Virtual Networks Flashcards
What is the relationship between virtual networks region and resource regions?
They must necessarily match, a vnet can’t host machines from another region.
What is CIDR notation!?
It is a way to limit the number of available up address of a virtual network or subnet. An ip consists of 4 parts delimited by a dot. Each one is called an octet referencing the 8 binary bits in a byte.
CIDR notation is an up followed by a forward slash and a number from 1 to 32. The number following the forward slash is a mask or in other words locks a certain number of binary bits from being changed. This has the effect of limiting the range of up values that can be used.
10.0.1.255/32 32 fully locks all the bits meaning that 10.0.1.255 is the only allowed up in this range.
192.0.2.0/24 is an IPv4 CIDR address where the first 24 bits, or 192.0.2, is locked meaning that the last cores can be any value from 0 to 255 giving the user 255 ip addresses to use.
What’s the cost of virtual networks?
Virtual Network in Azure is free of charge. Every subscription can create up to 50 Virtual Networks across all regions. VNET Peering links two virtual networks – either in the same region, or in different regions - and enables you to route traffic between them using private IP addresses (carry a nominal charge).
What is a NIC network security group ?
A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
How to add a resource to a vnet?
Normally there is an option during creation which vnet to deploy to and in the event that you don’t want to deploy to an existing vnet, usually azure will offer to create one as part of the deployment.
What are the restrictions on creating subnets in a vnet?
The subnets must all exist within the up range defined by the vnet cidr range.
The subnets must not have any overlapping IPs.
Changing the subnet range of IPs will only work if there are no resources on the subnet whose IPs will be displaced after the up range change.
How to set a code range of up ip 10.0.1.X for the 64 IPs starting at the last octet being 64?
10.0.1.64/26
This includes all ops from ( and including) 10.0.1.64 to ( and including) 10.0.1.127
Are public ip address free?
No. At the time of writing it’s around $0.004 per hour, which is around 10c per day.
What’s the difference between a basic and a standard public ip address? What other options are there?
Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual machine or a load balancer front end. If you’re creating a public IP address in a region that supports availability zones, the Availability zone setting is set to Zone-redundant by default.
You can also have a dynamic or static ip (dynamic is fine if you’re using a dns service to map your domain to your ip and if its automatically updated as ip address changes)
What is a network security attached to?
A network interface card
What is a network interface card attached to in teens of vm resources?
To a virtual machine
How to edit the inbound and outbound security group rules from the azure portal?
From the network security group resource ui.
What the default port for tcp traffic?
TCP operates over a wide range of ports. For example rdp is forced to use port 3389 but it uses tcp protocol.
What port does Remote Desktop need to be open to communicate with a vm?
3389
What is a user defined route?
When you create subnets, Azure creates system routes that enable all resources in a subnet to communicate with each other. You can override the system routes by creating UDRs. This way, you can force traffic to follow a particular route.
What is the purpose of a firewall?
To filter/control traffic crossing a network threshold.
What is the connection between user defined routes and network tables?
Route tables contain default routes and optionally you can add user defined routes. Networks have a set of default traffic rules which demand how to direct network traffic within the network.
A route table can be modified to change the rules which govern how network traffic is managed.
You midgut want to do this to redirect inbound and outbound traffic through a network firewall in order to control the websites employees can access.
How to create a route table?
From the azure ui, choose route tables then click create.
Associate the route table to the target vnet and subnet.
Add the rules you want.
Route tables exist independently and can be associated to multiple vnets.
What does the route table option ‘propagate gateway routes’ do?
It includes the network routes implicit from other resources like vpn to vpn peering or a network gateway.
What is the ip address which represents any ip from anywhere?
0.0.0.0/0
What are the parameters used to configure one route of a route table?
- name
- destination ip/cidr
- next hop type ( what is the traffic being directed to)
- next hop address ( destination ip)
What does NAT stand for?
Network address translation
What is the difference between Nat , network and application rules in azure firewalls ( not in azure-104)?
The three types of rules can be broken down into two sets:
NAT: This is a routing rule, directing traffic from a public IP address to a private IP address. A hidden network rule is automatically created to allow the traffic.
Network Rules and Application Rules: These rules specify what traffic is allowed through the Azure Firewall.
So when a packet is being inspected to determine if it is allowed or not (not is the default) then only Network Rules and Application Rules are used for filtering. Only application rules can filter using domain names.
What is port 53 for?
The standard port for DNS is port 53. DNS client applications use the DNS protocol to query and request information from DNS servers, and the server returns the results to the client using the same port. Port 53 is used for both TCP and UDP communication.
What is a WAN?
Wide area network. WAN networks allow distant locations be on the same network. Azure virtual wan is a global resource which must be added to a particular resource group.
Azure acts as a hub connecting the different sites, analogous to a vnet peering connection.
How are WANs priced?
There is an ongoing cost per hub in the WAN.
It’s about 6$ per day for the WAN to exist then there are additional costs depending on bandwidth and other WAN features.
Can resources on different vnets communicate ?
No. But with vnet peering and ensuring that vnet addresses do not overlap between two vnets , a vnet peering allows two vnets to be joined.
What is hub and spoke model of network topology?
One central network hub which has vnet peerings with each of the other vnets I.e the hub can speak with all cheers and all vnets can communicate with the hub but vnets cannot communicate with each other except via the hub.
If you add a vnet peering , how many network links do you configure?
2, one from A to B and the other from B to A
Which virtual network deployment model should you use when configuring a peering?
Resource manager.
There is an option for classic but this is deprecated and will be removed soon.
Can you add peerings to vnets under other subscriptions?
Yes, provided that you know the subscription and vnet name
Does a vnet peering by pass firewall and network security group restrictions?
No, you need the peering and the allowed passage of traffic configured to be able to communicate
How are peerings priced?
Though vnets are free, peering in the same region are $0.01 per gigabyte ingree and $0.01 per gigabyte of egress.
If the peerings are global ( different zones are defined) the price of ingress per gb goes from $0.035 to $0.044 and the same for egress.
How does dns the domain name system work in azure?
Ip addresses are mapped to domain names and when accessing a domain name like eBay.com, the dns service will forward send back the associated ip address.
There are 3 options in azure
- Azure provides dns (default)
- You provide dns (running your own dns server)
- Azure private dns ( an azure service )
How to set up a private dns zone?
Create the dns zone with your chosen domain name. Then link to a vnet and probably you want to add auto registration so new resources are added to the private dns (see photo).
You can update the first post of the fully qualified domain name by changing the name in the record set from the resource’s azure ui. This doesn’t change any actual metadata associated to the resource but it does make the fully qualified domain name more useful and customisable.
How can yo check the dns I’m configuration is working correctly?
Using the nslookup powershell command.
How can you review the inbound and outbound rules of a network security group?
In the azure portal ui of the NSG there are two tabs in the blade pointing to inbound and outbount network security rules. From here you can add the rules you want.
What are the default rules of a new NSG?
As in the photo, there are by default 3 rules. They cannot be removed but their priority has been set to th elowest possible value, so you can create rules of a higher priority (i.e. a lower number in the priority field) and traffic will be tested against those rules first.
If you create rules and there is a gap where traffic isn’t handled by your custom rules, they will still be handled by these default rules.
What’s the risk associated with this scenario?
Having multiple NSG means that it’s more difficult to ensure absolute coherence between them. Here there is a NSG on the subnet which may let traffic through but the NSG on the network interface card must be aligned with this, or the traffic will not reach its destination despite a correctly configured NSG on the subnet level. This can be confusing to debug and is the reason why it’s recommended to have the fewest NSGs possible.
How to add and remove a MSG from a network interface card?
Go to the vm, then to settings then to network security groups in the blade menu, then where the NSG is selected, change it to none.
What is effective security rules?
It’s a link in networking overviews which overlays all NSGs affecting the resource with the NSG attached. It’s accessed from the resources networking section of the blade menu.
It highlights all the NSGs which affect the resource ( it may not be obvious just looking at the resources ).
Sources and destinations are fully qualified so you can see in the case of 2 network security groups , the ip range which can pass through the NSG to the resource ( see photo).
What’s the difference between a network security group and an application security group?
NSGs are explicit and work with ip addresses for the source and destination. This can lead to confusing and difficult to manage NSGs as different resources have different IPs and they may change over time ( meaning a patch to your NSG rules would need to be made in accordance ).
Application security groups are essentially a way to map a resource to a name, and azure will take care of updating the ip address associated with the name if and when it’s necessary automatically. Then in your NSGs you point to the application security group instead of the ip. This gives a less manual option to manage NSGs with a changing infrastructure or application landscape.
This makes the network security group rules clearer and easier to reason about.
What is the metrics and quotas link for in the blade menu of the network watcher UI?
It shows the progress bar of all things with a quota or limited use.
How can you query your diagnostic logs?
Using the Monitor service and writing a kusto query language query against a specific data source.
