Virtual Networking Flashcards
Virtual Networks
A logical representation of your network in the cloud. It allows you to define your own private IP address space and segment the network into subnets
-A VNet spans all Availability Zones within a Region
-You can move VMs between subnets
-You can have a VM with multiple network interfaces in different subnets
Implementation:
1. Create a Virtual Network: The network space isolated from other public or private networks
2. Create Subnet(s): Spaces that can be carved up within a virtual network for further isolation
3. Network Interface(s): Provides connectivity (using automatically assigned private IP)
Considerations:
-Address Space: IPv4 (supporting subnets from /2 to /29) and IPv6 (supporting /64 subnets only)
-DNS: DNS is provided for you, but you can use custom DNS servers also (per VNet or NIC)
-Protocols: TCP, UDP and ICMP (TCP/IP protocols) are supported. Unicast is supported (except DHCP via unicast)
Default Connectivity:
-Connectivity between subnets
-Connectivity to the Internet
-System connectivity (VNet peering, etc.)
https://tutorialsdojo.com/azure-virtual-network-vnet/
IP Addressing
Private IP Addressing:
1. Association: Associated by resource configuration, or network interface (VMs). (Depends on the resource)
2. Address Allocation: Addresses can be either dynamic or static, but cannot be reserved in advance
3. Address Availability: Azure reserves the first four and the last IP address in each subnet for system use
Public IP Addressing
1. Association: Independent resource (basic or standard) that can be associated with other resources
Basic: Inbound connectivity is allowed by default
Standard: No inbound connectivity is allowed, except for what you choose to allow
2. Address Allocation:
Dynamic: Assigned when associated (basic)
Static: Assigned when created (basic or standard)
3. Address Availability: Assigned from a pool, or a Public IP Prefix (sequential range of IPs), or a Custom IP address Prefix (BYOIP)
Outbound Connectivity Overview:
-VM Default: If no IP address is assigned, Microsoft will provide a public IP (you don’t have to configure a public IP resource to get outbound public internet access; when you create a VM it has outbound internet access by default)
-VM Public IP: If a public IP resource is associated, the VM will use it for outbound access
-Public Load Balancer SNAT: Traffic can be routed out via the public IP of a load balancer
-NAT Gateway: Provides outbound connectivity (using automatically assigned private IP)
Network Security Groups
You can filter traffic to and from Azure resources that you have commissioned on an Azure Virtual Network (VNet)
Implementation:
1. Create a Network Security Group: Contains a list of inbound rules and outbound rules.
2. Assignment: An NSG can be assigned to a network interface, or subnet (or both)
3. Security Rules: Each rule defines traffic that should be allowed or denied
-Name: Custom label for describing the NSG rule
-Priority: The lower the number, the higher the priority
-Traffic Definition: Port, Protocol, Source, Destination
-Action: Allow or Deny the traffic as defined
-When a rule is matched, no further rules are processed
-Default Rules: “AllowVnetInBound”, “AllowAzureLoadBalancer”, and “DenyAllInBound” (You can’t delete them)
Augmented Security Rules
Service Tags: Microsoft Managed
A group of IP address prefixes that point to Microsoft services, used as a source/destination. They are Microsoft-managed labels within our NSGs that refer to services Microsoft knows about.
-Instead of having “Any” in Destination, we can have “SQL.Eastus”
-Simplifies rules for common services
-IP addresses are automatically updated
Application Security Groups: Customer Managed
A way of grouping VMs together for use as a source/destination, more easily than with manual IP addressing.
-Instead of having IP address ranges in Source, we can have “ASG-Servers”
-Simplifies rules for customer solutions
-Provide a kind of “tag” for VMs
Limitations
-Network interfaces assigned to an ASG must be from the same VNet as the first assigned interface
-If you use an ASG for both a source and destination field, they must belong to the same VNet
-You cannot create your own custom service tag: all are created/managed by Microsoft