AZ-700: Networking Flashcards
1
Q
True or False: Virtual Networks cannot span across different regions or different subscriptions
A
True
2
Q
True or False: Virtual Networks span across all availability zones in a region
A
True
3
Q
True or False: Broadcast and Multicast are supported in an Azure virtual network
A
False
4
Q
True or False: IPv6 is always /64 CIDR in Azure Networking
A
True
5
Q
True or False: Subnets cannot span availability zones in a region
A
False, they span all of them just like the virtual networks
6
Q
How many IP addresses are “lost” when creating a subnet in Azure
A
5, you lose 1 to network, 1 to default GW, 2 to DNS, and 1 to broadcast
7
Q
Where are static IPs configured?
A
They are configured on a per resource level, not vnet.
Examples: done on the VM under its network interface
8
Q
True or False: you can bring your own individual public IPs into Azure
A
False, Azure has its own set of IPs you need a public ip prefix of atleast /24 to bring it into azure
9
Q
True or False: you can move Azure public IPs across regions
A
False, Azure IPs are per region
10
Q
What are the two SKUs for a public IP in Azure and what are the differences
A
Basic and Standard
Basic -
-Dynamic or Statically assigned
-Open by Default
-No Availability Zone support
Standard-
-Static only
-locked down by default
-Availability Zone support
11
Q
True or False: Load balancers and Public IPs need to have the same SKU tier
A
True
12
Q
What is the name for a contiguous block of public IPs
A
Public IP Prefix
13
Q
What is it called when you connect two unique Vnets in the same region
A
VNET Peering
14
Q
What is it called when you connect two unique Vnets in different regions
A
Global Vnet Peering
15
Q
True or False: you can peer Vnets across different vnet clouds (China, us gov, germany)
A
False
16
Q
True or False: 2 unpeered vnets can natively talk if they are peered to the same tertiary vnet
A
False, vnet peering is not transitive, you would have to peer the two vnets together or have an appliance ( such as a firewall) on the tertiary vnet to route traffic between them
17
Q
What are the two settings that need to be enable for a peered vnet to use the other peers gateway and what need to be enable on each
A
Allow gateway transit must be enabled on the “hub” vnet
Use remote gateway must be enabled on the vnet that needs to use the others gateway
18
Q
Can you use a remote gateway if there is already a gateway in the vnet
A
no
19
Q
Can you set the next “hop” in a route table to a different subnet or even network?
A
Yes
20
Q
Can you connect 2 vnets together without peering them? How would you do it?
A
Yes, with route tables or “user defined routing”
21
Q
What is the IP of Azure DNS
A
168.63.129.16
22
Q
What is an inbuilt option in Azure for custom DNS?
A
Azure private DNS Zone
23
Q
How many private DNS Zones can one Vnet have for registration?
A
1
24
Q
How would you be able to have more than one private dns for a vnet?
A
you can have one for registration and multiple (up to 1000) for resolution
25
How many vnets are allowed per private dns zone that use that zone for Auto-registration?
100
26
How many vnets are allowed per private dns zone that use that zone for resolution?
1000
27
what are the two primary types of dns records added to an azure public dns zone
host and alias
28
What is the first thing you create while making a STS VPN vnet?
Gateway subnet
29
What is needed to configure a point to site VPN that connects to azure ad
Add an enterprise app to azure
30
When using ExpressRoute all inbound traffic goes through what resource by default?
The ExpressRoute Gateway
31
What is fastpath?
Fast Path is a way for inbound traffic to bypass the express route gateway and go straight to a resource
32
Does fast path still require a gateway?
Yes, gateways are still required for things like BGP route propagation and it must be the highest SKU
33
Does outbound express route traffic pass through the gateway?
No it goes straight to the MSEE
34
How many vnet links are allowed per expressroute circuit?
10 for standard for all circuit sizes and it can be increased with premium add on
35
Can you have both microsoft peering and private peering on the same ExpressRoute circuit?
Yes
36
What is required to make microsoft peering "work" once enabled?
A route filter
37
What protocol does a route filter use to advertise services?
BGP
38
With a stardard ExpressRoute SKU what regions can you use?
Any in the same geopolitical region
| Ex. North america to north america, asia to asia
39
With a Premium ExpressRoute SKU what regions can you use?
All regions (Global)
40
Do you pay based on ingress or egress?
egress
41
What is another name for a "meet me"
peering point
42
What ExpressRoute SKU provides local region only
Local SKU
43
What is a faster alternative than having BGP detect a failure and do failover routing
BFD or Bidirectional Forwarding Detection
44
What does BFD stand for?
Bi-Directional Forwarding Detection
45
Is ExpressRoute an encrypted connection?
No
46
What service would you use to encrypt an ExpressRoute-Direct connection inside the meet me
| This is between the customer edge router and the MSEE
MACsec
| This is not end to end, this is inside the meet me only
47
What is an option for encrypting an express route connection
Site to Site VPN
48
What is the service you would use to connect two sites in different geopolitical regions using expressroute
ExpressRoute Global Reach
49
What is supported by the basic SKU of Azure Virtual WAN
S2S VPN only
50
What layer is Azure Load Balancer?
Layer 4
51
What is 5-Tuple
source IP address/port number, destination IP address/port number and the protocol in use
52
What are the two types of load balancers
internal and external
53
What is assigned to the front end of a load balancer
IP Address
54
What are the two SKUs for a load balancer?
Basic and standard
55
what is a 3-tuple
src ip
dest ip
protocol
56
What are two of the load balancing distribution modes
hash based distribution ( Uses 5-tuple hash based distribution by default)
Session persistence - Session persistence is also known session affinity, source IP affinity, or client IP affinity. This distribution mode uses a two-tuple (source IP and destination IP) or three-tuple (source IP, destination IP, and protocol type) hash to route to backend instances. When using session persistence, connections from the same client go to the same backend instance within the backend pool.
57
What layer is Azure App Gateway?
Layer 7 (HTTP/HTTPS)
58
Is Azure App Gateway regional or global?
regional
59
Is Azure Load Balancer regional or global?
Regional
60
Can the web application firewall have a public ip, private, or both
| Pick Two
Public or Both
61
What layer is Azure Traffic Manager?
Layer 4
62
Is Azure Traffic Manager regional or global?
Global
63
What protocol does Azure Traffic Monitor primarily use?
DNS
64
What is the setting needed for Azure Traffic Manager to work like a load balancer
The performance option will resolve the closest target to the requester favoring latency
65
True or False: Azure Traffic Manager can resolve to both Azure Endpoints and External Enpoints such as FQDN or IP
True
66
What is the layer 7, global load balancing solution?
Azure Front Door
67
How does Azure Front Door provide load balancing
it gives an anycast ip address for all points of presence
68
What is the name of the tool used to create inbound and outbound security rules for a vnet
Network Security Groups
69
Is a network security group an edge device
Example: Like a firewall
no
70
Is a network security group an edge device
Example: Like a firewall
no
71
Where is a network security group enforced
at the VNET level
72
Are network security groups regional or global
regional
73
What does Virtual Network actually mean when it is applied in a nsg rule
It means all know ip space
(this would include peered vnets, S2S VPN, and anything else this virtual network would be "aware" of.)
74
How does an application security group work in practice? What is it most similar to?
It is a tag you can use when making security rules
75
What would you use to only allow traffic from one subnet of a vnet into a storage account?
A Service Endpoint: Storage
76
What is an ip address from the network that represents a single instance of a service
Private endpoint
77
Can each app in an app service plane have its own private endpoint
yes
78
What is the minimum network size for Azure Firewall in CIDR
/26
it requires at least 64 addresses
79
How many policies can be applied to one instance of azure firewall?
1
80
What are the three types of rules for azure firewall
NAT rules
L4 Network Rules
Application rules (Layer 7)
81
What is an alias DNS Record called?
CNAME
82
What is an IPV4 DNS Record called?
A
83
What is an IPV6 DNS Record called?
AAAA
84
When configuring global peering, what changes will occur in the peered VNets
A peering entry is added to the routing table in each VNet
85
Does a VPN gateway subnet need to be named GatewaySubnet?
Yes
86
Is it okay to deploy other resources such as VMs in the gateway subnet?
No!!!
87
What are the two things required for your on site VPN device to connect to the Azure VPN Gateway?
Shared Key and Public Ip of the Azure VPN Gateway
88
What is the minimum address space to deploy a hub in azure
/24
89
What does all traffic pass through in an azure virtual wan?
Hub gateway
90
Can you use Virtual WAN to connect a VNet to a virtual hub in a different tenant?
Yes
91
Where are NVAs deployed to in a virtual WAN?
Inside the Virtual WAN Hub
92
How does the application gateway probe the health of something in its backend pool?
a HTTP GET request
93
What is the frequency that azure application gateway probes for health?
30 seconds
94
By default, an HTTP(S) response with status code between ___ and ___ is considered healthy for a probe.
200 and 399
95
Front Door route rules determine whether the incoming request matches the routing rule and route traffic accordingly. What properties are matched?
HTTP protocols (HTTP/HTTPS), Hosts, and Paths.
96
Which tool in Azure automatically collects, analyzes, and integrates log data from your Azure resources?
Microsoft Defender for Cloud
97
If there is an NSG on the NIC and an NSG on the subent, what one gets processed first?
The one on the NIC
98
Filtering of which direction of traffic does Azure Firewall support?
Inbound and Outbound
99
What are the two modes that a WAF policy can use?
WAF policy can either be in Prevention mode or Detection mode.
100
What are the two types of custom rule in a WAF policy?
Match rules and rate limit rules.
101
To enable a Service Endpoint, you must do two things
Turn off public access to the service.
Add the Service Endpoint to a virtual network.
102
What resource is associated with a Private Endpoint that contains the information to configure your Private Endpoint DNS?
The network interface
103
What service allows you to view Network Topology, Next Hop, Verify IP Flow, Packet Captures, NSG Flow Logs, and more.
Azure Network Watcher
104
Is Azure Network Watcher regional or global?
Regional
105
True or False, Automatic registration only works for virtual machine network interfaces and only for the primary interface
True
106
True or False, To manage a subdomain in a separate DNS zone, you need to create an PTR record that contains the name servers of the subdomain’s DNS zone.
False, it needs to be a NS record not PTR
107
By default, an NSG will block traffic to the health service, what needs to be enabled to use the health service?
Adding an inbound rule with the GatewayManager service tag
108
True or false, policy-based VPN gateway can only create one tunnel per gateway
True
109
True or False, By default policy-based VPN has an idle timeout of 10 minutes
False, The timeout is 5 minutes
110
What is the difference between Azure Front Door, Azure Front Door Standard, and Azure Front Door Premium?
Azure Front Door is the basic plan, Azure Front Door standard adds increased content deliver and performance, and Azure Front Door Premium adds increased security
111
You can map a maximum of _____ Private Endpoint interfaces to the same Private Link resource
1000
112
Do you need a load balancer for Azure Private Endpoint?
Yes
113
Which SKU/s of load balancer work with private endpoint?
Only Standard
114
In what order are Azure Firewall rules applied?
Threat intelligence>NAT>Network rules>Application>infrastructure rules
115
Which Firewall Manager feature is available only on the secured virtual hub architecture?
Centralized route management
116
True or False: You can implement a single instance of Firewall Manager for all Azure regions and subscriptions.
True
117
What is the first step when you are setting up Azure DDoS Protection?
first step is to associate virtual networks or IP addresses to DDoS Protection
118
Which Azure DDoS Protection service offers DDoS rapid response support?
Azure DDoS Network Protection
119
Is a star topology and hub-and-spoke the same thing?
Yes
120
Is a virtual WAN a star topology?
Yes
121
Is a virtual WAN a spoke and hub topology?
Yes
122
Is a virtual WAN a mesh topology?
No
123
Is NAT mainly for inbound or outbound connections?
Outbound
124
You plan to use Azure Virtual WAN and deploy a virtual WAN hub that meets the following requirements:
Supports 3 Gbps of point-to-site traffic
Minimizes costs.
You need to recommend how many scale units to use.
What should you recommend?
Scale units for VPN are in 500 Mbps increments, so to reach 3 Gbps, 6 units are required.
125
You have an Azure subscription.
You deploy an Azure virtual WAN by using the Basic WAN type.
What should you include in the solution?
Basic virtual WAN only supports a S2S configuration
126
What are the layer 7 rules for Azure Firewall called
Application Rules
127
In a default route what are the first two routes that have the highest priority in order
Expressroute then gateway
128
What is the prefix for local non routable ipv6 addresses
fd
129
How many ip addresses can be assigned to one network interface
256
130
How many S2S VPN connections can each SKU of route-based VPN gateways support?
Basic: 10 connections
VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ: 30 connections
VpnGw4, VpnGw5, VpnGw4AZ, VpnGw5AZ: 100 connections
131
Which Express Route Gateway SKU supports FastPath?
Standard SKU/ERGw1Az FathPath:No Max Number of Circuit Connectionsz:4
High Perf SKU/ERGw2Az FathPath:No Max Number of Circuit Connections:8
Ultra Performance SKU/ErGw3Az FathPath:Yes Max Number of Circuit Connections:16
132
Enabling Direct Server Return (DSR), known in Azure as Floating IP, involves creating what resource
It involves creating a loopback adapter on the virtual machine and assigning the loopback adapter the IP address of the frontend listener. This way, the virtual machines knows where to send the traffic back to for session affinity.
133
If HA ports are required, which SKU/type is needed for Load Balancers
If HA ports are required, which are only supported on internal Azure Standard Load Balancers
134
What do you get when upgrading from Azure Front Door Standard to Premium
Microsoft managed rule set, Bot protection, and Private link connection to origin
135
What is the minimum address space when you use BYOIP?
| In CIDR
/24
136
What is the main benefit of express route local?
Free egress
137
What SKU of expressroute do you need for Microsoft peering?
Premium
138
What SKU of expressroute supports any region in the same geopolitical boundary?
Expressroute standard
139
What SKU gateway is required for fast path?
Ultra performance/ErGw3Az (not high performance, high does not support fastpath)
140
How would you connect two on prem sites with the microsoft backbone via expressroute?
Use expressroute global reach
141
What tool shows NSGs associated with the virtual machines and the Network interfaces. This tool shows the NSGs that are in the flow of the traffic and blocks traffic flow.
Effective security rules
142
What would be an easy way of allowing a Microsoft service such as windows update through the azure firewall
FQDN tag rule
143
A ____ rule allows certain IPs (or all) to have a destination port/ IP.
DNAT
144
What do you get with azure firewall premium vs standard
Premium gives you: TLS inspection, IDPS, URL filtering, Web categories
| URL filtering is full path instead of just the FQDN included in standard
145
What is the key difference between Service Endpoints and NSGs
NSGs are more focused towards traffic in and out of a vnet
Service endpints are required to lock down a service to specific subnets on specific vnets
146
What resource allows you to make a specific subnet known to a specific Azure service and add an optimal path to service
Service Endpoint
147
# True or False
Service Endpoint Policies allow specific instances of services to be allowed from a virtual network which is not possible with NSG service tags
True
148
True or False most services have a native firewall
| Example: A Storage Account
True
149
Do load balancers support auto-registration
no
150
Can you use IPsec for azure p2s VPN?
No, you can use ikev2, sstp, and openvpn
151
ExpressRoute circuits don't map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?
service key (s-key).
152
ExpressRoute circuits don't map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?
service key (s-key).
153
Max. # IPv4 prefixes supported per expressroute private peering
4,000 by default and 10,000 with premium
154
Max. # IPv4 prefixes supported per expressroute Microsoft peering
200
155
Can a NAT gateway span multiple virtual networks?
no
156
Can a NAT gateway be associated to an IPv6 public IP address or IPv6 public IP prefix?
no ipv4 only
157
True or False: A NAT gateway can be deployed in a gateway subnet.
False
| You cannot deploy a NAT gateway in a gateway subnet
158
Can you add network interfaces from different vnets to the same ASG?
No.
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You can't add network interfaces from different virtual networks to the same application security group.
159
What layer is DNS
layer 7
160
Which type of vpn gateway does s2s vpn need when coexisting with expressroute
Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in Connect to multiple policy-based VPN devices.
161
What service enables you to point a private IP to a specific service
| Think pointing an ip to specifically the blob service on a storage acct.
Private Endpoint
162
Can you have multiple private endpoints for the same instance of a service?
Yes
163
Can private enpoints coexist with other resources such as VMs in the same subnet?
Yes
164
Can you have multiple private endpoints in the same subnet?
Yes
165
True or false: A private endpoint can't connect to services that aren't in the same subscription, region, or a AAD Tenant
False, private endpoints can connect to all of those
166
True or false: a private endpoint has to be created in the same region as the vnet it will be put in to
True, the private endpoint and vnet must be in the same region
167
How many subscriptions can be shared by 1 expressroute circuit?
1 expressroute circuit can be part of up to 10 azure subscriptions
168
Does openvpn support ad authentication for a p2s vpn?
Yes
169
What do you need to add when you want a private endpoint for a custom service?
You need to put a standard load balancer in front of the resources or resource that is hosting the custom service and add the private endpoint to the private endpoint service in front of the load balancer
170
What is a local network gateway in Azure?
The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
171
What is the proper url to probe an active/passive gw
https://YourVirtualNetworkGatewayIP:8081/healthprobe
172
What is the proper url to probe an active/active gw
https://YourVirtualNetworkGatewayIP2:8083/healthprobe
173
True or false: The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
True
174
If you manually create a DNS entry and then delete the resource associated with the DNS record, does it also delete the DNS record?
No, only auto-registered DNS records are deleted when a VM is deleted
175
How big are Express Route Scale Units in a virtual WAN?
2 Gbps each
176
How big are Express Route Scale Units in a virtual WAN?
2 Gbps each
177
Do DNS queries from the internet use the public dns or private?
Public
178
When connecting a web application to a vnet in the same region using Regional virtual network integration, what is needed?
An additional subnet specifically for Regional virtual network integration
179
Does an azure firewall need to be in the same region and resource group as a vnet
Yes
180
How many ips would be in a public ip prefix of /28
16 addresses
181
How are the subnet reservations in azure laid out?
They are always laid out in the following way
Example:
192.168.1.**0** This value identifies the virtual network address.
192.168.1.**1** Azure configures this address as the default gateway.
192.168.1.**2** and 192.168.1.**3** Azure maps these Azure DNS IP addresses to the virtual network space.
192.168.1.**255** This value supplies the virtual network broadcast address.
182
When does a dynamic IP address change?
1. In Azure, when a virtual machine is stopped and then restarted.
2. In the guest OS, when a virtual machine is rebooted or stopped.
3. Each time the virtual machine is accessed.
**1.** In Azure, when a virtual machine is stopped and then restarted.
183
What happens to network traffic that doesn't match any NSG rules?
1. It's allowed by default.
2. It's denied by default.
3. It's postponed until the rules change.
2.It's denied by default.
184
When virtual networks are successfully peered, what's the peering status for both virtual networks in the peering?
1. Initiated
2. Connected
3. Peered
2.Connected
185
True or false: You can implement a public(external) or internal load balancer
True
186
