Virtual Networking

Question 1

What type of DNS record should you create to ensure Azure can verify the domain name?

Answer 1

MX
TXT

Question 2

What does a NS record do?

Answer 2

Tells recursive name servers which name servers are authoritative for a zone

Question 3

If you have a registered DNS domain and then create a public Azure DNS zone with the same name, how do you ensure the records created in the zone are resolvable?

Answer 3

Modify the NS records in the DNS domain registrar so they point to your Azure DNS NS records

Question 4

What is the benefit of having multiple NS records?

Answer 4

Redundancy of your DNS service

Question 5

How would you create Azure AD DNS records in a custom domain for a domain you already registered?

Answer 5

• Add the custom domain name to your directory
• Add a DNS entry for the domain name at the registrar
• Verify the custom domain name

Question 6

Which IP addresses are reserved by Azure in each subnet?

Answer 6

.0 network address
.1 gateway address
.2 and .3 DNS
.255 broadcast

Question 7

Whats the smallest possible subnet in Azure? (CIDR)

Answer 7

/29
3 possible addresses (8 addresses, but 5 are reserved)

Question 8

What networking solution provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope?

Answer 8

Azure Internal Load Balancer (ILB)

Question 9

What networking tool provides SQL injection protection?

Answer 9

Azure Web Application Firewall (WAF)

Question 10

What protection does an application gateway with Azure Web Application Firewall (WAF) provide?

Answer 10

Centralized protection of your web apps from common exploits and vulnerabilities; like SQL injections and cross-site scripting

Question 11

What is a virtual hub?

Answer 11

• A Microsoft-manged VNET
• The hub contains various service endpoints to enable connectivity; the core of your network in a region

Question 12

What do Azure Private DNS zones do?

Answer 12

Provide name resolution within a virtual network and between virtual networks

Question 13

What is Azure Log Analytics workspace?

Answer 13

A unique Log Analytics environment with its own data repository, data sources, and solutions

Question 14

What do NSG flow logs allow you to view?

Answer 14

Information about ingress and egress IP traffic through a NSG

Question 15

What additional capabilities does a Standard load balancer offer over a Basic load balancer?

Answer 15

• Supports diagnostics
• Global VNet Peering support
• Compatible with Availability Zones
• Supports HA ports

Question 16

What might prevent you from being able to peer two VNets?

Answer 16

Address spaces overlapping

Question 17

What does a backend pool define?

Answer 17

• Critical component of the load balancer
• The group of resources that will serve traffic for a given load-balancing rule

Question 18

What is a floating IP?

Answer 18

• Enables traffic to bypass the load balancer and go directly to the backend servers
• Enables multiple applications in the backend pool to use the same port

Question 19

Why might you use a floating IP?

Answer 19

• If you want to reuse the backend port across multiple rules
• Clustering for high availability

Question 20

What should you do if you make changes to the topology of your network and have Windows VPN clients?

Answer 20

The VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied

Question 21

What does enabling auto registration on an azure DNS private zone do?

Answer 21

Makes it so when you link a VNet with a private DNS zone, a DNS record gets created for each VM deployed in the VNet

Question 22

What are some restrictions Azure has in place for auto registration?

Answer 22

• Only works for VMs
• Only can be used by private Azure DNS zones
• Only created for one NIC, and NIC needs to be using DHCP

Question 23

What subnets can you assign a NSG to?

Answer 23

A subnet in the same region of the NSG

Question 24

How would you add or delete address ranges from a VNet’s address space if the VNet is already peered?

Answer 24

Remove peering
Make changes
Recreate peering

Now (2022) you can make changes and sync the networks after changes are complete

Question 25

Are you able to move a NIC across RGs?

Answer 25

Yes, but the location will not change

Question 26

How would you enable a webapp to access the resources in a VNet?

Answer 26

Connect the webapp to the VNet using webapp VNet integration

Question 27

What does enabling session persistence do?

Answer 27

Maps a client’s session to a specific server

Question 28

What is the default port for RDP?

Answer 28

TCP port 3389

Question 29

With what tool does Azure DNS support importing and exporting zone files?

Answer 29

Azure CLI

Question 30

What does an inbound NAT rule do?

Answer 30

Forwards incoming traffic to a specific VM

Question 31

What does a load balancer rule do?

Answer 31

Forward traffic to a backend pool

Question 32

What can a basic load balancer balance traffic between?

Answer 32

Backend pool endpoints for VMs in a single availability set or VMSS

Question 33

What type of DNS zones can you link VNets to?

Answer 33

Private zones only

Question 34

What steps are necessary for connecting your on-premises network to Azure using a site-to-site VPN?

Answer 34

• Create a VNet
• Create a gateway subnet
• Create a VPN gateway
• Create a local gateway
• Create a VPN connection

Question 35

Can you connect VNets in different regions from different subscriptions?

Answer 35

Yes, by using a VNet-to-VNet connection

Question 36

What does a Point-to-Site (P2S) VPN gateway connection do?

Answer 36

Lets you create a secure connection to your VNet from an individual client computer
Useful when you have only a few clients that need to connect to a VNet

Question 37

What does each client computer need to connect to a VNet using a Point-to-Site connection?

Answer 37

• A client certificate installed
• You can generate one from the self-signed root certificate, then export and install it

Question 38

What are service endpoints used for?

Answer 38

Enabling private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet

Question 39

What is an Application Security Group (ASG)?

Answer 39

A logical collection of VMs (NICs)

Question 40

How do you use ASGs?

Answer 40

• Application Security Group
• You join VMs (NICs) to the ASG, then use the ASG as a source or destination in the NSG rules

Question 41

What is needed to set up a site-to-site VPN?

Answer 41

• Local gateway
• Gateway subnet
• VPN gateway
• A connection to connect the local gateway and VPN gateway

Question 42

What do public load balancers do?

Answer 42

• Load balance Internet traffic to your VMs
• Load balancer and the public IP address SKU must match when you use them with public IP addresses

Question 43

What must we have before creating a NIC?

Answer 43

A VNet

Question 44

What is IP flow verify used for?

Answer 44

• Used when a VM becomes unable to communicate with another resource because of a security rule
• Tests the communication, informs if the connection succeeds or fails, and tells you which rule causes the communication failure

Question 45

What feature of Azure Network Watcher would you use to validate connectivity from a VM to an external host?

Answer 45

Connection troubleshoot

Question 46

If you have two configured DNS servers, NIC and VNET, which takes precedence?

Answer 46

NIC configured DNS servers

Question 47

What can Connection Monitor tell you?

Answer 47

• Latency over time
• Round-trip time to make the connection
• Inspects traffic over a specific port

Question 48

What are the pre-requisites of VMs/VMSSs for load balancers with a standard SKU?

Answer 48

VMs must be connected to the same virtual network

Question 49

What Azure networking component is redundant by default?

Answer 49

Azure VPN gateways have two instances for redundancy

Question 50

What is the default DNS suffix for Azure provisioned DNS if no specific DNS is configured in the network?

Answer 50

internal.cloudapp.net

Question 51

What is an Azure Load Balancer health probe?

Answer 51

• A feature that detects the health status of your application instances, helping you detect application failures, manage load, and plan for downtime
• Sends a request to the instances to check if they are available and responding to requests
• Can be configured to use different protocols, like TCP, HTTP, or HTTPS

Question 52

What type of VPN is required for a P2S connection?

Answer 52

A Route-based VPN type

Question 53

How do Policy-based VPNs handle traffic?

Answer 53

• Uses the combination of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels
• Only available with Basic SKU
• Does not support P2S connectivity

Question 54

How do Route-based VPNs handle traffic?

Answer 54

• Uses any-to-any (wildcard) traffic selectors
• Lets routing tables direct traffic to different IPsec tunnels

Question 55

How can virtual networks be linked to a private DNS zone?

Answer 55

• Registration virtual network (can have multiple but only one registration zone)
• Resolution virtual network (can have multiple, and multiple resolution zones)

Question 56

What does the Packet capture function of Network Watcher do?

Answer 56

• Intercepts data packets and stores them temporarily so it can be analyzed, for a maximum of a 5 hour interval
• Inspects network traffic and helps diagnose network anomalies

Question 57

What do you need to configure when creating a load balancer?

Answer 57

• Frontend IP address
  If you want to apply rules, you also need
• Health probe
• Backend pool

Question 58

How would you set up a virtual WAN site-to-site portal?

Answer 58

• Create Virtual WAN
• Create Virtual Hub
• Create VPN sites
• Connect VPN sites to virtual hub

Question 59

What OSI layer does Azure Load Balancer operate at?

Answer 59

L4

Question 60

What OSI layer does Azure App Gateway operate at?

Answer 60

L7

Question 61

What is an A record used for?

Answer 61

To map a DNS/domain name to an IP address

Question 62

What network security policy supports kubernet networking?

Answer 62

Calico Network Policies

Question 63

Why would you create a route table?

Answer 63

Custom routes are helpful when you want to route traffic between subnets through a network virtual appliance (NVA)

Question 64

What are site-to-site VPN gateway connections used for?

Answer 64

To connect your on-premises network to an azure VNet over an IPsec/IKE VPN tunnel

Question 65

How is the subnet of the target VM selected if a subnet with the same name doesn’t exist?

Answer 65

Alphabetical order

Question 66

Are there any firewall resource group restrictions?

Answer 66

Yes
The firewall, VNet, and the public IP address must all be in the same resource group

Question 67

What resource can you select when using connection monitor?

Answer 67

A region

Question 68

What is Azure Bastion?

Answer 68

• A service you deploy that lets you connect to a VM using your browser/Azure portal or via the native SSH or RDP client installed on your computer
• You provision it inside your VNet and it provides secure RDP/SSH connectivity to your VM directly from the Azure portal over TLS. Your VM doesn’t need a public IP, agent, or special client software.

Question 69

When configuring Azure Bastion, what’s the difference between using a Basic SKU and a Standard SKU?

Answer 69

• Basic creates two instances
• Standard allows you to specify the number of instances; host scaling
• Standard allows use of the native client, letting you connect via Azure CLI and expands your sign-in options to include AAD and local SSH key pair
• Standard supports global tier IPs

Question 70

What kind of IP addresses does Azure Bastion support?

Answer 70

Standard SKU public IPs that are static

Question 71

What resources do you need to consider moving when moving a VM from one subscription to another?

Answer 71

All dependent resources must be moved along with it
ie. Disk (OS), NIC, VNet

Question 72

How would you enable multi-user authorization for a Recovery Services vault?

Answer 72

• Create resource guard
• Enable MUA on vault
• Authorize critical operations on vault

Question 73

In what order would you deploy resources in an ARM template to deploy a VM?

Answer 73

VNet
NIC
VM

Question 74

How would you migrate VMs to Azure using Azure Site Recovery?

Answer 74

• Create Recovery Service Vault
• Configure VNet
• Configure extended network

Question 75

What is the recommended subnet size for Azure Bastion?

Answer 75

/26 or larger

Question 76

How is traffic handled between VMs in peered VNets?

Answer 76

Using the Microsoft backbone infrastructure

Question 77

What are service tags?

Answer 77

• Group of IP address prefixes from a given Azure Service
• Used in place of specific IP addresses when you create security rules and routes

Question 78

What can you create Service Endpoints for?

Answer 78

Azure services

Question 79

What are private links used for?

Answer 79

• Connect privately to Azure Monitor without opening public network access
• Ensure monitoring data is only accessed through authorized private networks
• Keep all traffic inside the Azure backbone network

Question 80

What’s the difference been an A record and a CNAME record?

Answer 80

If the IP address changes, a CNAME entry is still valid, whereas an A record must be updated

Question 81

For what OS is private networking supported for?

Answer 81

Linux containers