Configure and manage virtual networks for Azure administrators Flashcards
1
Q
How are hybrid cloud server deployments established?
A
By using Azure virtual networks to create a private network in Azure and securely connect resources.
2
Q
When cloud resources use Azure virtual network, how is the network segmented?
A
An Azure virtual network is a logical isolation of the Azure cloud resources.
3
Q
Does each network have its own subnet?
A
Each virtual network has its own Classless Inter-Domain Routing (CIDR) block and can be linked to other virtual networks and on-premises networks.
4
Q
What must be considered when creating a hybrid azure network solution?
A
The CIDR blocks (subnets) of the connecting networks must not overlap.
5
Q
In an Azure virtual network, who controls the DNS settings and segmentation?
A
The tenant.
6
Q
When creating a subnet, how many IPs are reserved, and in what order?
A
Azure reserves five IP addresses. The first four addresses and the last address are reserved.
7
Q
How do certain servicers and Azure networks interact?
A
A service might require or create their own subnet; Each service directly deployed into a virtual network has specific requirements for routing and the types of traffic.
8
Q
How is network traffic between all subnets in a virtual network routed by default?
A
Azure routes network traffic between all subnets in a virtual network, by default.
9
Q
Can virtual networks in azure be isolated?
A
You can override Azure’s default routing to prevent Azure routing between subnets.
10
Q
If traffic between two resources in a virtual network should be routed through a virtual network appliance, how should it be deployed?
A
Deploy the resources to different subnets because the virtual network appliance should have its own subnet.
11
Q
How do service endpoints function with virtual networks/subnets?
A
You can limit access to Azure resources with a virtual network service endpoint; Deny access to the resources from the internet.
12
Q
What is the purpose of a network security group?
A
Each network security group contains rules that allow or deny traffic to and from sources and destinations.
13
Q
Define ‘Azure Private Link’
A
provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services.
14
Q
What is the security benefit of Azure Private Link?
A
The service eliminates data exposure to the public internet.
15
Q
When creating a virtual network IP address range, what should be considered in relation to the organization?
A
Plan to use an IP address space that’s not already in use in your organization; The range can be either on-premises or in the cloud, but not both.
16
Q
Can an address space be changed once its created?
A
Once you create the IP address space, it can’t be changed.
17
Q
In a virtual network, can subnets overlap?
A
The range for one subnet can’t overlap with other subnet IP address ranges in the same virtual network.
18
Q
Once a virtual network is deployed, how can resources communicate?
A
You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the internet.
19
Q
What are the two types of Azure IP addresses?
A
private and public.
20
Q
What is the function of a private azure IP address?
A
Enable communication within an Azure virtual network and your on-premises network.
21
Q
How are private Azure IPs assigned when connecting to on-premises resources for a hybrid deployment?
A
Created when you config a VPN gateway or Azure ExpressRoute circuit.
22
Q
What is the function of a Public Azure IP address?
A
Allowing your resource to communicate with the internet and public facing azure services.
23
Q
What are the two ways IP addresses can be assigned in Azure?
A
IP addresses can be statically assigned or dynamically assigned.
24
Q
What is the difference between static and dynamically assigned IP addresses?
A
Static IP addresses don’t change.
25
What are the best scenarios for static IP addresses?
- Role based VMs like DNS servers and DCs
- IP based security models that require static IPs
- TLS Certificates linked to an IP
26
When creating a public IP address to be used with a load balancer, what must be considered when establishing the "SKU" configuration detail?
Must match the SKU of the Azure load balancer.
27
How are static public IP addresses assigned/created?
Assigned when a public IP address is created.
28
How are dynamic public IP addresses assigned/created?
Assigned after a public IP address is associated to an Azure resource and is started for the first time.
29
In what circumstances would a dynamic IP address change?
If a resource such as a virtual machine is stopped (deallocated) and then restarted through Azure.
30
In what circumstances would a static IP address change?
Static addresses aren't released until a public IP address resource is deleted.
31
What are the typical resources a public IP address is associated with?
Virtual machine network interfaces, internet-facing load balancers, VPN gateways, and application gateways.
32
What is the purpose of the "SKU" configuration detail when creating an Azure public IP address?
Your SKU choice affects the IP assignment method, security, available resources, and redundancy options.
33
What are the typical resources a private IP address is associated with?
Virtual machine network interfaces, internal load balancers, and application gateways.
34
How are private IP addresses assigned/allocated?
Allocated from the address range of the virtual network subnet that a resource is deployed in.
35
Can private IP addresses be dynamic?
Yes; Can be dynamic or static.
36
How are dynamic private IP addresses assigned in Azure?
Azure assigns the next available unassigned or unreserved IP address in the subnet's address range.
37
What resources can a network security group be applied to?
You can assign a network security group to a subnet or a network interface.
38
How do network security groups secure network?
Contains a list of security rules that allow or deny inbound or outbound network traffic.
39
Can a network security group be assigned to multiple networks/sunets?
A network security group can be associated multiple times.
40
What is the purpose of a virtual DMZ?
Acts as a buffer between resources within your virtual network and the internet.
41
How many network security groups can be associate with a subnet/network?
Each subnet can have a maximum of one associated network security group.
42
How do network security groups function when assigned to a subnet?
Restricts traffic flow to all machines that reside within the subnet.
43
How do network security groups function when assigned to a virtual NIC?
Controls all traffic that flows through a NIC.
44
How many network security groups can be associate with a virtual NIC?
Each network interface that exists in a subnet can have zero, or one, associated network security groups.
45
When a network security group is created, what does Azure include by default?
Azure creates the default security rules in each network security group that you create.
46
What are the two most important default rules created when deploying a network security group?
"DenyAllInbound" traffic and "AllowInternetOutbound" traffic.
47
What are other security rules to be specified when creating a network security group?
Name; Priority; Port/Protocol; Source/Destination IP; Action (allow/deny)
48
How are rules processed in a network security group?
All security rules for a network security group are processed in priority order.
49
In what order are rules in a network security group processes?
When a rule has a low Priority value, the rule has a higher priority or precedence in terms of order processing.
50
Can default security rules be removed?
No.
51
How can default security rules be overrided?
By creating another security rule that has a lower Priority setting for your network security group.
52
How many default inbound rules does Azure define in a network security group?
3
53
What are the 3 default inbound traffic rules in a network security group?
1. AllowVnetInBound
2. AllowAzureLoadBalancerInBound
3. DenyAllInBound
54
How many default outbound rules does Azure define in a network security group?
3
55
Where are the default outbound rules Azure defines in a network security group?
1. AllowVnetOutBound
2. AllowAzureLoadBalancerOutBound
3. AllowAllOutBound
56
What is the purpose of the 3 default outbound rules in a network security group?
Only allow outbound traffic
57
What is the purpose of the 3 default inbound rules in a network security group?
These rules deny all inbound traffic except traffic from your virtual network and Azure load balancers.
58
For inbound traffic, in what order does Azure process network security group rules between subnets and NICs?
Azure first processes network security group security rules for any associated subnets and then any associated network interfaces.
59
For outbound traffic, in what order does Azure process network security group rules between subnets and NICs?
Azure first evaluates network security group security rules for any associated network interfaces followed by any associated subnets.
60
When creating a network security group, what should be considered to ensure connectivity between a subnet and a NIC?
If you have a subnet or NIC in your network security group, you must define an allow rule at each level. Otherwise, the traffic is denied for any level that doesn't provide an allow rule definition.
61
Define 'intra-subnet traffic'
VMs in the same subnet to sending traffic to each other.
62
Is intra-subnet traffic enabled by default?
Yes.
63
How can intra-subnet traffic be disabled?
By defining a rule in the network security group to deny all inbound and outbound traffic.
64
When assigning priorities to rules in a network security group, what is best practice?
Leave gaps in your priority numbering, such as 100, 200, 300, and so. The gaps in the numbering allow you to add new rules without having to edit existing rules.
65
How can an admin be sure if rules in a network security group are being applied?
By using "Effective security rules" in the azure portal.
66
Define an 'Application security group'
Enable you to configure network security as a natural extension of an application's structure; Group VMs and define network security policies based on those groups.
67
How can application security groups be utilized along side network security groups?
Join VMs to an application security group. Then use the application security group as a source or destination in the network security group rules.
68
How can application security groups be leveraged to eliminate network security groups?
By logically grouping VMS by application and purpose with application security groups.
69
How can application security groups decrease the number of rules in network security groups?
Removes the need to create a separate rule for each virtual machine; Dynamically apply new rules to designated application security groups.
70
Does an IP address need to be specified with an application security group?
No.
71
What mechanism/service connects two separate virtual networks to each other?
Azure Virtual Network peering lets you connect virtual networks in the same or different regions.
72
Describe the connection between two virtual subnets using azure virtual network peering
After the networks are peered, the two virtual networks operate as a single network, for connectivity purposes.
73
What are the two types of Azure Virtual Network peering?
regional and global.
74
Define 'Regional virtual network peering'
Connects Azure virtual networks that exist in the same region.
75
Define 'Global virtual network peering'
Connects Azure virtual networks that exist in different regions.
76
Can peering exist between different Azure government cloud regions?
Global peering of virtual networks in different Azure Government cloud regions isn't permitted; Virtual networks in the same Azure Government cloud region can be peered.
77
Does Azure virtual network peering create private network connections between peers?
Yes; Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft Azure backbone network
78
Describe the relationship between resources in a azure virtual network peering
Resources in one virtual network communicate with resources in a different virtual network; The individual virtual networks are still managed as separate resources.
79
What is the purpose of Azure VPN Gateway tranit in a Virtual Network peering?
The virtual network peers can communicate to resources outside the peering.
80
What is the purpose of implementing an Azure VPN Gateway in a peered virtual network?
To act as a transit point to access resources in another network.
81
In order for an admin to implement a virtual network peering, what roles must be assigned to their account?
Network Contributor or Classic Network Contributor.
82
In a peering of virtual networks, what is the second network referred to as?
The remote network.
83
What indicates a successfully established peering?
Both virtual networks in the peering have a status of Connected.
84
When virtual network peering is deployed, how do other virtual network and resources interact with the peering?
The communication capabilities in a peering are available to only the virtual networks and resources in the peering. Other mechanisms have to be used to enable traffic to and from resources and networks outside the private peering network.
85
What are the 3 ways to extend connectivity of your peering to resources and virtual networks outside your peering network?
1. Hub and spoke networks
2. User-defined routes
3. Service chaining
86
Define a virtual hub and spoke virtual network peering
The hub virtual network can host a Azure VPN gateway and each spoke can peer with a different virtual network to increase peering capabilities.
87
Define 'User-defined route (UDR)' virtual network peering
Enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway.
88
Define 'Service chaining' virtual network peering
Used to direct traffic from one virtual network to a virtual appliance or gateway.
89
Define Azure 'system routes'
Used to direct network traffic between virtual machines, on-premises networks, and the internet.
90
Where is information about system routes recorded?
In a route table.
91
What is the purpose of a route table?
Contains a set of rules (called routes) that specifies how packets should be routed in a virtual network.
92
How are packets routed through a system route?
Each packet is handled based on the associated route table; Packets are matched to routes by using the destination.
93
What occurs when a matching route can't be found for a packet?
The packet is dropped.
94
In a user-defined route (UDR), what can the net hop target be configured as?
Virtual network gateway
Virtual network
Internet
Network virtual appliance (NVA)
95
Where are user-defined routes (UDRs) stored?
In a route table
96
Can multiple subnets access a route table?
Yes.
97
Does Microsoft charge the tenant for creating route tables in Azure?
No.
98
How do service endpoints change the way virtual networks use IP addresses?
Private IP addresses are used as the source IP when accessing the Azure service from a virtual network.
99
How are service endpoints secured?
Virtual network rules.
100
How can public internet access be removed with a service endpoint?
Virtual network rules used to create service endpoints can remove public internet access?
101
How is traffic routed with a service endpoint?
Through the Microsoft Azure backbone network.
102
Where are service endpoints confiugred?
Service endpoints are configured through the subnet.
103
What is the purpose of implementing a service endpoint?
Secure resources traffic in a virtual network with virtual network rules; Removing public internet access to resources, and allowing traffic only from your virtual network.
104
How can you extend the company's private address space with direct connections to Azure resources?
Virtual network service endpoints extend the private address space in Azure.
105
What is the purpose of Azure Load Balancer?
To efficiently distribute incoming and outgoing network traffic across back-end servers and resources.
106
What are the two types of load balancers Azure allows you to deploy?
public or internal; or combined config.
107
What are the four necessary components to configure an Azure load balancer?
1. Front-end IP configuration
2. Back-end pools
3. Health probes
4. Load-balancing rules
108
Describe 'Front-end IP configuration' when implementing an Azure load balancer?
Specifies the public IP or internal IP that your load balancer responds to.
109
Describe 'Back-end pools' when implementing an Azure load balancer?
Services and resources that traffic will be distributed between.
110
Describe 'Health probes' when implementing an Azure load balancer?
Ensure the resources in the backend are healthy and are able to receive requests.
111
Describe 'Load-balancing rules' when implementing an Azure load balancer?
Determine how traffic is distributed to back-end resources.
112
What are the 3 SKUs available for Azure Load Balancer?
Basic, Standard, and Gateway.
113
How many pools does a Basic and Standard SKU allow?
The Basic SKU allows up to 300 pools, and the Standard SKU allows up to 1,000 pools.
114
What resources can be implemented in a backend pool?
Availability sets, virtual machines, or Azure Virtual Machine Scale Sets.
115
Define a 'HTTP Health probe'
Load balancer probes back-end pool endpoints every 15 seconds via http(s).
116
How is a resource considered healthy during an HTTP probe?
The resource is considered healthy if it responds with an HTTP 200 message within the specified timeout period.
117
What is the default timeout period in an HTTP health probe?
Default is 31 seconds.
118
Define a 'TCP Health probe'
Relies on establishing a successful TCP session to a defined probe port; If the connection is refused, the probe fails.
119
To configure a probe what 4 settings must be specified?
Port, URI, Interval, and unhealthy threshold.
120
What must be previously configured before implementing a load balancing rule?
A frontend, backend, and health probe for your load balancer.
121
By default, how does Azure distribute load balanced traffic?
Distributes network traffic equally among.
122
By default, how does Azure load balancer route traffic to an available endpoint in a pool?
Uses a five-tuple hash to map traffic to available servers.
123
What does the five-tuple hash used to distribute traffic between servers in a pool include?
Source/Destination IP and port, and protocol type.
124
Define 'Session persistance'
Specifies how to handle traffic from a client.
125
How are successive requests from a client trafficked in a load balanced solution by default?
Successive requests from a client go to any virtual machine in your pool.
126
What are the 3 available settings for session persistence?
1. None/default - Any VM can handle the request
2. Client IP: Successive requests from the same client IP address go to the same virtual machine.
3. Client IP and protocol: Successive requests from the same client IP address and protocol combination go to the same virtual machine.
127
Define 'Azure application gateway'
A load balancer to manage traffic to web apps.
128
What are Azure Application Gateway's two primary methods for routing traffic?
1. Path-based routing
2. Multi-site routing
129
Define 'Path-based routing' or ‘URL-based routing’
Route traffic to backend server pools based on URL Paths of the request.
130
Define 'Multi-site routing'
Configures more than one web application on the same application gateway instance.
131
Can the Azure Application Gateway redirect traffic?
Yes.
132
How is multi-site routing performed?
Register multiple CNAMEs for the IP address of your application gateway and specify the name of each site; Application Gateway uses separate listeners to wait for requests for each site.
133
What is the purpose of implementing an HTTP(s) listener when deploying an application gateway?
Receive the traffic and route the requests to the back-end pool based on routing rules.
134
What is the function of a routing rule in an application gateway configuration?
Defines how to analyze the request to direct the request to the appropriate back-end pool.
135
What are the two types of listeners?
Basic or Multi-site.
136
Define a 'basic' listener
Routes a request based on the path in the URL.
137
Define a 'Multi-site' listener
Routes a request based on the path in the URL and handle TLS/SSL certificates
138
List a few configurations that a routing rule can establish
Encryption; Protocol; Session persistence; request timeout; health probes.
139
What is the status code range of a healthy agent after a health probe?
200-399
140
What is the smallest supported subnet in Azure virtual Network?
/29
141
What is the largest supported subnet in Azure virtual Network?
/2
142
Define 'Azure DNS'
A hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
143
Can Azure DNS be used to register DNS names?
No.
144
With Azure DNS, can it be used to manage private DNS?
Yes.
145
Define an 'Apex domain'
Your domain's highest level
146
Define an 'Azure alias record'
enable a zone apex domain to reference other Azure resources from the DNS zone.
147
What resources can an alias record point towards?
A Traffic Manager profile
Azure Content Delivery Network endpoints
A public IP resource
A front-end profile
148
How can azure alias records ensure DNS records are current?
When the underlying IP address of a resource, service, or application is changed, the alias record ensures that any associated DNS records are automatically refreshed.
149
What is the next hop for traffic sent to the IP '0.0.0.0'
The internet.
150
Define a 'virtual network gateway'
Sends encrypted traffic between Azure and on-premises over the internet and to send encrypted traffic between Azure networks.
151
What is the purpose of a User-defined route?
Ro override the default system routes so traffic can be routed through firewalls or NVAs.
152
If multiple routes are available in a route table, how does Azure select the best route?
Azure uses the route with the longest prefix match.
153
What is Azure's priority of routing rules?
1. User-define routes
2. BGP routes
3. System routes
154
Define a network virtual appliance (NVA)
A VM that consists of layers like:
a firewall
a WAN optimizer
application-delivery controllers
routers
load balancers
IDS/IPS
proxies
155
Where are network virtual appliances (NVAs) located?
You can deploy NVAs chosen from providers in Azure Marketplace.
