Azure networking
How does s VPN gateway work?
1. Create the VPN Gateway where two or more VMs are automatically configured and deployed to the gateway subnet 2. create connection configurations a. create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet) b. create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site) c. create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.
What is Azure DDoS Protection Standard?
Azure DDoS Protection Standard, provides enhanced DDoS mitigation features to defend against DDoS attacks. Key feature: Always-on traffic monitoring: monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. DDoS mitigation policies
Describe ExpressRoute & Site-to-Site coexistence
Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages: - You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute. - Alternatively, you can use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.
Traffic Manager Routing Methods
::Weighted routing: Choose weighted when you want to distribute traffic across a set of endpoints, either evenly, or based on different weights. The probability of choosing an endpoint is based on the weights assigned to all available endpoints. Performance routing: If you have endpoints in different geographic locations, you can use performance routing to send users to the endpoint that has the best performance for the user. routing method uses an internet latency table, which actively tracks network latencies to the endpoints from locations around the globe. Geographic routing: Users are directed to specific endpoints based on where their DNS query originates. EX. European users can be directed to an endpoint in Europe that has specific terms and conditions for regional compliance. Multivalue routing: Get multiple healthy endpoints in a single DNS query response. The caller can make client-side retries with other endpoints if an endpoint is unresponsive. Subnet routing: Maps the set of user IP address ranges to specific endpoints within a Traffic Manager profile. ex. using subnet routing, a customer can route all requests from their corporate office to a different endpoint, where they might be testing an internal-only version of the app. Priority routing: Traffic Manager sends all traffic to the primary (highest-priority) endpoint. The Traffic Manager profile contains a prioritized list of service endpoints.
How does DNS work?
A DNS server carries out one of two primary functions: 1. Maintains a local . cache of recently accessed or used domain names and their IP addresses. This cache provides a faster response to a local domain lookup request. If the DNS server can't find the requested domain, it passes the request to another DNS server. This process repeats at each DNS server until either a match is made or the search times out. 2. Maintains the key-value pair database of IP addresses and any host or subdomain over which the DNS server has authority. This function is often associated with mail, web, and other internet domain services.
Describe Point-to-Site VPN
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer This solution is useful for remote workers who want to connect to Azure VNets from a remote location, such as from home or a conference. Use: OpenVPN® Protocol, Secure Socket Tunneling Protocol (SSTP), IKEv2 VPN
Describe Site-to-Site VPN
A Site-to-Site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. - requires a VPN device located on-premises that has a public IP address assigned to it.
Describe health probes
A health probe allows the load balancer to monitor the status of your app. The health probe dynamically adds or removes VMs from the load balancer rotation based on their response to health checks. When a probe fails to respond, the load balancer stops sending new connections to the unhealthy instances. HTTP custom probe. The load balancer regularly probes your endpoint (every 15 seconds, by default). The instance is healthy if it responds with an HTTP 200 within the timeout period (default of 31 seconds). Any status other than HTTP 200 causes the probe to fail. You can specify the port (Port), the URI for requesting the health status from the backend (URI), amount of time between probe attempts (Interval), and the number of failures that must occur for the instance to be considered unhealthy (Unhealthy threshold). TCP custom probe. This probe relies on establishing a successful TCP session to a defined probe port. If the specified listener on the VM exists, the probe succeeds. If the connection is refused, the probe fails. You can specify the Port, Interval, and Unhealthy threshold.
What is a virtual network gateway?
A virtual network gateway serves two purposes: - exchange IP routes between the networks - route network traffic. Used connect your Azure virtual network and your on-premises network Gateway types: VPN or Expressroute
Describe Azure virtual network concerpts
Address space: specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. Subnets: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. Regions: VNet is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using Virtual Network Peering. Subscription: VNet is scoped to a subscription.
What is an Azure virtual network?
An Azure virtual network (or VNet) provides the foundation of the Azure networking infrastructure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. Key scenarios that you can accomplish with a virtual network: - communication of Azure resources with the internet - communication between Azure resources - communication with on-premises resources - filtering network traffic - routing network traffic - integration with Azure services.
Describe public load balancer
An external load balancer operates by distributing client traffic across multiple virtual machines. An external load balancer permits traffic from the internet. A public load balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of a virtual machine in the back-end pool. The responses are then returned to the client. By applying load-balancing rules, you distribute specific types of traffic across multiple virtual machines or services. The default distribution mode for Load Balancer is a five-tuple hash. The tuple is composed of source IP, source port, destination IP, destination port, and protocol type.
Describe Internal load balancer
An internal load balancer distributes a load from internal Azure resources to other Azure resources. In addition to balancing requests from users to front-end servers, you can use Azure Load Balancer to distribute traffic from front-end servers evenly among back-end servers.
Azure Application Gateway
Application Gateway manages the requests that client applications send to a web app. Application layer routing routes traffic to a pool of web servers based on the URL of a request. The back-end pool can include Azure virtual machines, Azure virtual machine scale sets, Azure App Service, and even on-premises servers. Azure Application Gateway can be used as an internal application load balancer or as an internet-facing application load balancer.
Describe Application Security Groups
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
What is Azure DNS?
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. Azure DNS allows you to host and manage your domains by using a globally distributed name server infrastructure. It allows you to manage all of your domains by using your existing Azure credentials. Azure DNS can manage DNS records for your Azure services, and provide DNS for your external resources. Azure DNS uses the same Azure credentials, support contract, and billing as your other Azure services.
Describe Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. An Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. configure NAT rules, network rules, and applications rules The smaller the number, the higher the priority. Azure Firewall supports inbound and outbound filtering.
Describe Azure Load Balancer
Azure Load Balancer is a service you can use to distribute traffic across multiple virtual machines. Azure Load Balancer, you can spread user requests across multiple virtual machines or other services, enabling you to scale the app to larger sizes than a single virtual machine can support, and to ensure that users get service, even when a virtual machine fails.
What is Azure Private DNS?
Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain names in the virtual network without the need to configure a custom DNS solution. - you can use your own custom domain name instead of the Azure-provided names during deployment. must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.
What is Azure Virtual WAN?
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. The Virtual WAN hubs can be connected to your branches, virtual networks, and remote users. Azure Virtual WAN is a hub and spoke architecture. The hib allows all network devices plugged into it to communicate directly with each other. Offers: - Enables any-to-any connectivity to workloads distributed globally in virtual networks. - Connects: 1. Working at home and mobile users using point-to-site VPN 2. Branch offices using site-to-site VPN 3.Main campuses and data centers using ExpressRoute for private connections
Describe VNet-to-VNet
Configuring a VNet-to-VNet connection is a simple way to connect VNets. -similar to connecting a VNet to an on-premises site location -use a VPN gateway to provide a secure tunnel using IPsec/IKE.
What is DNS?
DNS, or the Domain Name System, is a protocol within the TCP/IP standard. DNS serves an essential role of translating the human-readable domain names, for example: www.wideworldimports.com, into a known IP address. IP addresses enable computers and network devices to identify and route requests between themselves. Microsoft provides a DNS service through Azure DNS.
What is Azure ExpressRoute?
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider.
What is an Public IP addresses
If you want to connect to a VM from the internet, the VM must have a public IP address associated to it. Public IP addresses allow: - Internet resources to communicate inbound to Azure resources. -Azure resources to communicate to Internet and public-facing Azure services.
What is a DDoS attack?
In a DDoS attack, a perpetrator intentionally floods the system, like a server, website, or other network resource, with fake traffic. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. Some common DDoS attacks are: Volumetric attacks - use multiple infected systems to flood the network layer with a substantial amount of seemingly legitimate traffic. Protocol attacks - They exploit a weakness in TCP. ex, TCP SYN flood, which exploits part of the three-way handshake. The attacker sends a succession of TCP SYN requests, ignoring the SYN+ACK reply. This attack is directed towards a target with the goal of overwhelming the target and making it unresponsive. Resource (application) layer attacks - These layer-7 attacks include exploiting the HTTP protocol, SQL injection attacks, cross-site scripting, and other application attacks.
Describe Network Watcher
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level.
What is an Private IP addresses
Private IPs allow communication between resources in Azure. Azure assigns private IP addresses to resources from the address range of the virtual network subnet where the resource is. 2 Allocation method: Dynamic: Azure assigns the next available unassigned or unreserved IP address in the subnet's address range. Static: You select and assign any unassigned or unreserved IP address in the subnet's address range.
Describe Private Link
Private Link provides secure access to Azure services. Private Link achieves that security by replacing a resource's public endpoint with a private network interface. - The Azure resource becomes, in a sense, a part of your virtual network. - The connection to the resource now uses the Microsoft Azure backbone network instead of the public internet. - You can configure the Azure resource to no longer expose its public IP address, which eliminates that potential security risk. Traffic between your virtual network and the service travels the Microsoft backbone network. With Private LInk the Azure service is assiged an Private IP. -one way communication from from internal netwrok to Azure service. -clients must connect to the private endpoint to access a resource.
Describe Traffic Manager
Problem: Cloud services in one region might become unavailable because of technical issues, such as planned maintenance or scheduled security updates. - company wants to have a failover endpoint so your customers can continue to access its services. Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness. -uses DNS to direct the client requests to the appropriate service endpoint based on a traffic-routing method.
Describe RouteBased
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface). RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards).
What problem is Private Link solving?
The problem is that your Azure SQL database is exposed to the internet via its public IP address. Security risks are present when an Azure resource is accessed via a public IP address from: - A peered Azure virtual network - An on-premises network that connects to Azure using ExpressRoute and Microsoft peering - A customer's Azure virtual network that connects to an Azure service offered by your company. Problem: When employees, vendors and customers need to access Azure services; Why expose data application and services to the public internet? Private Link is designed to eliminate these security risks by removing the public part of the connection.
How service endpoints work
To enable a service endpoint, you must: 1. Turn off public access to the service. 2. Add the service endpoint to a virtual network. -Adding service endpoints doesn't remove the public endpoint. It simply provides a redirection of traffic. When you enable a service endpoint, you restrict the flow of traffic, and enable your Azure VMs to access the service directly from your private address space. All traffic for the service now is routed to the VirtualNetworkServiceEndpoint, and remains internal to Azure.
What is VPN Gateway?
VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. A VPN gateway is a specific type of virtual network gateway. Each virtual network can have only one VPN gateway. When you create a VPN gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specified.
Describe service endpoint
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet. Allows direct connectivity between VNets and Azure services over Azure Servics will see traffic from VNEt and allow traffic from VNET subnets. When accessing the Azure service from a VNET, an private IP address will be used ad the source IP address. Use if only want services to remain secure from unauthorized access; only want them be accessible from specific systems
What is VNET Peering?
Virtual network peering enables you to seamlessly connect two or more Virtual Networks within the same Azure region. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Each virtual network, including a peered virtual network, can have its own gateway.
Describe the VNet Gateway types
Vpn - To send encrypted traffic across the public Internet This is also referred to as a VPN gateway. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway. ExpressRoute - To send network traffic on a private connection. This is also referred to as an ExpressRoute gateway and is the type of gateway used when configuring ExpressRoute.
How Traffic Manager works
When a client attempts to connect to a service, first it resolves the DNS name of the service as an IP address. The client then connects to that IP address to access the service. Traffic Manager uses DNS to direct clients to a specific service endpoint IP address based on the rules of the traffic routing method that's used. Clients connect directly to the selected endpoint; it just gives clients the IP address of where they need to go.
Describe ExpressRoute connectivity models
You can create a connection between your on-premises network and the Microsoft cloud in four different ways: CloudExchange Co-location Point-to-point Ethernet Connection Any-to-any (IPVPN) Connection ExpressRoute Direct
Describe network security group (NSG)
You can limit network traffic to resources in a virtual network using a network security group (NSG). A network security group contains a list of security rules that allow or deny inbound or outbound network traffic. An NSG can be associated to a subnet or a network interface. A network security group can be associated multiple times.
Describe Source IP affinity
aka session affinity or client IP affinity To map traffic to the available servers, the source IP affinity mode uses a two-tuple hash (from the source IP address and destination IP address) or a three-tuple hash (from the source IP address, destination IP address, and protocol type). The hash ensures that requests from a specific client are always sent to the same virtual machine behind the load balancer.
Describe Multi-Site VPN Connectivity
refers to adding Site-to-Site (S2S) connections to a VPN gateway that has an existing connection You can create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with classic VNets). - Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth. This type of connection is sometimes referred to as a "multi-site" connection. a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet connection
Describe PolicyBased VPNs
use the combinations of prefixes(of IP addresses) from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine does NOT use the routing table but a special additional policy to decide whether IP traffic is sent through a VPN tunnel or not. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration.
