WGU D338
Virtual network (VNet)
Virtual machines are connected to virtual networks. This connection provides inbound and outbound connectivity to other virtual machines, to on-premises networks, and to the Internet.
ARM template Validation
While creating the ARM template using the Azure portal editor, template validation is performed by default. Parameters, variables, and resources will not populate if there are any template errors.
The two most common extensions for configuration management
Windows PowerShell Desired State Configuration (DSC); Custom Script Extension
Basic vs Standard WAN
With Basic WAN, you can only create Basic Hubs. Basic Hubs are only capable of creating site-to-site connections. For any other connectivity, it is recommended to use Standard WAN.
Action Group Notifications Limits
You may have up to 1,000 email actions and 10 SMS/Voice actions in an Action Group.
Action Group (ITSM)
You may have up to 10 IT Service Manager (ITSM) actions with an ITSM connection. The following ITSM providers are currently supported: ServiceNow, System Center Service Manager, Provance, and Cherwell.
Backup reports
In order to configure the backup reports, you need to create or use an existing Log Analytics Workspace to store the backup reporting data. Also, you need a Recovery Services Vault, which records all the backup operations as diagnostic data.
Service Connectivity Monitor
Monitors outbound connectivity from nodes on your network to any external service with an open TCP port, such as web sites, applications, or databases.
Adds an Azure deployment to a resource group
New-AzResourceGroupDeployment
Steps to Create a VPN Gateway using the Azure portal
1. Add a Subnet 2. Assign an address space using a /27 CIDR
Network Watcher tools
1. IP Flow Verify 2. Next Hop 3. VPN Troubleshoot 4. Packet Capture 5. Connection Troubleshoot 6. Effective Security Rules
AKS Upgrade Process
1. Kubernetes upgrades one node at a time.
2. It first stops any pods from being scheduled on the node it's about to upgrade (cordon), and any pods currently running on that node are rescheduled onto other nodes (drain).
3. A new node is then created using the version of Kubernetes you've specified to upgrade to.
4. Once that's done, Kubernetes deletes the node running the older version and begins the upgrade process on the next node in the cluster. This continues until all nodes are upgraded.
Network Performance Monitor (NPM) Services
1. Performance Monitor 2. Service Connectivity Monitor 3. ExpressRoute
How routes are applied
1. User-defined routes 2. System routes for traffic in a virtual network, across a virtual network peering, or to a virtual network service endpoint 3. BGP routes 4. Other system routes
Virtual network IP ranges
10.0.0.0-10.255.255.255 (10.0.0.0/8); 172.16.0.0-172.31.255.255 (172.16.0.0/12); 192.168.0.0-192.168.255.255 (192.168.0.0/16)
IP ranges reserved by the Azure platform
169.254.0.0/16 (link-local); 168.63.129.16/32 (Azure-provided DNS)
Action Group (Function Apps)
A Function App is a set of code that runs "serverless" that can respond to alerts. This functionality requires Version 2 of Function Apps, and the value of the AzureWebJobsSecretStorageType app setting must be set to files.
Action Group (Logic Apps)
A Logic App provides a visual designer to model and automate your process as a series of steps known as a workflow. There are many connectors across the cloud and on-premises to quickly integrate across services and protocols. When an alert is triggered the Logic App can take the notification data and use it with any of the connectors to remediate the alert or start other services.
Connection Troubleshoot Tool
A Network Watcher feature designed to allow you to test the connectivity between an Azure VM or an App Gateway and another endpoint—either another Azure VM, or an arbitrary Internet or Intranet endpoint.
Action Group
A collection of actions that should occur in response to an alert being triggered.
Gateway subnets
A gateway subnet is a special type of subnet that can only be used for virtual network gateways. VPN gateways can only be deployed to a dedicated gateway subnet within the VNet.
Fault Domain
A group of servers, which have shared power, cooling, and networking
Proximity Placement Group
A logical grouping of VMs to reduce the latency by keeping them closer to each other
Complete mode using PowerShell
New-AzResourceGroupDeployment `
  -Mode Complete `
  -Name simpleVMDeployment `
  -ResourceGroupName ExamRefRG `
  -TemplateFile C:\ARMTemplates\deploy.json
Alerts can have one of three states:
New: The alert is new and has not been reviewed.
Acknowledged: The issue that generated the alert is being actioned by an administrator.
Closed: The issue that generated the alert has been resolved, and the alert has been marked as closed.
Create Application Insights
On the Basics blade, select the Subscription, Resource Group, Region, Resource Mode, and Log Analytics Workspace and specify the Name
VNET Peering
Once peered, traffic between VMs is routed through the Microsoft backbone infrastructure. Traffic does not pass over the public Internet, even when using global VNet peering to connect VNets in different Azure regions.
Public IP address prefixes
Only Standard Tier is supported
Floating IP (direct server return)
Only recommended when load-balancing traffic for a SQL Server Always On Availability Group listener
Performance Monitor
Performance Monitor enables you to monitor packet loss and latency between your endpoints, both in Azure and on-premises. A VM or server running the Log Analytics agent is required at both ends of each monitored connection.
Availability Zones
Physically separate locations within an Azure region. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. Offer high availability and low latency.
Extensions
Provide post-deployment configuration and automation
Azure Network Watcher
Provides a central hub for a wide range of network monitoring and diagnostic tools.
Network Topology
Provides a diagrammatic view of the resources in your virtual network. It is not a diagnostic or alerting tool. It is a quick and easy way to review your network resources and manually check for misconfiguration.
VPN Troubleshoot Tool
Provides automated diagnostics of Azure VPN gateways and connections. The results provide a detailed report on gateway health and connection health, with accurate pointers to common issues, enabling informed remediation.
Microsoft Peering
Provides connectivity over the Internet address space into Microsoft services such as Office 365, Dynamics 365, and Internet-facing endpoints of Azure platform (PaaS) services.
Azure Private Peering
Provides connectivity over the Intranet address space into your Azure virtual network. This peering is considered a trusted extension of your core network into Azure.
Public IP address allocation
Public IP addresses support both dynamic and static IP allocation. For the Basic tier, both static and dynamic allocation are supported, the default being dynamic. For the Standard tier, only static allocation is supported.
Subnets
Subnets are used to divide the VNet IP space. Different subnets can have different network security and routing rules, enabling applications and application tiers to be isolated and network flows between them to be controlled. For example, consider a typical three-tier application architecture comprised of a web tier, an application tier, and a database tier, each placed in its own subnet.
Update Domain
Separates the VMs that make up one environment into different groups so that not all of them are rebooted at the same time during planned maintenance.
Azure VNets and on-premises networks
site-to-site VPN
Load Balancer front-end routing rule
Specify the Listener Name and select the Frontend IP, Protocol, Port, and Listener Type.
Requirement to install Log Analytics Agent
The workspace ID and key needed to configure the agent to report to the Log Analytics workspace.
ARM Templates Structure
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { },
  "variables": { },
  "functions": [ ],
  "resources": [ ],
  "outputs": { }
}
Variable JSON Example Network Interface
"VMNicName": "VMNic"
VNet Peering
Allows virtual machines in two separate virtual networks to communicate directly, using their private IP addresses.
Availability Sets
Availability sets are a way for you to ensure your application remains online if a high-impact maintenance event is required or a hardware failure occurs. Availability sets are made up of update domains and fault domains.
How to get to RDP without port scanning
Bastion Host
BGP (Border Gateway Protocol)
Border Gateway Protocol (BGP) is a standard used in the Internet to exchange routing information between networks. BGP can be optionally enabled on your VPN gateway, if the on-premises gateway also supports it. If used, it enables the VPN gateway and the on-premises gateway to exchange routing information automatically, avoiding the need to configure routes manually.
Where can you stream logs to?
Event Hub
service key (s-key)
The identifier of an ExpressRoute circuit, expressed as a GUID.
ExpressRoute
A secure and reliable private connection between your on-premises network and the Microsoft cloud.
Action Group (Runbook)
A set of PowerShell code that runs in the Azure Automation Service.
Forced Tunneling
A special case is when a route is configured with the destination IP prefix 0.0.0.0/0. Given the precedence rules described above, this route controls traffic destined for any IP address that is not covered by a more specific route.
Action Group (Webhook)
A webhook allows you to route an Azure alert notification to other systems for post-processing or custom actions. For example, you can use a webhook on an alert to route it to services that send text messages, log bugs, notify a team via chat/messaging services, or do any number of other actions
View alerts in Azure Monitor
After an alert rule has been created, the alert rule and its Action Group can be managed through Azure Monitor from the Alerts blade by selecting Manage Alert Rules.
Windows PowerShell DSC Extension
Allows you to define the desired state of a virtual machine, and performs continuous updates when integrated with the Azure Automation DSC service.
ExpressRoute Monitor
Allows you to monitor end-to-end network connectivity and performance between on-premises and Azure endpoints over ExpressRoute connections. It can auto-detect ExpressRoute circuits and your network topology, and track bandwidth utilization, packet loss and network latency.
User-defined routes
Allows you to send traffic through a network virtual appliance, such as a third-party Load Balancer, firewall, or router deployed into your VNet from the Azure Marketplace.
Valid locations to send logs to
Archive To A Storage Account, Stream To An Event Hub, or Send To Log Analytics
Action Group (Actions Types)
Automation Runbook; Azure Function; ITSM; Logic App; Secure Webhook; Webhook
ARM Templates
With Azure Resource Manager templates (ARM templates), you can describe the resources you want to deploy in a declarative JSON format. Benefits: the template is *verified* before any deployment is executed; the template orchestrates the creation of *many resources in parallel*; and it creates *all dependencies* in the correct order.
Snapshot Streamed
Azure Storage associated with the Recovery Services Vault
System routes
Azure VMs that are in the same VNet can communicate automatically with each other and with the Internet without any explicit configuration changes, even when they are in different subnets.
Analyze alerts across subscriptions
Azure operators are not limited to viewing alerts from a single subscription: Azure Monitor provides a single pane of glass both for managing alert rules across multiple subscriptions and for managing the alerts they generate.
IP forwarding
By default, a virtual machine in Azure will not accept a network packet addressed to a different IP address. For such traffic to be allowed to pass into a virtual appliance (for example, a firewall NVA), you must enable IP forwarding on the network interface of that virtual machine.
Four ways to configure a DNS label for an Azure public IP address
1. By specifying the DNS name label property of the public IP address resource
2. By creating a DNS A record in Azure DNS or a third-party DNS service hosting a DNS domain
3. By creating a DNS CNAME record in Azure DNS or a third-party DNS service hosting a DNS domain
4. By creating an alias record in Azure DNS
What is the minimum size for a gateway subnet
CIDR /29
Hybrid networks
Commonly used for Intranet applications, which may be hosted in Azure but only accessed from the on-premises network. They are also used by Azure applications that require access to an on-premises resource, such as a database.
Create a template Azure Portal
Click the Create a resource button, search for "template deployment", select Template deployment from the search results, and then click Create. Build your own template in the editor or load one from GitHub.
Azure Virtual WAN
Creates a unified wide area network (WAN) that connects local and remote sites.
(Automate Deployment) Pre-requisite of deploying a virtual machine
Creating a Virtual Network
Create Action Group
Define the Action Group Name, Display Name, Subscription, and Resource Group in which the Action Group will be created
Arm Template parameters
Define the values that are passed in at deployment time, so the same template file can be reused without changes. They are key elements when working with nested templates, passing values from the parent template to the child templates.
Arm Template variables
Define values that are reused within the template, simplifying the template expressions.
How to view NSG Rules
Effective Security Rules
Action Group Notifications
Email/SMS Message/Push/Voice
Network Performance Monitor (NPM)
Is a network monitoring solution for hybrid networks that enables you to monitor network connectivity and performance between various points in your network, both in Azure and on premises. It can provide reports of network performance and raise alerts when network issues are detected.
What is a virtual network gateway
It allows you to create connections from your virtual network to other networks
Arm Template $schema
The JSON schema file that defines the standard structure of an ARM template; the $schema element references it.
Peering Limits
Limit of 500 peering connections per VNet
Azure Monitor Signal Types
Metrics; Log search queries; Activity Logs
Network virtual appliance (NVA)
Service chaining allows common services to be shared across VNet peerings by routing traffic through an NVA deployed in the hub VNet.
Service endpoints
Service endpoints are a mechanism to integrate Azure PaaS services into your virtual network and access them over the Microsoft Azure backbone network instead of over the Internet. Service endpoints prevent the exposure of data and services to the Internet.
hub-and-spoke network topology
Shared resources (such as domain controllers, DNS servers, monitoring systems, and so on) are deployed into a dedicated hub VNet. These services are accessed from multiple applications, each deployed to their own separate spoke VNets.
Difference between ExpressRoute connections and Site-to-Site VPN
Site-to-Site VPN connections only provide connectivity to your Azure VNet, whereas ExpressRoute provides connectivity to all Microsoft cloud services
Health Probe Configuration
Specify the health probe name, together with the protocol, port, probe interval, and consecutive probe failures threshold.
Where to install an extension
The Advanced blade in the Azure portal
IP Flow Verify
The IP Flow Verify tool provides a quick and easy way to test whether a given network flow will be allowed into or out of an Azure virtual machine. It will report whether the requested traffic is allowed or blocked, and in the latter case, which NSG rule is blocking the flow. It is a useful tool for verifying that NSGs are correctly configured.
Next Hop
The Next Hop tool provides a useful way to understand how a VM's outbound traffic is being directed. For a given outbound flow, it shows the next hop IP address and type and the route table ID of any user-defined route in effect
Packet Captures
The Packet Capture tool allows you to capture network packets entering or leaving your virtual machines. It is a powerful tool for deep network diagnostics. Use Wireshark or Microsoft Message Analyzer to read the capture file.
Arm Template contentVersion
This provides source control to track the changes made in your template. You can provide any value for this element. When deploying resources using the template, this value can be used to make sure that the right template is being used.
DNS troubleshooting
Use Connection troubleshoot
To back up files and folders from on-premises VMs
Use Microsoft Azure Recovery Services (MARS) agent. The MARS agent is available for installation from the Recovery Services Vault.
Custom script extension
Used to execute an arbitrary command such as a batch file, regular PowerShell script, or a bash script.
Arm Template functions
Users can create functions that can be used within the template. The complex expressions that are being used multiple times in the template can be defined as a function once. You need to create your own namespace and create member functions as needed. You cannot access variables or any other user-defined functions within your function.
How to use Azure custom script extension
Your script must be accessible via a URI, such as an Azure storage account, and must either be accessible anonymously or be passed with a shared access signature (SAS URL).
ExpressRoute gateway
A virtual network gateway created with the ExpressRoute option (rather than the VPN option used to create VPN gateways). Just as with VPN gateways, the ExpressRoute gateway must be created in the gateway subnet of the virtual network.
Source Network Address Translation (SNAT)
Changes the source address of outgoing packets. It works best for local client systems that initiate connections to outside servers but don't usually receive incoming connections.