AZ-700 Designing and Implementing Microsoft Azure Networking Solutions Questions and Answers

There is no virtual network peering between VM4’s VNet (VNet3) and VM5’s VNet (VNet4). To enable the VMs to communicate over the Microsoft backbone network a VNet peering is required between VNet3 and VNet4.

Here are the steps and explanations for ensuring that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name stor-age34280945.pnvatelinlcblob.core.windows.net:

• To allow access from a specific IP address range, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings1.
• On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from1. This will block all access to your storage account except from the networks or resources that you specify.
• Under Firewall, select Add rule, and then enter 10.1.1.0/24 as the IP address or range. You can also enter an optional rule name and description1. This will allow access from any IP address in the 10.1.1.0/24 range.
• Select Save to apply your changes1.
• To map a custom domain name to your storage account, you need to create a CNAME record with your domain provider that points to your storage account endpoint2. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name.
• Sign in to your domain registrar’s website, and then go to the page for managing DNS settings2.
• Create a CNAME record with the following information2:
• Save your changes and wait for the DNS propagation to take effect2.
• To register the custom domain name with Azure, you need to go back to the Azure portal and select your storage account. Then select Custom domain under Blob service2.
• On the Custom domain page, enter stor-age34280945.pnvatelinlcblob.core.windows.net as the custom domain name and select Save2.

VNet 1 will get the default from BGP and propagate it to VNET 2 and 3

Text Description automatically generated

Box 1: VM2, VM3 and VM4.

VM1 is in VNet1/Subnet1. VNet1 is peered with VNet2 and VNet3.

There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.

Box 2:

VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.

Graphical user interface, text, application Description automatically generated

For the first question, only ExpressRoute GW SKU Ultra Performance support FastPath feature.

For the second question, vnet1 will connect to ExpressRoute gw, once Vnet1 peers with Vnet2, the traffic from on-premise network will bypass GW and Vnet1, directly goes to Vnet2, while this feature is under public preview.

====Reference

ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

To configure FastPath, the virtual network gateway must be either:

Ultra Performance

ErGw3AZ

VNet Peering - FastPath will send traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.

https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath

Gateway SKU

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Box 1: No

Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.

Box 2: Yes

VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.

Box3: No

VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won’t be able to enable auto-registration on the link.

NGS1 only

VM2, VM3, VM4 and VM5

No

subnet1(WM1->NSG1 outbound->NSG10 outbound)->subnet2(NSG1 inbound->NSG11 inbound->VM2)

Yes

NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2ג€™s subnet (VNet1/Subnet2).

No

NSG11 blocks RDP (port TCP 3389) destined for ג€˜VirtualNetworkג€™. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.

• To create an Azure Firewall instance, you need to go to the Azure portal and select Create a resource. Type firewall in the search box and press Enter. Select Firewall and then select Create1.
• To assign an IP address from the address range of 10.1.255.0/24 to the firewall, you need to select a public IP address that belongs to that range. You can either create a new public IP address or use an existing one1.
• To use a new Premium firewall policy named FW-policy1, you need to select Premium as the Firewall tier and create a new policy with the name FW-policy12. A Premium firewall policy allows you to configure advanced features such as TLS Inspection, IDPS, URL Filtering, and Web Categories3.
• To route traffic directly to the internet, you need to enable SNAT (Source Network Address Translation) for the firewall. SNAT allows the firewall to use its public IP address as the source address for outbound traffic4.

Here are the steps and explanations for ensuring that all hosts deployed to subnet3-2 connect to the internet by using the same static public IP address:

• To use the same static public IP address for multiple hosts, you need to create a NAT gateway and associate it with subnet3-2. A NAT gateway is a resource that performs network address translation (NAT) for outbound traffic from a subnet1. It allows you to use a single public IP address for multiple private IP addresses2.
• To create a NAT gateway, you need to go to the Azure portal and select Create a resource. Search for NAT gateway, select NAT gateway, then select Create3.
• On the Create a NAT gateway page, enter or select the following information and accept the defaults for the remaining settings:
• Select Review + create and then select Create to create your NAT gateway3.
• To associate the NAT gateway with subnet3-2, you need to go to the Virtual networks service in the Azure portal and select your virtual network.
• On the Virtual network page, select Subnets under Settings, and then select subnet3-2 from the list.
• On the Edit subnet page, under NAT gateway, select your NAT gateway from the drop-down list. Then select Save.

Here are the steps and explanations for ensuring that hosts on VNET2 can access hosts on both VNET1 and VNET3, but hosts on VNET1 and VNET3 cannot communicate through VNET2:

• To connect different virtual networks in Azure, you need to use virtual network peering. Virtual network peering allows you to create low-latency, high-bandwidth connections between virtual networks without using gateways or the internet1.
• To create a virtual network peering, you need to go to the Azure portal and select your virtual network. Then select Peerings under Settings and select + Add2.
• On the Add peering page, enter or select the following information:
• Select Add to create the peering2.
• Repeat the previous steps to create peerings between VNET2 and VNET1, and between VNET2 and VNET3. This will allow hosts on VNET2 to access hosts on both VNET1 and VNET3.
• To prevent hosts on VNET1 and VNET3 from communicating through VNET2, you need to use network security groups (NSGs) to filter traffic between subnets. NSGs are rules that allow or deny inbound or outbound traffic based on source or destination IP address, port, or protocol3.
• To create an NSG, you need to go to the Azure portal and select Create a resource. Search for network security group and select Network security group. Then select Create4.
• On the Create a network security group page, enter or select the following information:
• Select Review + create and then select Create to create your NSG4.
• To add rules to your NSG, you need to go to the Network security groups service in the Azure portal and select your NSG. Then select Inbound security rules or Outbound security rules under Settings and select + Add4.
• On the Add inbound security rule page or Add outbound security rule page, enter or select the following information:
• Select Add to create your rule4.
• Repeat the previous steps to create inbound and outbound rules for your NSG that deny traffic between VNET1 and VNET3 subnets. For example, you can create an inbound rule that denies traffic from 10.0.1.0/24 (VNET1 subnet 1) to 10.0.3.0/24 (VNET3 subnet 1), and an outbound rule that denies traffic from 10.0.3.0/24 (VNET3 subnet 1) to 10.0.1.0/24 (VNET1 subnet 1).
• To associate your NSG with a subnet, you need to go to the Virtual networks service in the Azure portal and select your virtual network. Then select Subnets under Settings and select the subnet that you want to associate with your NSG5.
• On the Edit subnet page, under Network security group, select your NSG from the drop-down list. Then select Save5.
• Repeat the previous steps to associate your NSG with the subnets in VNET1 and VNET3 that you want to isolate from each other.

Here are the steps and explanations for creating a policy that can be linked to the planned application gateway and block connections from IP addresses in the 131.107.150.0/24 range:

• To create a policy, you need to go to the Azure portal and select Create a resource. Search for WAF, select Web Application Firewall, then select Create1.
• On the Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:
• On the Custom rules tab, select Add a rule to create a custom rule that blocks connections from IP addresses in the 131.107.150.0/24 range2. Enter or select the following information for the custom rule:
• On the Review + create tab, review your settings and select Create to create your WAF policy1.
• To link your policy to the planned application gateway, you need to go to the Application Gateway service in the Azure portal and select your application gateway3.
• On the Web application firewall tab, select your WAF policy from the drop-down list and select Save

Here are the steps and explanations for creating the object that will provide the IP addressing configuration of the on-premises network to the Site-to-Site VPN:

• The object that you need to create is called a local network gateway. A local network gateway represents your on-premises network and VPN device in Azure. It contains the public IP address of your VPN device and the address prefixes of your on-premises network that you want to connect to the Azure virtual network1.
• To create a local network gateway, you need to go to the Azure portal and select Create a resource. Search for local network gateway, select Local network gateway, then select Create2.
• On the Create local network gateway page, enter or select the following information and accept the defaults for the remaining settings:
• Select Review + create and then select Create to create your local network gateway2.

Here are the steps and explanations for configuring VNET1 to log all events and metrics and query them by using KQL:

• To enable logging for VNET1, you need to create a diagnostic setting that collects the platform metrics and logs from the virtual network and routes them to one or more destinations. You can choose to send the data to a Log Analytics workspace, a storage account, an event hub, or a partner solution1.
• To create a diagnostic setting, you need to go to the Azure portal and select your virtual network. Then select Diagnostic settings under Monitoring and select + Add diagnostic setting1.
• On the Add diagnostic setting page, enter or select the following information:
• Select Save to create your diagnostic setting1.
• To query the events and metrics from the Azure portal by using KQL, you need to go to the Log Analytics workspace that you selected as the destination. Then select Logs under General and enter your KQL query in the query editor3.
• For example, you can use the following KQL query to get the top 10 network security group events for VNET1 in the last 24 hours:

NetworkSecurityGroupEvent

| where TimeGenerated > ago(24h)

| where ResourceId contains "VNET1"

| summarize count() by EventID

| top 10 by count_

Copy

• Select Run to execute your query and view the results in a table or a chart3.

• To deploy a firewall to subnetl-2, you need to create a network virtual appliance (NVA) in the same virtual network as subnetl-2. An NVA is a virtual machine that performs network functions, such as firewall, routing, or load balancing1.
• To create an NVA, you need to create a virtual machine in the Azure portal and select an image that has the firewall software installed. You can choose from the Azure Marketplace or upload your own image2.
• To assign the IP address of 10.1.2.4 to the NVA, you need to create a static private IP address for the network interface of the virtual machine. You can do this in the IP configurations settings of the network interface3.
• To ensure that traffic from subnetl-1 to the IP address range of 192.168.10.0/24 is routed through the NVA, you need to create a user-defined route (UDR) table and associate it with subnetl-1. A UDR table allows you to override the default routing behavior of Azure and specify custom routes for your subnets4.
• To create a UDR table, you need to go to the Route tables service in the Azure portal and select + Create. You can give a name and a resource group for the route table5.
• To create a custom route, you need to select Routes in the route table and select + Add. You can enter the following information for the route5:
• To associate the route table with subnetl-1, you need to select Subnets in the route table and select + Associate. You can select the virtual network and subnet that you want to associate with the route table5.

Here are the steps and explanations for ensuring that the storage34280945 storage account will only accept connections from hosts on VNET1:

• To restrict network access to your storage account, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings1.
• On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from1. This will block all access to your storage account except from the networks or resources that you specify.
• Under Virtual networks, select + Add existing virtual network. Then select VNET1 from the list of virtual networks and select the subnet that contains the hosts that you want to allow access to your storage account1. This will enable a service endpoint for Storage in the subnet and configure a virtual network rule for that subnet through the Azure storage firewall2.
• Select Add to add the virtual network and subnet to your storage account1.
• Select Save to apply your changes1.

Here are the steps and explanations for ensuring that subnet4-3 can accommodate 507 hosts:

• To determine the subnet size that can accommodate 507 hosts, you need to use the formula: number of hosts = 2^(32 - n) - 2, where n is the number of bits in the subnet mask1. You need to find the value of n that satisfies this equation for 507 hosts.
• To solve this equation, you can use trial and error or a binary search method. For example, you can start with n = 24, which is the default subnet mask for Class C networks. Then, plug in the value of n into the formula and see if it is too big or too small for 507 hosts.
• If you try n = 24, you get number of hosts = 2^(32 - 24) - 2 = 254, which is too small. You need to increase the value of n to get a larger number of hosts.
• If you try n = 25, you get number of hosts = 2^(32 - 25) - 2 = 510, which is just enough to accommodate 507 hosts. You can stop here or try a smaller value of n to see if it still works.
• If you try n = 26, you get number of hosts = 2^(32 - 26) - 2 = 254, which is too small again. You need to decrease the value of n to get a larger number of hosts.
• Therefore, the smallest value of n that can accommodate 507 hosts is n = 25. This means that the subnet mask for subnet4-3 should be /25 or 255.255.255.128 in dot-decimal notation1.
• To change the subnet mask for subnet4-3, you need to go to the Azure portal and select your virtual network. Then select Subnets under Settings and select subnet4-3 from the list2.
• On the Edit subnet page, under Address range (CIDR block), change the value from /24 to /25. Then select Save2.

Here are the steps and explanations for ensuring that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net:

• To use a custom domain with your Azure Front Door, you need to create a CNAME record with your domain provider that points to the Front Door default frontend host. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name1.
• To create a CNAME record, you need to sign in to your domain registrar’s website and go to the page for managing DNS settings1.
• Create a CNAME record with the following information1:
• Save your changes and wait for the DNS propagation to take effect1.
• To verify the custom domain, you need to go to the Azure portal and select your Front Door profile. Then select Domains under Settings and select Add2.
• On the Add a domain page, select Non-Azure validated domain as the Domain type and enter wwwjelecloud.com as the Domain name. Then select Add2.
• On the Domains page, select wwwjelecloud.com and select Verify. This will check if the CNAME record is correctly configured2.
• Once the domain is verified, you can associate it with your Front Door endpoint. On the Domains page, select wwwjelecloud.com and select Associate endpoint. Then select your Front Door endpoint from the drop-down list and select Associate2.