Azure virtual networking Flashcards

1
Q

What is the purpose of Azure virtual networks and virtual subnets?

A

An Azure virtual network is an extension of your on-premises network, holding resources that link to other Azure resources.

They enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.

2
Q

Azure virtual networks provide the following key networking capabilities:

A

- Isolation and segmentation
- Internet communications
- Communicate between Azure resources
- Communicate with on-premises resources
- Route network traffic
- Filter network traffic
- Connect virtual networks

3
Q

Azure virtual networking supports both public and private endpoints, so that external or internal resources can communicate with other internal resources.

Describe both public and private endpoints.

A

Public endpoints have a public IP address and can be accessed from anywhere in the world.

Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.

4
Q

Azure Virtual Network allows you to create multiple isolated virtual networks.

Describe how.

A

When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges. The IP range only exists within the virtual network and isn’t internet routable. You can divide that IP address space into subnets and allocate part of the defined address space to each named subnet.

For name resolution, you can use the name resolution service built into Azure. You also can configure the virtual network to use either an internal or an external DNS server.

5
Q

How can you enable internet communications with Azure virtual networking?

A

You can enable incoming connections from the internet by assigning a public IP address to an Azure resource, or putting the resource behind a public load balancer.

6
Q

You want to enable Azure resources to communicate securely with each other. You can do that in one of two ways:

A

- Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.

- Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.

7
Q

Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three mechanisms for you to achieve this connectivity:

A

Point-to-site virtual private network connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.

Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.

Azure ExpressRoute provides dedicated private connectivity to Azure that doesn’t travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.

8
Q

By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. You also can control routing and override those settings, as follows:

A

Route tables allow you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.

Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.

9
Q

Azure virtual networks enable you to filter traffic between subnets by using the following approaches:

A

Network security groups are Azure resources that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.

Network virtual appliances are specialized VMs that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.

10
Q

You can link virtual networks together by using virtual network peering.

What is virtual network peering?

A

Peering allows two virtual networks to connect directly to each other. Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions. This feature allows you to create a global interconnected network through Azure.

User-defined routes (UDR) allow you to control the routing tables between subnets within a virtual network or between virtual networks. This allows for greater control over network traffic flow.

11
Q

How does a virtual private network (VPN) work?

A

A virtual private network (VPN) uses an encrypted tunnel within another network. VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet). Traffic is encrypted while travelling over the untrusted network to prevent eavesdropping or other attacks. VPNs can enable networks to safely and securely share sensitive information.

12
Q

What is a VPN gateway and what does it do?

A

A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:

- Connect on-premises data centres to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.

All data transfer is encrypted inside a private tunnel as it crosses the internet. You can deploy only one VPN gateway in each virtual network. However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises data centres.

13
Q

When setting up a VPN gateway, you must specify the type of VPN: either policy-based or route-based.

What is the primary distinction between those two?

A

The primary distinction between these two types is how they determine which traffic needs encryption. In Azure, regardless of the VPN type, the method of authentication employed is a preshared key.

14
Q

What are policy-based VPN gateways?

A

Policy-based VPN gateways statically specify the IP addresses of the packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel through which that packet is sent.

15
Q

What are route-based VPN gateways?

A

In route-based gateways, IPsec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They’re more resilient to topology changes such as the creation of new subnets.

16
Q

When should you use a route-based VPN gateway?

A

Use a route-based VPN gateway if you need any of the following types of connectivity:

Connections between virtual networks
Point-to-site connections
Multisite connections
Coexistence with an Azure ExpressRoute gateway

17
Q

High-availability scenarios
If you’re configuring a VPN to keep your information safe, you also want to be sure that it’s a highly available and fault-tolerant VPN configuration. There are a few ways to maximize the resiliency of your VPN gateway:

A

Active/standby
Active/active
ExpressRoute failover
Zone-redundant gateways

18
Q

Describe the purpose of the active/standby configuration

A

By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention. Connections are interrupted during this failover, but they typically restore within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.

19
Q

Describe the purpose of the active/active configuration

A

With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.

20
Q

Describe the purpose of the ExpressRoute failover

A

Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in. However, they aren’t immune to physical problems that affect the cables delivering connectivity or outages that affect the complete ExpressRoute location. In high-availability scenarios, where there’s risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway that uses the internet as an alternative method of connectivity. In this way, you can ensure there’s always a connection to the virtual networks.

21
Q

Describe the purpose of zone-redundant gateways

A

In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This configuration brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure availability zones physically and logically separates gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. These gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses.

22
Q

What is Azure ExpressRoute?

A

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft Cloud over a private connection, with the help of a connectivity provider.

With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365. This feature lets you connect offices, data centres, or other facilities to the Microsoft cloud. Each location would have its own ExpressRoute circuit.

23
Q

What are the different ways Azure ExpressRoute establishes connections, and how are they beneficial?

A

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don’t go over the public Internet.

This setup allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.

24
Q

There are several benefits to using ExpressRoute as the connection service between Azure and on-premises networks:

A

Connectivity to Microsoft cloud services across all regions in the geopolitical region.
Global connectivity to Microsoft services across all regions with ExpressRoute Global Reach.
Dynamic routing between your network and Microsoft via Border Gateway Protocol (BGP).
Built-in redundancy in every peering location for higher reliability.

25
Q

ExpressRoute enables direct access to the following services in all regions:

A

Microsoft Office 365
Microsoft Dynamics 365
Azure compute services, such as Azure Virtual Machines
Azure cloud services, such as Azure Cosmos DB and Azure Storage

26
Q

How does ExpressRoute allow global connectivity?

A

You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits. For example, say you had an office in Asia and a datacenter in Europe, both with ExpressRoute circuits connecting them to the Microsoft network. You could use ExpressRoute Global Reach to connect those two facilities, allowing them to communicate without transferring data over the public internet.

27
Q

How does ExpressRoute allow for dynamic routing?

A

ExpressRoute uses BGP. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.

28
Q

How does ExpressRoute provide built-in redundancy?

A

Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature.

29
Q

ExpressRoute connectivity models

ExpressRoute supports four models that you can use to connect your on-premises network to the Microsoft cloud:

A

CloudExchange colocation
Point-to-point Ethernet connection
Any-to-any connection
Directly from ExpressRoute sites

30
Q

Describe colocation at a cloud exchange

A

Colocation refers to your datacenter, office, or other facility being physically colocated at a cloud exchange, such as an ISP. If your facility is colocated at a cloud exchange, you can request a virtual cross-connect to the Microsoft cloud.

31
Q

Describe a point-to-point Ethernet connection

A

A point-to-point Ethernet connection refers to using a point-to-point link to connect your facility to the Microsoft cloud.

32
Q

Describe any-to-any networks

A

With any-to-any connectivity, you can integrate your wide area network (WAN) with Azure by providing connections to your offices and datacenters.

Azure integrates with your WAN connection to provide a connection like you would have between your datacenter and any branch offices.

33
Q

Describe the ExpressRoute model: Directly from ExpressRoute sites

A

You can connect directly to Microsoft’s global network at peering locations strategically distributed across the world. ExpressRoute Direct provides dual 100-Gbps or 10-Gbps connectivity, which supports active/active connectivity at scale.

34
Q

What are the security considerations for ExpressRoute?

A

With ExpressRoute, your data doesn’t travel over the public internet, reducing the risks associated with internet communications. ExpressRoute is a private connection from your on-premises infrastructure to your Azure infrastructure. Even if you have an ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent over the public internet.