AZ-104: Configure and manage virtual networks for Azure administrators Flashcards

1
Q

What is Azure virtual networking?

A

Azure virtual networks enable Azure resources, such as virtual machines, web apps, and databases, to communicate with: each other, users on the Internet, and on-premises client computers. You can think of an Azure network as a set of resources that links other Azure resources

2
Q

Isolation and segmentation

A

Azure allows you to create multiple isolated virtual networks. When you set up a virtual network, you define a private Internet Protocol (IP) address space, using either public or private IP address ranges. You can then segment that IP address space into subnets, and allocate part of the defined address space to each named subnet.

For name resolution, you can use the name resolution service that’s built in to Azure, or you can configure the virtual network to use either an internal or an external Domain Name System (DNS) server

3
Q

Internet communications

A

A VM in Azure can connect out to the Internet by default. You can enable incoming connections from the Internet by defining a public IP address or a public load balancer. For VM management, you can connect via the Azure CLI, Remote Desktop Protocol (RDP), or Secure Shell (SSH).

4
Q

Communicate between Azure resources

A

Virtual networks

Virtual networks can connect not only VMs, but other Azure resources, such as the App Service Environment, Azure Kubernetes Service, and Azure virtual machine scale sets.

Service endpoints

You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks, thereby improving security and providing optimal routing between resources

5
Q

Communicate with on-premises resources

A

Point-to-site Virtual Private Networks

This approach is like a Virtual Private Network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it’s working in the opposite direction. In this case, the client computer initiates an encrypted VPN connection to Azure, connecting that computer to the Azure virtual network

6
Q

Communicate with on-premises resources 2

A

Site-to-site Virtual Private Networks

A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the Internet.

7
Q

Communicate with on-premises resources 3

A

Azure ExpressRoute

For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the Internet

8
Q

Route tables

A

A route table allows you to define rules as to how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.

9
Q

Border Gateway Protocol (BGP)

A

Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks

10
Q

Connect virtual networks / network peering

A

You can link virtual networks together using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, allowing you to create a global interconnected network through Azure

11
Q

Address overlapping

A

Can’t have two address spaces overlapping in the same virtual network

12
Q

Subnet

A

Subnet names must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

13
Q

Network security group

A

Network security groups have security rules that enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. You create the network security group separately, and then associate it with the virtual network.

14
Q

What is a VPN gateway?

A

An Azure virtual network gateway provides an endpoint for incoming connections from on-premises locations to Azure over the Internet

Each virtual network can have only one VPN gateway. All connections to that VPN gateway share the available network bandwidth

15
Q

gateway type

A

A key setting is the gateway type. The gateway type determines the way the gateway functions. For a VPN gateway, the gateway type is “vpn”. Options for VPN gateways includ

16
Q

Plan a VPN gateway

A

When you’re planning a VPN gateway, there are three architectures to consider:

Point to site over the Internet
Site to site over the Internet
Site to site over a dedicated network, such as Azure ExpressRoute

17
Q

Design considerations

A

When you design your VPN gateways to connect virtual networks, you must consider the following factors:

Subnets cannot overlap

It is vital that a subnet in one location does not contain the same address space as in another location.

IP addresses must be unique

You cannot have two hosts with the same IP address in different locations, as it will be impossible to route traffic between those two hosts and the network-to-network connection will fail.

VPN gateways need a gateway subnet called GatewaySubnet

It must have this name for the gateway to work, and it should not contain any other resources.

18
Q

Create a VPN gateway

A

RouteBased

Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. Route-based connections are typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

19
Q

Create a VPN gateway 2

A

PolicyBased

Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. A policy-based connection is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.

20
Q

Azure ExpressRoute

A

Microsoft Azure ExpressRoute enables organizations to extend their on-premises networks into the Microsoft Cloud over a private connection implemented by a connectivity provider. This arrangement means that the connectivity to the Azure datacenters doesn’t go over the Internet but across a dedicated link. ExpressRoute also facilitates efficient connections with other Microsoft cloud-based services, such as Microsoft 365 and Dynamics 365

21
Q

ExpressRoute connectivity models

A

IP VPN network (any-to-any)

Virtual cross-connection through an Ethernet exchange

Point-to-point Ethernet connection

22
Q

What is layer 3 connectivity?

A

Microsoft uses an industry-standard dynamic routing protocol (BGP) to exchange routes between your on-premises network, your instances in Azure, and Microsoft public addresses. We establish multiple BGP sessions with your network for different traffic profiles.

23
Q

Any-to-any (IPVPN) networks

A

IPVPN providers typically provide connectivity between branch offices and your corporate datacenter over managed layer 3 connections. With ExpressRoute, the Azure datacenters appear as if they were another branch office

24
Q

Virtual cross-connection through an Ethernet Exchange

A

If your organization is co-located with a cloud exchange facility, you request cross-connections to the Microsoft Cloud through your provider’s Ethernet exchange. These cross-connections to the Microsoft Cloud can operate at either layer 2 or layer 3 managed connections, as in the networking OSI model

25
Q

Point-to-point Ethernet connection

A

Point-to-point Ethernet links can provide layer 2 or managed layer 3 connections between your on-premises datacenters or offices to the Microsoft Cloud

26
Q

What are ExpressRoute circuits

A

An ExpressRoute circuit is the logical connection between your on-premises infrastructure and the Microsoft Cloud

An ExpressRoute circuit isn’t equivalent to a network connection or a network device. Each circuit is defined by a GUID, called a service or s-key. This s-key provides the connectivity link between Microsoft, your connectivity provider, and your organization - it isn’t a cryptographic secret. Each s-key has a one-to-one mapping to an Azure ExpressRoute circuit

27
Q

Routing domains

A

ExpressRoute circuits then map to routing domains, with each ExpressRoute circuit having multiple routing domains. These domains are the same as the two peerings listed above. In an active-active configuration, each pair of routers would have each routing domain configured identically, thus providing high availability. The Azure private peering names represent the IP addressing schemes

28
Q

Azure private peering

A

Azure private peering connects to Azure compute services such as virtual machines and cloud services that are deployed with a virtual network. As far as security goes, the private peering domain is simply an extension of your on-premises network into Azure

You can connect only one virtual network to the private peering domain

29
Q

Microsoft peering

A

Microsoft peering supports connections to cloud-based SaaS offerings, such as Microsoft 365 and Dynamics 365. This peering option provides bi-directional connectivity between your company’s WAN and Microsoft cloud services.

30
Q

ExpressRoute health

A

As with most features in Microsoft Azure, you can monitor ExpressRoute connections to ensure that they are performing satisfactorily. Monitoring includes coverage of the following areas:

Availability
Connectivity to virtual networks
Bandwidth utilization
The key tool for this monitoring activity is Network Performance Monitor, particularly NPM for ExpressRoute.

31
Q

Azure IP addressing

A

In Azure, you typically would implement a network security group and a firewall. You use subnets to isolate front-end services, including web servers and DNS, and back-end services like databases and storage systems

32
Q

Basic properties of Azure virtual networks

A

A virtual network is your network in the cloud. You can divide your virtual network into multiple subnets. Each subnet has a portion of the IP address space that is assigned to your virtual network. You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed in it.

33
Q

Basic properties of Azure virtual networks

A

The smallest subnet that is supported uses a /29 subnet mask. The largest supported subnet uses a /8 subnet mask

34
Q

Address overlapping

A

There can be no IP address overlap for interconnected networks

35
Q

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.1 to 192.168.255.255

A

not routable over the internet

36
Q

Public IP addresses

A

Basic IP
Basic IPs are open by default. We recommend that you use network security groups to restrict inbound or outbound traffic.
They do not support availability zone scenarios. You must use a Standard SKU public IP for an availability zone scenario

37
Q

Standard Public IP

A

Standard IPs are secure by default and closed to inbound traffic. You must explicitly allow inbound traffic by using a network security group

Standard IPs are zone-redundant by default and optionally zonal (they can be created zonal and guaranteed in a specific availability zone)

38
Q

Public IP 2

A

Public IP addresses can’t be moved between regions; all IP addresses are region-specific. If your business needs to have datacenters in different regions, you would have a different public IP address range for each region. You can use technology like Azure Traffic Manager to balance between region-specific instances

To ensure a static range of public IP addresses, you can create a public IP address prefix. You can’t specify the addresses when you create the prefix, but after the prefix is created, the addresses will be fixed

39
Q

classless inter-domain routing (CIDR) format

A

CIDR is a way to represent a block of network IP addresses. An IPv4 CIDR, specified as part of the IP address, shows the length of the network prefix

40
Q

Subnet

A

The address range can’t overlap with other subnets in the virtual network or with the on-premises network

41
Q

Azure reserved addresses

A

The first three IP addresses are reserved for all subnets by default in Azure. For protocol conformance, the first and last IP addresses of all subnets also are reserved. An internal DHCP service within Azure assigns and maintains the lease of IP addresses. The .1, .2, .3, and last IP addresses are not visible or configurable by the Azure customer. These addresses are reserved and used by internal Azure services

Remember that Azure uses the first three addresses on each subnet. The first and last IP addresses of the subnets also are reserved for protocol conformance. Therefore, the number of possible addresses on an Azure subnet is 2^n-5, where n represents the number of host bits

42
Q

Connect services by using virtual network peering

A

In peered virtual networks, traffic between virtual machines is routed through the Azure network. The traffic uses only private IP addresses. It doesn’t rely on internet connectivity, gateways, or encrypted connections. The traffic is always private, and it takes advantage of the high bandwidth and low latency of the Azure backbone network

43
Q

types of peering connections

A

Virtual network peering connects virtual networks in the same Azure region, such as two virtual networks in North Europe.
Global virtual network peering connects virtual networks that are in different Azure regions, such as a virtual network in North Europe and a virtual network in West Europe

44
Q

Reciprocal connections

A

Peering is not set up automatically in both directions: you have to create a peering connection in each of the two virtual networks.

45
Q

Cross-subscription virtual network peering

A

When you use virtual network peering across subscriptions, you might find that an administrator of one subscription doesn’t administer the peer network’s subscription. The administrator might not be able to configure both ends of the connection. To peer the virtual networks when both subscriptions are in different Azure Active Directory tenants, the administrators of each subscription must grant the peer subscription’s administrator the Network Contributor role on their virtual network

46
Q

Transitivity

A

Virtual network peering is nontransitive. Only virtual networks that are directly peered can communicate with each other. The virtual networks can’t communicate with the peers of their peers.

For example, suppose that your three virtual networks (A, B, C) are peered like this: A <-> B <-> C. Resources in A can’t communicate with resources in C because that traffic can’t transit through virtual network B. If you need communication between virtual network A and virtual network C, you must explicitly peer these two virtual networks.

47
Q

Gateway transit

A

You can configure transitive connections on-premises if you use virtual network gateways as transit points. Using gateway transit, you can enable on-premises connectivity without deploying virtual network gateways to all your virtual networks. This method might reduce cost and complexity. By using gateway peering, you can configure a single virtual network as a hub network. Connect this hub network to your on-premises datacenter and share its virtual network gateway with peers.

48
Q

Overlapping address spaces

A

IP address spaces of connected networks within Azure and between Azure and your on-premises system can’t overlap. This is also true for peered virtual networks. Keep this rule in mind when you’re planning your network design. In any networks you connect through virtual network peering, VPN, or ExpressRoute, assign different address spaces that don’t overlap

49
Q

VPNs use the internet to connect your on-premises datacenter to the Azure backbone through an encrypted tunnel. You can use a site-to-site configuration to connect virtual networks together through VPN gateways. VPN gateways have higher latency than virtual network peering setups. They’re more complex to manage, and they can cost more.

When virtual networks are connected through both a gateway and virtual network peering, traffic flows through the peering configuration

A

VPN

50
Q

command to peer connections

A

az network vnet peering create \
  --name SalesVNet-To-MarketingVNet \
  --remote-vnet MarketingVNet \
  --resource-group learn-65e72839-7c90-4f1b-b29a-cbbdebc8dab7 \
  --vnet-name SalesVNet \
  --allow-vnet-access

51
Q

Network security groups

A

Network security groups filter network traffic to and from Azure resources. Network security groups contain security rules that you configure to allow or deny inbound and outbound traffic. You can use network security groups to filter traffic between VMs or subnets, both within a virtual network and from the internet

52
Q

Network security group assignment and evaluation

A

Network security groups are assigned to a network interface or a subnet. When you assign a network security group to a subnet, the rules apply to all network interfaces in that subnet. You can restrict traffic further by associating a network security group to the network interface of a VM

53
Q

Network security group assignment and evaluation 2

A

Inbound traffic is first evaluated by the network security group applied to the subnet, and then by the network security group applied to the network interface. Conversely, outbound traffic from a VM is first evaluated by the network security group applied to the network interface, and then by the network security group applied to the subnet

54
Q

Network security group assignment and evaluation 3

A

Each subnet and network interface can have one network security group applied to it. Network security groups support TCP, UDP, and ICMP, and operate at Layer 4 of the OSI model

55
Q

processing rules by rule number

A

For example, suppose your company has created a security rule to allow inbound traffic on port 3389 (RDP) to your web servers, with a priority of 200. Next, suppose that another admin has created a rule to deny inbound traffic on port 3389, with a priority of 150. The deny rule takes precedence, because it’s processed first. The rule with priority 150 is processed before the rule with priority 200

56
Q

Default security rules

A

When you create a network security group, Azure creates several default rules. These default rules can’t be changed, but can be overridden with your own rules. These default rules allow connectivity within a virtual network and from Azure load balancers. They also allow outbound communication to the internet, and deny inbound traffic from the internet.

57
Q

Service tags

A

You use service tags to simplify network security group security even further. You can allow or deny traffic to a specific Azure service, either globally or per region

Service tags represent a group of IP addresses, and help simplify the configuration of your security rules. For resources that you can specify by using a tag, you don’t need to know the IP address or port details.

58
Q

Virtual network service endpoints

A

Use virtual network service endpoints to extend your private address space in Azure by providing a direct connection to your Azure services. Service endpoints let you secure your Azure resources to only your virtual network. Service traffic will remain on the Azure backbone, and doesn’t go out to the internet

59
Q

How service endpoints work

A

To enable a service endpoint, you must do the following two things:

Turn off public access to the service.
Add the service endpoint to a virtual network.

When you enable a service endpoint, you restrict the flow of traffic, and enable your Azure VMs to access the service directly from your private address space. Devices cannot access the service from a public network. On a deployed VM vNIC, if you look at Effective routes, you’ll notice the service endpoint as the Next Hop Type.

60
Q

Service endpoints and hybrid networks

A

Service resources that you’ve secured by using virtual network service endpoints are not, by default, accessible from on-premises networks. To access resources from an on-premises network, use NAT IPs. If you use ExpressRoute for connectivity from on-premises to Azure, you have to identify the NAT IP addresses that are used by ExpressRoute. By default, each circuit uses two NAT IP addresses to connect to the Azure backbone network. You then need to add these IP addresses into the IP firewall configuration of the Azure service resource (for example, Azure Storage)

61
Q

What is Azure Bastion?

A

Azure Bastion provides a secure remote connection from the Azure portal to Azure virtual machines (VMs) over Transport Layer Security (TLS). Provision Azure Bastion to the same Azure virtual network as your VMs or to a peered virtual network. Then connect to any VM on that virtual network or a peered virtual network directly from the Azure portal

62
Q

Provide secure RDP and SSH connectivity to an internal VM

A

You can use Azure Bastion to easily open an RDP or SSH session from the Azure portal to a VM that’s not publicly exposed. Azure Bastion connects to your virtual machines over private IP. You don’t have to expose RDP ports, SSH ports, or public IP addresses for your internal VMs

63
Q

Azure Bastion Key Features

A

Traffic initiated from Azure Bastion to target virtual machines stays within the virtual network or between peered virtual networks.
There’s no need to apply NSGs to the Azure Bastion subnet, because it’s hardened internally. For additional security, you can configure NSGs to allow only remote connections to the target virtual machines from the Azure Bastion host.
Azure Bastion helps protect against port scanning. RDP ports, SSH ports, and public IP addresses aren’t publicly exposed for your VMs.
Azure Bastion helps protect against zero-day exploits. It sits at the perimeter of your virtual network. So you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform keeps Azure Bastion up to date.
The service integrates with native security appliances for an Azure virtual network, like Azure Firewall.
You can use the service to monitor and manage remote connections

64
Q

How does Azure Bastion work?

A

An Azure Bastion deployment is per virtual network or peered virtual network. It’s not per subscription, account, or virtual machine (VM). After you provision an Azure Bastion service in your virtual network, the RDP or SSH experience is available to all your VMs in the same virtual network

65
Q

How does Azure Bastion work? 2

A

Browser connects to the Azure Bastion host. The browser connects to Azure Bastion over the internet by using Transport Layer Security (TLS) and the public IP of the Azure Bastion host. Azure Gateway Manager manages portal connections to the Azure Bastion service on port 443 or 4443.
Bastion connects to the VM by using RDP or SSH. Azure Bastion is deployed in a separate subnet called AzureBastionSubnet within the virtual network. You create the subnet when you deploy Azure Bastion. The subnet can have address spaces with a /27 subnet mask or larger. Don’t deploy other Azure resources to this subnet or change the subnet name.
Bastion streams the VM to the browser. Azure Bastion uses an HTML5-based web client that’s automatically streamed to your local device. The Azure Bastion service packages the session information by using a custom protocol. The packages are transmitted through TLS

66
Q

Verify Azure Bastion

A

Direction - Allow
Inbound: RDP and SSH connections from the Azure Bastion subnet IP address range to your VM subnet.
Inbound: TCP access from the internet on port 443 to the Azure Bastion public IP.
Inbound: TCP access from Azure Gateway Manager on ports 443 or 4443. Azure Gateway Manager manages portal connections to the Azure Bastion service.
Outbound: TCP access from the Azure platform on port 443. This traffic is used for diagnostic logging.

67
Q

Deploy an Azure Bastion host in the Azure portal

A

Before you can deploy Azure Bastion, you need a virtual network. You can use an existing virtual network or deploy Azure Bastion as you create a virtual network. Create a subnet in the virtual network called AzureBastionSubnet. If you have a VM that’s on the same or a peered virtual network, you complete the deployment in the Azure portal by selecting Azure Bastion when you connect to the VM

68
Q

Configure diagnostic settings to generate audit logs

A

Azure Bastion can log information about remote user sessions. Review the logs to see who connected to which workloads, at what time, from where, and other relevant logging information.

To generate these logs, you must configure diagnostic settings on Azure Bastion. It can take several hours for the logs to stream to a storage account. The following sections show you how to configure Azure Bastion diagnostic settings so you can try this in your own subscription later.

69
Q

What is Azure DNS?

A

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.

In this unit, you’ll learn what DNS is and how it works. Then learn about Azure DNS, and why you would use it.

70
Q

How does DNS work?

A

A DNS server carries out one of two primary functions:

Maintains a local cache of recently accessed or used domain names and their IP addresses. This cache provides a faster response to a local domain lookup request. If the DNS server can’t find the requested domain, it passes the request to another DNS server. This process repeats at each DNS server until either a match is made, or the search times out.
Maintains the key-value pair database of IP addresses and any host or subdomain that the DNS server has authority over. This function is often associated with mail, web, and other internet domain services

71
Q

DNS server assignment

A

In order for a computer, server, or other network-enabled device to access web-based resources, it must reference a DNS server.

When you connect by using your on-premises network, the DNS settings come from your server. When you connect by using an external location, like a hotel, the DNS settings come from the internet service provider (ISP).

72
Q

DNS settings for your domain

A

As the administrator for your company, you want to set up a DNS server by using Azure DNS. In this instance, the DNS server will act as a start of authority (SOA) for your domain

73
Q

DNS record types

A

A is the host record, and is the most common type of DNS record. It maps the domain or host name to the IP address.
CNAME is the canonical name, or the alias for an A record. If you had different domain names that all accessed the same website, you would use CNAME.
MX is the mail exchange record. It maps mail requests to your mail server, whether hosted on-premises or in the cloud.
TXT is the text record. It’s used to associate text strings with a domain name. Azure and Microsoft 365 use TXT records to verify domain ownership.

The SOA and NS records are created automatically when you create a DNS zone by using Azure DNS.

74
Q

What is Azure DNS? 2

A

Azure DNS allows you to host and manage your domains by using a globally distributed name server infrastructure. It allows you to manage all of your domains by using your existing Azure credentials.

Azure DNS acts as the SOA for the domain.

You can’t use Azure DNS to register a domain name. You use a third-party domain registrar to register your domain.

75
Q

Security features Azure DNS

A

Azure DNS provides the following security features:

Role-based access control, which gives you fine-grained control over users’ access to Azure resources. You can monitor their usage, and control the resources and services they have access to.
Activity logs, which let you track changes to a resource, and pinpoint where faults occurred.
Resource locking, which gives a greater level of control to restrict or remove access to resource groups, subscriptions, or any Azure resources.

76
Q

Ease of use

A

Azure DNS can manage DNS records for your Azure services, and provide DNS for your external resources. Azure DNS uses your same Azure credentials, support contract, and billing as your other Azure services.

You can manage your domains and records by using the Azure portal, Azure PowerShell cmdlets, or the Azure CLI. Applications that require automated DNS management can integrate with the service by using the REST API and SDKs.

77
Q

Private domains

A

Azure DNS handles the translation of external domain names to an IP address. Azure DNS also lets you create private zones. These provide name resolution for virtual machines (VMs) within a virtual network, and between virtual networks, without having to create a custom DNS solution. This allows you to use your own custom domain names rather than the Azure-provided names.

78
Q

Private domains 2

A

To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone.

Private DNS zones have the following benefits:

There’s no need to invest in a DNS solution. DNS zones are supported as part of the Azure infrastructure.
All DNS record types are supported: A, CNAME, TXT, MX, SOA, AAAA, PTR, and SRV.
Host names for VMs in your virtual network are automatically maintained.
Split-horizon DNS support allows the same domain name to exist in both private and public zones. It resolves to the correct one based on the originating request location.

79
Q

START OF AUTHORITY

A

To verify the success of the domain delegation, query the start of authority (SOA) record. The SOA record was automatically created when the Azure DNS zone was set up. You can do this by using a third-party tool, like nslookup.

80
Q

Link your virtual network to a private DNS zone

A

To link the private DNS zone to a virtual network, you create a virtual network link. In the Azure portal, go to the private zone and select Virtual network links.

81
Q

DNS zone

A

The DNS zone holds all the configuration records associated with your domain.

82
Q

note

A

By default, the NS and SOA records are automatically created. The NS record defines the Azure DNS namespaces and contains the four Azure DNS record sets. You use all four record sets when you update the registrar.

The SOA record represents your domain, and is used when other DNS servers are searching for your domain.

Make a note of the NS record values. You need them in the next section.

83
Q

A record

A

The primary record to create is the A record. This record contains the pairing between the IP address and the domain name. The A record can have multiple entries, called record sets. In record sets, the domain name remains constant, while the IP addresses are different.

84
Q

What is an apex domain?

A

The apex domain is the highest level of your domain. In our case, that’s wideworldimports.com. Note that the apex domain is also sometimes referred to as the zone apex or root apex. It’s often represented by the @ symbol in your DNS zone records.

If you check the DNS zone for wideworldimports.com, you’ll see there are two apex domain records: NS and SOA. The NS and SOA records are automatically created when you created the DNS zone.

CNAME records that you might need for an Azure Traffic Manager profile or Azure Content Delivery Network endpoints aren’t supported at the zone apex level. Alias records are supported at the zone apex level.

85
Q

What are alias records?

A

Azure alias records enable a zone apex domain to reference other Azure resources from the DNS zone. You don’t need to create complex redirection policies. You can also use an Azure alias to route all traffic through Traffic Manager.

The Azure alias record can point to the following Azure resources:

A Traffic Manager profile
Azure Content Delivery Network endpoints
A public IP resource
A front door profile

You know that the A record and CNAME record don’t support direct connection to Azure resources like your load balancers. You’ve been tasked with finding out how to link the apex domain with a load balancer.

86
Q

Uses for alias records

A

Prevents dangling DNS records: A dangling DNS record occurs when the DNS zone records aren’t up-to-date with changes to IP addresses. Alias records prevent dangling references by tightly coupling the lifecycle of a DNS record with an Azure resource.

Updates DNS record set automatically when IP addresses change: When the underlying IP address of a resource, service, or application is changed, the alias record ensures that any associated DNS records are automatically refreshed.

Hosts load-balanced applications at the zone apex: Alias records allow for zone apex resource routing to Traffic Manager.

Points zone apex to Azure Content Delivery Network endpoints: With alias records, you can now directly reference your Azure Content Delivery Network instance.

87
Q

network virtual appliance (NVA)

A

network virtual appliance (NVA)

88
Q

Azure routing

A

Network traffic in Azure is automatically routed across Azure subnets, virtual networks, and on-premises networks. This routing is controlled by system routes, which are assigned by default to each subnet in a virtual network. With these system routes, any Azure virtual machine that is deployed to a virtual network can communicate with all other Azure virtual machines in subnets in that network. These virtual machines are also potentially accessible from on-premises through a hybrid network or the internet.

89
Q

Virtual network gateway

A

Use a virtual network gateway to send encrypted traffic between Azure and on-premises over the internet and to send encrypted traffic between Azure networks. A virtual network gateway contains routing tables and gateway services.

90
Q

Virtual network service endpoint

A

Virtual network service endpoints extend your private address space in Azure by providing a direct connection to your Azure resources. This connection restricts the flow of traffic: your Azure virtual machines can access your storage account directly from the private address space, and access from a public virtual machine is denied. As you enable service endpoints, Azure creates routes in the route table to direct this traffic.

91
Q

User-defined routes

A

You use a user-defined route to override the default system routes so that traffic can be routed through firewalls or NVAs.

92
Q

Virtual appliance

A

A virtual appliance is typically a firewall device used to analyze or filter traffic that is entering or leaving your network. You can specify the private IP address of a NIC attached to a virtual machine so that IP forwarding can be enabled. Or you can provide the private IP address of an internal load balancer.

93
Q

Virtual network gateway

A

Use this option when you want routes for a specific address prefix to be routed to a virtual network gateway. The virtual network gateway is specified as a VPN for the next hop type.

94
Q

Border gateway protocol

A

A network gateway in your on-premises network can exchange routes with a virtual network gateway in Azure by using BGP. BGP is the standard routing protocol that is normally used to exchange routing information among two or more networks. BGP is used to transfer routing information between different gateways, such as on the internet or between autonomous systems.

95
Q

Border gateway protocol 2

A

You typically use BGP to advertise on-premises routes to Azure when you’re connected to an Azure datacenter through Azure ExpressRoute. You can also configure BGP if you connect to an Azure virtual network by using a VPN site-to-site connection.

96
Q

What is an NVA?

A

A network virtual appliance (NVA) is a virtual appliance that consists of various layers like:

a firewall
a WAN optimizer
application-delivery controllers
routers
load balancers
IDS/IPS
proxies

You can use an NVA to filter traffic inbound to a virtual network, to block malicious requests, and to block requests made from unexpected resources.

97
Q

Network virtual appliance

A

Network virtual appliances, or NVAs, are virtual machines that control the flow of network traffic by controlling routing. You typically use them to manage traffic flowing from a perimeter-network environment to other networks or subnets.

98
Q

VPN GATEWAY ON PREM

A

The virtual private network (VPN) gateway options in Azure can help your company meet these connectivity requirements. You’ll see how this is done by creating and testing VPNs to securely connect sites to Azure.

99
Q

Azure VPN gateways

A

A VPN gateway is a type of virtual network gateway. VPN gateways are deployed in Azure virtual networks and enable the following connectivity:

Connect on-premises datacenters to Azure virtual networks through a site-to-site connection.
Connect individual devices to Azure virtual networks through a point-to-site connection.
Connect Azure virtual networks to other Azure virtual networks through a network-to-network connection.

All transferred data is encrypted in a private tunnel as it crosses the internet. You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations, including other Azure virtual networks or on-premises datacenters.

100
Q

Policy-based VPNs

A

Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel that the packet is sent through. Key features of policy-based VPN gateways in Azure include:

Support for IKEv1 only.
Use of static routing, where combinations of address prefixes from both networks control how traffic is encrypted and decrypted through the VPN tunnel. The source and destination of the tunneled networks are declared in the policy and don’t need to be declared in routing tables.
Policy-based VPNs must be used in specific scenarios that require them, such as for compatibility with legacy on-premises VPN devices.

101
Q

Required Azure resources

A

Virtual network. Deploy an Azure virtual network with enough address space for the additional subnet that you’ll need for the VPN gateway. The address space for this virtual network must not overlap with the on-premises network that you’ll be connecting to. Remember that you can deploy only one VPN gateway within a virtual network.

102
Q

Required Azure resources 2

A

GatewaySubnet. Deploy a subnet called GatewaySubnet for the VPN gateway. Use at least a /27 address mask to make sure you have enough IP addresses in the subnet for future growth. You can’t use this subnet for any other services.

103
Q

Required Azure resources 3

A

Public IP address. Create a Basic-SKU dynamic public IP address if using a non-zone-aware gateway. This address provides a publicly routable IP address as the target for your on-premises VPN device. This IP address is dynamic, but it won’t change unless you delete and re-create the VPN gateway.

104
Q

Required Azure resources 4

A

Local network gateway. Create a local network gateway to define the on-premises network’s configuration: where the VPN gateway will connect and what it will connect to. This configuration includes the on-premises VPN device’s public IPv4 address and the on-premises routable networks. The VPN gateway uses this information to route packets that are destined for on-premises networks through the IPsec tunnel.

105
Q

Required Azure resources 5

A

Virtual network gateway. Create the virtual network gateway to route traffic between the virtual network and the on-premises datacenter or other virtual networks. The virtual network gateway can be either a VPN or ExpressRoute gateway, but this module deals only with VPN virtual network gateways.

106
Q

Required Azure resources 6

A

Connection. Create a Connection resource to create a logical connection between the VPN gateway and the local network gateway.

The connection is made to the on-premises VPN device’s IPv4 address as defined by the local network gateway.
The connection is made from the virtual network gateway and its associated public IP address.

107
Q

Required on-premises resources

A

To connect your datacenter to a VPN gateway, you’ll need these on-premises resources:

A VPN device that supports policy-based or route-based VPN gateways
A public-facing (internet-routable) IPv4 address

108
Q

Active/standby

A

By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention. Connections are interrupted during this failover, but they’re typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.

109
Q

Active/active

A

With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.

110
Q

ExpressRoute failover

A

Another high availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in, but they aren’t immune to physical problems that affect the cables delivering connectivity, or to outages affecting the complete ExpressRoute location. In high availability scenarios, where there’s risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity, thus ensuring there’s always a connection to the Azure virtual networks.

111
Q

Zone-redundant gateways

A

In regions that support availability zones, VPN and ExpressRoute gateways can be deployed in a zone-redundant configuration. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway SKUs and use Standard public IP addresses instead of Basic public IP addresses.

112
Q

ExpressRoute overview

A

Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud. This connection between your organization and Azure is dedicated and private. Establishing an ExpressRoute connection enables you to connect to Microsoft cloud services like Azure, Office 365, and Dynamics 365. Security is enhanced, connections are more reliable, latency is minimal, and throughput is greatly increased.

113
Q

Layer 3 connectivity

A

ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be point-to-point or any-to-any network connections, or they can be virtual cross-connections through an exchange.

114
Q

Built-in redundancy

A

Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available.

115
Q

Co-location at a cloud exchange

A

Co-located providers can normally offer both Layer 2 and Layer 3 connections between your infrastructure, which might be located in the co-location facility, and the Microsoft cloud. For example, if your datacenter is co-located at a cloud exchange such as an internet service provider (ISP), you can request a virtual cross-connection to the Microsoft cloud.

116
Q

Point-to-point Ethernet connection

A

Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and Microsoft Azure. You can connect your offices or datacenters to Azure by using point-to-point links. For example, if you have an on-premises datacenter, you can use a point-to-point Ethernet link to connect to Microsoft.

117
Q

Any-to-any networks

A

With any-to-any connectivity, you can integrate your wide area network (WAN) with Microsoft Azure by providing connections to your offices and datacenters. Azure integrates with your WAN connection to provide a seamless connection, just like you would have between your datacenter and any branch offices.

118
Q

Architecture of ExpressRoute

A

ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ExpressRoute partner. The partner provides the edge service: an authorized and authenticated connection that operates through a partner-controlled router. The edge service is responsible for extending your network to the Microsoft cloud.

119
Q

Architecture of ExpressRoute 2

A

The partner sets up connections to an endpoint in an ExpressRoute location (implemented by a Microsoft edge router). These connections enable you to peer your on-premises networks with the virtual networks available through the endpoint. These connections are called circuits.

120
Q

Prerequisites for ExpressRoute 3

A

An ExpressRoute connectivity partner or cloud exchange provider that can set up a connection from your on-premises networks to the Microsoft cloud.
An Azure subscription that is registered with your chosen ExpressRoute connectivity partner.
An active Microsoft Azure account that can be used to request an ExpressRoute circuit.
An active Office 365 subscription, if you want to connect to the Microsoft cloud and access Office 365 services.

121
Q

Prerequisites

A

ExpressRoute works by peering your on-premises networks with networks running in the Microsoft cloud.

122
Q

ExpressRoute has a number of network and routing requirements:

A

Ensure that BGP sessions for routing domains have been configured. Depending on your partner, this might be their or your responsibility. Additionally, for each ExpressRoute circuit, Microsoft requires redundant BGP sessions between Microsoft’s routers and your peering routers.
You or your providers need to translate the private IP addresses used on-premises to public IP addresses by using a NAT service. Microsoft will reject anything except public IP addresses through Microsoft peering.
Reserve several blocks of IP addresses in your network for routing traffic to the Microsoft cloud. You configure these blocks as either a /29 subnet or two /30 subnets in your IP address space. One of these subnets is used to configure the primary circuit to the Microsoft cloud, and the other implements a secondary circuit. You use the first address in these subnets to communicate with services in the Microsoft cloud. Microsoft uses the second address to establish a BGP session.

123
Q

ExpressRoute supports two peering schemes 1

A

Use private peering to connect to Azure IaaS and PaaS services deployed inside Azure virtual networks. The resources that you access must all be located in one or more Azure virtual networks with private IP addresses. You can’t access resources through their public IP address over a private peering.

124
Q

ExpressRoute supports two peering schemes:2

A

Use Microsoft peering to connect to Azure PaaS services, Office 365 services, and Dynamics 365.

125
Q

SKU

A

Select Standard if you have up to 10 virtual networks and only need to connect to resources in the same geopolitical region. Otherwise, select Premium.

126
Q

Configure private peering

A

You use private peering to connect your network to your virtual networks running in Azure. To configure private peering, you must provide the following information:

Peer ASN. The autonomous system number for your side of the peering. This ASN can be public or private, and 16 bits or 32 bits.
Primary subnet. This is the address range of the primary /30 subnet that you created in your network. You’ll use the first IP address in this subnet for your router. Microsoft uses the second for its router.
Secondary subnet. This is the address range of your secondary /30 subnet. This subnet provides a secondary link to Microsoft. The first two addresses are used to hold the IP address of your router and the Microsoft router.
VLAN ID. This is the VLAN on which to establish the peering. The primary and secondary links will both use this VLAN ID.
Shared key. This is an optional MD5 hash that’s used to encode messages passing over the circuit.

127
Q

Availability and connectivity

A

Microsoft guarantees a minimum of 99.95 percent availability for an ExpressRoute dedicated circuit.

128
Q

Site-to-site VPN

A

An Azure site-to-site VPN connection enables you to connect your on-premises network to Azure over an IPsec tunnel to build a hybrid network solution. You configure an on-premises VPN device with a public IP address. You connect this device to an Azure virtual network through an Azure virtual network gateway.

129
Q

Point-to-site VPN

A

With point-to-site VPN, you can establish a secure connection to a network from individual computers located on-premises. This solution is useful for someone who wants to connect to Azure from remote locations such as a home or customer site. Point-to-site is useful if you have only a few clients that need to connect to a virtual network.

130
Q

Distribute traffic with Azure Load Balancer

A

Azure Load Balancer is a service you can use to distribute traffic across multiple virtual machines.

131
Q

SLAs for load balancing

A

Availability set: 99.95% SLA. Protection from hardware failures within datacenters.
Availability zone: 99.99% SLA. Protection from entire datacenter failure.

132
Q

Availability sets

A

An availability set is a logical grouping that you use to isolate virtual machine resources from each other when they’re deployed. Azure ensures that the virtual machines you put in an availability set run across multiple physical servers, compute racks, storage units, and network switches. If there’s a hardware or software failure, only a subset of your virtual machines is affected. Your overall solution stays operational. Availability sets are essential for building reliable cloud solutions.

133
Q

Availability zones

A

An availability zone offers groups of one or more datacenters that have independent power, cooling, and networking. The virtual machines in an availability zone are placed in different physical locations within the same region. Use this architecture when you want to ensure that, when an entire datacenter fails, you can continue to serve users.

134
Q

Basic load balancers allow:

A

Port forwarding
Automatic reconfiguration
Health probes
Outbound connections through source network address translation (SNAT)
Diagnostics through Azure Log Analytics for public-facing load balancers

Basic load balancers can be used only with availability sets.

135
Q

Standard load balancers

A

Standard load balancers support all of the basic features. They also allow:

HTTPS health probes
Availability zones
Diagnostics through Azure Monitor, for multidimensional metrics
High availability (HA) ports
Outbound rules
A guaranteed SLA (99.99% for two or more virtual machines)

136
Q

external load balancer

A

An external load balancer operates by distributing client traffic across multiple virtual machines. An external load balancer permits traffic from the internet. The traffic might come from browsers, mobile apps, or other sources. In a healthcare organization, the balancer distributes the load of all the browsers that run the client healthcare application.

137
Q

internal load balancer

A

An internal load balancer distributes a load from internal Azure resources to other Azure resources. For example, if you have front-end web servers that need to call business logic that’s hosted on multiple middle-tier servers, you can distribute that load evenly by using an internal load balancer. No traffic is allowed from internet sources. In a healthcare organization, the load balancer distributes a load across the internal application tier.

138
Q

public load balancer

A

A public load balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of a virtual machine in the back-end pool. The responses are then returned to the client. By applying load-balancing rules, you distribute specific types of traffic across multiple virtual machines or services.

139
Q

Five-tuple hash

A

Five-tuple hash. The default distribution mode for Load Balancer is a five-tuple hash. The tuple is composed of the source IP, source port, destination IP, destination port, and protocol type. Because the source port is included in the hash and the source port changes for each session, clients might be directed to a different virtual machine for each session.

140
Q

Load Balancer and Remote Desktop Gateway

A

The default five-tuple hash in Load Balancer is incompatible with Remote Desktop Gateway. If you want to use Load Balancer with your Remote Desktop servers, use source IP affinity.

141
Q

Configure an internal load balancer

A

You can configure an internal load balancer in almost the same way as an external load balancer, but with these differences:

When you create the load balancer, for the Type value, select Internal. When you select this setting, the front-end IP address of the load balancer isn’t exposed to the internet.
Assign a private IP address instead of a public IP address for the front end of the load balancer.
Place the load balancer in the protected virtual network that contains the virtual machines you want to handle the requests.

142
Q

health probe

A

Load Balancer uses a health probe to determine the availability of each VM that’s referenced by addresses in the back-end pool. Load Balancer only sends requests to VMs that indicate they’re healthy.

143
Q

Azure Load Balancer includes a number of components:

A

A front-end IP address
A back-end pool of VM addresses
One or more routing rules
A health probe
A collection of VMs, typically in a virtual network

144
Q

Front-end IP address and back-end pool

A

Load Balancer stores the IP addresses of these VMs in a repository commonly referred to as a back-end pool. Load Balancer exposes its own front-end IP address to clients. When a client sends a request to this address, Load Balancer selects the IP address of a VM from the back-end pool. Load Balancer then routes the request through this back-end IP address to the VM.

145
Q

Scalability

A

You can start additional VM instances and add their IP addresses to the back-end pool at any time. Load Balancer includes these new instances when it distributes user requests.

Load Balancer can expose more than one public front-end IP address, and might have multiple back-end pools. This scheme enables you to reuse the same instance of Load Balancer to handle requests for different systems.

146
Q

Routing rules

A

You define load-balancing rules to specify how requests directed toward each front-end IP address are mapped to a back-end pool. A load-balancing rule also specifies the protocol to match against, and optionally the source (client) and destination ports. Incoming requests arriving on a front-end IP address that don’t match the protocol and port requirements are discarded by Load Balancer. A load-balancing rule can also configure session persistence so that a given client is likely to have its requests routed to the same VM. In this way, applications running on a VM can take advantage of caching to hold session-specific information.

147
Q

Health probes

A

Load Balancer needs to determine whether each VM referenced by the back-end pool is available for handling requests. You add a health probe to do this. A health probe sends regular probe messages to a port that you specify for the VMs in the back-end pool. You provide a service on the VMs that responds to these probe messages with an HTTP 200 (OK) message.

148
Q

Symptoms and causes of failure with Load Balancer

A

The application is unreachable.
The VMs running the application are unreachable.
Response times are slow.
User requests are timing out.

149
Q

Probing issues

A

Probing issues result when one or more VMs in the back-end pool fail to respond to health probe requests. These issues could be a result of:

An incorrect probe configuration, such as the wrong URL or port.
A VM that fails to respond to the probe because the required port isn’t open.

150
Q

Data path issues

A

Data path issues occur when a Load Balancer is unable to route a client request to the application that runs on a VM in the back-end pool. Possible causes include:

A network security group rule or firewall is blocking the ports or IP addresses used by the application.
A VM is down or not responding. The VM might be turned off or failing, or there’s a security issue such as an expired certificate on the server.
The application isn’t responding. The VMs might be overloaded, the application might be listening on an incorrect port, or the application might be crashing.

151
Q

Use Azure Monitor to troubleshoot Load Balancer

A

With Azure Monitor, you can capture and examine diagnostic logs and performance data for Load Balancer.

152
Q

Monitor connectivity

A

You can visualize metrics for Load Balancer by using the Metrics page in the Azure portal. From a connectivity troubleshooting perspective, the most important metrics are Data Path Availability and Health Probe Status.

153
Q

The Health Probe Status metric

A

The Health Probe Status metric is similar to Data Path Availability, but it only applies to the health probe for the VMs rather than the complete path through Load Balancer. Again, the Avg aggregation for this metric yields a value between 0 (all VMs are unhealthy and failing to respond) and 100 (all VMs are responding to the health probe).

154
Q

View service health

A

The Resource health page for Load Balancer reports on the general state of your system. You access this page in the portal from Azure Monitor. Select Service Health, select Resource Health, and then select Load Balancer as the resource type.

155
Q

Use PsPing

A

The PsPing command tests ping connectivity through an endpoint. This command also measures the latency and bandwidth availability to a service. To verify that a route is available from your client to a VM through Load Balancer, use the following command. Replace the address and port placeholders with the IP address and front-end port of the Load Balancer instance.

156
Q

Use tcping

A

The tcping utility is similar to ping, except that it operates over a TCP connection instead of ICMP, which Load Balancer doesn’t route. Use tcping as follows.

157
Q

Limitations of Load Balancer

A

Azure Load Balancer is limited to load balancing and port forwarding for the TCP and UDP protocols. You can’t use Load Balancer to manage requests submitted by using other network protocols such as ICMP.

Load Balancer operates at layer 4 of the OSI network stack and doesn’t examine or otherwise manipulate the contents of network packets. You can’t use it to implement content-based routing.

158
Q

Route traffic with Application Gateway

A

Application Gateway manages the requests that client applications can send to a web app. Application Gateway routes traffic to a pool of web servers based on the URL of a request. This is known as application layer routing. The pool of web servers can be Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers.

159
Q

How Application Gateway routes requests

A

Clients send requests for your web apps to the IP address or DNS name of the gateway. The gateway routes each request to a selected web server in the back-end pool, using a set of rules configured for the gateway to determine where the request should go.

160
Q

Path-based routing

A

Path-based routing enables you to send requests with different paths in the URL to different pools of back-end servers. For example, you could direct requests with the path /video/* to a back-end pool containing servers that are optimized to handle video streaming, and direct /images/* requests to a pool of servers that handle image retrieval.

161
Q

Multiple site hosting

A

Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site. Application Gateway uses separate listeners to wait for requests for each site. Each listener passes the request to a different rule, which can route the requests to servers in a different back-end pool. For example, you could configure Application Gateway to direct all requests for http://contoso.com to servers in one back-end pool, and requests for http://fabrikam.com to another back-end pool. The following diagram shows this configuration.

162
Q

Load balancing in Application Gateway

A

Application Gateway automatically load balances requests sent to the servers in each back-end pool using a round-robin mechanism. However, you can configure session stickiness if you need to ensure that all requests for a client in the same session are routed to the same server in a back-end pool.

163
Q

Load balancing in Application Gateway 2

A

Operating at OSI Layer 7 enables load balancing to take advantage of the other features that Application Gateway provides. These features include:

Support for the HTTP, HTTPS, HTTP/2 and WebSocket protocols.
A web application firewall to protect against web application vulnerabilities.
End-to-end request encryption.
Autoscaling, to dynamically adjust capacity as your web traffic load changes.

164
Q

Front-end IP address

A

Client requests are received through a front-end IP address. You can configure Application Gateway to have a public IP address, a private IP address, or both. Application Gateway can’t have more than one public and one private IP address.

165
Q

Listeners

A

Application Gateway uses one or more listeners to receive incoming requests. A listener accepts traffic arriving on a specified combination of protocol, port, host, and IP address. Each listener routes requests to a back-end pool of servers following routing rules that you specify. A listener can be Basic or Multi-site. A Basic listener only routes a request based on the path in the URL. A Multi-site listener can also route requests using the hostname element of the URL.

Listeners also handle SSL certificates for securing your application between the user and Application Gateway.

166
Q

Routing rules

A

A routing rule binds a listener to the back-end pools. A rule specifies how to interpret the hostname and path elements in the URL of a request, and direct the request to the appropriate back-end pool. A routing rule also has an associated set of HTTP settings. These settings indicate whether (and how) traffic is encrypted between Application Gateway and the back-end servers, and other configuration information such as:

Protocol (HTTP or HTTPS).
Session stickiness, to pass all requests in a client session to the same web server rather than distributing them across servers with load balancing.
Connection draining, to enable the graceful removal of servers from a back-end pool.
Request timeout period, in seconds.
Health probes, specifying a probe URL, timeout periods, and other parameters used to determine whether a server in the back-end pool is available.

167
Q

Back-end pools

A

A back-end pool references a collection of web servers. When configuring the pool, you provide the IP address of each web server and the port on which it listens for requests. Each pool can specify a fixed set of virtual machines, a virtual machine scale set, an app hosted by Azure App Service, or a collection of on-premises servers. Each back-end pool has an associated load balancer that distributes work across the pool.

168
Q

WAF

A

The web application firewall (WAF) is an optional component that handles incoming requests before they reach a listener. The WAF checks each request for many common threats, based on the Open Web Application Security Project (OWASP) rules. These include:

SQL-injection
Cross-site scripting
Command injection
HTTP request smuggling
HTTP response splitting
Remote file inclusion
Bots, crawlers, and scanners
HTTP protocol violations and anomalies

169
Q

Health probes

A

Health probes help the load balancer determine which servers in a back-end pool are available for load balancing. Application Gateway uses a health probe to send a request to a server. If the server returns an HTTP response with a status code between 200 and 399, the server is deemed healthy.

If you don’t configure a health probe, Application Gateway creates a default probe that waits for 30 seconds before deciding that a server is unavailable.

170
Q

Application Gateway network requirements

A

Application Gateway requires a virtual network in which to operate. You must create this virtual network and a dedicated subnet before setting up Application Gateway. Application Gateway uses a number of private addresses for internal use and for communicating with each instance if the gateway scales out. For example, if you plan on scaling out to four instances, create a /28 size subnet. If you’re likely to scale to more instances, create a bigger subnet.

You can expose the Application Gateway through a public IP address, or you can keep it private by giving it only a private IP address inside the virtual network. This is useful if you have internal sites for which you would like Application Gateway to provide load balancing.

171
Q

What is Network Watcher?

A

Network Watcher is an Azure service that combines tools in a central place to diagnose the health of Azure networks. The Network Watcher tools are divided into two categories:

Monitoring tools
Diagnostic tools

172
Q

Network Watcher monitoring tools

A

Network Watcher provides three monitoring tools:

Topology
Connection Monitor
Network Performance Monitor

Let’s look at each of these tools.

173
Q

What is the topology tool?

A

The topology tool generates a graphical display of your Azure virtual network, its resources, its interconnections, and their relationships with each other.

Suppose you have to troubleshoot a virtual network created by your colleagues. Unless you were involved in the creation process of the network, you might not know about all the aspects of the infrastructure. You can use the topology tool to visualize and understand the infrastructure you’re dealing with before you start troubleshooting.

174
Q

What is the Connection Monitor tool?

A

The Connection Monitor tool provides a way to check that connections work between Azure resources. Use this tool to check that two VMs can communicate when they should.

This tool also measures the latency between resources. It can catch changes that will affect connectivity, such as changes to the network configuration or changes to network security group (NSG) rules. It can probe VMs at regular intervals to look for failures or changes.

If there’s an issue, Connection Monitor tells you why it occurred and how to fix it. Along with monitoring VMs, Connection Monitor can examine an IP address or fully qualified domain name (FQDN).

175
Q

What is the Network Performance Monitor tool?

A

The Network Performance Monitor tool enables you to track and alert on latency and packet drops over time. It gives you a centralized view of your network.

When you decide to monitor your hybrid connections by using Network Performance Monitor, check that the associated workspace is in a supported region.

You can use Network Performance Monitor to monitor endpoint-to-endpoint connectivity:

Between branches and datacenters.
Between virtual networks.
For your connections between on-premises and the cloud.
For Azure ExpressRoute circuits.

176
Q

Network Watcher diagnostic tools

A

Network Watcher includes six diagnostic tools:

IP flow verify
Next hop
Effective security rules
Packet capture
Connection troubleshoot
VPN troubleshoot

177
Q

IP flow verify tool

A

The IP flow verify tool tells you if packets are allowed or denied for a specific virtual machine. If a network security group denies a packet, the tool tells you the name of that group so that you can fix the problem.

This tool uses a 5-tuple packet parameter-based verification mechanism to detect whether inbound or outbound packets are allowed or denied for a VM. Within the tool, you specify a local and remote port, the protocol (TCP or UDP), the local IP, the remote IP, the VM, and the VM’s network adapter.

178
Q

What is the next hop tool?

A

When a VM sends a packet to a destination, it might take multiple hops in its journey. For example, if the destination is a VM in a different virtual network, the next hop might be the virtual network gateway that routes the packet to the destination VM.

With the next hop tool, you can determine how a packet gets from a VM to any destination. You specify the source VM, source network adapter, source IP address, and destination IP address. The tool then determines the packet’s destination. You can use this tool to diagnose problems caused by an incorrect routing table.

179
Q

What is the effective security rules tool?

A

The effective security rules tool in Network Watcher displays all the effective NSG rules applied to a network interface.

Network security groups (NSGs) are used in Azure networks to filter packets based on their source and destination IP address and port numbers. NSGs are vital to security because they help you carefully control the surface area of the VMs that users can access. Keep in mind, though, that a mistakenly configured NSG rule might prevent legitimate communication. As a result, NSGs are a frequent source of network problems.

For example, if two VMs can’t communicate because an NSG rule blocks them, it can be difficult to diagnose which rule is causing the problem. You’ll use the effective security rules tool in Network Watcher to display all the effective NSG rules and help you diagnose which rule is causing the specific problem.

To use the tool, you choose a VM and its network adapter. The tool displays all the NSG rules that apply to that adapter. It’s easy to determine a blocking rule by viewing this list.

You can also use the tool to spot vulnerabilities for your VM caused by unnecessary open ports.

180
Q

What is the packet capture tool?

A

You use the packet capture tool to record all of the packets sent to and from a VM. You then review the captured packets to gather statistics about network traffic or diagnose anomalies, such as unexpected network traffic on a private virtual network.

The packet capture tool is a virtual machine extension that Network Watcher starts remotely; this happens automatically when you start a packet capture session.

Keep in mind that there is a limit to the number of packet capture sessions allowed per region. The default usage limit is 100 packet capture sessions per region, and the overall limit is 10,000. These limits are for the number of sessions only, not saved captures. You can save captured packets in Azure Storage or locally on your computer.

Packet capture has a dependency on the Network Watcher Agent VM Extension installed on the VM. For links to instructions that detail the installation of the extension on both Windows and Linux VMs, see the “Learn more” section at the end of this module.

181
Q

What is the connection troubleshoot tool?

A

You use the connection troubleshoot tool to check TCP connectivity between a source and destination VM. You can specify the destination VM by using an FQDN, a URI, or an IP address.

If the connection is successful, information about the communication is displayed, including:

The latency in milliseconds.
The number of probe packets sent.
The number of hops in the complete route to the destination.

If the connection is unsuccessful, you’ll see details of the fault. Fault types include:

CPU. The connection failed because of high CPU utilization.
Memory. The connection failed because of high memory utilization.
GuestFirewall. The connection was blocked by a firewall outside Azure.
DNSResolution. The destination IP address couldn’t be resolved.
NetworkSecurityRule. The connection was blocked by an NSG.
UserDefinedRoute. There’s an incorrect user route in a routing table.

182
Q

What is the VPN troubleshoot tool?

A

You can use the VPN troubleshoot tool to diagnose problems with virtual network gateway connections. This tool runs diagnostics on a virtual network gateway connection and returns a health diagnosis.

When you start the VPN troubleshoot tool, Network Watcher diagnoses the health of the gateway or connection and returns the appropriate results. The request is a long-running transaction.

183
Q

Flow logs

A

In flow logs, you can view information about ingress and egress IP traffic on network security groups. Flow logs show outbound and inbound flows on a per-rule basis, based on the network adapter that the flow applies to. NSG flow logs show whether traffic was allowed or denied based on the 5-tuple information captured. This information includes:

Source IP
Source port
Destination IP
Destination port
Protocol

Flow logs store data in a JSON file. It can be difficult to gain insights into this data by manually searching the log files, especially if you have a large infrastructure deployment in Azure. You can solve this problem by using Power BI.

In Power BI, you can visualize NSG flow logs by, for example:

Top talkers (IP address)
Flows by direction (inbound and outbound)
Flows by decision (allowed and denied)
Flows by destination port

184
Q

Diagnostic logs

A

In Network Watcher, diagnostic logs are a central place to enable and disable logs for Azure network resources. These resources might include NSGs, public IPs, load balancers, and application gateways. After you’ve enabled the logs that interest you, you can use the Network Watcher tools to query and view log entries.

You can import diagnostic logs into Power BI and other tools to analyze them.

185
Q

Traffic analytics

A

To investigate user and app activity across your cloud networks, use traffic analytics.

The tool gives insights into network activity across subscriptions. You can diagnose security threats such as open ports, VMs communicating with known bad networks, and traffic flow patterns. Traffic analytics analyzes NSG flow logs across Azure regions and subscriptions. You can use the data to optimize network performance.

This tool requires Log Analytics. The Log Analytics workspace must exist in a supported region.