named Admins.


Question No. 4

You need to resolve the issue with Admin1.

What should you do?

Correct Answer: C

The error 8344 insufficient access rights to perform the operation indicates that the Azure AD Connect service account does not have the required permissions to synchronize the Admin1 account. This could be because the Admin1 account is in an organizational unit (OU) that has security inheritance disabled, which prevents the service account from inheriting the necessary permissions from the parent OU. To resolve this issue, you should enable security inheritance in AD DS for the OU that contains the Admin1 account. This will allow the service account to synchronize the Admin1 account to Azure AD. Alternatively, you could also grant the service account explicit permissions on the Admin1 account, but this would be more tedious and less scalable than enabling security inheritance.


Question No. 5

You need to troubleshoot the issue reported by Blue Yonder Airlines.

Which diagnostic log should you review?

Correct Answer: D

To troubleshoot the issue reported by Blue Yonder Airlines, you need to review the IKEDiagnosticLog, which contains information about the Internet Key Exchange (IKE) protocol that is used to establish IPsec VPN connections. The IKEDiagnosticLog can help you identify the cause of the VPN disconnections and IPsec failure to connect errors, such as mismatched authentication parameters, incorrect pre-shared keys, or network connectivity issues. You can enable and download the IKEDiagnosticLog from the Azure portal or by using PowerShell commands.