AZ-700 Flashcards
Azure Virtual Network (VNet)
cloud representation of a physical network
divided into subnets
all VNets must have at least one subnet
handles DHCP services
can be secured using an ACL (NSG)
Public Prefix
Subnet
Virtual Machine
Network Interface Card
Virtual Network Gateway
DNS Zone
Private DNS Zone
VNet Peering
Virtual Hub
Virtual WAN
1 s2s scale unit = 500 Mbps
1 Express Route scale unit = 2 Gbps
VPN Site
similar to virtual gateway
Route Table
Load Balancer
Application Load Balancer
Traffic Manager
Azure Front Door Service
Rewrite set
Application Gateway
Forced Tunneling
Configure forced tunneling
1. Create a resource group.
New-AzResourceGroup -Name 'ForcedTunneling' -Location 'North Europe'
2. Create a virtual network and specify subnets.
3. Create the local network gateways.
Example:
$lng1 = New-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" -Location "North Europe" -GatewayIpAddress "111.111.111.111" -AddressPrefix "192.168.1.0/24"
4. Create the virtual network gateway.
5. Assign a default site to the virtual network gateway. -GatewayDefaultSite is the cmdlet parameter that makes the forced routing configuration work, so take care to configure this setting properly.
$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling"
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling"
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
6. Establish the Site-to-Site VPN connections.
Details omitted.
ExpressRoute
Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.
Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure's cloud services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute.
Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan).
Basic Load Balancer
VMs behind Basic Load Balancers
Virtual machine scale sets with Basic Load Balancers
Redis Cache
Application Gateway (v1) SKU
Service Fabric
API Management (stv1)
Active Directory Domain Service (ADDS)
Logic Apps
HDInsight
Azure Batch
App Service Environment
You can connect to these resources via ExpressRoute or VNet-to-VNet through VNet Gateways.
Private IP Addressing
Available IPs are 5 fewer than the range: .0 = network, .1 = gateway, .2 and .3 = DNS, and .255 = broadcast
IPv4 is mandatory, IPv6 is optional
IPv6 is always /64
DHCP is default; static is optional
Public IP
Tied to regions
2 SKUs - Basic & Standard
- Basic: dynamic or static; a certain amount for free; open by default
- no AZ support
- Standard: static only; locked down by default; AZ support
- Sometimes the SKU needs to match the service, e.g. Basic load balancer uses standard public IP
Public IP Prefix
contiguous block of public IPs
Peering
uses native Azure backbone
different regions use Global VNet Peering
Cannot peer across clouds (e.g. US to China or Gov)
Created in each direction
Cannot Peer with overlapping IP space
Gateway Transit
Gateway subnet probably allows me to talk to on-prem from a hub VNet
To allow a spoke to talk to on-prem, need to enable two features:
- Hub to spoke side of peering - allow gateway transit - “Use this virtual network’s gateway or Route Server”
- On spoke to hub side of peering - use remote gateway - “Use the remote virtual network’s gateway or Route Server”
- spokes can only use one hub’s remote gateway
User Defined Routing
link a route table to a subnet within a vnet within the same region; next-hop doesn’t have to be on the same subnet
useful to view the “Effective routes” on the NIC of a VM
NAT Gateway
attach public ips/prefixes with a standard sku
link nat gateway to a subnet within the same region
only supports IPv4; there is a cap on the number of public IPs you can add (16?)
can attach to a zone, or a region, but cannot be zone-redundant
Azure DNS
Network Security Group
Application Security Group (ASG)
basically just a tag
can only use it in the same region in which it was created
makes the acl based on the tag instead of an IP address
Service Endpoint
seems like another ACL tag
might let something like vnet1-subnet1 talk to storage account1
Private Endpoint
an IP in the subnet that represents a (private)
for a custom resource, need to put a (standard) LB in front of it, and a private link service in front of the LB, and then the private endpoint can point to that. I think the private link service also does NAT
a new DNS zone is used – usually something like privatelink.azurewebsites.net
App Service Plan
- each individual app will have its own private endpoint; this is to get to the app
- 3 options to get the app outbound to the vnet: 1) regional vnet integration, 2) gateway required integration (p2s vpn to a gateway), 3) hybrid connections
Azure Firewall
- has its own subnet, which is at least a /26
- FW appliances will have an internal IP that gets targeted via UDR by things like VPN, or
- standard and premium sku
- premium adds TLS inspection, IDPS, URL filtering and Web categories
- 3 types of rules in a policy - NAT rules, network rules, and application rules
NSG Flow Logs
needs a storage account
sends to log analytics workspace, and then traffic analytics happens on that
Network Watcher