AZ-104
Azure Administrator
Instructor: Sharif Khairy
Module 4 Virtual Networking
AZ-900
Contents
Module 4 Virtual Networking
In this module, you will learn about basic virtual networking concepts like virtual
networks and subnetting, IP addressing, Azure DNS, network security groups,
and Azure Firewall.
Contents
Module 04 – Virtual Networking
● Virtual Networks
● IP Addressing
● Network Security groups
● Azure Firewall
● Azure DNS
● Lab 04 - Implement Virtual Networking
Virtual Networks
Azure Networking Components
Once the resources are moved to Azure, they require the same networking
functionality as an on-premises deployment, and in specific scenarios require
some level of network isolation.
Azure has many networking components.
Virtual Networks
An Azure Virtual Network (VNet) is a representation of your own network in the
cloud.
You can use VNets to provision and manage virtual private networks (VPNs) in
Azure, link the VNets with other VNets in Azure, or with your on-premises IT
infrastructure to create hybrid or cross-premises solutions.
You also have control of DNS server settings for VNets, and segmentation of the
VNet into subnets.
Virtual Networks
Virtual networks can be used in many ways.
● Create a dedicated private cloud-only VNet.
● Securely extend your data center with VNets.
● Enable hybrid cloud scenarios.
Subnets
A virtual network can be segmented into one or more subnets.
Subnets provide logical divisions within your network.
Subnets can help improve security, increase performance, and make it easier to
manage the network.
Each subnet contains a range of IP addresses that fall within the virtual network
address space.
Each subnet must have a unique address range, specified in CIDR format.
The address range cannot overlap with other subnets in the virtual network in
the same subscription.
Subnets
Considerations
● Service requirements. Each service directly deployed into a virtual network has
specific requirements for routing and for the types of traffic that must be allowed
into and out of its subnets.
A service may require, or create, its own subnet.
For example, if you connect a virtual network to an on-premises network using
an Azure VPN Gateway, the virtual network must have a dedicated subnet for the
gateway.
● Virtual appliances. By default, Azure routes network traffic between all subnets in a
virtual network.
You can override Azure's default routing to prevent routing between subnets,
or to route traffic between subnets through a network virtual appliance (NVA).
So, if you require that traffic between resources in the same virtual network flow
through an NVA, deploy the resources to different subnets.
● Service endpoints. You can limit access to Azure resources such as an Azure
storage account or Azure SQL database to specific subnets with a virtual network
service endpoint, and you can deny access to the resources from the internet.
You may create multiple subnets and enable a service endpoint for some
subnets but not others.
● Network security groups. You can associate zero or one network security
group with each subnet in a virtual network.
You can associate the same, or a different, network security group with each
subnet.
Each network security group contains rules that allow or deny traffic to and
from sources and destinations.
Azure reserves the first three IP addresses and the last IP address in each subnet
address range.
Implementing Virtual Networks
You can create new virtual networks at any time.
You can also add virtual networks when you create a virtual machine.
Either way you will need to define the address space, and at least one subnet.
By default, you can create up to 50 virtual networks per subscription per region,
although you can increase this limit to 500 by contacting Azure support.
Demonstration - Creating Virtual Networks
Create a virtual network in the portal
Create a virtual network using PowerShell
1. Create a virtual network. Use values as appropriate.
$myVNet2 = New-AzVirtualNetwork -ResourceGroupName myResourceGroup -Location EastUS -Name myVNet2 -AddressPrefix 10.0.0.0/16
2. Verify your new virtual network information.
Get-AzVirtualNetwork -Name myVNet2
3. Create a subnet. Use values as appropriate.
$mySubnet2 = Add-AzVirtualNetworkSubnetConfig -Name mySubnet2 -AddressPrefix 10.0.0.0/24 -VirtualNetwork $myVNet2
4. Verify your new subnet information.
Get-AzVirtualNetworkSubnetConfig -Name mySubnet2 -VirtualNetwork $myVNet2
5. Associate the subnet to the virtual network.
$mySubnet2 | Set-AzVirtualNetwork
6. Return to the portal and verify your new virtual network with subnet was
created.
IP Addressing
You can assign IP addresses to Azure resources to communicate with other Azure
resources, your on-premises network, and the Internet.
There are two types of IP addresses you can use in Azure.
Virtual networks can contain both public and private IP address spaces.
1. Private IP addresses: Used for communication within an Azure virtual network
(VNet), and your on-premises network, when you use a VPN gateway or
ExpressRoute circuit to extend your network to Azure.
2. Public IP addresses: Used for communication with the Internet, including Azure
public-facing services.
Static vs Dynamic addressing
IP addresses can also be statically assigned or dynamically assigned.
Static IP addresses do not change and are best for certain situations such as:
● DNS name resolution
● IP address-based security models which require apps or services to have a static
IP address.
● SSL certificates linked to an IP address.
● Firewall rules that allow or deny traffic using IP address ranges.
● Role-based VMs such as Domain Controllers and DNS servers.
IP Addresses are never managed from within a virtual machine.
Creating Public IP Addresses
IP Version. Select IPv4, IPv6, or Both.
Selecting Both will result in two public IP addresses being created: one IPv4
address and one IPv6 address.
SKU. You cannot change the SKU after the public IP address is created.
A standalone virtual machine, virtual machines within an availability set, or
virtual machine scale sets can use Basic or Standard SKUs.
Mixing SKUs between virtual machines within availability sets or scale sets or
standalone VMs is not allowed.
Name. The name must be unique within the resource group you select.
In Azure, SKU (Stock Keeping Unit) refers to a specific version or offering of a
resource.
It defines the characteristics, capabilities, features, performance levels, and
pricing of Azure resources and services such as virtual machines, storage
accounts, databases, and more.
IP address assignment
Dynamic. Dynamic addresses are assigned only after a public IP address is
associated to an Azure resource, and the resource is started for the first time.
Dynamic addresses can change if they're assigned to a resource, such as a virtual
machine, and the virtual machine is stopped (deallocated), and then restarted.
The address remains the same if a virtual machine is rebooted or stopped (but
not deallocated).
Static. Static addresses are assigned when a public IP address is created.
Static addresses are not released until a public IP address resource is deleted.
If you select IPv6 for the IP version, the assignment method must be Dynamic for
Basic SKU.
Standard SKU addresses are Static for both IPv4 and IPv6.
Public IP Addresses
A public IP address resource can be associated with virtual machine network
interfaces, internet-facing load balancers, VPN gateways, and application
gateways.
*Static IP addresses are only available on certain SKUs.
Address SKUs
When you create a public IP address you are given a SKU choice of either Basic or
Standard.
Your SKU choice affects the IP assignment method, security, available resources,
and redundancy.
Private IP Addresses
A private IP address resource can be associated with virtual machine network
interfaces, internal load balancers, and application gateways.
● Dynamic. Azure assigns the next available unassigned or unreserved IP
address in the subnet's address range.
For example, Azure assigns 10.0.0.10 to a new resource if addresses
10.0.0.4-10.0.0.9 are already assigned to other resources. Dynamic is the default
allocation method.
● Static. You select and assign any unassigned or unreserved IP address in the
subnet's address range.
For example, if a subnet's address range is 10.0.0.0/16 and addresses
10.0.0.4-10.0.0.9 are already assigned to other resources, you can assign any
address between 10.0.0.10 - 10.0.255.254.
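An added Python model (not from the course material) of two points made above: subnets must be unique, non-overlapping CIDR ranges inside the VNet address space, and a private IP is allocated either dynamically (the next available unassigned address) or statically (an unassigned, unreserved address you choose). The class and function names are this example's own, and it assumes the addresses below x.x.x.4 and the last address of a subnet are reserved, which matches the deck's example where 10.0.0.4 is the first address handed out.

```python
from ipaddress import IPv4Address, IPv4Network

# Assumption for this model: the four addresses below x.x.x.4 and the last
# (broadcast) address of a subnet are never handed out, consistent with the
# deck's example where 10.0.0.4 is the first address a resource receives.
RESERVED_AT_START = 4


class Subnet:
    def __init__(self, name, prefix):
        self.name = name
        self.net = IPv4Network(prefix)   # must be a valid CIDR, e.g. 10.0.0.0/24
        self.assigned = set()            # addresses already given to resources

    def is_reserved(self, ip):
        return (ip < self.net.network_address + RESERVED_AT_START
                or ip == self.net.broadcast_address)

    def allocate_dynamic(self):
        """Dynamic: Azure hands out the next available unassigned, unreserved address."""
        for ip in self.net:
            if not self.is_reserved(ip) and ip not in self.assigned:
                self.assigned.add(ip)
                return str(ip)
        raise RuntimeError(f"{self.name}: no free addresses left")

    def allocate_static(self, address):
        """Static: you choose the address; it must be in range, unreserved and unused."""
        ip = IPv4Address(address)
        if ip not in self.net:
            raise ValueError(f"{ip} is outside {self.net}")
        if self.is_reserved(ip):
            raise ValueError(f"{ip} is reserved by Azure in {self.net}")
        if ip in self.assigned:
            raise ValueError(f"{ip} is already assigned")
        self.assigned.add(ip)
        return str(ip)

    def assignable_range(self):
        """Lowest free address and highest assignable address (last address - 1)."""
        first = next(ip for ip in self.net
                     if not self.is_reserved(ip) and ip not in self.assigned)
        return str(first), str(self.net.broadcast_address - 1)


class VNet:
    def __init__(self, address_space):
        self.net = IPv4Network(address_space)
        self.subnets = []

    def add_subnet(self, name, prefix):
        """Subnets must be unique CIDR ranges inside the VNet space that do not overlap."""
        new = IPv4Network(prefix)
        if not new.subnet_of(self.net):
            raise ValueError(f"{new} is not inside the VNet address space {self.net}")
        for existing in self.subnets:
            if existing.net.overlaps(new):
                raise ValueError(f"{new} overlaps {existing.name} ({existing.net})")
        subnet = Subnet(name, prefix)
        self.subnets.append(subnet)
        return subnet


def deck_example():
    """The deck's scenario: a 10.0.0.0/16 subnet with 10.0.0.4-10.0.0.9 already taken."""
    subnet = VNet("10.0.0.0/16").add_subnet("default", "10.0.0.0/16")
    for _ in range(6):                           # six resources take .4 through .9
        subnet.allocate_dynamic()
    static_range = subnet.assignable_range()     # ('10.0.0.10', '10.0.255.254')
    next_dynamic = subnet.allocate_dynamic()     # '10.0.0.10'
    return next_dynamic, static_range
```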
Network Security Groups
You can limit network traffic to resources in a virtual network using a network
security group (NSG).
A network security group contains a list of security rules that allow or deny
inbound or outbound network traffic.
An NSG can be associated to a subnet or a network interface.
Subnets
You can assign NSGs to subnets and create protected screened subnets (also
called a DMZ).
These NSGs can restrict traffic flow to all the machines that reside within that
subnet.
Network Interfaces
You can assign NSGs to a NIC so that all the traffic that flows through that
NIC is controlled by NSG rules.
Each network interface that exists in a subnet can have zero, or one,
associated network security groups.
NSG Rules
Security rules in network security groups enable you to filter the type of
network traffic that can flow in and out of virtual network subnets and
network interfaces.
Azure creates several default security rules within each network security
group.
You can add more rules by specifying Name, Priority, Port, Protocol (Any, TCP,
UDP), Source (Any, IP Addresses, Service tag), Destination (Any, IP Addresses,
Virtual Network), and Action (Allow or Deny).
Azure creates the default rules in each network security group that you create.
You cannot delete the default rules, but you can override them by creating rules
with higher priorities (lower priority numbers).
Inbound rules
There are three default inbound security rules.
The rules deny all inbound traffic except from the virtual network and Azure load
balancers.
Outbound rules
There are three default outbound security rules.
The rules only allow outbound traffic to the Internet and the virtual network.
NSG Effective Rules
NSGs are evaluated independently, and an “allow” rule must exist at both
levels; otherwise traffic will not be admitted.
In the above example if there was incoming traffic on port 80, you would need
to have the NSG at subnet level ALLOW port 80, and you would also need
another NSG with ALLOW rule on port 80 at the NIC level.
For incoming traffic, the NSG set at the subnet level is evaluated first, then the
NSG set at the NIC level is evaluated.
For outgoing traffic, it is the converse.
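An added Python model (not from the course material) of the NSG processing described above: within one NSG, rules are processed in priority order and the first match terminates; inbound traffic must then be allowed by the subnet NSG and by the NIC NSG, in that order, with the converse for outbound. The six default rules and their priorities are as Azure creates them; the Rule and Flow types, the function names and the sample addresses are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; a lower number means higher priority
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # "*", "Tcp" or "Udp"
    source: str       # "*", a service tag such as "Internet", or a CIDR
    destination: str  # same choices as source
    dest_port: str    # "*", a port such as "80", or a range such as "1024-65535"
    access: str       # "Allow" or "Deny"

@dataclass
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_tag: str      # service tag Azure attributes to the source, e.g. "Internet"
    dst_ip: str
    dst_tag: str
    dst_port: int

def default_rules():
    """The six rules Azure creates in every NSG; undeletable, but custom rules (100-4096) run first."""
    return [
        Rule("AllowVnetInBound", 65000, "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
        Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "*", "*", "Internet", "*", "Allow"),
        Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
    ]

def _endpoint_matches(spec, ip, tag):
    if spec in ("*", tag):
        return True
    try:
        return ip_address(ip) in ip_network(spec, strict=False)
    except ValueError:  # spec is a service tag that does not apply to this endpoint
        return False

def _port_matches(spec, port):
    low, _, high = spec.partition("-")
    return spec == "*" or int(low) <= port <= int(high or low)

def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _port_matches(rule.dest_port, flow.dst_port)
            and _endpoint_matches(rule.source, flow.src_ip, flow.src_tag)
            and _endpoint_matches(rule.destination, flow.dst_ip, flow.dst_tag))

def evaluate(nsg, flow):
    """One NSG: lowest priority number first; the first matching rule terminates
    processing. Returns (access, name of the deciding rule)."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "<no match>"  # unreachable while the default DenyAll rules exist

def effective_access(subnet_nsg, nic_nsg, flow):
    """Both NSGs are evaluated independently and both must allow the flow. Inbound:
    subnet NSG first, then NIC NSG; outbound: the converse. None = no NSG at that level."""
    order = (subnet_nsg, nic_nsg) if flow.direction == "Inbound" else (nic_nsg, subnet_nsg)
    for nsg in order:
        if nsg is not None and evaluate(nsg, flow)[0] == "Deny":
            return "Deny"
    return "Allow"
```

With the deck's port 80 scenario, an Allow-HTTP rule in the subnet NSG alone still yields Deny from the NIC NSG's DenyAllInBound; the same rule at both levels yields Allow.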
Creating NSG Rules
It is easy to add inbound and outbound rules.
There is a Basic and Advanced page.
The advanced option lets you select from a large variety
of services such as HTTPS, RDP, FTP, and DNS.
Service. The service specifies the destination protocol and port range for this rule.
You can choose a predefined service, or Custom to provide your own port range.
Port ranges. If you choose a custom service, provide a single port such as 80, or a
range; this specifies on which ports traffic will be allowed or denied by this rule.
Provide an asterisk (*) to allow traffic on any port.
Priority. Rules are processed in priority order: the lower the number, the higher
the priority.
Enter a value between 100 and 4096 that is unique among all security rules within
the network security group.
Application Security Groups
Application Security Groups provide for the grouping of servers with similar port
filtering requirements, and group together servers with similar functions, such as
web servers.
ASGs have the following constraints
● There are limits to the number of ASGs you can have in a subscription, in addition to
other limits related to ASGs.
● You can specify one ASG as the source and destination in a security rule. You cannot
specify multiple ASGs in the source or destination.
● All network interfaces assigned to an ASG have to exist in the same virtual network.
You cannot add network interfaces from different virtual networks to the same ASG.
● If you specify an ASG as the source and destination in a security rule, the network
interfaces in both ASGs must exist in the same virtual network.
For example, if AsgLogic contained network interfaces from VNet1, and AsgDb
contained network interfaces from VNet2, you could not assign AsgLogic as the
source and AsgDb as the destination in a rule.
All network interfaces for both the source and destination ASGs need to exist in the
same virtual network.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your
Azure Virtual Network resources.
It's a fully stateful firewall as a service with built-in high availability and unrestricted
cloud scalability.
You can centrally create, enforce, and log application and network connectivity
policies across subscriptions and virtual networks.
Azure Firewall uses a static public IP address for your virtual network resources
allowing outside firewalls to identify traffic originating from your virtual network.
Azure Firewall features
● Built-in high availability
● Availability Zones
● Unrestricted cloud scalability
● Application FQDN filtering rules. You can limit outbound HTTP/S traffic or Azure
SQL traffic to a specified list of fully qualified domain names (FQDNs), including
wildcards.
● Network traffic filtering rules. You can centrally create allow or deny network
filtering rules by source and destination IP address, port, and protocol.
Rules are enforced and logged across multiple subscriptions and virtual networks.
● Threat intelligence. Threat intelligence-based filtering can be enabled for your
firewall to alert and deny traffic from/to known malicious IP addresses and domains.
● Multiple public IP addresses. You can associate multiple public IP addresses (up
to 100) with your firewall.
Firewall Rules
There are three kinds of rules that you can configure in Azure Firewall.
Remember that, by default, Azure Firewall blocks all traffic unless a rule explicitly
allows it.
NAT Rules
You can configure Azure Firewall Destination Network Address Translation (DNAT) to
translate and filter inbound traffic to your subnets.
Each rule in the NAT rule collection is used to translate your firewall public IP and
port to a private IP and port.
Application Rules
Application rules define fully qualified domain names (FQDNs) that can be accessed
from a subnet.
Rule Processing
When a packet is inspected to determine whether it is allowed, the rules are
processed in this order:
1. Network Rules
2. Application Rules (network and application)
The rules are terminating: once a positive match is found that allows the traffic
through, no more rules are checked.
Azure DNS
By default, when you create an Azure subscription, an Azure AD domain is
created for you.
This instance has an initial domain name in the form
domainname.onmicrosoft.com.
Custom domain name
Although the initial domain name for a directory can't be changed or deleted, you
can add any routable custom domain name you control.
Practical information about domain names
● Only a global administrator can perform domain management tasks in
Azure AD; by default, this is the user who created the subscription.
● Domain names in Azure AD are globally unique: no other Azure AD
directory can verify or use the same domain name.
● Before a custom domain name can be used by Azure AD, it must be added
to your directory and verified.
Verifying Custom Domain Names
When an administrator adds a custom domain name to an Azure AD, it is
initially in an unverified state.
Azure AD will not allow any directory resources to use an unverified domain
name.
So, after adding the custom domain name, you must demonstrate ownership
of the domain name. This is called verification, and it is done by adding a DNS
record (MX or TXT) provided by Azure to your company’s DNS zone. Once this
record is added, Azure will query the DNS domain for the presence of the
record.
Azure DNS Zones
Azure DNS provides a reliable, secure DNS service to manage and resolve
domain names in a virtual network without your needing to add a custom
DNS solution.
A DNS zone hosts the DNS records for a domain. So, to start hosting your
domain in Azure DNS, you need to create a DNS zone for that domain name.
Each DNS record for your domain is then created inside this DNS zone.
From the portal you can easily add a DNS zone and then view information
including name, number of records, resource group, location (always global),
subscription, and name servers.
Considerations
● The name of the zone must be unique within the resource group, and the
zone must not exist already.
● The same zone name can be reused in a different resource group or a
different Azure subscription.
● Where multiple zones share the same name, each instance is assigned
different name server addresses.
● Only one set of addresses can be configured with the domain name
registrar.
Child Domains
If you want to set up a separate child zone, you can delegate a sub-domain in
Azure DNS.
For example, after configuring contoso.com in Azure DNS, you could
configure a separate child zone for partners.contoso.com.
The parent and child zones can be in the same or different resource groups.
DNS Record Sets
A record set is a collection of records in a zone that have the same name and
are the same type.
You can add up to 20 records to any record set.
For an A record, you will need the TTL (Time to Live) and IP address.
The time to live, or TTL, specifies how long each record is cached by clients
before being requeried.
DNS for Private Domains
By using private DNS zones, you can use your own custom domain names
rather than the Azure-provided names available today.
Private zones provide name resolution for virtual machines (VMs) within a
virtual network and between virtual networks.
Additionally, you can configure zone names with a split-horizon view, which
allows a private and a public DNS zone to share the same name.
Azure DNS benefits
● Removes the need for custom DNS solutions. Previously, many customers
created custom DNS solutions to manage DNS zones in their virtual network.
Now perform DNS zone management by using the native Azure infrastructure,
which removes the burden of creating and managing custom DNS solutions.
● Use all common DNS records types. Azure DNS supports A, AAAA, CNAME,
MX, PTR, SOA, SRV, and TXT records.
● Automatic hostname record management. Along with hosting your
custom DNS records, Azure automatically maintains hostname records for
the VMs in the specified virtual networks.
● Hostname resolution between virtual networks. Unlike Azure-provided
host names, private DNS zones can be shared between virtual networks.
● Familiar tools and user experience. To reduce the learning curve, this
new offering uses well-established Azure DNS tools (PowerShell, Azure
Resource Manager templates, and the REST API).
● Split-horizon DNS support. With Azure DNS, you can create zones with the
same name that resolve to different answers from within a virtual network
and from the public internet.
● Available in all Azure regions. The Azure DNS private zones feature is
available in all Azure regions in the Azure public cloud.
Module 04 Lab
Lab 04 - Implement Virtual Networking
Objectives
In this lab, you will:
● Task 1: Create and configure a virtual network.
● Task 2: Deploy virtual machines into the virtual network.
● Task 3: Configure private and public IP addresses of Azure VMs.
● Task 4: Configure network security groups.
● Task 5: Configure Azure DNS for internal name resolution.
● Task 6: Configure Azure DNS for external name resolution.
Thanks!
Any questions?
You can find me at:
[email protected]
+93 784670845