Virtual Networking Flashcards
Describe an Azure Virtual Network (VNet) - 4 ways to explain what it is.
Four ways to explain an Azure VNet
- It is a representation of your own network in the cloud.
- It is a logical isolation of the Azure cloud dedicated to your subscription.
- You can use them to provision and manage virtual private networks (VPNs).
- Each has its own CIDR block and can be linked to other VNets and on-prem networks if the CIDR blocks do not overlap.
Azure VNet Use Cases (3)
- Create a dedicated private cloud-only VNet
- VMs and services inside the VNet can communicate securely with each other in the cloud, and you can still configure endpoint connections for the VMs and services that require internet communication.
- Securely extend your data center with VNets
- Use site-to-site (S2S) VPNs through a VPN Gateway to securely scale datacenter capacity.
- Enable hybrid cloud scenarios
- Securely connect cloud apps to on-premises systems
Azure VNet Best Practice
Best practice:
- Use an address space that is not already in use in your organization, either on-prem or the cloud (you may later decide to connect an on-prem site)
- Make sure the VNet and its subnets are big enough for the use case
Define Azure Subnets
The parallel of a subnet in a physical network.
- Segmentation of a VNet into one or more subnets.
- Provide logical divisions within your network
- Can help:
  - Improve security within a network
  - Increase performance
  - Improve network management
Address space uses Classless Inter-Domain Routing (CIDR) notation.
Azure Subnets Considerations
- Service requirements
  - For routing, allowed traffic, address space, dedicated subnets, on-prem connections (gateways), etc.
- Network virtual appliances (NVAs)
  - These are middleman VMs that manage traffic flow:
- https://azure.microsoft.com/en-us/solutions/network-appliances/
- https://aviatrix.com/learn-center/cloud-security/azure-network-virtual-appliance/
  - Demilitarized Zone (DMZ) - deploys NVAs to implement security functionality such as firewalls and packet inspection
  - If you require traffic between resources in the same VNet to flow through an NVA, deploy it
- Service endpoints
- Network security groups
  - Associate zero or one NSG to each subnet in a VNet. You can associate the same, or a different, NSG to each subnet.
What are the Five IPs reserved by Azure?
Restrictions on IP addresses within subnets:
- X.X.X.0 - Network address (ID)
- X.X.X.1 - Reserved by Azure for the default gateway
- X.X.X.2, X.X.X.3 - Reserved by Azure to map the Azure DNS IPs to the VNet space
- X.X.X.255 - Network broadcast address
IP Addressing Types? (2)
- Public IP addresses - for communication with the Internet, including Azure public-facing services.
- Private IP addresses - for communication within an Azure VNet and with your on-prem network when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure. Can be associated with: VM NICs, load balancers, and application gateways
IP Assignment Types? (2)
Assignment Types are Static and Dynamic
Static IPs
- Do not change
- Assigned when a public IP address is created.
- Not released until a public IP address resource is deleted.
- Only available on certain SKUs (see below)
Best for:
- DNS name resolution, where a change in the IP address would require updating host records
- IP address-based security models that require apps or services to have static IPs
- TLS/SSL certificates linked to an IP address
- Firewall rules that allow or deny traffic using IP address ranges
- Role-based VMs such as Domain Controllers and DNS servers
Dynamic IPs
- Assigned only after a public IP address is associated to an Azure resource
- Can change when the VM is deallocated and restarted.
IP Address SKUs (2)
When you create a public IP address you select a SKU, which affects the IP assignment method, security, available resources, and redundancy.
Define a Network Security Group (NSG)
Helps you prevent unwanted or insecure network traffic from reaching key systems by limiting network traffic to resources in a VNet.
How: contains a list of security rules that allow or deny inbound or outbound network traffic
Scope: at the subnet or network interface level
Subnet
- Create protected subnets (also called a DMZ)
- Can have zero, or one, associated NSG.
Network interfaces
- Each NIC that exists in a subnet can have zero, or one, associated NSG.
- NSG rules control all traffic that flows through the NIC
Network Security Group Rules
NSG Rules
- Inbound rules
- Outbound rules
- Parameters you can specify:
  - Name
  - Priority
  - Port
  - Protocol
  - Source
  - Destination
  - Action
NSG Notes
- Rules are evaluated independently
What is Azure Firewall?
It’s a fully stateful Firewall-as-a-Service with built-in high availability and unrestricted cloud scalability. Centrally create, enforce, and log application and network connectivity policies across subscriptions and VNets.
- Uses a static public IP address for your VNet resources
- Fully integrated with Azure Monitor for logging and analytics
Features
- Built-in high availability
- Availability Zones - span multiple zones
- Unrestricted cloud scalability
- Application FQDN filtering rules
- Network traffic filtering rules
- Threat intelligence
- Multiple public IP addresses
Describe a Hub-Spoke Network Topology
It is recommended to use a hub-spoke network topology when deploying a firewall.
- Hub - a VNet in Azure that acts as a central point of connectivity to your on-premises network
- Spokes - VNets that peer with the hub, and can be used to isolate workloads.
- Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.
Benefits of Hub-Spoke Topology
Benefits of topology:
- Cost savings by centralizing services that can be shared by multiple workloads, e.g., NVAs and DNS servers
- Overcome subscription limits by peering VNets from different subscriptions
- Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps)
Use Cases of topology:
- Workloads in different environments that require shared services
  - E.g., development and testing environments that require DNS. Shared services are placed in the hub VNet. Each environment is deployed to a spoke to maintain isolation.
- Workloads that don’t require connectivity to each other, but require access to shared services.
- Central control - e.g., firewalls in the hub and workloads in the spokes.
Azure Firewall Rules (2 types)
NAT Rules vs Network Rules
NAT Rules
Destination Network Address Translation (DNAT) - used to translate and filter inbound traffic - translates your firewall's public IP and port to a private IP and port.
Scenarios: publishing SSH, RDP, or non-HTTP/S apps to the internet
Configuration settings: name, protocol, source address, destination address, destination ports, translated address, translated port.
Network Rules
Non-HTTP/S traffic allowed to flow through the firewall must have a network rule.
Scenario: e.g., if resources in one subnet must communicate with resources in another subnet.
Configuration settings: name, protocol, source address, destination addresses, destination port.
Rule Processing
Order of packet inspection:
- Network Rules
- Application Rules (network and applications)
Note: once a rule is found that allows the traffic through, no more rules are checked.