d084 Configure and manage virtual networks

subscriptions

You can peer VNets in different ______, even if those ______are under different Azure Active Directory tenants

CIDR /27

Microsoft-recommended best practice is to use a _____ address block to allow for future expansion.

DNS Settings

Network interfaces properties: If specified, these DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers. This setting will override the VNet-level _______, if both are specified.

location

Network interfaces properties: The ____of the resource. Must be the same as the _____ of any virtual network or any virtual machine which the network interface will be connected to.

1-80

Network interfaces properties: The network interface name. Must be unique within the resource group. it is between ___ characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number and end with a letter, number, or underscore.

hare a single gateway

. Rather than deploy two virtual network gateways, it is much simpler and more cost-efficient for both VNets to s____. This can be achieved, provided both VNets are deployed to the same Azure region, and having the correct configuration of the peering settings.

virtual network gateway

A _____ allows you to create connections from your virtual network to other networks.

hub-and-spoke

A common way to reduce duplication of resources is to use a ____ network topology. n this approach, shared resources (such as domain controllers, DNS servers, monitoring systems, and so on) are deployed into a dedicated VNet.

IP configurations

A list of _____ for the network interface. These are the most important settings, containing the public and private IP address properties.

Global VNet peering.

Peering between VNets in different regions is called _________

properties

Private IP addresses are configured as _____ within the IP configurations of the network interface. They are not a separate resource.

IPv4 or IPv6

Public IP address resources can use either an _____ address (but not both).

Basic or Standard

Public IP addresses are available at two pricing tiers (or SKUs):

DHCP

Static private IP addresses should only be configured in the Azure network interface resource. They will be assigned to the virtual machine using ____, just like with dynamic private IP addresses.

private

The IP ranges in your VNet are ___ to that VNet. An IP address in your VNet can only be accessed from within that VNet, or from other networks connected to the VNet.

4

There are ___ ways to configure a DNS label for an Azure public IP address:

DNS name label property

There are four ways to configure a DNS label for an Azure public IP address: 1. By specifying the _____ of the public IP address resource.

DNS A record

There are four ways to configure a DNS label for an Azure public IP address: 2. By creating a _____ in Azure DNS or a third-party DNS service hosting a DNS domain.

CNAME

There are four ways to configure a DNS label for an Azure public IP address: 3. By creating a DNS _____ record in Azure DNS or a third-party DNS service hosting a DNS domain.

alias

There are four ways to configure a DNS label for an Azure public IP address: 4. By creating an ____ record in Azure DNS.

dynamic or static

There are two methods used to assign private IP addresses: ________.

Service endpoints (and policies)

VNET Subnet Properties: An array of ____ for this subnet. ____ provide a direct route to various Azure PaaS services (such as Azure storage), without requiring an Internet-facing endpoint. ____provide further control over which instances of those services may be accessed.

CIDR /29

the minimum size for the gateway subnet is a _____

Delegations

VNET Subnet Properties: An array of references to ___on the subnet. ____allow subnets to be used by certain Azure services, which will then deploy managed resources (such as an Azure SQL Database Managed Instance) into the subnet. Access to these resources is private and can be controlled using NSGs. ____also support access to and from on-premises networks when hybrid networking is used.

Network security group

VNET Subnet Properties: Reference to the ____ for the subnet. NSGs are essentially firewall rules that can be associated to a subnet and are used to control which inbound and outbound traffic flows are permitted.

Address prefix

VNET Subnet Properties: The IP address range for a subnet, specified in CIDR notation. All subnets must sit within the VNet address space and cannot overlap.Support for multiple IP ranges in a single subnet is currently in preview.

2-80

VNET Subnet Properties: The subnet name must be unique within the VNet. It is between____characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number. Must end with a letter, number, or underscore.

Route table

VNET Subnet Properties: ____ applied to the subnet, used to override the default system routes. These are used to send traffic to destination networks that are different than the routes that Azure uses by default.

100

Be aware of the limit of ___peering connections per VNet. This is a hard limit.

IPv4 and IPv6

Both ____ private IP addresses are supported

network interface

Both public and private IP addresses are configured on virtual machines using ____ resources.

0.0.0.0/0

A special case is when routes are configured with the destination IP prefix ____. Given the precedence rules described above, this route controls traffic destined for any IP address is not covered by any other rules.

Virtual Appliance

A variety of different types of next hop are supported. These are: A virtual machine running a network application such as a load-balancer or firewall.

None

A variety of different types of next hop are supported. These are: Used to drop all traffic send to a given IP address or prefix.

Internet

A variety of different types of next hop are supported. These are: Used to route a specific IP address or prefix to the Internet.

Virtual Network Gateway

A variety of different types of next hop are supported. These are: Used to route traffic to a VPN Gateway (but not an ExpressRoute Gateway, which uses BGP for custom routes).

Virtual Network

A variety of different types of next hop are supported. These are: Used to route traffic within the Virtual Network.

resource

A virtual network (VNet) is an Azure ___.

network virtual appliance (NVA)

An alternative approach is to deploy a ______ into the hub, using user-defined routes (UDRs) to route inter-spoke traffic through the _____

automatically

Azure VMs that are added to a VNet can communicate _____ with each other over the network. Even if they are in different subnets or attempting to gain access to the Internet, there are no configurations required by you as the administrator.

3

Azure also holds ____additional addresses for internal use starting from the first address in the subnet.

first and last

Azure reserves the ____ IP addresses in each subnet for network identification and for broadcast, respectively.

5

Azure will hold back a total of ___IP addresses from each subnet.

public IP prefixes

Basic Tier Does not support ___

both static and dynamic

Basic Tier Supports ____ allocation methods.

inbound or outbound

Basic Tier Use NSGs to restrict ____ traffic.

Open

Basic Tier is ___ by default for inbound traffic.

Not zone redundant

Basic Tier is ___, but can be assigned to a specific availability zone.

Internet

By default, Azure implements a system route directing all traffic matching 0.0.0.0/0 (and not matching any other route) to the _____.

IP forwarding

By default, a virtual machine in Azure will not accept a network packet addressed to a different IP address. For that traffic to be allowed to pass into that virtual appliance, you must enable _____ on the network interface of the virtual machine.

forced tunneling

By using a VPN Gateway as the next hop, you can direct all Internet-bound traffic over your VPN connection to an on-premises network security appliance. This is known as ______.

devices

Changes to subnets and address ranges can only be made if there are no ____connected to the subnet.

network settings

Do not configure private IP addresses directly within the virtual machine OS ____.

4

Dynamic allocation assigns private IP addresses from each subnet in order, starting with the lowest available IP in the subnet IP range. Remember that the first ____ IP addresses in each subnet are reserved by the Azure platform.

single network range

Each subnet must also define a ____(in CIDR format).

IP ranges

Each virtual network can use either a single or multiple disjoint ____.

Classless Inter-Domain Routing (CIDR)

IP ranges are defined using ____ notation.

User defined routes

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 1st priority

System routes for traffic in a virtual network, across a virtual network peering, or to a virtual network service endpoint

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 2nd priority

BGP routes

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 3rd priority

Other system routes

If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 4th priority

latency

Implementing a custom route using the 0.0.0.0/0 prefix has several implications. First, traffic to Azure platform services will also be routed via your custom route. This may add considerable additional _____ to these connections.

indirect

Implementing a custom route using the 0.0.0.0/0 prefix has several implications. Second, you will no longer be able to access resources in your subnet directly from the Internet. Instead, you will need to configure an ____ path, with inbound traffic passing through the next hop device.

Loopback

In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 127.0.0.0/8

Azure-provided DNS

In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 168.63.129.16/32

Multicast

In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 224.0.0.0/4

Broadcast

In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 255.255.255.255/32

Link-local

In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 169.254.0.0

static

Standard Tier Supports ____ allocation .

IP address block.

Standard Tier Supports public IP prefixes, allowing IP addresses to be assigned from a contiguous___

allow

Standard Tier Use NSGs to ____ inbound traffic

restrict

Standard Tier Use NSGs to ___outbound traffic.

Zone redundant

Standard Tier is ___ by default, or can instead be assigned to a specific availability zone

Closed

Standard Tier is ____ by default for inbound traffic.

name

The ____ of a subnet must be unique within that VNet. You cannot change the subnet ____after is has been created.

user defined routes (UDRs).

The _____ is implemented by creating a route table resource.

dynamic

The default allocation method is ____, where the IP address is automatically allocated from the resource's subnet

default system

The following are the ____ routes that Azure will use and provide for you: Within the same subnet From one subnet to another within a VNet VMs to the Internet A VNet to another VNet through a VPN gateway A VNet to another VNet through VNet peering A VNet to your on-premises network through a VPN gateway or ExpressRoute

non-overlapping

The peered VNets must have _____ IP address spaces.

Source Network Address Translation (SNAT)

Traffic leaves the virtual machine via the private IP address, and ____is used to map the outbound traffic from the private IP address to the public IP address.

next hop

UDR: Each route specifies the destination IP range (in CIDR notation) and the ____ IP address.

routes of exposure

UDR: Within the route table, a number of _____are configured.

Public IP addresses

Used for communication with the Internet.

Private IP addresses:

Used for communication within Azure virtual networks and connected on-premises networks.

IP forwarding

Used to enable _____ on this network interface. It is used for network virtual appliances to allow the virtual machine to receive packets addressed to other networks.

IPv6

VMs cannot communicate between private ___addresses on a VNet, since they can only use ___ to receive and respond to inbound traffic from the Internet when using an Internet-facing load balancer.

Address Space

VNET Properties: An array of IP address ranges available for use by subnets.

location

VNET Properties: Azure ____must be the same as the VNet. Each VNet is tied to a single Azure region, and can only be used by resources (such as Virtual Machines) in that region.

DHCP Options

VNET Properties: Contains an array of DNS servers. If specified, these DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers.

DDOS Protection

VNET Properties: Settings to defines whether additional DDoS protection is provided for resources in the VNet, and if so which protection plan is used

2-64

VNET Properties: The VNet name. It must be unique within the resource group. It is between ____ characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number and end with a letter, number, or underscore

Peerings

VNET Properties: The list of peerings configured for this VNet. Peerings are used to create network connectivity between separate VNets.

Subnets

VNET Properties: The list of subnets configured for this VNet.

RFC 1918

Your VNet IP ranges will typically be taken from the private address ranges defined in ____

VNet peering

____ allows virtual machines in two separate virtual networks to communicate directly, using their private IP addresses.

Static public IP addresses

____ are typically used in scenarios where a dependency is taken on a particular IP address. For example: commonly used in the following scenarios: Where firewall rules specify an IP address. Where a DNS record would need to be updated when an IP address changes. Where the source IP address is used as a (weak) form of authentication of the traffic source. Where an SSL certificate specifies an explicit IP address rather than a domain name.

Subnets

____ are used to divide the VNet IP space.

Static private

_____ IP addresses are commonly used for: Virtual machines that act as domain controllers or DNS servers Resources that require firewall rules using IP addresses Resources accessed by other apps/resources through an IP address explicitly, rather than a domain name.

VPN gateways

_____ can be used to create VPN connections, either to on-premises networks or to other virtual networks.

IPv6

_______ support is limited as follows: Only the Basic tier is supported. Only dynamic allocation is supported. Only Internet-facing load balancers (and not virtual machines) can be assigned a public IPv6 add