Design & Implement Hybrid Networking Flashcards
What is a VPN Gateway?
An Azure VPN gateway is a specific type of virtual network gateway that is used to send and receive encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
What is a virtual network gateway?
A virtual network gateway is composed of two or more special VMs that are deployed to a specific subnet called the gateway subnet. Virtual network gateway VMs host routing tables and run specific gateway services.
What 3 architectures must you consider when planning your VPN-GW?
- Point to site over the internet
- Site to site over the internet
- Site to site over a dedicated network, such as Azure ExpressRoute
What planning factors must be considered when planning for a VPN-GW?
- Throughput - Mbps or Gbps
- Backbone - Internet or private?
- Availability of a public (static) IP address
- VPN device compatibility
- Multiple client connections or a site-to-site link?
- VPN gateway type
- Azure VPN Gateway SKU
What is the max throughput for a single tunnel?
1 Gbps
How is the Aggregated Throughput calculated?
The Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have numerous P2S connections, they can negatively impact an S2S connection due to throughput limitations.
Name the 2 VPN types and describe them briefly.
Policy-Based:
Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies. The policy (or traffic selector) is defined as an access list in the VPN device configuration.
Route-Based:
Route-based VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for route-based VPNs is configured as any-to-any (or wildcards).
What 3 limitations should you be aware of with Policy-Based VPNs?
- Policy-based VPNs, which support IKEv1 protocols, can be used with Basic Gateway SKUs only.
- You can have only one tunnel when using a policy-based VPN.
- You can only use policy-based VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require a route-based VPN.
What is the recommended subnet size for a VPN-GW?
/27 or larger.
What 2 things do you need when setting up your on-premises VPN devices?
- Shared key
- Public IP of your VPN-GW
What are the 5 available HA options & briefly describe them.
- VPN-GW Redundancy (act/stdby) - 2 instances of Azure VPN-GWs in an HA state. Automatic failover when disruption occurs. Planned disruption can be 10-15 secs, whereas unplanned can be 1-3 mins.
- Multiple on-prem VPN devices - You can use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway. Multiple connections from your on-prem devices to your Azure VPN-GW are required. BGP is required. The same on-prem networks should be advertised through both tunnels. ECMP should be enabled. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway: 10 for Basic and Standard SKUs, and 30 for the HighPerformance SKU.
- Active-Active VGWs - Here both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. Each Azure gateway instance has a unique public IP address, and each establishes an IPsec/IKE S2S VPN tunnel to your on-premises VPN device. Both VPN tunnels are part of the same connection. Traffic from your Azure virtual network to your on-premises network is routed through both tunnels simultaneously.
- Dual redundancy Active-Active - Here you create and set up the Azure VPN gateway in an active-active configuration and create two local network gateways and two connections for your two on-premises VPN devices. All gateways and tunnels are active from the Azure side, so the traffic is spread among all four tunnels simultaneously. By spreading the traffic, you may see slightly better throughput over the IPsec tunnels.
- Highly Available VNet-To-VNet - You can create active-active VPN gateways for both virtual networks, and connect them together to form the same full mesh connectivity of four tunnels between the two VNets. VNet-to-VNet topology only needs one connection for each gateway. Additionally, BGP is optional unless transit routing over the VNet-to-VNet connection is required.
What diagnostic Logs can you use to troubleshoot issues related to your VPN-GW?
- GatewayDiagnosticLog - Contains diagnostic logs for gateway configuration events, primary changes, and maintenance events.
- TunnelDiagnosticLog - Contains tunnel state change events. Tunnel connect/disconnect events have a summarized reason for the state change if applicable.
- RouteDiagnosticLog - Logs changes to static routes and BGP events that occur on the gateway.
- IKEDiagnosticLog - Logs IKE control messages and events on the gateway.
- P2SDiagnosticLog - Logs point-to-site control messages and events on the gateway.
What is a P2S VPN?
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer.
What are the 3 protocols used by P2S VPNs?
- OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).
- Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).
- IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).
Name and describe the 3 authentication methods supported by P2S connections.
- Authenticate using native Azure certificate authentication:
A client certificate on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. The validation of the client certificate happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.
- Authenticate using native Microsoft Entra ID authentication:
Native authentication allows users to connect to Azure using their Microsoft Entra ID credentials. Native authentication is only supported for the OpenVPN protocol and Windows 10, and requires the use of the Azure VPN Client. With this authentication, you can use conditional access and multifactor authentication (MFA) features for VPN.
- Authenticate using Active Directory Domain Services:
Allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with Active Directory. Organizations can also use their existing RADIUS deployment.
The RADIUS server is deployed either on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway passes authentication messages back and forth between the RADIUS server and the connecting device. Thus, the Gateway must be able to communicate with the RADIUS server. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability.
The RADIUS server can also integrate with certificate services. Integrating the RADIUS server with certificate services means you don't need to upload root certificates and revoked certificates to Azure.
What is a virtual WAN?
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.
Name some features a Virtual WAN supports.
- Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).
- Site-to-site VPN connectivity.
- Remote user VPN connectivity (point-to-site).
- Private connectivity (ExpressRoute).
- Intra-cloud connectivity (transitive connectivity for virtual networks).
- VPN ExpressRoute inter-connectivity.
- Routing, Azure Firewall, and encryption for private connectivity.
Name the 2 Virtual WAN SKUs and their features.
- Basic:
- Hub type is Basic.
- S2S VPN supported only.
- Standard:
- Hub type is Standard.
- Supports ExpressRoute, User VPN (P2S), VPN (site-to-site), inter-hub and VNet-to-VNet transiting through the virtual hub, Azure Firewall, and NVA in a virtual WAN.
What is a virtual hub?
A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. The minimum address space is /24 to create a hub. If you use anything in the range from /25 to /32, it produces an error during creation.
What is a hub gateway?
A hub gateway isn’t the same as a virtual network gateway that you use for ExpressRoute and VPN Gateway. For example, when using Virtual WAN, you don’t create a site-to-site connection from your on-premises site directly to your VNet. Instead, you create a site-to-site connection to the hub. The traffic always goes through the hub gateway. Virtual WAN lets your VNets take advantage of scaling easily through the virtual hub and the virtual hub gateway.
What determines the aggregate throughput of the gateway?
Gateway scale units determine the aggregate throughput of the gateway in the virtual hub. Each type of gateway scale unit (site-to-site, user-vpn, and ExpressRoute) is configured separately.
What pre-requisites must be in place before connecting a cross-tenant VNet to another VNet using the Virtual WAN hub?
- A Virtual WAN and virtual hub in the parent subscription.
- A virtual network configured in a subscription in the remote tenant.
- Address spaces in the remote tenant VNet must not overlap with the address spaces of any other VNets already connected to the parent virtual hub.
How is routing managed in the virtual WAN Hub?
It’s provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP). This router also provides transit connectivity between virtual networks that connect to a virtual hub and can support up to an aggregate throughput of 50 Gbps. These routing capabilities apply to Standard Virtual WAN customers.
Where is an NVA deployed?
The NVAs available in the Azure Marketplace can be deployed directly into a virtual hub and nowhere else. Each is deployed as a Managed Application, which allows Azure Virtual WAN to manage the configuration of the NVA. They can’t be deployed within an arbitrary VNet.
Name and describe the 2 resource groups created when an NVA is deployed.
- Customer Resource Group - This contains an application placeholder for the Managed Application. Partners can use this resource group to expose whatever customer properties they choose.
- Managed Resource Group - Customers can’t configure or change resources in this resource group directly.
Do you need to create connection resources to connect your branch sites to your NVA?
Unlike Azure VPN Gateway configurations, you don’t need to create Site resources, Site-to-Site connection resources, or point-to-site connection resources to connect your branch sites to your NVA in the Virtual WAN hub.
You still need to create Hub-to-VNet connections to connect your Virtual WAN hub to your Azure VNets.
What is an NVA Infrastructure unit and how does it work?
An NVA Infrastructure Unit is a unit of aggregate bandwidth capacity for an NVA in the Virtual WAN hub. An NVA Infrastructure Unit is similar to a VPN Scale Unit in terms of the way you think about capacity and sizing.
- One NVA Infrastructure Unit represents 500 Mbps of aggregate bandwidth for all branch site connections coming into this NVA.
- Azure supports from 1 to 80 NVA Infrastructure Units for a given NVA virtual hub deployment.
- Each partner may offer different NVA Infrastructure Unit bundles that are a subset of all supported NVA Infrastructure Unit configurations.