AZ 100T04A ENU TrainerHandbook


MCT USE ONLY. STUDENT USE PROHIBITED


Microsoft Official Course

AZ-100T04
Configure and Manage
Virtual Networks
Contents

■■ Module 0 Welcome  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1
Start Here  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  1
■■ Module 1 Azure Virtual Networks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
Introducing Virtual Networks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
Creating Azure Virtual Networks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
Review of IP Addressing  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  12
Network Routing  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  17
Module 1 Review Questions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  23
■■ Module 2 Azure DNS  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  25
Azure DNS Basics  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  25
Implementing Azure DNS  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  31
Module 2 Review Questions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  35
■■ Module 3 Securing Virtual Network Resources  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37
Introduction to Network Security Groups  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37
Implementing Network Security Groups and Service Endpoints  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  41
Module 3 Review Questions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46
■■ Module 4 Connecting Virtual Networks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49
Intersite Connectivity  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49
Virtual Network Peering  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  54
Module 4 Review Questions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  59
■■ Module 5 Lab-Configure and Manage Virtual Networks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  61
Lab  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  61
Module 0 Welcome

Start Here
Azure Administrator Curriculum
This course is part of a series of courses to help you prepare for Microsoft’s Azure Administrator certification tests. There are two exams:
●● AZ-100, Microsoft Azure Infrastructure and Deployment (https://www.microsoft.com/en-us/learning/exam-az-100.aspx), and
●● AZ-101, Microsoft Azure Integration and Security (https://www.microsoft.com/en-us/learning/exam-az-101.aspx).
Each exam measures your ability to accomplish certain technical tasks. For example, AZ-100 includes five study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam. The higher the percentage, the more questions you are likely to see in that area.

AZ-100 Study Areas                          Weights
Manage Azure subscriptions and resources    15-20%
Implement and manage storage                20-25%
Deploy and manage virtual machines          20-25%
Configure and manage virtual networks       20-25%
Manage identities                           15-20%

✔️ This course will focus on preparing you for the Configure and manage virtual networks area of the AZ-100 certification exam.

About This Course

Course Description
This course teaches IT Professionals how to configure and manage Azure virtual networks (VNets). The benefits of moving an infrastructure to the cloud, such as removing the need to maintain expensive datacenters, are an appealing proposition for many small and medium-sized companies. Regardless, once resources are moved to Azure, they require the same networking functionality as an on-premises deployment, and this course deals with the basic network configuration tasks.
Students review the basics of IP addressing, with specific emphasis on how public and private IP addressing works in the cloud. Students learn how to configure network routing and how to implement Azure DNS.
Securing the network infrastructure is of key importance, and students learn how to use Network Security Groups (NSGs) to limit network traffic to resources in a virtual network by creating security rules that allow or deny inbound or outbound traffic. Students also learn how to use NSG logging to diagnose and troubleshoot network connectivity problems.
The course also covers different connectivity scenarios for Azure virtual networks, and students learn how to connect virtual networks with VNet-to-VNet VPN gateways and virtual network peering.
Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use the Azure Portal and, as they become more proficient, they use PowerShell and the Command Line Interface.
Prerequisites
Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud
infrastructure, storage structures, and networking.
Expected learning
●● Understand virtual networking components, IP addressing, and network routing options.
●● Implement Azure DNS domains, zones, record types, and resolution methods.
●● Configure network security groups, service endpoints, logging, and network troubleshooting.
●● Implement site connectivity schemas including VNet-to-VNet connections and virtual network
peering.

Syllabus
This course includes content that will help you prepare for the certification exam. Other content is
included to ensure you have a complete picture of Azure virtual networks. The course content includes a
mix of videos, graphics, reference links, module review questions, and practice labs.
Module 1 – Azure Virtual Networks
In this module, you will be introduced to Azure virtual networks. What are virtual networks and how are they organized? How do you create and configure virtual networks with templates, PowerShell, CLI, or the Azure portal? What is the difference between public, private, static, and dynamic IP addressing? How are system routes, routing tables, and routing algorithms used? Lessons include:
●● Introducing Virtual Networks
●● Creating Azure Virtual Networks
●● Review of IP Addressing

●● Network Routing
Module 2 – Azure DNS
In this module, you will learn about DNS basics and specifically implementing Azure DNS. In the DNS
Basics lesson you will review DNS domains, zones, record types, and resolution methods. In the Azure
DNS lesson, we will cover delegation, metrics, alerts, and DNS hosting schemes. Lessons include:
●● Azure DNS Basics
●● Implementing Azure DNS
Module 3 – Securing Virtual Network Resources
In this module, you will learn primarily about Network Security Groups (NSGs) including NSG rules and
NSG scenarios. You will also learn how to implement NSGs considering service endpoints, logging,
troubleshooting, and other network traffic. Lessons include:
●● Introduction to Network Security Groups
●● Implementing Network Security Groups and Service Endpoints
Module 4 – Connecting Virtual Networks
In this module, you will learn about two specific types of intersite connectivity: VNet-to-VNet connections
and VNet Peering. In both cases, you will learn when to choose which connectivity method, and how to
implement and configure the method. Lessons include:
●● Intersite Connectivity (VNet-to-VNet Connections)
●● Virtual Network Peering

Study Guide
The Configure and manage virtual networks objective of the AZ-100 exam consists of four main areas of study: Create connectivity between virtual machines, Implement and manage virtual networking, Configure name resolution, and Create and configure a network security group. These tables show you what may be included in each test area and where it is covered in this course.
✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.
✔️ We recommend supplementing your study with a practice test (https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100). Also, hands-on practice is critical to understanding these concepts and passing the certification exams. There are several ways to get an Azure subscription (https://azure.microsoft.com/en-us/offers/ms-azr-0044p/).

Create connectivity between virtual networks

Testing May Include                               Course Content
Create and configure VNet peering                 Module 04 - Connecting Virtual Networks
Create and configure VNet to VNet                 Module 04 - Connecting Virtual Networks
Verify virtual network connectivity               Module 04 - Connecting Virtual Networks
Create virtual network gateway                    Module 04 - Connecting Virtual Networks

Implement and manage virtual networking

Testing May Include                               Course Content
Configure private IP addressing                   Module 01 - Azure Virtual Networks
Configure public IP addresses                     Module 01 - Azure Virtual Networks
Create and configure network routes               Module 01 - Azure Virtual Networks
Create and configure network interface            Module 01 - Azure Virtual Networks
Create and configure subnets                      Module 01 - Azure Virtual Networks
Create and configure virtual network              Module 01 - Azure Virtual Networks

Configure name resolution

Testing May Include                               Course Content
Configure Azure DNS                               Module 02 - Azure DNS
Configure custom DNS settings                     Module 02 - Azure DNS
Configure private and public DNS zones            Module 02 - Azure DNS

Create and configure an NSG

Testing May Include                               Course Content
Create security rules                             Module 03 - Securing Virtual Network Resources
Associate NSG to a subnet or network interface    Module 03 - Securing Virtual Network Resources
Identify required ports                           Module 03 - Securing Virtual Network Resources
Evaluate effective security rules                 Module 03 - Securing Virtual Network Resources
Module 1 Azure Virtual Networks

Introducing Virtual Networks


Video: Basic Azure Virtual Networking Concepts

Introduction to Azure Networking Components


A major incentive for adopting cloud solutions such as Azure is to enable information technology (IT) departments to move server resources to the cloud. This can save money and simplify operations by removing the need to maintain expensive datacenters with uninterruptible power supplies, generators, multiple fail-safes, clustered database servers, and so on. For small and medium-sized companies, which might not have the expertise to maintain their own robust infrastructure, moving to the cloud is particularly appealing.
Once the resources are moved to Azure, they require the same networking functionality as an on-premises deployment, and in specific scenarios require some level of network isolation. Azure networking components offer a range of functionalities and services that can help organizations design and build cloud infrastructure services that meet their requirements. Azure has many networking components.
For more information, you can see:
Azure Virtual Networks - https://azure.microsoft.com/en-us/services/virtual-network/

Overview of Virtual Networks


An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical
isolation of the Azure cloud dedicated to your subscription. You can use VNets to provision and manage
virtual private networks (VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with
your on-premises IT infrastructure to create hybrid or cross-premises solutions. Each VNet you create has
its own CIDR block and can be linked to other VNets and on-premises networks if the CIDR blocks do not
overlap. You also have control of DNS server settings for VNets, and segmentation of the VNet into
subnets.

You can use virtual networks to:

●● Create a dedicated private cloud-only VNet. Sometimes you don't require a cross-premises configuration for your solution. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud. You can still configure endpoint connections for the VMs and services that require internet communication, as part of your solution.
●● Securely extend your data center with VNets. You can build traditional site-to-site (S2S) VPNs to securely scale your datacenter capacity. S2S VPNs use IPsec to provide a secure connection between your corporate VPN gateway and Azure.
●● Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix systems.
For more information, you can see:
What is an Azure virtual network? - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-is-an-azure-virtual-network-vnet

Subnets
A virtual network can be segmented into one or more subnets. Subnets provide logical divisions within
your network. Subnets can help improve security, increase performance, and make it easier to manage
the network.
Each subnet contains a range of IP addresses that fall within the virtual network address space. Each
subnet must have a unique address range, specified in CIDR format. The address range cannot overlap
with other subnets in the virtual network.

It is important to carefully plan your subnets. Here are some things to think about.
●● Service requirements. Each service directly deployed into a virtual network has specific requirements for routing and the types of traffic that must be allowed into and out of subnets. A service may require, or create, its own subnet, so there must be enough unallocated space for it to do so. For example, if you connect a virtual network to an on-premises network using an Azure VPN Gateway, the virtual network must have a dedicated subnet for the gateway.
●● Virtual appliances. Azure routes network traffic between all subnets in a virtual network by default. You can override Azure's default routing to prevent Azure routing between subnets, or to route traffic between subnets through a network virtual appliance. So, if you require that traffic between resources in the same virtual network flow through a network virtual appliance (NVA), deploy the resources to different subnets.
✔️ Azure reserves the first three IP addresses and the last IP address in each subnet address range.
✔️ The Review of IP Addressing lesson covers the basics of IP addressing if you need a refresher.
For more information, you can see:
Subnets - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-VNet-plan-design-arm#subnets
Services that can be deployed into a virtual network - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network

Video: Managing Virtual Networks

Additional Practice - Virtual Networks


A virtual network enables Azure resources, such as virtual machines (VM), to communicate privately with
each other, and with the internet.
Take a few minutes to try the QuickStart: Create a virtual network using the Azure portal (https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal). In this QuickStart, you learn how to create a virtual network. After creating a virtual network, you deploy two VMs into the virtual network. You then connect to one VM from the internet and communicate privately between the two VMs.
●● Create a virtual network.
●● Create virtual machines.
●● Connect to a VM from the internet.
●● Communicate between VMs.
✔️ Creating virtual networks is a common administrator task. Be sure to take time to practice.

Creating Azure Virtual Networks


Implementing Virtual Networks
You can create new virtual networks at any time. You can also add virtual networks when you create a
virtual machine. Either way you will need to define the address space, and at least one subnet. By default,
you can create up to 50 virtual networks per subscription per region, although you can increase this limit
to 500 by contacting Azure support.

✔️ Always plan to use an address space that is not already in use in your organization, either on-premises or in other VNets. Even if you plan for a VNet to be cloud-only, you may want to make a VPN connection to it later. If there is any overlap in address spaces at that point, you will have to reconfigure or recreate the VNet. The next lesson will focus on IP addressing.
For more information, you can see:
What is Azure Virtual Network - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Networking Limits - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#networking-limits-1
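The subnet-planning points from the Subnets lesson (a dedicated subnet for a VPN gateway, no overlapping subnet ranges inside the VNet) and the advice above about not reusing an address space that is in use on-premises or in another VNet can both be checked on paper before anything is deployed. The following script is an added example, not course material and not Azure tooling; the VNet, subnet and on-premises prefixes in it are constructed sample values, and the one Azure rule it encodes beyond the text above is that the gateway's dedicated subnet must be named GatewaySubnet.

```python
"""Address-space planning checks for an Azure virtual network layout.

Added example (not course material and not Azure tooling). The VNet and
subnet prefixes used in demo() are constructed sample values.
"""
from ipaddress import ip_network


def check_plan(vnet_prefix, subnets, other_ranges=(), needs_gateway=False):
    """Return a list of planning problems; an empty list means the plan is consistent.

    vnet_prefix   -- the VNet address space in CIDR form, e.g. "10.1.0.0/16"
    subnets       -- dict mapping subnet name -> CIDR prefix
    other_ranges  -- prefixes already in use elsewhere (other VNets, on-premises
                     networks) that this VNet may later be peered or VPN-linked to
    needs_gateway -- True if an Azure VPN gateway will be deployed into the VNet
    """
    problems = []
    vnet = ip_network(vnet_prefix, strict=True)
    nets = {}
    for name, prefix in subnets.items():
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.0.0.5/24
            net = ip_network(prefix, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        nets[name] = net
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} lies outside the VNet address space {vnet}")
    # Subnet ranges inside one VNet must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # A VNet can only be linked to networks whose ranges do not overlap its own.
    for other in other_ranges:
        if vnet.overlaps(ip_network(other, strict=False)):
            problems.append(f"VNet {vnet} overlaps existing range {other}")
    # Azure requires the VPN gateway's dedicated subnet to be named GatewaySubnet
    # (Azure rule, not stated in the course text).
    if needs_gateway and "GatewaySubnet" not in nets:
        problems.append("a VPN gateway is planned but no GatewaySubnet is defined")
    return problems


def demo():
    """Run the checks on one clean plan and one plan with deliberate mistakes."""
    clean = check_plan(
        "10.1.0.0/16",
        {"FrontEnd": "10.1.0.0/24", "BackEnd": "10.1.1.0/24", "GatewaySubnet": "10.1.255.0/27"},
        other_ranges=["10.0.0.0/16", "192.168.0.0/24"],   # constructed: another VNet, on-premises
        needs_gateway=True,
    )
    flawed = check_plan(
        "10.0.0.0/16",
        {"Public": "10.0.0.0/24", "DMZ": "10.0.0.128/25", "Private": "10.1.0.0/24"},
        other_ranges=["10.0.5.0/24"],   # constructed: an on-premises range inside the VNet space
        needs_gateway=True,
    )
    return clean, flawed


if __name__ == "__main__":
    clean, flawed = demo()
    print("clean plan problems:", clean)
    for problem in flawed:
        print("flawed plan:", problem)
```

The flawed plan in demo() trips every check once: a subnet outside the VNet space, two subnets that overlap, an on-premises range that overlaps the VNet (which would block the later VPN connection the note above warns about), and a missing GatewaySubnet.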

Demonstration: Create a Virtual Network using the Azure Portal

Demonstration: Create a Virtual Network (PowerShell and CLI)
In this video Corey mentions the Unified Client. He is referring to the Azure Command Line Interface (CLI).

Multiple NICs in Virtual Machines


You can create virtual machines in Azure and attach multiple network interfaces (NICs) to each of your
VMs. Having multiple NICs is a requirement for many network virtual appliances, such as application
delivery and WAN optimization solutions. Having multiple NICs also provides more network traffic
management functionality, including isolation of traffic between a front-end NIC and back-end NIC(s), or
separation of data plane traffic from management plane traffic.

The figure above shows a VM with three NICs, each connected to a different subnet.
●● The order of the NICs from inside the VM will be random and could also change across Azure infrastructure updates. However, the IP addresses, and the corresponding Ethernet MAC addresses, will remain the same. For example, assume Eth1 has IP address 10.1.0.100 and MAC address 00-0D-3A-B0-39-0D; after an Azure infrastructure update and reboot, it could be changed to Eth2, but the IP and MAC pairing will remain the same. When a restart is customer-initiated, the NIC order will remain the same.
●● The address for each NIC on each VM must be in a subnet, and multiple NICs on a single VM can each be assigned addresses that are in the same subnet.
●● The VM size determines the number of NICs that you can create for a VM.
The following limitations are applicable when using the multiple NIC feature:
●● All VMs in an availability set need to use either multiple NICs or a single NIC. You cannot have a mixture of multi-NIC VMs and single-NIC VMs within an availability set. The same rules apply for VMs in a cloud service.
●● A VM with a single NIC cannot be configured with multiple NICs (and vice versa) once it is deployed, without deleting and re-creating it.
For more information, you can see:
Add network interfaces to or remove network interfaces from virtual machines - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm

Demonstration: Using Multiple NICs

For more information, see:
Create and manage a Windows virtual machine that has multiple NICs - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/multiple-nics

Review of IP Addressing
Video: IP Addressing

Overview of IP Addressing
You can assign IP addresses to Azure resources to communicate with other Azure resources, your
on-premises network, and the Internet. There are two types of IP addresses you can use in Azure. Virtual
networks can contain both public and private IP address spaces.

1. Private IP addresses: Used for communication within an Azure virtual network (VNet), and your
on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to
Azure.
2. Public IP addresses: Used for communication with the Internet, including Azure public-facing
services.
IP addresses can also be statically assigned or dynamically assigned. Static IP addresses do not change
and are best for certain situations such as:
●● DNS name resolution, where a change in the IP address would require updating host records.
●● IP address-based security models which require apps or services to have a static IP address.
●● SSL certificates linked to an IP address.
●● Firewall rules that allow or deny traffic using IP address ranges.
●● Role-based VMs such as Domain Controllers and DNS servers.
✔️ As a best practice, you may decide to separate dynamically and statically assigned IP resources into different subnets. Also, IP addresses are never managed from within a virtual machine.

Public IP Addresses
A public IP address resource can be associated with virtual machine network interfaces, internet-facing load balancers, VPN gateways, and application gateways. Azure can provide an IP address (dynamic assignment) or you can assign the IP address (static assignment). The type of resource affects the assignment.

Public IP addresses     IP address association      Dynamic   Static
Virtual Machine         NIC                         Yes       Yes
Load Balancer           Front-end configuration     Yes       Yes
VPN Gateway             Gateway IP configuration    Yes       No
Application Gateway     Front-end configuration     Yes       No

When you create a public IP address you are given a SKU choice of either Basic or Standard. Your SKU choice affects the IP assignment method, security, available resources, and redundancy. This table summarizes the differences.

Feature         Basic SKU                                                                      Standard SKU
IP assignment   Static or dynamic                                                              Static
Security        Open by default                                                                Secure by default and closed to inbound traffic
Resources       Network interfaces, VPN Gateways, Application Gateways, and Internet-facing load balancers   Network interfaces or public standard load balancers
Redundancy      Not zone redundant                                                             Zone redundant by default

For more information, you can see:
Public IP addresses - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm#public-ip-addresses
Allocation method - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm#allocation-method

Private IP Addresses
A private IP address resource can be associated with virtual machine network interfaces, internal load balancers, and application gateways. Azure can provide an IP address (dynamic assignment) or you can assign the IP address (static assignment).

Private IP Addresses     IP address association      Dynamic   Static
Virtual Machine          NIC                         Yes       Yes
Internal Load Balancer   Front-end configuration     Yes       Yes
Application Gateway      Front-end configuration     Yes       Yes

A private IP address is allocated from the address range of the virtual network subnet a resource is deployed in.
●● Dynamic. Azure assigns the next available unassigned or unreserved IP address in the subnet's address range. For example, Azure assigns 10.0.0.10 to a new resource if addresses 10.0.0.4-10.0.0.9 are already assigned to other resources. Dynamic is the default allocation method.
●● Static. You select and assign any unassigned or unreserved IP address in the subnet's address range. For example, if a subnet's address range is 10.0.0.0/16 and addresses 10.0.0.4-10.0.0.9 are already assigned to other resources, you can assign any address between 10.0.0.10 - 10.0.255.254.
For more information, you can see:
Private IP addresses - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm#private-ip-addresses
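As an added example that is not part of the course, the following Python class models the two allocation methods just described: reserved addresses are never handed out, a dynamic request gets the next free address, and a static request is accepted only if it is in range, unreserved and unassigned. It reproduces the course's 10.0.0.0/16 case with a constructed set of six existing assignments. The reservation it applies (the network address plus the next three, and the broadcast address) is why that case starts assigning at 10.0.0.4; the /29 minimum subnet size is an Azure rule not stated in the text above.

```python
"""Private IP allocation inside an Azure subnet (added example, not course code).

Azure reserves the first four addresses of every subnet (the network address
and the next three) and the last (broadcast) address, so the first host that
can be assigned is .4. Sample subnets and assignments below are constructed.
"""
from ipaddress import ip_address, ip_network


class SubnetAllocator:
    def __init__(self, prefix):
        self.net = ip_network(prefix, strict=True)
        if self.net.prefixlen > 29:
            raise ValueError("Azure subnets must be /29 or larger")
        first = int(self.net.network_address)
        last = int(self.net.broadcast_address)
        # Reserved by Azure: network address, the next three, and broadcast.
        self.reserved = {ip_address(first + i) for i in range(4)} | {ip_address(last)}
        self.assigned = set()

    def usable_count(self):
        """Number of addresses Azure can actually hand out in this subnet."""
        return self.net.num_addresses - len(self.reserved)

    def check_static(self, requested):
        """Verdict for a static request: 'ok', 'out of range', 'reserved' or 'assigned'."""
        addr = ip_address(requested)
        if addr not in self.net:
            return "out of range"
        if addr in self.reserved:
            return "reserved"
        if addr in self.assigned:
            return "assigned"
        return "ok"

    def allocate_static(self, requested):
        """Static: you pick any unassigned, unreserved address in the range."""
        verdict = self.check_static(requested)
        if verdict != "ok":
            raise ValueError(f"{requested} cannot be assigned: {verdict}")
        addr = ip_address(requested)
        self.assigned.add(addr)
        return str(addr)

    def allocate_dynamic(self):
        """Dynamic (the default): Azure takes the next available address."""
        for host in self.net.hosts():
            if host not in self.reserved and host not in self.assigned:
                self.assigned.add(host)
                return str(host)
        raise RuntimeError(f"no free addresses left in {self.net}")

    def release(self, addr):
        """Free an address (for example after its NIC is deleted) so it can be reused."""
        self.assigned.discard(ip_address(addr))


def course_example():
    """The course's case: 10.0.0.0/16 with 10.0.0.4-10.0.0.9 taken; dynamic yields 10.0.0.10."""
    subnet = SubnetAllocator("10.0.0.0/16")
    for n in range(4, 10):                     # constructed: six resources already present
        subnet.allocate_static(f"10.0.0.{n}")
    return subnet.allocate_dynamic()


if __name__ == "__main__":
    print("next dynamic address:", course_example())
    small = SubnetAllocator("10.0.0.0/29")
    print("/29 usable addresses:", small.usable_count())
```

The /29 case is worth keeping in mind when sizing small subnets: of its eight addresses only three (.4, .5 and .6) can ever be assigned, which is exactly what allocate_dynamic returns before it runs out.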

Demonstration: Configuring IP Settings

Additional Practice - Static Public IP Addresses


You would like to deploy a web server that can be accessed by customers on the internet. By default,
public IP addresses are dynamic, but you would like to assign a static IP address. Static IP addresses are
often used for web servers that require SSL connections in which the SSL certificate is linked to an IP
address.

Requirements:
●● Create a virtual network called TestVNet. The IP address space is 192.168.0.0/16.
●● Create a subnet within the virtual network called FrontEnd. The address space is 192.168.0.1/24.
●● Create a virtual machine called Web1 (your choice of machine type) and associate it with the new subnet. You may use an existing virtual machine.
●● Configure the virtual machine to use a static public IP address. Set the IP address to 192.168.1.101.
✔️ You should be able to easily implement this scenario. If you need a hint, use the reference links. You can try this practice in the portal, PowerShell, or CLI.
For more information, you can see:
Create a VM with a static public IP address using the Azure portal - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-deploy-static-pip-arm-portal
Create a VM with a static public IP address using PowerShell - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-deploy-static-pip-arm-ps
Create a VM with a static public IP address using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-deploy-static-pip-arm-cli

Additional Practice - Static Private IP Addresses


In certain cases, you want a VM or role instance to have a static IP address, for example if your VM is going to run DNS or will be a domain controller. You can do this by configuring a static private IP address.

Requirements:
●● Create a virtual network called TestVNet. The IP address space is 192.168.0.0/16.
●● Create a subnet within the virtual network called FrontEnd. The address space is 192.168.0.1/24.
●● Create a virtual machine called DNS01 (your choice of machine type) and associate it with the new subnet. You may use an existing virtual machine.
●● Configure the virtual machine to use a static private IP address. Set the IP address to 192.168.1.102.
✔️ You cannot set a static private IP address during the creation of a VM in the Resource Manager deployment mode by using the Azure portal. You must create the VM first, then set its private IP to be static. Use the reference link to explore different configuration options.
For more information, you can see:
Configure private IP addresses for a virtual machine using the Azure portal - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-pportal
Configure private IP addresses for a virtual machine using PowerShell - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-ps
Configure private IP addresses for a virtual machine using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-cli

Network Routing
System Routes
Azure uses system routes to direct network traffic between virtual machines, on-premises networks, and
the Internet. The following situations are managed by these system routes:
●● Traffic between VMs in the same subnet.
●● Between VMs in different subnets in the same virtual network.
●● Data flow from VMs to the Internet.
●● Communication between VMs using a VNet-to-VNet VPN.
●● Site-to-Site and ExpressRoute communication through the VPN gateway.
For example, consider this virtual network with two subnets. Communication between the subnets and
from the frontend to the internet are all managed by Azure using the default system routes.

Information about the system routes is recorded in a route table. A route table contains a set of rules, called routes, that specify how packets should be routed in a virtual network. Route tables are associated to subnets, and each packet leaving a subnet is handled based on the associated route table. Packets are matched to routes using the destination. The destination can be an IP address, a virtual network gateway, a virtual appliance, or the internet. If a matching route can't be found, then the packet is dropped.
For more information, you can see:
System routes - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#system-routes

User Defined Routes


As you have just read, Azure automatically handles all network traffic routing. But, what if you want to do
something different? For example, you may have a VM that performs a network function, such as routing,
firewalling, or WAN optimization. You may want certain subnet traffic to be directed to this virtual
appliance. For example, you might place an appliance between subnets or a subnet and the internet.

In these situations, you can configure user-defined routes (UDRs). UDRs control network traffic by
defining routes that specify the next hop of the traffic flow. This hop can be a virtual network gateway,
virtual network, internet, or virtual appliance.
✔️ Each route table can be associated to multiple subnets, but a subnet can only be associated to a
single route table. There are no additional charges for creating route tables in Microsoft Azure. Do you
think you will need to create custom routes?
For more information, you can see:
Custom routes - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#custom-routes

Routing Example
Let’s look at a specific example where you have a virtual network that includes 3 subnets: Private, DMZ,
and Public. In the DMZ subnet there is a network virtual appliance (NVA). You want to ensure all traffic
from the Public subnet goes through the NVA to the Private subnet.

Let’s look at how we could implement this scenario by creating the route table, creating the route, and
associating the route to the subnet.

✔️ There is a practice exercise that includes a complete set of steps for this scenario, including creating the virtual appliance and testing.

Create Route Table


Creating a route table is very straightforward, but pay attention to the Border Gateway Protocol (BGP)
route propagation setting. In this case, we will want to enable BGP route propagation.

BGP is the standard routing protocol commonly used on the Internet to exchange routing and reachability information between two or more networks. Routes are automatically added to the route table of all subnets with BGP propagation enabled. In many situations this is what you want. For example, if you are using ExpressRoute you would want all subnets to know about that routing. Read more at the reference links.
For more information, you can see:
Border gateway protocol - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#border-gateway-protocol
Overview of BGP with Azure VPN Gateways - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview?toc=%2fazure%2fvirtual-network%2ftoc.json

Create and Associate the Route


When you create a route there are several Next hop types. In this example, we are using virtual appliance.
Other choices are virtual network gateway, virtual network, internet, and none.

Notice this route applies to any address prefixes in 10.0.1.0/24 (private subnet). Traffic headed to these
addresses will be sent to the virtual appliance with a 10.0.2.4 address.
Associate Route to Subnet
Each subnet can have zero or one route table associated to it. In this example, our Public subnet will be
associated with the routing table.

✔️ In this case the virtual appliance should not have a public IP address and IP forwarding should be enabled. Be sure to try the practice.
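The three steps above (create the route table, create the route, associate the table with the subnet), plus the IP forwarding setting from the note, as one added Azure PowerShell example. This is not code from the course or from Microsoft's tutorial; it uses the AzureRm module like the rest of this handbook (the same cmdlets exist in the newer Az module with the AzureRm prefix replaced by Az). It assumes a resource group RG1, a virtual network VNet1 with the subnets Public, DMZ and Private, an NVA network interface named nva-nic and a web VM NIC named web-nic in the Public subnet. The 10.0.1.0/24 Private prefix and the 10.0.2.4 NVA address are the ones used in the routing example; the other names are assumptions.

```powershell
# Added example (not course code): implement the routing scenario with AzureRm cmdlets.
# Assumed names: resource group RG1, VNet VNet1, subnet Public, NICs nva-nic and web-nic.
$rg       = 'RG1'
$location = 'eastus'

# 1. Create the route table. BGP route propagation stays enabled (the default);
#    add -DisableBgpRoutePropagation only when this subnet must not learn
#    routes advertised over ExpressRoute or a VPN gateway.
$rt = New-AzureRmRouteTable -Name 'rt-public' -ResourceGroupName $rg -Location $location

# 2. Add the user-defined route: traffic for the Private subnet goes to the NVA.
#    Next hop types: VirtualAppliance, VirtualNetworkGateway, VnetLocal, Internet, None.
$rt = Add-AzureRmRouteConfig -RouteTable $rt -Name 'to-private-via-nva' `
        -AddressPrefix '10.0.1.0/24' -NextHopType VirtualAppliance -NextHopIpAddress '10.0.2.4'
$rt = Set-AzureRmRouteTable -RouteTable $rt

# 3. Associate the table with the Public subnet (a subnet carries at most one route table).
$vnet   = Get-AzureRmVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
$public = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Public'
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Public' `
    -AddressPrefix $public.AddressPrefix -RouteTable $rt | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# 4. The NVA forwards packets that are not addressed to it, so IP forwarding must be
#    enabled on its NIC; without it the platform drops those packets.
$nic = Get-AzureRmNetworkInterface -Name 'nva-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic = Set-AzureRmNetworkInterface -NetworkInterface $nic

# 5. Check the result: the effective routes of a NIC in the Public subnet should now
#    include 10.0.1.0/24 with next hop VirtualAppliance / 10.0.2.4 and source User.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName 'web-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '10.0.1.0/24' } |
    Format-Table Source, AddressPrefix, NextHopType, NextHopIpAddress
```

The effective route table in step 5 is the check to run after any change: it shows the routes Azure actually applies to that NIC after system, BGP and user-defined routes have been merged, so a route that was created but never associated, or one shadowed by a more specific prefix, shows up immediately.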

Routing Algorithms
So far routing has been fairly straightforward, but what if a destination address matches two routes in the
routing table? Azure sorts this out in two ways: longest prefix match algorithm, and route priorities.
Longest prefix match algorithm
For example, if the destination address is 10.0.0.5 and there are two routes: One route specifies the
10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. In this case,
Azure selects a route using the longest prefix match algorithm, which is the 10.0.0.0/24 route.

Source | Address prefixes | Next hop type
System | 10.0.0.0/24 | Internet (selected)
System | 10.0.0.0/16 | Virtual network gateway
Route priorities
When the address prefixes are the same, Azure selects the route type, based on the following priority:
1. User-defined route
2. BGP route
3. System route
In our example, for the address 10.0.0.5, Azure selects the route with the User source, because user-defined routes have a higher priority than system default routes.

Source | Address prefixes | Next hop type
User | 10.0.0.0/16 | Internet (selected)
System | 10.0.0.0/16 | Virtual network gateway
For more information, you can see:
How Azure selects a route - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route
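The two selection rules above, longest prefix match first and then source priority, as an added PowerShell simulation. This is illustration code, not part of the course and not an Azure cmdlet: ConvertTo-UInt32, Test-PrefixMatch and Select-AzureRoute are assumed helper names, and the two route tables are the ones from the text.

```powershell
# Added example (not course code): simulate how Azure picks a route.
# 1. Longest prefix match wins.  2. Same prefix: User > BGP > System.

function ConvertTo-UInt32 {
    param([string]$IpAddress)
    # GetAddressBytes() returns network byte order (most significant byte first).
    $b = [System.Net.IPAddress]::Parse($IpAddress).GetAddressBytes()
    return [uint32](([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3])
}

function Test-PrefixMatch {
    param([string]$IpAddress, [string]$Prefix)   # Prefix in CIDR form, e.g. 10.0.0.0/24
    $network, $length = $Prefix.Split('/')
    $length = [int]$length
    if ($length -eq 0) { return $true }          # 0.0.0.0/0 matches every destination
    # Mask with the top $length bits set, e.g. /24 -> 0xFFFFFF00.
    $all  = [int64][uint32]::MaxValue
    $mask = ($all -shl (32 - $length)) -band $all
    return (((ConvertTo-UInt32 $IpAddress) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask))
}

# Lower number = preferred source when the address prefixes are identical.
$sourcePriority = @{ User = 1; BGP = 2; System = 3 }

function Select-AzureRoute {
    param([string]$Destination, [object[]]$Routes)
    # Keep only routes whose prefix covers the destination.
    $candidates = @($Routes | Where-Object { Test-PrefixMatch $Destination $_.AddressPrefix })
    if ($candidates.Count -eq 0) { return $null }   # no matching route: Azure drops the packet
    # Longest prefix first, then the better source; the first object is the chosen route.
    $candidates |
        Sort-Object -Property @{ Expression = { [int]$_.AddressPrefix.Split('/')[1] }; Descending = $true },
                              @{ Expression = { $sourcePriority[$_.Source] }; Descending = $false } |
        Select-Object -First 1
}

# First table from the text: prefixes of different length.
$table1 = @(
    [pscustomobject]@{ Source = 'System'; AddressPrefix = '10.0.0.0/24'; NextHopType = 'Internet' }
    [pscustomobject]@{ Source = 'System'; AddressPrefix = '10.0.0.0/16'; NextHopType = 'Virtual network gateway' }
)
# Second table from the text: same prefix, different sources.
$table2 = @(
    [pscustomobject]@{ Source = 'User';   AddressPrefix = '10.0.0.0/16'; NextHopType = 'Internet' }
    [pscustomobject]@{ Source = 'System'; AddressPrefix = '10.0.0.0/16'; NextHopType = 'Virtual network gateway' }
)

# Different prefix lengths: decided by longest prefix match.
Select-AzureRoute -Destination '10.0.0.5' -Routes $table1
# Equal prefixes: decided by source priority.
Select-AzureRoute -Destination '10.0.0.5' -Routes $table2
# No route covers this destination (the packet would be dropped).
Select-AzureRoute -Destination '192.168.1.1' -Routes $table1
```

Feeding this function the output of Get-AzureRmEffectiveRouteTable for a NIC (Source, AddressPrefix and NextHopType are property names on those objects too) lets you predict, before changing anything, which route a given destination will take from that VM.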

Video: BGP for VPN

Additional Practice - Routing


Azure automatically routes traffic between all subnets within a virtual network, by default. You can create
your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for
example, you want to route traffic between subnets through a network virtual appliance (NVA).
Take a few minutes to try the Tutorial: Route network traffic with a route table using the Azure
portal5. In this Tutorial, you create custom routes to support a virtual appliance. You will learn how to:
●● Create a route table
●● Create a route
●● Create a virtual network with multiple subnets
●● Associate a route table to a subnet
●● Create an NVA that routes traffic
●● Deploy virtual machines (VM) into different subnets
●● Route traffic from one subnet to another through an NVA
There is another more complicated Routing example6 that you should also check out.
And, you may also want to try Create, change, or delete a route table7.
✔️ If you prefer, use the reference links to try the tutorial with PowerShell or the CLI.
For more information, you can see:
Route network traffic with a route table using PowerShell - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-powershell
Route network traffic with a route table using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-cli

5 https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
6 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#routing-example
7 https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table

Module 1 Review Questions


Networking Components
You manage the Azure subscription for a company that specializes in safety training for the Oil and Gas
industry. Each client company develops their own training materials. The client companies consider the
training materials intellectual property.
You need to provide a secure, highly available, video streaming solution with content isolation to clients
who are distributed across the globe.
Which Azure components could you consider as part of the solution, and why?

Click for suggested answer ↓ 


●● Load Balancer: Deliver high availability and network performance to applications.
●● Application Gateway: Build secure, scalable and highly available web front ends.
●● ExpressRoute: Dedicated private network fiber connections to Azure, with VPN Gateways added to
establish secure cross-premises connectivity.
●● Content Delivery Network: Ensure secure, reliable content delivery with broad global reach.
●● Traffic Manager: Route incoming traffic for high performance and availability.
Multi-NIC VMs
You manage Azure virtual machines (VMs) for your organization. Each VM comes with the option to use
multiple network interface cards (NICs). You need to justify the use of multiple NICs in your budget. Give
examples of how using multiple NICs can benefit an Azure VM implementation. What are the limitations
in Azure when using the multiple NIC feature?

Click for suggested answer ↓ 


You can create virtual machines in Azure and attach multiple network interfaces (NICs) to each of your
VMs. Having multiple NICs is a requirement for many network virtual appliances, such as application
delivery and WAN optimization solutions. Having multiple NICs also provides more network traffic
management functionality, including isolation of traffic between a front-end NIC and back-end NIC(s), or
separation of data plane traffic from management plane traffic. The following limitations are applicable
when using the multiple NIC feature:
●● All VMs in an availability set need to use either multiple NICs or a single NIC. You cannot have a
mixture of multi NIC VMs and single NIC VMs within an availability set. Same rules apply for VMs in a
cloud service.
●● A VM with single NIC cannot be configured with multiple NICs (and vice-versa) once it is deployed,
without deleting and re-creating it.
IP Addressing
You manage Azure virtual machines (VMs) for your organization. Each VM must be configured with one
or more IP addresses. You need to decide whether to use static or dynamic IP addresses for VMs. When is
it beneficial to use static IP addresses over dynamic IP addresses?

Click for suggested answer ↓ 


Static IP addresses do not change and are best for certain situations such as:
●● DNS name resolution, where a change in the IP address would require updating host records.
●● IP address-based security models which require apps or services to have a static IP address.
●● SSL certificates linked to an IP address.
●● Firewall rules that allow or deny traffic using IP address ranges.
●● Role-based VMs such as Domain Controllers and DNS servers.
Module 2 Azure DNS

Azure DNS Basics


Video: Name Resolution in Azure Virtual Networks

Azure DNS Benefits


Azure Domain Name Service (DNS) is a hosting service for DNS domains. DNS provides name resolution
by resolving a website or service name to its IP address.

Azure DNS has many benefits.


●● Hosting. Use Azure DNS to host your DNS domains in Azure. DNS records use the same credentials,
and billing and support contract, as your other Azure services.
●● Performance. DNS domains in Azure DNS are hosted on Azure’s global network of DNS name
servers. Azure uses Anycast networking, so DNS queries automatically route to the closest name
servers. This provides both fast performance and high availability for your domain.

●● Scalability. The Microsoft global network of name servers has the scale and redundancy to give you
ultra-high availability for your domains. With Azure DNS, you can be confident that your DNS will
always be available.
●● Updating. When you add a new DNS record, the Azure DNS name servers are updated in a few
seconds—so you don’t have to wait long before that DNS record can be used.
●● Management. Azure DNS can be managed via the Azure portal, Azure PowerShell cmdlets, and the cross-platform Azure CLI. Applications requiring automatic DNS management can integrate with the service via the REST API and SDKs.
✔️ Have you thought about using Azure for your DNS needs?
For more information, you can see:
Azure DNS - https://azure.microsoft.com/en-us/services/dns/
What is DNS? - https://docs.microsoft.com/en-us/azure/dns/dns-overview
Azure DNS FAQ - https://docs.microsoft.com/en-us/azure/dns/dns-faq

DNS Domains
The DNS is a hierarchy of domains. The hierarchy starts from the ‘root’ domain, whose name is simply '.'.
Below this come top-level domains, such as ‘com’, 'net', ‘org’, 'uk' or ‘jp’. Below these are second-level
domains, such as 'org.uk' or ‘co.jp’. The domains in the DNS hierarchy are globally distributed, hosted by
DNS name servers around the world.

1. Root Domain. The DNS namespace organizes host names and IP addresses into a hierarchical tree. At
the top is the root domain.
2. Top-Level Domain. Under the root domain are top-level domains such as org, edu, com, gov, and
mil. There are also two letter country code designations such as au and us.
3. Second-Level Domain. Examples of second-level domains are: contoso, adatum, and fabrikam. These
domains are private domains owned and managed locally.
4. Sub-Domain. Sub-domains under a second-level domain could include: sales and research.
5. Individual Machine. An individual machine within the sales sub-domain would be uniquely referenced as sales1.sales.adatum.com.

✔️ Azure DNS does not currently support purchasing of domain names. If you want to purchase domains, you'll need to use a third-party domain name registrar. The registrar will typically charge a small annual fee. Purchasing a domain name gives you the right to control the DNS hierarchy under that name. For example, allowing you to direct the name ‘www.contoso.com’ to your company web site.
For more information, you can see:
Domain Names - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#domain-names1

DNS Zones
A DNS zone hosts the DNS records for a domain. So, to start hosting your domain in Azure DNS, you
need to create a DNS zone for that domain name. Each DNS record for your domain is then created
inside this DNS zone.
From the portal you can easily add a DNS zone and then view information including name, number of
records, resource group, location (always global), subscription, and name servers.

When creating a DNS zone in Azure DNS remember:


●● The name of the zone must be unique within the resource group, and the zone must not exist already.
●● The same zone name can be reused in a different resource group or a different Azure subscription.
●● Where multiple zones share the same name, each instance is assigned different name server addresses.
●● Only one set of addresses can be configured with the domain name registrar.
✔️ You do not have to own a domain name to create a DNS zone with that domain name in Azure DNS.
However, you do need to own the domain to configure the domain.
For more information, you can see:
DNS Zones - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#dns-zones

DNS Record Types


An Azure DNS zone can support all common DNS record types, such as A, AAAA, CNAME, MX, NS, SOA,
SRV and TXT.
The following table describes the function of each type of record.

1 https://docs.microsoft.com/en-us/azure/dns/dns-zones-records

Record Type | Full Name | Function
A (IPv4), AAAA (IPv6) | Address | Maps a host name such as mail.adatum.com to an IP address, such as 131.107.10.10.
CNAME | Canonical name | Points one host record, such as adatum.ftp.adatum.com, to another host record, such as mail.lucernepublishing.com, or even another host record in another domain, such as www.contoso.com.
MX | Mail exchange | Points to the host that will receive mail for that domain. MX records must point to an A record, not to a CNAME record.
NS | Name server | Delegates a DNS zone to the specified authoritative name server.
SOA | Start of Authority | Defines the authoritative record for the zone.
SRV | Service | Locates hosts that are providing specific services, such as the Session Initiation Protocol (SIP) endpoint.
TXT | Text | Records a human-readable text field in DNS.
For more information, you can see:
DNS record names - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#record-names
DNS record types - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records#record-types
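The record types in the table above, created with the AzureRm DNS cmdlets, as an added example (not course code and not Microsoft's quickstart). It assumes the zone contoso.com already exists in resource group RG1; the host names, addresses and the SPF string are made up for illustration.

```powershell
# Added example (not course code): one record set per record type from the table.
# Assumed: zone contoso.com in resource group RG1; all host names and addresses are made up.
$rg   = 'RG1'
$zone = 'contoso.com'

# A: host name -> IPv4 address. A record set can hold several records (here two).
New-AzureRmDnsRecordSet -Name 'mail' -RecordType A -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -IPv4Address '131.107.10.10'),
                (New-AzureRmDnsRecordConfig -IPv4Address '131.107.10.11')

# AAAA: host name -> IPv6 address.
New-AzureRmDnsRecordSet -Name 'mail' -RecordType AAAA -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -Ipv6Address '2001:db8::10')

# CNAME: alias -> canonical name. A CNAME set holds exactly one record and its name
# cannot be shared with a record set of any other type.
New-AzureRmDnsRecordSet -Name 'www' -RecordType CNAME -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -Cname 'mail.contoso.com')

# MX at the zone apex ("@"): mail for contoso.com goes to mail.contoso.com, which is
# an A record above, not a CNAME, as the table requires.
New-AzureRmDnsRecordSet -Name '@' -RecordType MX -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -Exchange 'mail.contoso.com' -Preference 10)

# SRV: service location, here a SIP endpoint on TCP port 5060.
New-AzureRmDnsRecordSet -Name '_sip._tcp' -RecordType SRV -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -Priority 10 -Weight 5 -Port 5060 -Target 'sip.contoso.com')

# TXT at the apex: free text, commonly used for ownership verification and SPF.
New-AzureRmDnsRecordSet -Name '@' -RecordType TXT -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 `
    -DnsRecords (New-AzureRmDnsRecordConfig -Value 'v=spf1 mx -all')

# NS and SOA at the apex are created by Azure DNS together with the zone; list them.
Get-AzureRmDnsRecordSet -ZoneName $zone -ResourceGroupName $rg |
    Where-Object { @('NS', 'SOA') -contains $_.RecordType.ToString() } |
    Format-Table Name, RecordType, Ttl
```

The TTL of 3600 seconds is the value the handbook's own delegation snippet uses; keep it low (minutes) on records you expect to change during a migration, since resolvers cache the old answer for the full TTL.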

DNS Resolution
Azure DNS provides an authoritative DNS service for domain name resolution. Name resolution is the process by which a computer name is resolved to an IP address. Being authoritative means that Azure DNS hosts DNS zones and answers DNS queries only for records in those zones. To answer queries, it uses a special type of DNS record called a Name Server (NS) record.
For example, the root zone contains NS records for ‘com’ and shows the name servers for the ‘com’ zone.
In turn, the ‘com’ zone contains NS records for ‘contoso.com’, which shows the name servers for the
‘contoso.com’ zone. Setting up the NS records is called delegating the domain.

There are two copies of the NS records; one in the parent zone pointing to the child, and another in the
child zone itself. The ‘contoso.com’ zone contains the NS records for ‘contoso.com’ (in addition to the NS
records in ‘com’). These are called authoritative NS records and they sit at the apex of the child zone.
For more information, you can see:
Resolution and delegation - https://docs.microsoft.com/en-us/azure/dns/dns-domain-delegation#resolution-and-delegation

Additional Practice - DNS Zones


Take a few minutes to try the How to manage DNS Zones in the Azure portal2 page. That page shows
you how to manage your DNS zone with the Azure portal. You will learn how to:
●● Create a DNS zone.
●● List DNS zones.
●● Delete a DNS zone.
✔️ If you prefer, use the reference links for PowerShell and CLI tasks.
For more information, you can see:
How to manage DNS Zones using PowerShell - https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones
How to manage DNS Zones in Azure DNS using the Azure CLI 2.0 - https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones-cli

Additional Practice - DNS Records and Record Sets
Take a few minutes to try the Manage DNS records and record sets by using the Azure portal3 page.
This page shows you how to manage record sets and records for your DNS zone by using the Azure
portal. You will learn how to:
●● View a record set.
●● Add a new record to a record set.

2 https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal
3 https://docs.microsoft.com/en-us/azure/dns/dns-operations-recordsets-portal

●● Update a record.
●● Remove a record from a record set.
●● Delete a record set.
●● Work with Name Server and SOA records.
✔️ If you prefer, use the reference links for PowerShell and CLI tasks.
For more information, you can see:
Manage DNS records and record sets in Azure DNS using Azure PowerShell - https://docs.microsoft.com/en-us/azure/dns/dns-operations-recordsets
Manage DNS records and record sets in Azure DNS using the Azure CLI 2.0 - https://docs.microsoft.com/en-us/azure/dns/dns-operations-recordsets-cli

Implementing Azure DNS


Demonstration: Azure DNS

DNS Delegation
To delegate your domain to Azure DNS, you first need to know the name server names for your zone.
Each time a DNS zone is created Azure DNS allocates name servers from a pool. Once the Name Servers
are assigned, Azure DNS automatically creates authoritative NS records in your zone.
The easiest way to see the name servers assigned to your zone is through the Azure portal. In this example, the zone ‘contoso.net’ has been assigned four name servers: ‘ns1-01.azure-dns.com’, ‘ns2-01.azure-dns.net’, ‘ns3-01.azure-dns.org’, and ‘ns4-01.azure-dns.info’:

You can also discover the NS records with PowerShell, using Get-AzureRmDnsZone and Get-AzureRmDnsRecordSet. Note that the record name "@" is used to refer to records at the apex of the zone.
# Retrieve the zone information
$zone = Get-AzureRmDnsZone -Name contoso.net -ResourceGroupName MyResourceGroup
# Retrieve the name server (NS) record set at the zone apex
Get-AzureRmDnsRecordSet -Name "@" -RecordType NS -Zone $zone

Once the DNS zone is created, and you have the name servers, you need to update the parent domain.
Each registrar has their own DNS management tools to change the name server records for a domain. In
the registrar’s DNS management page, edit the NS records and replace the NS records with the ones
Azure DNS created.
✔️ When delegating a domain to Azure DNS, you must use the name server names provided by Azure
DNS. You should always use all four name server names, regardless of the name of your domain.
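A check that the delegation actually took effect, as an added example (not course code). It compares the name servers Azure DNS assigned to the zone with the NS records the public DNS tree returns for the domain, using the Get-AzureRmDnsZone cmdlet from above and the Resolve-DnsName cmdlet (DnsClient module on Windows) that the practice sections mention. It assumes the zone contoso.net in resource group MyResourceGroup from the snippet above; Test-AzureDnsDelegation is an assumed helper name, not an Azure cmdlet.

```powershell
# Added example (not course code): verify that the registrar's NS records match the
# name servers Azure DNS assigned. Assumed: zone contoso.net in MyResourceGroup.
function Test-AzureDnsDelegation {
    param([string]$ZoneName, [string]$ResourceGroupName)

    # 1. What Azure DNS assigned to the zone (the authoritative NS set at the apex).
    $zone     = Get-AzureRmDnsZone -Name $ZoneName -ResourceGroupName $ResourceGroupName
    $expected = @($zone.NameServers | ForEach-Object { $_.TrimEnd('.').ToLower() } | Sort-Object)

    # 2. What the public DNS tree answers. -DnsOnly bypasses the local cache and hosts file,
    #    so the answer reflects the parent zone's delegation, not a stale cached copy.
    try {
        $actual = @(Resolve-DnsName -Name $ZoneName -Type NS -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' } |
            ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() } | Sort-Object)
    } catch {
        Write-Warning "No NS answer for $ZoneName from public DNS: $($_.Exception.Message)"
        return $false
    }
    if ($actual.Count -eq 0) {
        Write-Warning "No NS records returned for $ZoneName"
        return $false
    }

    # 3. Compare. All four Azure name servers must be present, and no old (for example
    #    on-premises) name servers may remain, otherwise answers differ per resolver.
    $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
    if (-not $diff) {
        Write-Output "Delegation OK: $ZoneName is served by $($expected -join ', ')"
        return $true
    }
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '<=') { Write-Warning "Missing at registrar: $($d.InputObject)" }
        else                           { Write-Warning "Unexpected name server: $($d.InputObject)" }
    }
    return $false
}

# 4. Once the delegation is correct, records in the zone resolve from the public tree.
if (Test-AzureDnsDelegation -ZoneName 'contoso.net' -ResourceGroupName 'MyResourceGroup') {
    Resolve-DnsName -Name 'www.contoso.net' -Type A -DnsOnly | Format-Table Name, Type, IPAddress
}
```

A mismatch in either direction matters: a missing Azure name server makes a share of queries fail, while a leftover name server that no longer hosts the zone lets some resolvers receive answers you no longer control.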

Delegating Sub-Domains
If you want to set up a separate child zone, you can delegate a sub-domain in Azure DNS. For example, after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.contoso.com.

Setting up a sub-domain follows the same process as typical delegation. The only difference, step 3, is
that NS records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain
registrar.

The following PowerShell example demonstrates how this works. The same steps can be executed via the
Azure Portal, or via the cross-platform Azure CLI.

# Create the parent zone
$parent = New-AzureRmDnsZone -Name contoso.com -ResourceGroupName RG1

# Create the child zone
$child = New-AzureRmDnsZone -Name partners.contoso.com -ResourceGroupName RG1

# Retrieve NS records for the child zone
$child_ns_recordset = Get-AzureRmDnsRecordSet -Zone $child -Name "@" -RecordType NS

# Create the NS record set in the parent zone.
$parent_ns_recordset = New-AzureRmDnsRecordSet -Zone $parent -Name "partners" -RecordType NS -Ttl 3600
$parent_ns_recordset.Records = $child_ns_recordset.Records
Set-AzureRmDnsRecordSet -RecordSet $parent_ns_recordset

✔️ The parent and child zones can be in the same or different resource group. Notice that the record set
name in the parent zone matches the child zone name, in this case “partners”.

DNS Metrics and Alerts


Azure DNS provides metrics for customers to enable them to monitor specific aspects of their DNS zones
hosted in the service. In addition, with Azure DNS metrics, you can configure and receive alerts based on
conditions of interest. The metrics are provided via the Azure Monitor service. Azure DNS provides
several metrics for the DNS zone.

●● Query Volume. The Query Volume metric in Azure DNS shows the volume of DNS queries (query
traffic) that is received by Azure DNS for your DNS zone. The unit of measurement is Count and the
aggregation is the total of all the queries received in a specified time.
●● Record Set Capacity Utilization. The Record Set Capacity Utilization metric in Azure DNS shows the percentage of the record set capacity used by a DNS zone. Every DNS zone is subject to a record set limit, and this metric shows you how close you are to reaching it.
●● Record Set Count. The Record Set Count metric shows the number of Record sets in Azure DNS for
your DNS zone. All the Records sets defined in your zone are counted. The unit of measurement is
Count and the aggregation is the Maximum of all the Record sets.
✔️ Azure Monitor provides the capability to alert against available metric values.
For more information, you can see:
Azure DNS metrics and alerts - https://docs.microsoft.com/en-us/azure/dns/dns-alerts-metrics

Additional Practice - DNS Name Resolution


Take a few minutes to try the Quickstart: Configure Azure DNS for name resolution using the Azure
Portal4. In this QuickStart you will learn how to:
●● Create a DNS zone.
●● Create a DNS record.
●● Test the name resolution.
✔️ In this QuickStart you will use the nslookup command-line tool. This tool helps test name resolution.
For example, IP address lookup for a given DNS name (or vice-versa). You could also use the PowerShell
Resolve-DnsName command. Read more at the reference links. Both tools use the TCP/IP protocol.
For more information, you can see:
Nslookup - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup
Resolve-DnsName - https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=winserver2012r2-ps

4 https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal

Additional Practice - DNS Hosting


Take a few minutes to try the Tutorial: Host your domain in Azure DNS5. In this tutorial you will learn
how to:
●● Create a DNS zone.
●● Retrieve a list of name servers.
●● Delegate the domain.
●● Verify the delegation is working.
✔️ In this tutorial you will use the nslookup command-line tool. This tool helps test name resolution. For example, IP address lookup for a given DNS name (or vice-versa). You could also use the PowerShell Resolve-DnsName command. Read more at the reference links. Both tools use the TCP/IP protocol.
For more information, you can see:
Nslookup - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup
Resolve-DnsName - https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=winserver2012r2-ps

Additional Practice - DNS (PowerShell)


Take a few minutes to try the Get Started with Azure DNS using PowerShell6. This article walks you
through the steps to create your first DNS zone and record using Azure PowerShell. You will learn to:
●● Create a DNS zone.
●● Create a DNS record.
●● View records.
●● Update name servers.
✔️ If you prefer, you can use the reference link to try the practice with the CLI.
For more information, you can see:
Get started with Azure DNS using Azure CLI 2.0 - https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-cli

5 https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
6 https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-powershell

Module 2 Review Questions


Azure DNS
You are the network administrator for your company. You experience downtime in a datacenter that hosts
all internal DNS servers. This causes connectivity issues throughout your infrastructure. To prevent future
issues, you decide to move all on-premises DNS servers to Azure DNS. What are some benefits of moving
on-premises DNS to Azure DNS?

Click for suggested answer ↓ 


Azure DNS has many benefits.
●● Hosting. Use Azure DNS to host your DNS domains in Azure. DNS records use the same credentials,
and billing and support contract, as your other Azure services.
●● Performance. DNS domains in Azure DNS are hosted on Azure’s global network of DNS name
servers. Azure uses Anycast networking, so DNS queries automatically route to the closest name
servers. This provides both fast performance and high availability for your domain.
●● Scalability. The Microsoft global network of name servers has the scale and redundancy to give you
ultra-high availability for your domains. With Azure DNS, you can be confident that your DNS will
always be available.
●● Updating. When you add a new DNS record, the Azure DNS name servers are updated in a few
seconds—so you don’t have to wait long before that DNS record can be used.
●● Management. Can be managed via the Azure portal, Azure PowerShell cmdlets, and the cross-plat-
form Azure CLI. Applications requiring automatic DNS management can integrate with the service via
the REST API and SDKs.
DNS Record Types
You are the DNS administrator for your organization. You decide to move your internal DNS to Azure
DNS. Your infrastructure contains: Exchange servers in a hybrid deployment, Active Directory Domain
Controllers, and SQL servers. You need to configure DNS records for applications that are moving to the
cloud. Which types of records might you create?

Click for suggested answer ↓ 


You might need an A record to map a host name, a CNAME record to point one host record to another, an MX record for mail exchange, and an NS name server record.

DNS Delegation
You move your on-premises DNS servers to Azure DNS. How should you proceed to update your domain
registrar? When delegating a domain to Azure DNS, which name servers should you use?

Click for suggested answer ↓ 


To delegate your domain to Azure DNS, you first need to know the name server names for your zone.
Each time a DNS zone is created Azure DNS allocates name servers from a pool. Once the Name Servers
are assigned, Azure DNS automatically creates authoritative NS records in your zone.

After discovering your name servers, you need to update the parent domain. Each registrar has their own
DNS management tools to change the name server records for a domain. In the registrar’s DNS management page, edit the NS records and replace the NS records with the ones Azure DNS created.
When delegating a domain to Azure DNS, you must use the name server names provided by Azure DNS.
You should always use all four name server names, regardless of the name of your domain.
Module 3 Securing Virtual Network Resources

Introduction to Network Security Groups


Video: Understanding Network Security Groups

Overview of Network Security Groups


You can limit network traffic to resources in a virtual network using a network security group (NSG). A
network security group contains a list of security rules that allow or deny inbound or outbound network
traffic. An NSG can be associated to a subnet or a network interface.
Subnets
You can assign NSGs to subnets and create protected screened subnets (also called a DMZ). These NSGs
can restrict traffic flow to all the machines that reside within that subnet. Each subnet can have zero, or
one, associated network security groups.
Network Interfaces
You can assign NSGs to a NIC so that all the traffic that flows through that NIC is controlled by NSG rules.
Each network interface that exists in a subnet can have zero, or one, associated network security groups.
Associations
When you create an NSG the Overview blade provides information about the NSG such as, associated
subnets, associated network interfaces, and security rules.

✔️ To simplify management of security rules, it's recommended that you associate a network security
group to individual subnets, rather than individual network interfaces within the subnet.
For more information, you can see:
Network Security Groups - https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#network-security-groups1

NSG Rules
Security rules in network security groups enable you to filter the type of network traffic that can flow in
and out of virtual network subnets and network interfaces. Azure creates several default security rules
within each network security group.
You can add more rules by specifying Name, Priority, Port, Protocol (Any, TCP, UDP), Source (Any, IP
Addresses, Service tag), Destination (Any, IP Addresses, Virtual Network), and Action (Allow or Deny). You
cannot delete the default rules, but you can add other rules with a higher priority.

✔️ Take a minute to locate the Virtual Machines Networking blade. Review the settings that are available
when you add inbound and outbound port rules. Also, check out the Effective security rules link. Your
virtual machine must be running for the rules to load.
For more information, you can see:

1 https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Security rules - https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules2
Default security rules - https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules3

NSG Effective Rules


Be very careful when you apply an NSG at both the VM (NIC) level and the subnet level at the same time. The NSGs are evaluated independently, and an “allow” rule must exist at both levels; otherwise the traffic will not be admitted.

In the above example if there was incoming traffic on port 80, you would need to have the NSG at subnet
level ALLOW port 80, and you would also need another NSG with ALLOW rule on port 80 at the NIC level.
For incoming traffic, the NSG set at the subnet level is evaluated first, then the NSG set at the NIC level is
evaluated. For outgoing traffic, it is the converse.
If you have several NSGs and are not sure which security rules are being applied, you can use the Effective security rules link. For example, you could verify the security rules being applied to a network interface.
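The rule attributes from the NSG Rules topic (name, priority, protocol, source, destination, action) and the effective-rules check from this topic, as one added Azure PowerShell example. This is not course code; it uses the AzureRm module as the rest of the handbook does. It assumes a resource group RG1, a virtual network VNet1 with a subnet named Web, and a VM NIC named web-nic in that subnet; the 203.0.113.0/24 "corporate" range is a placeholder for your own management network.

```powershell
# Added example (not course code): an NSG for a web subnet, associated at the subnet
# level, followed by the effective rules of a NIC in that subnet.
# Assumed names: resource group RG1, VNet VNet1, subnet Web, NIC web-nic.
$rg       = 'RG1'
$location = 'eastus'

# Rules are evaluated from the lowest priority number upwards and the first match wins.
# The default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound)
# sit at 65000 and above; they cannot be deleted, but any rule with a lower number
# takes precedence over them.

# HTTPS from anywhere: Internet is a service tag, not an address.
$allowHttps = New-AzureRmNetworkSecurityRuleConfig -Name 'allow-https-in' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 443

# Management (RDP) only from the corporate range; 203.0.113.0/24 is a placeholder.
$allowRdpCorp = New-AzureRmNetworkSecurityRuleConfig -Name 'allow-rdp-corp' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389

# Explicit deny for all other Internet traffic, so the intent is visible in the rule
# list instead of relying only on the default DenyAllInBound.
$denyInternet = New-AzureRmNetworkSecurityRuleConfig -Name 'deny-internet-in' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzureRmNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowHttps, $allowRdpCorp, $denyInternet

# Associate at the subnet level (the recommended level) rather than per NIC.
$vnet = Get-AzureRmVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
$web  = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Web'
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Web' `
    -AddressPrefix $web.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# Effective rules: what a running VM's NIC really gets once the subnet-level and any
# NIC-level NSG are combined. A flow must be allowed at both levels to pass.
$effective = Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName 'web-nic' -ResourceGroupName $rg
foreach ($group in $effective) {
    "--- NSG: $($group.NetworkSecurityGroup.Id.Split('/')[-1])"
    $group.EffectiveSecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Sort-Object Priority |
        Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
}
```

The VM must be running for Get-AzureRmEffectiveNetworkSecurityGroup to return anything, which is the same condition the portal's Effective security rules link has. When an expected flow is blocked, reading the two lists side by side is the quickest way to find which level lacks the allow.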

For more information, you can see:


Azure Network Security Groups (NSG) – Best Practices and Lessons Learned - https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/

2 https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
3 https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

NSG Scenarios
Your subnet designs will affect your NSG associations. For example, let’s assume you have two apps
(App1 and App2). Each app has front-end (web servers) and backend (workload) resources. Consider
these three designs.

Design 1. One subnet. An NSG for each front-end and back-end.


Design 2. Two subnets. One subnet for each app and an NSG for each front-end and back-end.
Design 3. Two subnets. One subnet for the front-end resources and one subnet for the back-end resources.
✔️ Which of these designs do you prefer? Each offers different advantages in the areas of security,
isolation, and ease of management.
For more information, you can see:
Azure Network Security Best Practices - https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices
Networking Limits - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits?toc=%2fazure%2fvirtual-network%2ftoc.json#networking-limits-1

Implementing Network Security Groups and Service Endpoints
Creating NSG Rules
It is easy to add inbound and outbound rules. There is a Basic and Advanced page. The advanced option
lets you select from a large variety of services such as HTTPS, RDP, FTP, and DNS.

Service. The service specifies the destination protocol and port range for this rule. You can choose a
predefined service, like HTTPS and SSH. When you select a service the Port range is automatically
completed. Choose custom to provide your own port range.
Port ranges. If you choose a custom service then provide a single port, such as 80; a port range, such as
1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535. This
specifies on which ports traffic will be allowed or denied by this rule. Provide an asterisk (*) to allow traffic
on any port.
Priority. Rules are processed in priority order. The lower the number, the higher the priority. We
recommend leaving gaps between rules – 100, 200, 300, etc. This is so it is easier to add new rules without
editing existing rules. Enter a value between 100-4096 that is unique for all security rules within the
network security group.
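An added Python model (not Azure's implementation) of the behaviour described under NSG Effective Rules and Creating NSG Rules above: the port-field parser, the 100-4096 unique-priority rule, the default rules Azure places in every NSG, and the subnet-then-NIC evaluation order for inbound traffic. The NSG and rule names, and the HTTP packet, are constructed for the demo.

```python
"""Constructed model of Azure NSG evaluation (priority order, then subnet and NIC NSG layering)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def parse_port_range(spec: str) -> List[Tuple[int, int]]:
    """Parse a rule's port field: '80', '1024-65535', '80, 1024-65535' or '*'."""
    if spec.strip() == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo_s, _, hi_s = part.strip().partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part.strip()!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass(frozen=True)
class Packet:
    direction: str            # "Inbound" or "Outbound"
    protocol: str             # "Tcp" or "Udp"
    port: int                 # destination port
    src_tags: FrozenSet[str]  # service tags of the source, e.g. {"Internet"}
    dst_tags: FrozenSet[str]  # service tags of the destination


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number = higher priority
    direction: str
    access: str               # "Allow" or "Deny"
    protocol: str             # "Tcp", "Udp" or "*"
    source: str               # "*" or a service tag
    destination: str          # "*" or a service tag
    ports: str                # destination port field as typed in the portal

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.protocol in ("*", p.protocol)
                and self.source in ("*", *p.src_tags) and self.destination in ("*", *p.dst_tags)
                and any(lo <= p.port <= hi for lo, hi in parse_port_range(self.ports)))


# The rules Azure places in every NSG; they cannot be deleted, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


class NetworkSecurityGroup:
    def __init__(self, name: str) -> None:
        self.name, self.rules = name, list(DEFAULT_RULES)

    def add_rule(self, rule: Rule) -> None:
        """User rules need a priority in 100-4096 that is unique per direction."""
        if not 100 <= rule.priority <= 4096:
            raise ValueError("priority must be between 100 and 4096")
        if any(r.direction == rule.direction and r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used for {rule.direction}")
        parse_port_range(rule.ports)  # reject a malformed port field up front
        self.rules.append(rule)

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        # First matching rule in priority order decides; a default rule always matches.
        hit = next(r for r in sorted(self.rules, key=lambda r: r.priority) if r.matches(p))
        return hit.access, hit.name


def effective_access(subnet_nsg: Optional[NetworkSecurityGroup],
                     nic_nsg: Optional[NetworkSecurityGroup], p: Packet) -> Tuple[str, str]:
    """Inbound: subnet NSG first, then NIC NSG; outbound: the converse. Any Deny wins."""
    path = [subnet_nsg, nic_nsg] if p.direction == "Inbound" else [nic_nsg, subnet_nsg]
    verdict = ("Allow", "no NSG on path")
    for nsg in filter(None, path):
        access, rule = nsg.evaluate(p)
        verdict = (access, f"{nsg.name}/{rule}")
        if access == "Deny":
            break
    return verdict


def demo() -> List[Tuple[str, str]]:
    # Constructed scenario from the handbook: HTTP from the Internet to a VM.
    http = Packet("Inbound", "Tcp", 80, frozenset({"Internet"}), frozenset({"VirtualNetwork"}))
    subnet_nsg, nic_nsg = NetworkSecurityGroup("subnet-nsg"), NetworkSecurityGroup("nic-nsg")
    subnet_nsg.add_rule(Rule("AllowHttp", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "80"))
    results = [effective_access(subnet_nsg, nic_nsg, http)]     # NIC NSG still denies
    nic_nsg.add_rule(Rule("AllowHttp", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80"))
    results.append(effective_access(subnet_nsg, nic_nsg, http))  # both levels allow
    # Lower number wins: a Deny at 100 now shadows the subnet's Allow at 200.
    subnet_nsg.add_rule(Rule("DenyWeb", 100, "Inbound", "Deny", "Tcp", "Internet", "*", "80, 443"))
    results.append(effective_access(subnet_nsg, nic_nsg, http))
    return results
```

Running demo() walks the three states in order: denied at the NIC by DenyAllInBound, allowed once both levels allow, then denied again by the higher-priority subnet Deny.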
✔️ Take a minute to locate the Advanced rule page. Are there any services you are interested in?
For more information, you can see:
Create a security rule - https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#create-a-security-rule

Demonstration: Network Security Groups

Additional Practice - Filter Network Traffic


Take a few minutes to try the Tutorial: Filter network traffic with a network security group using
PowerShell [4]. In this tutorial, you learn how to:
●● Create a network security group and security rules.
●● Create a virtual network and associate a network security group to a subnet.
●● Deploy virtual machines (VM) into a subnet.
●● Test traffic filters.
✔️ This tutorial uses PowerShell. If you prefer, try the CLI version at the reference link.
For more information, you can see:
Filter network traffic with a network security group using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic-cli

Additional Practice - NSG Logging


An NSG includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.
When you enable diagnostic logging for an NSG, you can log the following categories of information:
●● Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address. The status
for these rules is collected every 60 seconds.
●● Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.
Take some time to try the Diagnostic logging for a network security group [5] page. In this practice you
will learn how to:
●● Enable logging.
●● Explore log destinations.
●● Determine log categories.
●● View and analyze logs.
✔️ Learn more about Activity logs at the reference link.
For more information, you can see:
Azure resource activity logs - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-azure-resource-diagnostic-logs

4 https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
5 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log

Additional Practice - NSG Troubleshooting


Take a few minutes to try the Diagnose a virtual machine network traffic filter problem [6] page. In this
practice you attempt to connect to a VM over port 80 from the internet, but the connection fails. You
then attempt to determine why the connection has failed. You will learn how to:
●● Diagnose through the portal.
●● Diagnose with PowerShell and the CLI.
●● Interpret command line output.
●● Resolve the problem.
●● Troubleshoot connectivity problems.
✔️ If you don’t have time to replicate the scenario, be sure to at least read about the troubleshooting
method that was applied.
✔️ The steps in this scenario assume you have an existing VM to view the effective security rules for. If
you don't have an existing VM, first deploy a Linux or Windows VM to complete the tasks in this article
with.

Service Endpoints
Virtual network service endpoints enable you to limit network access to Azure service resources. Access is
limited to just the virtual network subnets and IP addresses you specify. Currently, Azure supports service
endpoints to these services: Cosmos DB, Event Hub, Key Vault, SQL, and Storage. Endpoints allow you to
secure your critical Azure service resources to your virtual networks.

Why use a service endpoint?


●● Security. With service endpoints, Azure service resources can be secured to your virtual network.
Securing service resources to a virtual network provides improved security by fully removing public
Internet access to resources and allowing traffic only from your virtual network.
●● Routing. Endpoints take service traffic directly from your virtual network to the service on the
Microsoft Azure backbone network. Keeping traffic on the Azure backbone network allows you to continue
auditing and monitoring outbound Internet traffic from your virtual network. Service endpoints
provide optimal routing for Azure traffic.
●● Ease of use. You do not need reserved, public IP addresses in your virtual networks to secure Azure
resources through IP firewall. There are no NAT or gateway devices required to set up the service
endpoints. Service endpoints are configured through a simple click on a subnet. There is no additional
overhead to maintaining the endpoints.

6 https://docs.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
✔️ Can you see using service endpoints in your organization?
For more information, you can see:
Virtual network service endpoints - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Limitations of network service endpoints - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations

Implementing Service Endpoints


Implementing service endpoints requires configuring both sides of the endpoints. For example, the virtual
network side and the storage account side.
It is easy to add a service endpoint to the virtual network and select the subnets that will have access to
the service endpoint. Notice you must decide which service the virtual network will connect to. Adding
service endpoints can take up to 15 minutes to complete.

The steps necessary to restrict network access to Azure services vary across services. For accessing a
storage account, you would use the Firewalls and virtual networks blade to add/create the virtual
networks that will have access. You can also allow access from one or more public IP ranges.

✔️ It is important to test and ensure the service endpoint is limiting access as expected. You will do this in
the practice exercise.

For more information, you can see:


Virtual Network Service Endpoints and Firewalls for Azure Storage now generally available - https://azure.microsoft.com/en-us/blog/virtual-network-service-endpoints-and-firewalls-for-azure-storage-now-generally-available/
Configure Azure Storage Firewalls and Virtual Networks - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Additional Practice - Service Endpoints


Take a few minutes to try the Tutorial: Restrict network access to PaaS resources with virtual network
service endpoints using the Azure portal [7]. In this tutorial, you will learn how to:
●● Create a virtual network with one subnet.
●● Add a subnet and enable a service endpoint.
●● Create an Azure resource and allow network access to it from only a subnet.
●● Deploy a virtual machine (VM) to each subnet.
●● Confirm access to a resource from an allowed subnet.
●● Confirm access is denied to a resource from another subnet and the internet.
✔️ If you prefer, you can try the practice in PowerShell or the CLI. Use the reference links to get started.
For more information, you can see:
Restrict network access to PaaS resources with virtual network service endpoints using PowerShell - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources-powershell
Restrict network access to PaaS resources with virtual network service endpoints using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources-cli

7 https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources

Module 3 Review Questions
NSG Rules
You are managing the Azure resources for your organization. Developers can access production data on a
SQL Server instance and have modified data that is considered confidential. You create several Network
Security Groups to manage your application servers and development environment. What rules can you
specify to ensure that only white-listed servers can communicate with the SQL Server?

Suggested answer:
Security rules in network security groups enable you to filter the type of network traffic that can flow in
and out of virtual network subnets and network interfaces. Azure creates several default security rules
within each network security group.
You can add more rules by specifying Name, Priority, Port, Protocol (Any, TCP, UDP), Source (Any, IP
Addresses, Service tag), Destination (Any, IP Addresses, Virtual Network), and Action (Allow or Deny). You
cannot delete the default rules, but you can add other rules with a higher priority.

NSG Effective Rules


You are managing the Azure resources for your organization. You apply Network Security Groups (NSGs)
across your infrastructure. Users are not able to access a line of business system that is hosted on an
Azure virtual machine (VM).
What should you consider when you create the NSGs? How can you ensure that the correct security rules
are applied?

Suggested answer:
NSGs are evaluated independently, and an “allow” rule must exist at both levels otherwise traffic will not
be admitted.
If there was incoming traffic on port 80, you would need to have the NSG at subnet level ALLOW port 80,
and you would also need another NSG with ALLOW rule on port 80 at the NIC level. For incoming traffic,
the NSG set at the subnet level is evaluated first, then the NSG set at the NIC level is evaluated. For
outgoing traffic, it is the converse.
If you have several NSGs and are not sure which security rules are being applied, you can use the
*Effective security rules* link. For example, you could verify the security rules being applied to a network
interface.

Endpoints
You manage a database server instance that hosts personal customer information which cannot be
exposed to the internet or exported to countries/regions in the European Union. You need to limit access
to the information to users on your corporate network.
How can you use a service endpoint to achieve your goal?

Suggested answer:
Virtual network service endpoints enable you to limit network access to Azure service resources. Access is
limited to just the virtual network subnets and IP addresses you specify. Currently, Azure supports service
endpoints to these services: Cosmos DB, Event Hub, Key Vault, SQL, and Storage. Endpoints allow you to
secure your critical Azure service resources to your virtual networks.
Security. With service endpoints, Azure service resources can be secured to your virtual network.
Routing. Endpoints take service traffic directly from your virtual network to the service on the Microsoft
Azure backbone network.
Ease of use. You do not need reserved, public IP addresses in your virtual networks to secure Azure
resources through IP firewall.
Module 4 Connecting Virtual Networks

Intersite Connectivity
Video: Virtual Network Connectivity
Virtual Network Connectivity
In this video Corey covers the ways virtual networks can be connected. In this course, we will only cover
VNet Peering and VNet-to-VNet. A second course will cover ExpressRoute and Site-to-Site connections.

VNet-to-VNet Connections
You can connect your VNets with a VNet-to-VNet VPN connection. Using this connection method, you
create a VPN gateway in each virtual network. The VPN gateway can also be used to provide a connec-
tion to an on-premises network. This is called a Site-to-Site (S2S) connection. In both cases a secure
tunnel using IPsec/IKE provides the communication between the networks.

With a VNet-to-VNet connection your VNets can be:


●● in the same or different regions.
●● in the same or different subscriptions.
●● in the same or different deployment models.
●● in Azure or on-premises.
✔️ Can you see how this could be used to create network topologies that combine on-premises and
Azure connectivity? Note that the Gateway VPN used here is different from the Gateway subnet used for
VNet Peering.
For more information, you can see:
VNet-to-VNet Connectivity - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#vnet-to-vnet
Site-to-Site (IPsec) - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#site-to-site-ipsec
About cryptographic requirements and Azure VPN gateways - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

Implementing VNet-to-VNet VPN


The steps to implement VNet-to-VNet connections are the same as for VNet peering with the addition of
configuring the VPN Gateway. You still need to create VNets, subnets, and a gateway subnet in each
virtual network. When everything is configured you will need to test and verify.

Create VPN Gateway (1)

●● Name and Gateway Type. Name your gateway and use the VPN Gateway type.
●● VPN Type. Most VPN types are Route-based.
●● SKU. Use the drop-down to select a gateway SKU [1]. Your choice will affect the number of tunnels you
can have and the aggregate throughput benchmark. The benchmark is based on measurements of
multiple tunnels aggregated through a single gateway. It is not a guaranteed throughput due to
Internet traffic conditions and your application behaviors.
●● Virtual Networks. Associate a virtual network with the gateway. Before you do this, you must
configure the gateway subnet. Each virtual network will need its own VPN gateway.
●● IP Address. The gateway needs a public IP address in its IP configuration so that it can communicate
with the remote network.
It can take up to 45 minutes to provision the VPN gateway.
✔️ Be sure to use the reference link and read more about the VPN gateway configuration. And, continue
to the next page for configuring the connections between the VPN gateways.
For more information, you can see:
Create a virtual network gateway - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#VNetGateway
VPN Types - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype

1 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings

Configuring Gateway Connections


Once your VPN gateways are created, you can create the connection between them. If your VNets are in
the same subscription, you can use the portal.

For example, you could add a connection between TestVNet1GW and TestVNet4GW. In the Shared key
field, type a shared key for your connection. You can generate or create this key yourself.

✔️ If your VNets are in different subscriptions, you must use PowerShell to make the connection. You can
use the New-AzureRmVirtualNetworkGatewayConnection [2] command. This command can also be
used for Site-to-Site connections.
For more information, you can see:
Configure the TestVNet1 gateway connection - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#TestVNet1Connection

Demonstration: VNet-to-VNet Connections

2 https://docs.microsoft.com/en-us/powershell/module/azurerm.network/new-azurermvirtualnetworkgatewayconnection?view=azurermps-6.3.0

Additional Practice - VNet-to-VNet Connections


Set aside some time to work through the Configure a VNet-to-VNet VPN gateway connection using
the Azure portal [3] documentation. This practice will put together all the things you have learned about in
this course. You will learn how to:
●● Create and configure virtual networks.
●● Create and configure subnets.
●● Create and configure gateway subnets.
●● Specify a DNS server (optional).
●● Create and configure virtual network gateways.
●● Configure virtual network gateway connections.
●● Verify your connections.
✔️ If you prefer, you can try the practice in PowerShell or the CLI. Use the reference links to get started.
For more information, you can see:
Configure a VNet-to-VNet VPN gateway connection using PowerShell - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-ps
Configure a VNet-to-VNet VPN gateway connection using Azure CLI - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-cli

Additional Practice - VPN Gateways


Take a few minutes to try the Create and Manage VPN gateway with the Azure PowerShell module [4]
documentation. This tutorial covers basic Azure VPN gateway deployment items such as creating and
managing a VPN gateway. You learn how to:
●● Create a resource group.
●● Create a virtual network.
●● Request a public IP address for the gateway.
●● Create VPN gateway.
●● Resize VPN gateway.
●● Reset VPN gateway.
●● Get the gateway public IP address.
●● Delete VPN gateway.
✔️ Use the reference link to access other PowerShell scripts for common network administrator tasks like
downloading the VPN device template.
For more information, you can see:
Azure PowerShell samples for VPN Gateway - https://docs.microsoft.com/en-us/azure/vpn-gateway/powershell-samples

3 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
4 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-tutorial-create-gateway-powershell

Virtual Network Peering


Video: VNet Peering
VNet Peering
This is an older Azure Friday video. But it is still very interesting to hear from the Azure Networking
team on how they initially conceived of VNet peering and their intentions for its use.

Overview of VNet Peering


Perhaps the simplest and quickest way to connect your VNets is to use VNet peering. Virtual network
peering enables you to seamlessly connect two Azure virtual networks [5]. Once peered, the virtual
networks appear as one, for connectivity purposes. There are two types of VNet peering.
●● Regional VNet peering connects Azure virtual networks in the same region.
●● Global VNet peering connects Azure virtual networks in different regions.

The benefits of using virtual network peering, whether regional or global, include:
●● Security. Network traffic between peered virtual networks is private. Traffic between the virtual
networks is kept on the Microsoft backbone network.
●● Performance. Once virtual networks are peered, resources in both virtual networks can communicate
with each other, with the same latency and bandwidth as if the resources were in the same virtual
network.
●● Seamless. The ability for resources in one virtual network to communicate with resources in a
different virtual network once the virtual networks are peered. The ability to transfer data across Azure
subscriptions, deployment models, and across Azure regions.
●● Efficient. No downtime to resources in either virtual network when creating the peering, or after the
peering is created. Peering is easy to configure and manage.

5 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

✔️ The default VNet peering configuration provides full connectivity. Can you see how network security
groups could be applied to block or deny access to specific subnets or virtual machines?
For more information, you can see:
Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Regional VNet Peering


Here are the steps to configure VNet peering. Notice you will need two virtual networks. To test the
peering, you will need a virtual machine in each network. Initially, the VMs will not be able to
communicate (ping), but after configuration the communication will work. The step that is new is
configuring the peering of the virtual networks.

To configure the peering use the Add peering blade. There are only a few optional configuration
parameters to consider. Remember you must configure the peering on each virtual network. For example,
if you select ‘allow gateway transit’ on one virtual network, then you should select ‘use remote gateways’
on the other virtual network.

●● Allow forwarded traffic. Allows traffic not originating from within the peer virtual network into your
virtual network.
●● Allow gateway transit. Allows the peer virtual network to use your virtual network gateway. The peer
cannot already have a gateway configured.
●● Use remote gateways. Use your peer’s virtual gateway. Only one virtual network can have this
enabled.
Use the reference link to get the complete details about the peering configuration options. The gateway
option will be discussed in more detail in an upcoming topic.

✔️ Remember, if virtual network address spaces overlap, the virtual networks cannot be peered.
For more information, you can see:
Create a peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#create-a-peering [6]

Global VNet Peering


Global VNet peering is the ability to peer virtual networks across regions. You can check the status of
VNet peering. The peering is not successfully established until the peering status for both virtual network
peerings shows Connected.

●● Initiated. When you create the peering to the second virtual network from the first virtual network,
the peering status is Initiated.
●● Connected. When you create the peering from the second virtual network to the first virtual network,
its peering status is Connected. If you view the peering status for the first virtual network, you see its
status changed from Initiated to Connected.
Requirements and constraints
The benefits and configuration steps are the same as for regional peering, but there are some special
requirements.
●● Public clouds. The virtual networks can exist in any Azure public cloud region, but not in Azure
national clouds. National clouds are physical and logical network-isolated instances of Microsoft
enterprise cloud services, which are confined within the geographic borders of specific countries and
operated by local personnel. There are very specific customer requirements to using and operating
national clouds.
●● Virtual network resources. Resources in one virtual network cannot communicate with the IP
address of an Azure internal load balancer in the peered virtual network. The load balancer and the
resources that communicate with it must be in the same virtual network.
●● Gateway transit. You should not configure ‘use remote gateways’ or ‘allow gateway transit’. Gateway
transit only applies to regional VNet peering.
●● Transitivity. VNet global peerings are not transitive meaning downstream VNets in one region cannot
talk with downstream VNets in another region. If you create peerings between VNet1-VNet2 and
VNet2-VNet3, there is no implied peering between VNet1 and VNet3.
●● Virtual machines. Peering high performance compute [7] and GPU [8] virtual machines is not supported.
For example, H, NC, NV, NCv2, NCv3, and ND series VMs.
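The peering rules from Regional VNet Peering and the constraints above, modelled in Python as an added example (not Azure's own code): overlapping address spaces are refused, a peering only shows Connected once both sides exist, ‘use remote gateways’ must be paired with ‘allow gateway transit’ on the other side, gateway transit is refused across regions, and reachability is not transitive. The VNet names, regions and address ranges are constructed.

```python
"""Constructed model of the VNet peering checks the handbook describes: no overlapping
address spaces, Connected only after both sides exist, gateway-transit pairing, no
gateway transit across regions (global peering), and no transitivity."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set


@dataclass
class Peering:
    remote: str
    status: str                         # "Initiated" or "Connected"
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


class VirtualNetwork:
    def __init__(self, name: str, region: str, address_spaces: List[str]) -> None:
        self.name, self.region = name, region
        self.address_spaces = [ip_network(cidr) for cidr in address_spaces]
        self.peerings: Dict[str, Peering] = {}   # keyed by remote VNet name

    def overlaps(self, other: "VirtualNetwork") -> bool:
        return any(a.overlaps(b) for a in self.address_spaces for b in other.address_spaces)


def create_peering(local: VirtualNetwork, remote: VirtualNetwork,
                   allow_gateway_transit: bool = False, use_remote_gateways: bool = False) -> str:
    """Create the peering on `local` pointing at `remote` and return its status.
    Mirrors the handbook's rules; the real service enforces more than this."""
    if local.overlaps(remote):
        raise ValueError(f"{local.name} and {remote.name} have overlapping address spaces")
    if remote.name in local.peerings:
        raise ValueError(f"{local.name} already peers with {remote.name}")
    if local.region != remote.region and (allow_gateway_transit or use_remote_gateways):
        raise ValueError("gateway transit only applies to regional VNet peering")
    reverse = remote.peerings.get(local.name)
    if use_remote_gateways and not (reverse and reverse.allow_gateway_transit):
        raise ValueError(f"{remote.name} must allow gateway transit before {local.name} can use it")
    # The second side completes the pair: both peering objects become Connected.
    status = "Connected" if reverse is not None else "Initiated"
    if reverse is not None:
        reverse.status = "Connected"
    local.peerings[remote.name] = Peering(remote.name, status, allow_gateway_transit, use_remote_gateways)
    return status


def reachable(src: VirtualNetwork) -> Set[str]:
    """VNets src can reach over peering: direct Connected peers only.
    Peering is not transitive, so this deliberately does not follow the peers' peers."""
    return {p.remote for p in src.peerings.values() if p.status == "Connected"}


def demo() -> Dict[str, object]:
    """Constructed hub-and-spoke: VNet1 (hub with gateway) - VNet2 - VNet3 (other region)."""
    vnet1 = VirtualNetwork("VNet1", "westus", ["10.1.0.0/16"])
    vnet2 = VirtualNetwork("VNet2", "westus", ["10.2.0.0/16"])
    vnet3 = VirtualNetwork("VNet3", "eastus", ["10.3.0.0/16"])
    out: Dict[str, object] = {}
    out["first_side"] = create_peering(vnet1, vnet2, allow_gateway_transit=True)   # Initiated
    out["second_side"] = create_peering(vnet2, vnet1, use_remote_gateways=True)    # Connected
    out["first_side_now"] = vnet1.peerings["VNet2"].status                         # flips to Connected
    create_peering(vnet2, vnet3)            # global peering VNet2 <-> VNet3
    create_peering(vnet3, vnet2)
    out["vnet1_reach"] = reachable(vnet1)   # VNet3 absent: VNet1-VNet2-VNet3 is not transitive
    out["vnet2_reach"] = reachable(vnet2)
    errors = []
    attempts = [
        (vnet2, VirtualNetwork("VNet4", "westus", ["10.2.128.0/17"]), {}),   # overlaps VNet2
        (vnet3, vnet1, {"allow_gateway_transit": True}),                     # cross-region transit
    ]
    for local, remote, opts in attempts:
        try:
            create_peering(local, remote, **opts)
        except ValueError as exc:
            errors.append(str(exc))
    out["errors"] = errors
    return out
```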
For more information, you can see:
How to setup Global VNet peering in Azure - https://blogs.msdn.microsoft.com/azureedu/2018/04/24/how-to-setup-global-vnet-peering-in-azure/

6 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
7 https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-hpc
8 https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-gpu

Requirements and constraints - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Gateway Transit

When you allow gateway transit, the virtual network can communicate with resources outside the peering.
For example, the gateway in the gateway subnet could:
●● Use a site-to-site VPN to connect to an on-premises network.
●● Use a VNet-to-VNet connection to another virtual network.
●● Use a point-to-site VPN to connect to a client.
In these scenarios, gateway transit allows peered virtual networks to share the gateway and get access to
resources. This means you do not need to deploy a VPN gateway in the peer virtual network.
When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and
configured with the required VPN gateway settings. You must never deploy anything else (for example,
additional VMs) to the gateway subnet. The gateway subnet must be named ‘GatewaySubnet’.
To deploy a gateway in your virtual network simply add a gateway subnet.

This architecture is often referred to as a hub-spoke topology in Azure. In the illustration at the beginning
of this topic, VNet1 is the hub and acts as a central point of connectivity to external resources. VNet2 is
the spoke that peers with the hub and can be used to isolate workloads.
✔️ When working with gateway subnets, avoid associating a network security group (NSG) to the
gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to
stop functioning as expected.
For more information, you can see:
Gateway transit - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=%2fazure%2fvirtual-network%2ftoc.json

PowerShell Example - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=%2fazure%2fvirtual-network%2ftoc.json#powershell-sample [9]
Hub and spoke - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
Gateway Subnet - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub [10]

Demonstration: VNet Peering


Demonstration VNet Peering
At the time of this video Global VNet peering was in Preview. It is now generally available in all Azure
public regions.
For more information, you can see:
Global VNet Peering now generally available - https://azure.microsoft.com/en-us/blog/global-vnet-peering-now-generally-available

Additional Practice - VNet Peering


You can connect virtual networks to each other with virtual network peering. Once virtual networks are
peered, resources in both virtual networks can communicate with each other, with the same latency and
bandwidth as if the resources were in the same virtual network.
Take a few minutes to try the Tutorial: Connect virtual networks with virtual network peering using
the Azure portal [11]. In this tutorial, you will learn how to:
●● Create two virtual networks.
●● Connect two virtual networks with a virtual network peering.
●● Deploy a VM into each virtual network.
●● Test the communication between the VMs.
✔️ If you prefer, you can try the practice in PowerShell or the CLI. Use the reference links to get started.
For more information, you can see:
Connect virtual networks with virtual network peering using PowerShell - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-powershell
Connect virtual networks with virtual network peering using the Azure CLI - https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-cli

9 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=%2fazure%2fvirtual-network%2ftoc.json
10 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
11 https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

Module 4 Review Questions
VNet Resource Access
You configure a VNet-to-VNet connection between two VNets hosted in Azure in the same region. The
VNets contain virtual machines (VMs) used for a business-critical application. You need to give access to
the application to users within your internal network, as well as users who work from a remote location.
You allow gateway transit, and need to establish the connectivity between Azure and the corporate office
as well as to users.
What should you use to establish the connectivity to an on-premises network, another virtual network, or
an on-premises client?

Suggested answer:
When you allow gateway transit, the virtual network can communicate with resources outside the peering.
You could use a site-to-site VPN to connect to an on-premises network. You could use a VNet-to-VNet
connection to another virtual network. You could use a point-to-site VPN to connect to a client.

VNet Peering
You configure a VNet-to-VNet connection between two VNets hosted in Azure across two regions. The
VNets contain virtual machines (VMs) used for a business-critical application.
How can you verify that the VNet peering has been successfully established? What are the benefits and
constraints for global VNet peering?

Suggested answer:
You can check the status of VNet peering. The peering is not successfully established until the peering
status for both virtual network peerings shows Connected. Initiated means you have created the peering,
but are not yet connected.
The benefits and configuration steps are the same as for regional peering, but there are some special
requirements.
●● Public clouds. The virtual networks can exist in any Azure public cloud region, but not in Azure
national clouds. National clouds are physical and logical network-isolated instances of Microsoft
enterprise cloud services, which are confined within the geographic borders of specific countries and
operated by local personnel. There are very specific customer requirements to using and operating
national clouds.
●● Virtual network resources. Resources in one virtual network cannot communicate with the IP
address of an Azure internal load balancer in the peered virtual network. The load balancer and the
resources that communicate with it must be in the same virtual network.
●● Gateway transit. You should not configure ‘use remote gateways’ or ‘allow gateway transit’. Gateway
transit only applies to regional VNet peering.
●● Transitivity. VNet global peerings are not transitive meaning downstream VNets in one region cannot
talk with downstream VNets in another region. If you create peerings between VNet1-VNet2 and
VNet2-VNet3, there is no implied peering between VNet1 and VNet3.
MCT USE ONLY. STUDENT USE PROHIBITED 60  Module 4 Connecting Virtual Networks

●● Virtual machines. Peering high performance compute and GPU virtual machines is not supported. For
example, H, NC, NV, NCv2, NCv3, and ND series VMs.
VNet Peering
You configure VNet peering between two virtual networks and create a virtual machine (VM) in each
network to test communication. What configuration options should you consider?

Suggested answer

You must configure the peering on each virtual network; the peering is only established once both sides
are in place. If you select 'allow gateway transit' on one virtual network, select 'use remote gateways' on
the other.
The options available to configure are:
●● Allow forwarded traffic. Allows traffic that did not originate in the peer virtual network (for example,
traffic forwarded by a network virtual appliance there) into your virtual network.
●● Allow gateway transit. Allows the peer virtual network to use your virtual network gateway. The peer
cannot already have a gateway of its own.
●● Use remote gateways. Use your peer's virtual network gateway. Only one side of the peering can have
this enabled, and a virtual network can use only one remote gateway.
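As an added example (not part of the handbook or of Microsoft's tooling), the following Python script checks the two halves of a peering the way the two answers above describe: both sides must report Connected, each side must point at the VNet that owns the other side, and the gateway-transit flags must be set on exactly one side each. It reads the JSON that `az network vnet peering show -g <rg> --vnet-name <vnet> -n <peering> -o json` returns for each side; the two documents embedded here are constructed stand-ins with placeholder subscription, resource group and VNet names. The `allowVirtualNetworkAccess` property is the resource-manager name for the peering's basic connectivity switch, which the answer above does not list, and the `global_peering` parameter is an assumption added to apply the handbook's rule that gateway transit is not available across regions.

```python
"""Offline consistency check for the two halves of an Azure VNet peering.

Feed it the JSON that `az network vnet peering show ... -o json` returns for
each side. The two documents below are constructed for this example; the
subscription ID, resource group and VNet names are placeholders, not real
Azure output.
"""
import json

PEERINGS_SEGMENT = "/virtualNetworkPeerings/"

# Constructed: VNet1 offers its VPN gateway to VNet2 ("allow gateway transit").
VNET1_TO_VNET2 = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet1/virtualNetworkPeerings/vnet1-to-vnet2",
  "name": "vnet1-to-vnet2",
  "peeringState": "Connected",
  "allowVirtualNetworkAccess": true,
  "allowForwardedTraffic": true,
  "allowGatewayTransit": true,
  "useRemoteGateways": false,
  "remoteVirtualNetwork": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet2"}
}
""")

# Constructed: VNet2 has no gateway of its own and uses VNet1's ("use remote gateways").
VNET2_TO_VNET1 = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet2/virtualNetworkPeerings/vnet2-to-vnet1",
  "name": "vnet2-to-vnet1",
  "peeringState": "Connected",
  "allowVirtualNetworkAccess": true,
  "allowForwardedTraffic": true,
  "allowGatewayTransit": false,
  "useRemoteGateways": true,
  "remoteVirtualNetwork": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet1"}
}
""")


def local_vnet_id(peering):
    """The VNet that owns a peering is the prefix of the peering's own resource ID."""
    return peering["id"].split(PEERINGS_SEGMENT, 1)[0]


def is_connected(peering):
    """True only when this side reports Connected; Initiated means the other side is missing."""
    return peering.get("peeringState") == "Connected"


def check_peering_pair(side_a, side_b, global_peering=False):
    """Return a list of problems with the pair; an empty list means it is usable.

    global_peering=True (assumed parameter) applies the handbook's rule that
    gateway transit is not available on peerings that span regions.
    """
    problems = []
    for side in (side_a, side_b):
        name = side["name"]
        if not is_connected(side):
            problems.append(f"{name}: peeringState is {side.get('peeringState')!r}, not 'Connected'")
        if not side.get("allowVirtualNetworkAccess", False):
            problems.append(f"{name}: allowVirtualNetworkAccess is off, so VMs cannot reach the peer")

    # Each half must point at the VNet that owns the other half.
    for side, other in ((side_a, side_b), (side_b, side_a)):
        if side["remoteVirtualNetwork"]["id"].lower() != local_vnet_id(other).lower():
            problems.append(f"{side['name']}: remoteVirtualNetwork does not match the VNet owning {other['name']}")

    transit = [bool(s.get("allowGatewayTransit")) for s in (side_a, side_b)]
    remote = [bool(s.get("useRemoteGateways")) for s in (side_a, side_b)]

    if global_peering and any(transit + remote):
        problems.append("gateway transit flags are set on a global peering; transit applies only to regional peering")
    if transit[0] and transit[1]:
        problems.append("both sides allow gateway transit; only one VNet in the pair can provide the gateway")
    if remote[0] and remote[1]:
        problems.append("both sides use remote gateways; only one side of the peering may do so")
    for i, side in enumerate((side_a, side_b)):
        other = 1 - i
        if remote[i] and not transit[other]:
            problems.append(f"{side['name']}: uses remote gateways but the peer does not allow gateway transit")
        if transit[i] and not remote[other]:
            problems.append(f"{side['name']}: allows gateway transit but the peer has not enabled 'use remote gateways'")
        if transit[i] and remote[i]:
            problems.append(f"{side['name']}: cannot both provide a gateway and use the peer's gateway")
    return problems


if __name__ == "__main__":
    issues = check_peering_pair(VNET1_TO_VNET2, VNET2_TO_VNET1)
    print("peering OK" if not issues else "\n".join(issues))
```

Run it after creating both peerings (for example with `az network vnet peering create` on each VNet) and paste the real `show` output in place of the constructed documents; a non-empty result points at the half of the peering that still needs attention, which is quicker than reading the flags off two portal blades.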
Module 5 Lab - Configure and Manage Virtual Networks

Lab
Scenario
Adatum Corporation wants to implement service chaining between Azure virtual networks in its Azure
subscription.
Exercise 0
Prepare the Azure environment.
Exercise 1
Configure VNet peering.
Exercise 2
Implement custom routing.
Exercise 3
Validate service chaining.
Estimated Time: 120 minutes
✔️ If you are in a classroom, ask your instructor for the lab guide. If you are in a self-paced online course,
check the Course Handouts page.