AZ-700 Flashcards

1
Q

Azure Virtual Network (VNet)

A

cloud representation of a physical network

divided into subnets

all VNets must have at least one subnet

handles DHCP services

can be secured using an ACL (NSG)

2
Q

Public Prefix

A
3
Q

Subnet

A
4
Q

Virtual Machine

A
5
Q

Network Interface Card

A
6
Q

Virtual Network Gateway

A
7
Q

DNS Zone

A
8
Q

Private DNS Zone

A
9
Q

VNet Peering

A
9
Q

Virtual Hub

A
9
Q

Virtual WAN

A

1 s2s scale unit = 500 Mbps

1 Express Route scale unit = 2 Gbps

10
Q

VPN Site

A

similar to virtual gateway

11
Q

Route Table

A
12
Q

Load Balancer

A
13
Q

Application Load Balancer

A
14
Q

Traffic Manager

15
Q

Azure Front Door Service

16
Q

Rewrite set

17
Q

Application Gateway

18
Q

Forced Tunneling

A

Configure forced tunneling

  1. Create a resource group.
    New-AzResourceGroup -Name 'ForcedTunneling' -Location 'North Europe'
  2. Create a virtual network and specify subnets.
  3. Create the local network gateways.
    Example:
    $lng1 = New-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" -Location "North Europe" -GatewayIpAddress "111.111.111.111" -AddressPrefix "192.168.1.0/24"
  4. Create the virtual network gateway.
  5. Assign a default site to the virtual network gateway. The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.
    $LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling"
    $VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling"
    Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
  6. Establish the Site-to-Site VPN connections.
    Details omitted.
19
Q

ExpressRoute

A

Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.

Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure’s cloud services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute.

Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan).

20
Q

Basic Load Balancer

A

VMs behind Basic Load Balancers
Virtual machine scale sets with Basic Load Balancers
Redis Cache
Application Gateway (v1) SKU
Service Fabric
API Management (stv1)
Active Directory Domain Service (ADDS)
Logic Apps
HDInsight
Azure Batch
App Service Environment
You can connect to these resources via ExpressRoute or VNet-to-VNet through VNet Gateways.

21
Q

Private IP Addressing

A

Available IPs are 5 fewer than the range: .0 = network, .1 = gateway, .2 & .3 = DNS, and .255 = broadcast

IPv4 is mandatory, IPv6 is optional

IPv6 is always /64

DHCP is default; static is optional

22
Q

Public IP

A

Tied to regions

2 skus - Basic & Static

  • Basic is dynamic or static and certain amount for free; open by default
    • no AZ support
  • Standard = static only; locked down by default; AZ support
  • Sometimes SKU needs to match service, e.g. Basic load balancer uses standard public IP
23
Public IP Prefix
contiguous block of public IPs
24
Peering
uses native Azure backbone
different regions use Global VNet Peering
Cannot peer across clouds (e.g. US to China or Gov)
Created in each direction
Cannot peer with overlapping IP space
25
Gateway Transit
Gateway subnet probably allows me to talk to on prem from a hub vnet
To allow spoke to talk to on-prem, need to enable two features:
- Hub to spoke side of peering - allow gateway transit - "Use this virtual network's gateway or Route Server"
- On spoke to hub side of peering - use remote gateway - "Use the remote virtual network's gateway or Route Server"
spokes can only use one hub's remote gateway
26
User Defined Routing
link a route table to a subnet within a vnet within the same region; next-hop doesn't have to be on the same subnet
useful to view the "Effective routes" on the NIC of a VM
27
NAT Gateway
attach public ips/prefixes with a standard sku
link nat gateway to a subnet within the same region
only supports IPv4; there is a cap on the number of pub ip's you can add (16?)
can attach to a zone, or a region, but cannot be zone-redundant
28
Azure DNS
29
Network Security Group
30
Application Security Group (ASG)
basically just a tag
can only use it in the same region in which it was created
makes the acl based on the tag instead of an IP address
31
Service Endpoint
seems like another ACL tag
might let something like vnet1-subnet1 talk to storage account1
32
Private Endpoint
an IP in the subnet that represents a (private)
for a custom resource, need to put a (standard) lb in front of it, and a private link service in front of the LB, and then the private endpoint can point to that.
I think the private link service also does nat
a new DNS zone is used -- usually something like privatelink.azurewebsites.net
33
App Service Plan
- each individual app will have its own private endpoint; this is to get to the app
- 3 options to get the app outbound to the vnet: 1) regional vnet integration, 2) gateway required integration (p2s vpn to a gateway), 3) hybrid connections
34
Azure Firewall
- has its own subnet, which is at least a /26
- fw appliances will have an internal ip that gets targeted via UDR by things like vpn, or
- standard and premium sku
- premium adds TLS inspection, IDPS, URL filtering and Web categories
- 3 types of policies - nat rules, network rules, and application rules
35
NSG Flow Logs
needs a storage account
sends to log analytics workspace, and then traffic analytics happens on that
36
Network Watcher
37