By Shiji Sujai, IOD Expert

Let me help you prepare for the AZ-100 with this “cheat sheet” you can use for better understanding the Azure network, including concepts of Microsoft Azure virtual networking, hybrid connectivity, VNet to VNet connectivity, name resolution, and network security group configuration.

I’m sure you probably know that thorough knowledge of compute, storage, and network components are all important in preparing for Azure infrastructure certification exams. Did you know that about 20-25% of the exam is focused on knowing how to manage a virtual network? This post will be a quick reference manual for you as you’re prepping. So let’s get started!

Configure and Manage Virtual Networks

Azure virtual network (VNet) is the basic construct of networking in Azure that offers isolation and segmentation of resources in Azure. It allows resources like Azure VMs within a VNet to communicate with each other while segregating it from resources in other VNets. VNets can be created with one or more address spaces, which can then be further segmented into multiple subnets within the virtual network.

Let’s explore how to create Azure virtual networks using Azure CLI. Azure CLI can be installed on Windows, Linux or Mac OS and step by step installation guidance is available in Azure documentation. You can also install these commands from the web-based Azure Cloud Shell, which comes with all common Azure tools pre-installed.

1. Create an Azure resource group which act as a logical container and security boundary for Azure resources.

az group create –name myRG –location eastus

2. Create the Azure virtual network with specific address space and a single subnet.

az network vnet create \

–resource-group myRG \

–name myVNet \

–address-prefix 10.0.0.0/16 \

–subnet-name subnet1 \

–subnet-prefix 10.0.0.0/24 \

Note: Azure reserves some IP addresses in each subnet. The first and last IP addresses are reserved for protocol conformance.x.x.x.1-x.x.x.3 addresses are reserved for Azure services. This should be considered while planning your Azure subnet size.

Private IP address

A Private IP address from the subnet address range is automatically assigned to VMs or PaaS role instances connected to a virtual network. Private IP addresses are used for internal communications within VNets or with on-premises networks connected using VPN or expressroute. The private IP addresses are assigned dynamically unless specified as static during resource creation. In certain scenarios such as Active directory or DNS server deployments in Azure, you may need to configure the private IP address as static.

The following commands can be used to create a VM with a static private IP address:

1. Create the NIC card with static private IP.

az network nic create \

–resource-group myRG \

–name TestNIC \

–location eastus \

–subnet subnet1 \

–private-ip-address 10.0.0.10 \

–vnet-name myVNet

2. Create the VM and use the NIC provisioned in step 1 with the static IP.

az vm create \

–resource-group myRG \

–name AD01 \

–location eastus \

–image Debian \

–admin-username adminuser \

–ssh-key-value ~/.ssh/id_rsa.pub \

–nics TestNIC

3. To view private IP address allocated to a specific VM, use the following command:

az vm show -g myRG -n AD01 –show-details –query ‘privateIps’

[iod-callout]

Public IP Addresses

Public IP addresses are used to communicate to VMs from the internet. Like private IP addresses, public IP addresses are also assigned dynamically from a pool of Azure public IPs. Though customers cannot choose which IP addresses to use, the public IPs can be made static so that they never change after allocation. This is commonly required in enterprises where you want to map a static public IP address to a public DNS A record for accessing applications from internet.

The following command can be used to create a VM with static public IP:

az vm create \

–resource-group myRG \

–name VM01 \

–image UbuntuLTS \

–admin-username azureuser \

–generate-ssh-keys \

–public-ip-address myPublicIpAddress \

–public-ip-address-allocation static

There are two SKUs available in Public IPs. If the SKU is not specified in the above command, it is created by default in the basic SKU. To create an IP in the standard SKU, use the –public-ip-sku Standard Switch along with the above command.

To view the provisioned Public IP address, use the following command:

az network public-ip show \

–resource-group myRG \

–name myPublicIpAddress \

–query [ipAddress,publicIpAllocationMethod,sku] \

–output table

Routing Configuration

Azure uses default system routes for routing traffic within the VNet, across peered VNets or VPNs and also redirect traffic to internet. Users can override system routes by creating user defined routes catering to specific network architecture requirements. For example, if you want to inspect traffic in your VNet you can create user defined routes to send data to Network Virtual Appliance (NVA).

The following commands can be used create route table and associate it to a VNet

1. Create route table in a resource group.

az network route-table create \

–resource-group myRG \

–name nvaRoutetable

2. Create route in the route table.

az network route-table route create \

–name ToPrivateSubnet \

–resource-group myRG \

–route-table-name nvaRoutetable \

–address-prefix 10.0.1.0/24 \

–next-hop-type VirtualAppliance \

–next-hop-ip-address 10.0.2.4



3. Associate route table.

az network vnet subnet update \

–vnet-name myVNet \

–name Public \

–resource-group myRG \

–route-table nvaRoutetable

Create Connectivity Between Virtual Networks

VNET Peering

VNet peering can be used to connect two Azure virtual networks, and traffic between these networks traverse through the Azure backbone network. VNet peering was supported only between VNets in same Azure region when it was originally introduced. Global VNet peering was introduced later that supports Peering across multiple Azure regions.

The following command can be used to create VNet peering between two networks:

az network vnet peering create -g myRG -n Vnet1ToVnet2 –vnet-name MyVnet –remote-vnet-id MyVnet2 –allow-vnet-access

The following command will list all VNet peering of a Virtual Network:

az network vnet peering list -g MyResourceGroup –vnet-name MyVnet1

Virtual Network Gateway

A virtual network gateway forms the perimeter of an Azure Virtual Network and is used for sending traffic over a secure network channel to an on-premises network. Virtual Network gateways of type “VPN” are used for site-to-site and point-to-site VPN connections. If multiple on-premises networks are to be connected to the same Azure VNet for multi-site connectivity VPN, select VPN gateway type as route-based. A virtual network gateway of type “express route,” on the other hand, is used to establish a dedicated private connection with on-premises network.

1. Create a route-based VPN gateway.

az network vnet-gateway create \

-n VNet1GW \

-l eastus \

–public-ip-address VNetGWIP \

-g myRG \

–vnet myVNet \

–gateway-type Vpn \

–sku VpnGw1 \

–vpn-type RouteBased \

–no-wait

2. Create a virtual network gateway for express route.

az network express-route gateway create –express-route-gateway-name EG1

–resource-group myRG

Configure Name Resolution

Azure provides internal name resolution for VMs hosted in the same Azure virtual network. However, customers can also configure their own DNS servers within a virtual network. This will be required in hybrid cloud scenarios while extending on-premises network to Azure.

1. Update the DNS server for a specific virtual network.

az network vnet update -g MyRG -n MyVNet –dns-servers 10.2.0.8

Azure also provides a DNS service called Azure DNS that can be used to manage your existing domain names. A globally distributed, highly available name server infrastructure is used to host your domain and provides a single pane management of DNS records along with other Azure resources.

2. Create Azure DNS zone.

az network dns zone create -g MyRG -n contoso.com

3. Create DNS A records in the new Zone

az network dns record-set a add-record -g MyRG -z contoso.com -n www -a 1.2.3.4

4. View DNS records in a DNS zone.

az network dns record-set list -g MyRG -z contoso.com

Create and Configure a Network Security Group

Network security groups allows simple filtering of traffic to Azure virtual networks and VMs based on inbound and outbound rules. They can be attached to individual NIC cards of VMs, at subnet level or both depending on the network traffic filtering requirements.

1. Create Azure NSG in a resource group.

az network nsg create \

–resource-group myRG \

–name Nsg1

2. Command to create sample NSG rule to deny traffic over 80 from a specific IP range

az network nsg rule create \

-g MyRG\

–nsg-name Nsg1 \

-n NsgRule1 \

–priority 4096 \

–source-address-prefixes 208.130.28/24

–source-port-ranges 80 \

–destination-address-prefixes ‘*’ \

–destination-port-ranges 80 \

–access Deny \

–protocol Tcp \

–description “Deny from specific IP address ranges on port 80.”

3. List all rules in an NSG.

az network nsg rule list -g MyRG–nsg-name Nsg1

Conclusion

This article will serve as a cheat sheet or quick reference for one of the important topics when it comes to the AZ-100 certification exam–managing Azure virtual networks. Make sure to also review the other important topics, such as managing Azure subscriptions, implementing Azure Storage, managing VMs, and managing identities. Hands-on labs in managing Azure resources through portal, PowerShell, or Azure CLI also will help you understand the concepts better and prepare for certification exams. Good luck!

Did you like this post on Microsoft Azure? If so, check out these past posts by IOD Expert Shiji Sujai.