Networking, Security & Cloud Knowledge
Microsoft Azure cloud Networking components:
Azure networking terms that may be useful for the AZ-900 Fundamentals or Administrator exam.
- vNet (Virtual Network):
  - Works as a logical network boundary; it represents the supernet allocated to an Azure resource group.
  - Under a vNet we can create multiple subnets. At least one subnet is required to create a vNet.
  - A vNet exists within a subscription and region and cannot span subscriptions or regions. There is a limit on the number of vNets: soft limit = 50, hard limit = 500.
  - Routing between subnets in a vNet is automatic and enabled by default using System Routes. System routes cannot be modified or deleted, but we can override them using custom routes.
  - Traffic from a vNet to Azure services is routed via Azure's backbone network. All other traffic (except to RFC 1918 and RFC 6598 ranges) is routed via the public internet.
- Route table:
  - Route tables are used to route traffic between vNets or to another network.
  - A route contains 3 important pieces of information: source, destination and next hop.
  - Source: defines who created the route. Default / System << Virtual Network Gateway / BGP << UDR (User Defined Route), in increasing precedence.
  - Destination: subnet (address prefix) of the destination network.
  - Next hop: the first hop used to reach the destination network.
  - The most specific (longest prefix) route is preferred. If there are multiple routes to the same destination prefix, the preference is UDR >> Virtual Network Gateway >> System.
  - Next-hop types:
    - Virtual network gateway
    - Virtual network (default Azure routing)
    - Internet
    - Virtual appliance (a specified VM)
    - None (black hole / drop traffic)
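The route-selection rule above (longest prefix first, then UDR over gateway/BGP over system when prefixes tie) written out as an added example; this is my own illustration, not Azure code, and the route table is constructed to mimic what an effective-routes view would show, including a UDR that forces default traffic to a virtual appliance and a UDR with next hop None that black-holes one prefix.

```python
import ipaddress

# Tie-break rank when two routes have the same prefix length: UDR >> gateway/BGP >> system.
SOURCE_RANK = {"User": 3, "VirtualNetworkGateway": 2, "Default": 1}

# Constructed sample effective route table for one subnet (not real Azure data).
# Field names are assumed for this example; next-hop types follow the list above.
SAMPLE_ROUTES = [
    {"source": "Default", "prefix": "10.1.0.0/16",
     "next_hop_type": "VirtualNetwork", "next_hop": None},            # system: vNet itself
    {"source": "Default", "prefix": "0.0.0.0/0",
     "next_hop_type": "Internet", "next_hop": None},                  # system: default to internet
    {"source": "VirtualNetworkGateway", "prefix": "192.168.0.0/16",
     "next_hop_type": "VirtualNetworkGateway", "next_hop": None},     # learned via BGP / S2S
    {"source": "User", "prefix": "0.0.0.0/0",
     "next_hop_type": "VirtualAppliance", "next_hop": "10.1.255.4"},  # UDR: force-tunnel to NVA
    {"source": "User", "prefix": "192.168.10.0/24",
     "next_hop_type": "None", "next_hop": None},                      # UDR: drop this prefix
]


def select_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None if nothing matches.

    Selection key is (prefix length, source rank): the longest matching prefix wins,
    and only when prefix lengths are equal does the route source decide.
    """
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route["prefix"], strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, SOURCE_RANK[route["source"]])
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


if __name__ == "__main__":
    for dest in ("10.1.2.3", "8.8.8.8", "192.168.10.5", "192.168.20.5"):
        chosen = select_route(SAMPLE_ROUTES, dest)
        print(f"{dest:>14} -> {chosen['next_hop_type']:<22} "
              f"(prefix {chosen['prefix']}, source {chosen['source']})")
```

Running it shows that the UDR to the appliance overrides the system Internet route for 8.8.8.8 only because both are /0, while the system /16 still wins for intra-vNet traffic because it is more specific.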
- Network Security Group (NSG):
  - Acts like a firewall at the network level, used to filter inbound / outbound traffic.
  - Applied at the VM (NIC) level or the subnet level.
- Service endpoint:
  - Allows communication from a vNet to an Azure service (e.g. Blob storage).
- Application Security Group (ASG):
  - Helps manage the security of VMs by grouping them according to the application that runs on them (e.g. Internet >>> web server >>> app server >>> database server).
- Azure Firewall and Azure Firewall Manager:
  - Azure Firewall is the firewall service from Azure; Azure Firewall Manager is used to manage it.
  - Azure Firewall Manager supports secured virtual hubs and hub virtual networks.
- Bastion host:
  - Node used as a jump server, jump box or remote access host for clients coming from the internet.
- NAT Gateway:
  - Network address translator.
- Azure DNS
- Azure Load Balancer:
  - Used to balance network traffic / session load across a group of servers.
  - There are public (external) and private (internal) load balancers.
- Application Gateway:
  - Works like an L7 load balancer and can use path-based routing.
- WAF (Web Application Firewall):
  - Used to protect web applications; used along with Application Gateway.
- Azure Traffic Manager:
  - Used as a DR / HA solution to route traffic between different regions.
- ExpressRoute:
  - Dedicated 10Gig connectivity to the Azure cloud over a private network via an ExpressRoute provider.
- VPN Gateway:
  - Allows connecting a remote site (Site-to-Site) or a user (Point-to-Site) over VPN.
- Local network gateway:
  - Network object that represents the on-premises location; used while configuring a VPN gateway.
- Virtual WAN:
  - A form of hub that allows interconnecting all vNets, on-premises sites and remote users.
- vNet peering:
  - Allows routing traffic between two vNets using the Microsoft backbone network infrastructure.
- Gateway transit:
  - Allows the VPN hub to forward traffic from spokes.
- Azure Front Door:
  - Microsoft's global edge network that acts as the entry point for accessing hosted resources (Azure / on-premises) from the public internet.
- Azure Private Link:
  - Allows access to Azure services using private address space.
- Azure Private Link service:
  - Allows communication between resources in two vNets / networks hosted in Azure even when they use overlapping private IP space.