Mod 3 - Understand Azure Networking

Question 1

VNet

Answer 1

Creates a block of IPs that can be specified to smaller subnets. Ex. West US region use 192.168.0.0/26»192.168.1.0/24

Question 2

How many and which IPs does azure reserve?

Answer 2

Ex. 10.1.0.0/24» reserves .1-.3, first useable is .4

Question 3

Can VNets have connectivity to another VNet by default?

Answer 3

VNets don’t have connectivity from one VNet to another even if in same region.

Question 4

Can all VMs on different subnets in a VNet communicate to each other by default

Answer 4

By default all VMs on different subnets in a VNet can communicate to each other ex. Ping and has outbound internet access, doesn’t have inbound unless you setup network security group.

Question 5

Service Endpoint

Answer 5

A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network

can deploy this to Give resource private IP addr on the VNet so other resources on the VNet can connect to it privately, not all resources can support this option ex. Two MS SQL servers need to be in the same region

Question 6

Do PaaS Storage accounts gets FQDN by default

Answer 6

Yes, PaaS Storage accounts by default gets FQDN which resolves to Public IP, so VMs in a subnet connect outbound to public IP to connect to storage account. Not a good idea for security.

Question 7

What field do you configure your VNet address block in?

Answer 7

• Address Space

Question 8

How do you deploy a VNET in azure GUI

Answer 8

1. Search for Virtual Networks in Azure Portal
2. Click Create
   a. Basics
   i. Set Sub and RG field
   ii. Set Name and region
   b. IP Address
   i. Set address space
   ii. Add subnets
   c. Publish

Question 9

Will a VM default to Private or Public IP of VNET during setup

Answer 9

private IP of VNET

Question 10

What year or newer VNETs use the new Resource Manager VNET deployment model?

Answer 10

2019 or newer. only older VNETs use classic mode

Question 11

what is VNET Peering

Answer 11

Peering allows two virtual networks to connect directly to each other.

Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet

Question 12

Why is VNET Peering useful?

Answer 12

Useful for setting up a quick connection to another VNET

Question 13

Does Peering use VPN encryptions ex. IPSec

Answer 13

No, this is L2 traffic so uses MACsec, frames have encryption

Question 14

How do you setup peering in azure gui

Answer 14

Go to VNET settings»Pick Peering setting»Add Peering»Set all options to Allow traffic between VNETS

Question 15

Site to Site VPN

Answer 15

: encrypted logical tunnel that routes traffic privately between two networks with tech such as IPSEC. With azure can use these to connect on-prem hosts to VMs on azure cloud

Question 16

Point to Site VPN

Answer 16

VPN connection that connects directly to remote GW

Question 17

Why use P2S VPN

Answer 17

Used for remote users that travel and need VPN connection directly to azure cloud OR for a few on-prem users who need direct connection

Question 18

what is VNET Gateway

Answer 18

Represents end-point remote firewall connects to

Question 19

what subnet does VNET Gateway use

Answer 19

Uses it’s own Gateway subnet with a Public IP. On-Prem FW connects to Public IP of this GW

Question 20

when is a Gateway Subnet created

Answer 20

Deployed when you create a VNET GW

Question 21

Local Network Gateway

Answer 21

GW deployed in Azure and represents on-prem FW

Question 22

how is Local Network Gateway used

Answer 22

VNET GW sees this and knows what is the remote peer to connect to. Builds a connection logically to local network GW which is on-prem FW. Specifies what the public IP it’s connecting to and the private subnets allowed to come in from the on-prem network

Question 23

what are the three Requirements for Azure to establish S2S

Answer 23

1. VNET GW
2. 2. Gateway Subnet
3. 3. Local Network Gateway

Question 24

WHAT are two key things for VNET GW config

Answer 24

a. Need to configure S2S(site to site)/ IPSEC Parameters (HAGLE acronym) on GW
i. Hashing algorithm
ii. Authentication method(Pre shared key)
iii. Group( Diffe-Heilmann group)
iv. Lifetime
v. Encryption algorithm
b. Remote Peer NOT configured on VNET GW

Question 25

What are the two example uses for Express Route

Answer 25

• Used for large companies
• Used for SLA’s that require extra security and speed

Question 26

Is ExpressRoute cheap?

Answer 26

No, * Expensive

Question 27

what is expressroute

Answer 27

Creates a direct connection to azure backbone infrastructure via an ISP with a dedicated circuit

Question 28

can you use Azure DNS to buy a domain name

Answer 28

NO

Question 29

what are the 5 benefits of azure DNS

Answer 29

• Reliability and performance
  -uses anycast networking
• Security
  -uses RBAC, resource locking
• Ease of Use
  -can sue automation ex. az cli
• Customizable virtual networks
  -supports private DNS domains
• Alias records

Question 30

what is AzureDNS and how does it affect VMs

Answer 30

Service for a VNET that allows you set what DNS servers exist for the VNET. Any VM deployed in the VNET now will get directed to those DNS servers