Module 2bb - Exploring Azure Core Products - Networking, VPN Gateways General Knowledge Flashcards
What are Dynamic Routing Protocols?
Both Routing Tables and Forwarding Tables direct traffic to different IPSec tunnels
Since the source/destination networks aren’t stored statically (as in Static Routing), data packets are encrypted based on Routing Tables that are created dynamically using routing protocols (like Border Gateway Protocol (BGP)).
What is a VPN used for?
Used to connect two or more trusted networks over an untrusted network (typically the Public Internet). Traffic is sent through an encrypted tunnel across that untrusted network to prevent eavesdropping or other attacks.
Hint: ExpressRoute isn’t one of them
High Level: What connectivity capabilities do Azure VPN Gateways provide?
They enable the following:
- SITE-TO-SITE connection - Connect On-Prem datacenters to AVNs
- POINT-TO-SITE connection - Connect individual devices to AVNs
- NETWORK-TO-NETWORK connection - Connect VNets to other VNets
*Know this for the exam!
You can deploy multiple VPN Gateways in an AVN to manage different types of traffic (egress/ingress, etc.) (T/F)?
False. You can only deploy ONE VPN Gateway in a VNet
You can use ONE Gateway to connect multiple locations, which could be other VNets or On-Prem datacenters
What do the two VPN Gateway deployment types (Route-Based and Policy-Based) have in common wrt Encryption?
- Both use a pre-shared key as the only method of authentication
- Both use IKE (Internet Key Exchange) version 1 or version 2 and IPSec (Internet Protocol Security)
How do VPN Gateway Deployment Types use IKE and IPSec?
IKE is used to set up a security association (an agreement on the encryption to use) between two endpoints (both endpoints have to agree on the encryption used)
The association is then passed to IPSec for encryption/decryption of the packets encapsulated in the VPN tunnel (which then uses the agreed-upon encryption)
What are Policy-Based VPN Gateways?
Policy-based Gateways statically map IP Addresses to tunnels. They evaluate every data packet’s IP Address, choose which tunnel to send it through, and encrypt it
What are Route-Based VPN Gateways and what mechanism decides how to route?
Gateways where IPSec tunnels are modeled as either a Network Interface or a Virtual Tunnel Interface.
IP Routing decides which to use when sending the packet
Wrt Policy-Based VPN Gateways, Static Routing doesn’t require you to specify the source and destination networks in Routing Tables. (T/F)?
Where are Static Routing details defined?
True.
Static Routing uses combinations of address prefixes from both source and destination networks to control the encryption & decryption of traffic through the tunnel.
Both source and destination are declared IN THE POLICY of a Policy-Based VPN Deployment, ergo there is no need to store that info in a Routing Table
Hint: 4 preference scenarios
In what situations should you prefer Route-Based VPN Gateways?
- AVN-to-AVN connections
- Point-to-Site connections (i.e. Device to Network VPN connections)
- Multisite connections
- Coexistence with Azure ExpressRoute
When deploying a VPN Gateway, you can create multiple Connections (T/F)?
True. Connections are between the VPN Gateway and the Local Network Gateway
What two (2) things are required for connecting On-Prem devices to a VPN Gateway?
- Configuring your VPN Gateway to be Policy-based or Route-based (Static or Dynamic respectively)
- A public IPv4 Address
How does Active/Standby ensure High-Availability for VPN Gateways?
Connections are failed over to the standby instance without user intervention
What are the recovery times for VPN Gateway failovers, for Planned and Unplanned interruptions?
Interrupted connections are restored:
- Within seconds during PLANNED maintenance
- Within 90 seconds for UNPLANNED disruptions
How does Active/Active ensure High-Availability for VPN Gateways?
TWO (2) gateway instances, each with its own Public IP Address, establish IKE/IPSec S2S tunnels to your On-Prem network and/or devices. BGP Routing is used over the separate tunnels to each IP Address.