Intro to Azure Virtual Networks Flashcards
What is a VNet?
Azure Virtual Networks (VNets) are the fundamental building block of your private network in Azure. VNets enable you to build complex virtual networks that are similar to an on-premises network, with other benefits of Azure infrastructure such as scale, availability, and isolation.
What are the 5 Capabilities of VNets?
- Communication with the internet - All resources in a VNet can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use public IP or public Load Balancer to manage your outbound connections.
- Communication between Azure resources - There are three key mechanisms through which Azure resources can communicate: VNets, VNet service endpoints, and VNet peering. Virtual Networks can connect not only VMs, but other Azure Resources, such as the App Service Environment, Azure Kubernetes Service, and Azure Virtual Machine Scale Sets. You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud.
- Communication with on-premises resources - Securely extend your data center. You can connect your on-premises computers and networks to a virtual network using any of the following options: Point-to-site virtual private network (VPN), Site-to-site VPN, Azure ExpressRoute.
- Filtering network traffic - You can filter network traffic between subnets using any combination of network security groups and network virtual appliances.
- Routing network traffic - Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement route tables or border gateway protocol (BGP) routes to override the default routes Azure creates.
What are the usable address ranges of a VNet?
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
What address ranges can’t you use for VNets?
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS)
What are the 5 addresses Azure reserves in a subnet? Use 192.168.1.0/24 as an example.
192.168.1.0 (Network address.)
192.168.1.1 (Reserved by Azure for the default gateway.)
192.168.1.2, 192.168.1.3 (Reserved by Azure to map the Azure DNS IPs to the VNet space.)
192.168.1.255 (Network broadcast address.)
Name 4 things you must consider when implementing a VNet
- Ensure nonoverlapping address spaces. Make sure your VNet address space (CIDR block) doesn’t overlap with your organization’s other network ranges.
- Is any security isolation required?
- Do you need to mitigate any IP addressing limitations?
- Are there connections between Azure VNets and on-premises networks?
- Is there any isolation required for administrative purposes?
- Are you using any Azure services that create their own VNets?
What is the smallest & largest subnet prefix you can use for IPv4 & IPv6?
The smallest supported IPv4 subnet is /29, and the largest is /2 (using CIDR subnet definitions). IPv6 subnets must be exactly /64 in size.
Name 4 things to consider when implementing subnets.
- Each subnet must have a unique address range, specified in Classless Inter-Domain Routing (CIDR) format.
- Certain Azure services require their own subnet.
- Subnets can be used for traffic management. For example, you can create subnets to route traffic through a network virtual appliance.
- You can limit access to Azure resources to specific subnets with a virtual network service endpoint. You can create multiple subnets, and enable a service endpoint for some subnets, but not others.
Can a resource be created in any region's virtual network?
A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
How many virtual networks can you deploy in an Azure subscription?
You can deploy as many virtual networks as you need within each subscription, up to the subscription limit.
What is an Availability zone and what do they provide?
A zone made up of one or more datacenters equipped with independent power, cooling, and networking. It's designed to ensure high availability of your Azure services.
Name and describe the 3 categories AZs fall into.
- Zonal services - Resources can be pinned to a specific zone. For example, virtual machines, managed disks, or standard IP addresses can be pinned to a specific zone. This planning allows for increased resilience by having one or more instances of resources spread across zones.
- Zone-redundant services - Resources are replicated or distributed across zones automatically. Azure replicates the data across three zones so that a zone failure doesn’t impact its availability.
- Nonregional services - Services are available from Azure geographies and are resilient to zone-wide outages.
What does a public IP do?
Public IP addresses enable Internet resources to communicate with Azure resources and enable Azure resources to communicate outbound with Internet and public-facing Azure services.
Name 6 resources that can use PIPs.
Virtual machine network interfaces
Virtual machine scale sets
Public Load Balancers
Virtual Network Gateways (VPN/ER)
NAT gateways
Application Gateways
Azure Firewall
Bastion Host
Route Server
What is the difference between a dynamic IP & a static IP?
A dynamic public IP address is an assigned address that can change over the lifespan of the Azure resource. The dynamic IP address is allocated when you create or start a virtual machine (VM). The IP address is released when you stop or delete the VM.
A static public IP address is an assigned address that doesn’t change over the lifespan of the Azure resource. To ensure that the IP address for the resource remains the same, set the allocation method explicitly to static. In this case, an IP address is assigned immediately. The IP address is released only when you delete the resource or change the IP allocation method to dynamic.
What are the 2 SKUs available for PIPs?
Basic:
- For IPv4: Dynamic or Static; For IPv6: Dynamic.
- Adjustable idle timeout of 4-30 minutes (default 4 minutes); fixed outbound idle timeout of 4 minutes.
- Open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
- Availability zones, routing preference & global tiers not supported.
Standard:
- Static allocation method only.
- Adjustable idle timeout of 4-30 minutes (default 4 minutes); fixed outbound idle timeout of 4 minutes.
- AZs supported. Standard IPs can be nonzonal, zonal, or zone-redundant. Zone-redundant IPs can only be created in regions where there are three availability zones.
- Routing preference supported to enable more granular control of how traffic is routed between Azure and the Internet.
- Global tier supported via cross-region load balancers.
How are PIPs assigned?
Public IP prefixes are assigned from a pool of addresses in each Azure region. You create a public IP address prefix in an Azure region and subscription by specifying a name and prefix size.
What are the 2 types of DNS Azure supports? Briefly explain them.
Public DNS:
Public DNS services resolve names and IP addresses for resources and services accessible over the internet, such as web servers. Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers. Azure DNS uses anycast networking: each DNS query is directed to the closest available DNS server.
Private DNS:
Private DNS services resolve names and IP addresses for resources and services
When resources deployed in virtual networks need to resolve domain names to internal IP addresses, they can use one of the three methods:
Azure DNS Private Zones
Azure-provided name resolution
Name resolution that uses your own DNS server
Name 3 things you must consider when implementing DNS.
- The name of the zone must be unique within the resource group, and the zone must not exist already.
- The same zone name can be reused in a different resource group or a different Azure subscription.
- Where multiple zones share the same name, each instance is assigned different name server addresses.
- The root/parent domain is registered at the registrar and pointed to the Azure DNS name servers (NS).
- Child domains are registered in Azure DNS directly.
What is DNS delegation?
Delegation is what causes DNS queries for a domain to be sent to the Azure DNS name servers. The domain has to be delegated to Azure DNS from the parent domain (typically on the domain registrar's site).
How do you set up child zones?
If you want to set up a separate child zone, you can delegate a subdomain in Azure DNS. For example, after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.contoso.com.
Setting up a subdomain follows the same process as typical delegation. The only difference is that NS records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain registrar.
What is a record set?
A record set is a collection of records in a zone that have the same name and are the same type.
A record set can’t contain two identical records. Empty record sets (with zero records) can be created, but don’t appear on the Azure DNS name servers. Record sets of type CNAME can contain one record at most.
Briefly explain the 3 flavours of Private DNS.
- Azure-provided DNS: Azure provides its own free default internal DNS. Azure-provided name resolution offers only basic authoritative DNS capabilities. If you use this option, the DNS zone names and records are automatically managed by Azure. You can't control the DNS zone names or the life cycle of DNS records.
- Azure DNS private zones: Private DNS zones in Azure are available to internal resources only. They’re global in scope, so you can access them from any region, any subscription, any VNet, and any tenant. If you have permission to read the zone, you can use it for name resolution. Private DNS zones are highly resilient, being replicated to regions all throughout the world. They aren’t available to resources on the internet.
- On-premises DNS: If you have an external DNS server, for example an on-premises server, you can use a custom DNS configuration on your VNet to integrate the two. Organizations often use an internal Azure private DNS zone for auto-registration, and then use a custom configuration to forward queries for external zones to an external DNS server.
Name the 2 types of forwarding used in DNS.
- Forwarding - specifies another DNS server (SOA for a zone) to resolve the query if the initial server can’t.
- Conditional forwarding - specifies a DNS server for a named zone, so that all queries for that zone are routed to the specified DNS server.
What is VNet peering?
A virtual connection between 2 VNets in the same or different regions using the Microsoft backbone infrastructure.
What are the 2 types of VNet peerings?
- Regional VNet peering connects Azure virtual networks in the same region.
- Global VNet peering connects Azure virtual networks in different regions. The peered virtual networks can exist in any Azure public cloud region or China cloud regions, but not in Government cloud regions. You can only peer virtual networks in the same region in Azure Government cloud regions.
Name a few benefits of using VNet peering.
- A low-latency, high-bandwidth connection between resources in different virtual networks.
- The ability to apply network security groups in either virtual network to block access to other virtual networks or subnets.
- The ability to transfer data between virtual networks across Azure subscriptions, Microsoft Entra tenants, deployment models, and Azure regions.
- The ability to peer virtual networks created through the Azure Resource Manager.
- The ability to peer a virtual network created through Resource Manager to one created through the classic deployment model.
- No downtime to resources in either virtual network is required when creating the peering, or after the peering is created.
How does Virtual Gateway Transit work?
When virtual networks are peered, you configure a VPN gateway in the peered virtual network as a transit point. In this case, a peered virtual network uses the remote gateway to gain access to other resources. A virtual network can have only one gateway. Gateway transit is supported for both VNet Peering and Global VNet Peering.
Name 3 ways a VNet can access an external resource via Gateway Transit.
When you allow gateway transit, the virtual network can communicate with resources outside the peering. For example, the gateway could:
- Use a site-to-site VPN to connect to an on-premises network.
- Use a VNet-to-VNet connection to another virtual network.
- Use a point-to-site VPN to connect to a client.
What is service chaining & how does it work?
It's when you direct traffic from a VNet to a specific network virtual appliance (NVA).
To enable service chaining, add user-defined routes pointing to virtual machines in the peered virtual network as the next hop IP address. User-defined routes can also point to virtual network gateways.
How are routes assigned by default in Azure?
Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table.
What are the 3 next-hop types Azure uses by default? Briefly explain them.
- Virtual network: Routes traffic between address ranges within the address space of a virtual network.
- Internet: Routes traffic specified by the address prefix to the Internet. The system default route specifies the 0.0.0.0/0 address prefix. Azure routes traffic for any address not specified by an address range within a virtual network to the Internet, unless the destination address is for an Azure service. Azure routes any traffic destined for its service directly to the service over the backbone network, rather than routing the traffic to the Internet.
- None: Traffic routed to the None next hop type is dropped, rather than routed outside the subnet. Azure automatically creates default routes for the following address prefixes:
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16: Reserved for private use in RFC 1918.
100.64.0.0/10: Reserved in RFC 6598.
Explain how Azure uses the following next-hop types.
- VNet Peering
- Virtual Network Gateway
- VirtualNetworkServiceEndpoint
Virtual network (VNet) peering: When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network.
Virtual network gateway: When you add a virtual network gateway to a virtual network, Azure adds one or more routes with Virtual network gateway as the next hop type. The source is listed as virtual network gateway because the gateway adds the routes to the subnet.
VirtualNetworkServiceEndpoint: Azure adds the public IP addresses for certain services to the route table when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for.
What is the caveat of a VNG with regard to propagated routes?
There are limits to the number of routes you can propagate to an Azure virtual network gateway, so you should summarize on-premises routes to the largest address ranges possible. For more information on the number of routes you can propagate, see Networking limits.
What Next-hops can be used for custom routes?
- Virtual appliance: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall. When you create a route with the virtual appliance hop type, you also specify a next hop IP address. The IP address can be:
- The private IP address of a network interface attached to a virtual machine.
- The private IP address of an Azure internal load balancer.
- Virtual network gateway: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type VPN.
- None: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.
- Virtual network: Specify when you want to override the default routing within a virtual network.
- Internet: Specify when you want to explicitly route traffic destined to an address prefix to the Internet.
What is forced tunnelling and how does it work?
Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing.
Forced tunneling in Azure is configured using virtual network custom user-defined routes.
Each virtual network subnet has a built-in, system routing table. The system routing table has the following three groups of routes:
- Local VNet routes: Route directly to the destination VMs in the same virtual network.
- On-premises routes: Route to the Azure VPN gateway.
- Default route: Route directly to the Internet. Packets destined to the private IP addresses not covered by the previous two routes are dropped.
What is a route server & what are some of its benefits?
Azure Route Server simplifies dynamic routing between your network virtual appliance (NVA) and your virtual network. Azure Route Server is a fully managed service and is configured with high availability.
- You no longer need to manually update the routing table on your NVA whenever your virtual network addresses are updated.
- You no longer need to update user-defined routes manually whenever your NVA announces new routes or withdraws old ones.
- You can peer multiple instances of your NVA with Azure Route Server.
- The interface between NVA and Azure Route Server is based on a common standard protocol. As long as your NVA supports BGP, you can peer it with Azure Route Server.
- You can deploy Azure Route Server in any of your new or existing virtual networks.
What is an effective route?
The route that ends up in a NIC's route table and is actually used to route traffic for a given prefix.
Name some steps you might perform to resolve a routing issue.
- Add a custom route to override a default route.
- Change or remove a custom route that causes traffic to be routed to an undesired location.
- Ensure that the route table is associated with the correct subnet (the one that contains the network interface).
- Ensure that devices such as Azure VPN gateway or network virtual appliances are operating as intended.
What does a NAT Gateway do?
NAT services provide mappings for a single IP address, a range of IP addresses defined by an IP Prefix, and a range of ports associated with an IP address.
How does NAT work?
NAT is compatible with standard SKU public IP address resources or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT maps all traffic to the range of IP addresses of the prefix. NAT allows flows to be created from the virtual network to the Internet. Return traffic from the Internet is only allowed in response to an active flow.
How does dynamic NAT work?
By using port network address translation (PNAT or PAT), NAT provides up to 64,000 concurrent flows for UDP and TCP respectively, for each attached public IP address. NAT can support up to 16 public IP addresses.
What are some limitations of NAT?
- NAT is compatible with standard SKU public IP, public IP prefix, and load balancer resources. Basic resources (for example, a basic load balancer) and any products derived from them aren't compatible with NAT. Basic resources must be placed on a subnet not configured with NAT.
- The IPv4 address family is supported; NAT doesn't interact with the IPv6 address family. NAT can't be deployed on a subnet with an IPv6 prefix.
- NAT can’t span multiple virtual networks.
- IP fragmentation isn’t supported.