Network¶

Feature	Peering	VNet-to-VNet
Encryption	None	IPSec/IKE
Span	Region, subscription if same tenant	Geo, Region
VPN Gateway	Not needed	Required
Span subscription	Yes	Only using Powershell

DNS¶

Azure provided DNS
No config, HA, cannot change suffix
Bring your own DNS
allows hybrid on-prem and Azure VM
reverse lookup of internal IP
authenticate to Domain Controller
Turn off Scavenging to prevent accidental removal of DNS record
Azure DNS
HA, must bring your own domain
No DNSSEC
Private DNS domains (preview)
- name resolution within Azure spanning VNets, Regions and Subscriptions
- Supports Split Horizon (Private and Public DNS zones share a name)

Apply or Deny rules, inbound or outbound
Can be applied to subnet or NIC
Default Inbound: AllowVNetInbound > AllowAzueLoadBalancerInBound > DenyAllInBound
Default Outbound: AllowVNetOutbound > AllowInternetOutBound > DenyAllOutBound
Rule: Source Port/Range, Destination Port/Range, Protocol, Action, Priority
Rules are processed with increasing number (low number => high priority)
First matched rule is taken, if none match, default is deny
A VM can be affected by subnet level and then VM level NSGs
Firewall offering is a newer version of NSG(?)

Primary goal is to reduce latency when users are distribute globally
Allows an endpoint to be available globally but applications and data can be in multiple regions
Traffic manager uses DNS that is closest to the User do direct traffic
Unlike load balancer,
not restricted to one region
works at DNS level to redirect traffic to preferred endpoint

From VNET-to-VNET
Global VNet peering can span regions or subscriptions as long as the same tenant
Can be either one-way or both directions
Chaining forwarded traffic (transitively extending network)
VNet-to-VNet connections: Peering or site-to-site VPN Tunnel
Both inbound an outbound networking is traffic is charged (~ 2 cents/GB intra-region, can be 10x for across region)

VPN: connect on-site network to Azure. Requires Virtual Network Gateway VNG in Azure
site-to-site: requires dedicated hardware
point-to-site: device to site, VPN software
ExpressRoute allows site-to-site connectivity between Azure and on-prem using private network
- requires dedicated hardware at ISP
Virtual Network Gateway resides in a special subnet called Gateway Subnet
ExpressRoute Direct is provisioned by Microsoft
- Connect to one of the edge locations that Microsoft has
- higher speeds (10gps, 100gbps): achieved through combining 1 or more virtual circuits
VNG SKUs: offer predetermined bandwidth, certain number of P2S and S2S tunnels
VPN allows either {site,point}-to-site connectivity between Azure and on-prem using IPSec VPN, consists of
Virtual Network Gateway on Azure and has a public IP address
Local Network Gateway on-prem, also has an IP address
Unlike, peering, VNG incurs a fixed cost, but has no inbound charge for inter-virtual network data transfer
Microsoft Peering connect to public cloud services (like Office 365) over internet
Azure Private Peering connect to Azure services such as VM over private network
Virtual WAN
connect branch offices through Azure

Load Balancer: Layer 4 (transport)
Inbound NAT rules allow sending traffic to specific backend servers based on the input ports
App Gateway: Layer 7 (application)
Azure Application Gateway is a load-balancer that comes bundled with Web Application Firewall WAF
protects web applications that use HTTP/S

OSI Layer 7, load balancer for Web Applications (if all network traffic is HTTP/HTTPS/WebSocket)
SSL/TLS termination (can manage certificates and pass un-encrypted traffic to backend)
URL-based routing, rewrite HTTP headers
Auto-scaling and zone redundancy
Cookie based affinity (Session affinity)
components:
Front-end IPs: one or more public IPs allowed
Backend pools: one or more of VM, VM Scale Set, Application Services or IP
Listeners: listens for traffic on specific frontend IP+port and specific protocol (HTTP or HTTPS)
Rules: tie front-end IP (aka HTTP Settings) and listener to backend pool
Health probes: periodically probe backend server, set unhealthy if consecutively timeouts out
Web Application Firewall WAF is optional Tier that can
provide detailed monitoring and logging
take action based on incoming Request's header, cookie, or any attribute
enforce selected or all OWASP rules (an OSS Web Application Security community)

A subscription can have multiple AAD
Editions: Free, Premium P1, Premium P2 (Basic is obsolete)
User types: Standard or External (Guest)
Group types:
Security(can assign permissions to) or
Office 365 (more like distribution list, cannot assign permissions)
Group membership types: dynamically (based on an AAD attribute) or assigned (explicit)
Devices: belonging to AAD users. Types:
Registered: devices authenticate when need to use resources; mainly personal devices
Joined: devices have some local access based on authentication; mainly company-owned devices
Hybrid Joined: devices that have joined on-prem
Device management InTune
Features: custom domains, enterprise applications
MFA: Disabled, Enabled or Enforced (non web-app will require a password)
AD Joins
access review

runs on-prem and syncs Domain Controller logins to Azure AD.
Sign-on methods:
Password Hash Synchronization - PHS: Sync on-prem password to AAD and optional write-back, sync AAD to on-prem. AAD stores password hash only
Pass-Through Authentication - PTA: Auth performed by on-prem, optional write-back, ROT: Use HA
Federation: AD FS: Trust relationship between on-prem and AAD using Web Application Proxy server and SSL
- on-prem auth, sign-on from either on-prem or cloud, but trust makes it transparent
Can select OUs, App, Attributes, Users to sync