Virtual Networks Flashcards
What is the relationship between virtual networks region and resource regions?
They must necessarily match, a vnet can’t host machines from another region.
What is CIDR notation!?
It is a way to limit the number of available up address of a virtual network or subnet. An ip consists of 4 parts delimited by a dot. Each one is called an octet referencing the 8 binary bits in a byte.
CIDR notation is an up followed by a forward slash and a number from 1 to 32. The number following the forward slash is a mask or in other words locks a certain number of binary bits from being changed. This has the effect of limiting the range of up values that can be used.
10.0.1.255/32 32 fully locks all the bits meaning that 10.0.1.255 is the only allowed up in this range.
192.0.2.0/24 is an IPv4 CIDR address where the first 24 bits, or 192.0.2, is locked meaning that the last cores can be any value from 0 to 255 giving the user 255 ip addresses to use.
What’s the cost of virtual networks?
Virtual Network in Azure is free of charge. Every subscription can create up to 50 Virtual Networks across all regions. VNET Peering links two virtual networks – either in the same region, or in different regions - and enables you to route traffic between them using private IP addresses (carry a nominal charge).
What is a NIC network security group ?
A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
How to add a resource to a vnet?
Normally there is an option during creation which vnet to deploy to and in the event that you don’t want to deploy to an existing vnet, usually azure will offer to create one as part of the deployment.
What are the restrictions on creating subnets in a vnet?
The subnets must all exist within the up range defined by the vnet cidr range.
The subnets must not have any overlapping IPs.
Changing the subnet range of IPs will only work if there are no resources on the subnet whose IPs will be displaced after the up range change.
How to set a code range of up ip 10.0.1.X for the 64 IPs starting at the last octet being 64?
10.0.1.64/26
This includes all ops from ( and including) 10.0.1.64 to ( and including) 10.0.1.127
Are public ip address free?
No. At the time of writing it’s around $0.004 per hour, which is around 10c per day.
What’s the difference between a basic and a standard public ip address? What other options are there?
Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual machine or a load balancer front end. If you’re creating a public IP address in a region that supports availability zones, the Availability zone setting is set to Zone-redundant by default.
You can also have a dynamic or static ip (dynamic is fine if you’re using a dns service to map your domain to your ip and if its automatically updated as ip address changes)
What is a network security attached to?
A network interface card
What is a network interface card attached to in teens of vm resources?
To a virtual machine
How to edit the inbound and outbound security group rules from the azure portal?
From the network security group resource ui.
What the default port for tcp traffic?
TCP operates over a wide range of ports. For example rdp is forced to use port 3389 but it uses tcp protocol.
What port does Remote Desktop need to be open to communicate with a vm?
3389
What is a user defined route?
When you create subnets, Azure creates system routes that enable all resources in a subnet to communicate with each other. You can override the system routes by creating UDRs. This way, you can force traffic to follow a particular route.
What is the purpose of a firewall?
To filter/control traffic crossing a network threshold.
What is the connection between user defined routes and network tables?
Route tables contain default routes and optionally you can add user defined routes. Networks have a set of default traffic rules which demand how to direct network traffic within the network.
A route table can be modified to change the rules which govern how network traffic is managed.
You midgut want to do this to redirect inbound and outbound traffic through a network firewall in order to control the websites employees can access.
How to create a route table?
From the azure ui, choose route tables then click create.
Associate the route table to the target vnet and subnet.
Add the rules you want.
Route tables exist independently and can be associated to multiple vnets.
What does the route table option ‘propagate gateway routes’ do?
It includes the network routes implicit from other resources like vpn to vpn peering or a network gateway.
What is the ip address which represents any ip from anywhere?
0.0.0.0/0
What are the parameters used to configure one route of a route table?
- name
- destination ip/cidr
- next hop type ( what is the traffic being directed to)
- next hop address ( destination ip)
What does NAT stand for?
Network address translation
What is the difference between Nat , network and application rules in azure firewalls ( not in azure-104)?
The three types of rules can be broken down into two sets:
NAT: This is a routing rule, directing traffic from a public IP address to a private IP address. A hidden network rule is automatically created to allow the traffic.
Network Rules and Application Rules: These rules specify what traffic is allowed through the Azure Firewall.
So when a packet is being inspected to determine if it is allowed or not (not is the default) then only Network Rules and Application Rules are used for filtering. Only application rules can filter using domain names.
What is port 53 for?
The standard port for DNS is port 53. DNS client applications use the DNS protocol to query and request information from DNS servers, and the server returns the results to the client using the same port. Port 53 is used for both TCP and UDP communication.
What is a WAN?
Wide area network. WAN networks allow distant locations be on the same network. Azure virtual wan is a global resource which must be added to a particular resource group.
Azure acts as a hub connecting the different sites, analogous to a vnet peering connection.
How are WANs priced?
There is an ongoing cost per hub in the WAN.
It’s about 6$ per day for the WAN to exist then there are additional costs depending on bandwidth and other WAN features.
Can resources on different vnets communicate ?
No. But with vnet peering and ensuring that vnet addresses do not overlap between two vnets , a vnet peering allows two vnets to be joined.
What is hub and spoke model of network topology?
One central network hub which has vnet peerings with each of the other vnets I.e the hub can speak with all cheers and all vnets can communicate with the hub but vnets cannot communicate with each other except via the hub.
If you add a vnet peering , how many network links do you configure?
2, one from A to B and the other from B to A
Which virtual network deployment model should you use when configuring a peering?
Resource manager.
There is an option for classic but this is deprecated and will be removed soon.
Can you add peerings to vnets under other subscriptions?
Yes, provided that you know the subscription and vnet name
Does a vnet peering by pass firewall and network security group restrictions?
No, you need the peering and the allowed passage of traffic configured to be able to communicate
How are peerings priced?
Though vnets are free, peering in the same region are $0.01 per gigabyte ingree and $0.01 per gigabyte of egress.
If the peerings are global ( different zones are defined) the price of ingress per gb goes from $0.035 to $0.044 and the same for egress.
What is a gateway subnet?
The gateway subnet is part of the IP address range of your subnet and will be forcibly named GatewaySubnet and will have some IPs reserved for azures use.
They are used with azure virtual network gateways.
What is an azure virtual network gateway?
It is an entrance/ exit from a vnet allowing traffic to pass outside of the vnet. They can be VPN based or expressroute based and can be route based ( recommend) or policy based.
How much do azure virtual network gaeways cost?
It depends on the properties of the gate way such as bandwidth and the number of site to site tunnels or point to site tunnels.
They are priced though started with $0.04 per hour for the basic and the next level up $0.19 per hour
Where should you deploy an azure virtual network gateway to?
To gateway subnet.
How long do virtual network gateways take to deploy?
A bit longer than other resources, maybe 15 minutes
What is a vnet to vnet connection?
A virtual network gateway to connect two vnets ( encrypted traffic, less performant) and vnet peering ( not encrypted but can travel massive distances via the backbone without ever going across the public internet threshold).
Note that you have to make two connect connections ( one from each vnet towards the other) for the connection to allow no directional traffic.
Can vnets from different subscriptions have a peering connection?
Yes but not via the portal. You need to use powershell commands.
How does dns the domain name system work in azure?
Ip addresses are mapped to domain names and when accessing a domain name like eBay.com, the dns service will forward send back the associated ip address.
There are 3 options in azure
- Azure provides dns (default)
- You provide dns (running your own dns server)
- Azure private dns ( an azure service )
What are the features of azure provided dns?
No config
On the same vnet hostnames can be used to connect to each other
On the same vnet host name is all that’s required to connect to another machine, not the fully qualified domain name
What are the features of azure private dns?
DNS service is only for azure internal networks, outside of your azure infra the domain names won’t be available or in service.
Create custom domain names ( staging.local, dev.local etc.). Custom domain requires minimum of two labels I.e label.label and can have up to 34 labels.
Azure private dns caveats
Works for vnet to vnet VMs but does not work for azure app services as these are by nature exposed or at least exposable to the public internet.
What are the differences between an azure public des zone and a private dns zone?
Private ones exist only within azure. Public ones are designed to align with existing public dns mappings so to create a public dns for your.name.com you need proof that you have purchased that domain name and that it is live on the public internet dns resolution service
What’s the beef with private dns and .local?
There are some cases on sine operating systems where they don’t behave as expected. So avoid if possible.
How to set up a private dns zone?
Create the dns zone with your chosen domain name. Then link to a vnet and probably you want to add auto registration so new resources are added to the private dns (see photo).
You can update the first post of the fully qualified domain name by changing the name in the record set from the resource’s azure ui. This doesn’t change any actual metadata associated to the resource but it does make the fully qualified domain name more useful and customisable.
How to allow pinging between two VMs in a private dns zone?
You need to first set up a role to super the ping traffic protocol on the ping port with:
New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
Then you can ping using the fully qualified domain name assuming you are on the vnet ( for example using cloud shell). Remember this is a private dns so it’s only shipped to azure.
When creating a public dns zone, why should you not use/register a production dns domain name?
You must use a registered domain name for public dns zones, and what you’re doing is asking azure to respond to all requests to the domain name you configure. If you were to use an in production domain name then you would need all your users to navigate to an azure domain directly instead of to your company’s registered domain.
Instead , set up the azure public dns using a non production domain and then from within your company’s domain registrar (namecheap, go daddy etc) add a dns record to redirect traffic to the azure domain. This way consumers still navigate to you.company.domain.com but the traffic is redirected to the much.uglier.but.functional.azure.domain.merde
How can yo check the dns I’m configuration is working correctly?
Using the nslookup powershell command.
Why might traffic to a web server using an azure public dns not reach the renderer and respond as expected?
Don’t forget to ensure that the security group allows the tour of network traffic you’re using.
What is a network security group?
Essentially it is a filter which allows or denies traffic to cross it’s threshold. It is a static list of rules often called an access control list.
Traversing traffic either meets the criteria set up in the access control list or it does not. If it does not, it is denied access to cross the network threshold. If does meet the criteria, the access control list will forward the traffic to it’s requested destination?
How many network security groups should you aim to have?
As few as possible. This limits the risk of leaving network entry points open by accident.
How much do network security groups cost?
Nothing, they are free.
How can you review the inbound and outbound rules of a network security group?
In the azure portal ui of the NSG there are two tabs in the blade pointing to inbound and outbount network security rules. From here you can add the rules you want.
What are the default rules of a new NSG?
As in the photo, there are by default 3 rules. They cannot be removed but their priority has been set to th elowest possible value, so you can create rules of a higher priority (i.e. a lower number in the priority field) and traffic will be tested against those rules first.
If you create rules and there is a gap where traffic isn’t handled by your custom rules, they will still be handled by these default rules.
Can your NSG have two rules with the same priority?
No. Every rule must have a discrete and unique place in the hierarchy of rules.
What can a NSG be applied to?
- A vnet
- a subnet
- a network interface card
What’s the risk associated with this scenario?
Having multiple NSG means that it’s more difficult to ensure absolute coherence between them. Here there is a NSG on the subnet which may let traffic through but the NSG on the network interface card must be aligned with this, or the traffic will not reach its destination despite a correctly configured NSG on the subnet level. This can be confusing to debug and is the reason why it’s recommended to have the fewest NSGs possible.
On creating a NSG, is it immediately active?
No, it needs to attached to a network or network interface card before traffic begins being passed through its rules.
How to add and remove a MSG from a network interface card?
Go to the vm, then to settings then to network security groups in the blade menu, then where the NSG is selected, change it to none.
What is effective security rules?
It’s a link in networking overviews which overlays all NSGs affecting the resource with the NSG attached. It’s accessed from the resources networking section of the blade menu.
It highlights all the NSGs which affect the resource ( it may not be obvious just looking at the resources ).
Sources and destinations are fully qualified so you can see in the case of 2 network security groups , the ip range which can pass through the NSG to the resource ( see photo).
What’s the difference between a network security group and an application security group?
NSGs are explicit and work with ip addresses for the source and destination. This can lead to confusing and difficult to manage NSGs as different resources have different IPs and they may change over time ( meaning a patch to your NSG rules would need to be made in accordance ).
Application security groups are essentially a way to map a resource to a name, and azure will take care of updating the ip address associated with the name if and when it’s necessary automatically. Then in your NSGs you point to the application security group instead of the ip. This gives a less manual option to manage NSGs with a changing infrastructure or application landscape.
This makes the network security group rules clearer and easier to reason about.
What’s the difference between a public and private ip ?
Public ip is used to access resource from outside the azure network infrastructure. A private ip is only functional from within the azure networking infrastructure.
How many application security groups can be associated with a network security group?
1
What types of network surveillance and troubleshooting are not available on cloud infra like Azure but are on an on-prem data centre?
Physical devices that process the traffic running through the physical cables like packet sniffers.
Cloud solutions are deployed to shared physical infrastructure so it would be almost impossible to sniff a packet without other company’s packets in it (also the physical infra may be hundreds or thousands of miles away).
What is the purpose of Network Watcher?
Azure Network Watcher is a service for:
1. Network Diagnostics: Identifies network connectivity issues.
2. Performance Monitoring: Monitors network performance between different points.
3. Traffic Analysis: Provides insights into the network traffic of Azure resources.
4. Network Security Group Flow Logs: Views information about ingress and egress IP traffic.
5. Connectivity Checks: Tests network connections to and from Azure resources.
6. Alerts and Metrics: Sets up alerts and views metrics to monitor network health and status.
What is the network watcher topology tool used for?
It essentially creates a visual representation of the selected network. This is a good way of visualising a set of networks and resources from a birds eye view.
What is the network watcher connection monitor tool used for?
It is used for monitoring network connections. It verifies if a direct TCP or HTTP connection can be established between a source and a destination and provides insights into the reachability of the network endpoint and monitor connection and pack loss stats.
You can monitor connections between Azure VMs, between an Azure VM and an on-premises machine, or between an Azure VM and a public IP address.
What is the network performance monitor for (retired tech)?
This is going to be retired in Feb 2024 but there is no guarantee that it won’t be on the exam.
It’s purpose was to monitor packets going between azure endpoints.
What is the purpose of IP Flow Verify tool in the Azure network watcher toolset?
This uses the 5 tuple to check whether traffic can pass from one resource to another. Essentially it is used to validate that a NSG’s rules are behaving as expected for a single flow under test
What is the purpose of the NSG diagnostics tool in the azure network watcher toolset?º
This tool helps you diagnose issues related to NSG rules. If traffic isn’t flowing as expected to your VM, NSG diagnostics generates a report that lists the effective and applied security rules, and provides recommendations to help resolve issues. It’s more about understanding what NSG rules are in place and helping to fix any problems with them.
What is the difference between IP flow verify and NSG diagnostics in the azure network watcher toolset?
In summary, IP Flow Verify is about confirming if a specific network flow is allowed or denied, while NSG Diagnostics is more about understanding and fixing issues with your NSG rules as a whole.
What is the purpose of next hop diagnostics in the Azure Network Watcher toolset?
It is used to debug route tables and when given a source and destination ip, it will return the next hop type (e.g. “VNet Peering”, “Internet”, “Virtual Appliance”,) and the ip address.
If the traffic is routed directly to the destination then the next hop type will be none and the IP column will be empty.
What is the purpose of the effective security rules of the network watcher toolset?
It’s a compiled set of security rules which are effective at the time. This can help to give an overview of the security group rules when they are spread across multliple NSGs.
What is the purpose of VPN troubleshoot in the azure network watcher toolset?
If there is a VPN attached to a network, this tool can test its health and properties.
What is the purpose of the packet capture tool in the azure network watcher toolset?
It is used to capture packets which may be helpful to troubleshoot certain connectivity issues or diagnosing data leaks.
What is the purpose of the connection troubleshoot tool in the network watcher toolset?
Troubleshoot the ability of a TCP connection between two resources. The primary purpose of it is to check if the connection is possible and to eliminate the possibility that the problem is related to the Azure infrastructure rather than the configured networking settings and resources.
What is the metrics and quotas link for in the blade menu of the network watcher UI?
It shows the progress bar of all things with a quota or limited use.
What are the NSG Flow logs?
It contains inbound and outbound rules for a particular NSG. You have to create these rules specifying the NSG to target. A storage account is required to hold these logs (stored in JSON). You can set a retention policy in days while creating a flow log.
What are Azure network watcher diagnostic logs?
Azure Network Watcher Diagnostic Logs:
1. Collect network-related logs from Azure resources.
2. Provide insights into network activity and troubleshooting.
3. Include logs from:
- Network Security Groups
- VPN Gateway
- Azure Firewall
- Load Balancer
- Application Gateway
4. Logs can be sent to:
- Azure Storage (for archival)
- Azure Monitor Logs (for analysis)
- Azure Event Hubs (for telemetry)
- 3rd party or Microsoft data processing solutions
Does a new Azure network watcher diagnostic log backdate?
No
Is Azure network watcher diagnostic logs immediate?
No, network issues will not show up for some time , there is some lag between real time events and the diagnostic logging.
How can you query your diagnostic logs?
Using the Monitor service and writing a kusto query language query against a specific data source.
