Tutorial / Cram Notes
Virtual networks (VNets) and subnets are fundamental components when setting up an Azure environment, providing the backbone for network communication within Azure as well as between Azure and on-premises networks. As a prospective AZ-104 Microsoft Azure Administrator, understanding how to create and configure these is essential.
Creating and Configuring Azure Virtual Networks (VNets)
An Azure Virtual Network provides a private network in the cloud, with full control over IP address ranges, DNS settings, security policies, and routing. To create a VNet:
- Sign in to the Azure portal.
- In the search bar, type ‘Virtual Network’ and select it.
- Click on ‘Create’ to start the configuration process.
- Select the appropriate subscription and resource group or create a new one, if necessary.
- Now, enter a name for your VNet and select the region.
- Specify the IP address range for the VNet using CIDR notation like 10.1.0.0/16. Ensure the range does not overlap with other networks you need to connect with.
Advanced settings can be configured as required, including DNS servers and whether to enable or disable the Azure system route.
After validating the inputs, click ‘Create’ to deploy your VNet. The deployment can take a few minutes.
Configuring Subnets within VNets
Once a virtual network is established, you can configure subnets, which divide the network into one or more segments, improving organization, security, and efficiency.
- Navigate to the VNet you’ve created and select ‘Subnets’ from the options.
- Click on ‘+ Subnet’ to add a new subnet.
- Provide a name for your subnet.
- Define the subnet’s address range, selecting a subset of the address space defined for the VNet. For instance, 10.1.1.0/24.
- Configure any required settings like Network Security Group (NSG) or routing table.
- Save the configuration.
Creating a subnet effectively breaks up your address space into useable blocks, where each can have its own security and configurations. For instance, you might have separate subnets for frontend services, backend services, and a database layer, each with different access controls and policies.
Security with Network Security Groups and Route Tables
You can secure and control the flow of traffic in and out of VNets and subnets using Network Security Groups (NSGs) and Route Tables.
- NSGs contain a list of security rules that allow or deny network traffic to resources connected to Azure VNets. These can be associated with either subnets or individual VM network interfaces (NICs).
- Route Tables define how packets are forwarded within the VNet and to external destinations. Routing tables are associated with subnets and can be modified to create custom routes.
Connectivity Options
Azure VNets can also be connected to other VNets or on-premises networks using various connectivity options:
- VNet-to-VNet allows you to connect two VNets in the same or different regions.
- Site-to-Site VPN is for connecting on-premises networks to Azure over an IPsec VPN tunnel.
- ExpressRoute offers a private connection from an on-premises network to Azure VNets, bypassing the internet for greater reliability and speeds.
An Example Scenario: Deploying a Three-Tier Application
| Component | Subnet Name | Subnet Address Range | Purpose |
|---|---|---|---|
| Web tier | WebSubnet | 10.1.1.0/24 | To host VMs for the frontend |
| Business tier | BusinessSubnet | 10.1.2.0/24 | To host application logic VMs |
| Data tier | DataSubnet | 10.1.3.0/24 | To host databases and storage |
| Gateway subnet | GatewaySubnet | 10.1.255.0/27 | For the VPN or ExpressRoute gateway |
After configuring the VNets and subnets, you would then associate appropriate NSGs with each subnet, defining rules that allow traffic only on necessary ports (e.g., HTTP/HTTPS for the WebSubnet).
In this setup, clear separation of duties is maintained, and security boundaries are defined at the network level, which aligns with Azure best practices and provides a robust environment for deploying applications.
Best Practices for VNets and Subnets:
- Plan IP addressing carefully to avoid conflicts and ensure scalability.
- Secure and restrict access to subnets using NSGs.
- Use service endpoints to securely connect to Azure services.
- When connecting to on-premises networks, consider high-availability options such as redundant VPN connections or ExpressRoute.
In summary, mastery over the creation, configuration, and management of VNets and subnets is vital for Azure Administrators and the AZ-104 exam. By understanding how to implement these components in Azure, administrators can design and build secure, scalable networks tailored to the needs of any organization.
Practice Test with Explanation
True or False: Azure Virtual Networks (VNet) can span multiple Azure regions.
- False
An Azure Virtual Network is scoped to a single Azure region; however, multiple virtual networks from different regions can be connected using VNet peering.
Which of the following is a valid IPv4 address space for Azure virtual networks?
- A) 0/8
- B) 0/24
- C) 0/4
- D) 0/16
B) 0/24
0/24 is within the range of private IPv4 addresses that can be used in Azure VNet. The others are reserved for special purposes such as loopback (A), multicast (C), and link-local (D).
True or False: Network Security Groups (NSGs) can be applied to subnets within an Azure Virtual Network.
- True
NSGs can be associated with either subnets or individual VM instances within a VNet to filter network traffic.
What is the minimum subnet size you can create within an Azure VNet?
- A) /30
- B) /29
- C) /28
- D) /27
B) /29
The smallest subnet you can create within an Azure VNet is a /29, which provides up to 3 usable IP addresses for VMs and other resources.
True or False: When you delete a VNet, all the resources connected to it are automatically deleted.
- False
Deleting a VNet does not automatically delete the resources within it. You must delete or dissociate resources like VMs before deleting the VNet.
True or False: Azure Virtual Networks are automatically connected to the internet.
- True
By default, Azure VNets have outbound connectivity to the internet, and inbound connectivity can be configured.
When creating a VNet peering between two virtual networks, what must be ensured about their IP address spaces?
- A) They must overlap.
- B) They must be identical.
- C) They must be from different address families.
- D) They must not overlap.
D) They must not overlap.
VNet peering requires that the IP address spaces of the VNets do not overlap to prevent routing issues.
Multiple select: Which of the following can be used to connect VNets to on-premises networks?
- A) Azure VPN Gateway
- B) Network Security Groups
- C) Azure ExpressRoute
- D) VNet peering
A) Azure VPN Gateway, C) Azure ExpressRoute
Azure VPN Gateway and Azure ExpressRoute are both services to connect VNets to on-premises networks. NSGs are used for filtering traffic, and VNet peering is for connecting VNets within Azure.
True or False: VNet peering connections are non-transitive by default.
- True
By default, VNet peering is non-transitive, which means you cannot route traffic through a peered VNet to a third VNet. You need to establish peering individually.
In an Azure Virtual Network, what is the purpose of a service endpoint?
- A) To act as a connection point for ExpressRoute
- B) To provide a direct connection to Azure PaaS services from a subnet
- C) To connect to on-premises datacenters
- D) To act as a gateway for internet access
B) To provide a direct connection to Azure PaaS services from a subnet
Service endpoints provide secure and direct connectivity to Azure PaaS services over the Azure backbone network.
True or False: A subnet can be moved to another VNet after it has been created.
- False
Once a subnet is created in a particular VNet, it cannot be moved to another VNet. You must delete and recreate it in the desired VNet if needed.
Which of the following is NOT a feature of the Azure Load Balancer?
- A) Forward traffic to a specific VM based on rules
- B) Distribute network traffic across multiple VMs
- C) Apply network security rules to traffic
- D) Provide a public IP address for inbound connectivity
C) Apply network security rules to traffic
Applying network security rules is a function of Network Security Groups, not the Azure Load Balancer. The Load Balancer is responsible for balancing traffic and providing public IP addresses.
Interview Questions
What is a virtual network in Azure?
A virtual network in Azure is a logically isolated network that provides a secure environment to run your resources.
What are some benefits of using a virtual network in Azure?
Some benefits of using a virtual network in Azure include increased security, network traffic management, and scalability.
How do you create a virtual network in Azure using the portal?
To create a virtual network in Azure using the portal, you can follow the quick-create guide found in the Azure documentation.
What is a subnet in Azure?
A subnet in Azure is a range of IP addresses in your virtual network that can be used to isolate and manage network traffic.
How do you manage subnets in Azure?
To manage subnets in Azure, you can navigate to the Subnets service in the Azure portal and configure subnet settings as needed.
What are some features of subnet management in Azure?
Some features of subnet management in Azure include address space configuration, network security group configuration, and service endpoints configuration.
How do you extend a subnet in Azure?
To extend a subnet in Azure, you can navigate to the Subnets service in the Azure portal, select the subnet you want to extend, and add a new “Gateway subnet” with the desired address space and name.
What is the purpose of a network security group in Azure?
A network security group in Azure is a way to filter network traffic and enforce security rules for resources in your virtual network.
How can you configure a network security group in Azure?
You can configure a network security group in Azure by creating a new security group, specifying the security rules, and associating the security group with your virtual network.
What is an Azure Virtual Network Gateway?
An Azure Virtual Network Gateway is a type of virtual network resource that allows you to connect your virtual network to other virtual networks, on-premises networks, or the Internet.
How can you monitor and analyze network traffic in Azure?
You can monitor and analyze network traffic in Azure using the Azure Network Watcher service, which provides tools for troubleshooting and diagnosing network issues.
How can you configure a custom DNS server in Azure?
You can configure a custom DNS server in Azure by creating a new DNS zone and specifying the custom DNS server’s IP address in the virtual network settings.
Can you create a virtual network in Azure using PowerShell or the Azure CLI?
Yes, you can create a virtual network in Azure using PowerShell or the Azure CLI.
What is the maximum number of subnets you can create in a single virtual network in Azure?
The maximum number of subnets you can create in a single virtual network in Azure is 4096.
Can you change the address space of a subnet in Azure after it has been created?
No, you cannot change the address space of a subnet in Azure after it has been created. You will need to delete and recreate the subnet with the desired address space.
Great post on configuring virtual networks and subnets! Very helpful for my AZ-104 prep.
This blog really clarified the difference between Azure VNet and Subnets for me.
Can anyone provide more detail on NSG (Network Security Groups) and their role in virtual networks?
I found the section on routing tables a bit confusing. Could someone explain it in simpler terms?
Does anyone know if there are limitations on the number of virtual networks you can create in Azure?
Super useful information on subnets! Just what I needed.
Appreciate the detailed walkthrough.
What’s the best practice for subnetting a VNet?