Networking Flashcards
Service Endpoints
Used to extend the private address space of an Azure virtual network and to extend the identity of a virtual network to Azure services over a direct connection.
Traffic originating from your virtual network and headed toward your Azure service never leaves the Microsoft Azure backbone network
Private Link
Can be used to privately access a specific service instance from your virtual network or from your on-prem network
You can control outbound network access from an Azure subnet with Azure Firewall. With Azure Firewall you can configure:
Application rules that define fully qualified domain names (FQDN, like www.google.com) that can be accessed from a subnet
Network rules that define source address, protocol, destination port and destination address
Network Security Groups (NSGs)
-Rules that allow or deny inbound network traffic to, or outbound network traffic from, many kinds of Azure resources
-You can create custom rules
While you can't delete the default rules, you can create rules to override them
-Can be assigned to a specific NIC or to an entire subnet
One prerequisite for JIT on a VM is:
that the VM needs an NSG associated to it
Application Security Group
-You can group the NICs of several different VMs on the same Vnet, then apply a NSG rule to only those grouped NICs
-this allows you to create different traffic rules for different groups of NICs on the same Vnet
-Using a separate Application Security Group for each group of VMs allows you to manage the NSG rules for each different group of VMs
-All network interfaces assigned to an ASG have to exist in the same virtual network that the first network interface assigned to the ASG is in.
The following are the default rules in an NSG
AllowVnetInbound
AllowAzureLoadBalancerInbound
DenyAllInbound
AllowVnetOutbound
AllowInternetOutbound
DenyAllOutbound
Connect an individual workstation directly to an Azure Virtual Network with Point-2-Site VPN
Virtual Network Gateway
Gateway subnet
Self-signed certificate
client configuration package
Point-2-Site
-Allows you to establish a connection between a single computer in your on-prem network with your virtual network
-often used to allow remote workers to connect into your Azure Virtual Network through an encrypted tunnel over the internet
Site-2-Site VPN
you need to configure:
Virtual Network Gateway
Gateway subnet
Local Network Gateway
VPN connection
Site-2-Site VPN
-when you want to connect an entire on-prem network to an Azure Virtual Network, you can use a site-to-site VPN
-establishes a secure, encrypted connection over the internet between an Azure VPN gateway that’s deployed in the virtual network and the on-prem VPN device
Azure VPN Gateway
-VPN Gateway is used to send and receive encrypted traffic between an Azure virtual network and an on-prem network
-this traffic is sent over the public internet
-it can be used to send encrypted traffic between Azure virtual networks over the Microsoft network
-you can only define one VPN gateway per Vnet
-each VPN Gateway supports multiple connections to it
-when created, a gateway subnet is also made
-once the gateway is deployed, you can create an IPsec or IKE VPN tunnel between the newly deployed VNet gateway and any one of a number of other gateways
Remember that when there is a site-2-site connection between an Azure VNet and an onprem data center, you have to define a:
Gateway subnet in the Azure VNet. All traffic from onprem would flow via the gateway subnet
Azure ExpressRoute
lets you connect your onprem network to the Microsoft cloud via a private connection rather than the public internet
Azure DDoS Protection
2 tiers
Basic: auto enabled, always-on traffic monitoring, real-time mitigation
Standard: mitigates volumetric attacks, protocol attacks, application layer attacks