Tutorial / Cram Notes
Virtual Networks (VNet) are the cornerstone of Azure networking. They allow Azure resources to communicate securely with each other, the internet, and on-premises networks.
- Creating a VNet involves defining a private IP address space using public and private (RFC 1918) addresses.
- Subnets allow you to segment the network into one or more sub-networks, enabling you to group and isolate resources.
Example:
To create a VNet with two subnets, you can use the Azure portal, Azure PowerShell, or Azure CLI.
az network vnet create –name MyVNet –resource-group MyResourceGroup –address-prefix 10.0.0.0/16
az network vnet subnet create –name MySubnet –resource-group MyResourceGroup –vnet-name MyVNet –address-prefix 10.0.1.0/24
Network Security Groups (NSGs)
NSGs are used to filter network traffic to and from Azure resources in an Azure Virtual Network.
- Rules: Each NSG contains a list of security rules that allow or deny network traffic based on source and destination IP address, port, and protocol.
Example:
Creating an NSG to allow HTTP and HTTPS traffic can be done through Azure PowerShell.
New-AzNetworkSecurityGroup -ResourceGroupName MyResourceGroup -Location “East US” -Name MyNSG
New-AzNetworkSecurityRuleConfig -Name AllowHTTP -NetworkSecurityGroup MyNSG -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Verbose
New-AzNetworkSecurityRuleConfig -Name AllowHTTPS -NetworkSecurityGroup MyNSG -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 -Verbose
IP Addressing
Managing IP addresses is crucial for Azure network configurations.
- Public IP addresses are used for communication with the Internet.
- Private IP addresses are used for communication within an Azure VNet or on-premises network.
- Static IP vs. Dynamic IP: Azure resources can be assigned either a static IP address that doesn’t change or a dynamic IP address that can change upon reboot or deallocation.
Example:
Assigning a static public IP address to a VM can be accomplished using the Azure CLI.
az vm create –resource-group MyResourceGroup –name MyVM –public-ip-address MyPublicIP –public-ip-address-allocation static
Azure Load Balancer
The Azure Load Balancer distributes traffic across multiple VMs or services, ensuring high availability and reliability.
- Internal Load Balancer (ILB) balances traffic within a VNet or between VNets.
- Public Load Balancer (PLB) balances inbound internet traffic to VMs or services.
Azure DNS
Azure DNS provides hosting of domain names and facilitates domain name resolution for VMs and applications in Azure.
- It supports private and public DNS zones.
- Allows you to manage DNS records like A, MX, PTR, and more.
Virtual Network Peering
Virtual Network Peering allows you to connect two VNets seamlessly.
- Global VNet peering connects VNets across Azure regions.
- Regional VNet peering connects VNets within the same Azure region.
VPN Gateway and ExpressRoute
For connecting an on-premises network to an Azure VNet, Azure offers two solutions:
- VPN Gateway: A VPN gateway sends encrypted traffic across a public connection.
- ExpressRoute: ExpressRoute provides a private connection to Azure services over a dedicated private connection facilitated by a connectivity provider.
Conclusion
Networking in Azure is a vast area with numerous components and configurations. Understanding these fundamental topics, along with practising the setup through different tools and interfaces provided by Azure, is essential for anyone preparing for the AZ-104 exam. By mastering these concepts, an Azure Administrator can ensure a robust and secure network to support various workloads in the cloud.
Practice Test with Explanation
True or False: In Azure, you can only create one virtual network in each subscription.
False
Azure allows the creation of multiple virtual networks within a subscription, each with its own address spaces and subnets.
True or False: Azure Virtual Network can be interconnected with other Azure Virtual Networks using Virtual Network Peering.
True
Virtual Network Peering is a mechanism in Azure that allows different virtual networks to be connected directly and enables resources in those networks to communicate with each other.
Which Azure service provides DNS domain hosting?
- A) Azure Virtual Network
- B) Azure Blob Storage
- C) Azure DNS
- D) Azure Traffic Manager
C) Azure DNS
Azure DNS provides a reliable and secure DNS domain hosting service that allows you to manage and resolve DNS domains in Azure.
What is the purpose of a Network Security Group (NSG) in Azure?
- A) To define subnets within an Azure Virtual Network
- B) To regulate the flow of network traffic in and out of Azure resources
- C) To create a hybrid connection between Azure and on-premises datacenters
- D) To provide DDoS protection to Azure services
B) To regulate the flow of network traffic in and out of Azure resources
NSGs are used to apply and control access by filtering network traffic to and from Azure resources based on rules defined in the group.
True or False: Azure Route Tables allow you to configure custom routes that override Azure’s default system routes.
True
Azure Route Tables let you create custom routes that dictate how packets should be routed within your virtual networks, allowing you to override Azure’s default system routes when necessary.
Which feature must be enabled to ensure low-latency network performance across global Azure regions?
- A) Azure Load Balancer
- B) Azure Application Gateway
- C) Azure Traffic Manager
- D) Azure ExpressRoute
C) Azure Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer that allows you to distribute traffic optimally to services across global Azure regions, ensuring low-latency performance.
True or False: Azure ExpressRoute enables you to set up a private connection to Azure services from an on-premises network.
True
Azure ExpressRoute provides a private, dedicated network connection from on-premises infrastructure to Azure services, bypassing the public internet.
When configuring a public IP address in Azure, which of the following SKUs are available?
- A) Basic only
- B) Standard only
- C) Basic and Standard
- D) Premium only
C) Basic and Standard
Azure provides two SKUs for public IP addresses: Basic and Standard, each with different features and pricing models.
True or False: You can associate a Network Security Group (NSG) with both a virtual network subnet and individual network interfaces (NICs) within the same virtual network.
True
NSGs can be associated with both subnets and NICs, allowing you to apply both broad and granular access control rules in your virtual network environment.
What is the main feature of Azure Front Door Service?
- A) Web Application Firewall
- B) DDoS protection
- C) Traffic load balancing and acceleration
- D) Virtual network peering
C) Traffic load balancing and acceleration
Azure Front Door Service is primarily a scalable and secure entry point for delivering fast, global web applications with features like SSL offloading, path-based load balancing, and acceleration.
Which of the following options best describes Azure Load Balancer?
- A) Regional load balancing service for on-premises servers
- B) Global DNS load balancer
- C) Regional load balancing service for incoming internet traffic
- D) Global traffic routing service for optimized content delivery
C) Regional load balancing service for incoming internet traffic
Azure Load Balancer is a regional Layer 4 (TCP, UDP) load balancer that can distribute incoming internet traffic among healthy service instances in the same region.
True or False: When you deploy an Azure Application Gateway, it automatically provides SSL/TLS termination by default.
True
Azure Application Gateway provides application-level routing and load balancing services which by default include the SSL/TLS termination feature for secure web traffic.
Interview Questions
What is a virtual network (VNet), and why is it important for an App Service in Azure?
A VNet is a logically isolated network that enables you to securely connect your web application to other resources in your Azure environment. It is important for an App Service in Azure to ensure that the application is secure and can communicate with other resources.
How can you create a virtual network (VNet) in Azure?
You can create a VNet in Azure by using the Azure portal or Azure PowerShell.
What are the VNet integration settings for an App Service in Azure?
The VNet integration settings for an App Service in Azure include the VNet, subnet, and IP address settings.
How can you configure VNet integration settings for an App Service in Azure?
You can configure VNet integration settings for an App Service in Azure by using the Azure portal.
What are access restrictions for an App Service in Azure?
Access restrictions for an App Service in Azure enable you to control access to your web application and restrict access from unauthorized users.
How can you configure access restrictions for an App Service in Azure?
You can configure access restrictions for an App Service in Azure by using the Azure portal.
What is the purpose of subnet and IP address settings in VNet integration for an App Service in Azure?
The subnet and IP address settings in VNet integration for an App Service in Azure enable you to define the specific network configuration for your web application.
Can you configure VNet integration for an App Service in Azure to connect to an on-premises network?
Yes, you can configure VNet integration for an App Service in Azure to connect to an on-premises network.
How can you restrict access to your App Service in Azure based on IP addresses?
You can restrict access to your App Service in Azure based on IP addresses by configuring access restrictions in the Azure portal.
What are the benefits of using VNet integration for an App Service in Azure?
The benefits of using VNet integration for an App Service in Azure include enhanced security, the ability to connect to other resources in your Azure environment, and improved network performance.
Can you integrate an App Service in Azure with multiple VNets?
Yes, you can integrate an App Service in Azure with multiple VNets.
Can you configure VNet integration for an existing App Service in Azure?
Yes, you can configure VNet integration for an existing App Service in Azure.
Can you change the VNet integration settings for an App Service in Azure?
Yes, you can change the VNet integration settings for an App Service in Azure at any time.
How can you troubleshoot VNet integration issues for an App Service in Azure?
You can troubleshoot VNet integration issues for an App Service in Azure by reviewing the App Service logs and the VNet integration settings in the Azure portal.
What are some other ways to secure an App Service in Azure besides VNet integration?
Other ways to secure an App Service in Azure include configuring SSL/TLS, using Azure Active Directory, and setting up role-based access control.
Great blog post! The steps you provided for configuring network settings in Azure were very clear.
Thanks for the detailed guide. Could someone explain more about setting up private endpoints?
For those preparing for the AZ-104 exam, understanding VNet peering is crucial. Don’t overlook it!
Could anyone clarify the difference between Network Security Groups (NSGs) and Application Security Groups (ASGs)?
What are some common pitfalls when configuring a VPN Gateway in Azure?
I passed my AZ-104 exam recently. Understanding how to configure network security is key!
Appreciate the blog post!
I found this part confusing. Any tips on configuring routing tables effectively?