AZ-700: Networking Flashcards
True or False: Virtual Networks cannot span across different regions or different subscriptions
True
True or False: Virtual Networks span across all availability zones in a region
True
True or False: Broadcast and Multicast are supported in an Azure virtual network
False
True or False: IPv6 is always /64 CIDR in Azure Networking
True
True or False: Subnets cannot span availability zones in a region
False, they span all of them just like the virtual networks
How many IP addresses are “lost” when creating a subnet in Azure
5, you lose 1 to network, 1 to default GW, 2 to DNS, and 1 to broadcast
Where are static IPs configured?
They are configured on a per resource level, not vnet.
Examples: done on the VM under its network interface
True or False: you can bring your own individual public IPs into Azure
False, Azure has its own set of IPs you need a public ip prefix of atleast /24 to bring it into azure
True or False: you can move Azure public IPs across regions
False, Azure IPs are per region
What are the two SKUs for a public IP in Azure and what are the differences
Basic and Standard
Basic -
-Dynamic or Statically assigned
-Open by Default
-No Availability Zone support
Standard-
-Static only
-locked down by default
-Availability Zone support
True or False: Load balancers and Public IPs need to have the same SKU tier
True
What is the name for a contiguous block of public IPs
Public IP Prefix
What is it called when you connect two unique Vnets in the same region
VNET Peering
What is it called when you connect two unique Vnets in different regions
Global Vnet Peering
True or False: you can peer Vnets across different vnet clouds (China, us gov, germany)
False
True or False: 2 unpeered vnets can natively talk if they are peered to the same tertiary vnet
False, vnet peering is not transitive, you would have to peer the two vnets together or have an appliance ( such as a firewall) on the tertiary vnet to route traffic between them
What are the two settings that need to be enable for a peered vnet to use the other peers gateway and what need to be enable on each
Allow gateway transit must be enabled on the “hub” vnet
Use remote gateway must be enabled on the vnet that needs to use the others gateway
Can you use a remote gateway if there is already a gateway in the vnet
no
Can you set the next “hop” in a route table to a different subnet or even network?
Yes
Can you connect 2 vnets together without peering them? How would you do it?
Yes, with route tables or “user defined routing”
What is the IP of Azure DNS
168.63.129.16
What is an inbuilt option in Azure for custom DNS?
Azure private DNS Zone
How many private DNS Zones can one Vnet have for registration?
1
How would you be able to have more than one private dns for a vnet?
you can have one for registration and multiple (up to 1000) for resolution
How many vnets are allowed per private dns zone that use that zone for Auto-registration?
100
How many vnets are allowed per private dns zone that use that zone for resolution?
1000
what are the two primary types of dns records added to an azure public dns zone
host and alias
What is the first thing you create while making a STS VPN vnet?
Gateway subnet
What is needed to configure a point to site VPN that connects to azure ad
Add an enterprise app to azure
When using ExpressRoute all inbound traffic goes through what resource by default?
The ExpressRoute Gateway
What is fastpath?
Fast Path is a way for inbound traffic to bypass the express route gateway and go straight to a resource
Does fast path still require a gateway?
Yes, gateways are still required for things like BGP route propagation and it must be the highest SKU
Does outbound express route traffic pass through the gateway?
No it goes straight to the MSEE
How many vnet links are allowed per expressroute circuit?
10 for standard for all circuit sizes and it can be increased with premium add on
Can you have both microsoft peering and private peering on the same ExpressRoute circuit?
Yes
What is required to make microsoft peering “work” once enabled?
A route filter
What protocol does a route filter use to advertise services?
BGP
With a stardard ExpressRoute SKU what regions can you use?
Any in the same geopolitical region
Ex. North america to north america, asia to asia
With a Premium ExpressRoute SKU what regions can you use?
All regions (Global)
Do you pay based on ingress or egress?
egress
What is another name for a “meet me”
peering point
What ExpressRoute SKU provides local region only
Local SKU
What is a faster alternative than having BGP detect a failure and do failover routing
BFD or Bidirectional Forwarding Detection
What does BFD stand for?
Bi-Directional Forwarding Detection
Is ExpressRoute an encrypted connection?
No
What service would you use to encrypt an ExpressRoute-Direct connection inside the meet me
This is between the customer edge router and the MSEE
MACsec
This is not end to end, this is inside the meet me only
What is an option for encrypting an express route connection
Site to Site VPN
What is the service you would use to connect two sites in different geopolitical regions using expressroute
ExpressRoute Global Reach
What is supported by the basic SKU of Azure Virtual WAN
S2S VPN only
What layer is Azure Load Balancer?
Layer 4
What is 5-Tuple
source IP address/port number, destination IP address/port number and the protocol in use
What are the two types of load balancers
internal and external
What is assigned to the front end of a load balancer
IP Address
What are the two SKUs for a load balancer?
Basic and standard
what is a 3-tuple
src ip
dest ip
protocol
What are two of the load balancing distribution modes
hash based distribution ( Uses 5-tuple hash based distribution by default)
Session persistence - Session persistence is also known session affinity, source IP affinity, or client IP affinity. This distribution mode uses a two-tuple (source IP and destination IP) or three-tuple (source IP, destination IP, and protocol type) hash to route to backend instances. When using session persistence, connections from the same client go to the same backend instance within the backend pool.
What layer is Azure App Gateway?
Layer 7 (HTTP/HTTPS)
Is Azure App Gateway regional or global?
regional
Is Azure Load Balancer regional or global?
Regional
Can the web application firewall have a public ip, private, or both
Pick Two
Public or Both
What layer is Azure Traffic Manager?
Layer 4
Is Azure Traffic Manager regional or global?
Global
What protocol does Azure Traffic Monitor primarily use?
DNS
What is the setting needed for Azure Traffic Manager to work like a load balancer
The performance option will resolve the closest target to the requester favoring latency
True or False: Azure Traffic Manager can resolve to both Azure Endpoints and External Enpoints such as FQDN or IP
True
What is the layer 7, global load balancing solution?
Azure Front Door
How does Azure Front Door provide load balancing
it gives an anycast ip address for all points of presence
What is the name of the tool used to create inbound and outbound security rules for a vnet
Network Security Groups
Is a network security group an edge device
Example: Like a firewall
no
Is a network security group an edge device
Example: Like a firewall
no
Where is a network security group enforced
at the VNET level
Are network security groups regional or global
regional
What does Virtual Network actually mean when it is applied in a nsg rule
It means all know ip space
(this would include peered vnets, S2S VPN, and anything else this virtual network would be “aware” of.)
How does an application security group work in practice? What is it most similar to?
It is a tag you can use when making security rules
What would you use to only allow traffic from one subnet of a vnet into a storage account?
A Service Endpoint: Storage
What is an ip address from the network that represents a single instance of a service
Private endpoint
Can each app in an app service plane have its own private endpoint
yes
What is the minimum network size for Azure Firewall in CIDR
/26
it requires at least 64 addresses
How many policies can be applied to one instance of azure firewall?
1
What are the three types of rules for azure firewall
NAT rules
L4 Network Rules
Application rules (Layer 7)
What is an alias DNS Record called?
CNAME
What is an IPV4 DNS Record called?
A
What is an IPV6 DNS Record called?
AAAA
When configuring global peering, what changes will occur in the peered VNets
A peering entry is added to the routing table in each VNet
Does a VPN gateway subnet need to be named GatewaySubnet?
Yes
Is it okay to deploy other resources such as VMs in the gateway subnet?
No!!!
What are the two things required for your on site VPN device to connect to the Azure VPN Gateway?
Shared Key and Public Ip of the Azure VPN Gateway
What is the minimum address space to deploy a hub in azure
/24
What does all traffic pass through in an azure virtual wan?
Hub gateway
Can you use Virtual WAN to connect a VNet to a virtual hub in a different tenant?
Yes
Where are NVAs deployed to in a virtual WAN?
Inside the Virtual WAN Hub
How does the application gateway probe the health of something in its backend pool?
a HTTP GET request
What is the frequency that azure application gateway probes for health?
30 seconds
By default, an HTTP(S) response with status code between ___ and ___ is considered healthy for a probe.
200 and 399
Front Door route rules determine whether the incoming request matches the routing rule and route traffic accordingly. What properties are matched?
HTTP protocols (HTTP/HTTPS), Hosts, and Paths.
Which tool in Azure automatically collects, analyzes, and integrates log data from your Azure resources?
Microsoft Defender for Cloud
If there is an NSG on the NIC and an NSG on the subent, what one gets processed first?
The one on the NIC
Filtering of which direction of traffic does Azure Firewall support?
Inbound and Outbound
What are the two modes that a WAF policy can use?
WAF policy can either be in Prevention mode or Detection mode.
What are the two types of custom rule in a WAF policy?
Match rules and rate limit rules.
To enable a Service Endpoint, you must do two things
Turn off public access to the service.
Add the Service Endpoint to a virtual network.
What resource is associated with a Private Endpoint that contains the information to configure your Private Endpoint DNS?
The network interface
What service allows you to view Network Topology, Next Hop, Verify IP Flow, Packet Captures, NSG Flow Logs, and more.
Azure Network Watcher
Is Azure Network Watcher regional or global?
Regional
True or False, Automatic registration only works for virtual machine network interfaces and only for the primary interface
True
True or False, To manage a subdomain in a separate DNS zone, you need to create an PTR record that contains the name servers of the subdomain’s DNS zone.
False, it needs to be a NS record not PTR
By default, an NSG will block traffic to the health service, what needs to be enabled to use the health service?
Adding an inbound rule with the GatewayManager service tag
True or false, policy-based VPN gateway can only create one tunnel per gateway
True
True or False, By default policy-based VPN has an idle timeout of 10 minutes
False, The timeout is 5 minutes
What is the difference between Azure Front Door, Azure Front Door Standard, and Azure Front Door Premium?
Azure Front Door is the basic plan, Azure Front Door standard adds increased content deliver and performance, and Azure Front Door Premium adds increased security
You can map a maximum of _____ Private Endpoint interfaces to the same Private Link resource
1000
Do you need a load balancer for Azure Private Endpoint?
Yes
Which SKU/s of load balancer work with private endpoint?
Only Standard
In what order are Azure Firewall rules applied?
Threat intelligence>NAT>Network rules>Application>infrastructure rules
Which Firewall Manager feature is available only on the secured virtual hub architecture?
Centralized route management
True or False: You can implement a single instance of Firewall Manager for all Azure regions and subscriptions.
True
What is the first step when you are setting up Azure DDoS Protection?
first step is to associate virtual networks or IP addresses to DDoS Protection
Which Azure DDoS Protection service offers DDoS rapid response support?
Azure DDoS Network Protection
Is a star topology and hub-and-spoke the same thing?
Yes
Is a virtual WAN a star topology?
Yes
Is a virtual WAN a spoke and hub topology?
Yes
Is a virtual WAN a mesh topology?
No
Is NAT mainly for inbound or outbound connections?
Outbound
You plan to use Azure Virtual WAN and deploy a virtual WAN hub that meets the following requirements:
Supports 3 Gbps of point-to-site traffic
Minimizes costs.
You need to recommend how many scale units to use.
What should you recommend?
Scale units for VPN are in 500 Mbps increments, so to reach 3 Gbps, 6 units are required.
You have an Azure subscription.
You deploy an Azure virtual WAN by using the Basic WAN type.
What should you include in the solution?
Basic virtual WAN only supports a S2S configuration
What are the layer 7 rules for Azure Firewall called
Application Rules
In a default route what are the first two routes that have the highest priority in order
Expressroute then gateway
What is the prefix for local non routable ipv6 addresses
fd
How many ip addresses can be assigned to one network interface
256
How many S2S VPN connections can each SKU of route-based VPN gateways support?
Basic: 10 connections
VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ: 30 connections
VpnGw4, VpnGw5, VpnGw4AZ, VpnGw5AZ: 100 connections
Which Express Route Gateway SKU supports FastPath?
Standard SKU/ERGw1Az FathPath:No Max Number of Circuit Connectionsz:4
High Perf SKU/ERGw2Az FathPath:No Max Number of Circuit Connections:8
Ultra Performance SKU/ErGw3Az FathPath:Yes Max Number of Circuit Connections:16
Enabling Direct Server Return (DSR), known in Azure as Floating IP, involves creating what resource
It involves creating a loopback adapter on the virtual machine and assigning the loopback adapter the IP address of the frontend listener. This way, the virtual machines knows where to send the traffic back to for session affinity.
If HA ports are required, which SKU/type is needed for Load Balancers
If HA ports are required, which are only supported on internal Azure Standard Load Balancers
What do you get when upgrading from Azure Front Door Standard to Premium
Microsoft managed rule set, Bot protection, and Private link connection to origin
What is the minimum address space when you use BYOIP?
In CIDR
/24
What is the main benefit of express route local?
Free egress
What SKU of expressroute do you need for Microsoft peering?
Premium
What SKU of expressroute supports any region in the same geopolitical boundary?
Expressroute standard
What SKU gateway is required for fast path?
Ultra performance/ErGw3Az (not high performance, high does not support fastpath)
How would you connect two on prem sites with the microsoft backbone via expressroute?
Use expressroute global reach
What tool shows NSGs associated with the virtual machines and the Network interfaces. This tool shows the NSGs that are in the flow of the traffic and blocks traffic flow.
Effective security rules
What would be an easy way of allowing a Microsoft service such as windows update through the azure firewall
FQDN tag rule
A ____ rule allows certain IPs (or all) to have a destination port/ IP.
DNAT
What do you get with azure firewall premium vs standard
Premium gives you: TLS inspection, IDPS, URL filtering, Web categories
URL filtering is full path instead of just the FQDN included in standard
What is the key difference between Service Endpoints and NSGs
NSGs are more focused towards traffic in and out of a vnet
Service endpints are required to lock down a service to specific subnets on specific vnets
What resource allows you to make a specific subnet known to a specific Azure service and add an optimal path to service
Service Endpoint
True or False
Service Endpoint Policies allow specific instances of services to be allowed from a virtual network which is not possible with NSG service tags
True
True or False most services have a native firewall
Example: A Storage Account
True
Do load balancers support auto-registration
no
Can you use IPsec for azure p2s VPN?
No, you can use ikev2, sstp, and openvpn
ExpressRoute circuits don’t map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?
service key (s-key).
ExpressRoute circuits don’t map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?
service key (s-key).
Max. # IPv4 prefixes supported per expressroute private peering
4,000 by default and 10,000 with premium
Max. # IPv4 prefixes supported per expressroute Microsoft peering
200
Can a NAT gateway span multiple virtual networks?
no
Can a NAT gateway be associated to an IPv6 public IP address or IPv6 public IP prefix?
no ipv4 only
True or False: A NAT gateway can be deployed in a gateway subnet.
False
You cannot deploy a NAT gateway in a gateway subnet
Can you add network interfaces from different vnets to the same ASG?
No.
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You can’t add network interfaces from different virtual networks to the same application security group.
What layer is DNS
layer 7
Which type of vpn gateway does s2s vpn need when coexisting with expressroute
Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for ‘policy-based traffic selectors’ as described in Connect to multiple policy-based VPN devices.
What service enables you to point a private IP to a specific service
Think pointing an ip to specifically the blob service on a storage acct.
Private Endpoint
Can you have multiple private endpoints for the same instance of a service?
Yes
Can private enpoints coexist with other resources such as VMs in the same subnet?
Yes
Can you have multiple private endpoints in the same subnet?
Yes
True or false: A private endpoint can’t connect to services that aren’t in the same subscription, region, or a AAD Tenant
False, private endpoints can connect to all of those
True or false: a private endpoint has to be created in the same region as the vnet it will be put in to
True, the private endpoint and vnet must be in the same region
How many subscriptions can be shared by 1 expressroute circuit?
1 expressroute circuit can be part of up to 10 azure subscriptions
Does openvpn support ad authentication for a p2s vpn?
Yes
What do you need to add when you want a private endpoint for a custom service?
You need to put a standard load balancer in front of the resources or resource that is hosting the custom service and add the private endpoint to the private endpoint service in front of the load balancer
What is a local network gateway in Azure?
The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you’ll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
What is the proper url to probe an active/passive gw
https://YourVirtualNetworkGatewayIP:8081/healthprobe
What is the proper url to probe an active/active gw
https://YourVirtualNetworkGatewayIP2:8083/healthprobe
True or false: The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
True
If you manually create a DNS entry and then delete the resource associated with the DNS record, does it also delete the DNS record?
No, only auto-registered DNS records are deleted when a VM is deleted
How big are Express Route Scale Units in a virtual WAN?
2 Gbps each
How big are Express Route Scale Units in a virtual WAN?
2 Gbps each
Do DNS queries from the internet use the public dns or private?
Public
When connecting a web application to a vnet in the same region using Regional virtual network integration, what is needed?
An additional subnet specifically for Regional virtual network integration
Does an azure firewall need to be in the same region and resource group as a vnet
Yes
How many ips would be in a public ip prefix of /28
16 addresses
How are the subnet reservations in azure laid out?
They are always laid out in the following way
Example:
192.168.1.0 This value identifies the virtual network address.
192.168.1.1 Azure configures this address as the default gateway.
192.168.1.2 and 192.168.1.3 Azure maps these Azure DNS IP addresses to the virtual network space.
192.168.1.255 This value supplies the virtual network broadcast address.
When does a dynamic IP address change?
- In Azure, when a virtual machine is stopped and then restarted.
- In the guest OS, when a virtual machine is rebooted or stopped.
- Each time the virtual machine is accessed.
1. In Azure, when a virtual machine is stopped and then restarted.
What happens to network traffic that doesn’t match any NSG rules?
1. It’s allowed by default.
2. It’s denied by default.
3. It’s postponed until the rules change.
2.It’s denied by default.
When virtual networks are successfully peered, what’s the peering status for both virtual networks in the peering?
- Initiated
- Connected
- Peered
2.Connected
True or false: You can implement a public(external) or internal load balancer
True
