Network

  • has a name and address-space in CIDR notation
  • can have more than 1 VNET
  • Load balancer: the generic network load balancer is Layer 4 and scoped to a single region
  • CDN
  • DNS
  • Public IP:
    • Basic: dynamic or static, Open by default, no AZ, IPv6
    • Standard: only static, no Inbound by default, Zone redundant, No IPv6
    • ROT: an SSL certificate attached to an IP requires a static IP
  Feature            Peering                                 VNet-to-VNet
  Encryption         None                                    IPSec/IKE
  Span               Region, subscription if same tenant     Geo, Region
  VPN Gateway        Not needed                              Required
  Span subscription  Yes                                     Only using Powershell

DNS

  • Azure provided DNS
    • No config, HA, cannot change suffix
  • Bring your own DNS
    • allows hybrid on-prem and Azure VM
    • reverse lookup of internal IP
    • authenticate to Domain Controller
    • Turn off Scavenging to prevent accidental removal of DNS record
  • Azure DNS
    • HA, must bring your own domain
    • No DNSSEC
    • Private DNS domains (preview)
      • name resolution within Azure spanning VNets, Regions and Subscriptions
      • Supports Split Horizon (Private and Public DNS zones share a name)

Network Security Group NSG

  • Allow or Deny rules, inbound or outbound
  • Can be applied to subnet or NIC
  • Default Inbound: AllowVNetInBound > AllowAzureLoadBalancerInBound > DenyAllInBound
  • Default Outbound: AllowVNetOutbound > AllowInternetOutBound > DenyAllOutBound
  • Rule: Source Port/Range, Destination Port/Range, Protocol, Action, Priority
    • Rules are processed in increasing priority number (low number => high priority)
    • First matched rule is taken, if none match, default is deny
  • A VM can be affected by subnet level and then VM level NSGs
  • Firewall offering is a newer version of NSG(?)

Traffic Manager

  • Primary goal is to reduce latency when users are distributed globally
  • Allows an endpoint to be available globally but applications and data can be in multiple regions
  • Traffic Manager uses the DNS server closest to the user to direct traffic
  • Unlike load balancer,
    • not restricted to one region
    • works at DNS level to redirect traffic to preferred endpoint

Peering

  • From VNET-to-VNET
    • Global VNet peering can span regions or subscriptions as long as the same tenant
  • Can be either one-way or both directions
  • Chaining forwarded traffic (transitively extending network)
  • VNet-to-VNet connections: Peering or site-to-site VPN Tunnel
  • Both inbound and outbound traffic is charged (~ 2 cents/GB intra-region, can be 10x across regions)

VPN

  • VPN: connect on-site network to Azure. Requires Virtual Network Gateway VNG in Azure
    • site-to-site: requires dedicated hardware
    • point-to-site: device to site, VPN software
    • ExpressRoute allows site-to-site connectivity between Azure and on-prem using private network
      • requires dedicated hardware at ISP
    • Virtual Network Gateway resides in a special subnet called Gateway Subnet
    • ExpressRoute Direct is provisioned by Microsoft
      • Connect to one of the edge locations that Microsoft has
      • higher speeds (10 Gbps, 100 Gbps): achieved by combining 1 or more virtual circuits
  • VNG SKUs: offer predetermined bandwidth, certain number of P2S and S2S tunnels
  • VPN allows either {site,point}-to-site connectivity between Azure and on-prem using IPSec VPN, consists of
    • Virtual Network Gateway on Azure and has a public IP address
    • Local Network Gateway on-prem, also has an IP address
  • Unlike peering, VNG incurs a fixed cost, but has no inbound charge for inter-virtual network data transfer
  • Microsoft Peering connect to public cloud services (like Office 365) over internet
  • Azure Private Peering connect to Azure services such as VM over private network
  • Virtual WAN
    • connect branch offices through Azure

Network Security Group

  • Can be applied to virtual network subnet or individual NIC
  • 1 NSG can be applied per subnet or NIC; ROT: apply the common NSG to the subnet, the more specific one to the NIC
  • all network packets are processed as:
    • find the next matching rule in all NSGs sorted by priority
    • if none found, drop the packet
    • if the matched rule is a deny rule, drop the packet
    • else, if the matched rule is an allow rule, allow the packet
  • Use firewall along with NSGs
  • Application Security Group ASG
    • Newer version of NSG(?)
    • limited to the region they created in (resource must belong to the same region)
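The rule-evaluation order described in the two Network Security Group sections above, as an added Python example that is not part of the original notes. It assumes a simplified rule model (sources are service tags only, no CIDR or source-port matching) and constructed sample NSGs; it walks rules by ascending priority, applies the implicit deny, and shows that inbound traffic must be allowed by both the subnet-level and the NIC-level NSG.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # simplified NSG rule: sources are service tags only, no CIDR/source-port matching
    name: str
    priority: int     # lower number = higher priority; custom rules use 100-4096
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # "Tcp", "Udp" or "*"
    dest_ports: str   # "22", "1000-2000" or "*"
    source: str       # "VirtualNetwork", "AzureLoadBalancer", "Internet" or "*"
    action: str       # "Allow" or "Deny"

# Azure's built-in default inbound rules (priority 65000+, present in every NSG)
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Inbound", "*", "*", "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "*", "*", "AzureLoadBalancer", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),
]

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port

def evaluate(nsg, direction, protocol, port, source):
    """Walk rules by ascending priority number; the first match decides, no match => Deny."""
    for r in sorted(nsg, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and r.source in ("*", source) and port_matches(r.dest_ports, port)):
            return r.action, r.name
    return "Deny", "<implicit deny>"

def reaches_vm(subnet_nsg, nic_nsg, protocol, port, source) -> bool:
    """Inbound traffic crosses the subnet NSG first, then the NIC NSG; both must allow it."""
    return all(evaluate(nsg, "Inbound", protocol, port, source)[0] == "Allow"
               for nsg in (subnet_nsg, nic_nsg))

# Constructed sample: the subnet opens 443 and 22 from the Internet; the NIC re-allows 443
# but denies SSH from any source, so a Deny at priority 110 beats AllowVNetInBound (65000).
SUBNET_NSG = DEFAULT_INBOUND + [
    Rule("AllowHttpsInBound", 100, "Inbound", "Tcp", "443", "Internet", "Allow"),
    Rule("AllowSshInBound", 200, "Inbound", "Tcp", "22", "Internet", "Allow"),
]
NIC_NSG = DEFAULT_INBOUND + [
    Rule("AllowHttpsInBound", 100, "Inbound", "Tcp", "443", "Internet", "Allow"),
    Rule("DenySshInBound", 110, "Inbound", "Tcp", "22", "*", "Deny"),
]
```

Port 443 from the Internet reaches the VM because both NSGs allow it, while port 22 is allowed by the subnet NSG but dropped by the NIC NSG, and RDP (3389) falls through to DenyAllInBound on both.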

Load balancer

  • Load Balancer: Layer 4 (transport)
    • Inbound NAT rules allow sending traffic to specific backend servers based on the input ports
  • App Gateway: Layer 7 (application)
  • Azure Application Gateway is a load-balancer that comes bundled with Web Application Firewall WAF
    • protects web applications that use HTTP/S

Application Gateway

  • OSI Layer 7, load balancer for Web Applications (if all network traffic is HTTP/HTTPS/WebSocket)
  • SSL/TLS termination (can manage certificates and pass unencrypted traffic to the backend)
  • URL-based routing, rewrite HTTP headers
  • Auto-scaling and zone redundancy
  • Cookie based affinity (Session affinity)
  • components:
    • Front-end IPs: one or more public IPs allowed
    • Backend pools: one or more of VM, VM Scale Set, Application Services or IP
    • Listeners: listens for traffic on specific frontend IP+port and specific protocol (HTTP or HTTPS)
    • Rules: tie front-end IP (aka HTTP Settings) and listener to backend pool
    • Health probes: periodically probe each backend server and mark it unhealthy after consecutive timeouts
  • Web Application Firewall WAF is optional Tier that can
    • provide detailed monitoring and logging
    • take action based on incoming Request's header, cookie, or any attribute
    • enforce selected or all OWASP rules (an OSS Web Application Security community)

Azure Active Directory Azure AD

  • A subscription can have multiple AAD
  • Editions: Free, Premium P1, Premium P2 (Basic is obsolete)
  • User types: Standard or External (Guest)
  • Group types:
    • Security(can assign permissions to) or
    • Office 365 (more like distribution list, cannot assign permissions)
  • Group membership types: dynamically (based on an AAD attribute) or assigned (explicit)
  • Devices: belonging to AAD users. Types:
    • Registered: devices authenticate when need to use resources; mainly personal devices
    • Joined: devices have some local access based on authentication; mainly company-owned devices
    • Hybrid Joined: devices that have joined on-prem
  • Device management: Intune
  • Features: custom domains, enterprise applications
    • MFA: Disabled, Enabled or Enforced (non web-app will require a password)
  • AD Joins
  • access review

AD Connect

  • runs on-prem and syncs Domain Controller logins to Azure AD.
  • Sign-on methods:
    • Password Hash Synchronization - PHS: syncs on-prem password hashes to AAD, with optional write-back (AAD to on-prem); AAD stores only the password hash
    • Pass-Through Authentication - PTA: Auth performed by on-prem, optional write-back, ROT: Use HA
    • Federation: AD FS: Trust relationship between on-prem and AAD using Web Application Proxy server and SSL
      • on-prem auth, sign-on from either on-prem or cloud, but trust makes it transparent
  • Can select OUs, App, Attributes, Users to sync