Categories: All - security - monitoring - traffic

by Kit Ainscough 12 months ago

137

MS.Azure

The AZ-700 exam focuses on various aspects of Azure networking, including security, load balancing, and monitoring. Key services covered are Azure Front Door, which acts as a global entry point for web applications, and Azure Traffic Manager, a DNS-based traffic load balancer.

MS.Azure

Azure

AZ-700

MONITORING
Azure Monitor

cloud-based hybrid network monitoring

Azure ExpressRoute

application endpoints

service endpoints

data types

logs

metrics

time series data

no configuration required

Network Watcher

monitors and repairs net health of IaaS

LB

App GW

VM

regional service

Topology

Traffic Analytics

reduced logs

NSG Flow logs

JSON format

VPN Diagnostics

Gateway t/shoot

Next Hop

Routing analysis

Connection Monitor

VM to VM

Connection Troubleshoot

VM to dest

Effective Security Rules

VM NIC security

Packet Capture

VM

IP Flow Verify

VM packet flow

SECURITY
LOAD BALANCING
Azure Front Door

Global entry point for web apps

Azure Traffic Manager

Endpoints

Nested

sub-traffic manager profile

External

IP address

FQDN

Azure public IP address

App service slot

App service

Routing Methods

Subnet

mapped end-user IP address ranges

MultiValue

IPv4/6-only endpoints

Geographic

data sovereignty

Performance

latency

Weighted

canary testing

Priority

disaster recovery

DNS-based traffic load balancer

VNET
to VNET

Only allowed a single VPN GW per VNET

Hourly

Public IP involvved

Bandwidth limited by SKU

VNET Peering

peered VNETs can share the remote VNET gateway

peering VNETs in different regions

Pricing

Egress

Ingress

per Deployment model

Classic model

cannot peer across tenants and subscriptions

to do this use VPN Gateway

Resource Manager model

create a peering per VNET

can peer across tenants and subscriptions, but not clouds

non transitive

high bandwidth

low latency

uses Azure backbone (private addressing)

PRIVATE ACCESS

Private Link

VNET to Azure PaaS

privately access services in Azure platform

HYBRID

Gateways

VPN Gateway

High availability

Active/Active

Active/Standby

PSK authentication

no VMs in the GatewaySubnet

/27 or greater

GatewaySubnet

Types

Policy based

5 min idle time

traffic selector is an ACL

address prefixes

static routing

Route based

traffic selector is any-to-any

uses routing table to direct packets to tunnels

dynamic routing

Connection options

AER

IKEDiagnosticLog

IPSEC

P2S

Authentication

AAD

requires AzureVPN client

authorised in AAD as an Enterprise Application

Global Admin rights required

only supports OpenVPN (SSL) protocol

Azure certificate authentication

AD DS

Protocols

SSTP (TCP443), OpenVPN (TCP443), or IKEv2 (UDP500, 4500)

ExpressRoute Gateway

Capabilities

encrypted

use point-to-point encryption (MACsec)

use end-to-end encryption (IPSEC)

unencrypted

by default

BFD

configured per interface, linked to BGP session

failure detection time <1s

pricing

Requirements

One of the two virtual network gateway types

ExpressRoute Circuit

Unlimited

ExpressRoute Global Reach

link ExpressRoute circuits together

ExpressRoute Direct circuit

used to create the local, std, and premium circuits

ExpressRoute Premium circuit

access to all Azure regions globally

ExpressRoute Standard circuit

min service speed is 50Mbps

access to all Azure regions in a Geopolitical area

ExpressRoute Local circuit

unlimited inbound and outbound data transfer

max service speed is 10Gbps

min service speed is 1 Gbps

access to only 1-2 Azure regions

access through HA pair of 10Gbps or 100Gbps ports

Metered

Premium price

Std price

Monthly port fee (2 HA ports)

Outbound data costs

Inbound data is free

VWAN

Hub&Spoke Architecture

Microsoft backbone

Global transit network architecture

min /24 to create a VWAN hub

managed service

Standard

NVA in a VWAN

Azure firewall

AER, P2S, S2S, InterHub, VNet-toVNet transit

Basic

S2S

can combine S2S, P2S, AER

use VWAN if > 100 S2S VPN tunnels needed

Private peering

Virtual NAT

SNAT

public prefix

can be shared across NAT gateways

contiguous

public address

each address provides 64000 SNAT ports

maximum 16 addresses

on-demand outbound SNAT

shared public IP address

allows private outbound access to the internet

properties

used to combat LB SNAT exhaustion

applied to subnets

simplifies outbound internet-only NAT

no need for a public IP attached to VMs

no need for a LB

Routing

Service chaining

VNET to gateway and on to another VNET

use of UDRs to customise routing

Route Server

requires RouteServerSubnet

no longer the need to update NVA route table

no longer the need to update UDR

NVA needs to support BGP

simplifies dynamic routing between VNET and NVA

fully managed service

custom routes

route to route-based VPN GW

on-site VPN gateway uses 0.0.0.0/0 as traffic selector

called forced tunneling

associate with subnet

system routing

default routes

routes to the internet

on-prem routes

route to Azure VPN GW

local VNET routes

associated with subnet

Private Endpoint

uses separate IP address (from VNET) for each storage account

provides secure connectivity between VNET clients and storage account

special NIC for an Azure service in VNET

Service EndPoint

traffic remains in Azure (Microsoft backbone)

eliminates public exposure

enabled on the subnet

enables private IPs in VNET to access Azure services public endpoint

Peerings

types

Gateway transit

peered VNETs can share the gateway

non-transitive

no requirement for VPN gateway

regional

global

Qualities

connects two VNETs

can peer across tenants and subscriptions

uses Azure backbone

record sets

cannot have identical records

collection of dns records in a zone with same name and same type

delegation

once created, update parent registrar

use all four Azure DNS servers

zones

the same zone name can exist in another subscription, or RG

hosts dns records for a domain

Private

automatic record management

provides name resolution for VMs in VNETs

Public

Public addresses

Assignment

dynamic

static

Tier

Regional

Global

version

IPv6

IPv4

SKU

standard

can be zone-redundant, zonal, or no-zone

allocate NSG to permit inbound traffic

closed by default

static address assignment

basic

does not support availablity zones

open by default

dynamic or static address

Subnets

scoped to a single region

secured with NSGs

certain Azure services require unique subnets

subnets must have unique address range

division of VNETs into logical units

Address space

Unavailable

168.63.129.16/32

enables VM comms to Azure

DNS

Heartbeat

Health probes

address assignment via DHCP

Link local unavailable

Loopback unavailable

Multicast unavailable

RFC1918

.255 broadcast address

.2, .3 reserved for Azure to map DNS IPs to VNET

.1 gateway address reserved

.0 network address

Azure reserves .1, .2, .3