AZ-104: Configure and manage virtual networks for Azure administrators Flashcards
(185 cards)
1
Q
What is Azure virtual networking?
A
Azure virtual networks enable Azure resources, such as virtual machines, web apps, and databases, to communicate with: each other, users on the Internet, and on-premises client computers. You can think of an Azure network as a set of resources that links other Azure resources
2
Q
Isolation and segmentation
A
Azure allows you to create multiple isolated virtual networks. When you set up a virtual network, you define a private Internet Protocol (IP) address space, using either public or private IP address ranges. You can then segment that IP address space into subnets, and allocate part of the defined address space to each named subnet.
For name resolution, you can use the name resolution service that’s built in to Azure, or you can configure the virtual network to use either an internal or an external Domain Name System (DNS) server
3
Q
Internet communications
A
A VM in Azure can connect out to the Internet by default. You can enable incoming connections from the Internet by defining a public IP address or a public load balancer. For VM management, you can connect via the Azure CLI, Remote Desktop Protocol (RDP), or Secure Shell (SSH
4
Q
Communicate between Azure resources
A
Virtual networks
Virtual networks can connect not only VMs, but other Azure resources, such as the App Service Environment, Azure Kubernetes Service, and Azure virtual machine scale sets.
Service endpoints
You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks, thereby improving security and providing optimal routing between resources
5
Q
Communicate with on-premises resources
A
Point-to-site Virtual Private Networks
This approach is like a Virtual Private Network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it’s working in the opposite direction. In this case, the client computer initiates an encrypted VPN connection to Azure, connecting that computer to the Azure virtual network
6
Q
Communicate with on-premises resources 2
A
Site-to-site Virtual Private Networks A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the Internet
7
Q
Communicate with on-premises resources 3
A
Azure ExpressRoute
For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. Azure ExpressRoute provides dedicated private connectivity to Azure that does not travel over the Internet
8
Q
Route tables
A
A route table allows you to define rules as to how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.
9
Q
Border Gateway Protocol (BGP
A
Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks
10
Q
Connect virtual networks / network peering
A
You can link virtual networks together using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, allowing you to create a global interconnected network through Azure
11
Q
Address overlapping
A
Can’t have two address spaces overlapping in the same virtual network
12
Q
Subnet
A
Subnet names must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
13
Q
Network security group
A
Network security group
Network security groups have security rules that enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. You create the network security group separately, and then associate it with the virtual network.
14
Q
What is a VPN gateway?
A
An Azure virtual network gateway provides an endpoint for incoming connections from on-premises locations to Azure over the Internet
Each virtual network can have only one VPN gateway. All connections to that VPN gateway share the available network bandwidth
15
Q
gateway type
A
A key setting is the gateway type. The gateway type determines the way the gateway functions. For a VPN gateway, the gateway type is “vpn”. Options for VPN gateways includ
16
Q
Plan a VPN gateway
A
When you’re planning a VPN gateway, there are three architectures to consider:
Point to site over the Internet
Site to site over the Internet
Site to site over a dedicated network, such as Azure ExpressRoute
17
Q
Design considerations
A
When you design your VPN gateways to connect virtual networks, you must consider the following factors:
Subnets cannot overlap
It is vital that a subnet in one location does not contain the same address space as in another location.
IP addresses must be unique
You cannot have two hosts with the same IP address in different locations, as it will be impossible to route traffic between those two hosts and the network-to-network connection will fail.
VPN gateways need a gateway subnet called GatewaySubnet
It must have this name for the gateway to work, and it should not contain any other resources.
18
Q
Create a VPN gateway
A
RouteBased
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. Route-based connections are typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
19
Q
Create a VPN gateway 2
A
PolicyBased
Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. A policy-based connection is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
20
Q
Azure ExpressRoute
A
Microsoft Azure ExpressRoute enables organizations to extend their on-premises networks into the Microsoft Cloud over a private connection implemented by a connectivity provider. This arrangement means that the connectivity to the Azure datacenters doesn’t go over the Internet but across a dedicated link. ExpressRoute also facilitates efficient connections with other Microsoft cloud-based services, such as Microsoft 365 and Dynamics 365
21
Q
ExpressRoute connectivity models
A
IP VPN network (any-to-any)
Virtual cross-connection through an Ethernet exchange
Point-to-point Ethernet connection
22
Q
What is layer 3 connectivity?
A
Microsoft uses an industry-standard dynamic routing protocol (BGP) to exchange routes between your on-premises network, your instances in Azure, and Microsoft public addresses. We establish multiple BGP sessions with your network for different traffic profiles.
23
Q
Any-to-any (IPVPN) networks
A
IPVPN providers typically provide connectivity between branch offices and your corporate datacenter over managed layer 3 connections. With ExpressRoute, the Azure datacenters appear as if they were another branch office
24
Q
Virtual cross-connection through an Ethernet Exchange
A
If your organization is co-located with a cloud exchange facility, you request cross-connections to the Microsoft Cloud through your provider’s Ethernet exchange. These cross-connections to the Microsoft Cloud can operate at either layer 2 or layer 3 managed connections, as in the networking OSI model
25
Point-to-point Ethernet connection
Point-to-point Ethernet links can provide layer 2 or managed layer 3 connections between your on-premises datacenters or offices to the Microsoft Cloud
26
What are ExpressRoute circuits
What are ExpressRoute circuits
An ExpressRoute circuit is the logical connection between your on-premises infrastructure and the Microsoft Cloud
An ExpressRoute circuit isn't equivalent to a network connection or a network device. Each circuit is defined by a GUID, called a service or s-key. This s-key provides the connectivity link between Microsoft, your connectivity provider, and your organization - it isn't a cryptographic secret. Each s-key has a one-to-one mapping to an Azure ExpressRoute circuit
27
Routing domains
ExpressRoute circuits then map to routing domains, with each ExpressRoute circuit having multiple routing domains. These domains are the same as the two peerings listed above. In an active-active configuration, each pair of routers would have each routing domain configured identically, thus providing high availability. The Azure private peering names represent the IP addressing schemes
28
Azure private peering
Azure private peering connects to Azure compute services such as virtual machines and cloud services that are deployed with a virtual network. As far as security goes, the private peering domain is simply an extension of your on-premises network into Azure
You can connect only one virtual network to the private peering domain
29
Microsoft peering
Microsoft peering supports connections to cloud-based SaaS offerings, such as Microsoft 365 and Dynamics 365. This peering option provides bi-directional connectivity between your company's WAN and Microsoft cloud services.
30
ExpressRoute health
As with most features in Microsoft Azure, you can monitor ExpressRoute connections to ensure that they are performing satisfactorily. Monitoring includes coverage of the following areas:
Availability
Connectivity to virtual networks
Bandwidth utilization
The key tool for this monitoring activity is Network Performance Monitor, particularly NPM for ExpressRoute.
31
Azure Ip Addressing
In Azure, you typically would implement a network security group and a firewall. You use subnets to isolate front-end services, including web servers and DNS, and back-end services like databases and storage systems
32
Basic properties of Azure virtual networks
A virtual network is your network in the cloud. You can divide your virtual network into multiple subnets. Each subnet has a portion of the IP address space that is assigned to your virtual network. You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed in it.
33
Basic properties of Azure virtual networks
The smallest subnet that is supported uses a /29 subnet mask. The largest supported subnet uses a /8 subnet mask
34
Address overlapping
There can be no IP address overlap for interconnected networks
35
10. 0.0.0 to 10.255.255.255
172. 16.0.0 to 172.31.255.255
192. 168.0.1 to 192.168.255.255
not routable over the internet
36
Public IP addresses
Basic IP
Basic IPs are open by default. We recommend that you use network security groups to restrict inbound or outbound traffic.
They do not support availability zone scenarios. You must use a Standard SKU public IP for an availability zone scenario
37
Standard Public IP
Standard IPs are secure by default and closed to inbound traffic. You must explicitly allow inbound traffic by using a network security group
Standard IPs are zone-redundant by default and optionally zonal (they can be created zonal and guaranteed in a specific availability zone)
38
Public IP 2
Public IP addresses can't be moved between regions; all IP addresses are region-specific. If your business needs to have datacenters in different regions, you would have a different public IP address range for each region. You can use technology like Azure Traffic Manager to balance between region-specific instances
To ensure a static range of public IP addresses, you can create a public IP address prefix. You can't specify the addresses when you create the prefix, but after the prefix is created, the addresses will be fixed
39
classless inter-domain routing (CIDR) format
CIDR is a way to represent a block of network IP addresses. An IPv4 CIDR, specified as part of the IP address, shows the length of the network prefix
40
Subnet
The address range can't overlap with other subnets in the virtual network or with the on-premises network
41
azure reserved address
The first three IP addresses are reserved for all subnets by default in Azure. For protocol conformance, the first and last IP addresses of all subnets also are reserved. An internal DHCP service within Azure assigns and maintains the lease of IP addresses. The .1, .2, .3, and last IP addresses are not visible or configurable by the Azure customer. These addresses are reserved and used by internal Azure services
Remember that Azure uses the first three addresses on each subnet. The first and last IP addresses of the subnets also are reserved for protocol conformance. Therefore, the number of possible addresses on an Azure subnet is 2^n-5, where n represents the number of host bits
42
Connect services by using virtual network peering
In peered virtual networks, traffic between virtual machines is routed through the Azure network. The traffic uses only private IP addresses. It doesn't rely on internet connectivity, gateways, or encrypted connections. The traffic is always private, and it takes advantage of the high bandwidth and low latency of the Azure backbone network
43
types of peering connections
Virtual network peering connects virtual networks in the same Azure region, such as two virtual networks in North Europe.
Global virtual network peering connects virtual networks that are in different Azure regions, such as a virtual network in North Europe and a virtual network in West Europe
44
Reciprocal connections
you have to create connections in each virtual network.
45
Cross-subscription virtual network peering
When you use virtual network peering across subscriptions, you might find that an administrator of one subscription doesn't administer the peer network's subscription. The administrator might not be able to configure both ends of the connection. To peer the virtual networks when both subscriptions are in different Azure Active Directory tenants, the administrators of each subscription must grant the peer subscription's administrator the Network Contributor role on their virtual network
46
Transitivity
Virtual network peering is nontransitive. Only virtual networks that are directly peered can communicate with each other. The virtual networks can't communicate with the peers of their peers.
for example, that your three virtual networks (A, B, C) are peered like this: A B C. Resources in A can't communicate with resources in C because that traffic can't transit through virtual network B. If you need communication between virtual network A and virtual network C, you must explicitly peer these two virtual networks
47
Gateway transit
You can configure transitive connections on-premises if you use virtual network gateways as transit points. Using gateway transit, you can enable on-premises connectivity without deploying virtual network gateways to all your virtual networks. This method might reduce cost and complexity. By using gateway peering, you can configure a single virtual network as a hub network. Connect this hub network to your on-premises datacenter and share its virtual network gateway with peers.
48
Overlapping address spaces
IP address spaces of connected networks within Azure and between Azure and your on-premises system can't overlap. This is also true for peered virtual networks. Keep this rule in mind when you're planning your network design. In any networks you connect through virtual network peering, VPN, or ExpressRoute, assign different address spaces that don't overlap
49
VPNs use the internet to connect your on-premises datacenter to the Azure backbone through an encrypted tunnel. You can use a site-to-site configuration to connect virtual networks together through VPN gateways. VPN gateways have higher latency than virtual network peering setups. They're more complex to manage, and they can cost more.
When virtual networks are connected through both a gateway and virtual network peering, traffic flows through the peering configuration
VPN
50
command to peer connections
az network vnet peering create \
> --name SalesVNet-To-MarketingVNet \
> --remote-vnet MarketingVNet \
> --resource-group learn-65e72839-7c90-4f1b-b29a-cbbdebc8dab7 \
> --vnet-name SalesVNet \
> --allow-vnet-access
51
Network security groups
Network security groups filter network traffic to and from Azure resources. Network security groups contain security rules that you configure to allow or deny inbound and outbound traffic. You can use network security groups to filter traffic between VMs or subnets, both within a virtual network and from the internet
52
Network security group assignment and evaluation
Network security groups are assigned to a network interface or a subnet. When you assign a network security group to a subnet, the rules apply to all network interfaces in that subnet. You can restrict traffic further by associating a network security group to the network interface of a VM
53
Network security group assignment and evaluation 2
Inbound traffic is first evaluated by the network security group applied to the subnet, and then by the network security group applied to the network interface. Conversely, outbound traffic from a VM is first evaluated by the network security group applied to the network interface, and then by the network security group applied to the subnet
54
Network security group assignment and evaluation 3
Each subnet and network interface can have one network security group applied to it. Network security groups support TCP, UDP, and ICMP, and operate at Layer 4 of the OSI model
55
processing rules by rule number
For example, suppose your company has created a security rule to allow inbound traffic on port 3389 (RDP) to your web servers, with a priority of 200. Next, suppose that another admin has created a rule to deny inbound traffic on port 3389, with a priority of 150. The deny rule takes precedence, because it's processed first. The rule with priority 150 is processed before the rule with priority 200
56
Default security rules
When you create a network security group, Azure creates several default rules. These default rules can't be changed, but can be overridden with your own rules. These default rules allow connectivity within a virtual network and from Azure load balancers. They also allow outbound communication to the internet, and deny inbound traffic from the internet.
57
Service tags
You use service tags to simplify network security group security even further. You can allow or deny traffic to a specific Azure service, either globally or per region
Service tags represent a group of IP addresses, and help simplify the configuration of your security rules. For resources that you can specify by using a tag, you don't need to know the IP address or port details.
58
Virtual network service endpoints
Use virtual network service endpoints to extend your private address space in Azure by providing a direct connection to your Azure services. Service endpoints let you secure your Azure resources to only your virtual network. Service traffic will remain on the Azure backbone, and doesn't go out to the internet
59
How service endpoints work
To enable a service endpoint, you must do the following two things:
Turn off public access to the service.
Add the service endpoint to a virtual network.
When you enable a service endpoint, you restrict the flow of traffic, and enable your Azure VMs to access the service directly from your private address space. Devices cannot access the service from a public network. On a deployed VM vNIC, if you look at Effective routes, you'll notice the service endpoint as the Next Hop Type
60
Service endpoints and hybrid networks
Service resources that you've secured by using virtual network service endpoints are not, by default, accessible from on-premises networks. To access resources from an on-premises network, use NAT IPs. If you use ExpressRoute for connectivity from on-premises to Azure, you have to identify the NAT IP addresses that are used by ExpressRoute. By default, each circuit uses two NAT IP addresses to connect to the Azure backbone network. You then need to add these IP addresses into the IP firewall configuration of the Azure service resource (for example, Azure Storage)
61
What is Azure Bastion?
Azure Bastion provides a secure remote connection from the Azure portal to Azure virtual machines (VMs) over Transport Layer Security (TLS). Provision Azure Bastion to the same Azure virtual network as your VMs or to a peered virtual network. Then connect to any VM on that virtual network or a peered virtual network directly from the Azure portal
62
Provide secure RDP and SSH connectivity to an internal VM
You can use Azure Bastion to easily open an RDP or SSH session from the Azure portal to a VM that's not publicly exposed. Azure Bastion connects to your virtual machines over private IP. You don't have to expose RDP ports, SSH ports, or public IP addresses for your internal VMs
63
Azure Bastion Key Features
Traffic initiated from Azure Bastion to target virtual machines stays within the virtual network or between peered virtual networks.
There's no need to apply NSGs to the Azure Bastion subnet, because it's hardened internally. For additional security, you can configure NSGs to allow only remote connections to the target virtual machines from the Azure Bastion host.
Azure Bastion helps protect against port scanning. RDP ports, SSH ports, and public IP addresses aren't publicly exposed for your VMs.
Azure Bastion helps protect against zero-day exploits. It sits at the perimeter of your virtual network. So you don't need to worry about hardening each of the virtual machines in your virtual network. The Azure platform keeps Azure Bastion up to date.
The service integrates with native security appliances for an Azure virtual network, like Azure Firewall.
You can use the service to monitor and manage remote connections
64
How does Azure Bastion work?
An Azure Bastion deployment is per virtual network or peered virtual network. It's not per subscription, account, or virtual machine (VM). After you provision an Azure Bastion service in your virtual network, the RDP or SSH experience is available to all your VMs in the same virtual network
65
How does Azure Bastion work? 2
Browser connects to the Azure Bastion host. The browser connects to Azure Bastion over the internet by using Transport Layer Security (TLS) and the public IP of the Azure Bastion host. Azure Gateway Manager manages portal connections to the Azure Bastion service on port 443 or 4443.
Bastion connects to the VM by using RDP or SSH. Azure Bastion is deployed in a separate subnet called AzureBastionSubnet within the virtual network. You create the subnet when you deploy Azure Bastion. The subnet can have address spaces with a /27 subnet mask or larger. Don't deploy other Azure resources to this subnet or change the subnet name.
Bastion streams the VM to the browser. Azure Bastion uses an HTML5-based web client that's automatically streamed to your local device. The Azure Bastion service packages the session information by using a custom protocol. The packages are transmitted through TLS
66
Verify Azure Bastion
Direction Allow
Inbound RDP and SSH connections from the Azure Bastion subnet IP address range to your VM subnet.
Inbound TCP access from the internet on port 443 to the Azure Bastion public IP.
Inbound TCP access from Azure Gateway Manager on ports 443 or 4443. Azure Gateway Manager manages portal connections to the Azure Bastion service.
Outbound TCP access from the Azure platform on port 443. This traffic is used for diagnostic logging.
67
Deploy an Azure Bastion host in the Azure portal
Before you can deploy Azure Bastion, you need a virtual network. You can use an existing virtual network or deploy Azure Bastion as you create a virtual network. Create a subnet in the virtual network called AzureBastionSubnet. If you have a VM that's on the same or a peered virtual network, you complete the deployment in the Azure portal by selecting Azure Bastion when you connect to the VM
68
Configure diagnostic settings to generate audit logs
Azure Bastion can log information about remote user sessions. Review the logs to see who connected to which workloads, at what time, from where, and other relevant logging information.
To generate these logs, you must configure diagnostic settings on Azure Bastion. It can take several hours for the logs to stream to a storage account. The following sections show you how to configure Azure Bastion diagnostic settings so you can try this in your own subscription later.
69
What is Azure DNS?
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
In this unit, you'll learn what DNS is and how it works. Then learn about Azure DNS, and why you would use it.
70
How does DNS work?
A DNS server carries out one of two primary functions:
Maintains a local cache of recently accessed or used domain names and their IP addresses. This cache provides a faster response to a local domain lookup request. If the DNS server can't find the requested domain, it passes the request to another DNS server. This process repeats at each DNS server until either a match is made, or the search times out.
Maintains the key-value pair database of IP addresses and any host or subdomain that the DNS server has authority over. This function is often associated with mail, web, and other internet domain services
71
DNS server assignment
In order for a computer, server, or other network-enabled device to access web-based resources, it must reference a DNS server.
When you connect by using your on-premises network, the DNS settings come from your server. When you connect by using an external location, like a hotel, the DNS settings come from the internet service provider (ISP).
72
DNS settings for your domain
As the administrator for your company, you want to set up a DNS server by using Azure DNS. In this instance, the DNS server will act as a start of authority (SOA) for your domain
73
DNS record types
A is the host record, and is the most common type of DNS record. It maps the domain or host name to the IP address.
CNAME is the canonical name, or the alias for an A record. If you had different domain names that all accessed the same website, you would use CNAME.
MX is the mail exchange record. It maps mail requests to your mail server, whether hosted on-premises or in the cloud.
TXT is the text record. It's used to associate text strings with a domain name. Azure and Microsoft 365 use TXT records to verify domain ownership.
The SOA and NS records are created automatically when you create a DNS zone by using Azure DNS.
74
What is Azure DNS? 2
Azure DNS allows you to host and manage your domains by using a globally distributed name server infrastructure. It allows you to manage all of your domains by using your existing Azure credentials.
Azure DNS acts as the SOA for the domain.
You can't use Azure DNS to register a domain name. You use a third-party domain registrar to register your domain
75
Security features Azure DNS
Security features
Azure DNS provides the following security features:
Role-based access control, which gives you fine-grained control over users' access to Azure resources. You can monitor their usage, and control the resources and services they have access to.
Activity logs, which let you track changes to a resource, and pinpoint where faults occurred.
Resource locking, which gives a greater level of control to restrict or remove access to resource groups, subscriptions, or any Azure resources.
76
Ease of use
Ease of use
Azure DNS can manage DNS records for your Azure services, and provide DNS for your external resources. Azure DNS uses your same Azure credentials, support contract, and billing as your other Azure services.
You can manage your domains and records by using the Azure portal, Azure PowerShell cmdlets, or the Azure CLI. Applications that require automated DNS management can integrate with the service by using the REST API and SDKs.
77
Private domains
Azure DNS handles the translation of external domain names to an IP address. Azure DNS lets you create private zones. These provide name resolution for virtual machines (VMs) within a virtual network, and between virtual networks, without having to create a custom DNS solution. This allows you to use your own custom domain names rather than the Azure-provided names
78
Private domains 2
To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone.
Private DNS zones have the following benefits:
There's no need to invest in a DNS solution. DNS zones are supported as part of the Azure infrastructure.
All DNS record types are supported: A, CNAME, TXT, MX, SOA, AAAA, PTR, and SVR.
Host names for VMs in your virtual network are automatically maintained.
Split-horizon DNS support allows the same domain name to exist in both private and public zones. It resolves to the correct one based on the originating request location
79
START OF AUTHORITY
To verify the success of the domain delegation, query the start of authority (SOA) record. The SOA record was automatically created when the Azure DNS zone was set up. You can do this by using a third-party tool, like nslookup.
80
Link your virtual network to a private DNS zone
Link your virtual network to a private DNS zone
To link the private DNS zone to a virtual network, you create a virtual network link. In the Azure portal, go to the private zone and select Virtual network links
81
DNS zone
The DNS zone holds all the configuration records associated with your domain
82
note
By default, the NS and SOA records are automatically created. The NS record defines the Azure DNS name spaces and contains the four Azure DNS record sets. You use all four record sets when you update the registrar.
The SOA record represents your domain, and is used when other DNS servers are searching for your domain.
Make a note of the NS record values. You need them in the next section
83
A record
The primary record to create is the A record. This record contains the pairing between the IP address and the domain name. The A record can have multiple entries, called record sets. In record sets, the domain name remains constant, while the IP addresses are different
84
What is an apex domain?
The apex domain is the highest level of your domain. In our case, that's wideworldimports.com. Note that the apex domain is also sometimes referred to as the zone apex or root apex. It's often represented by the @ symbol in your DNS zone records.
If you check the DNS zone for wideworldimports.com, you'll see there are two apex domain records: NS and SOA. The NS and SOA records are automatically created when you created the DNS zone.
CNAME records that you might need for an Azure Traffic Manager profile or Azure Content Delivery Network endpoints aren't supported at the zone apex level. Alias records are supported at the zone apex level
85
What are alias records?
Azure alias records enable a zone apex domain to reference other Azure resources from the DNS zone. You don't need to create complex redirection policies. You can also use an Azure alias to route all traffic through Traffic Manager.
The Azure alias record can point to the following Azure resources:
A Traffic Manager profile
Azure Content Delivery Network endpoints
A public IP resource
A front door profile
You know that the A record and CNAME record don't support direct connection to Azure resources like your load balancers. You've been tasked with finding out how to link the apex domain with a load balancer
86
Uses for alias records
Prevents dangling DNS records: A dangling DNS record occurs when the DNS zone records aren't up-to-date with changes to IP addresses. Alias records prevent dangling references by tightly coupling the lifecycle of a DNS record with an Azure resource.
Updates DNS record set automatically when IP addresses change: When the underlying IP address of a resource, service, or application is changed, the alias record ensures that any associated DNS records are automatically refreshed.
Hosts load-balanced applications at the zone apex: Alias records allow for zone apex resource routing to Traffic Manager.
Points zone apex to Azure Content Delivery Network endpoints: With alias records, you can now directly reference your Azure Content Delivery Network instance.
87
network virtual appliance (NVA)
network virtual appliance (NVA)
88
Azure routing
Network traffic in Azure is automatically routed across Azure subnets, virtual networks, and on-premises networks. This routing is controlled by system routes, which are assigned by default to each subnet in a virtual network. With these system routes, any Azure virtual machine that is deployed to a virtual network can communicate with all other Azure virtual machines in subnets in that network. These virtual machines are also potentially accessible from on-premises through a hybrid network or the internet
89
Virtual network gateway
Use a virtual network gateway to send encrypted traffic between Azure and on-premises over the internet and to send encrypted traffic between Azure networks. A virtual network gateway contains routing tables and gateway services.
90
Virtual network service endpoint
Virtual network endpoints extend your private address space in Azure by providing a direct connection to your Azure resources. This connection restricts the flow of traffic: your Azure virtual machines can access your storage account directly from the private address space and deny access from a public virtual machine. As you enable service endpoints, Azure creates routes in the route table to direct this traffic
91
User-defined routes
you use a user-defined route to override the default system routes so that traffic can be routed through firewalls or NVA
92
Virtual appliance
A virtual appliance is typically a firewall device used to analyze or filter traffic that is entering or leaving your network. You can specify the private IP address of a NIC attached to a virtual machine so that IP forwarding can be enabled. Or you can provide the private IP address of an internal load balancer.
93
Virtual network gateway
Use to indicate when you want routes for a specific address to be routed to a virtual network gateway. The virtual network gateway is specified as a VPN for the next hop type
94
Border gateway protocol
A network gateway in your on-premises network can exchange routes with a virtual network gateway in Azure by using BGP. BGP is the standard routing protocol that is normally used to exchange routing and information among two or more networks. BGP is used to transfer data and information between different host gateways like on the internet or between autonomous systems
95
Border gateway protocol 2
You typically use BGP to advertise on-premises routes to Azure when you're connected to an Azure datacenter through Azure ExpressRoute. You can also configure BGP if you connect to an Azure virtual network by using a VPN site-to-site connection.
96
What is an NVA?
A network virtual appliance (NVA) is a virtual appliance that consists of various layers like:
```
a firewall
a WAN optimizer
application-delivery controllers
routers
load balancers
IDS/IPS
proxies
```
You can use an NVA to filter traffic inbound to a virtual network, to block malicious requests, and to block requests made from unexpected resources.
97
Network virtual appliance
Network virtual appliances or NVAs are virtual machines that control the flow of network traffic by controlling routing. You typically use them to manage traffic flowing from a perimeter-network environment to other networks or subnets
98
VPN GATEWAY ON PREM
The virtual private network (VPN) gateway options in Azure can help your company meet these connectivity requirements. You'll see how this is done by creating and testing VPNs to securely connect sites to Azure
99
Azure VPN gateways
A VPN gateway is a type of Virtual Network Gateway. VPN gateways are deployed in Azure virtual networks and enable the following connectivity
Connect on-premises datacenters to Azure virtual networks through a site-to-site connection.
Connect individual devices to Azure virtual networks through a point-to-site connection.
Connect Azure virtual networks to other Azure virtual networks through a network-to-network connection
All transferred data is encrypted in a private tunnel as it crosses the internet. You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations, including other Azure virtual networks or on-premises datacenters
100
Policy-based VPNs
Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through. Key features of policy-based VPN gateways in Azure include:
Support for IKEv1 only.
Use of static routing, where combinations of address prefixes from both networks control how traffic is encrypted and decrypted through the VPN tunnel. The source and destination of the tunneled networks are declared in the policy and don't need to be declared in routing tables.
Policy-based VPNs must be used in specific scenarios that require them, such as for compatibility with legacy on-premises VPN devices.
101
Required Azure resources
Virtual network. Deploy an Azure virtual network with enough address space for the additional subnet that you'll need for the VPN gateway. The address space for this virtual network must not overlap with the on-premises network that you'll be connecting to. Remember that you can deploy only one VPN gateway within a virtual network.
102
Required Azure resources 2
GatewaySubnet. Deploy a subnet called GatewaySubnet for the VPN gateway. Use at least a /27 address mask to make sure you have enough IP addresses in the subnet for future growth. You can't use this subnet for any other services
103
Required Azure resources 3
Public IP address. Create a Basic-SKU dynamic public IP address if using a non-zone-aware gateway. This address provides a public-routable IP address as the target for your on-premises VPN device. This IP address is dynamic, but it won't change unless you delete and re-create the VPN gateway
104
Required Azure resources 4
Local network gateway. Create a local network gateway to define the on-premises network's configuration: where the VPN gateway will connect and what it will connect to. This configuration includes the on-premises VPN device's public IPv4 address and the on-premises routable networks. This information is used by the VPN gateway to route packets that are destined for on-premises networks through the IPSec tunnel
105
Required Azure resources 5
Virtual network gateway. Create the virtual network gateway to route traffic between the virtual network and the on-premises datacenter or other virtual networks. The virtual network gateway can be either a VPN or ExpressRoute gateway, but this module deals only with VPN virtual network gateways
106
Required Azure resources 6
Connection. Create a Connection resource to create a logical connection between the VPN gateway and the local network gateway.
The connection is made to the on-premises VPN device's IPv4 address as defined by the local network gateway.
The connection is made from the virtual network gateway and its associated public IP address.
107
Required on-premises resources
To connect your datacenter to a VPN gateway, you'll need these on-premises resources:
A VPN device that supports policy-based or route-based VPN gateways
A public-facing (internet-routable) IPv4 address
108
Active/standby
By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention. Connections are interrupted during this failover, but they're typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.
109
Active/active
With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration. In this configuration, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address. You can extend the high availability by deploying an additional VPN device on-premises.
110
ExpressRoute failover
ExpressRoute failover
Another high availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in but aren't immune to physical problems that affect the cables delivering connectivity or outages affecting the complete ExpressRoute location. In high availability scenarios, where there's risk associated with an outage of an ExpressRoute circuit, you can also provision a VPN gateway which uses the internet as an alternative method of connectivity, thus ensuring there's always a connection to the Azure virtual networks
111
Zone-redundant gateways
In regions that support availability zones, VPN and ExpressRoute gateways can be deployed in a zone-redundant configuration. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. These require different gateway SKUs and leverage Standard public IP addresses instead of Basic public IP addresses
112
ExpressRoute overview
Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud. This connection between your organization and Azure is dedicated and private. Establishing an ExpressRoute connection enables you to connect to Microsoft cloud services like Azure, Office 365, and Dynamics 365. Security is enhanced, connections are more reliable, latency is minimal, and throughput is greatly increased
113
Layer 3 connectivity
ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be from a point-to-point, any-to-any network, or they can be virtual cross-connections through an exchange
114
Built-in redundancy
Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available
115
Co-location at a cloud exchange
Co-located providers can normally offer both Layer 2 and Layer 3 connections between your infrastructure, which might be located in the co-location facility, and the Microsoft cloud. For example, if your datacenter is co-located at a cloud exchange such as an internet service provider (ISP), you can request a virtual cross-connection to the Microsoft cloud
116
Point-to-point Ethernet connection
Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and Microsoft Azure. You can connect your offices or datacenters to Azure by using the point-to-point links. For example, if you have an on-premises datacenter, you can use a point-to-point Ethernet link to connect to Microsoft
117
Any-to-any networks
With any-to-any connectivity, you can integrate your wide area network (WAN) with Microsoft Azure by providing connections to your offices and datacenters. Azure will integrate with your WAN connection to provide a seamless connection, just like you would have between your datacenter and any branch offices
118
Architecture of ExpressRoute
ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ExpressRoute partner. The partner provides the edge service: an authorized and authenticated connection that operates through a partner-controlled router. The edge service is responsible for extending your network to the Microsoft cloud
119
Architecture of ExpressRoute 2
The partner sets up connections to an endpoint in an ExpressRoute location (implemented by a Microsoft edge router). These connections enable you to peer your on-premises networks with the virtual networks available through the endpoint. These connections are called circuits.
120
Prerequisites for ExpressRoute 3
An ExpressRoute connectivity partner or cloud exchange provider that can set up a connection from your on-premises networks to the Microsoft cloud.
An Azure subscription that is registered with your chosen ExpressRoute connectivity partner.
An active Microsoft Azure account that can be used to request an ExpressRoute circuit.
An active Office 365 subscription, if you want to connect to the Microsoft cloud and access Office 365 services
121
pre reques
ExpressRoute works by peering your on-premises networks with networks running in the Microsoft cloud
122
ExpressRoute has a number of network and routing requirements:
Ensure that BGP sessions for routing domains have been configured. Depending on your partner, this might be their or your responsibility. Additionally, for each ExpressRoute circuit, Microsoft requires redundant BGP sessions between Microsoft’s routers and your peering routers.
You or your providers need to translate the private IP addresses used on-premises to public IP addresses by using a NAT service. Microsoft will reject anything except public IP addresses through Microsoft peering.
Reserve several blocks of IP addresses in your network for routing traffic to the Microsoft cloud. You configure these blocks as either a /29 subnet or two /30 subnets in your IP address space. One of these subnets is used to configure the primary circuit to the Microsoft cloud, and the other implements a secondary circuit. You use the first address in these subnets to communicate with services in the Microsoft cloud. Microsoft uses the second address to establish a BGP session
123
ExpressRoute supports two peering schemes 1
Use private peering to connect to Azure IaaS and PaaS services deployed inside Azure virtual networks. The resources that you access must all be located in one or more Azure virtual networks with private IP addresses. You can't access resources through their public IP address over a private peering
124
ExpressRoute supports two peering schemes:2
Use Microsoft peering to connect to Azure PaaS services, Office 365 services, and Dynamics 365.
125
SKU
SKU Select Standard if you have up to 10 virtual networks and only need to connect to resources in the same geopolitical region. Otherwise, select Premium.
126
Configure private peering
Configure private peering
You use private peering to connect your network to your virtual networks running in Azure. To configure private peering, you must provide the following information:
Peer ASN. The autonomous system number for your side of the peering. This ASN can be public or private, and 16 bits or 32 bits.
Primary subnet. This is the address range of the primary /30 subnet that you created in your network. You'll use the first IP address in this subnet for your router. Microsoft uses the second for its router.
Secondary subnet. This is the address range of your secondary /30 subnet. This subnet provides a secondary link to Microsoft. The first two addresses are used to hold the IP address of your router and the Microsoft router.
VLAN ID. This is the VLAN on which to establish the peering. The primary and secondary links will both use this VLAN ID.
Shared key. This is an optional MD5 hash that's used to encode messages passing over the circuit.
127
Availability and connectivity
Microsoft guarantees a minimum of 99.95 percent availability for an ExpressRoute dedicated circuit.
128
Site-to-site VPN
An Azure site-to-site VPN connection enables you to connect your on-premises network to Azure over an IPsec tunnel to build a hybrid network solution. You configure an on-premises VPN device with a public IP address. You connect this device to an Azure virtual network through an Azure virtual network gateway
129
Point-to-site VPN
With point-to-site VPN, you can establish a secure connection to a network from individual computers located on-premises. This solution is useful for someone who wants to connect to Azure from remote locations such as a home or customer site. Point-to-site is useful if you have only a few clients that need to connect to a virtual network
130
Distribute traffic with Azure Load Balancer
Azure Load Balancer is a service you can use to distribute traffic across multiple virtual machines
131
sla agreements for load balancing
Availability set 99.95% Protection from hardware failures within datacenters
Availability zone 99.99% Protection from entire datacenter failure
132
Availability sets
An availability set is a logical grouping that you use to isolate virtual machine resources from each other when they're deployed. Azure ensures that the virtual machines you put in an availability set run across multiple physical servers, compute racks, storage units, and network switches. If there's a hardware or software failure, only a subset of your virtual machines is affected. Your overall solution stays operational. Availability sets are essential for building reliable cloud solutions
133
Availability zones
An availability zone offers groups of one or more datacenters that have independent power, cooling, and networking. The virtual machines in an availability zone are placed in different physical locations within the same region. Use this architecture when you want to ensure that, when an entire datacenter fails, you can continue to serve users
134
Basic load balancers allow:
Basic load balancers allow:
Port forwarding
Automatic reconfiguration
Health probes
Outbound connections through source network address translation (SNAT)
Diagnostics through Azure Log Analytics for public-facing load balancers
Basic load balancers can be used only with availability sets.
135
Standard load balancers
Standard load balancers support all of the basic features. They also allow:
HTTPS health probes
Availability zones
Diagnostics through Azure Monitor, for multidimensional metrics
High availability (HA) ports
Outbound rules
A guaranteed SLA (99.99% for two or more virtual machines)
136
external load balancer
An external load balancer operates by distributing client traffic across multiple virtual machines. An external load balancer permits traffic from the internet. The traffic might come from browsers, module apps, or other sources. In a healthcare organization, the balancer distributes the load of all the browsers that run the client healthcare application
137
internal load balancer
An internal load balancer distributes a load from internal Azure resources to other Azure resources. For example, if you have front-end web servers that need to call business logic that's hosted on multiple middle-tier servers, you can distribute that load evenly by using an internal load balancer. No traffic is allowed from internet sources. In a healthcare organization, the load balancer distributes a load across the internal application tier
138
public load balancer
A public load balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of a virtual machine in the back-end pool. The responses are then returned to the client. By applying load-balancing rules, you distribute specific types of traffic across multiple virtual machines or services
139
Five-tuple hash
Five-tuple hash. The default distribution mode for Load Balancer is a five-tuple hash. The tuple is composed of the source IP, source port, destination IP, destination port, and protocol type. Because the source port is included in the hash and the source port changes for each session, clients might be directed to a different virtual machine for each session.
140
Load Balancer and Remote Desktop Gateway
The default five-tuple hash in Load Balancer is incompatible with this service. If you want to use Load Balancer with your Remote Desktop servers, use source IP affinity.
141
Configure an internal load balancer
You can configure an internal load balancer in almost the same way as an external load balancer, but with these differences:
When you create the load balancer, for the Type value, select Internal. When you select this setting, the front-end IP address of the load balancer isn't exposed to the internet.
Assign a private IP address instead of a public IP address for the front end of the load balancer.
Place the load balancer in the protected virtual network that contains the virtual machines you want to handle the requests.
142
health probe
Load Balancer uses a health probe to determine the availability of each VM that's referenced by addresses in the back-end pool. Load Balancer only sends requests to VMs that indicate they're healthy
143
Azure Load Balancer includes a number of components:
Azure Load Balancer includes a number of components:
```
A front-end IP address
A back-end pool of VM addresses
One or more routing rules
A health probe
A collection of VMs, typically in a virtual network
```
144
Front-end IP address and back-end pool
Load Balancer stores the IP addresses of these VMs in a repository commonly referred to as a back-end pool. Load Balancer exposes its own front-end IP address to clients. When a client sends a request to this address, Load Balancer selects the IP address of a VM from the back-end pool. Load Balancer then routes the request through this back-end IP address to the VM
145
Scalability
You can start additional VM instances and add their IP addresses to the back-end pool at any time. Load Balancer includes these new instances when it distributes user requests.
Load Balancer can expose more than one public front-end IP address, and might have multiple back-end pools. This scheme enables you to reuse the same instance of Load Balancer to handle requests for different systems.
146
Routing rules
You define load-balancing rules to specify how requests directed toward each front-end IP address are mapped to a back-end pool. A load-balancing rule also specifies the protocol to match against, and optionally the source (client) and destination ports. Incoming requests arriving on a front-end IP address that don't match the protocol and port requirements are discarded by Load Balancer. A load-balancing rule can also configure session persistence so that a given client is likely to have its requests routed to the same VM. In this way, applications running on a VM take advantage of caching to hold session-specific information
147
Health probes
Load Balancer needs to determine whether each VM referenced by the back-end pool is available for handling requests. You add a health probe to do this. A health probe sends regular ping messages to a port that you specify for the VMs in the back-end pool. You provide a service on the VMs that responds to these ping messages, with an HTTP 200 (OK) message
148
Symptoms and causes of failure with Load Balancer
The application is unreachable.
The VMs running the application are unreachable.
Response times are slow.
User requests are timing out
149
Probing issues
Probing issues result when one or more VMs in the back-end pool fail to respond to health probe requests. These issues could be a result of:
An incorrect probe configuration, such as the wrong URL or port.
A VM that fails to respond to the probe because the required port isn't open
150
Data path issues
Data path issues occur when a Load Balancer is unable to route a client request to the application that runs on a VM in the back-end pool. Possible causes include:
A network security group rule or firewall is blocking the ports or IP addresses used by the application.
A VM is down or not responding. The VM might be turned off or failing, or there's a security issue such as an expired certificate on the server.
The application isn't responding. The VMs might be overloaded, the application is listening on an incorrect port, or the application is crashing
151
Use Azure Monitor to troubleshoot Load Balancer
With Azure Monitor, you can capture and examine diagnostic logs and performance data for Load Balancer
152
Monitor connectivity
You can visualize metrics for Load Balancer by using the Metrics page in the Azure portal. From a connectivity troubleshooting perspective, the most important metrics are Data Path Availability and Health Probe Status
153
The Health Probe Status metric
The Health Probe Status metric is similar, but it only applies to the health probe for the VMs rather than the complete path through Load Balancer. Again, the Avg aggregation for this metric yields a value between 0 (all VMs are unhealthy and failing to respond) and 100, where all VMs are responding to the health probe.
154
View service health
The Resource health page for Load Balancer reports on the general state of your system. You access this page in the portal from Azure Monitor. Select Service Health, select Resource Health, and then select Load Balancer as the resource type.
155
Use PsPing
The PsPing command tests ping connectivity through an endpoint. This command also measures the latency and bandwidth availability to a service. To verify that a route is available from your client to a VM through Load Balancer, use the following command. Replace and with the IP address and front-end port of the Load Balancer instance.
156
Use tcping
The tcping utility is similar to ping except that it operates over a TCP connection instead of ICMP, which Load Balancer doesn't route. Use tcping as follows
157
Limitations of Load Balancer
Azure Load Balancer is limited to only load balancing and handling port-forwarding for the TCP and UDP protocols. You can't use Load Balancer to manage requests submitted by using other network protocols such as ICMP.
Load Balancer operates at layer 4 in the ISO network stack and doesn't examine or otherwise manipulate the contents of network packets. You can't use it to implement content-based routing.
158
Route traffic with Application Gateway
Application Gateway manages the requests that client applications can send to a web app. Application Gateway routes traffic to a pool of web servers based on the URL of a request. This is known as application layer routing. The pool of web servers can be Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers.
159
How Application Gateway routes requests
Clients send requests to your web apps to the IP address or DNS name of the gateway. The gateway routes requests to a selected web server in the back-end pool, using a set of rules configured for the gateway to determine where the request should go.
160
Path-based routing
Path-based routing enables you to send requests with different paths in the URL to a different pool of back-end servers. For example, you could direct requests with the path /video/* to a back-end pool containing servers that are optimized to handle video streaming, and direct /images/* requests to a pool of servers that handle image retrieval
161
Multiple site hosting
Multiple site hosting enables you to configure more than one web application on the same application gateway instance. In a multi-site configuration, you register multiple DNS names (CNAMEs) for the IP address of the Application Gateway, specifying the name of each site. Application Gateway uses separate listeners to wait for requests for each site. Each listener passes the request to a different rule, which can route the requests to servers in a different back-end pool. For example, you could configure Application Gateway to direct all requests for http://contoso.com to servers in one back-end pool, and requests for http://fabrikam.com to another back-end pool. The following diagram shows this configuration.
162
Load balancing in Application Gateway
Application Gateway will automatically load balance requests sent to the servers in each back-end pool using a round-robin mechanism. However, you can configure session stickiness, if you need to ensure that all requests for a client in the same session are routed to the same server in a back-end pool
163
Load balancing in Application Gateway 2
Operating at OSI Layer 7 enables load balancing to take advantage of the other features that Application Gateway provides. These features include:
Support for the HTTP, HTTPS, HTTP/2 and WebSocket protocols.
A web application firewall to protect against web application vulnerabilities.
End-to-end request encryption.
Autoscaling, to dynamically adjust capacity as your web traffic load changes.
164
Front-end IP address
Front-end IP address
Client requests are received through a front-end IP address. You can configure Application Gateway to have a public IP address, a private IP address, or both. Application Gateway can't have more than one public and one private IP address
165
Listeners
Application Gateway uses one or more listeners to receive incoming requests. A listener accepts traffic arriving on a specified combination of protocol, port, host, and IP address. Each listener routes requests to a back-end pool of servers following routing rules that you specify. A listener can be Basic or Multi-site. A Basic listener only routes a request based on the path in the URL. A Multi-site listener can also route requests using the hostname element of the URL.
Listeners also handle SSL certificates for securing your application between the user and Application Gateway
166
Routing rules
A routing rule binds a listener to the back-end pools. A rule specifies how to interpret the hostname and path elements in the URL of a request, and direct the request to the appropriate back-end pool. A routing rule also has an associated set of HTTP settings. These settings indicate whether (and how) traffic is encrypted between Application Gateway and the back-end servers, and other configuration information such as:
Protocol (HTTP or HTTPS).
Session stickiness, to pass all requests in a client session to the same web server rather than distributing them across servers with load balancing.
Connection draining, to enable the graceful removal of servers from a back-end pool.
Request timeout period, in seconds.
Health probes, specifying a probe URL, time out periods, and other parameters used to determine whether a server in the back-end pool is available.
167
Back-end pools
A back-end pool references a collection of web servers. You provide the IP address of each web server and the port on which it listens for requests when configuring the pool. Each pool can specify a fixed set of virtual machines, a virtual machine scale-set, an app hosted by Azure App Services, or a collection of on-premises servers. Each back-end pool has an associated load balancer that distributes work across the pool
168
WAF
The web application firewall (WAF) is an optional component that handles incoming requests before they reach a listener. The web application firewall checks each request for many common threats, based on the Open Web Application Security Project (OWASP). These include:
```
SQL-injection
Cross-site scripting
Command injection
HTTP request smuggling
HTTP response splitting
Remote file inclusion
Bots, crawlers, and scanners
HTTP protocol violations and anomalies
```
169
Health probes
Health probes are an important part in assisting the load balancer to determine which servers are available for load balancing in a back-end pool. Application Gateway uses a health probe to send a request to a server. If the server returns an HTTP response with a status code between 200 and 399, the server is deemed healthy.
If you don't configure a health probe, Application Gateway creates a default probe that waits for 30 seconds before deciding that a server is unavailable.
170
Application Gateway network requirements
Application Gateway requires a virtual network in which to operate. You must create this virtual network and a dedicated subnet before setting up Application Gateway. Application Gateway uses a number of private addresses for internal use and for communicating with each instance if the gateway scales out. For example, If you plan on scaling out to four instances, create a /28 size subnet. If you're likely to scale to more instances, then create a bigger subnet.
You can expose the Application Gateway through a public IP address, or you can or keep it private by only giving it a private IP inside virtual network. This is useful if you have internal sites that you would like to use Application Gateway to provide load balancing
171
What is Network Watcher?
Network Watcher is an Azure service that combines tools in a central place to diagnose the health of Azure networks. The Network Watcher tools are divided into two categories:
Monitoring tools
Diagnostic tools
172
Network Watcher monitoring tools
Network Watchers provides three monitoring tools:
Topology
Connection Monitor
Network Performance Monitor
Let's look at each of these tools.
173
What is the topology tool?
The topology tool generates a graphical display of your Azure virtual network, its resources, its interconnections, and their relationships with each other.
Suppose you have to troubleshoot a virtual network created by your colleagues. Unless you were involved in the creation process of the network, you might not know about all the aspects of the infrastructure. You can use the topology tool to visualize and understand the infrastructure you're dealing with before you start troubleshooting.
174
What is the Connection Monitor tool?
The Connection Monitor tool provides a way to check that connections work between Azure resources. To check that two VMs can communicate if you want them to, use this tool.
This tool also measures the latency between resources. It can catch changes that will affect connectivity, such as changes to the network configuration or changes to network security group (NSG) rules. It can probe VMs at regular intervals to look for failures or changes.
If there's an issue, Connection Monitor tells you why it occurred and how to fix it. Along with monitoring VMs, Connection Monitor can examine an IP address or fully qualified domain name (FQDN)
175
What is the Network Performance Monitor tool?
The Network Performance Monitor tool enables you to track and alert on latency and packet drops over time. It gives you a centralized view of your network.
When you decide to monitor your hybrid connections by using Network Performance Monitor, check that the associated workspace is in a supported region.
You can use Network Performance Monitor to monitor endpoint-to-endpoint connectivity:
Between branches and datacenters.
Between virtual networks.
For your connections between on-premises and the cloud.
For Azure ExpressRoute circuits.
176
Network Watcher diagnostic tools
| Network Watcher includes six diagnostic tools:
Network Watcher diagnostic tools
Network Watcher includes six diagnostic tools:
```
IP flow verify
Next hop
Effective security rules
Packet capture
Connection troubleshoot
VPN troubleshoot
```
177
IP flow verify tool
The IP flow verify tool tells you if packets are allowed or denied for a specific virtual machine. If a network security group denies a packet, the tool tells you the name of that group so that you can fix the problem.
This tool uses a 5-tuple packet parameter-based verification mechanism to detect whether packets inbound or outbound are allowed or denied from a VM. Within the tool, you specify a local and remote port, the protocol (TCP or UDP), the local IP, the remote IP, the VM, and the VM's network adapter
178
What is the next hop tool?
When a VM sends a packet to a destination, it might take multiple hops in its journey. For example, if the destination is a VM in a different virtual network, the next hop might be the virtual network gateway that routes the packet to the destination VM.
With the next hop tool, you can determine how a packet gets from a VM to any destination. You specify the source VM, source network adapter, source IP address, and destination IP address. The tool then determines the packet's destination. You can use this tool to diagnose problems caused by incorrect routing table
179
What is the effective security rules tool?
The effective security rules tool in Network Watcher displays all the effective NSG rules applied to a network interface.
Network security groups (NSGs) are used in Azure networks to filter packets based on their source and destination IP address and port numbers. NSGs are vital to security because they help you carefully control the surface area of the VMs that users can access. Keep in mind, though, that a mistakenly configured NSG rule might prevent legitimate communication. As a result, NSGs are a frequent source of network problems.
For example, if two VMs can't communicate because an NSG rule blocks them, it can be difficult to diagnose which rule is causing the problem. You'll use the effective security rules tool in Network Watcher to display all the effective NSG rules and help you diagnose which rule is causing the specific problem.
To use the tool, you choose a VM and its network adapter. The tool displays all the NSG rules that apply to that adapter. It's easy to determine a blocking rule by viewing this list.
You can also use the tool to spot vulnerabilities for your VM caused by unnecessary open ports.
180
What is the packet capture tool?
You use the packet capture tool to record all of the packets sent to and from a VM. You'll then review the captured to gather statistics about network traffic or diagnose anomalies, such as unexpected network traffic on a private virtual network.
The packet capture tool is a virtual machine extension that is remotely started through Network Watcher and happens automatically when you start a packet capture session.
Keep in mind that there is a limit to the amount of packet capture sessions allowed per region. The default usage limit is 100 packet capture sessions per region, and the overall limit is 10,000. These limits are for the number of sessions only, not saved captures. You can save packets captured in Azure Storage or locally on your computer.
Packet capture has a dependency on the Network Watcher Agent VM Extension installed on the VM. For links to instructions that detail the installation of the extension on both Windows and Linux VMs, see the "Learn more" section at the end of this module.
181
What is the connection troubleshoot tool?
You use the connection troubleshoot tool to check TCP connectivity between a source and destination VM. You can specify the destination VM by using an FQDN, a URI, or an IP address.
If the connection is successful, information about the communication is displayed, including:
The latency in milliseconds.
The number of probe packets sent.
The number of hops in the complete route to the destination.
If the connection is unsuccessful, you'll see details of the fault. Fault types include:
CPU. The connection failed because of high CPU utilization.
Memory. The connection failed because of high memory utilization.
GuestFirewall. The connection was blocked by a firewall outside Azure.
DNSResolution. The destination IP address couldn't be resolved.
NetworkSecurityRule. The connection was blocked by an NSG.
UserDefinedRoute. There's an incorrect user route in a routing table.
182
What is the VPN troubleshoot tool?
You can use the VPN troubleshoot tool to diagnose problems with virtual network gateway connections. This tool runs diagnostics on a virtual network gateway connection and returns a health diagnosis.
When you start the VPN troubleshoot tool, Network Watcher diagnoses the health of the gateway or connection and returns the appropriate results. The request is a long-running transaction
183
Flow logs
In flow logs, you can view information about ingress and egress IP traffic on network security groups. Flow logs show outbound and inbound flows on a per-rule basis, based on the network adapter that the flow applies. NSG flow logs show whether traffic was allowed or denied based on the 5-tuple information captured. This information includes:
```
Source IP
Source port
Destination IP
Destination port
Protocol
```
Flow logs store data in a JSON file. It can be difficult to gain insights into this data by manually searching the log files, especially if you have a large infrastructure deployment in Azure. You can solve this problem by using Power BI.
In Power BI, you can visualize NSG flow logs by, for example:
Top talkers (IP address)
Flows by direction (inbound and outbound)
Flows by decision (allowed and denied)
Flows by destination port
184
Diagnostic logs
In Network Watcher, diagnostic logs are a central place to enable and disable logs for Azure network resources. These resources might include NSGs, public IPs, load balancers, and app gateways. After you've enabled the logs that interest you, you can use the tools to query and view log entries.
You can import diagnostic logs into Power BI and other tools to analyze them
185
Traffic analytics
To investigate user and app activity across your cloud networks, use traffic analytics.
The tool gives insights into network activity across subscriptions. You can diagnose security threats such as open ports, VMs communicating with known bad networks, and traffic flow patterns. Traffic analytics analyzes NSG flow logs across Azure regions and subscriptions. You can use the data to optimize network performance.
This tool requires Log Analytics. The Log Analytics workspace must exist in a supported region.
