Networking: IP Addresses/NSGs/Firewalls Flashcards

1
Q

Private vs Public IP Address. Usage:

A

Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.

Public IP addresses: Used for communication with the Internet, including Azure public-facing services.

2
Q

Static vs Dynamic Addressing (Public IP addresses)

A

Dynamic addresses are assigned only after a public IP address is associated to an Azure resource, and the resource is started for the first time.

Static addresses are assigned when a public IP address is created.

3
Q

Public IP Address - SKU Choice (Allowed IP Assignment Methods)

A

Basic SKU - static or dynamic

Standard SKU - static

4
Q

Public IP Address - SKU Choice (Security)

A

Basic SKU : Open by default

Standard SKU: Secure by default. Closed to inbound traffic

5
Q

Public IP Address - SKU Choice (available resources)

A

Basic SKU: Network interfaces, VPN Gateways, Application Gateways, and Internet-facing load balancers

Standard SKU: Network interfaces or public standard load balancers

6
Q

Public IP Address - SKU Choice (Redundancy)

A

Basic SKU: Not zone redundant

Standard SKU: Zone redundancy by default

7
Q

Private IP Address (available resources)

A

Virtual machine, internal load balancer, application gateway

8
Q

Static vs Dynamic Addressing (Private IP addresses)

A

Dynamic. Azure assigns the next available unassigned or unreserved IP address in the subnet’s address range.

Static. You select and assign any unassigned or unreserved IP address in the subnet’s address range.

9
Q

Azure Reserved IP Addresses within each subnet

A

x.x.x.0: Network address
x.x.x.1: Reserved by Azure for the default gateway
x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
x.x.x.255: Network broadcast address

10
Q

Network Security Group Rule Properties

A

Name
Priority
Port
Protocol (Any, TCP, UDP)
Source (Any, IP Addresses, Service tag)
Destination (Any, IP Addresses, Virtual Network)
Action (allow or deny)
11
Q

NSGs Default inbound rules

A

These rules deny all inbound traffic except from the virtual network and Azure load balancer

Priority, Name, Port, Protocol, Source, Destination, Action
65000, AllowVNetInBound, Any, Any, VirtualNetwork, VirtualNetwork, Allow
65001, AllowAzureLoadBalancerInBound, Any, Any, AzureLoadBalancer, Any, Allow
65500, DenyAllInBound, Any, Any, Any, Any, Deny

Note: Rules are evaluated in order of priority, highest priority first (a lower number means a higher priority), and the first matching rule decides.

12
Q

NSGs default outbound rules

A

The rules only allow outbound traffic to the Internet and the virtual network.

Priority, Name, Port, Protocol, Source, Destination, Action
65000, AllowVNetOutBound, Any, Any, VirtualNetwork, VirtualNetwork, Allow
65001, AllowInternetOutBound, Any, Any, Any, Internet, Allow
65500, DenyAllOutBound, Any, Any, Any, Any, Deny

13
Q

Determining NSG effective rules

A

NSGs are evaluated independently, and an “allow” rule must exist at both levels (i.e., subnet and NIC levels) otherwise traffic will not be allowed.

14
Q

Hub-and-Spoke network topology for deploying firewalls

A

Hub is a virtual network (containing Azure Firewall, VPN Gateway, Azure Bastion) in Azure that acts as a central point of connectivity to your on-premises network.

Spokes are virtual networks (containing resource subnets) that peer with the hub and can be used to isolate workloads.

Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.

15
Q

Firewall rules (NAT rules)

A

Each rule in the NAT rule collection is used to translate your firewall public IP and port to a private IP and port.

Name: A label for the rule.
Protocol: TCP or UDP.
Source Address: * (Internet), a specific Internet address, or a CIDR block.
Destination Address: The external address of the firewall that the rule will inspect.
Destination Ports: The TCP or UDP ports that the rule will listen to on the external IP address of the firewall.
Translated Address: The IP address of the service (virtual machine, internal load balancer, and so on) that privately hosts or presents the service.
Translated Port: The port that the inbound traffic will be routed to by the Azure Firewall.

16
Q

Firewall (Network rules)

A

Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule.

Name: A friendly label for the rule.
Protocol: TCP, UDP, ICMP (ping and traceroute) or Any.
Source Address: The address or CIDR block of the source.
Destination Addresses: The addresses or CIDR blocks of the destination(s).
Destination Ports: The destination port of the traffic.

17
Q

Firewall rules (Application rules)

A

Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet.

Name: A friendly label for the rule.
Source Addresses: The IP address of the source.
Protocol:
Port: HTTP/HTTPS and the port that the web server is listening on.
Target FQDNs: The domain name of the service, such as www.contoso.com. Wildcards can be used. An FQDN tag represents a group of FQDNs associated with well known Microsoft services. Example FQDN tags include Windows Update, App Service Environment, and Azure Backup.

18
Q

Firewall rule processing.

A

Network rules first, then Application rules.

19
Q

Public IP Addresses

A

Use a public IP address for public-facing services.

20
Q

Dynamic public IP addresses

A

are assigned addresses that can change over the lifespan of the Azure resource. (The dynamic IP address is allocated when you create or start a VM. The IP address is released when you stop or delete the VM.)

21
Q

Static public IP addresses

A

are assigned addresses that won’t change over the lifespan of the Azure resource.

22
Q

Public IP Addresses - Basic vs Standard SKU

A

Basic - always open, available for inbound traffic only, no availability zones, no routing preferences

Standard - always use static allocation, are secure (closed to inbound traffic by default), support routing preferences

23
Q

Public IP Address Prefix

A

a reserved, static range of public IP addresses.

When you define a Public IP address prefix, associated public IP addresses are assigned from a pool for an Azure region.

The benefit of a public IP address prefix is that you can specify firewall rules for a known range of IP addresses.

You create a public IP address prefix by specifying a name and prefix size. The prefix size is the number of reserved addresses available for use.

24
Q

Private IP Addresses

A

are used for communication within an Azure Virtual Network, including virtual networks and your on-premises networks

25
Q

Dynamic private IP addresses

A

are assigned through a DHCP lease and can change over the lifespan of the Azure resource.

26
Q

Static private IP addresses

A

are assigned through a DHCP reservation and don’t change throughout the lifespan of the Azure resource. Static private IP addresses persist if a resource is stopped or deallocated.