Networking Flashcards
Azure virtual networking
- Virtual networks and subnets enable Azure resources to communicate with each other, with users over the internet, and with on-prem client computers
- Azure Public endpoints have a public IP address and can be accessed from anywhere in the world
- Azure Private endpoints exist within a virtual network and have a private IP from within the address space of that virtual network
Isolation and segmentation
- When setting up a virtual network, the customer defines a private IP address space by using either public or private IP address ranges. The IP exists only within the virtual network and isn’t internet routable.
- The IP address space can be divided into subnets, and part of the address space can be allocated to each subnet
Internet communications
Customers can enable incoming connections from the internet by assigning a public IP address to an Azure resource, or putting the resource behind a public load balancer.
Communicate between Azure resources
Can be done in two ways:
1. Virtual networks can connect VMs and other Azure resources to each other
2. Service endpoints can connect to other Azure resource types, such as databases
Communicate with on-prem resources
Create a network that spans both a local and cloud environment, via:
1. Point-to-site virtual private network from a computer outside the organisation back into the corporate network
2. Site-to-site virtual private networks link an on-prem VPN device/gateway to the Azure VPN gateway in a virtual network
3. Azure ExpressRoute provides dedicated private connectivity to Azure that doesn’t travel over the internet.
Route network traffic
- Azure routes traffic between subnets on any connected virtual networks, on-prem networks and the internet.
- Routing can also be controlled as follows:
- Route tables allow customers to define rules about how traffic should be directed
- Border Gateway Protocol (BGP) propagates on-prem BGP routes to Azure virtual networks
Filter network traffic
Azure virtual networks allow for filtering of traffic between subnets by:
1. Using Network security groups that contain inbound and outbound security rules (e.g. block traffic based on IP address, port, protocol)
2. Network virtual appliances are specialised VMs that carry out a particular network function, such as running a firewall.
Connect virtual networks
- Virtual networks can be linked together by using virtual network peering, allowing two networks to connect directly to each other.
- Network traffic between two peered networks is private, travelling on the Microsoft backbone network, never entering the public internet
What is a VPN?
- Uses an encrypted tunnel within another network
- Typically deployed to connect two or more trusted networks to one another over an untrusted network (public internet)
- Traffic is encrypted while travelling over the untrusted network
- VPNs enable networks to safely and securely share sensitive information
VPN Gateways
- Are deployed in a dedicated subnet of the virtual network and enable:
- On-prem datacenter connection to virtual networks via site-to-site connection
- Individual device connection to virtual networks through point-to-point connection
- Virtual network to virtual network connection via network-to-network connection
Types of VPN Gateways
How the gateway determines which traffic needs encryption:
- Policy-based: statically specify the IP addresses of packets that should be encrypted through each tunnel.
- Route-based: IPsec tunnels are modelled as a network interface or virtual tunnel interface. IP routing decides which tunnel interface to use when sending each packet.
Route-based VPN gateways are used for:
1. Connections between virtual networks
2. Point-to-site connections
3. Multisite connections
4. Coexistence with Azure ExpressRoute gateway
How to maximise the resiliency/availability of a VPN gateway (4 ways)
- Active/standby: (default) when planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections.
- Active/active: assign a unique public IP address to each instance. Then create tunnels from the on-prem device to each IP address.
- ExpressRoute failover: have resiliency built in (but aren’t immune to physical problems affecting the cables for example)
- Zone-redundant gateways: deploy gateways in Azure availability zones, physically and logically separating gateways within a region while protecting on-prem network connectivity to Azure from zone-level failures.
Azure ExpressRoute
- Lets customers extend their on-prem networks into the Microsoft cloud over a private connection (ExpressRoute Circuit)
- Establish connections to Microsoft cloud services, such as Azure and Microsoft 365
- Connections don’t go over the public internet
- Can be used to exchange data across on-prem sites in different global locations
- Dynamic routing
- Built-in redundancy, ensuring connections are highly available
ExpressRoute connectivity models
- Colocation at a cloud exchange: customer’s facility is physically colocated at a cloud exchange
- Point-to-point ethernet: direct connection between facility and Microsoft cloud
- Any-to-any networks: customer integrates their wide area network (WAN) with Azure by providing connections to offices and datacenters.
- Directly from ExpressRoute sites: connect directly at a peering location distributed around the world
Azure DNS
- A hosting service for DNS domains that provides name resolution by using Azure infrastructure.
- DNS domains are highly available and resilient; using anycast networking, the closest available DNS server answers each DNS query
- Based on Azure Resource Manager, so uses RBAC for controlling access, includes activity logs for monitoring access, and resource locking to prevent accidental deletion
- Allows for private DNS domains within customer private networks
- Can use alias record sets to refer to Azure resources