Azure VNets and hybrid networking Flashcards
Capabilities of Vnets
- Communication with the internet
- Communication between Azure resources
- Communication with on-premises resources
- Filtering network traffic
- Routing network traffic
All resources in a VNet can communicate outbound to the internet, by default - True/ False
True - All resources in a VNet can communicate outbound to the internet, by default
Communication between Azure resources - 3 Key Mechanisms
VNets,
VNet service endpoints and
VNet peering
How can inbound internet connectivity be set up for a VNet?
You allow inbound communication to a resource by assigning it a public IP address or placing it behind a public Load Balancer. Whether any inbound traffic then reaches the resource still depends on the NSG rules applied to its NIC or subnet.
You can connect your on-premises computers and networks to a virtual network using any of the following options: 3 options
Point-to-site virtual private network (VPN),
Site-to-site VPN,
Azure ExpressRoute.
You can filter network traffic between subnets using:
- Network security groups (NSGs)
- Network virtual appliances (NVAs), such as firewalls, gateways, proxies and Network Address Translation (NAT) services.
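NSG rules are evaluated by ascending priority, the first match wins, and Azure's default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts at priorities 65000 to 65500) sit underneath whatever you add. The evaluator below is an added example, not code from the original page or from Microsoft; it models that ordering over a constructed rule set. The VNet address space used to expand the VirtualNetwork service tag, the rule names and the sample flows are all assumptions, and the Internet tag is simplified to "anything outside the VNet space".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VNet address space used to expand the VirtualNetwork service tag (constructed).
VNET_SPACE = [ip_network("10.0.0.0/16")]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_SPACE,
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],  # health-probe source address
}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # 100-4096 for custom rules; Azure's defaults sit at 65000 and above
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    remote: str        # source (inbound) / destination (outbound): CIDR, service tag or "*"
    ports: tuple       # destination ports: ("22",), ("80", "443"), ("1024-65535",) or ("*",)


# Default rules Azure appends to every NSG; they cannot be deleted, only overridden by lower priorities.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", ("*",)),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", ("*",)),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", ("*",)),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", ("*",)),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", ("*",)),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", ("*",)),
]


def _remote_matches(remote, ip):
    if remote == "*":
        return True
    addr = ip_address(ip)
    if remote == "Internet":  # simplified: anything outside the VNet address space
        return not any(addr in n for n in VNET_SPACE)
    nets = SERVICE_TAGS.get(remote) or [ip_network(remote)]
    return any(addr in n for n in nets)


def _port_matches(ports, port):
    for p in ports:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")  # "22" or "1024-65535"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(custom_rules, direction, remote_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) of the first matching rule in ascending priority order."""
    rules = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _remote_matches(rule.remote, remote_ip)
                and _port_matches(rule.ports, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: the DenyAll default always matches")


# Constructed example: a web tier that accepts HTTPS from anywhere and SSH only from a jump subnet.
# The explicit Deny at 300 matters: without it, AllowVnetInBound (65000) would admit SSH/RDP
# from every host in the VNet, not just the jump subnet.
WEB_NSG = [
    NsgRule("Allow-SSH-from-jump", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", ("22",)),
    NsgRule("Allow-HTTPS", 200, "Inbound", "Allow", "Tcp", "*", ("443",)),
    NsgRule("Deny-Mgmt-from-VNet", 300, "Inbound", "Deny", "Tcp", "VirtualNetwork", ("22", "3389")),
]

if __name__ == "__main__":
    for ip, port in [("203.0.113.9", 443), ("203.0.113.9", 22), ("10.0.250.5", 22),
                     ("10.0.3.7", 22), ("10.0.3.7", 8080)]:
        print(f"{ip}:{port} ->", evaluate(WEB_NSG, "Inbound", ip, port))
```

The useful check is the fourth flow: SSH from an ordinary VNet host is denied only because of the explicit rule at priority 300; remove it and the flow falls through to AllowVnetInBound.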
Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. To override the default routes that Azure creates you can implement -
Route tables or
Border gateway protocol (BGP)
Design considerations for Az Vnet
- Address space and subnets
- Naming Convention
- Regions and Subscriptions
- Availability Zones
Azure reserves ____ IP addresses within each subnet
5
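The five reserved addresses are the network address, the default gateway (first usable), two addresses held for Azure DNS mapping, and the broadcast address, which is why a /29 leaves only three addresses for resources. The helper below is an added example, not code from the original page or from Microsoft; it lists those addresses for a given CIDR and finds the smallest subnet that still fits a required host count. The IPv4-only restriction and the sample prefixes are assumptions.

```python
from ipaddress import ip_network

AZURE_RESERVED_PER_SUBNET = 5


def azure_subnet_plan(cidr):
    """Describe which addresses Azure reserves in a subnet and how many remain for resources."""
    net = ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper models IPv4 subnets only (assumption)")
    if net.prefixlen > 29:
        raise ValueError(f"{cidr}: Azure does not allow subnets smaller than /29")
    addrs = list(net)  # network address .. broadcast address, inclusive
    reserved = [
        (str(addrs[0]), "network address"),
        (str(addrs[1]), "default gateway"),
        (str(addrs[2]), "Azure DNS mapping"),
        (str(addrs[3]), "Azure DNS mapping"),
        (str(addrs[-1]), "broadcast address"),
    ]
    return {
        "subnet": str(net),
        "total": net.num_addresses,
        "reserved": reserved,
        "usable": net.num_addresses - AZURE_RESERVED_PER_SUBNET,
        "first_usable": str(addrs[4]),
        "last_usable": str(addrs[-2]),
    }


def min_prefix_for(hosts):
    """Longest prefix (smallest subnet) Azure accepts that leaves at least `hosts` usable addresses."""
    for prefixlen in range(29, 7, -1):  # /29 is the smallest subnet Azure accepts
        if 2 ** (32 - prefixlen) - AZURE_RESERVED_PER_SUBNET >= hosts:
            return prefixlen
    raise ValueError("no single subnet can hold that many hosts")


if __name__ == "__main__":
    for cidr in ("10.0.0.0/29", "10.0.0.0/26", "10.0.0.0/24"):
        plan = azure_subnet_plan(cidr)
        print(plan["subnet"], "usable:", plan["usable"], "range:", plan["first_usable"], "-", plan["last_usable"])
    print("60 hosts need a /%d" % min_prefix_for(60))
```

The /26 case is the common planning mistake: 64 addresses sounds like room for 60 VMs, but only 59 are usable, so 60 hosts need a /25.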
A well-chosen name helps you quickly identify the –
- Resource’s type
- Associated workload
- Deployment environment
- Azure region
There are four levels at which you can specify a scope:
Management group,
Subscription,
Resource group, and
Resource.
Scopes are _____, with each level of ______making the scope more specific.
hierarchical; hierarchy
Two subnets, within different virtual networks, can have same name - True/ False
True - Subnets are scoped to Virtual Networks
A resource can be created in a virtual network that exists in the _____ region and subscription as the resource - same/ different
same
Azure Availability Zone
- Azure Availability Zones are unique physical locations within a region.
- Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
- Designed to ensure high-availability of your Azure services, the physical separation of Availability Zones within a region protects applications and data from datacenter failures.
You can add address spaces after creating the virtual network - True/ False
True
A public IP address
- Enables Internet resources to communicate with Azure resources
- Enables Azure resources to communicate outbound with Internet
- Enables Azure resources to communicate with other public-facing Azure services
A public IP address in Azure is not dedicated to a specific resource, until it’s assigned by a network engineer - True/ False
False - A public IP address in Azure is dedicated to a specific resource, until it’s unassigned by a network engineer
A resource without a public IP assigned can communicate outbound through –
network address translation(NAT) services, where Azure dynamically assigns an available IP address that isn’t dedicated to the resource.
Public resources like web servers must be accessible from the internet. You want to ensure that you plan ______that support these requirements.
Public IP addresses
Default outbound IP access for Azure VM
Azure provides a default outbound access IP for Azure Virtual Machines that aren't assigned a public IP address, or that are in the backend pool of an internal Basic Azure Load Balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable, so it cannot be allow-listed reliably or audited; Microsoft has announced that default outbound access will not be available for new virtual networks, so plan an explicit outbound method (NAT gateway, public IP, or load balancer outbound rules).
The default outbound access IP is disabled:
- When a public IP address is assigned to the virtual machine
- When the virtual machine is placed in the backend pool of a Standard Load Balancer, with or without outbound rules
- If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine
Some of the resources you can associate a public IP address resource with:
- Virtual machine network interfaces
- Internet-facing load balancers
- VPN gateways
- Application gateways
- Azure Firewall
The default IP address allocation method is _____: dynamic or static
Dynamic (for the Basic SKU). To ensure that the IP address for the resource remains the same (static), set the allocation method explicitly to static. Standard SKU public IPs are always static.
A static public IP address is released when:
- You delete the resource, or
- You change the IP allocation method to dynamic.
A dynamic public IP address is released when:
- You stop (deallocate) the resource
- You delete the resource
SKUs of Public IP Address
- Basic SKU
- Standard SKU
Public IP Address - Basic SKU vs Standard SKU
- Basic IPs are open by default, so the use of network security groups is recommended for restricting inbound or outbound traffic.
- Standard IPs are secure by default and closed to inbound traffic. You must explicitly allow inbound traffic by using a network security group.
- Basic IPs do not support availability zone scenarios
- Standard IPs are zone-redundant by default
- Microsoft has announced the retirement of the Basic SKU; new deployments should use the Standard SKU.
You can't bring your own public IP addresses from on-premises networks into Azure - True/ False
True, as stated in the original Learn material. Note that Azure has since added custom IP address prefixes (bring your own IP), which let you onboard an IPv4 range you own; the flashcard answer reflects the older behaviour.
Public IP addresses can’t be moved between _____; all IP addresses are _____-specific. Region/Subscription/VNet
Region
If your business needs to have datacenters in different regions, you will have a different public IP address range for each region
Public IP address prefix
- To ensure a static range of public IP addresses
- The advantage of a public IP address prefix is that you can specify firewall rules for these IP addresses with the knowledge that they will not change.
- You can assign the addresses from a public IP address prefix to any resource in Azure that supports public IP addresses.
DNS is split into two areas:
Public, and Private DNS
Integrating on-premises DNS with Azure VNets
Organizations often use an Azure private DNS zone for auto-registration of VMs inside the VNet, and then use a custom configuration to forward queries for external zones to an external DNS server. Forwarding takes two forms:
Forwarding - specifies another DNS server to which a query is sent when the initial server cannot resolve it.
Conditional forwarding - specifies a DNS server for a named zone, so that all queries for that zone are routed to the specified DNS server.
If the DNS server is outside Azure, it cannot reach Azure DNS at 168.63.129.16. In this scenario, set up a DNS resolver inside your VNet, forward queries to it, and have it forward queries to 168.63.129.16 (Azure DNS). You are using forwarding because 168.63.129.16 is a virtual IP that is reachable only from inside an Azure virtual network, and therefore not accessible to external clients.
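The two-hop pattern above (on-premises server → in-VNet resolver → 168.63.129.16) is easiest to see by tracing the path a query takes. The model below is an added example, not code from the original page or from Microsoft: it implements longest-suffix zone matching for conditional forwarders, a default forwarder for everything else, and the rule that 168.63.129.16 answers only servers whose address lies inside the VNet. All server names, addresses, zones and records are constructed; the private-endpoint record for a SQL server is an assumption used to illustrate the Private Link case.

```python
from ipaddress import ip_address, ip_network

AZURE_DNS = "168.63.129.16"  # virtual IP, reachable only from inside an Azure VNet
VNET_SPACE = ip_network("10.0.0.0/16")  # constructed VNet address space


class DnsServer:
    def __init__(self, name, ip, default_forwarder=None):
        self.name, self.ip = name, ip
        self.default_forwarder = default_forwarder  # plain forwarding: used when nothing else matches
        self.conditional = {}                       # zone -> forwarder IP (conditional forwarding)
        self.authoritative = {}                     # zone -> {fqdn: address}

    def add_conditional_forwarder(self, zone, forwarder_ip):
        self.conditional[zone.lower().rstrip(".")] = forwarder_ip

    def add_zone(self, zone, records):
        self.authoritative[zone.lower().rstrip(".")] = {k.lower(): v for k, v in records.items()}

    @staticmethod
    def _zone_for(table, qname):
        """Longest-suffix match: privatelink.database.windows.net wins over windows.net."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in table:
                return zone
        return None


def resolve(servers, start_ip, qname, path=None):
    """Follow forwarders from `start_ip`; return (answer, list of servers visited)."""
    path = [] if path is None else path
    srv = servers[start_ip]
    path.append(srv.name)
    zone = DnsServer._zone_for(srv.authoritative, qname)
    if zone:
        return srv.authoritative[zone].get(qname.lower()), path
    zone = DnsServer._zone_for(srv.conditional, qname)
    nxt = srv.conditional[zone] if zone else srv.default_forwarder
    if nxt is None:
        return None, path
    if nxt == AZURE_DNS and ip_address(srv.ip) not in VNET_SPACE:
        path.append(f"{AZURE_DNS} (unreachable from outside the VNet)")
        return None, path
    return resolve(servers, nxt, qname, path)


def build_lab():
    """Constructed topology: on-prem DNS, in-VNet resolver, Azure DNS, and a public resolver."""
    public = DnsServer("public-resolver", "198.51.100.53")
    public.add_zone("example.com", {"www.example.com": "203.0.113.80"})

    azure = DnsServer("Azure DNS", AZURE_DNS, default_forwarder=public.ip)
    azure.add_zone("corp.internal", {"vm1.corp.internal": "10.0.1.4"})          # auto-registered VM
    azure.add_zone("privatelink.database.windows.net",
                   {"sqlprod.privatelink.database.windows.net": "10.0.2.8"})   # private endpoint (assumed)

    resolver = DnsServer("vnet-resolver", "10.0.0.4", default_forwarder=AZURE_DNS)

    onprem = DnsServer("onprem-dns", "192.168.1.5", default_forwarder=public.ip)
    onprem.add_conditional_forwarder("corp.internal", resolver.ip)
    onprem.add_conditional_forwarder("privatelink.database.windows.net", resolver.ip)

    # Misconfiguration to contrast: forwarding straight at 168.63.129.16 from outside Azure.
    bad_onprem = DnsServer("onprem-dns-misconfigured", "192.168.1.6")
    bad_onprem.add_conditional_forwarder("corp.internal", AZURE_DNS)

    return {s.ip: s for s in (public, azure, resolver, onprem, bad_onprem)}


if __name__ == "__main__":
    lab = build_lab()
    for q in ("vm1.corp.internal", "sqlprod.privatelink.database.windows.net", "www.example.com"):
        print(q, "->", resolve(lab, "192.168.1.5", q))
    print("misconfigured:", resolve(lab, "192.168.1.6", "vm1.corp.internal"))
```

The misconfigured server shows the failure mode the card describes: the forwarder is syntactically fine, but queries never get an answer because 168.63.129.16 is not reachable from on-premises.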
Application owners need to use dynamic IP addresses for specific resources on their VNet. Which SKU must they choose? Basic or Standard or Both
Basic - Standard SKU public IP addresses always use the static allocation method. Basic SKU public IPs can be assigned by using static or dynamic allocation methods.
Network traffic between peered virtual networks is ____public/ private.
private. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure, and no public Internet, gateways, or encryption is required in the communication between the virtual networks.
Connects Azure virtual networks in the same region.
Regional VNet peering
Connects Azure virtual networks in different regions
Global VNet peering
Advantages of Peering
- Low-latency,
- High-bandwidth connection
- Ability to apply network security groups in either virtual network
- Ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions.
Is there a downtime to resources in either virtual network during the creation of peering?
No
When you add a peering on one virtual network, the second virtual network configuration is automatically added - True/ False
True, provided you have permission to create peerings on both virtual networks. Otherwise the peering you create stays in the Initiated state until the owner of the other virtual network adds the matching peering.
Is gateway transit supported for vnet peering? Yes/ No
Yes. Gateway transit is supported for both VNet Peering and Global VNet Peering.
A virtual network can have only ____gateway(s). one/ multiple
one. A virtual network cannot be associated with more than one virtual network gateway of the same type (it can have one VPN gateway and one ExpressRoute gateway coexisting).
Gateway transit _____peered virtual networks to share the gateway and get access to resources. allows/ disallows
allows
When you allow gateway transit, the peered virtual network can reach resources beyond the peering through the shared gateway:
- an on-premises network over a site-to-site VPN
- individual clients over a point-to-site VPN
- another virtual network over a VNet-to-VNet connection
Service chaining =
User-defined route tables that direct traffic from one virtual network to a virtual appliance or virtual network gateway in a peered virtual network (for example, a hub firewall inspecting spoke traffic).
Virtual appliance:
A virtual appliance is a virtual machine that typically runs a network application, such as a firewall.
When you create a route with the virtual appliance hop type, you also specify a next hop IP address. The IP address can be:
- The private IP address of a network interface attached to a virtual machine.
- The private IP address of an Azure internal load balancer.
You can specify the following next hop types when creating a user-defined route:
- Virtual Appliance
- Virtual Network Gateway: The virtual network gateway must be created with type VPN.
- Virtual Network
- Internet
- None: when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.
Virtual network gateway route propagation.
Routes are automatically added to the route table for all subnets with Virtual network gateway propagation enabled. When you are using ExpressRoute, propagation ensures all subnets get the routing information.
Each subnet can have __________number of route table associated to it.
zero or one
The virtual appliance:
- shouldn't have a public IP address, and
- must have IP forwarding enabled on its Azure network interface (and routing/forwarding enabled in the guest OS), otherwise Azure drops packets whose destination is not the NIC's own address.
Forced Tunneling
- Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.
- This is a critical security requirement for most enterprise IT policies.
- If you don’t configure forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from the Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Each virtual network subnet has a built-in, system routing table. The system routing table has the following three groups of routes:
- Local VNet routes: Route directly to the destination VMs in the same virtual network
- On-premises routes: Route to the Azure VPN gateway.
- Default route: Route directly to the Internet.
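Azure picks the effective route for a packet by longest prefix match; when two routes cover the same prefix, a user-defined route beats a BGP or gateway-learned route, which beats a system route. That is how a 0.0.0.0/0 user-defined route implements forced tunneling without deleting the system default route. The simulator below is an added example, not code from the original page or from Microsoft. The VNet address space, the on-premises prefix, the NVA address and the blackholed range are constructed, and treating static gateway routes with the "Gateway" rank between user-defined and system routes is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tie-break for equal prefix length: user-defined > BGP/gateway-learned > system (assumed naming).
ORIGIN_RANK = {"User": 0, "Gateway": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                 # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    origin: str = "System"


def system_routes(vnet_space):
    """Routes Azure creates for every subnet of a VNet that has no peering or gateway."""
    return [
        Route(vnet_space, "VirtualNetwork"),
        Route("0.0.0.0/0", "Internet"),
        # Private and shared address space outside the VNet is dropped by default.
        Route("10.0.0.0/8", "None"),
        Route("172.16.0.0/12", "None"),
        Route("192.168.0.0/16", "None"),
        Route("100.64.0.0/10", "None"),
    ]


def select_route(routes, dest_ip):
    """Longest-prefix match, ties resolved by origin rank (user-defined wins)."""
    dest = ip_address(dest_ip)
    matching = [r for r in routes if dest in ip_network(r.prefix)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ip_network(r.prefix).prefixlen, -ORIGIN_RANK[r.origin]))


def forward(routes, dest_ip):
    """Return ("drop", matched_prefix, None) or ("forward", next_hop_type, next_hop_ip)."""
    route = select_route(routes, dest_ip)
    if route is None or route.next_hop_type == "None":
        return ("drop", route.prefix if route else None, None)
    return ("forward", route.next_hop_type, route.next_hop_ip)


# Constructed topology: VNet 10.1.0.0/16, S2S gateway to on-prem 192.168.10.0/24,
# and a firewall NVA at 10.1.255.4 that all Internet-bound traffic must traverse.
VNET = "10.1.0.0/16"
GATEWAY_ROUTES = [Route("192.168.10.0/24", "VirtualNetworkGateway", origin="Gateway")]
UDR_FORCE_NVA = [
    Route("0.0.0.0/0", "VirtualAppliance", "10.1.255.4", origin="User"),
    Route("203.0.113.0/24", "None", origin="User"),  # explicit blackhole for a known-bad range
]


def effective_routes(with_udr=True):
    return system_routes(VNET) + GATEWAY_ROUTES + (UDR_FORCE_NVA if with_udr else [])


if __name__ == "__main__":
    for dest in ("10.1.2.5", "192.168.10.7", "192.168.50.1", "10.2.0.1", "8.8.8.8", "203.0.113.10"):
        print(dest, "without UDR:", forward(effective_routes(False), dest),
              "with UDR:", forward(effective_routes(True), dest))
```

Two points worth noticing in the output: 8.8.8.8 changes from the Internet next hop to the NVA only because the user-defined 0.0.0.0/0 wins the tie, and 10.2.0.1 (another VNet's range) is dropped by the system 10.0.0.0/8 route even though 0.0.0.0/0 would forward it, because /8 is the longer match.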
Purpose of NAT
- Rather than purchasing an IPv4 address for each resource that requires internet access, you can use a NAT service to map outgoing requests from internal resources to an external IP address, so that communication can take place.
- NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.
- No further configuration is necessary, and you don’t need to create any user-defined routes.
NAT is compatible with the following standard SKU resources:
- Load balancer
- Public IP address
- Public IP prefix
Limitations of NAT
- Basic resources (for example a Basic load balancer) and any products derived from them aren't compatible with NAT
- Only the IPv4 address family is supported.
- NAT can't span multiple virtual networks.
Networks that connect on-premises resources and virtual resources are known as ______networks.
hybrid
One option for connecting an on-premises network to an Azure VNet is a VPN connection.
A VPN is an encrypted tunnel, typically deployed to connect two or more trusted private networks to one another over an untrusted network, usually the public Internet.
VPN gateways support multiple connections, which enable them to route VPN tunnels that use any available bandwidth. True/ False
True. All connections to that VPN gateway share the available network bandwidth.
VPN gateways cannot be used for connections between virtual networks in Azure. True/ False
False. VPN gateways can also be used for connections between virtual networks in Azure
When you’re planning a Vnet gateway, there are three architectures to consider:
- Point to site over the internet
- Site to site over the internet
- Site to site over a dedicated network, such as Azure ExpressRoute
Factors that you need to cover during your planning process include:
- Throughput - Mbps or Gbps
- Backbone - Internet or private?
- Availability of a public (static) IP address
- VPN device compatibility
- Multiple client connections or a site-to-site link?
- VPN gateway type
- Azure VPN Gateway SKU
Types of Vnet Gateways
VPN Gateway (point-to-site and site-to-site) or ExpressRoute Gateway
Types of VPN Gateways
Route based or Policy based.
VPN Gateway - Generation
Generation 1 or Generation 2. You cannot change generations or SKUs across generations.
VPN Gateways require a gateway subnet. You can create a Gateway subnet before you create a VPN gateway, or you can create it during the creation of the VPN Gateway.
- When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings
- Never deploy anything else (for example, additional VMs) to the gateway subnet.
- The gateway subnet must be named GatewaySubnet to work properly. Naming the gateway subnet GatewaySubnet tells Azure that this is the subnet to deploy the virtual network gateway VMs and services to.
- While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if you have the available address space to do so. This will accommodate most configurations.
High availability options for VPN connections
- VPN Gateway redundancy (Active-standby)
- Multiple on-premises VPN devices
- Active-active Azure VPN gateway
- Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
The local network gateway typically refers to the on-premises location.
You give the site a name by which Azure can refer to it, then specify the IP address or FQDN of the on-premises VPN device for the connection.
To configure your VPN device, you will need:
- A shared key. The same shared key that you specify when creating the VPN connection.
- The public IP address of your VPN gateway. The IP address can be new or existing.
Active-standby VPN configuration
- Every Azure VPN gateway consists of two instances in an active-standby configuration.
- For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically and resume the S2S VPN or VNet-to-VNet connections.
- The switch over will cause a brief interruption.
Multiple on-premises VPN devices
- You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple VPN devices from the same on-premises network to Azure, you need to create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.
- BGP is required for this configuration
- ECMP (Equal Cost Multi Path routing) is used to spread traffic across the tunnels
Multiple on-premises VPN devices vs. Active-standby VPN configuration
- In both, the Azure gateway runs in active-standby mode
- Same failover behavior on the Azure side
- The multiple on-premises VPN devices setup additionally guards against failures or interruptions of the on-premises network and VPN devices.
Active-active VPN gateways
- Both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device
- Each Azure gateway instance will have a unique public IP address
- The traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously
Dual-redundancy VPN devices setup
- You create and set up the Azure VPN gateway in an active-active configuration and create two local network gateways and two connections for your two on-premises VPN devices
- The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.
- All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously
- BGP is required to allow the two connections to the same on-premises network.
An Azure VPN gateway is made up of these elements:
- Virtual network gateway
- Local network gateway
- Connection
- Gateway subnet
A _____ VPN gateway connection lets you create a secure connection to your virtual network from another virtual network or a physical network. site-to-site (S2S) or point-to-site (P2S)
site-to-site (S2S)
A ______VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer - site-to-site (S2S) or point-to-site (P2S)
point-to-site (P2S)
Point-to-site authentication methods - 3 methods
- Authenticate using native Azure certificate authentication
- Authenticate using native Azure Active Directory authentication
- Authenticate using Active Directory (AD) Domain Server
For Point-to-site connection using Active Directory (AD) Domain Server authentication, which type of server is required?
Radius server
Azure Virtual WAN
A Virtual WAN is a security delineation; each instance of a Virtual WAN is self-contained in terms of connectivity and hence also provides security isolation.
Each Virtual WAN is implemented as a _____topology,
hub and spoke
Organizations will generally require ___instance(s) of a Virtual WAN. one or multiple
one
Each virtual WAN can have ___ hubs. one or multiple
multiple. All hubs are connected in a full mesh topology in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) transitive connectivity
Virtual WAN SKU
- Basic - Site-to-site VPN only available
- Standard - ExpressRoute, User VPN (P2S), VPN (site-to-site), Inter-hub and VNet-to-VNet transiting through the virtual hub
The minimum address space is _____ to create a hub.
/24
You don’t need to explicitly plan the subnet address space for the services in the virtual hub. True/ False
True. Because Azure Virtual WAN is a managed service, it creates the appropriate subnets in the virtual hub for the different gateways/services (for example, VPN gateways, ExpressRoute gateways, User VPN point-to-site gateways, Firewall, routing, etc.).
A virtual hub can contain ______ gateway(s). one or multiple
multiple gateways. A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall.
Virtual Hub routing - connections. Each connection is associated to one route table.
- VPN connection: Connects a VPN site to a virtual hub VPN gateway.
- ExpressRoute connection: Connects an ExpressRoute circuit to a virtual hub ExpressRoute gateway.
- P2S configuration connection: Connects a User VPN (Point-to-site) configuration to a virtual hub User VPN (Point-to-site) gateway.
- Hub virtual network connection: Connects virtual networks to a virtual hub.
Multiple connections cannot be associated to the same route table. - True or False
False
By default, all connections are associated to a Default route table in a Azure virtual hub. True or False
True. Each virtual hub has its own Default route table, which can be edited to add a static route(s).
Azure Virtual hub route propagation - With which configuration connections, routes are propagated from the virtual hub to the on-premises router using BGP?
a VPN connection, ExpressRoute connection, or P2S configuration connection
Routes can be propagated to one or multiple route tables. True or False
True.
Labels provide a mechanism to logically group route tables.
This is especially helpful during propagation of routes from connections to multiple route tables.
For Standard Virtual WAN customers with pre-existing routes in the virtual hub: you need to first delete them and then create new route tables. True or False
True. If you have pre-existing routes in the Routing section for the hub in the Azure portal, you need to delete them first and then create new route tables. For Basic Virtual WAN customers with pre-existing routes in the virtual hub, you have to delete the route tables and then upgrade your Basic Virtual WAN to Standard Virtual WAN.
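The routing cards above (each connection associated to exactly one route table, routes propagated to one or more tables, labels grouping tables for propagation) combine into the "isolated VNets" pattern: spokes can reach branches but not each other. The model below is an added example, not code from the original page or from Microsoft; it implements association, label-based propagation and longest-prefix lookup in a hub. Propagation is modelled via labels only (the portal also allows propagating to named tables directly), and the route table names, labels, connections and prefixes are constructed.

```python
from ipaddress import ip_network


class VirtualHub:
    """Minimal model of Virtual WAN hub routing: association, propagation and labels."""

    def __init__(self):
        # Every hub has a Default route table carrying the "default" label.
        self.route_tables = {"Default": {"labels": {"default"}}}
        self.connections = {}

    def add_route_table(self, name, labels):
        self.route_tables[name] = {"labels": set(labels)}

    def connect(self, name, kind, prefixes, associated="Default", propagate_labels=("default",)):
        """A connection is associated to exactly one table and propagates to tables matching its labels."""
        if associated not in self.route_tables:
            raise ValueError(f"unknown route table {associated}")
        self.connections[name] = {
            "kind": kind,                            # "VNet", "VPN", "ExpressRoute", "P2S"
            "prefixes": [str(ip_network(p)) for p in prefixes],
            "associated": associated,
            "propagate_labels": set(propagate_labels),
        }

    def routes_in(self, table):
        """Routes a table holds: prefixes from every connection that propagates to one of its labels."""
        labels = self.route_tables[table]["labels"]
        return sorted((p, c["kind"], name)
                      for name, c in self.connections.items()
                      if labels & c["propagate_labels"]
                      for p in c["prefixes"])

    def next_hop(self, from_conn, dest):
        """Lookup for traffic entering the hub from `from_conn`, using its associated route table."""
        table = self.connections[from_conn]["associated"]
        dst = ip_network(dest)
        best = None
        for prefix, kind, name in self.routes_in(table):
            net = ip_network(prefix)
            if dst.subnet_of(net) and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
                best = (prefix, kind, name)
        return best


def isolated_vnets_hub():
    """Constructed topology: VNets talk to branches only, never to each other."""
    hub = VirtualHub()
    hub.add_route_table("RT_VNET", labels={"rt_vnet"})
    # Branch propagates to both labels so both VNets and the Default table learn its prefix.
    hub.connect("branch-vpn", "VPN", ["192.168.0.0/16"],
                associated="Default", propagate_labels=("default", "rt_vnet"))
    # VNets use RT_VNET for lookups but propagate only to "default", so they never see each other.
    hub.connect("vnet1", "VNet", ["10.1.0.0/16"], associated="RT_VNET", propagate_labels=("default",))
    hub.connect("vnet2", "VNet", ["10.2.0.0/16"], associated="RT_VNET", propagate_labels=("default",))
    return hub


if __name__ == "__main__":
    hub = isolated_vnets_hub()
    for table in hub.route_tables:
        print(table, hub.routes_in(table))
    print("vnet1 -> vnet2:", hub.next_hop("vnet1", "10.2.3.4/32"))
    print("vnet1 -> branch:", hub.next_hop("vnet1", "192.168.10.0/24"))
    print("branch -> vnet1:", hub.next_hop("branch-vpn", "10.1.0.0/16"))
```

Change the VNet connections to propagate to ("default", "rt_vnet") and the isolation disappears, which is the check to run before trusting a hub design that relies on route tables rather than a firewall for segmentation.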
NVA (Network Virtual Appliance) - NVAs are deployed directly into a _____ and have an ______-facing public IP address.
Virtual WAN hub; externally
NVA deployment process
- Choose the NVA offer to deploy to the hub
- Azure Marketplace Managed Application - choose deployment settings and aggregate capacity
Once the NVA has been provisioned into the virtual hub, any additional configuration need not be performed via the NVA partners portal or management application. You can access the NVA directly. True or False
False. Once the NVA has been provisioned into the virtual hub, any additional configuration must be performed via the NVA partners portal or management application. You cannot access the NVA directly.
When you create an NVA in the Virtual WAN hub, like all Managed Applications, there will be two Resource Groups created in your subscription.
- Customer Resource Group- Partners can use this to expose whatever customer properties they choose here.
- Managed Resource Group - Customers cannot configure or change resources in this resource group directly, as this is controlled by the publisher of the Managed Application. This Resource Group will contain the NetworkVirtualAppliances resource.
Unlike Azure VPN Gateway configurations, you do not need to create Site resources, Site-to-Site connection resources, or point-to-site connection resources to connect your branch sites to your NVA in the Virtual WAN hub. True or False
True. This is all managed via the NVA partner. You still need to create Hub-to-VNet connections to connect your Virtual WAN hub to your Azure VNets.
An NVA Infrastructure Unit
Is a unit of aggregate bandwidth capacity for an NVA in the Virtual WAN hub.