Intro to Azure Virtual Networks Flashcards
What is a VNet?
Azure Virtual Networks (VNets) are the fundamental building block of your private network in Azure. VNets enable you to build complex virtual networks that are similar to an on-premises network, with other benefits of Azure infrastructure such as scale, availability, and isolation.
What are the 5 Capabilities of VNets?
- Communication with the internet - All resources in a VNet can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use public IP or public Load Balancer to manage your outbound connections.
- Communication between Azure resources - There are three key mechanisms through which Azure resources can communicate: VNets, VNet service endpoints, and VNet peering. Virtual Networks can connect not only VMs, but other Azure Resources, such as the App Service Environment, Azure Kubernetes Service, and Azure Virtual Machine Scale Sets. You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud.
- Communication with on-premises resources - Securely extend your data center. You can connect your on-premises computers and networks to a virtual network using any of the following options: point-to-site virtual private network (VPN), site-to-site VPN, or Azure ExpressRoute.
- Filtering network traffic - You can filter network traffic between subnets using any combination of network security groups and network virtual appliances.
- Routing network traffic - Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement route tables or border gateway protocol (BGP) routes to override the default routes Azure creates.
What are the usable (RFC 1918 private) address ranges of a VNet?
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
What address ranges can’t you use for VNets?
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS, DHCP, and Azure Load Balancer health probes)
What are the 5 Addresses azure reserves in a subnet. Use 192.168.1.0/24 as an example.
192.168.1.0 (Network address.)
192.168.1.1 (Reserved by Azure for the default gateway.)
192.168.1.2, 192.168.1.3 (Reserved by Azure to map the Azure DNS IPs to the VNet space.)
192.168.1.255 (Network broadcast address.)
Name 6 things you must consider when implementing a VNet.
- Ensure nonoverlapping address spaces. Make sure your VNet address space (CIDR block) doesn’t overlap with your organization’s other network ranges.
- Is any security isolation required?
- Do you need to mitigate any IP addressing limitations?
- Are there connections between Azure VNets and on-premises networks?
- Is there any isolation required for administrative purposes?
- Are you using any Azure services that create their own VNets?
What is the smallest & largest subnet prefix you can use for IPv4 & IPv6?
The smallest supported IPv4 subnet is /29, and the largest is /2 (using CIDR subnet definitions). IPv6 subnets must be exactly /64 in size.
Name 4 things to consider when implementing subnets.
- Each subnet must have a unique address range, specified in Classless Inter-Domain Routing (CIDR) format.
- Certain Azure services require their own subnet.
- Subnets can be used for traffic management. For example, you can create subnets to route traffic through a network virtual appliance.
- You can limit access to Azure resources to specific subnets with a virtual network service endpoint. You can create multiple subnets, and enable a service endpoint for some subnets, but not others.
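The address-space and subnet rules above (reserved ranges, the five addresses Azure reserves per subnet, non-overlapping address spaces, /29 to /2 for IPv4 and exactly /64 for IPv6, unique subnet ranges) are the kind of thing worth checking before a deployment rather than after a peering or VPN fails. The following is an added example, not code from the original flashcards or from Microsoft; it uses only Python's standard `ipaddress` module and the ranges listed above. The function names and the sample inputs are the author's own.

```python
import ipaddress
from typing import Dict, List, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges Azure does not allow inside a VNet address space (from the flashcards above).
AZURE_RESERVED_RANGES: List[Net] = [
    ipaddress.ip_network("224.0.0.0/4"),          # multicast
    ipaddress.ip_network("255.255.255.255/32"),   # broadcast
    ipaddress.ip_network("127.0.0.0/8"),          # loopback
    ipaddress.ip_network("169.254.0.0/16"),       # link-local
    ipaddress.ip_network("168.63.129.16/32"),     # Azure internal DNS / platform address
]

# RFC 1918 private ranges, the usable VNet ranges from the flashcards.
RFC1918: List[Net] = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _same_family_overlap(a: Net, b: Net) -> bool:
    # overlaps()/subnet_of() raise on mixed IPv4/IPv6, so guard on version first.
    return a.version == b.version and a.overlaps(b)


def check_vnet_space(cidr: str, existing: Sequence[str] = ()) -> List[str]:
    """Problems with a proposed VNet address space: reserved-range overlap,
    overlap with other ranges you already use (other VNets, on-premises), non-RFC1918."""
    net = ipaddress.ip_network(cidr)          # strict: host bits set is an error
    problems = []
    for r in AZURE_RESERVED_RANGES:
        if _same_family_overlap(net, r):
            problems.append(f"{net} overlaps reserved range {r}")
    for other in existing:
        o = ipaddress.ip_network(other)
        if _same_family_overlap(net, o):
            problems.append(f"{net} overlaps existing range {o}")
    if net.version == 4 and not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net} is outside RFC 1918 private space")
    return problems


def azure_reserved_addresses(subnet_cidr: str) -> Dict[str, object]:
    """The five addresses Azure reserves in an IPv4 subnet, plus the usable host count."""
    net = ipaddress.ip_network(subnet_cidr)
    if net.version != 4:
        raise ValueError("this helper describes IPv4 subnets only")
    first = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(first)),
        "gateway": str(ipaddress.ip_address(first + 1)),       # default gateway
        "dns": [str(ipaddress.ip_address(first + 2)),           # Azure DNS mapping
                str(ipaddress.ip_address(first + 3))],
        "broadcast": str(net.broadcast_address),
        "usable": net.num_addresses - 5,
    }


def check_subnets(vnet_cidr: str, subnet_cidrs: Sequence[str]) -> List[str]:
    """Problems with a subnet plan: subnet outside the VNet, illegal prefix length,
    or two subnets whose ranges overlap."""
    vnet = ipaddress.ip_network(vnet_cidr)
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    problems = []
    for s in subnets:
        if s.version != vnet.version or not s.subnet_of(vnet):
            problems.append(f"{s} is not inside {vnet}")
        if s.version == 4 and not (2 <= s.prefixlen <= 29):
            problems.append(f"{s}: IPv4 subnet prefix must be between /2 and /29")
        if s.version == 6 and s.prefixlen != 64:
            problems.append(f"{s}: IPv6 subnets must be exactly /64")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if _same_family_overlap(a, b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a hub VNet next to an existing on-premises range.
    print(check_vnet_space("10.1.0.0/16", existing=["10.0.0.0/16", "192.168.0.0/24"]))
    print(azure_reserved_addresses("192.168.1.0/24"))
    print(check_subnets("10.1.0.0/16", ["10.1.0.0/24", "10.1.1.0/24", "10.1.0.0/30"]))
```

`check_subnets` deliberately reports both the illegal /30 and the overlap it causes, so a plan with several mistakes is fixed in one pass. For IPv6 the strict `ip_network` parser also rejects prefixes with host bits set, which catches a mistyped /63 boundary before Azure does.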
Can a resource be created in any region's virtual network?
A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
How many virtual networks can you deploy in an azure subscription?
You can deploy as many virtual networks as you need within each subscription, up to the subscription limit.
What is an Availability zone and what do they provide?
A zone is made up of one or more datacenters equipped with independent power, cooling, and networking. Availability zones are designed to ensure high availability of your Azure services.
Name and describe the 3 categories Azure services fall into with respect to AZs.
- Zonal services - Resources can be pinned to a specific zone. For example, virtual machines, managed disks, or standard IP addresses can be pinned to a specific zone. This planning allows for increased resilience by having one or more instances of resources spread across zones.
- Zone-redundant services - Resources are replicated or distributed across zones automatically. Azure replicates the data across three zones so that a zone failure doesn’t impact its availability.
- Nonregional services - Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
What does a public IP do?
Public IP addresses enable Internet resources to communicate with Azure resources and enable Azure resources to communicate outbound with Internet and public-facing Azure services.
Name 9 resources that can use PIPs.
Virtual machine network interfaces
Virtual machine scale sets
Public Load Balancers
Virtual Network Gateways (VPN/ExpressRoute)
NAT gateways
Application Gateways
Azure Firewall
Bastion Host
Route Server
What is the difference between a dynamic IP & a static IP?
A dynamic public IP address is an assigned address that can change over the lifespan of the Azure resource. The dynamic IP address is allocated when you create or start a virtual machine (VM). The IP address is released when you stop or delete the VM.
A static public IP address is an assigned address that doesn’t change over the lifespan of the Azure resource. To ensure that the IP address for the resource remains the same, set the allocation method explicitly to static. In this case, an IP address is assigned immediately. The IP address is released only when you delete the resource or change the IP allocation method to dynamic.
What are the 2 SKUs available for PIPs?
Basic:
- For IPv4: Dynamic or Static; For IPv6: Dynamic only.
- Adjustable inbound-originated flow idle timeout of 4-30 minutes (default 4 minutes). Outbound-originated flow idle timeout is fixed at 4 minutes.
- Open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
- Availability zones, routing preference and global tier not supported.
Standard:
- Static allocation method only (IPv4 and IPv6).
- Adjustable inbound-originated flow idle timeout of 4-30 minutes (default 4 minutes). Outbound-originated flow idle timeout is fixed at 4 minutes.
- Secure by default: closed to inbound traffic when used as a frontend. A network security group is required to allow inbound traffic.
- AZs supported. Standard IPs can be nonzonal, zonal, or zone-redundant. Zone-redundant IPs can only be created in regions where there are three availability zones.
- Routing preference supported, to enable more granular control of how traffic is routed between Azure and the Internet.
- Global tier supported via cross-region load balancers.
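The SKU and allocation rules above are easy to check mechanically across a subscription: Basic SKU addresses are open by default, Standard must be static, and the idle timeout has a fixed 4-30 minute range. The following audit is an added example, not code from the flashcards or from Microsoft. It runs over a constructed list shaped like the JSON that `az network public-ip list -o json` returns; the field names (`sku.name`, `publicIPAllocationMethod`, `publicIPAddressVersion`, `idleTimeoutInMinutes`, `zones`) are the author's assumption about that output and should be confirmed against a real listing before use.

```python
from typing import Dict, List

# Constructed sample records (not real Azure output), in the assumed `az` JSON shape.
SAMPLE_PIPS: List[Dict] = [
    {"name": "pip-web-basic", "sku": {"name": "Basic"}, "publicIPAllocationMethod": "Dynamic",
     "publicIPAddressVersion": "IPv4", "idleTimeoutInMinutes": 4, "zones": None},
    {"name": "pip-lb-std", "sku": {"name": "Standard"}, "publicIPAllocationMethod": "Static",
     "publicIPAddressVersion": "IPv4", "idleTimeoutInMinutes": 30, "zones": ["1", "2", "3"]},
    {"name": "pip-vpn-std", "sku": {"name": "Standard"}, "publicIPAllocationMethod": "Dynamic",
     "publicIPAddressVersion": "IPv4", "idleTimeoutInMinutes": 45, "zones": None},
    {"name": "pip-v6-basic", "sku": {"name": "Basic"}, "publicIPAllocationMethod": "Static",
     "publicIPAddressVersion": "IPv6", "idleTimeoutInMinutes": 4, "zones": None},
]


def audit_public_ip(pip: Dict) -> List[str]:
    """Return findings for one public IP, based on the SKU rules in the flashcards."""
    sku = pip["sku"]["name"]
    alloc = pip["publicIPAllocationMethod"]
    version = pip.get("publicIPAddressVersion", "IPv4")
    timeout = pip.get("idleTimeoutInMinutes", 4)
    zones = pip.get("zones") or []
    findings = []

    if sku == "Basic":
        # Basic is open by default (NSG optional) and cannot be zonal or zone-redundant.
        findings.append("Basic SKU: open by default, NSG optional, no availability-zone support")
        if version == "IPv6" and alloc != "Dynamic":
            findings.append("Basic IPv6 supports Dynamic allocation only")
    elif sku == "Standard":
        # Standard is closed to inbound until an NSG allows it, and must be static.
        if alloc != "Static":
            findings.append("Standard SKU supports Static allocation only")
        if not zones:
            findings.append("Standard SKU but nonzonal: zonal or zone-redundant is available")
    else:
        findings.append(f"unknown SKU {sku!r}")

    if not 4 <= timeout <= 30:
        findings.append(f"idle timeout {timeout} min is outside the 4-30 minute range")
    return findings


def audit_all(pips: List[Dict]) -> Dict[str, List[str]]:
    """Map each public IP name to its findings; empty list means clean."""
    return {p["name"]: audit_public_ip(p) for p in pips}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PIPS).items():
        print(name, "->", findings or "ok")
```

The Basic-SKU finding is the security-relevant one: a Basic address with no NSG exposes whatever listens on the NIC, whereas a Standard address exposes nothing until an NSG rule opens it. The remaining checks (Standard with Dynamic, timeout out of range) describe configurations the platform would reject, so seeing them in exported data usually means the export is stale or hand-edited.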
How are public IP prefixes assigned?
Public IP prefixes are assigned from a pool of addresses in each Azure region. You create a public IP address prefix in an Azure region and subscription by specifying a name and prefix size; individual public IP addresses are then allocated from that prefix.
What are the 2 types of DNS azure supports and briefly explain them?
Public DNS:
Public DNS services resolve names and IP addresses for resources and services accessible over the internet, such as web servers. Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers. Azure DNS uses anycast networking, so each DNS query is directed to the closest available DNS server.
Private DNS:
Private DNS services resolve names and IP addresses for resources and services on private networks, such as a VNet, that are not reachable from the internet.
When resources deployed in virtual networks need to resolve domain names to internal IP addresses, they can use one of the three methods:
Azure DNS Private Zones
Azure-provided name resolution
Name resolution that uses your own DNS server
Name 5 things you must consider when implementing DNS.
- The name of the zone must be unique within the resource group, and the zone must not exist already.
- The same zone name can be reused in a different resource group or a different Azure subscription.
- Where multiple zones share the same name, each instance is assigned different name server addresses.
- Root/Parent domain is registered at the registrar and pointed to Azure NS.
- Child domains are registered in Azure DNS directly.
What is DNS delegation?
Pointing a domain at Azure DNS so that DNS queries for it are answered by the Azure DNS name servers. The domain has to be delegated to Azure DNS from the parent domain, usually by updating the NS records at the domain registrar to the name servers assigned to your zone.
How do you set up child zones?
If you want to set up a separate child zone, you can delegate a subdomain in Azure DNS. For example, after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.contoso.com.
Setting up a subdomain follows the same process as typical delegation. The only difference is that NS records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain registrar.
What is a record set?
A record set is a collection of records in a zone that have the same name and are the same type.
A record set can’t contain two identical records. Empty record sets (with zero records) can be created, but don’t appear on the Azure DNS name servers. Record sets of type CNAME can contain one record at most.
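Child-zone delegation (NS records in the parent zone) and the record-set rules above (one set per name and type, no identical records, empty sets not served, at most one CNAME record) can be modelled in a few dozen lines. The following is an added example, not code from the flashcards or from Azure DNS itself; the `Zone`, `RecordSet` and `delegate_child` names are the author's own, and the name-server hostnames are constructed placeholders, not the servers Azure would assign.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RecordSet:
    """All records in a zone that share a name and a type."""
    name: str                 # relative name within the zone, "@" for the apex
    rtype: str                # A, AAAA, CNAME, NS, TXT, ...
    records: List[str] = field(default_factory=list)

    def add(self, value: str) -> None:
        if value in self.records:
            raise ValueError(f"record set {self.name}/{self.rtype} already holds {value!r}")
        if self.rtype == "CNAME" and self.records:
            raise ValueError("a CNAME record set can contain at most one record")
        self.records.append(value)


class Zone:
    """Minimal model of a DNS zone hosted in Azure DNS."""

    def __init__(self, zone_name: str, name_servers: List[str]):
        self.zone_name = zone_name.rstrip(".").lower()
        self.name_servers = list(name_servers)   # assigned to the zone when it is created
        self.sets: Dict[Tuple[str, str], RecordSet] = {}

    def record_set(self, name: str, rtype: str) -> RecordSet:
        """Get or create the (name, type) record set; creating it empty is allowed."""
        key = (name.lower(), rtype.upper())
        return self.sets.setdefault(key, RecordSet(key[0], key[1]))

    def published(self) -> Dict[Tuple[str, str], List[str]]:
        """What the zone's name servers would actually serve: empty sets are omitted."""
        return {k: list(v.records) for k, v in self.sets.items() if v.records}


def registrar_delegation(zone: Zone) -> List[Tuple[str, str, str]]:
    """NS records the registrar must hold for the root/parent domain (one per name server)."""
    return [(zone.zone_name, "NS", ns) for ns in zone.name_servers]


def delegate_child(parent: Zone, child: Zone) -> RecordSet:
    """Delegate a subdomain: create NS records in the parent zone (not at the registrar)
    pointing at the child zone's own name servers."""
    suffix = "." + parent.zone_name
    if not child.zone_name.endswith(suffix):
        raise ValueError(f"{child.zone_name} is not a subdomain of {parent.zone_name}")
    label = child.zone_name[: -len(suffix)]
    ns = parent.record_set(label, "NS")
    for server in child.name_servers:
        ns.add(server)
    return ns


if __name__ == "__main__":
    # Constructed placeholder name servers; Azure assigns the real ones per zone.
    parent = Zone("contoso.com", ["ns-a.example.net.", "ns-b.example.net."])
    child = Zone("partners.contoso.com", ["ns-c.example.net.", "ns-d.example.net."])
    print(registrar_delegation(parent))
    print(delegate_child(parent, child))
    print(parent.published())
```

The distinction the flashcards draw is visible in the two functions: `registrar_delegation` describes records that live outside Azure DNS, at the registrar, while `delegate_child` writes records into the parent zone that Azure DNS already hosts.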
Briefly explain the 3 flavours of Private DNS.
- Azure provided DNS: Azure provides its own free default internal DNS. Azure provided name resolution provides only basic authoritative DNS capabilities. If you use this option, the DNS zone names and records are automatically managed by Azure. You can’t control the DNS zone names or the life cycle of DNS records.
- Azure DNS private zones: Private DNS zones in Azure are available to internal resources only. They’re global in scope, so you can access them from any region, any subscription, any VNet, and any tenant. If you have permission to read the zone, you can use it for name resolution. Private DNS zones are highly resilient, being replicated to regions all throughout the world. They aren’t available to resources on the internet.
- On-premises DNS: If you have an external DNS server, for example an on-premises server, you can use custom DNS configuration on your VNet to integrate the two. Organizations often use an internal Azure private DNS zone for auto-registration, and then use a custom configuration to forward queries for external zones to an external DNS server.
Name the 2 types of forwarding used in DNS.
- Forwarding - specifies another DNS server (for example, the server authoritative for a zone) to resolve any query the initial server can't answer itself.
- Conditional forwarding - specifies a DNS server for a named zone, so that all queries for that zone are routed to the specified DNS server.
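Conditional forwarding is a longest-suffix match on the query name, and the match has to respect label boundaries: a rule for `contoso.com` must not capture `evilcontoso.com`. The following selector is an added example, not code from the flashcards or from any DNS server; the zone-to-server table and the addresses in it are constructed. The default of `168.63.129.16` is the Azure-provided resolver address listed earlier on this page.

```python
from typing import Dict, Optional


def choose_forwarder(qname: str, conditional: Dict[str, str], default: str) -> str:
    """Pick the server a query is forwarded to.

    conditional maps a zone name to the server that handles it; the longest zone that
    matches qname on a label boundary wins. Anything unmatched goes to the default
    forwarder (plain forwarding)."""
    name = qname.rstrip(".").lower()
    best: Optional[tuple] = None
    for zone, server in conditional.items():
        z = zone.rstrip(".").lower()
        # Exact match or a proper subdomain; "evilcontoso.com" does not end with ".contoso.com".
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best[0]):
                best = (z, server)
    return best[1] if best else default


# Constructed forwarding table: a corporate sub-zone, the parent zone, and Azure's resolver.
CONDITIONAL = {
    "corp.contoso.com": "10.10.0.4",   # on-premises AD DNS for the corp zone
    "contoso.com": "10.20.0.4",        # another internal server for the rest of contoso.com
}
AZURE_RESOLVER = "168.63.129.16"


if __name__ == "__main__":
    for q in ("db.corp.contoso.com", "www.contoso.com", "evilcontoso.com", "example.org"):
        print(q, "->", choose_forwarder(q, CONDITIONAL, AZURE_RESOLVER))
```

A forwarder that matched with a plain `endswith(zone)` would send `evilcontoso.com` queries to the internal server for `contoso.com`, leaking internal lookups and trusting the wrong server's answers; the dot-prefixed comparison is what prevents that.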