Virtual Networks

Question 1

What is the relationship between virtual networks region and resource regions?

Answer 1

They must necessarily match, a vnet can’t host machines from another region.

Question 2

What is CIDR notation!?

Answer 2

It is a way to limit the number of available up address of a virtual network or subnet. An ip consists of 4 parts delimited by a dot. Each one is called an octet referencing the 8 binary bits in a byte.

CIDR notation is an up followed by a forward slash and a number from 1 to 32. The number following the forward slash is a mask or in other words locks a certain number of binary bits from being changed. This has the effect of limiting the range of up values that can be used.

10.0.1.255/32 32 fully locks all the bits meaning that 10.0.1.255 is the only allowed up in this range.

192.0.2.0/24 is an IPv4 CIDR address where the first 24 bits, or 192.0.2, is locked meaning that the last cores can be any value from 0 to 255 giving the user 255 ip addresses to use.

Question 3

What’s the cost of virtual networks?

Answer 3

Virtual Network in Azure is free of charge. Every subscription can create up to 50 Virtual Networks across all regions. VNET Peering links two virtual networks – either in the same region, or in different regions - and enables you to route traffic between them using private IP addresses (carry a nominal charge).

Question 4

What is a NIC network security group ?

Answer 4

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Question 5

How to add a resource to a vnet?

Answer 5

Normally there is an option during creation which vnet to deploy to and in the event that you don’t want to deploy to an existing vnet, usually azure will offer to create one as part of the deployment.

Question 6

What are the restrictions on creating subnets in a vnet?

Answer 6

The subnets must all exist within the up range defined by the vnet cidr range.

The subnets must not have any overlapping IPs.

Changing the subnet range of IPs will only work if there are no resources on the subnet whose IPs will be displaced after the up range change.

Question 7

How to set a code range of up ip 10.0.1.X for the 64 IPs starting at the last octet being 64?

Answer 7

10.0.1.64/26

This includes all ops from ( and including) 10.0.1.64 to ( and including) 10.0.1.127

Question 8

Are public ip address free?

Answer 8

No. At the time of writing it’s around $0.004 per hour, which is around 10c per day.

Question 9

What’s the difference between a basic and a standard public ip address? What other options are there?

Answer 9

Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual machine or a load balancer front end. If you’re creating a public IP address in a region that supports availability zones, the Availability zone setting is set to Zone-redundant by default.

You can also have a dynamic or static ip (dynamic is fine if you’re using a dns service to map your domain to your ip and if its automatically updated as ip address changes)

Question 10

What is a network security attached to?

Answer 10

A network interface card

Question 11

What is a network interface card attached to in teens of vm resources?

Answer 11

To a virtual machine

Question 12

How to edit the inbound and outbound security group rules from the azure portal?

Answer 12

From the network security group resource ui.

Question 13

What the default port for tcp traffic?

Answer 13

TCP operates over a wide range of ports. For example rdp is forced to use port 3389 but it uses tcp protocol.

Question 14

What port does Remote Desktop need to be open to communicate with a vm?

Answer 14

3389

Question 15

What is a user defined route?

Answer 15

When you create subnets, Azure creates system routes that enable all resources in a subnet to communicate with each other. You can override the system routes by creating UDRs. This way, you can force traffic to follow a particular route.

Question 16

What is the purpose of a firewall?

Answer 16

To filter/control traffic crossing a network threshold.

Question 17

What is the connection between user defined routes and network tables?

Answer 17

Route tables contain default routes and optionally you can add user defined routes. Networks have a set of default traffic rules which demand how to direct network traffic within the network.

A route table can be modified to change the rules which govern how network traffic is managed.

You midgut want to do this to redirect inbound and outbound traffic through a network firewall in order to control the websites employees can access.

Question 18

How to create a route table?

Answer 18

From the azure ui, choose route tables then click create.

Associate the route table to the target vnet and subnet.

Add the rules you want.

Route tables exist independently and can be associated to multiple vnets.

Question 19

What does the route table option ‘propagate gateway routes’ do?

Answer 19

It includes the network routes implicit from other resources like vpn to vpn peering or a network gateway.

Question 20

What is the ip address which represents any ip from anywhere?

Answer 20

0.0.0.0/0

Question 21

What are the parameters used to configure one route of a route table?

Answer 21

• name
• destination ip/cidr
• next hop type ( what is the traffic being directed to)
• next hop address ( destination ip)

Question 22

What does NAT stand for?

Answer 22

Network address translation

Question 23

What is the difference between Nat , network and application rules in azure firewalls ( not in azure-104)?

Answer 23

The three types of rules can be broken down into two sets:

NAT: This is a routing rule, directing traffic from a public IP address to a private IP address. A hidden network rule is automatically created to allow the traffic.

Network Rules and Application Rules: These rules specify what traffic is allowed through the Azure Firewall.
So when a packet is being inspected to determine if it is allowed or not (not is the default) then only Network Rules and Application Rules are used for filtering. Only application rules can filter using domain names.

Question 24

What is port 53 for?

Answer 24

The standard port for DNS is port 53. DNS client applications use the DNS protocol to query and request information from DNS servers, and the server returns the results to the client using the same port. Port 53 is used for both TCP and UDP communication.

Question 25

What is a WAN?

Answer 25

Wide area network. WAN networks allow distant locations be on the same network. Azure virtual wan is a global resource which must be added to a particular resource group. Azure acts as a hub connecting the different sites, analogous to a vnet peering connection.

Question 26

How are WANs priced?

Answer 26

There is an ongoing cost per hub in the WAN. It’s about 6$ per day for the WAN to exist then there are additional costs depending on bandwidth and other WAN features.

Question 27

Can resources on different vnets communicate ?

Answer 27

No. But with vnet peering and ensuring that vnet addresses do not overlap between two vnets , a vnet peering allows two vnets to be joined.

Question 28

What is hub and spoke model of network topology?

Answer 28

One central network hub which has vnet peerings with each of the other vnets I.e the hub can speak with all cheers and all vnets can communicate with the hub but vnets cannot communicate with each other except via the hub.

Question 29

If you add a vnet peering , how many network links do you configure?

Answer 29

2, one from A to B and the other from B to A

Question 30

Which virtual network deployment model should you use when configuring a peering?

Answer 30

Resource manager. There is an option for classic but this is deprecated and will be removed soon.

Question 31

Can you add peerings to vnets under other subscriptions?

Answer 31

Yes, provided that you know the subscription and vnet name

Question 32

Does a vnet peering by pass firewall and network security group restrictions?

Answer 32

No, you need the peering and the allowed passage of traffic configured to be able to communicate

Question 33

How are peerings priced?

Answer 33

Though vnets are free, peering in the same region are $0.01 per gigabyte ingree and $0.01 per gigabyte of egress. If the peerings are global ( different zones are defined) the price of ingress per gb goes from $0.035 to $0.044 and the same for egress.

Question 34

What is a gateway subnet?

Answer 34

The gateway subnet is part of the IP address range of your subnet and will be forcibly named GatewaySubnet and will have some IPs reserved for azures use. They are used with azure virtual network gateways.

Question 35

What is an azure virtual network gateway?

Answer 35

It is an entrance/ exit from a vnet allowing traffic to pass outside of the vnet. They can be VPN based or expressroute based and can be route based ( recommend) or policy based.

Question 36

How much do azure virtual network gaeways cost?

Answer 36

It depends on the properties of the gate way such as bandwidth and the number of site to site tunnels or point to site tunnels. They are priced though started with $0.04 per hour for the basic and the next level up $0.19 per hour

Question 37

Where should you deploy an azure virtual network gateway to?

Answer 37

To gateway subnet.

Question 38

How long do virtual network gateways take to deploy?

Answer 38

A bit longer than other resources, maybe 15 minutes

Question 39

What is a vnet to vnet connection?

Answer 39

A virtual network gateway to connect two vnets ( encrypted traffic, less performant) and vnet peering ( not encrypted but can travel massive distances via the backbone without ever going across the public internet threshold). Note that you have to make two connect connections ( one from each vnet towards the other) for the connection to allow no directional traffic.

Question 40

Can vnets from different subscriptions have a peering connection?

Answer 40

Yes but not via the portal. You need to use powershell commands.

Question 41

How does dns the domain name system work in azure?

Answer 41

Ip addresses are mapped to domain names and when accessing a domain name like eBay.com, the dns service will forward send back the associated ip address. There are 3 options in azure 1. Azure provides dns (default) 2. You provide dns (running your own dns server) 3. Azure private dns ( an azure service )

Question 42

What are the features of azure provided dns?

Answer 42

No config On the same vnet hostnames can be used to connect to each other On the same vnet host name is all that’s required to connect to another machine, not the fully qualified domain name

Question 43

What are the features of azure private dns?

Answer 43

DNS service is only for azure internal networks, outside of your azure infra the domain names won’t be available or in service. Create custom domain names ( staging.local, dev.local etc.). Custom domain requires minimum of two labels I.e label.label and can have up to 34 labels.

Question 44

Azure private dns caveats

Answer 44

Works for vnet to vnet VMs but does not work for azure app services as these are by nature exposed or at least exposable to the public internet.

Question 45

What are the differences between an azure public des zone and a private dns zone?

Answer 45

Private ones exist only within azure. Public ones are designed to align with existing public dns mappings so to create a public dns for your.name.com you need proof that you have purchased that domain name and that it is live on the public internet dns resolution service

Question 46

What’s the beef with private dns and .local?

Answer 46

There are some cases on sine operating systems where they don’t behave as expected. So avoid if possible.

Question 47

How to set up a private dns zone?

Answer 47

Create the dns zone with your chosen domain name. Then link to a vnet and probably you want to add auto registration so new resources are added to the private dns (see photo). You can update the first post of the fully qualified domain name by changing the name in the record set from the resource’s azure ui. This doesn’t change any actual metadata associated to the resource but it does make the fully qualified domain name more useful and customisable.

Question 48

How to allow pinging between two VMs in a private dns zone?

Answer 48

You need to first set up a role to super the ping traffic protocol on the ping port with: New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4 Then you can ping using the fully qualified domain name assuming you are on the vnet ( for example using cloud shell). Remember this is a private dns so it’s only shipped to azure.

Question 49

When creating a public dns zone, why should you not use/register a production dns domain name?

Answer 49

You must use a registered domain name for public dns zones, and what you’re doing is asking azure to respond to all requests to the domain name you configure. If you were to use an in production domain name then you would need all your users to navigate to an azure domain directly instead of to your company’s registered domain. Instead , set up the azure public dns using a non production domain and then from within your company’s domain registrar (namecheap, go daddy etc) add a dns record to redirect traffic to the azure domain. This way consumers still navigate to you.company.domain.com but the traffic is redirected to the much.uglier.but.functional.azure.domain.merde

Question 50

How can yo check the dns I’m configuration is working correctly?

Answer 50

Using the nslookup powershell command.

Question 51

Why might traffic to a web server using an azure public dns not reach the renderer and respond as expected?

Answer 51

Don’t forget to ensure that the security group allows the tour of network traffic you’re using.

Question 52

What is a network security group?

Answer 52

Essentially it is a filter which allows or denies traffic to cross it's threshold. It is a static list of rules often called an access control list. Traversing traffic either meets the criteria set up in the access control list or it does not. If it does not, it is denied access to cross the network threshold. If does meet the criteria, the access control list will forward the traffic to it's requested destination?

Question 53

How many network security groups should you aim to have?

Answer 53

As few as possible. This limits the risk of leaving network entry points open by accident.

Question 54

How much do network security groups cost?

Answer 54

Nothing, they are free.

Question 55

How can you review the inbound and outbound rules of a network security group?

Answer 55

In the azure portal ui of the NSG there are two tabs in the blade pointing to inbound and outbount network security rules. From here you can add the rules you want.

Question 56

What are the default rules of a new NSG?

Answer 56

As in the photo, there are by default 3 rules. They cannot be removed but their priority has been set to th elowest possible value, so you can create rules of a higher priority (i.e. a lower number in the priority field) and traffic will be tested against those rules first. If you create rules and there is a gap where traffic isn't handled by your custom rules, they will still be handled by these default rules.

Question 57

Can your NSG have two rules with the same priority?

Answer 57

No. Every rule must have a discrete and unique place in the hierarchy of rules.

Question 58

What can a NSG be applied to?

Answer 58

- A vnet - a subnet - a network interface card

Question 59

What's the risk associated with this scenario?

Answer 59

Having multiple NSG means that it's more difficult to ensure absolute coherence between them. Here there is a NSG on the subnet which may let traffic through but the NSG on the network interface card must be aligned with this, or the traffic will not reach its destination despite a correctly configured NSG on the subnet level. This can be confusing to debug and is the reason why it's recommended to have the fewest NSGs possible.

Question 60

On creating a NSG, is it immediately active?

Answer 60

No, it needs to attached to a network or network interface card before traffic begins being passed through its rules.

Question 61

How to add and remove a MSG from a network interface card?

Answer 61

Go to the vm, then to settings then to network security groups in the blade menu, then where the NSG is selected, change it to none.

Question 62

What is effective security rules?

Answer 62

It’s a link in networking overviews which overlays all NSGs affecting the resource with the NSG attached. It’s accessed from the resources networking section of the blade menu. It highlights all the NSGs which affect the resource ( it may not be obvious just looking at the resources ). Sources and destinations are fully qualified so you can see in the case of 2 network security groups , the ip range which can pass through the NSG to the resource ( see photo).

Question 63

What’s the difference between a network security group and an application security group?

Answer 63

NSGs are explicit and work with ip addresses for the source and destination. This can lead to confusing and difficult to manage NSGs as different resources have different IPs and they may change over time ( meaning a patch to your NSG rules would need to be made in accordance ). Application security groups are essentially a way to map a resource to a name, and azure will take care of updating the ip address associated with the name if and when it’s necessary automatically. Then in your NSGs you point to the application security group instead of the ip. This gives a less manual option to manage NSGs with a changing infrastructure or application landscape. This makes the network security group rules clearer and easier to reason about.

Question 64

What’s the difference between a public and private ip ?

Answer 64

Public ip is used to access resource from outside the azure network infrastructure. A private ip is only functional from within the azure networking infrastructure.

Question 65

How many application security groups can be associated with a network security group?

Answer 65

1

Question 66

What types of network surveillance and troubleshooting are not available on cloud infra like Azure but are on an on-prem data centre?

Answer 66

Physical devices that process the traffic running through the physical cables like packet sniffers. Cloud solutions are deployed to shared physical infrastructure so it would be almost impossible to sniff a packet without other company's packets in it (also the physical infra may be hundreds or thousands of miles away).

Question 67

What is the purpose of Network Watcher?

Answer 67

Azure Network Watcher is a service for: 1. Network Diagnostics: Identifies network connectivity issues. 2. Performance Monitoring: Monitors network performance between different points. 3. Traffic Analysis: Provides insights into the network traffic of Azure resources. 4. Network Security Group Flow Logs: Views information about ingress and egress IP traffic. 5. Connectivity Checks: Tests network connections to and from Azure resources. 6. Alerts and Metrics: Sets up alerts and views metrics to monitor network health and status.

Question 68

What is the network watcher topology tool used for?

Answer 68

It essentially creates a visual representation of the selected network. This is a good way of visualising a set of networks and resources from a birds eye view.

Question 69

What is the network watcher connection monitor tool used for?

Answer 69

It is used for monitoring network connections. It verifies if a direct TCP or HTTP connection can be established between a source and a destination and provides insights into the reachability of the network endpoint and monitor connection and pack loss stats. You can monitor connections between Azure VMs, between an Azure VM and an on-premises machine, or between an Azure VM and a public IP address.

Question 70

What is the network performance monitor for (retired tech)?

Answer 70

This is going to be retired in Feb 2024 but there is no guarantee that it won't be on the exam. It's purpose was to monitor packets going between azure endpoints.

Question 71

What is the purpose of IP Flow Verify tool in the Azure network watcher toolset?

Answer 71

This uses the 5 tuple to check whether traffic can pass from one resource to another. Essentially it is used to validate that a NSG's rules are behaving as expected for a single flow under test

Question 72

What is the purpose of the NSG diagnostics tool in the azure network watcher toolset?º

Answer 72

This tool helps you diagnose issues related to NSG rules. If traffic isn't flowing as expected to your VM, NSG diagnostics generates a report that lists the effective and applied security rules, and provides recommendations to help resolve issues. It's more about understanding what NSG rules are in place and helping to fix any problems with them.

Question 73

What is the difference between IP flow verify and NSG diagnostics in the azure network watcher toolset?

Answer 73

In summary, IP Flow Verify is about confirming if a specific network flow is allowed or denied, while NSG Diagnostics is more about understanding and fixing issues with your NSG rules as a whole.

Question 74

What is the purpose of next hop diagnostics in the Azure Network Watcher toolset?

Answer 74

It is used to debug route tables and when given a source and destination ip, it will return the next hop type (e.g. "VNet Peering", "Internet", "Virtual Appliance",) and the ip address. If the traffic is routed directly to the destination then the next hop type will be none and the IP column will be empty.

Question 75

What is the purpose of the effective security rules of the network watcher toolset?

Answer 75

It's a compiled set of security rules which are effective at the time. This can help to give an overview of the security group rules when they are spread across multliple NSGs.

Question 76

What is the purpose of VPN troubleshoot in the azure network watcher toolset?

Answer 76

If there is a VPN attached to a network, this tool can test its health and properties.

Question 77

What is the purpose of the packet capture tool in the azure network watcher toolset?

Answer 77

It is used to capture packets which may be helpful to troubleshoot certain connectivity issues or diagnosing data leaks.

Question 78

What is the purpose of the connection troubleshoot tool in the network watcher toolset?

Answer 78

Troubleshoot the ability of a TCP connection between two resources. The primary purpose of it is to check if the connection is possible and to eliminate the possibility that the problem is related to the Azure infrastructure rather than the configured networking settings and resources.

Question 79

What is the metrics and quotas link for in the blade menu of the network watcher UI?

Answer 79

It shows the progress bar of all things with a quota or limited use.

Question 80

What are the NSG Flow logs?

Answer 80

It contains inbound and outbound rules for a particular NSG. You have to create these rules specifying the NSG to target. A storage account is required to hold these logs (stored in JSON). You can set a retention policy in days while creating a flow log.

Question 81

What are Azure network watcher diagnostic logs?

Answer 81

Azure Network Watcher Diagnostic Logs: 1. Collect network-related logs from Azure resources. 2. Provide insights into network activity and troubleshooting. 3. Include logs from: - Network Security Groups - VPN Gateway - Azure Firewall - Load Balancer - Application Gateway 4. Logs can be sent to: - Azure Storage (for archival) - Azure Monitor Logs (for analysis) - Azure Event Hubs (for telemetry) - 3rd party or Microsoft data processing solutions

Question 82

Does a new Azure network watcher diagnostic log backdate?

Answer 82

No

Question 83

Is Azure network watcher diagnostic logs immediate?

Answer 83

No, network issues will not show up for some time , there is some lag between real time events and the diagnostic logging.

Question 84

How can you query your diagnostic logs?

Answer 84

Using the Monitor service and writing a kusto query language query against a specific data source.