Exam AZ-700 Designing and Implementing Microsoft Azure Networking Solutions

Exam AZ-700: Designing and Implementing Microsoft Azure Networking Solutions - Certifications | Microsoft Learn

Modules in Learning Path

Introduction to Azure Virtual Networks

Design and Implement Hybrid Networking

Design and Implement Azure ExpressRoute

Load Balance non-HTTP(S) Traffic in Azure

Load Balance HTTP(S) Traffic in Azure

Design and Implement Network Security

Design and Implement Private Access to Azure Services

Design and Implement Network Monitoring

Factoid Factory

• Basic Route Based VPN Gateway support 10 S2S VPNs.
  • VpnGw1 supports 30, VPNGw5Az supports 100
• VpnGw4 supports 5000 P2S connections with 5Gbps
  • VpnGw5 supports 10000 P2S connections and 10Gbps
• Windows Admin Center is used to configure Azure Extended Network
• Express Route Microsoft Peering by default advertises no rules to the ExpressRoute. A Route Filter must be used to select what services to advertise (Exchange Online as a Example.)
• Express Route FastPath allows you to bypass the virtual network gateway
• Bidirectional Forwarding Detection is enabled on your router to see if a link goes offline, and provides near instant failover
• ExpressRoute scale units are 2Gbps each
• network policies are tenant or sub level policies that contain routes and security group rules
• Service endpoints can be used to restrict access to particular services, like storage accounts
• Enabling Direct Server Return (DSR), known in Azure as Floating IP, involves creating a loopback adapter on the virtual machine and assigning the loopback adapter the IP address of the frontend listener. This way, the virtual machines knows where to send the traffic back to for session affinity.
• IPv6 Subnets are always /64
• AzureFirewallSubnet is minimum a /26
• AKS, Virtual Machines and Load Balancer can share the same Subnet.
• VpnGW only supports 500Mbps throughput.
  • VpnGW4 supports up to 5Gbps throughput
    • VpnGW4AZ supports Availability Zones.
• Azure reserves the use of ASNs 65515 and 12076
• In Virtual WAN, ExpressRoute scale units are 2Gbps each
• In Virtual WAN, VPN scale units are 500Mbps each
• A Virtual Hub is minimum a /24
• Azure Application Gateway V2 supports URL rewrites
• Global Redirection is used to redirect HTTP to HTTPS
• Multi-sire listeners are used to host header match
• Service Endpoint Policies can be enabled to restrict traffic to specific storage accounts
• When NSGs are applied to both Subnets and NICs, only rules that exist in both will work.
• The Azure Connected Machine agent is used as part of Azure Arc, which is the method to connect on-premises virtual machines to Azure Monitor.

Last Minute Cram

Based on AZ-700 Designing and Implement Azure Networking Study SUPER Guide!

Virtual Networking

• Availability Zones are individual Data Centers with their own power, cooling, location.
• Azure Virtual Networks span all Availability Zones in the Region.
• Azure Vnet is Layer 3 (Not layer 2 as it has no VLANS).
• There is no Broadcast / multicast in Azure.
• RFC1918 defines the private addresses we can use. 10.0.0.0-10.255.255.255 (/8), 172.16.0.0-172.31.255.255(/12), 192.168.0.0-192.168.255.255 (/16)
  • You can also Not use
    • 224.0.0.0/4 (multicast)
    • 255.255.255.255/32 (broadcast)
    • 127.0.0.0/8 (loopback)
    • 169.254.0.0/16 (link-local)
    • 168.63.129.16/32 (internal dns)
• Vnets can be IPv4 or IPv4+IPv6, but not just IPv6
• IPv6 subnets are always a /64 subnet
• Smallest assignable IPv4 Subnet in Azure is a /29, which leaves 3 usable addresses.
• Subnets Reserve the first 4 addresses and the last 1 addresses (X.X.X.0, X.X.X.1,X.X.X.2, X.X.X.3, X.X.X.255 in a /24)

Public IPs

• You can not Bring Your Own IP block
• Public IPs are tied to region
• There are two SKUs for Public IPs
  • Basic
    • Dynamic Or static
    • Open by Default
      • Have to use NSG to deny
    • No availability zone support
  • Standard
    • Static Only
    • Locked down by default
      • Have to use NSG to allow
    • Has Availability zone Support
• Typically SKU matches sku. Basic LB uses Basic IP, standard uses Standard IP.
• Public IP Prefixes are available to get a contiguous block of ip addresses.

Virtual Network Peering

• Vnets can be peered across regions, which is called Global vnet peering
• Vnets must not overlap
• Vnets can not be peered across to sovereign clouds (Azure China)
• When using the Virtual Network tag in NSG's, Virtual Network includes peered VNets, and basically everything you could interact with via private ip including on prem networks.
• Peering's are not transitive, you need to either peer networks directly, or use a NVA

Gateway Transit

• Allow Gateway Transit on a hub network and Use Remote Gatewway propagates BGP routes from the hub network, and allows spokes to connect on premises.
• Each VNet can only use one remote gateway.
• Allow forwarded traffic allows traffic to be forwarded through the peering.

User Defined Routes

• By default, RFC 1918 addresses are blackholed
• Route tables can only be connected to subnets in the same region

Nat Gateway

• Need to use Standard SKU public IPs
• Linked per subnet, as long as they are in the same region
• Max 16 Ip addresses per NAT gateway
• only ipv4 public ips
• 64'000 connections per public ip via SNAT
• Can be pinned to a Zone / Region, but can not be zone redundant
• It is intelligent enough to not route established traffic through the nat gateway that was routing elsewhere.

Azure DNS

• All DNS traffic is surfaced by 168.63.129.16

Private DNS Zones

• Each Virtual Network can only use a singe Private Dns Zone for Auto Registration
• Can link up to 1000 private dns zones
• Private DNS Zones are Global
• Each Zone can connect to 100 Vnets for registration
• Each Zone can connect to 1000 vnets for resolution

Public DNS Zones

• Have to be authoritative on the DNS zone

Site to Site VPN

• Gateway subnet minimal is /29, recommended /27 so you can co exist s2s and express route. /29 only works with 1 service
• Basic SKu
  • Legacy, don't use
  • Policy based / static
  • 1 tunnel
  • can not co exist express route
  • can not do point to site
  • Can not change to another SKU live
• Other SKUS
  • Route based / dynamic
  • N number of tunnels
  • Express Route, Point to Site, Site to Site can co exist
  • Can optionally do BGP
  • Can do Active Active
  • Each tunnel typically maxes out at 1gbps, as it is processed by a single core
• Local Network Gateway is deployed to represent the public ip and private address of your on prem site
• If using Active Active VPN, you get 2 public ip addresses

Point to Site VPN

• 3 types
  • OpenVPN
    • Uses TLS 443
    • Works for all clients
  • SSTP
    • Uses TLS 443
    • Windows Only
  • IKEv2
    • Mac
• Can do Cert based authentication
• Can do RADIUS authentication to use Active Directory to authenticate.
• Can use Entra ID on OpenVPN client using a Enterprise Application in Entra.
• OpenVPN and IKE are smart enough to detect a change in public IP, but SSTP is not and needs client config re downloaded.

Express Route

• Private connection to Azure
• Microsoft does not do the last mile connectivity, your ISP connects to MS in the Peering Point / Meet Me location, and connects you to that.
• Big customers can use Express Route Direct, and supply their own router in the Meet me location
• Private peering allows you to connect to your virtual networks
  • Private peering is not encrypted, but you can use a VPN over it.
• Microsoft peering allows you to connect the public facing side of Azure
• ExpressRoute Gateway SKUs with AZ suffix are Availability Zone redundant.
• Fastpath makes it so inbound connections from onprem to Virtual Machines skip the Gateway subnet
  • Does not work across Vnet peering, uses the gateway subnet instead.
  • Does not work for Private Endpoints, uses the gateway subnet instead.
  • UDRs on the gateway subnet do not come into effect when using the fastpath.
  • Has to be the highest SKU
• Route Filters are used to advertise routes via the Microsoft Peering for things like Storage Accounts, regions public ips, basically the public side of Azure.
  • Uses BGP
  • Standard can advertise 4000 Routes
  • Premium can advertise 10 000 routes
• Express Route Standard connects to Geopolitical regions
• Express Route Premium allows you to connect to any region globally.
  • Can be used to route MS Route M365 services too.
  • Can connect to more than 10 Virtual Networks
• Metered Plans you pay for Ingress (and choose standard or premium from there), but not Egress data is included.
• UnMetered plans are way more expensive, but are all inclusive
• Local plans are when your meetme from the provider is very close to the Azure Region, and you can connect to that one exclusively.
  • Works out cheaper
• BFD can be used to auto failover if a active connection fails faster than BGP
• When using Express Route Direct, you can use MACSEC to encrypt between your router and MS router
• Express Route Global Reach can be used to make a VWAN between your on prem sites using the Microsoft global backbone (both sites need express route)

Virtual WAN

• A VWAN can be created in a Region
• This contains a managed VNET in the background that you dont have access to directly.
• Other Normal Vnets can be connected to VWAN
• Basic SKU only allows Site to Site VPN connections.
• Standard SKU supports S2S, P2S, Express Route, Vnet Transitive, Multi vwan hub
• Customer Route Tables can be added to restrict and direct flow to overwrite the default Any to Any.
• 3rd Party NVA's can be installed in the VWAN, like Barracuda.

Load Balancing

• Lots of different types dependant on your global vs region requirement, l7 vs l4 requirement.
• Regional
  • l4
    • Azure Load Balancer
    • Works based on Source / Dest <-> Ip/Port / Protocol
    • Can be Internal or External, but not both
    • SKUS;
      • Basic
        • Up to 300 backends in the same VMSS
        • Same Availability Zone only
        • Open by default.
        • No SLA
        • Free, No SLA
      • Standard
        • Costs, has SLA
        • Up to 1000 VMs / Nic / IP (containers and stuff) in the same Vnet.
        • Supports Availability zones
        • Locked down by default.
    • Works based on RUles
    • Has Health Probes
      • Basic is HTTP only
      • Standard is http or https
    • The Default balancing type is Hash
    • Can be set up to use 5, 3 or 2 tuple. for Session persistence. 5 default.
      • 5 tuple : Source iP, Dest Ip, Source Port, Dest port, Protocol
      • 3 tuple: Source IP, Dest Ip, Protocol
      • 2 tuple: Source Ip, Dest Ip
    • Nat rules can be used to selectively route traffic to a particular backend host based on incoming ip and port
      • E.G all 3389 goes to host 5
    • Standard SKU can do Outbound NAT rules for SNAT.
    • Standard SKU can use HA Ports, this allows you to evenly distribute traffic without configuring rules
    • Floating IP allows you to send the front end ip to the backend.
      • Ordinarily the backend pools see themselves as the destination. With Floating IP they see the frontend ip as the destination.
        • This needs a loopback adapter.
    • Only connects to Azure resources
  • l7
    • Azure Application Gateway
      • Http / Https / Http2
      • URL based routing
      • Http to Https redirection
      • ssl offload
        • receive encrypted, send unencrypted
      • cookie based affinity
      • Web Application Firewall.
      • Always has a Public Front end Ip, with a optional Private ip
        • Can not use the public IP, but it always needs to be there.
      • Listeners are configured to listen per IP and port
        • This is where you can do ssl offload
        • cert inspeciton
        • 2 types of listeners
          • Basic
            • Everything goes to particular rule no matter what fqdn
          • Multisite
            • Enables multiple listeners on the same port on the same url
            • Can filter by the FQDN, and by wildcards for subdomains
      • Rules are configured to move traffic based on url path
        • Basic rules just ship everything
        • Path based rules allow you to split traffic based on the path (something.com/images goes to storage)
        • Can do path rewrites
        • Has HTTP settings for things like affinity, encryption
      • Can connect to Azure or on prem (as long as it has connectivity.)
      • Standard can Auto Scale
• Global
  • l4
    • Azure Global Load Balancer
      • Relatively new
      • Overall the same as regional LB
      • Not supported everywhere, mostly Central America regions
      • Does not support Internal mode, Public Only
      • No Outbound rules
      • Can not be upgraded from Regional, requires redeploy.
    • Azure Traffic Manager
      • Basically is just DNS
      • Can target non Azure resources
      • Can do DNS and Ip Addresses.
      • Different routing methods
        • Priority
          • Pick primary, otherwise pick backup
        • Weighted
          • 80% to one host, 20% to another
        • Performance
          • Pick the fastest
        • Geographic
          • Pick based on where request originates, then direct to Azure, External or Nested.
        • Multivalue.
          • Can only have ipv4//6 endpoints, and all healthily endpoints are returned to the request.
        • Subnet
          • Route based on Subnet of originator
      • It is DNS, and limited by TTL
    • L7
      • Azure Frontdoor
        • Globally available, uses Microsoft Points of Presence around the world.
        • Has WAF capabilities
          • Standard lets you do Custom WAF Rules
          • Premium has Managed WAF rules
        • Only HTTP/S/2
        • Can do Split TCP, where it acts as a man in the middle of the communication to reduce latency.
        • Can do SSL offload
        • Can do Caching
        • Premium can do Private Link

NSGs and ASGs

• NSG can restrict on Source iP, Dest Ip, Source Port, Dest port, Protocol and Service Tags
• NSG is enforced at the NIC layer. The targeting at the Subnet is a management plane bonus.
• Regionally restricted to associating to the same region as the subnet.
• By default AllowVnetInBound, AllowAzureLoadBalancer, then DenyAllInbound
  • AllowVnetInbound uses the Virtual network Tag, which is everything private that Azure knows about in the vnet peerings / onprem.
• By default AllowVnetOutbound, AllowInternetOutbound, DenyAllOutbound
• ServiceTags are Microsoft Managed IP cidrs per service, typically per region.
• Application Security Groups are just a tag on a NIC that allows you to filter based on that. This is to work at scale outside of a Subnet.
• ASG's are regional

Service Endpoints

• Service Endpoints allow you to add a service endpoint to a subnet for something like microsoft.storage.australiaeast, which gives you a better route to all aueast storage and allows you to filter the traffic on the storage account to that subnet.
• Only works on the subnet that has the service endpoint, and not neighbours on onprem etc.
• Uses the MS front bone

Private Endpoints

• Private access to the service you are connecting to through the backend.
• Needs DNS to do the thing.
• Private Link service can be connected to a Standard Load balancer, that connects to your random custom service.
  • You can then do a private endpoint to the Private link.
  • This NATs which allows for IP overlap

Azure Firewall

• /26 minimum subnet
• Premium sku adds
  • TLS inspection
  • IDPS
  • URL filtering
    • Adding capability to filter based on path
  • Web Categories
    • Stop the gambling sites
• 3 Types of rules
  • Nat rules
    • Inbound
  • Network Rules
    • Layer 4
  • Application Rules
    • Layer 7
      • Has FQDN Tags which are well known MS domains

Networking Monitoring

• NSG FLow logs --> LAWS -- > traffic analytics