AZ-700

Subscription

  • Billing and access boundary: resources, quotas and RBAC assignments are scoped to it

VNet

  • Isolated network
  • A VM inside a VNet gets a private IP from the VNet address range (assigned to its NIC)
  • 1 VNet can have 1 ExpressRoute virtual network gateway and 1 VPN virtual network gateway. Both share the same GatewaySubnet, which must be /27 or larger for coexistence.
  • VNet peering is non-transitive. For hub-and-spoke transit, route through a gateway in the hub (gateway transit / UseRemoteGateways) or an NVA such as Azure Firewall plus UDRs.
  • Web App VNet integration: regional integration needs a dedicated (delegated) subnet in the VNet; cross-region (gateway-required) integration goes through a VPN gateway in the VNet
  • VNet name must be unique within a resource group
  • A VNet can be moved to another resource group even if its address space overlaps with another VNet there (overlap only blocks peering and S2S connections)
  • VNet peering can be between different regions (global VNet peering)
  • Subnets within a VNet route to each other by default (system routes)
  • One VNet can have only one private DNS zone linked with auto-registration, but many linked without auto-registration

VNet Create

  • All resources > Search: Virtual Network
    • Subscription
    • Resource group (logical grouping, e.g. demo-grp)
    • Name
    • Region (Azure physical location)
    • IP Address Space (e.g. 10.0.0.0/16)
    • Default subnet (e.g. 10.0.0.0/24)

VM Creation

  • Virtual machines > Create
    • Basic
      • Subscription
      • Resource group (e.g. demo-grp)
      • Virtual machine name (e.g. demovm)
      • Region (e.g. North Europe, same region as the VNet)
      • Availability options (e.g. Availability set)
      • Availability set (e.g. Name: loadset)
      • Image (e.g. Windows Server 2019 Datacenter – Gen1)
      • Size (e.g. Standard_D2s_v3 – 2 vcpus, 8 GiB memory ($145.27/month))
      • Username
      • Password
    • Disk
    • Network
      • Virtual network (e.g. Name: load-network)
      • Subnet
      • Public IP
  • After creation, these resources exist:
    • Demovm (vm)
    • Demovm-ip (public ip)
    • Demovm-nsg (Network security group)
    • Demovm984 (Network Interface)
    • Demovm_disk1_7c8fc (Disk)

Installing Internet Information Services on the machine

  • Install IIS on the VM (e.g. Add-WindowsFeature Web-Server in PowerShell)
  • Home > All resources > demovm > Networking
    • NSG > Add inbound port rule
      • Service (e.g. HTTP)
      • Name (e.g. Port_HTTP)
  • Now the VM public IP address serves the IIS default page. The rule opens port 80 from any source on the NIC NSG; if the subnet also has an NSG, it must allow port 80 too.

Virtual Networking Peering – Implementation

  • Virtual Network > Peerings
    • This virtual network
      • Peering link name
      • Virtual network
  • Remote virtual network
    • Peering link name
    • Virtual network

Subnet

  • Default subnet for VMs
  • GatewaySubnet (fixed name) for VPN/ExpressRoute gateways: /27 or larger recommended (/27, /26, /25)
  • Delegated subnet for Web App VNet integration
  • Delegated subnet for SQL Managed Instance
  • AzureFirewallSubnet and AzureBastionSubnet (fixed names): /26 or larger
  • Azure reserves 5 addresses in every subnet; the smallest subnet is /29

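As an added example (not from these notes or from Microsoft), a Python pre-flight check for the address-plan rules in the VNet and Subnet sections above: reserved subnet names and sizes, the five addresses Azure reserves per subnet, and the overlap rule that makes peering, site-to-site and point-to-site fail. The subnet names and address ranges used in it are constructed; the minimum sizes are Azure's documented ones.

```python
"""Pre-flight checks for a VNet address plan: reserved subnet names and sizes,
Azure's five reserved addresses per subnet, and the overlap rules that make
peering, S2S and P2S fail. Addresses are constructed for this example."""
import ipaddress

# Fixed-name subnets Azure services require and their minimum prefix lengths.
RESERVED_SUBNETS = {
    "GatewaySubnet": 27,                  # VPN + ExpressRoute gateway coexistence needs /27
    "AzureFirewallSubnet": 26,
    "AzureFirewallManagementSubnet": 26,  # forced tunnelling
    "AzureBastionSubnet": 26,
}
AZURE_RESERVED_PER_SUBNET = 5  # network, default gateway, two DNS mappings, broadcast
SMALLEST_SUBNET = 29           # Azure rejects anything smaller than /29


def net(cidr):
    return ipaddress.ip_network(cidr, strict=True)  # raises on host bits set, e.g. 10.0.0.1/24


def usable_hosts(cidr):
    return max(net(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def check_subnets(vnet_cidr, subnets):
    """subnets: {name: cidr}. Returns a list of problems; empty means the plan deploys."""
    problems, vnet = [], net(vnet_cidr)
    items = list(subnets.items())
    for name, cidr in items:
        sn = net(cidr)
        if not sn.subnet_of(vnet):
            problems.append(f"{name} {cidr} is outside VNet {vnet_cidr}")
        if sn.prefixlen > SMALLEST_SUBNET:
            problems.append(f"{name} {cidr} is smaller than /{SMALLEST_SUBNET}")
        need = RESERVED_SUBNETS.get(name)
        if need is not None and sn.prefixlen > need:
            problems.append(f"{name} must be /{need} or larger, got /{sn.prefixlen}")
    for i, (n1, c1) in enumerate(items):
        for n2, c2 in items[i + 1:]:
            if net(c1).overlaps(net(c2)):
                problems.append(f"subnets {n1} {c1} and {n2} {c2} overlap")
    return problems


def check_connectivity(vnet_spaces, onprem_spaces=(), p2s_pool=None):
    """Peered VNets, local network gateway address spaces and the P2S address pool
    must not overlap each other; Azure refuses the peering/connection otherwise."""
    named = [(f"vnet:{v}", v) for v in v_list(vnet_spaces)]
    named += [(f"onprem:{o}", o) for o in onprem_spaces]
    if p2s_pool:
        named.append((f"p2s:{p2s_pool}", p2s_pool))
    problems = []
    for i, (n1, c1) in enumerate(named):
        for n2, c2 in named[i + 1:]:
            if net(c1).overlaps(net(c2)):
                problems.append(f"{n1} overlaps {n2}")
    return problems


def v_list(spaces):
    return list(spaces)


if __name__ == "__main__":
    plan = {"default": "10.0.0.0/24", "GatewaySubnet": "10.0.1.0/28",
            "AzureBastionSubnet": "10.0.2.0/27", "webapp-integration": "10.0.3.0/24"}
    for p in check_subnets("10.0.0.0/16", plan):
        print("subnet problem:", p)
    for p in check_connectivity(["10.0.0.0/16", "10.1.0.0/16"], ["10.1.0.0/16"], "172.16.0.0/16"):
        print("connectivity problem:", p)
    print("usable hosts in 10.0.0.0/24:", usable_hosts("10.0.0.0/24"))
```

Run it before creating peerings or a local network gateway: the two lists it prints are exactly the conditions the portal rejects after the fact.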
Lab – User Defined Routes (Static Route) – Route Table

  • Name: ‘customroutetable’
  • Routes
    • Route name: ‘customroute’
    • Address prefix: ’10.0.0.0/16’
    • Next hop type: ‘Virtual appliance’
    • Next hop address: ’10.0.0.4’
  • Subnets
    • Virtual network: ‘routing-grp-vnet’
    • Subnet: ‘SubnetA’
  • Go to the 10.0.0.4 VM > Networking > network interface > IP configurations > Enable IP forwarding (the NVA's guest OS must also forward packets; without NIC-level IP forwarding Azure drops packets not addressed to the NIC)

NSG (stateful ACL)

  • Default inbound rules: allow from VirtualNetwork, allow from AzureLoadBalancer, deny everything else (so nothing from the Internet reaches a VM until a rule allows it)
  • Default outbound rules: allow to VirtualNetwork, allow to Internet, deny everything else
  • Rules are evaluated by priority (100-4096 for custom rules, defaults at 65000+); the first match wins
  • If applied to a subnet, traffic between VMs within the same subnet is also filtered
  • NSG attaches to a VM network interface or a subnet (not to a virtual network); with both, inbound traffic must pass the subnet NSG then the NIC NSG, outbound the NIC NSG then the subnet NSG
  • Azure Firewall is deployed inside the virtual network (AzureFirewallSubnet) and traffic is steered to it with UDRs
  • No inbound to a VM from the Internet by default

Network Security Groups – Subnet NSG

  • All resources > Search: Network security group
    • Inbound security rules
    • Outbound security rules
    • Network interfaces
    • Subnets
  • VM
    • Networking
      • Subnet NSG
      • Interface NSG

Application Security Groups

  • App1 > DB (NSG rule1)
  • App2 > DB (NSG rule1+2)
  • App3 > DB (NSG rule1+2+3)
  • Simplify: ASG(App1, App2, App3) > DB (NSG ruleASG)
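
The NSG evaluation order, default rules, subnet-versus-NIC layering, statefulness and ASG membership described above, worked through as an added Python simulation (example code, not the page's own material or Azure's implementation). NSG names, rules, ASG members and addresses are constructed for the example; the VirtualNetwork tag is simplified to the local VNet only.

```python
"""Simulate how Azure evaluates NSG rules for one flow: rules in priority order,
the six default rules, service tags, application security groups as source or
destination, subnet and NIC NSGs layered, and stateful reply handling.
Addresses, NSG names and rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

VNET = ipaddress.ip_network("10.0.0.0/16")           # constructed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")       # AzureLoadBalancer probe source
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    priority: int
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    protocol: str = "*"         # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"           # CIDR, service tag, "asg:<name>" or "*"
    dest: str = "*"
    dest_ports: tuple = ("*",)  # ints, "lo-hi" strings or "*"
    name: str = ""


def default_rules():
    """The rules every NSG carries; priorities 65000+ so custom rules (100-4096) win."""
    return [
        Rule(65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork", name="AllowVnetInBound"),
        Rule(65001, "Inbound", "Allow", source="AzureLoadBalancer", name="AllowAzureLoadBalancerInBound"),
        Rule(65500, "Inbound", "Deny", name="DenyAllInBound"),
        Rule(65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork", name="AllowVnetOutBound"),
        Rule(65001, "Outbound", "Allow", dest="Internet", name="AllowInternetOutBound"),
        Rule(65500, "Outbound", "Deny", name="DenyAllOutBound"),
    ]


@dataclass
class Nsg:
    name: str
    rules: list = field(default_factory=list)
    asgs: dict = field(default_factory=dict)   # ASG name -> set of member NIC IPs

    def _addr_match(self, spec, ip):
        if spec == "*":
            return True
        if spec == "VirtualNetwork":   # simplified to the own VNet (the real tag also covers peered and on-prem ranges)
            return ip in VNET
        if spec == "Internet":
            return ip not in VNET and not any(ip in n for n in RFC1918)
        if spec == "AzureLoadBalancer":
            return ip == AZURE_LB
        if spec.startswith("asg:"):
            return ip in self.asgs.get(spec[4:], set())
        return ip in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _port_match(ports, port):
        for p in ports:
            if p == "*" or p == port:
                return True
            if isinstance(p, str) and "-" in p:
                lo, hi = (int(x) for x in p.split("-"))
                if lo <= port <= hi:
                    return True
        return False

    def evaluate(self, direction, proto, src, dst, dport):
        """First matching rule in priority order decides; a DenyAll default always matches last."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in sorted(self.rules + default_rules(), key=lambda r: r.priority):
            if (r.direction == direction and r.protocol in ("*", proto)
                    and self._addr_match(r.source, src) and self._addr_match(r.dest, dst)
                    and self._port_match(r.dest_ports, dport)):
                return r.access, r.name
        return "Deny", "DenyAll"


def effective_access(direction, proto, src, dst, dport, subnet_nsg=None, nic_nsg=None):
    """Inbound: subnet NSG first, then NIC NSG; outbound: NIC first, then subnet. Both must allow."""
    order = (subnet_nsg, nic_nsg) if direction == "Inbound" else (nic_nsg, subnet_nsg)
    for nsg in order:
        if nsg is not None:
            access, name = nsg.evaluate(direction, proto, src, dst, dport)
            if access == "Deny":
                return "Deny", f"{nsg.name}/{name}"
    return "Allow", "all NSGs allowed"


class StatefulFilter:
    """NSGs are stateful: replies to an allowed flow pass without a matching rule."""
    def __init__(self, subnet_nsg=None, nic_nsg=None):
        self.subnet_nsg, self.nic_nsg, self.flows = subnet_nsg, nic_nsg, set()

    def check(self, direction, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.flows:       # reverse of a tracked flow
            return "Allow", "established"
        access, why = effective_access(direction, proto, src, dst, dport, self.subnet_nsg, self.nic_nsg)
        if access == "Allow":
            self.flows.add((proto, src, sport, dst, dport))
        return access, why


def demo():
    ip = ipaddress.ip_address
    nic = Nsg("demovm-nsg", rules=[
        Rule(300, "Inbound", "Allow", "Tcp", "Internet", "*", (80,), "Port_HTTP"),
        Rule(100, "Outbound", "Deny", "*", "*", "Internet", ("*",), "DenyEgress"),   # locked-down egress
    ])
    subnet_default = Nsg("subnet-nsg")                                 # default rules only
    subnet_locked = Nsg("subnet-nsg", rules=[Rule(200, "Inbound", "Deny", "Tcp", "*", "*", (3389,), "DenyRdpInSubnet")])
    db = Nsg("db-nsg", asgs={"app": {ip("10.0.0.10"), ip("10.0.0.11")}, "db": {ip("10.0.1.20")}}, rules=[
        Rule(100, "Inbound", "Allow", "Tcp", "asg:app", "asg:db", (1433,), "AllowAppToSql"),
        Rule(200, "Inbound", "Deny", "Tcp", "*", "asg:db", (1433,), "DenyOtherSql"),  # else AllowVnetInBound lets every VNet host in
    ])
    state = StatefulFilter(nic_nsg=nic)
    return {
        "http_nic_only": effective_access("Inbound", "Tcp", "203.0.113.5", "10.0.0.4", 80, None, nic)[0],
        "http_subnet_default": effective_access("Inbound", "Tcp", "203.0.113.5", "10.0.0.4", 80, subnet_default, nic)[0],
        "rdp_from_internet": effective_access("Inbound", "Tcp", "203.0.113.5", "10.0.0.4", 3389, None, nic)[0],
        "rdp_intra_subnet": effective_access("Inbound", "Tcp", "10.0.0.5", "10.0.0.4", 3389, subnet_default, nic)[0],
        "rdp_intra_subnet_locked": effective_access("Inbound", "Tcp", "10.0.0.5", "10.0.0.4", 3389, subnet_locked, nic)[0],
        "sql_from_app_asg": db.evaluate("Inbound", "Tcp", "10.0.0.10", "10.0.1.20", 1433)[0],
        "sql_from_other_vm": db.evaluate("Inbound", "Tcp", "10.0.0.99", "10.0.1.20", 1433)[0],
        "http_request": state.check("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.0.4", 80)[0],
        "http_reply": state.check("Outbound", "Tcp", "10.0.0.4", 80, "203.0.113.5", 51000)[0],
        "new_egress": state.check("Outbound", "Tcp", "10.0.0.4", 52000, "203.0.113.5", 443)[0],
    }
```

Two results are the ones worth remembering: the Port_HTTP rule on the NIC is useless while a default-only NSG sits on the subnet (the subnet's DenyAllInBound is evaluated first), and an ASG rule alone does not restrict anything until a lower-priority Deny overrides AllowVnetInBound.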

Lab – Application Security Groups

  • All resource > Search Application Security Groups
  • VM > Networking > ASG

Virtual Machine Scale Sets

  • Based on autoscale rules (e.g. CPU > 70%), increase/decrease the number of identical VMs and load-balance them.

Lab – Virtual Machine Scale Set

  • Search: Virtual machine scale set
    • Resource group: ‘scale-grp’
    • Virtual machine scale set name: ‘scaleset’
    • Region: ‘(Europe) North Europe’
    • Orchestration mode: ‘Uniform’
    • Administrator account
      • Username: demousr
      • Password: xxxxxx
    • Networking
      • Use a load balancer: checked
      • Select a load balancer
        • Name: ‘load-balancer’
        • Public IP address name: ‘load-ip’
        • Select a backend pool
          • Name: ‘PoolA’
  • Scaling
    • Initial instance count: 1

Lab – Virtual Machine Scale Set – Extensions

  • Search: storage account
    • Resource group: ‘scale-grp’
    • Storage account name: ‘appstore48990’
    • Region: ‘(Europe) North Europe’
    • Redundancy: ‘Locally-redundant storage (LRS)’
  • Data storage
    • Containers
      • Name: ‘data’
      • Upload: ‘Install.ps1’
  • Scaleset
    • Extensions
      • Add: Custom Script Extension
        • Script file > storage acc > container > install.ps1
  • Scaleset
    • Instances > Upgrade
  • Scaleset
    • Networking > Add inbound security rule :80
  • Install.ps1 (PowerShell run on each instance by the Custom Script Extension):

    Add-WindowsFeature Web-Server
    Set-Content -Path 'C:\inetpub\wwwroot\Default.html' -Value "This is the server $($env:computername) !"

Lab – Virtual Machine Scale Set – Scaling

  • Scaleset
    • Scaling
      • Custom autoscale
        • Scale mode: ‘Scale based on a metric’
        • Rules
        • Instance limits: Maximum 3 instances

Availability Sets

  • Update domain
    • VMs in the same update domain can be rebooted together during planned platform maintenance (host/firmware updates)
  • Fault domain
    • VMs in the same fault domain share a rack, i.e. the same network switch and power source

Azure Bastion

  • dedicated subnet named AzureBastionSubnet (/26 or larger); RDP/SSH from the portal over TLS, so the VM needs no public IP

ExpressRoute (a circuit can be shared across subscriptions via circuit authorizations)

  • ExpressRoute Direct: connect directly to Microsoft's global network at 10/100 Gbps ports
  • ExpressRoute FastPath: on-prem traffic to the VNet bypasses the gateway on the data path (needs an UltraPerformance or ErGw3AZ gateway)
  • ExpressRoute Global Reach: on-prem sites on different circuits can talk to each other through Microsoft's backbone
  • ExpressRoute Local: connect only to Azure regions near the peering location
  • ExpressRoute Standard: all regions in the same geopolitical region, up to 10 VNets per circuit, 4,000 routes on private peering
  • ExpressRoute Premium: global connectivity beyond the geopolitical region, 10,000 routes on private peering, more VNets per circuit (depends on bandwidth)
  • Creation: create circuit > send service key to provider > configure private peering > create ExpressRoute gateway (ErGw3AZ supports FastPath) > connect VNet to circuit
  • Does not traverse the Internet > more reliable, lower latency, more bandwidth
  • Partner edge / ISP already has connectivity to Microsoft edge routers.
  • Each circuit is provisioned as a redundant pair of connections to two Microsoft Enterprise Edge (MSEE) routers
  • Local SKU – one region; Standard SKU – geopolitical region; Premium SKU – locations beyond the geopolitical region

Lab – Creating an ExpressRoute Circuit

  • All resource > ExpressRoute
    • Name: ‘approute’
    • Port type: ‘Provider’
    • Provider: ‘Equinix’
    • Peering location: ‘Mumbai2’
    • Bandwidth: ‘200Mbps’
    • > provide Service key to service provider
    • Peering: Private Peering (Azure virtual networks) / Microsoft Peering (Microsoft 365 and Azure PaaS public endpoints)

Lab – Azure ExpressRoute peering connections

  • All Resource > Virtual network gateway
  • Gateway type: ExpressRoute

AD

  • A RADIUS server integrated with AD can authenticate P2S VPN users.
  • P2S VPN with Azure AD (Entra ID) authentication needs the "Azure VPN" enterprise application registered in the tenant

Point to Site VPN

  • Virtual network > Subnets > +Gateway subnet
  • All resource > Search: Virtual Network Gateway
    • Name: ‘network-gateway’
    • Gateway type: ‘VPN’ (the other type is ExpressRoute)
    • Virtual network: ‘azure-network’
    • Subnet: ‘GatewaySubnet (10.0.1.0/24)’
    • Public IP address name: ‘gateway-ip’

Point-to-Site VPN (Azure VPN Client, native IKEv2 or OpenVPN clients) – Certificates for authentication

  • A. Self-signed root certificate
    • 1. Create the root certificate (self-signed)
    • 2. Create a client certificate signed by the root certificate
    • 3. Install the client certificate on the client PC; upload the root's public key (base64 .cer) to the gateway
  • B. Enterprise CA
    • 1. Issue a client certificate from the CA and install it on the client PC; upload the CA's public certificate to the gateway
  • PowerShell (Windows): create the root, then a client certificate signed by it

    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=VPNRoot" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

    New-SelfSignedCertificate -Type Custom -DnsName VPNCert -KeySpec Signature `
        -Subject "CN=VPNCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")   # EKU = client authentication

Lab – Point-to-Site VPN –Establishing the connection

  • network-gateway > Point-to-site configuration
    • Address pool: ‘172.16.0.0/16’
    • Tunnel Type: ‘IKEv2’
    • Authentication type: ‘Azure certificate’
    • Root certificates:
      • Name: ‘root’
      • Public certificate data: base64 body of the root certificate (export as .cer without the private key, paste without the BEGIN/END lines)
    • Download VPN client

Site to Site VPN

  • Virtual Network Gateway (Azure side) & Local Network Gateway (on-prem side: public IP and address space)
  • Diagnostic log category IKEDiagnosticLog for debugging tunnel negotiation
  • Custom IPsec/IKE policy on the connection (with traffic selectors) for policy-based on-prem VPN devices
  • PowerShell: New-AzIpsecPolicy & New-AzVirtualNetworkGatewayConnection
  • Query the gateway health probe: https://<Virtual Network Gateway public IP>:8081/healthprobe

Site-to-Site VPN – Setup

  • Virtual network gateway
    • Connections
      • Name: ‘companyconnection’
      • Connection type: ‘Site-to-Site (IPsec)’
      • Local Network Gateway: ‘local-gateway’
      • PSK: ‘abc123’ (lab value; use a long random pre-shared key in practice)
  • Local Network Gateway (On-premise Information)
    • Name: ‘local-gateway’
    • IP address (On-premise Public IP): ’51.132.12.51’
    • Address space (On-premise internal IP): ’10.1.0.0/16’

Virtual WAN

  • Basic: supports S2S VPN only (no ExpressRoute, P2S or hub-to-hub)
  • Standard: supports ExpressRoute, P2S, S2S, hub-to-hub and any-to-any transit
  • Scale units: S2S VPN gateway 500 Mbps per scale unit; ExpressRoute gateway 2 Gbps per scale unit
  • contains one or more Virtual Hubs (one per region)
  • each Virtual Hub hosts its own gateways (1 ExpressRoute gateway, 1 S2S VPN gateway, 1 P2S gateway per hub)
  • migrate from hub-and-spoke VNets to Virtual WAN: replace VNet peering with VNet connections to the hub; replace UDRs with the hub's dynamic routing.
  • Global Virtual WAN topology (Standard): hubs in different regions connect to each other automatically
  • Isolating VNets: the hub has a Default route table; put the isolated VNets on a custom table (e.g. RT1) that propagates to Default, and associate branches with Default while propagating to both RT1 and Default, so branches reach the VNets but the VNets do not reach each other.
  • One Default route table per hub
  • Without Virtual WAN, each connection needs its own gateway:
    • On-premises <> Virtual Network A {Virtual Network Gateway A, subnets A}
    • 2 on-premises sites <> Virtual Network A {Virtual Network Gateway A, subnets A}
    • On-premises <> Virtual Network B {Virtual Network Gateway B, subnets B}
    • On-premises <> Virtual Network A {Virtual Network Gateway A, subnets A} <peering> Virtual Network B {Virtual Network Gateway B, subnets B}
  • To simplify, use Azure Virtual WAN: all on-premises sites and virtual networks connect to a single hub.

Lab – Creating the Azure virtual WAN resource

  • All resources > Search: Virtual WAN (publisher: Microsoft)
    • Name: ‘virtualWAN’
    • Type: ‘Standard’

Lab – Virtual WAN – Virtual Hub

  • Virtual Wan > Hubs
    • Name: ‘virtualhub’
    • Hub private address space: ’10.3.0.0/16’ (for the hub's own infrastructure; minimum /24, must not overlap connected VNets or sites)
    • Point to site/ site-to-site / express route
    • AS Number: ‘65515’
    • Gateway scale units: ‘1 scale unit – 500 Mbps x2’

Lab – Azure Virtual WAN Hub – Azure virtual networks

  • Virtual Wan > Virtual network connections
    • Connection name: ‘azure-network-connection’
    • Hubs: ‘virtualhub’
    • Subscription: ‘Azure subscription 1’
    • Resource group: ‘vpn-grp’
    • Virtual network: ‘azure-network’
    • Associate Route Table: ‘Default’

Lab – Azure Virtual WAN Hub – Point-to-Site connections

  • Virtual WAN > User VPN configurations
    • Choose ‘userconfig’ > Download virtual WAN user VPN profile
      • Authentication type: EAPTLS > Generate and download profile

Azure Virtual WAN – VPN Site-to-Site

  • Virtual WAN > VPN sites
    • Name: ‘siteA’
    • Device vendor: ‘Cisco’
    • Private address space: ’10.4.0.0/16’ (On-premise Subnets)
    • Link (like Local Network Gateway)
      • Link name: ‘Linkname’
      • Link speed: ‘50’
      • Link provider name: ‘Microsoft’
      • Link IP address: ’51.132.12.51’ (On-premise public IP)

VPN Gateway SKU

  • VpnGw1AZ (Support 30 S2S VPN)
  • VpnGw2AZ (Support 30 S2S VPN)
  • VpnGw3AZ (Support 30 S2S VPN)
  • VpnGw4AZ (Support 100 S2S VPN)
  • VpnGw5AZ (Support 100 S2S VPN)

Load Balancer

  • Standard SKU: frontend reachable over global VNet peering; Basic SKU: not reachable from a globally peered VNet
  • Layer 4, any TCP/UDP traffic; Standard SKU HA ports rule: one rule for all TCP and UDP ports (used for NVA high availability)
  • Public IP SKU must match the load balancer SKU and region
  • Backend pool and its VMs must be in the same VNet; every additional backend pool on that load balancer must use the same VNet
  • Standard SKU is secure by default: inbound traffic is blocked until an NSG allows it; zone-redundant or zonal
  • Basic SKU: pool VMs must be in a single availability set or scale set (and the same VNet)

Basic Load Balancer – Implementation – Part 1

  • All resources > Search: Public IP address
    • IP Version
    • SKU
      • Standard
      • Basic
    • Name: load-ip
    • Dynamic/Static
    • Resource group
  • All resources > Search: Load Balancer
    • Publisher name: Microsoft
    • Choose: Load Balancer
      • Basic
        • Resource group
        • Name: loadbalancer
        • Type: Internal/ Public
        • SKU: Standard/ Basic
      • Frontend IP configuration
        • Name: load-frontendip
        • Public IP address

Basic Load Balancer – Implementation – Part 2

  • Loadbalancer > Backend pool
    • Name: ‘windowspool’
    • Virtual network: ‘load-network (load-grp)’
    • Associated to: Virtual machines/ Virtual machines scale set
    • IP Version: IPv4
    • Virtual machines
      • ‘loadvm2’
      • ‘loadvm1’
  • Loadbalancer > Health probes
    • Name: ProbeA
    • Protocol: TCP
    • Port: 80
    • Interval: 5
    • Unhealthy threshold: 2
  • Loadbalancer > Load balancing rules
    • Name: RuleA
    • Frontend IP address: ‘load-frontendip (52.178.133.138)’
    • Port: 80
    • Backend port: 80
    • Backend pool: windowspool
    • Health probe: ProbeA (TCP: 80)

Lab – Basic Load Balancer – NAT rules

  • Loadbalancer > Inbound NAT rules >
    • Name: ‘loadvm1rule’
    • Frontend IP address: ‘load-frontendip (52.178.133.138)’
    • Service: RDP
    • Port: ‘49152’
    • Target virtual machine: ‘loadvm1’
    • Network IP configuration: ‘ipconfig1 (10.0.0.4)’
    • Target port: ‘3389’

Lab – Standard Load Balancer – Outbound Rules

  • Outbound rules
    • Name: ‘OutboundRule’
    • Frontend IP address: ‘loadfrontendip (20.82.236.229)’
    • Protocol: ‘TCP’
    • Backend pool: ‘PoolA (2 instances)’
    • Port allocation: ‘Manually choose number of outbound ports’
    • Choose by: ‘Ports per instance’
    • Ports per instance: ‘16’ (each frontend public IP provides 64,000 SNAT ports; ports per instance × maximum backend instances must fit in that)

Application Gateway

  • Layer 7 (HTTP/HTTPS) web traffic load balancer; regional
  • HTTP(S) listener: basic (one site per port) or multi-site (hostnames, including wildcards)
  • Routing rule = listener + backend target (backend pool + backend HTTP settings with health probe); basic or path-based. HTTP/HTTPS traffic only.
  • Creation example:
  • Listener1 – multi-site (multiple hostnames / wildcard)
  • Hostnames: app1.contoso.com and app2.contoso.com
  • Backend1 = as1.contoso.com; RoutingRule1 = Listener1 + Backend1 + HttpSetting1 with health probe
  • WAF can be enabled (WAF_v2 tier)
  • One listener per site: for multiple sites, create multiple listeners, backend pools and rules (or one multi-site listener carrying several hostnames)
  • Application Gateway Ingress Controller (AGIC) is a Kubernetes application that programs the gateway from ingress resources
  • Application Gateway needs a dedicated subnet in the virtual network (no other resource types in it).

Lab – Azure Application Gateway – URL Routing – Implementation

  • All resources > Search: Application Gateway
    • Basic
      • Application gateway name: ‘app-gateway’
      • Tier: ‘Standard V2’
      • Enable autoscaling: ‘No’
      • Instance count: ‘1’
      • Availability zone: ‘None’
      • Virtual network: ‘application-network’
      • Subnet: ‘appSubnet (10.0.1.0/24)’
  • Frontends
    • Public IP address
  • Backends
    • Name: ‘imagespool’
      • Virtual machines: ‘appvm1’
    • Name: ‘videospool’
      • Virtual machine: ‘appvm2’
  • Routing Rule
    • Rule name: ‘RuleA’
    • Listener name: ‘Listener’
    • Frontend IP Protocol: ‘Public’
    • Port: 80
    • Backend target: ‘imagespool’
    • Path-based routing: ‘/images/’ > imagespool
    • Path-based routing: ‘/videos/’ > videospool
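
The listener, routing-rule and path-map logic of the URL-routing lab above, as an added Python model (example code, not from the page and not Application Gateway's implementation). Listener names, hostnames, pools and probe results are constructed; the model keeps the gateway's order of decisions: listener by port and Host header (exact hostname before wildcard before basic), path rule in listed order, then a probe-healthy backend, with 502 when the pool has none.

```python
"""Layer-7 request routing as Application Gateway resolves it: choose the listener
by port and Host header (multi-site exact match, then wildcard, then a basic
listener), then the path-based rule inside the routing rule, then a healthy backend
from the pool. Listeners, pools and probe results are constructed for this example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Listener:
    name: str
    port: int
    hostnames: tuple = ()      # () = basic listener; wildcards such as "*.contoso.com" allowed


@dataclass
class BackendPool:
    name: str
    members: dict              # address -> True when the health probe passes
    rr: int = 0

    def pick(self):
        """Round-robin over probe-healthy members; None means the gateway answers 502."""
        healthy = [a for a, ok in self.members.items() if ok]
        if not healthy:
            return None
        member = healthy[self.rr % len(healthy)]
        self.rr += 1
        return member


@dataclass
class RoutingRule:
    listener: str
    default_pool: str
    path_rules: tuple = ()     # ((pattern, pool), ...) in order; "/images/*" is a prefix match


class AppGateway:
    def __init__(self, listeners, pools, rules):
        self.listeners = {l.name: l for l in listeners}
        self.pools = {p.name: p for p in pools}
        self.rules = {r.listener: r for r in rules}

    def _listener(self, host, port):
        host = host.split(":")[0].lower()     # Host header may carry a port
        exact = wildcard = basic = None
        for l in self.listeners.values():
            if l.port != port:
                continue
            names = [h.lower() for h in l.hostnames]
            if not names:
                basic = basic or l
            elif host in names:
                exact = exact or l
            elif any(fnmatchcase(host, n) for n in names):   # simplified: '*' matches any characters
                wildcard = wildcard or l
        return exact or wildcard or basic

    @staticmethod
    def _path_pool(rule, path):
        path = path.split("?")[0]              # the query string is not part of the path map
        for pattern, pool in rule.path_rules:  # first matching rule wins
            if pattern.endswith("*"):
                if path.startswith(pattern[:-1]):
                    return pool
            elif path == pattern:
                return pool
        return rule.default_pool

    def route(self, host, port, path):
        """(status, pool name, backend address) the gateway would act on."""
        listener = self._listener(host, port)
        if listener is None:
            return "NO_LISTENER", None, None
        pool_name = self._path_pool(self.rules[listener.name], path)
        member = self.pools[pool_name].pick()
        return ("OK" if member else "BAD_GATEWAY"), pool_name, member


def demo():
    gw = AppGateway(
        listeners=[Listener("Listener", 80),
                   Listener("Listener1", 80, ("app1.contoso.com", "app2.contoso.com")),
                   Listener("ListenerWild", 80, ("*.contoso.com",))],
        pools=[BackendPool("imagespool", {"10.0.0.4": True}),
               BackendPool("videospool", {"10.0.0.5": True, "10.0.0.6": True}),
               BackendPool("as1pool", {"as1.contoso.com": True}),
               BackendPool("wildpool", {"10.0.0.9": False})],           # probe failing
        rules=[RoutingRule("Listener", "imagespool", (("/images/*", "imagespool"), ("/videos/*", "videospool"))),
               RoutingRule("Listener1", "as1pool"),
               RoutingRule("ListenerWild", "wildpool")])
    return {
        "images": gw.route("52.178.133.138", 80, "/images/logo.png"),
        "videos": gw.route("52.178.133.138", 80, "/videos/intro.mp4?quality=hd"),
        "videos_rr": gw.route("52.178.133.138", 80, "/videos/intro.mp4"),
        "default": gw.route("52.178.133.138", 80, "/"),
        "exact_host": gw.route("app2.contoso.com:80", 80, "/"),
        "wildcard_host": gw.route("dev.contoso.com", 80, "/"),
        "no_listener": gw.route("app1.contoso.com", 8080, "/"),
    }
```

The wildcard case is the one to watch in a real deployment: a host that only matches `*.contoso.com` lands on that listener's rule, and if its pool's probe fails the gateway returns 502 rather than falling back to the basic listener.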

App Service

  • PaaS
  • Web Apps, Function Apps and Logic Apps (Standard) run on App Service plans
  • An app can have regional VNet integration: its outbound traffic enters the VNet and can be routed through it (e.g. via a NAT gateway or firewall) before reaching the Internet.
  • An app integrates with one VNet at a time; apps in the same App Service plan can share the integration subnet

Lab – Azure Web Apps

  • All resources > Search: Web App
    • Subscription: ‘Azure subscription 1’
    • Resource Group: ‘app-grp’
    • Name: ‘gatewayapp’
    • Runtime stack: ‘.NET Core 3.1 (LTS)’
    • Region: ‘North Europe’
    • App Service Plan: ‘ASP-appgrp-8250’
  • Azure Web apps > App Service Editor (Preview)

Azure Web App – VNet Integration

  • The reverse of a private endpoint: a private endpoint brings inbound traffic to the app onto a private IP in the VNet; VNet integration lets the app's outbound traffic originate inside the VNet
  • Puts the Web App's outbound side into the private network

Lab – Azure Web App – VNET Integration – Setup

  • App Service
    • Scale up (App Service plan)
      • Production
        • 100 total ACU

Front Door

  • Global layer 7 entry point: routes each user to the lowest-latency healthy origin (web app servers in several regions), with optional weighting and session affinity
  • Origin group = backend pool, origin = backend node
  • 1 App Service app = 1 origin
  • Premium SKU provides the bot protection managed ruleset
  • A WAF policy (global) can be attached
  • Only the Premium SKU supports Private Link to origins

Lab – Azure Front Door – Implementation

  • All resource > ‘Front Door’
    • Backend pool
      • Name: ‘PoolA’
      • Backend host type: ‘Custom host’
      • Backend host name: ‘137.135.201.17’
    • Frontends/domains
      • Host name: ‘newapp100’
    • Routing rules
      • Name: ‘RuleA’
      • Backend Pool: ‘PoolA’

Lab – Azure Front Door – WAF

  • Microsoft Azure > Search: WAF
    • Policy for: ‘Global WAF (Front Door)’
    • Policy name: ‘frontdoorpolicy’
    • Policy mode: ‘Prevention’
    • Custom rules
      • Custom rule name: ‘BlockIP’
      • Match type: ‘IP address’
      • IP address or range: ’92.98.38.250’
      • Then: ‘Deny traffic’
      • Priority: ‘100’
    • Association
      • Frontdoor: ‘newapp100’
      • Frontend host: ‘newapp100-azurefd-net’

Traffic Manager

  • DNS-level routing: CNAME the web URL to TMprofile1.trafficmanager.net; nested profiles are possible, e.g. one parent Geographic profile with two child Weighted profiles

Lab – Azure Traffic Manager – Priority Routing method

  • All resource > Search: Traffic Manager profile
    • Name: ‘app-profile100010’
    • Routing method: ‘Priority/Geographic/Subnet/Multivalue/Weighted’
    • Resource group: ‘traffic-grp’
  • Traffic Manager profile > Endpoints
    • Type: ‘Azure endpoint/Nested endpoint’
    • Name: ‘primaryendpoint1’
    • Target resource type: ‘Public IP address’
    • Public IP address: ‘trafficvm1-ip (40.85.137.92)’

Private Endpoint

  • Brings inbound traffic to a PaaS service (Web App, database, storage) onto a private IP (a NIC) in one subnet of the VNet
  • Outbound traffic from a Web App into the VNet needs VNet integration instead
  • Use the VNet private IP to bring the service into the VNet, e.g. a database or storage account; the endpoint lives in one subnet
  • Clients in the VNet (and peered or on-prem networks) connect to the storage account via the endpoint's private IP; pair it with a privatelink DNS zone so the public FQDN resolves to that IP.

Lab – Private Endpoint

  • Storage account
    • Networking
      • Private endpoint connections
      • Name: storage-endpoint
      • Target sub-resource: blob

Lab – Azure Web App – Private Endpoint

  • All resources > Search: Web App
    • Name: new-app90909
    • Runtime stack: .NET Core 3.1 (LTS)
    • Sku and size: P1V2
  • App Service
    • Networking
      • Private endpoints
        • Name: web-endpoint
        • Virtual network: app-network
        • Subnet: default

Service Endpoint

  • Enabled per subnet for a service (e.g. Microsoft.Storage); the service then sees the VNet private IP as the source and its firewall can be restricted to that subnet
  • Service endpoint policy is optional: it restricts which storage accounts the subnet can reach over the endpoint
  • Access still goes to the storage account's public endpoint, but over the Azure backbone
  • If a VM has no public IP and must reach a public service such as Azure Storage, enable the service endpoint on its subnet.
  • The VM then reaches Azure Storage via the Azure backbone network instead of the Internet.

Lab – Creating the service endpoint

  • Virtual Network
    • Service endpoints
      • Service: ‘Microsoft.Storage’
      • Subnets: ‘default’
  • Storage account
    • Networking
      • Firewalls and virtual networks
        • Add existing virtual network
    • Storage Explorer

Lab – Service endpoint policies

  • All resources: Search: service endpoint
    • Name: policy
    • Policy definitions
      • Service: Microsoft.Storage
      • Scope: Single account
      • Subscription: Azure subscription 1
      • Resource group: security-grp
      • Resource: vmstore1000
  • Virtual network
    • Service endpoints
      • Service: Microsoft.Storage
      • Service endpoint policies: policy
      • Subnets: default
  • Service Endpoint route through Azure Backbone, but still going to the storage Public IP address.

Private Link Service

  • Created on a Standard Load Balancer frontend IP configuration (provider side)
  • Share the service alias/resource ID with the consumer; the consumer creates a private endpoint and the provider accepts the connection request

Azure Firewall

  • Deployed into the dedicated AzureFirewallSubnet (/26) of a VNet in the same resource group and region; regional, stateful, managed
  • Standard SKU: can filter by web category (Premium adds TLS inspection, IDPS and full-URL filtering); forced tunnelling needs an AzureFirewallManagementSubnet
  • (The following three points describe Azure Front Door, not Azure Firewall: a global service like Azure Traffic Manager; can combine path-based routing with Application Gateway behind it; mainly for geo-distributed, low-latency user experience)

Lab – Azure Firewall – Deployment

  • All resources > Search: Firewall
    • Name: ‘firewall’
    • Firewall tier: ‘Standard’
    • Firewall management: ‘Firewall Policy/Firewall rules (classic)’
    • Virtual network: ‘firewall-grp-vnet (firewall-grp)’
    • Public IP address: ‘’

Lab – Azure Firewall – NAT Rules

  • Firewall
    • Overview
      • Firewall policy
        • DNAT Rules
          • Name: ‘RDPRules’
          • Rules: ‘firewall public IP 13.79.157.190:4000 > VM private IP:3389’

Lab – Azure Firewall – Routing traffic through firewall

  • All resources > Search: Route table
    • Name: ‘firewallroutetable’
    • Add route
      • Route name: ‘InternetRoute’
      • Address prefix: ‘0.0.0.0/0’
      • Next hop type: ‘Virtual appliance’
      • Next hop address: ’10.0.1.4 (firewall internal address)’
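
How Azure picks the effective route for the ‘customroute’ table in the UDR lab earlier and for the ‘InternetRoute’ above, as an added Python model (example code, not from the page and not Azure's implementation): longest prefix match first, then user-defined over BGP over system routes on ties. The route tables, the BGP-learned prefix and the addresses are constructed for the example.

```python
"""Azure's effective-route selection for a subnet: longest prefix match first,
then on equal prefix length user-defined > BGP > system. Route tables mirror the
UDR lab ('customroute' to an NVA) and the firewall lab ('InternetRoute' to the
firewall); they are constructed here, nothing is read from Azure."""
import ipaddress
from dataclasses import dataclass

PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}   # lower wins when prefix lengths tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str        # VnetLocal, VNetPeering, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop_ip: str = ""     # only VirtualAppliance carries an address
    source: str = "System"    # "System", "BGP" or "User"


def system_routes(vnet_prefixes, peered=()):
    """Default routes Azure installs in every subnet of the VNet."""
    routes = [Route(p, "VnetLocal") for p in vnet_prefixes]
    routes += [Route(p, "VNetPeering") for p in peered]
    routes.append(Route("0.0.0.0/0", "Internet"))
    # RFC 1918 and shared address space are dropped unless a more specific route exists
    routes += [Route(p, "None") for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
    return routes


def effective_routes(vnet_prefixes, udrs=(), bgp=(), peered=(), propagate_bgp=True):
    """System routes + the associated route table's UDRs + gateway-learned BGP routes."""
    routes = system_routes(vnet_prefixes, peered) + list(udrs)
    if propagate_bgp:            # 'Propagate gateway routes = No' on the route table drops these
        routes += list(bgp)
    return routes


def select_route(routes, dst):
    ip, best, best_key = ipaddress.ip_address(dst), None, None
    for r in routes:
        network = ipaddress.ip_network(r.prefix)
        if ip in network:
            key = (-network.prefixlen, PRECEDENCE[r.source])
            if best_key is None or key < best_key:
                best, best_key = r, key
    return best


def next_hop(routes, dst):
    r = select_route(routes, dst)
    return (r.next_hop_type, r.next_hop_ip) if r else ("None", "")


def demo():
    vnet = ["10.0.0.0/16"]
    firewall_table = [Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User")]      # InternetRoute
    nva_table = [Route("10.0.0.0/16", "VirtualAppliance", "10.0.0.4", "User")]         # customroute
    bgp = [Route("10.1.0.0/16", "VirtualNetworkGateway", source="BGP")]                # on-prem prefix learned by the gateway
    udr_over_bgp = firewall_table + [Route("10.1.0.0/16", "VirtualAppliance", "10.0.1.4", "User")]
    fw = effective_routes(vnet, firewall_table, bgp)
    return {
        "internet_via_firewall": next_hop(fw, "8.8.8.8"),          # UDR /0 beats system /0
        "vnet_stays_local": next_hop(fw, "10.0.2.7"),              # system /16 beats UDR /0
        "onprem_via_gateway": next_hop(fw, "10.1.5.5"),            # BGP /16 beats UDR /0
        "rfc1918_black_hole": next_hop(fw, "172.16.5.5"),          # system /12 'None' beats UDR /0: never reaches the firewall
        "udr_beats_bgp": next_hop(effective_routes(vnet, udr_over_bgp, bgp), "10.1.5.5"),
        "intra_vnet_via_nva": next_hop(effective_routes(vnet, nva_table), "10.0.2.7"),   # same /16 as the system route: UDR wins
        "no_bgp_propagation": next_hop(effective_routes(vnet, firewall_table, bgp, propagate_bgp=False), "10.1.5.5"),
    }
```

The black-hole case is the one that bites in practice: a 0.0.0.0/0 route to the firewall does not carry RFC 1918 destinations there, because the system ‘None’ routes are more specific; on-prem ranges need a gateway-propagated or explicit UDR, and disabling gateway route propagation on the table removes the former.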

Lab – Web Application Firewall – Prevention Mode

  • Application gateway > Web application firewall
    • Tier: ‘WAF V2’
    • Firewall mode: ‘Detection/Prevention’
  • All resources > Search: Web Application Firewall (WAF)
    • Basic
      • Policy for: ‘Regional WAF (Application Gateway)’
      • Policy name: ‘webpolicy’
      • Policy mode: ‘Prevention’
  • Custom rules
    • Custom rule name: ‘BlockIP’
    • > Deny IP
  • Associate – Application Gateway

Lab – Web Application Firewall – Detection Mode

  • WAF > Overview > Switch to detection mode (requests are logged but not blocked)
    • Diagnostic settings
      • Diagnostic setting name: ‘logsetting’
      • Storage account: ‘appgatewaylog1000’
  • All resources > Storage account
    • Storage account name: ‘appgatewaylog1000’
  • appgatewaylog1000
    • Containers
      • Download the JSON logs (ApplicationGatewayFirewallLog)

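The custom-rule evaluation behind the Front Door WAF lab (BlockIP, Prevention mode) and the Application Gateway WAF labs above (Prevention versus Detection), extended to the geo-match and rate-limit rules that Lab 10 and Lab 24 configure later on this page, as an added Python model (example code, not from the page and not Azure WAF's implementation). Client IPs, the IP-to-country table and the request stream are constructed; managed rule sets, which run after custom rules, are left out.

```python
"""Custom-rule evaluation as an Azure WAF policy (Front Door or Application
Gateway) applies it: rules in priority order, AND-ed match conditions with
negation, IP and geo matches, a rate-limit rule with a per-client sliding window,
and Prevention versus Detection mode. Client IPs, the IP-to-country table and
the request stream are constructed for this example."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed stand-in for the WAF's GeoIP lookup.
GEOIP = {"92.98.38.250": "AE", "203.0.113.10": "JP", "198.51.100.7": "CA", "192.0.2.9": "US"}


@dataclass
class Condition:
    variable: str          # "RemoteAddr" or "RequestUri"
    operator: str          # "IPMatch", "GeoMatch" or "Contains"
    values: tuple
    negate: bool = False   # "is not" in the portal

    def matches(self, request):
        value = request[self.variable]
        if self.operator == "IPMatch":
            ip = ipaddress.ip_address(value)
            hit = any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        elif self.operator == "GeoMatch":
            hit = GEOIP.get(value) in self.values
        elif self.operator == "Contains":
            hit = any(v in value for v in self.values)
        else:
            raise ValueError(self.operator)
        return hit != self.negate


@dataclass
class CustomRule:
    name: str
    priority: int
    action: str                       # "Block", "Allow" or "Log"
    conditions: tuple                 # all must match
    rate_limit_threshold: int = 0     # > 0 makes this a rate-limit rule
    rate_limit_window: int = 60       # seconds


class WafPolicy:
    def __init__(self, name, mode, rules):
        self.name, self.mode = name, mode            # mode: "Prevention" or "Detection"
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.windows = defaultdict(deque)            # (rule, client ip) -> request timestamps

    def _rate_exceeded(self, rule, client, now):
        q = self.windows[(rule.name, client)]
        while q and now - q[0] >= rule.rate_limit_window:
            q.popleft()                              # sliding window, an approximation of the WAF's counter
        q.append(now)
        return len(q) > rule.rate_limit_threshold

    def evaluate(self, request, now=0.0):
        """(allowed, rule name, action). Managed rule sets, which run after custom rules, are omitted."""
        for rule in self.rules:
            if not all(c.matches(request) for c in rule.conditions):
                continue
            if rule.rate_limit_threshold and not self._rate_exceeded(rule, request["RemoteAddr"], now):
                continue                             # under the limit: keep evaluating lower-priority rules
            if rule.action == "Log":
                continue                             # logged, processing continues
            enforced = rule.action == "Block" and self.mode == "Prevention"
            return (not enforced), rule.name, rule.action
        return True, None, None


def demo():
    block_ip = CustomRule("BlockIP", 100, "Block", (Condition("RemoteAddr", "IPMatch", ("92.98.38.250",)),))
    non_canada = CustomRule("BlockNonCanada", 200, "Block",
                            (Condition("RemoteAddr", "GeoMatch", ("CA",), negate=True),))
    japan_limit = CustomRule("RateLimitJapan", 150, "Block", (Condition("RemoteAddr", "GeoMatch", ("JP",)),),
                             rate_limit_threshold=3, rate_limit_window=60)
    geo_policy = WafPolicy("frontdoorpolicy", "Prevention", [block_ip, non_canada])
    rate_policy = WafPolicy("webpolicy", "Prevention", [block_ip, japan_limit])
    detect_policy = WafPolicy("webpolicy-detect", "Detection", [block_ip])

    jp = {"RemoteAddr": "203.0.113.10", "RequestUri": "/"}
    jp_results = [rate_policy.evaluate(jp, now=t)[0] for t in (0, 10, 20, 30, 40)]
    late = rate_policy.evaluate(jp, now=100)[0]       # all five earlier requests have aged out of the 60 s window
    return {
        "blocked_ip": geo_policy.evaluate({"RemoteAddr": "92.98.38.250", "RequestUri": "/"}),
        "canada_allowed": geo_policy.evaluate({"RemoteAddr": "198.51.100.7", "RequestUri": "/"}),
        "us_blocked_by_geo": geo_policy.evaluate({"RemoteAddr": "192.0.2.9", "RequestUri": "/"}),
        "japan_rate_limit": jp_results,
        "japan_after_window": late,
        "detection_mode_passes": detect_policy.evaluate({"RemoteAddr": "92.98.38.250", "RequestUri": "/"}),
    }
```

Note how priority interacts with the rate limit: a rate-limit rule whose counter is under the threshold does not stop evaluation, so the next rule in priority order still applies; and in Detection mode a matched Block rule is reported but the request passes.
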
NAT Gateway

  • Provides outbound SNAT for the subnets it is associated with; it takes precedence over load balancer outbound rules and instance-level public IPs
  • Can be associated with multiple subnets as long as they are in the same VNet.
  • IPv4 only, no IPv6 support

Lab – Azure Virtual Network NAT

  • All resource > Search: NAT Gateway
    • NAT gateway name: ‘natgateway’
    • Public IP addresses: ‘nat-ip’
    • Virtual network: ‘network-nat-vnet’
    • Checked: ‘SubnetB’

Local DNS

  • Virtual Network > DNS servers
    • Custom
      • 10.2.0.4

Default Azure DNS

  • 168.63.129.16

Azure Private DNS

  • All resource > Create > Private DNS > Create
    • Resource group
    • Name: cloud2hub.com
  • > Create Record set > Create A record
  • > Virtual network links > Add
    • Link name: new-network-link
    • Virtual network
    • Enable auto registration

Azure Private DNS and VNET Peering

  • Private DNS zone (cloud2hub.com) > Virtual network links
    • Subscription
    • Virtual network
  • And also virtual network peering between DNS VNET and the VM VNET.

Azure Public DNS

  • All resources > DNS zone
    • Subscription
    • Resource group
    • Name (e.g. cloud2hub.com)
    • Record set
      • IP address (A record)
  • Virtual Machine > Networking > Inbound port rules
    • Service: 80
    • Name: Port_80
  • GoDaddy (registrar)
    • Delegate the domain by setting its name servers to the four ns1-xx.azure-dns.com / .net / .org / .info values shown on the zone

Azure DNS Private Resolver

  • Inbound endpoint: an IP in the VNet that on-prem DNS servers forward to, so on-prem can resolve Azure private DNS zones
  • Outbound endpoint + DNS forwarding ruleset: forwards queries for on-prem domains from Azure to the on-prem DNS servers

Network Watcher – Connection Troubleshoot

  • Packet capture writes to a storage account (blob) or a file path on the VM
  • Connection monitor: continuous end-to-end connectivity monitoring from a VM (or from a whole region) to other resources
  • VM
    • Connection troubleshoot: one-off reachability and latency test to a destination
Lab – Network Watcher – Connection Monitor

  • Network Watcher
    • Connection Monitor
      • Connection Monitor Name: ‘vm-monitoring’
      • Workspace configuration: ‘Use workspace created by connection monitor (default)’ (Log data storage)
    • IP Flow Verify
    • Next hop
    • NSG Diagnostic
    • NSG Flow logs

Traffic Analytics

  • Require Storage account
  • Require Log Analytics Workspace
  • Require NSG flow log

Lab

Lab1: Create Local Network Gateway

Step1: Search Local Network Gateway

Step2: IP address: [On-prem public IP]

Step3: Address space: [Internal address range]

Lab2: VNet Peering with Hub VNet2 and Spoke VNet1,3

Step1: In VNet2, select peering VNet1

Step2: In VNet2, select peering VNet3

Lab3: Azure Front Door

Step1: Networking > Front Door

Step2: select Front Door (classic)

Step3: In Frontend host > hostname: contoso-frontend

Step4: In Backend pool > name: myBackendPool

Step5 (repeat for each web app): In Backend > Backend host type: App service, Backend hostname: WebAppContoso

Step6: In Routing rule > Name: LocationRule

Lab4: NAT Gateway

Step1: Search NAT Gateway

Step2: Name: myNATGateway

Step3: OutboundIP: myPublicIP

Step4: In the Subnet, change NAT Gateway to myNATGateway

Lab5: Link private DNS to VNet

Step1: Locate DNS zone contosoazure

Step2: Select Virtual Network Link

Step3: Enable auto registration

Lab6: Create a VNet

Step1: Search VNet

Step2: IP Address Space: 10.5.0.0/16

Step3: Subnet: 10.5.1.0/24

Lab7: Monitor Alert for a VNet

Step1: Monitor > Alerts > Create alert rule

Step2: Scope > select VNet3 > Apply

Step3: Condition > See all signals > Activity Log > All Administrative operations > Apply

Step4: Actions > Create action group > Basics > Notifications: Email/SMS message/Push/Voice > enter the email > Name the action group; Actions: not required for this scenario, notification is enough; Tags: optional > Review + create

Step5: Details > Alert rule name: VNET3 Notification; Description: Notify the admin of any changes on VNET3; Tags: any tag that represents the alert rule

Lab8: Archive VNet to a storage account

Step1: Go to VNet

Step2: Diagnostic setting

Step3: Add, AllMetrics, archive to a storage account

Step4: select the storage account

Lab9: Route to NVA

Step1: Create a route table called InternetAccess

Step2: Add route: Destination type: IP Addresses; Destination IP address/CIDR range: 0.0.0.0/0; Next hop type: Virtual appliance; Next hop address: 10.3.2.100

Step3: Save, then associate the InternetAccess route table with subnet subnet3-1

Lab10: WAF

Step1: Search WAF

Step2: Basic Tab

Step3: Association Tab > Application Gateway > Listener > Routing Rule

Step4: WAF default in Detection mode

Step5: Add custom rule > Geo Location > Match variable: RemoteAddr > Operation: is not > Country: Canada

Step6: Add custom rule for allowing Canada

Lab11: NSG to block port 5585 to a subnet

Step1: Create NSG: search Network Security Group > Subscription > Resource group > Name > Region > Tags > Review + create

Step2: Add inbound security rule: Source: Any; Source port range: *; Destination: IP addresses; Destination IP address/CIDR range: range of Subnet1-2; Service: Custom; Destination port range: 5585; Protocol: Any; Action: Deny; Priority: 100; Name: DenyAnyCustom5585Inbound

Step3: Associate the NSG with the subnet: Virtual network > Subnets > Subnet1-2 > Network security group > select the NSG created above > Save

Lab12: Connect storage account using private endpoint

Step1: Search storage account and locate storage123456789

Step2: Under Networking Tab, select disable public access and use private endpoint, select VNet1

Lab13: Add gateway subnet

Step1: Select VNet2, add subnet

Step2: Specify 10.0.0.0/27

Lab14: Create DNS record

Step1: Open the fabrikam.com DNS zone

Step2: add record, Name: www, Type:A, IP: 131.107.2.50

Lab15: Traffic from a subnet to Internet route through On-prem firewall

Step1: Create a route table

Step2: Add route: dst type:IP, dst IP: 0.0.0.0/0, next hop: Virtual Appliance, next hop address: firewall IP,

Step3: associate VNet2 subnet2-1

Lab16: Azure DNS Private Resolver

Step1: Search DNS Private Resolver

Step2: Name: mydnsresolver, select VNet2

Step3: Add a DNS forwarding ruleset on the outbound endpoint: Name: internal, Domain name: internal.fabrikam.com, Destination IP: 10.2.1.4 & 10.2.1.5 (on-prem DNS servers)

Lab17: Traffic to host.fabrikam.com direct to Traffic Manager.

Step1: Search Traffic Manager

Step2: Select Endpoint

Step3: Type: External endpoint, Fully-qualified domain name: host.fabrikam.com, Weight: 100

Lab18: FW direct traffic to Internet

Step1: search firewall

Step2: Firewall management: Firewall Policy

Step3: Add new firewall policy

Step4: Subnet address range (AzureFirewallSubnet) 10.1.255.0/24

Step5: Create a route table with 0.0.0.0/0 > Virtual appliance > firewall private IP and associate it with the workload subnets

Lab19: WAF apply to application gateway to block IP

Step1: Search WAF

Step2: Add custom rules and Associate to application gateway

Lab20: VNet to log event and metrics and query from KQL

Step1: VNet > Diagnostic settings: tick all logs and metrics, send to a Log Analytics workspace, then query them with KQL

Lab21: Restrict subnets outbound traffic to HTTP/HTTPS

Step1: Firewall > Add a network rule collection allowing TCP 80/443 (or an application rule collection with FQDN targets); with a 0.0.0.0/0 UDR to the firewall, everything else is denied by default

Lab22: Restrict storage to a subnet

Step1: select a storage account

Step2: select Networking

Step3: Enabled from selected virtual network and IP addresses

Step4: Add existing virtual network

Lab23: Restrict a subnet access to another subnet

Step1: Create NSG

Step2: Associate a subnet

Step3: Create a security rule

Lab24: Rate limit Japan

Step1: Search WAF

Step2: Add custom rule rate limit

Lab25: Create a subnet to a storage account

Step1: Create a VNet & Subnet

Step2: Search Private Endpoint

Step3: Storage sub-resource: blob (private DNS zone privatelink.blob.core.windows.net)

Step4: Private DNS integration

Step5: select subnet

Lab26: Requests for www.relecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net

Step1: Search private DNS zone

Step2: Name: relecloud.com, link it to the virtual networks

Step3: Add a CNAME record www pointing to frontdoor1.azurefd.net
