Networking in Azure Flashcards
What is an Azure Virtual Network?
You can create your own isolated network in Azure. By default it is not reachable from outside Azure or from other virtual networks, and you control the traffic flowing in and out of it.
What is a subnet and why would you need one?
You can separate public and private resources using subnets. E.g. in the example where a user accesses an app in the cloud:
User -> Load Balancer -> VM -> Database
The user should be able to reach the load balancer over the internet, and the LB distributes the requests/traffic, but the user should not be able to reach the VM or DB directly. Therefore put the LB in a public subnet and the VM and DB in a private subnet.
VMs in a VNet are given private IP addresses.
What is network peering?
Network peering connects two or more VNets in Azure so that they behave as one network.
What is a DDoS attack?
Someone sends a huge amount of traffic to your service to make it crash, slow it down, or ramp up your costs. Stands for Distributed Denial of Service attack.
What are the 2 DDoS offerings within Azure?
DDoS Basic: Identifies and blocks DDoS attacks by default for no cost.
DDoS Standard: Mitigates 60 different types of DDoS attack and provides analytics. Get a cost guarantee and
What is Azure Firewall and what are its key features?
A managed network security service that controls traffic into and out of your virtual network.
Stateful: Once a connection is permitted, the return traffic for that connection is allowed automatically.
Centralized config: Can control multiple VNets with one firewall.
What is a Network Security Group and how does it differ from Azure Firewall?
Azure Firewall sits outside your VNet, whereas an NSG sits inside the VNet, in front of your cloud resources. An NSG defines a number of inbound and outbound security rules based on IP address, protocol and source. E.g. restrict outbound traffic from VMs to the hosts that software downloads come from, or restrict DB access to the web servers only.
What is Azure Private Link and when is it needed?
Azure Private Link allows resources in your VNet to access PaaS services through private endpoints, i.e. not over the public internet. This means the data pulled from the DB does not flow through the internet.
What are Security Best Practices/Defence in Depth? (The layers of security)
Infra - Azure’s responsibility
Perimeter - DDoS and Firewall
Network - Inside the VNet
Compute - access to VMs
Applications - Use Azure Key Vault for keys or secrets
Data - encrypt at rest and in transit
What are Azure’s Zero Trust principles?
Verify explicitly using all available info: location, device, resource, time, identity
Least privilege access - users only get access to what they need, for the least amount of time
Assume breach - plan as if an attacker is already inside so you know which security layers you actually rely on
How might you set up a hybrid cloud connecting on-premises servers to a virtual network?
VPN and Azure ExpressRoute
VPN is an encrypted connection over the internet from on-premises to Azure.
ExpressRoute is private, dedicated connectivity that does not go over the internet.
What is Azure Arc and what is the use case?
Azure Arc is a centralised management solution for a hybrid cloud, e.g. when you have Kubernetes deployments in multiple clouds and on-premises.