Virtual Networking Flashcards

1
Q

Virtual Networks

A

A logical representation of your network in the cloud. It allows you to define your own private IP address space and segment that space into subnets.

-A VNet spans all Availability Zones within a Region
-You can change VMs between subnets
-You can have a VM with multiple network interfaces in different subnets

Implementation:
1. Create a Virtual Network: The network space isolated from other public or private networks
2. Create Subnet(s): Spaces that can be carved up within a virtual network for further isolation
3. Network Interface(s): Provides connectivity (using automatically assigned private IP)

Considerations:
-Address Space: IPv4 (supporting subnets from /2 to /29) and IPv6 (supporting /64 subnets only)
-DNS: DNS is provided for you, but you can use custom DNS servers also (per VNet or NIC)
-Protocols: TCP, UDP and ICMP are supported within a VNet. Unicast is supported (with the exception of DHCP)

Default Connectivity:
-Connectivity between subnets
-Connectivity to the Internet
-System connectivity (VNet peering, etc)

https://tutorialsdojo.com/azure-virtual-network-vnet/

2
Q

IP Addressing

A

Private IP Addressing:
1. Association: Associated through the resource configuration, or through a network interface (for VMs), depending on the resource
2. Address Allocation: Addresses can be either dynamic or static, but cannot be reserved in advance
3. Address Availability: Azure reserves the first four and the last IP address of each subnet for system use

Public IP Addressing:
1. Association: Independent resource (basic or standard) that can be associated with other resources
  Basic: Inbound connectivity is allowed by default
  Standard: No inbound connectivity is allowed, except for what you choose to allow
2. Address Allocation:
  Dynamic: Assigned when associated (basic)
  Static: Assigned when created (basic or standard)
3. IP Address Availability: Assigned from a pool, a Public IP Prefix (a sequential range of IP addresses), or a Custom IP Address Prefix (BYOIP)

Outbound Connectivity Overview:
-VM Default: If no public IP is assigned, Microsoft provides one for outbound traffic. You don't have to configure a public IP resource to get outbound public internet access: a newly created VM has outbound internet access by default
-VM Public IP: If a public IP resource is associated, the VM will use it for outbound access
-Public Load Balancer SNAT: Traffic can be routed out via the public IP of a load balancer
-NAT Gateway: Provides connectivity (using automatically assigned private IP)

3
Q

Network Security Groups

A

You can filter traffic to and from Azure resources that you have commissioned on an Azure Virtual Network (VNet)

Implementation:
1. Create a Network Security Group: Contains a list of inbound rules and outbound rules.
2. Assignment: An NSG can be assigned to a network interface, or subnet (or both)
3. Security Rules: Each rule defines traffic that should be allowed or denied

-Name: Custom label for describing the NSG rule
-Priority: The lower the number, the higher the priority
-Traffic Definition: Port, Protocol, Source, Destination
-Action: Allow or Deny the traffic as defined

-When a rule is matched, no further rules are processed

-Default Rules: “AllowVnetInBound”, “AllowAzureLoadBalancer”, and “DenyAllInBound” (You can’t delete them)

4
Q

Augmented Security Rules

A

Service Tags: Microsoft Managed
A group of IP address prefixes representing a Microsoft service, usable as the source or destination of a rule. These are Microsoft-managed labels that we can reference in our NSGs to point to services whose address ranges Microsoft maintains.

-Instead of having “Any” in Destination, we can have “SQL.Eastus”
-Simplifies rules for common services
-IP addresses are automatically updated

Application Security Groups: Customer Managed
A way of grouping VMs together for use as a source/destination, more easily than manual IP addressing.

-Instead of having IP address ranges in Source, we can have “ASG-Servers”
-Simplifies rules for customer solutions
-Provide a kind of “tag” for VMs

Limitations
-Network interfaces assigned to an ASG must be from the same VNet as the first assigned interface
-If you use an ASG for both a source and destination field, they must belong to the same VNet
-You cannot create your own custom service tag: all are created/managed by Microsoft
