Azure VNets and hybrid networking

Question 1

Capabilities of Vnets

Answer 1

Communication with internet
Communication between Az resources
Communication between on premise resources
Filtering network traffic
Routing network traffic

Question 2

All resources in a VNet can communicate outbound to the internet, by default - True/ False

Answer 2

True - All resources in a VNet can communicate outbound to the internet, by default

Question 3

Communication between Azure resources - 3 Key Mechanisms

Answer 3

VNets,
VNet service endpoints and
VNet peering

Question 4

How can an inbound internet connectivity be set up for a vnet?

Answer 4

You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer.

Question 5

You can connect your on-premises computers and networks to a virtual network using any of the following options: 3 options

Answer 5

Point-to-site virtual private network (VPN),
Site-to-site VPN,
Azure ExpressRoute.

Question 6

You can filter network traffic between subnets using –

Answer 6

1. NSGs

2. NVAs - network virtual appliances like firewalls, gateways, proxies, and Network Address Translation (NAT) services.

Question 7

Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. To override the default routes that Azure creates you can implement -

Answer 7

Route tables or

Border gateway protocol (BGP)

Question 8

Design considerations for Az Vnet

Answer 8

1. Address space and subnets
2. Naming Convention
3. Regions and Subscriptions
4. Availability Zones

Question 9

Azure reserves ____ IP addresses within each subnet

Answer 9

5

Question 10

A well-chosen name helps you quickly identify the –

Answer 10

1. Resource’s type
2. Associated workload
3. Deployment environment
4. Azure region

Question 11

There are four levels you can specify a scope:

Answer 11

Management group,
Subscription,
Resource group, and
Resource.

Question 12

Scopes are _____, with each level of ______making the scope more specific.

Answer 12

hierarchical; hierarchy

Question 13

Two subnets, within different virtual networks, can have same name - True/ False

Answer 13

True - Subnets are scoped to Virtual Networks

Question 14

A resource can be created in a virtual network that exists in the _____ region and subscription as the resource - same/ different

Answer 14

same

Question 15

Azure Availability Zone

Answer 15

1. Azure Availability Zone enables you to define unique physical locations within a region.
2. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
3. Designed to ensure high-availability of your Azure services, the physical separation of Availability Zones within a region protects applications and data from datacenter failures.

Question 16

You can add address spaces after creating the virtual network - True/ False

Answer 16

True

Question 17

A public IP address

Answer 17

1. Enables Internet resources to communicate with Azure resources
2. Enables Azure resources to communicate outbound with Internet
3. Enables Azure resources to communicate with other public-facing Azure services

Question 18

A public IP address in Azure is not dedicated to a specific resource, until it’s assigned by a network engineer - True/ False

Answer 18

False - A public IP address in Azure is dedicated to a specific resource, until it’s unassigned by a network engineer

Question 19

A resource without a public IP assigned can communicate outbound through –

Answer 19

network address translation(NAT) services, where Azure dynamically assigns an available IP address that isn’t dedicated to the resource.

Question 20

Public resources like web servers must be accessible from the internet. You want to ensure that you plan ______that support these requirements.

Answer 20

Public IP addresses

Question 21

Default outbound IP access for Azure VM

Answer 21

Azure provides an default outbound access IP for Azure Virtual Machines which aren’t assigned a public IP address, or are in the backend pool of an internal Basic Azure Load Balancer. The default outbound access IP mechanism provides an outbound IP address that isn’t configurable.

Question 22

The default outbound access IP is disabled –

Answer 22

1. When a public IP address is assigned to the virtual machine
2. When the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound rules
3. If a Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine

Question 23

Some of the resources you can associate a public IP address resource with:

Answer 23

1. Virtual machine network interfaces
2. Internet-facing load balancers
3. VPN gateways
4. Application gateways
5. Azure Firewall

Question 24

The default ip address allocation method is_____: dynamic or static

Answer 24

Dynamic. To ensure that the IP address for the resource remains the same (or static), one has to set the allocation method explicitly to static.

Question 25

A static public ip address is released when –

Answer 25

1. You delete the resource or

2. Change the IP allocation method to dynamic.

Question 26

A dynamic public ip address is released when –

Answer 26

1. You stop the resource

2. You delete the resource

Question 27

SKUs of Public IP Address

Answer 27

1. Basic SKU

2. Standard SKU

Question 28

Public IP Address - Basic SKU vs Standard SKU

Answer 28

1. Basic IPs are open by default, so the use of Network security groups is recommended for restricting inbound or outbound traffic.
2. Standard IPs are secure by default and closed to inbound traffic. You must explicitly allow inbound traffic by using a network security group.
3. Basic IPs do not support availability zone scenarios
4. Standard IPs are zone-redundant by default

Question 29

You can’t bring your own public IP addresses from on-premises networks into Azure - True/ False

Answer 29

True

Question 30

Public IP addresses can’t be moved between _____; all IP addresses are _____-specific. Region/Subscription/VNet

Answer 30

Region
If your business needs to have datacenters in different regions, you will have a different public IP address range for each region

Question 31

Public IP address prefix

Answer 31

1. To ensure a static range of public IP addresses
2. The advantage of a public IP address prefix is that you can specify firewall rules for these IP addresses with the knowledge that they will not change.
3. You can assign the addresses from a public IP address prefix to any resource in Azure that supports public IP addresses.

Question 32

DNS is split into two areas:

Answer 32

Public, and Private DNS

Question 33

Integrating on-premises DNS with Azure VNets

Answer 33

Forwarding takes two forms:

Organizations often use an internal Azure private DNS zone for auto registration, and then use a custom configuration to forward queries from external zones to an external DNS server. Forwarding takes two forms
Forwarding - specifies another DNS server (SOA for a zone) to resolve the query if the initial server cannot.

Conditional forwarding - specifies a DNS server for a named zone, so that all queries for that zone are routed to the specified DNS server.

If the DNS server is outside Azure, it doesn’t have access to Azure DNS on 168.63.129.16. In this scenario, setup a DNS resolver inside your VNet, forward queries to it, and then have it forward queries to 168.63.129.16 (Azure DNS). Essentially, you’re using forwarding because 168.63.129.16 is not routable, and therefore not accessible to external clients.

Question 34

Application owners need to use dynamic IP addresses for specific resources on their VNet. Which SKU must they choose? Basic or Standard or Both

Answer 34

Basic - Standard SKU public IP addresses always use the static allocation method. Basic SKU public IPs can be assigned by using static or dynamic allocation methods.

Question 35

Network traffic between peered virtual networks is ____public/ private.

Answer 35

private. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure, and no public Internet, gateways, or encryption is required in the communication between the virtual networks.

Question 36

Connects Azure virtual networks in the same region.

Answer 36

Regional VNet peering

Question 37

Connects Azure virtual networks in different regions

Answer 37

Global VNet peering

Question 38

Advantages of Peering

Answer 38

1. Low-latency,
2. High-bandwidth connection
3. Ability to apply network security groups in either virtual network
4. Ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions.

Question 39

Is there a downtime to resources in either virtual network during the creation of peering?

Answer 39

No

Question 40

When you add a peering on one virtual network, the second virtual network configuration is automatically added - True/ False

Answer 40

True

Question 41

Is gateway transit supported for vnet peering? Yes/ No

Answer 41

Yes. Gateway transit is supported for both VNet Peering and Global VNet Peering.

Question 42

A virtual network can have only ____gateway(s). one/ multiple

Answer 42

one. A virtual network cannot be associated with more than one gateway.

Question 43

Gateway transit _____peered virtual networks to share the gateway and get access to resources. allows/ disallows

Answer 43

allows

Question 44

When you Allow Gateway Transit the virtual network can communicate to resources outside the peering.

Answer 44

Site-to-site vpn to connect on premise
point-to-site vpn to connect to a client
vnet-to-vnet

Question 45

Service Chaining =

Answer 45

User Defined Route tables

Question 46

Virtual appliance:

Answer 46

A virtual appliance is a virtual machine that typically runs a network application, such as a firewall.

Question 47

When you create a route with the virtual appliance hop type, you also specify a next hop IP address. The IP address can be:

Answer 47

1. The private IP address of a network interface attached to a virtual machine.
2. The private IP address of an Azure internal load balancer.

Question 48

You can specify the following next hop types when creating a user-defined route:

Answer 48

1. Virtual Appliance
2. Virtual Network Gateway: The virtual network gateway must be created with type VPN.
3. Virtual Network
4. Internet
5. None: when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.

Question 49

Virtual network gateway route propagation.

Answer 49

Routes are automatically added to the route table for all subnets with Virtual network gateway propagation enabled. When you are using ExpressRoute, propagation ensures all subnets get the routing information.

Question 50

Each subnet can have __________number of route table associated to it.

Answer 50

zero or one

Question 51

The virtual appliance

Answer 51

1. shouldn’t have a public IP address and

2. IP forwarding should be enabled.

Question 52

Forced Tunelling

Answer 52

1. Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.
2. This is a critical security requirement for most enterprise IT policies.
3. If you don’t configure forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from the Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.

Question 53

Each virtual network subnet has a built-in, system routing table. The system routing table has the following three groups of routes:

Answer 53

1. Local VNet routes: Route directly to the destination VMs in the same virtual network
2. On-premises routes: Route to the Azure VPN gateway.
3. Default route: Route directly to the Internet.

Question 54

Purpose of NAT

Answer 54

1. Rather than purchasing an IPv4 address for each resource that requires internet access, you can use a NAT service to map outgoing requests from internal resources to an external IP address, so that communication can take place.
2. NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.
3. No further configuration is necessary, and you don’t need to create any user-defined routes.

Question 55

NAT is compatible with the following standard SKU resources:

Answer 55

1. Load balancer
2. Public IP address
3. Public IP prefix

Question 56

Limitations of NAT

Answer 56

1. Basic resources (for example basic load balancer) and any products derived from them aren’t compatible with NAT
2. IPv4 address family is supported.
3. NAT can’t span multiple virtual networks.

Question 57

Networks that connect on-premises resources and virtual resources are known as ______networks.

Answer 57

hybrid

Question 58

One option for connecting an on-premises network to an Azure VNET is a VPN connection.

Answer 58

They are encrypted tunnel, typically deployed to connect two or more trusted private networks to one another over an untrusted network, usually the public Internet.

Question 59

VPN gateways support multiple connections, which enable them to route VPN tunnels that use any available bandwidth. True/ False

Answer 59

True. All connections to that VPN gateway share the available network bandwidth.

Question 60

VPN gateways cannot be used for connections between virtual networks in Azure. True/ False

Answer 60

False. VPN gateways can also be used for connections between virtual networks in Azure

Question 61

When you’re planning a Vnet gateway, there are three architectures to consider:

Answer 61

1. Point to site over the internet
2. Site to site over the internet
3. Site to site over a dedicated network, such as Azure ExpressRoute

Question 62

Factors that you need to cover during your planning process include:

Answer 62

1. Throughput - Mbps or Gbps
2. Backbone - Internet or private?
3. Availability of a public (static) IP address
4. VPN device compatibility
5. Multiple client connections or a site-to-site link?
6. VPN gateway type
7. Azure VPN Gateway SKU

Question 63

Types of Vnet Gateways

Answer 63

VPN Gateway (point-to-site and site-to-site) or ExpressRoute Gateway

Question 64

Types of VPN Gateways

Answer 64

Route based or Policy based.

Question 65

VPN Gateway - Generation

Answer 65

Generation 1 or Generation 2. You cannot change generations or SKUs across generations.

Question 66

VPN Gateways require a gateway subnet. You can create a Gateway subnet before you create a VPN gateway, or you can create it during the creation of the VPN Gateway.

Answer 66

1. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings
2. Never deploy anything else (for example, additional VMs) to the gateway subnet.
3. The gateway subnet must be named GatewaySubnet to work properly. Naming the gateway subnet GatewaySubnet tells Azure know that this is the subnet to deploy the virtual network gateway VMs and services to.
4. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if you have the available address space to do so. This will accommodate most configurations.

Question 67

High availability options for VPN connections

Answer 67

1. VPN Gateway redundancy (Active-standby)
2. Multiple on-premises VPN devices
3. Active-active Azure VPN gateway
4. Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

Question 68

The local network gateway typically refers to the on-premises location.

Answer 68

You give the site a name by which Azure can refer to it, then specify the IP address or FQDN of the on-premises VPN device for the connection.

Question 69

To configure your VPN device, you will need:

Answer 69

1. A shared key. The same shared key that you specify when creating the VPN connection.
2. The public IP address of your VPN gateway. The IP address can be new or existing.

Question 70

Active-standby VPN configuration

Answer 70

1. Every Azure VPN gateway consists of two instances in an active-standby configuration.
2. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically and resume the S2S VPN or VNet-to-VNet connections.
3. The switch over will cause a brief interruption.

Question 71

Multiple on-premises VPN devices

Answer 71

1. You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple VPN devices from the same on-premises network to Azure, you need to create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.
2. BGP is required for this configuration
3. ECMP (Equal Cost Multi Path routing) is required

Question 72

Multiple on-premises VPN devices vs. Active-standby VPN configuration

Answer 72

1. Both are Active- standby modes
2. Same failover behavior
3. Multiple on-prem VPN devices setup setup guards against failures or interruptions on-premises network and VPN devices.

Question 73

Active-active VPN gateways

Answer 73

1. Both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device
2. Each Azure gateway instance will have a unique public IP address
3. The traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously

Question 74

Dual-redundancy VPN devices setup

Answer 74

1. You create and set up the Azure VPN gateway in an active-active configuration and create two local network gateways and two connections for your two on-premises VPN devices
2. The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.
3. All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously
4. BGP is required to allow the two connections to the same on-premises network.

Question 75

An Azure VPN gateway is made up of these elements:

Answer 75

1. Virtual network gateway
2. Local network gateway
3. Connection
4. Gateway subnet

Question 76

A _____ VPN gateway connection lets you create a secure connection to your virtual network from another virtual network or a physical network. site-to-site (S2S) or point-to-site (P2S)

Answer 76

site-to-site (S2S)

Question 77

A ______VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer - site-to-site (S2S) or point-to-site (P2S)

Answer 77

point-to-site (P2S)

Question 78

Point-to-site authentication methods - 3 methods

Answer 78

1. Authenticate using native Azure certificate authentication
2. Authenticate using native Azure Active Directory authentication
3. Authenticate using Active Directory (AD) Domain Server

Question 79

For Point-to-site connection using Active Directory (AD) Domain Server authentication, which type of server is required?

Answer 79

Radius server

Question 80

Azure Virtual WAN

Answer 80

A Virtual WAN is a security delineation; each instance of a Virtual WAN is self-contained in terms of connectivity and hence also provides security isolation.

Question 81

Each Virtual WAN is implemented as a _____topology,

Answer 81

hub and spoke

Question 82

Organizations will generally require ___instance(s) of a Virtual WAN. one or multiple

Answer 82

one

Question 83

Each virtual WAN can have ___ hubs. one or multiple

Answer 83

multiple. All hubs are connected in a full mesh topology in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) transitive connectivity

Question 84

Virtual WAN SKU

Answer 84

1. Basic - Site-to-site VPN only available
2. Standard - ExpressRoute, User VPN (P2S), VPN (site-to-site), Inter-hub and VNet-to-VNet transiting through the virtual hub

Question 85

The minimum address space is _____ to create a hub.

Answer 85

/24

Question 86

You don’t need to explicitly plan the subnet address space for the services in the virtual hub. True/ False

Answer 86

True. Because Azure Virtual WAN is a managed service, it creates the appropriate subnets in the virtual hub for the different gateways/services (for example, VPN gateways, ExpressRoute gateways, User VPN point-to-site gateways, Firewall, routing, etc.).

Question 87

A virtual hub can contain ______ gateway(s). one or multiple

Answer 87

multiple gateways. A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall.

Question 88

Virtual Hub routing - connections. Each connection is associated to one route table.

Answer 88

1. VPN connection: Connects a VPN site to a virtual hub VPN gateway.
2. ExpressRoute connection: Connects an ExpressRoute circuit to a virtual hub ExpressRoute gateway.
3. P2S configuration connection: Connects a User VPN (Point-to-site) configuration to a virtual hub User VPN (Point-to-site) gateway.
4. Hub virtual network connection: Connects virtual networks to a virtual hub.

Question 89

Multiple connections cannot be associated to the same route table. - True or False

Answer 89

False

Question 90

By default, all connections are associated to a Default route table in a Azure virtual hub. True or False

Answer 90

True. Each virtual hub has its own Default route table, which can be edited to add a static route(s).

Question 91

Azure Virtual hub route propagation - With which configuration connections, routes are propagated from the virtual hub to the on-premises router using BGP?

Answer 91

a VPN connection, ExpressRoute connection, or P2S configuration connection

Question 92

Routes can be propagated to one or multiple route tables. True or False

Answer 92

True.

Question 93

Labels provide a mechanism to logically group route tables.

Answer 93

This is especially helpful during propagation of routes from connections to multiple route tables.

Question 94

For Standard Virtual WAN Customers with pre-existing routes in virtual hub: you will need to first delete them and then attempt creating new route tables. True or False

Answer 94

True. If you have pre-existing routes in Routing section for the hub in Azure portal, you will need to first delete them, and then create new route tables. In case of Basic Virtual WAN Customers with pre-existing routes in virtual hub, you have to delete the rote tables and then upgrade your Basic Virtual WAN to Standard Virtual WAN.

Question 95

NVA - Network Virtual Appliance- NVAs are deployed directly into a _____ and have an ______facing public IP address.

Answer 95

Virtual WAN hub; externally

Question 96

NVA deployment process

Answer 96

1. Choose the NVA offer to deploy to hub

2. Azure Marketplace Managed Application - Choose deployment settings and aggregate capacity

Question 97

Once the NVA has been provisioned into the virtual hub, any additional configuration need not be performed via the NVA partners portal or management application. You can access the NVA directly. True or False

Answer 97

False. Once the NVA has been provisioned into the virtual hub, any additional configuration must be performed via the NVA partners portal or management application. You cannot access the NVA directly.

Question 98

When you create an NVA in the Virtual WAN hub, like all Managed Applications, there will be two Resource Groups created in your subscription.

Answer 98

1. Customer Resource Group- Partners can use this to expose whatever customer properties they choose here.
2. Managed Resource Group - Customers cannot configure or change resources in this resource group directly, as this is controlled by the publisher of the Managed Application. This Resource Group will contain the NetworkVirtualAppliances resource.

Question 99

Unlike Azure VPN Gateway configurations, you do not need to create Site resources, Site-to-Site connection resources, or point-to-site connection resources to connect your branch sites to your NVA in the Virtual WAN hub. True or False

Answer 99

True. This is all managed via the NVA partner. You still need to create Hub-to-VNet connections to connect your Virtual WAN hub to your Azure VNets.

Question 100

An NVA Infrastructure Unit

Answer 100

Is a unit of aggregate bandwidth capacity for an NVA in the Virtual WAN hub.