Virtual Networking

Question 1

Describe an Azure Virtual Networks (VNets) - 4 ways to explain what it is.

Answer 1

Four ways to explain an Azure VNet

• Is a representation of your own network in the cloud.
• It is a logical isolation of the Azure cloud dedicated to your subscription.
• You can use them to provision and manage virtual private networks (VPNs)
• Each has its own CIDR block and can be linked to other VNets and on-prem networks if the CIDR blocks do not overlap.

Question 2

Azure VNet Use Cases (3)

Answer 2

• Create a dedicated private cloud-only VNet
  
  • VMs can dedicate securely in the cloud and still configure endpoint connections for the VMs and services that require internet communication.
• Securely extend your data center with VNETS
  
  • S2S VPNs to securely scale datacenter capacity. VPN Gateway
• Enable hybrid cloud scenarios
  
  • Securely connect cloud apps to on-premises systems

Question 3

Azure VNet Best Practice

Answer 3

Best practice:

• Use an address space that is not already in use in your organization, either on-prem or the cloud (you may later decide to connect an on-prem site)
• Make sure VNet and Subnet is big enough for use case

Question 4

Define Azure Subnets

Answer 4

The parallel of a subnet in a physical network.

• Segmentation of VNet into one or more subnets.
• Provide logical divisions within your network
• Can help
  
  • Improve security within a network
  • Increase performance
  • Improve network management

Address space uses Classless Inter-Domain Routing (CIDR) notation

Question 5

Azure Subnets Considerations

Answer 5

• Service requirements
  
  • For routing, allowed traffic, addresses space, dedicated subnets, on-prem connections (gateways), etc.
• Virtual appliances (NVA)
  
  • These are middleman VMs that manage traffic flow:
    
    • https://azure.microsoft.com/en-us/solutions/network-appliances/
    • https://aviatrix.com/learn-center/cloud-security/azure-network-virtual-appliance/
    • Demilitarized Zone (DMZ) - deploys NVAs to implement security functionality such as firewalls and packet inspection
  • If requiring for traffic b/w resources in the same VNet flow through a NVA, deploy it
• Service endpoints
• Network security groups
  
  • Associate zero or one NSG to each subnet in a VM. You can associate the same or different, NSG to each subnet

Question 6

What are the Five IPs reserved by Azure?

Answer 6

• Restrictions on IP addresses within subnets.
  
  • X.X.X.0 - Network address (ID)
  • X.X.X.1 - Reserved by Azure for the default gateway
  • X.X.X.2, X.X.X.3 - Reserved by Azure to map the Azure DNS IPs to the VNet space
  • X.X.X.255 - Network broadcast address

Question 7

IP Addressing Types? (2)

Answer 7

• Public IP addresses - for communication with the Internet, including Azure public-facing services.

• Private IP addressing - for communication within an Azure VNet, and your on-prem network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure. Can be associated with: VM NICs, load balancers, and application gateways

Question 8

IP Assignment Types? (2)

Answer 8

Assignment Types are Static and Dynamic

Static IPs

• Do not change
• Assigned when a public IP address is created.
• Not released until a public IP address resource is deleted.
• Only available on certain SKUs (see below)

Best for:

• DNS name resolution, where a change in the IP address would require updating host records
• IP address-based security models that require apps or services to have static IPs
• TSL/SSL certificates linked to an IP address
• Firewall rules that allow or deny traffic using IP address ranges
• Role-based VMs such as Domain Controllers and DNS servers

Dynamic IPs

• Assigned only after a public address is associated to an Azure resource
• These can change when VM deallocation and restart occurs.

Question 9

IP Address SKUs (2)

Answer 9

When you create a public IP address you are given a SKU, which affects the IP assignment method, security, available resources, and redundancy

Question 10

Define a Network Security Group (NSG)

Answer 10

Helps you prevent unwanted or unsecure network traffic from being able to reach key systems by limiting network traffic to resources in a VNet.

How: contains a list of security tiles that allow or deny inbound or outbound network trafic

Scope: at the Subnet or Network Interface level

• Subnet
  
  • Create protected subnets (also called a DMZ)
  • Can have zero, or one, associated NSG.
• Network Interfaces
  
  • NGS rules control all traffic that flows through the NIC
    
    • Each NIC that exists in a subnet can have zero, or one, associated NSG.

Question 11

Network Security Group Rules

Answer 11

NSG Rules

• Inbound rules
• Outbound rules
• Parameters you can specify:
  
  • Name
  • Priority
  • Port
  • Protocol
  • Source
  • Destination
  • Action

NSG Notes

• Rules are evaluated independently

Question 12

What is Azure Firewall?

Answer 12

It’s a fully stateful Firewall-as-a-Service with built-in high availability and unrestricted cloud scalability. Centrally create, enforce, and log app and net connectivity policies across subscriptions and VNets.

• Uses a static public IP address for your VNet resources
• Fully integrated with Azure Monitor for logging and analytics

Features

• Built-in high availability
• Availability Zones - span multiple zones
• Unrestricted cloud scalability
• Application FQDN filtering rules
• Network traffic filtering rules
• Threat intelligence
• Multiple public IP addresses

Question 13

Describe a Hub-Spoke Network Topology

Answer 13

Recommended to use a hub-spoke network topology when deploying a firewall

• Hub - a VNet in Azure that acts as a central point of connectivity to your on-premises network
• Spokes - VNets that peer with the hub, and can be used to isolate workloads.
• Traffic flows b/w the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.

Question 14

Benefits of Hub-Spoke Topology

Answer 14

Benefits of topology:

• Cost savings by centralizing services that can be shared by multiple workloads, e.g., NVAs and DNS servers
• Overcome subscription limits by peering VNets from different subscriptions
• Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps)

Use Cases of topology:

• Workloads in different environment that require shared services
  
  • E.g., development and testing environments that require DNS. Shared services are placed in the hub VNet. Each env is deployed to a spoke to maintain isolation.
• Workloads that don’t require connectivity to each other, but require access to shared services.

Central control - e.g., firewalls in the hub and workloads in the spoke.

Question 15

Azure Firewall Rules (2 types)

Answer 15

NAT Rules vs Network Rules

NAT Rules

Destination Network Address Translation (DNAT) - to translate and filter inbound - translates your firewall public IP and port to a private IP and port.

Scenarios: publishing SSH, RDP, or non-HTTP/s apps to the internet

Configuration settings: name, protocol, src addr, dest addr, dest ports, translated address, translated port.

Network Rules

Non-HTTP/S traffic allowed to flow through the firewall must have a network rule.

Scenario: E.g., if resources in one subnet must communicate with resources in another subnet.

Configuration settings: name, protocol, src address, dest addresses, destination port.

Rule Processing

Order of packet inspection:

• Network Rules
• Application Rules (network and applications)

Note: once a rile is found that allows the traffic through, no more rules are checked

Question 16

What is Azure DNS?

Answer 16

Enables you to host your DNS records for your domains on Azure Infrastructure. You can use the same credentials, APIs, tools, and billing as your other Azure services.

Initial domain name: an Azure AD domain is automatically created, e.g., domainname.onmicrosoft.com.

Custom domain name: simplifies the user sign-on experience.

Question 17

Benefits of Azure DNS

Answer 17

Benefits:

• Removes the need for custom DNS solutions
• Use all common DNS records types - A, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT.
• Automatic hostname record management
• Hostname resolution between VNets
• Hostname resolution between virtual networks
• Familiar tools and user experience - uses portal, REST APIs, CLI, PS.
• Split-horizon DNS support
  
  • Available in all Azure regions

Question 18

What are Azure DNS Zones?

Answer 18

Azure DNS Zones

Service to manage and resolve domain names in VNets without needing to add a custom DNS solution.

A DNS Zone hosts the DNS records for a domain

• To start hosting your domain, you need to create a DNS zone for that domain name.
• Each record for your domain is then created inside this zone.

Considerations:

• Zone name must be unique within RG and zone must not exist already
• Same zone name can be reused in a different RG or diff Azure subscription
• For zones with same name, each instance is assigned diff name server addresses
• Root/parent domain is registered at the registrar and pointed to Azure NS (???)
• Child domains are registered in Azure DNS directly

Note: you do not have to own a domain name to create a DNS zone with that domain name in Azure DNS, but you need to own the domain to configure the domain.