Skill 4.2: Configure secure access to virtual networks
Network security groups (NSGs) control which network flows are permitted into and out of your virtual networks and virtual machines. Each NSG contains lists of inbound and outbound rules, which give you fine-grained control over exactly which network flows are allowed or denied. Combine this with the…
Author: zeusexam
Troubleshoot network connectivity
Azure provides several built-in tools to troubleshoot network connectivity, with most of them available through Network Watcher. This section focuses on two of the tools within Network Watcher that can help you troubleshoot network connectivity.
Connection Troubleshoot
Connection Troubleshoot is a Network Watcher feature designed to test the connectivity between an Azure…
Forced tunneling – MS AZ-104 Exam Guide
A special case is when routes are configured with the destination IP prefix 0.0.0.0/0. Given the precedence rules described earlier, this route controls traffic destined for any IP address not covered by any other rules. By default, Azure implements a system route directing all traffic matching 0.0.0.0/0 (and not matching any other route)…
IP forwarding – MS AZ-104 Exam Guide
User-defined routes (UDR) change the default system routes that Azure creates for you in an Azure VNet. In the virtual appliance scenario, UDRs forward traffic to a virtual appliance such as a firewall, which is running as an Azure virtual machine. By default, a virtual machine in Azure will not accept a network packet addressed…
User-defined routes – MS AZ-104 Exam Guide
In some cases, you will want to configure the routing of packets differently from what is provided by the default system routes. One of these scenarios is when you want to send traffic through a network virtual appliance, such as a third-party load balancer, firewall, or router deployed into your VNet from…
Outbound internet connections
When a public IP address is assigned to a virtual machine’s network interface, outbound traffic to the internet will be routed through that IP address. The recipient will see your public IP address as the source IP address for the connection. However, the virtual machine itself does not see the public IP…
Public IP address prefixes – MS AZ-104 Exam Guide
When using multiple public IP addresses, it can be convenient to have all of the IP addresses allocated from a single IP range or prefix. For example, when configuring firewall rules, this allows you to configure a single rule for the prefix, rather than separate rules for each IP address. To support this…
Basic vs Standard pricing tiers
Public IP addresses are available at two pricing tiers (or SKUs): Basic or Standard. All public IP addresses created before the introduction of these tiers are mapped to the Basic tier. Standard tier public IP addresses support zone-redundant deployment, allowing you to use availability zones to protect your deployments against…
Create a VNet peering using the Azure portal
To create a peering connection between two VNets, the VNets must already have been created and must not have overlapping address spaces. To create a new VNet peering from VNet-hub to VNet-spoke, connect to the Azure portal and locate VNet-hub. Under Settings, click Peerings, and then click Add to…
Service chaining and hub-and-spoke networks
A common way to reduce duplication of resources is to use a hub-and-spoke network topology. In this approach, shared resources (such as domain controllers, DNS servers, monitoring systems, and so on) are deployed into a dedicated hub VNet. These services are accessed from multiple applications, each deployed to their…