d084 Configure and manage virtual networks
subscriptions
You can peer VNets in different ______, even if those ______ are under different Azure Active Directory tenants.
CIDR /27
Microsoft-recommended best practice is to use a _____ address block for the gateway subnet, to allow for future expansion.
DNS Settings
Network interfaces properties: If specified, these DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers. This setting will override the VNet-level _______, if both are specified.
location
Network interfaces properties: The ____ of the resource. Must be the same as the _____ of any virtual network or any virtual machine which the network interface will be connected to.
1-80
Network interfaces properties: The network interface name. Must be unique within the resource group. It is between ___ characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number and end with a letter, number, or underscore.
share a single gateway
Rather than deploy two virtual network gateways, it is much simpler and more cost-efficient for both VNets to _____. This can be achieved provided both VNets are deployed to the same Azure region and the peering settings (allow gateway transit on the gateway side, use remote gateways on the other side) are configured correctly.
virtual network gateway
A _____ allows you to create connections from your virtual network to other networks.
hub-and-spoke
A common way to reduce duplication of resources is to use a ____ network topology. In this approach, shared resources (such as domain controllers, DNS servers, monitoring systems, and so on) are deployed into a dedicated VNet.
IP configurations
A list of _____ for the network interface. These are the most important settings, containing the public and private IP address properties.
Global VNet peering.
Peering between VNets in different regions is called _________
properties
Private IP addresses are configured as _____ within the IP configurations of the network interface. They are not a separate resource.
IPv4 or IPv6
Public IP address resources can use either an _____ address (but not both).
Basic or Standard
Public IP addresses are available at two pricing tiers (or SKUs): ______.
DHCP
Static private IP addresses should only be configured in the Azure network interface resource. They will be assigned to the virtual machine using ____, just like with dynamic private IP addresses.
private
The IP ranges in your VNet are ___ to that VNet. An IP address in your VNet can only be accessed from within that VNet, or from other networks connected to the VNet.
4
There are ___ ways to configure a DNS label for an Azure public IP address:
DNS name label property
There are four ways to configure a DNS label for an Azure public IP address: 1. By specifying the _____ of the public IP address resource.
DNS A record
There are four ways to configure a DNS label for an Azure public IP address: 2. By creating a _____ in Azure DNS or a third-party DNS service hosting a DNS domain.
CNAME
There are four ways to configure a DNS label for an Azure public IP address: 3. By creating a DNS _____ record in Azure DNS or a third-party DNS service hosting a DNS domain.
alias
There are four ways to configure a DNS label for an Azure public IP address: 4. By creating an ____ record in Azure DNS.
dynamic or static
There are two methods used to assign private IP addresses: ________.
Service endpoints (and policies)
VNET Subnet Properties: An array of ____ for this subnet. ____ provide a direct route to various Azure PaaS services (such as Azure storage), without requiring an Internet-facing endpoint. ____ provide further control over which instances of those services may be accessed.
CIDR /29
the minimum size for the gateway subnet is a _____
Delegations
VNET Subnet Properties: An array of references to ____ on the subnet. ____ allow subnets to be used by certain Azure services, which will then deploy managed resources (such as an Azure SQL Database Managed Instance) into the subnet. Access to these resources is private and can be controlled using NSGs. ____ also support access to and from on-premises networks when hybrid networking is used.
Network security group
VNET Subnet Properties: Reference to the ____ for the subnet. NSGs are essentially firewall rules that can be associated to a subnet and are used to control which inbound and outbound traffic flows are permitted.
Address prefix
VNET Subnet Properties: The IP address range for a subnet, specified in CIDR notation. All subnets must sit within the VNet address space and cannot overlap. Support for multiple IP ranges in a single subnet is currently in preview.
2-80
VNET Subnet Properties: The subnet name must be unique within the VNet. It is between ____ characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number. Must end with a letter, number, or underscore.
Route table
VNET Subnet Properties: ____ applied to the subnet, used to override the default system routes. These are used to send traffic to destination networks that are different than the routes that Azure uses by default.
100
Be aware of the limit of ___ peering connections per VNet. This is a hard limit.
IPv4 and IPv6
Both ____ private IP addresses are supported
network interface
Both public and private IP addresses are configured on virtual machines using ____ resources.
0.0.0.0/0
A special case is when a route is configured with the destination IP prefix ____. Given the precedence rules described above, this route controls traffic destined for any IP address that is not covered by a more specific route.
Virtual Appliance
A variety of different types of next hop are supported. These are: A virtual machine running a network application such as a load-balancer or firewall.
None
A variety of different types of next hop are supported. These are: Used to drop all traffic send to a given IP address or prefix.
Internet
A variety of different types of next hop are supported. These are: Used to route a specific IP address or prefix to the Internet.
Virtual Network Gateway
A variety of different types of next hop are supported. These are: Used to route traffic to a VPN Gateway (but not an ExpressRoute Gateway, which uses BGP for custom routes).
Virtual Network
A variety of different types of next hop are supported. These are: Used to route traffic within the Virtual Network.
resource
A virtual network (VNet) is an Azure ___.
network virtual appliance (NVA)
An alternative approach is to deploy a ______ into the hub, using user-defined routes (UDRs) to route inter-spoke traffic through the _____
automatically
Azure VMs that are added to a VNet can communicate _____ with each other over the network. Even if they are in different subnets or attempting to gain access to the Internet, there are no configurations required by you as the administrator.
3
Azure also holds ____ additional addresses for internal use (the default gateway and two Azure DNS addresses), immediately following the first address in the subnet.
first and last
Azure reserves the ____ IP addresses in each subnet for network identification and for broadcast, respectively.
5
Azure will hold back a total of ___IP addresses from each subnet.
public IP prefixes
Basic Tier Does not support ___
both static and dynamic
Basic Tier Supports ____ allocation methods.
inbound or outbound
Basic Tier Use NSGs to restrict ____ traffic.
Open
Basic Tier is ___ by default for inbound traffic.
Not zone redundant
Basic Tier is ___, but can be assigned to a specific availability zone.
Internet
By default, Azure implements a system route directing all traffic matching 0.0.0.0/0 (and not matching any other route) to the _____.
IP forwarding
By default, a virtual machine in Azure will not accept a network packet addressed to a different IP address. For that traffic to be allowed to pass into that virtual appliance, you must enable _____ on the network interface of the virtual machine.
forced tunneling
By using a VPN Gateway as the next hop, you can direct all Internet-bound traffic over your VPN connection to an on-premises network security appliance. This is known as ______.
devices
Changes to subnets and address ranges can only be made if there are no ____connected to the subnet.
network settings
Do not configure private IP addresses directly within the virtual machine OS ____.
4
Dynamic allocation assigns private IP addresses from each subnet in order, starting with the lowest available IP in the subnet IP range. Remember that the first ____ IP addresses in each subnet are reserved by the Azure platform.
single network range
Each subnet must also define a ____(in CIDR format).
IP ranges
Each virtual network can use either a single or multiple disjoint ____.
Classless Inter-Domain Routing (CIDR)
IP ranges are defined using ____ notation.
User defined routes
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 1st priority
System routes for traffic in a virtual network, across a virtual network peering, or to a virtual network service endpoint
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 2nd priority
BGP routes
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 3rd priority
Other system routes
If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 4th priority
latency
Implementing a custom route using the 0.0.0.0/0 prefix has several implications. First, traffic to Azure platform services will also be routed via your custom route. This may add considerable additional _____ to these connections.
indirect
Implementing a custom route using the 0.0.0.0/0 prefix has several implications. Second, you will no longer be able to access resources in your subnet directly from the Internet. Instead, you will need to configure an ____ path, with inbound traffic passing through the next hop device.
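The route-selection cards above (longest prefix first, then UDR > VNet/peering/service-endpoint system routes > BGP > other system routes, with 0.0.0.0/0 as the catch-all) can be exercised offline. The following is an added example, not part of the original study set or of any Microsoft tooling: it models an effective route table for a spoke subnet in a hub-and-spoke design with a firewall NVA and resolves next hops the way Azure's precedence rules say it should. The route entries, the NVA address 10.0.0.4 and all prefixes are constructed for illustration.

```python
import ipaddress

# Route sources in the order Azure prefers them when the matching prefixes are equal.
PRIORITY = {
    "udr": 1,            # user-defined routes
    "system-vnet": 2,    # system routes for the VNet, VNet peering and service endpoints
    "bgp": 3,            # routes learned over BGP (VPN / ExpressRoute)
    "system-other": 4,   # remaining system routes, including 0.0.0.0/0 -> Internet
}

# Constructed effective route table for a spoke subnet (10.1.0.0/16) peered with a hub
# (10.0.0.0/16) that hosts a firewall NVA at 10.0.0.4. All addresses are hypothetical.
ROUTES = [
    {"prefix": "10.1.0.0/16", "next_hop": "VirtualNetwork", "source": "system-vnet"},
    {"prefix": "10.0.0.0/16", "next_hop": "VNetPeering", "source": "system-vnet"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "system-other"},
    {"prefix": "192.168.0.0/16", "next_hop": "VirtualNetworkGateway", "source": "bgp"},
    # UDRs from the route table attached to the spoke subnet:
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance", "next_hop_ip": "10.0.0.4", "source": "udr"},
    {"prefix": "10.2.0.0/16", "next_hop": "VirtualAppliance", "next_hop_ip": "10.0.0.4", "source": "udr"},
    {"prefix": "192.168.0.0/16", "next_hop": "VirtualNetworkGateway", "source": "udr"},
    {"prefix": "203.0.113.0/24", "next_hop": "None", "source": "udr"},  # blackhole a range
]


def select_route(destination, routes=ROUTES):
    """Pick the route Azure would use: longest matching prefix, ties broken by source priority."""
    dest = ipaddress.ip_address(destination)
    matching = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, PRIORITY[r["source"]]),
    )


def effective_next_hop(destination, routes=ROUTES):
    """(next hop type, next hop IP or None). A next hop of 'None' means the packet is dropped."""
    route = select_route(destination, routes)
    if route is None:
        return ("None", None)
    return (route["next_hop"], route.get("next_hop_ip"))


def default_route_next_hop(routes=ROUTES):
    """Next hop type of the winning 0.0.0.0/0 route. 'Internet' is the Azure default;
    'VirtualAppliance' means a UDR sends everything not matched by a longer prefix
    (including traffic to Azure platform services) through the NVA, and inbound
    Internet traffic must also be routed back through that appliance;
    'VirtualNetworkGateway' is forced tunneling to on-premises."""
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        return None
    return min(defaults, key=lambda r: PRIORITY[r["source"]])["next_hop"]


if __name__ == "__main__":
    for dest in ("10.1.4.4", "10.0.0.9", "10.2.0.9", "198.51.100.7", "192.168.1.1", "203.0.113.9"):
        print(dest, "->", effective_next_hop(dest))
    print("default route goes to", default_route_next_hop())
```

Note that traffic inside the spoke's own 10.1.0.0/16 still takes the VirtualNetwork system route even though a 0.0.0.0/0 UDR exists, because the /16 is the longer prefix; the UDR only wins ties on prefix length. Remember that for the VirtualAppliance next hop to actually work, IP forwarding must be enabled on the NVA's network interface.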
Loopback
In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 127.0.0.0/8
Azure-provided DNS
In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 168.63.129.16/32
Multicast
In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 224.0.0.0/4
Broadcast
In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 255.255.255.255/32
Link-local
In addition, there are a small number of IP ranges reserved by the Azure platform, and which therefore cannot be used. These are: 169.254.0.0/16
static
Standard Tier Supports ____ allocation only.
IP address block.
Standard Tier Supports public IP prefixes, allowing IP addresses to be assigned from a contiguous ___
allow
Standard Tier Use NSGs to ____ inbound traffic
restrict
Standard Tier Use NSGs to ___outbound traffic.
Zone redundant
Standard Tier is ___ by default, or can instead be assigned to a specific availability zone
Closed
Standard Tier is ____ by default for inbound traffic.
name
The ____ of a subnet must be unique within that VNet. You cannot change the subnet ____ after it has been created.
user defined routes (UDRs)
_____ are implemented by creating a route table resource and associating it with one or more subnets.
dynamic
The default allocation method is ____, where the IP address is automatically allocated from the resource's subnet
default system
The following are the ____ routes that Azure will use and provide for you: within the same subnet; from one subnet to another within a VNet; VMs to the Internet; a VNet to another VNet through a VPN gateway; a VNet to another VNet through VNet peering; a VNet to your on-premises network through a VPN gateway or ExpressRoute.
non-overlapping
The peered VNets must have _____ IP address spaces.
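Several cards above describe address-planning rules that are easy to get wrong by hand: the five addresses Azure holds back in every subnet (first, next three, last), dynamic allocation from the lowest free address, the /29 minimum subnet and recommended /27 gateway subnet, subnets that must sit inside the VNet address space without overlapping, the platform-reserved ranges (127.0.0.0/8, 168.63.129.16/32, 224.0.0.0/4, 255.255.255.255/32, 169.254.0.0/16), and the non-overlap requirement for peering. The following is an added example, not from the original study set or from any Azure SDK: a small offline checker, built on Python's standard ipaddress module, that applies those rules to a candidate layout. The sample VNet and subnet prefixes are constructed.

```python
import ipaddress

# IP ranges the Azure platform reserves; a VNet address space must not use them.
PLATFORM_RESERVED = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8",            # loopback
    "168.63.129.16/32",       # Azure-provided DNS and platform services
    "224.0.0.0/4",            # multicast
    "255.255.255.255/32",     # broadcast
    "169.254.0.0/16",         # link-local
)]

MIN_SUBNET_PREFIX = 29           # /29 is the smallest Azure subnet (8 addresses, 3 usable)
RECOMMENDED_GATEWAY_PREFIX = 27  # GatewaySubnet: /29 minimum, /27 or larger recommended
RESERVED_PER_SUBNET = 5          # network, default gateway, two DNS, broadcast


def reserved_addresses(subnet):
    """The five addresses Azure holds back in every subnet: the first (network
    address), the next three (default gateway and two Azure DNS addresses) and
    the last (broadcast)."""
    net = ipaddress.ip_network(subnet)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_addresses(subnet):
    """Number of addresses Azure will actually hand out from a subnet."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen > MIN_SUBNET_PREFIX:
        raise ValueError(f"{net} is smaller than the /{MIN_SUBNET_PREFIX} minimum")
    return net.num_addresses - RESERVED_PER_SUBNET


def next_dynamic_ip(subnet, allocated):
    """Dynamic allocation: the lowest address that is neither held back by Azure
    nor already allocated (so the first VM in 10.0.0.0/24 gets 10.0.0.4)."""
    net = ipaddress.ip_network(subnet)
    taken = set(reserved_addresses(subnet)) | set(allocated)
    for addr in net:
        if str(addr) not in taken:
            return str(addr)
    return None  # subnet exhausted


def check_address_space(prefixes):
    """Problems with a VNet address space: a range that overlaps a platform-reserved
    range, or ranges that overlap each other (they must be disjoint)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    problems = []
    for n in nets:
        for r in PLATFORM_RESERVED:
            if n.overlaps(r):
                problems.append(f"{n} overlaps platform-reserved range {r}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"address ranges {a} and {b} overlap")
    return problems


def check_subnets(address_space, subnets):
    """Problems with a subnet layout: a subnet outside the VNet address space,
    smaller than /29, overlapping another subnet, or a GatewaySubnet below the
    recommended /27."""
    space = [ipaddress.ip_network(p) for p in address_space]
    nets = {name: ipaddress.ip_network(p) for name, p in subnets.items()}
    problems = []
    for name, n in nets.items():
        if not any(n.subnet_of(s) for s in space):
            problems.append(f"{name} ({n}) is outside the VNet address space")
        if n.prefixlen > MIN_SUBNET_PREFIX:
            problems.append(f"{name} ({n}) is smaller than /{MIN_SUBNET_PREFIX}")
        if name == "GatewaySubnet" and n.prefixlen > RECOMMENDED_GATEWAY_PREFIX:
            problems.append(f"GatewaySubnet ({n}) is below the recommended /{RECOMMENDED_GATEWAY_PREFIX}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return problems


def can_peer(vnet_a, vnet_b):
    """VNet peering requires that the two address spaces do not overlap at all."""
    a = [ipaddress.ip_network(p) for p in vnet_a]
    b = [ipaddress.ip_network(p) for p in vnet_b]
    return not any(x.overlaps(y) for x in a for y in b)


if __name__ == "__main__":
    # Constructed sample: a hub VNet with a deliberately flawed subnet layout.
    print(reserved_addresses("10.0.0.0/24"), usable_addresses("10.0.0.0/24"))
    print(next_dynamic_ip("10.0.0.0/24", ["10.0.0.4", "10.0.0.5"]))
    for p in check_subnets(["10.0.0.0/16"], {"GatewaySubnet": "10.0.255.0/28",
                                             "app": "10.0.1.0/24", "db": "10.0.1.128/25"}):
        print("problem:", p)
    print("can peer with 10.1.0.0/16:", can_peer(["10.0.0.0/16"], ["10.1.0.0/16"]))
```

The checker treats a GatewaySubnet smaller than /27 as a problem even though /29 is technically allowed, because gateway SKU upgrades and ExpressRoute-plus-VPN coexistence need the extra space; drop that check if you only want hard errors.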
Source Network Address Translation (SNAT)
Traffic leaves the virtual machine via the private IP address, and ____is used to map the outbound traffic from the private IP address to the public IP address.
next hop
UDR: Each route specifies the destination IP range (in CIDR notation) and the ____ IP address.
routes
UDR: Within the route table, a number of _____ are configured.
Public IP addresses
Used for communication with the Internet.
Private IP addresses:
Used for communication within Azure virtual networks and connected on-premises networks.
IP forwarding
Used to enable _____ on this network interface. It is used for network virtual appliances to allow the virtual machine to receive packets addressed to other networks.
IPv6
VMs cannot communicate between private ___addresses on a VNet, since they can only use ___ to receive and respond to inbound traffic from the Internet when using an Internet-facing load balancer.
Address Space
VNET Properties: An array of IP address ranges available for use by subnets.
location
VNET Properties: The Azure ____ of the VNet. Each VNet is tied to a single Azure region, and can only be used by resources (such as Virtual Machines) in that region.
DHCP Options
VNET Properties: Contains an array of DNS servers. If specified, these DNS servers are configured on virtual machines in the virtual network in place of the Azure-provided DNS servers.
DDOS Protection
VNET Properties: Settings that define whether additional DDoS protection is provided for resources in the VNet, and if so which protection plan is used.
2-64
VNET Properties: The VNet name. It must be unique within the resource group. It is between ____ characters, may contain letters (case insensitive), numbers, underscores, periods, or hyphens. Must start with a letter or number and end with a letter, number, or underscore.
Peerings
VNET Properties: The list of peerings configured for this VNet. Peerings are used to create network connectivity between separate VNets.
Subnets
VNET Properties: The list of subnets configured for this VNet.
RFC 1918
Your VNet IP ranges will typically be taken from the private address ranges defined in ____
VNet peering
____ allows virtual machines in two separate virtual networks to communicate directly, using their private IP addresses.
Static public IP addresses
____ are typically used where a dependency is taken on a particular IP address, commonly in the following scenarios: where firewall rules specify an IP address; where a DNS record would need to be updated when an IP address changes; where the source IP address is used as a (weak) form of authentication of the traffic source; where an SSL certificate specifies an explicit IP address rather than a domain name.
Subnets
____ are used to divide the VNet IP space.
Static private
_____ IP addresses are commonly used for: virtual machines that act as domain controllers or DNS servers; resources that require firewall rules using IP addresses; resources accessed by other apps/resources through an IP address explicitly, rather than a domain name.
VPN gateways
_____ can be used to create VPN connections, either to on-premises networks or to other virtual networks.
IPv6
_______ support is limited as follows: only the Basic tier is supported; only dynamic allocation is supported; only Internet-facing load balancers (and not virtual machines) can be assigned a public IPv6 address.