Virtual Networking Flashcards
What type of DNS record should you create to ensure Azure can verify the domain name?
MX
TXT
What does a NS record do?
Tells recursive name servers which name servers are authoritative for a zone
If you have a registered DNS domain and then create a public Azure DNS zone with the same name, how do you ensure the records created in the zone are resolvable?
Modify the NS records in the DNS domain registrar so they point to your Azure DNS NS records
What is the benefit of having multiple NS records?
Redundancy of your DNS service
How would you create Azure AD DNS records in a custom domain for a domain you already registered?
- Add the custom domain name to your directory
- Add a DNS entry for the domain name at the registrar
- Verify the custom domain name
Which IP addresses are reserved by Azure in each subnet?
.0 network address
.1 gateway address
.2 and .3 DNS
.255 broadcast
Whats the smallest possible subnet in Azure? (CIDR)
/29
3 possible addresses (8 addresses, but 5 are reserved)
What networking solution provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope?
Azure Internal Load Balancer (ILB)
What networking tool provides SQL injection protection?
Azure Web Application Firewall (WAF)
What protection does an application gateway with Azure Web Application Firewall (WAF) provide?
Centralized protection of your web apps from common exploits and vulnerabilities; like SQL injections and cross-site scripting
What is a virtual hub?
- A Microsoft-manged VNET
- The hub contains various service endpoints to enable connectivity; the core of your network in a region
What do Azure Private DNS zones do?
Provide name resolution within a virtual network and between virtual networks
What is Azure Log Analytics workspace?
A unique Log Analytics environment with its own data repository, data sources, and solutions
What do NSG flow logs allow you to view?
Information about ingress and egress IP traffic through a NSG
What additional capabilities does a Standard load balancer offer over a Basic load balancer?
- Supports diagnostics
- Global VNet Peering support
- Compatible with Availability Zones
- Supports HA ports
What might prevent you from being able to peer two VNets?
Address spaces overlapping
What does a backend pool define?
- Critical component of the load balancer
- The group of resources that will serve traffic for a given load-balancing rule
What is a floating IP?
- Enables traffic to bypass the load balancer and go directly to the backend servers
- Enables multiple applications in the backend pool to use the same port
Why might you use a floating IP?
- If you want to reuse the backend port across multiple rules
- Clustering for high availability
What should you do if you make changes to the topology of your network and have Windows VPN clients?
The VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied
What does enabling auto registration on an azure DNS private zone do?
Makes it so when you link a VNet with a private DNS zone, a DNS record gets created for each VM deployed in the VNet
What are some restrictions Azure has in place for auto registration?
- Only works for VMs
- Only can be used by private Azure DNS zones
- Only created for one NIC, and NIC needs to be using DHCP
What subnets can you assign a NSG to?
A subnet in the same region of the NSG
How would you add or delete address ranges from a VNet’s address space if the VNet is already peered?
Remove peering
Make changes
Recreate peering
Now (2022) you can make changes and sync the networks after changes are complete
Are you able to move a NIC across RGs?
Yes, but the location will not change
How would you enable a webapp to access the resources in a VNet?
Connect the webapp to the VNet using webapp VNet integration
What does enabling session persistence do?
Maps a client’s session to a specific server
What is the default port for RDP?
TCP port 3389
With what tool does Azure DNS support importing and exporting zone files?
Azure CLI
What does an inbound NAT rule do?
Forwards incoming traffic to a specific VM
What does a load balancer rule do?
Forward traffic to a backend pool
What can a basic load balancer balance traffic between?
Backend pool endpoints for VMs in a single availability set or VMSS
What type of DNS zones can you link VNets to?
Private zones only
What steps are necessary for connecting your on-premises network to Azure using a site-to-site VPN?
- Create a VNet
- Create a gateway subnet
- Create a VPN gateway
- Create a local gateway
- Create a VPN connection
Can you connect VNets in different regions from different subscriptions?
Yes, by using a VNet-to-VNet connection
What does a Point-to-Site (P2S) VPN gateway connection do?
Lets you create a secure connection to your VNet from an individual client computer
Useful when you have only a few clients that need to connect to a VNet
What does each client computer need to connect to a VNet using a Point-to-Site connection?
- A client certificate installed
- You can generate one from the self-signed root certificate, then export and install it
What are service endpoints used for?
Enabling private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet
What is an Application Security Group (ASG)?
A logical collection of VMs (NICs)
How do you use ASGs?
- Application Security Group
- You join VMs (NICs) to the ASG, then use the ASG as a source or destination in the NSG rules
What is needed to set up a site-to-site VPN?
- Local gateway
- Gateway subnet
- VPN gateway
- A connection to connect the local gateway and VPN gateway
What do public load balancers do?
- Load balance Internet traffic to your VMs
- Load balancer and the public IP address SKU must match when you use them with public IP addresses
What must we have before creating a NIC?
A VNet
What is IP flow verify used for?
- Used when a VM becomes unable to communicate with another resource because of a security rule
- Tests the communication, informs if the connection succeeds or fails, and tells you which rule causes the communication failure
What feature of Azure Network Watcher would you use to validate connectivity from a VM to an external host?
Connection troubleshoot
If you have two configured DNS servers, NIC and VNET, which takes precedence?
NIC configured DNS servers
What can Connection Monitor tell you?
- Latency over time
- Round-trip time to make the connection
- Inspects traffic over a specific port
What are the pre-requisites of VMs/VMSSs for load balancers with a standard SKU?
VMs must be connected to the same virtual network
What Azure networking component is redundant by default?
Azure VPN gateways have two instances for redundancy
What is the default DNS suffix for Azure provisioned DNS if no specific DNS is configured in the network?
internal.cloudapp.net
What is an Azure Load Balancer health probe?
- A feature that detects the health status of your application instances, helping you detect application failures, manage load, and plan for downtime
- Sends a request to the instances to check if they are available and responding to requests
- Can be configured to use different protocols, like TCP, HTTP, or HTTPS
What type of VPN is required for a P2S connection?
A Route-based VPN type
How do Policy-based VPNs handle traffic?
- Uses the combination of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels
- Only available with Basic SKU
- Does not support P2S connectivity
How do Route-based VPNs handle traffic?
- Uses any-to-any (wildcard) traffic selectors
- Lets routing tables direct traffic to different IPsec tunnels
How can virtual networks be linked to a private DNS zone?
- Registration virtual network (can have multiple but only one registration zone)
- Resolution virtual network (can have multiple, and multiple resolution zones)
What does the Packet capture function of Network Watcher do?
- Intercepts data packets and stores them temporarily so it can be analyzed, for a maximum of a 5 hour interval
- Inspects network traffic and helps diagnose network anomalies
What do you need to configure when creating a load balancer?
- Frontend IP address
If you want to apply rules, you also need - Health probe
- Backend pool
How would you set up a virtual WAN site-to-site portal?
- Create Virtual WAN
- Create Virtual Hub
- Create VPN sites
- Connect VPN sites to virtual hub
What OSI layer does Azure Load Balancer operate at?
L4
What OSI layer does Azure App Gateway operate at?
L7
What is an A record used for?
To map a DNS/domain name to an IP address
What network security policy supports kubernet networking?
Calico Network Policies
Why would you create a route table?
Custom routes are helpful when you want to route traffic between subnets through a network virtual appliance (NVA)
What are site-to-site VPN gateway connections used for?
To connect your on-premises network to an azure VNet over an IPsec/IKE VPN tunnel
How is the subnet of the target VM selected if a subnet with the same name doesn’t exist?
Alphabetical order
Are there any firewall resource group restrictions?
Yes
The firewall, VNet, and the public IP address must all be in the same resource group
What resource can you select when using connection monitor?
A region
What is Azure Bastion?
- A service you deploy that lets you connect to a VM using your browser/Azure portal or via the native SSH or RDP client installed on your computer
- You provision it inside your VNet and it provides secure RDP/SSH connectivity to your VM directly from the Azure portal over TLS. Your VM doesn’t need a public IP, agent, or special client software.
When configuring Azure Bastion, what’s the difference between using a Basic SKU and a Standard SKU?
- Basic creates two instances
- Standard allows you to specify the number of instances; host scaling
- Standard allows use of the native client, letting you connect via Azure CLI and expands your sign-in options to include AAD and local SSH key pair
- Standard supports global tier IPs
What kind of IP addresses does Azure Bastion support?
Standard SKU public IPs that are static
What resources do you need to consider moving when moving a VM from one subscription to another?
All dependent resources must be moved along with it
ie. Disk (OS), NIC, VNet
How would you enable multi-user authorization for a Recovery Services vault?
- Create resource guard
- Enable MUA on vault
- Authorize critical operations on vault
In what order would you deploy resources in an ARM template to deploy a VM?
VNet
NIC
VM
How would you migrate VMs to Azure using Azure Site Recovery?
- Create Recovery Service Vault
- Configure VNet
- Configure extended network
What is the recommended subnet size for Azure Bastion?
/26 or larger
How is traffic handled between VMs in peered VNets?
Using the Microsoft backbone infrastructure
What are service tags?
- Group of IP address prefixes from a given Azure Service
- Used in place of specific IP addresses when you create security rules and routes
What can you create Service Endpoints for?
Azure services
What are private links used for?
- Connect privately to Azure Monitor without opening public network access
- Ensure monitoring data is only accessed through authorized private networks
- Keep all traffic inside the Azure backbone network
What’s the difference been an A record and a CNAME record?
If the IP address changes, a CNAME entry is still valid, whereas an A record must be updated
For what OS is private networking supported for?
Linux containers
