Networking: Routing and Service Endpoints Flashcards
System routes
Azure uses system routes to direct network traffic between virtual machines, on-premises networks, and the Internet. System routes are created automatically, cannot be created or deleted directly (only overridden by user-defined routes), and by default handle:
- Traffic between VMs in the same subnet.
- Traffic between VMs in different subnets in the same virtual network.
- Traffic from VMs to the Internet.
User-Defined Routes
UDRs control network traffic by defining routes that specify the next hop for a destination address prefix; a UDR with the same or a more specific prefix overrides the matching system route. The next hop can be a virtual network gateway, the virtual network, the Internet, a virtual appliance (identified by its private IP address), or None, which drops the traffic.
UDRs : Create a routing Table
You provide Name, Subscription, Resource group, and Location (the route table must be in the same region as the virtual network it will serve). You also choose whether to propagate gateway routes: when enabled, routes learned by the virtual network gateway (BGP and on-premises routes) are automatically added to this route table for every subnet it is associated with. When you force-tunnel through a virtual appliance, disable propagation so those learned routes cannot bypass the appliance.
UDRs : To Create a custom route specify…
Specify Route name, Address prefix (the destination CIDR), Next hop type and, for a virtual appliance, the Next hop IP address.
UDR: Associate the Route Table
Finally, associate the route table with a subnet. Each subnet can have zero or one route table associated with it, while one route table can be associated with many subnets.
On the subnet you specify: name, address range, NAT gateway, network security group (NSG) and route table.
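The three UDR steps above (create the table, add a custom route, associate it with a subnet) carried out with Az PowerShell, followed by the check a practitioner would run afterwards. This is an added example, not content from the flashcards; the resource group, VNet, subnet, NIC name and the appliance IP 10.0.1.4 are assumptions, and it presumes an authenticated Az session with the Az.Network module.

```powershell
# Added example (not from the flashcards): a forced-tunnel UDR via Az PowerShell.
# All names, IPs and prefixes below are assumptions for illustration.
$rg       = "rg-net"
$location = "eastus"
$vnetName = "vnet-app"
$subnet   = "snet-app"
$nvaIp    = "10.0.1.4"      # private IP of the firewall/NVA in its own subnet

# 1. Custom route: anything not matched by a more specific route (Internet-bound
#    traffic) goes to the NVA instead of Azure's default Internet next hop.
$toNva = New-AzRouteConfig -Name "default-to-nva" `
    -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $nvaIp

# Second route: black-hole a prefix that must never be reachable from this subnet.
$blackhole = New-AzRouteConfig -Name "drop-legacy-range" `
    -AddressPrefix "192.0.2.0/24" `
    -NextHopType None

# 2. Route table in the same region as the VNet. Disabling gateway route
#    propagation keeps BGP/on-premises routes learned by the VPN/ExpressRoute
#    gateway out of this table, so on-prem-bound traffic cannot bypass the NVA.
$rt = New-AzRouteTable -Name "rt-app" -ResourceGroupName $rg -Location $location `
    -Route $toNva, $blackhole -DisableBgpRoutePropagation

# 3. Associate with the subnet (a subnet holds at most one route table).
#    Set-AzVirtualNetworkSubnetConfig rewrites the subnet config, so re-supply
#    any NSG or service endpoints the subnet already has.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $snet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify on a NIC in that subnet: 0.0.0.0/0 should now show Source=User,
#    NextHopType=VirtualAppliance, and the system Internet route as State=Invalid.
Get-AzEffectiveRouteTable -NetworkInterfaceName "nic-app-vm1" -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress |
    Format-Table -AutoSize
```

The effective-route check is the part worth keeping in a runbook: it shows what the NIC actually uses after system routes, UDRs and propagated gateway routes are combined, which is the only reliable way to confirm a forced-tunnel route took effect.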
VNet service endpoint
provides the identity of your virtual network to the Azure service.
Azure service traffic from a virtual network normally uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use the virtual network's private addresses as the source IP addresses, so the service can tell which VNet and subnet a request came from.
Why use a VNET service endpoint? Improved security for your Azure service resources.
VNet private address spaces can overlap between customers, so a private address alone cannot uniquely identify traffic originating from your VNet; virtual network rules therefore reference the subnet by its Azure resource ID rather than by IP range.
When service endpoints are enabled in your virtual network, you secure Azure service resources to your virtual network by adding a virtual network rule on the resource's firewall. The rule removes public Internet access and allows traffic only from the listed subnets, but only once the resource's default action is set to Deny; a virtual network rule added while the default action is still Allow restricts nothing. The resource is still reached on its public endpoint, and the rule complements, rather than replaces, authentication and authorization.
Why use a VNET service endpoint? Optimal routing
Any route in your virtual network that forces Internet traffic to your premises and/or virtual appliances (forced tunneling) also forces Azure service traffic onto the same path, because the service's public IP ranges fall under the 0.0.0.0/0 route. Enabling a service endpoint adds a system route for the service's address prefixes with next hop type VirtualNetworkServiceEndpoint; that route takes precedence over UDR and BGP routes for those prefixes, so service traffic goes straight to the service while other Internet-bound traffic still follows the forced-tunnel route.
Why use a VNET service endpoint? Microsoft backbone network
Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network.
Keeping service traffic on the Azure backbone lets you continue auditing and monitoring outbound Internet traffic from your virtual networks through forced tunneling without affecting service traffic. The flip side is that service traffic bypasses the tunnel, so the virtual appliance no longer sees it; control it instead with the service's own virtual network rules and with NSG outbound rules using the service's service tag.
Service Endpoint Services: Azure Storage
Generally available in all Azure regions. This endpoint gives traffic an optimal route to the Azure Storage service. Each storage account supports up to 100 virtual network rules.
Service Endpoint Services: Azure SQL Database and Azure SQL Data Warehouse.
Generally available in all Azure regions. A firewall feature that controls whether the logical server for your single databases and elastic pools in Azure SQL Database, or for your databases in SQL Data Warehouse, accepts connections from particular subnets in virtual networks. The endpoint is regional: the referenced subnets must be in the same region as the server.
Service Endpoint Services: Azure Cosmos DB.
Generally available in all Azure regions. You can configure the Azure Cosmos DB account to allow access only from specific subnets of a virtual network (VNet).
By enabling the Microsoft.AzureCosmosDB service endpoint on a subnet within a virtual network, traffic from that subnet reaches Azure Cosmos DB carrying the identity of the subnet and virtual network.
Once the service endpoint is enabled, you limit access by adding that subnet as a virtual network rule on the Azure Cosmos DB account.
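The service-endpoint workflow described in the "Improved security" card and in the Storage, SQL and Cosmos DB cards above, as one Az PowerShell script: enable the endpoints on the subnet, then lock each resource to that subnet. This is an added example, not content from the flashcards; the resource group, VNet, subnet and resource names are assumptions, and it presumes an authenticated Az session with the Az.Network, Az.Storage, Az.Sql and Az.CosmosDB modules.

```powershell
# Added example (not from the flashcards): lock Storage, SQL and Cosmos DB to one subnet.
# Resource names and the subnet below are assumptions for illustration.
$rg        = "rg-app"
$vnetName  = "vnet-app"
$subnet    = "snet-app"
$stName    = "stappdata001"
$sqlServer = "sql-app-prod"     # must be in the same region as the subnet
$cosmos    = "cosmos-app-prod"

# 1. Enable the service endpoints on the subnet. Traffic from this subnet to these
#    services now carries the subnet's identity (private source IP + subnet resource ID).
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $snet.AddressPrefix `
    -ServiceEndpoint "Microsoft.Storage", "Microsoft.Sql", "Microsoft.AzureCosmosDB" | Out-Null
$vnet     = $vnet | Set-AzVirtualNetwork
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnet).Id

# 2. Storage: a virtual network rule restricts nothing until DefaultAction is Deny,
#    so set Deny first, then allow the subnet. -Bypass AzureServices keeps trusted
#    platform services (e.g. diagnostics) working; drop it if policy requires.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stName `
    -VirtualNetworkResourceId $subnetId | Out-Null

# 3. Azure SQL: virtual network rule on the logical server. Server-level IP firewall
#    rules still apply, so also remove the broad "Allow Azure services" rule
#    (named AllowAllWindowsAzureIps, covering 0.0.0.0-0.0.0.0) if present.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName "allow-$subnet" -VirtualNetworkSubnetId $subnetId | Out-Null
Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
    -FirewallRuleName "AllowAllWindowsAzureIps" -ErrorAction SilentlyContinue

# 4. Cosmos DB: turn on VNet filtering and allow only this subnet.
Update-AzCosmosDBAccount -ResourceGroupName $rg -Name $cosmos `
    -EnableVirtualNetwork $true -VirtualNetworkRule $subnetId | Out-Null

# 5. Audit: storage accounts in the subscription that have VNet rules but still
#    DefaultAction=Allow, i.e. the rules are cosmetic and public access is open.
Get-AzStorageAccount | ForEach-Object {
    $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $_.ResourceGroupName `
                                               -Name $_.StorageAccountName
    if ($rules.DefaultAction -eq "Allow" -and $rules.VirtualNetworkRules.Count -gt 0) {
        "{0}: {1} VNet rule(s) but DefaultAction=Allow (public access still open)" -f `
            $_.StorageAccountName, $rules.VirtualNetworkRules.Count
    }
}
```

Order matters in step 2: flipping the default action to Deny before the rule exists briefly blocks the subnet, while adding the rule first and never flipping the default is the common misconfiguration the audit loop in step 5 looks for. Step 1 rewrites the subnet configuration, so if the subnet already has an NSG or route table, pass them again on the Set-AzVirtualNetworkSubnetConfig call.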