AZ-104T00A
Administer Virtual Networking
© Copyright Microsoft Corporation. All rights reserved.
Learning Objectives - Administer Virtual Networking
• Configure Virtual Networks
• Configure Network Security Groups
• Configure Azure DNS
• Lab 04 – Implement Virtual Networks
Configure Virtual Networks
Learning Objectives - Configure Virtual Networks
• Plan Virtual Networks
• Create Virtual Networks
• Create Subnets
• Plan IP Addressing
• Create Public IP Addresses
• Associate Public IP Addresses
• Allocate or Assign Private IP Addresses
• Demonstration – Virtual Networks
• Learning Recap
Implement and manage virtual networking (15–20%): Configure and manage virtual networks in Azure
• Create and configure virtual networks and subnets
• Configure public IP addresses
Plan Virtual Networks
[Diagram labels: Virtual Network, Subnet, Virtual Machines, NIC, On-premises, Virtual Network(s)]
Logical representation of your own network
Create a dedicated private cloud-only virtual network
Securely extend your datacenter with virtual networks
Enable hybrid cloud scenarios
Create Virtual Networks
• Create new virtual networks at any time
• Add virtual networks when you create a virtual machine
• Define the address space, and at least one subnet
• Check for overlapping address spaces
Create Subnets
A virtual network can be segmented into one or more subnets
Subnets provide logical divisions within your network
Subnets can help improve security, increase performance, and make it easier to manage the network
Each subnet must have a unique address range – cannot overlap with other subnets in the vnet in the subscription
Plan IP Addressing
[Diagram: VNets, on-premises networks, VPN gateways, ExpressRoute – Private IP address – Azure Resource – Public IP address – Internet, public-facing services]
Private IP addresses - used within an Azure virtual network (VNet), and your on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure
Public IP addresses - used for communication with the Internet, including Azure public-facing services
Create Public IP Addresses
Available in IPv4 or IPv6 or both
Basic vs Standard SKU
Dynamic vs Static
Microsoft vs. internet routing
Associate Public IP Addresses
Public IP addresses | IP address association | Dynamic | Static
Virtual Machine | NIC | Yes | Yes
Load Balancer | Front-end configuration | Yes | Yes
VPN Gateway | Gateway IP configuration | Yes | Yes*
Application Gateway | Front-end configuration | Yes | Yes*
A public IP address resource can be associated with virtual machine network interfaces, internet-facing load balancers, VPN gateways, and application gateways
*Static IP addresses only available on certain SKUs.
Allocate or Assign Private IP Addresses
Private IP Addresses | IP address association | Dynamic | Static
Virtual Machine | NIC | Yes | Yes
Internal Load Balancer | Front-end configuration | Yes | Yes
Application Gateway | Front-end configuration | Yes | Yes
Dynamic (default). Azure assigns the next available unassigned or unreserved IP address in the subnet’s address range
Static. You select and assign any unassigned or unreserved IP address in the subnet's address range
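The overlap checks from the Create Virtual Networks and Create Subnets slides, together with the "unassigned or unreserved" condition for static private addresses, as an added example that is not part of the course material. The function names and the sample on-premises range are assumptions; the VNet and subnet prefixes are the ones shown in the Lab 04 diagram, and the reserved set reflects Azure reserving the first four addresses and the last address of every subnet.

```python
from ipaddress import ip_address, ip_network

def check_plan(vnet, subnets, other_networks=()):
    """Return a list of problems in a VNet address plan (empty list = OK)."""
    problems = []
    space = ip_network(vnet)
    # The VNet address space must not overlap networks it will be connected to.
    for name, cidr in other_networks:
        if space.overlaps(ip_network(cidr)):
            problems.append(f"VNet {vnet} overlaps {name} {cidr}")
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    # Every subnet must sit inside the VNet address space.
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside {vnet}")
    # Subnets in the same VNet must not overlap each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

def static_ip_usable(subnet, ip, in_use=()):
    """True if ip can be assigned statically: inside the subnet, not one of
    the five addresses Azure reserves, and not already assigned."""
    net, addr = ip_network(subnet), ip_address(ip)
    if addr not in net:
        return False
    reserved = {net[0], net[1], net[2], net[3], net[-1]}
    return addr not in reserved and ip not in in_use

# Prefixes from the Lab 04 architecture diagram.
LAB_VNET = "10.40.0.0/20"
LAB_SUBNETS = {"Subnet0": "10.40.0.0/24", "Subnet1": "10.40.1.0/24"}

if __name__ == "__main__":
    print(check_plan(LAB_VNET, LAB_SUBNETS))
    # Constructed bad plan: overlapping subnet, subnet outside the VNet,
    # and an on-premises range that collides with the VNet address space.
    bad = {"Subnet0": "10.40.0.0/24", "Subnet1": "10.40.0.128/25",
           "Subnet2": "10.40.16.0/24"}
    for problem in check_plan(LAB_VNET, bad, [("on-premises", "10.40.8.0/21")]):
        print(problem)
    print(static_ip_usable("10.40.0.0/24", "10.40.0.4"))
```
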
Demonstration – Virtual Networks
• Create a virtual network in the Azure portal
• Configure subnets
• Create a public IP address
Learning Recap – Virtual Networks
Check your knowledge questions and additional study
• Introduction to Azure Virtual Networks
• Design an IP addressing schema for your Azure deployment (sandbox)
• Implement Windows Server IaaS VM IP addressing and routing
A sandbox indicates an additional hands-on exercise.
Configure Network Security Groups (NSGs)
Learning Objectives – Network Security Groups
• Implement Network Security Groups
• Determine NSG Rules
• Determine NSG Effective Rules
• Create NSG Rules
• Implement Application Security Groups
• Demonstration – NSGs
• Learning Recap
Implement and manage virtual networking (15–20%): Configure secure access to virtual networks
• Create and configure network security groups (NSGs) and application security groups
• Evaluate effective security rules in NSGs
Implement Network Security Groups
Limits network traffic to resources in a virtual network
Lists the security rules that allow or deny inbound or outbound network traffic
Associated to a subnet or a network interface
Can be associated multiple times
Determine NSG Rules
Security rules in NSGs enable you to filter network traffic that can flow in and out of virtual network subnets and network interfaces
There are default security rules. You cannot delete the default rules, but you can add other rules with a higher priority
Determine NSG Effective Rules
NSGs are evaluated independently for the subnet and NIC
An “allow” rule must exist at both levels for traffic to be admitted
Use the Effective Rules link if you are not sure which security rules are being applied
Create NSG rules
Source (Any, IP addresses, My IP address, service tags, and application security group)
Destination (Any, IP addresses, service tag, and application security group)
Service (HTTPS, SSH, RDP, DNS, POP3, custom, …)
Priority – The lower the number, the higher the priority
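How priority ordering, the undeletable default rules and the subnet/NIC evaluation combine, as an added example that is not part of the course material. It is a simplified model of inbound evaluation only: the `Rule` class, the function names and the sample NSGs are assumptions, and the VirtualNetwork scope of the default rule is approximated by the Lab 04 range 10.40.0.0/20.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number = higher priority
    source: str            # CIDR prefix, or "*" for Any
    port: Optional[int]    # destination port, None for Any
    allow: bool

# Simplified stand-in for the default inbound rules that cannot be deleted.
# Assumption: the VirtualNetwork tag is modelled as the lab range 10.40.0.0/20.
DEFAULT_INBOUND = [
    Rule(65000, "10.40.0.0/20", None, True),   # AllowVNetInBound
    Rule(65500, "*", None, False),             # DenyAllInBound
]

def decide(nsg, src, port):
    """Return the first rule matching the packet, in ascending priority order."""
    for rule in sorted(nsg + DEFAULT_INBOUND, key=lambda r: r.priority):
        src_ok = rule.source == "*" or ip_address(src) in ip_network(rule.source)
        if src_ok and rule.port in (None, port):
            return rule
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

def inbound_allowed(subnet_nsg, nic_nsg, src, port):
    """Each NSG is evaluated on its own; traffic is admitted only if both allow."""
    return all(decide(nsg, src, port).allow for nsg in (subnet_nsg, nic_nsg))

# Constructed sample NSGs; 203.0.113.0/24 is a documentation range.
SUBNET_NSG = [Rule(100, "*", 443, True)]
NIC_NSG = [
    Rule(100, "*", 443, True),
    Rule(200, "*", 3389, False),               # deny RDP from anywhere
    Rule(300, "203.0.113.0/24", 3389, True),   # never reached for RDP: 200 wins
]

if __name__ == "__main__":
    client = "203.0.113.10"
    print(inbound_allowed(SUBNET_NSG, [], client, 443))       # NIC level has no allow
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, client, 443))  # allowed at both levels
    print(decide(NIC_NSG, client, 3389))                      # the priority-200 deny
    print(inbound_allowed([], [], "10.40.1.4", 1433))         # intra-VNet default
```

An allow rule added below an existing deny for the same traffic, like the priority-300 rule here, has no effect, which is the kind of surprise the Effective Rules view is meant to expose.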
Implement Application Security Groups
Extends your application's structure
ASGs logically group virtual machines – web servers, application servers
Define rules to control the traffic flow
Wrap the ASG with an NSG for added security
[Diagram labels: WebServers, AppLServers]
Source | Destination | Port
Internet | WebServers | 80, 443
WebServers | SQLServers | 1433
Demonstration – Network Security Groups
• Create a network security group
• Explore inbound and outbound rules
Learning Recap – Network Security Groups
Check your knowledge questions and additional study
• Secure and isolate access to Azure resources by using network security groups and service endpoints (sandbox)
A sandbox indicates an additional hands-on exercise.
Configure Azure DNS
Configure Azure DNS Introduction
• Identify Domains and Custom Domains
• Verify Custom Domain Names (optional)
• Create Azure DNS Zones
• Delegate DNS Domains
• Add DNS Record Sets
• Plan for Private DNS Zones
• Determine Private Zone Uses (optional)
• Demonstration – DNS Name Resolution
• Learning Recap
Implement and manage virtual networking (15–20%): Configure name resolution and load balancing
• Configure Azure DNS
Identify Domains and Custom Domains
When you create a new AAD Tenant, a new default domain is created
The domain has an initial domain name in the form domainname.onmicrosoft.com
You can add a custom domain name
After the custom name is added it must be verified – this demonstrates ownership of the domain
Create Azure DNS Zones
A DNS zone hosts the DNS records for a domain
Where multiple zones share the same name, each instance is assigned different name server addresses
Root/Parent domain is registered at the registrar and pointed to Azure NS
Delegate DNS Domains
• When delegating a domain to Azure DNS, you must use the name server names provided by Azure DNS – use all four
• Once the DNS zone is created, update the parent registrar
• For child zones, register the NS records in the parent domain
Add DNS Record Sets
A record set is a collection of records in a zone that have the same name and are the same type
You can add up to 20 records to any record set
A record set cannot contain two identical records
Changing the Type drop-down changes the information required
Plan for Private DNS Zones
Use your own custom domain names
Provides name resolution for VMs within a VNet and between VNets
[Diagram label: db.contoso.lab]
Automatic hostname record management
Removes the need for custom DNS solutions
Use all common DNS record types
Available in all Azure regions
Demonstration - DNS
• Create a DNS zone
• Add a DNS record set
• View the name servers
Learning Recap – Azure DNS
Check your knowledge questions and additional study
• Host your domain on Azure DNS (sandbox)
• Implement DNS for Windows Server IaaS VMs
A sandbox indicates an additional hands-on exercise.
Lab – Implement Virtual Networks
Lab 04 – Implement Virtual Networking
You plan to create a virtual network in Azure that will host a couple of Azure virtual machines. You will deploy them into different subnets and must ensure their IP addresses will not change over time. For security requirements, you need to protect public endpoints of Azure virtual machines accessible from the Internet. Finally, you need to implement DNS name resolution.
Objectives
Task 1: Create and configure a virtual network
Task 2: Deploy virtual machines into the virtual network
Task 3: Configure private and public IP addresses of Azure virtual machines
Task 4: Configure network security groups
Task 5: Configure Azure DNS for internal name resolution
Task 6: Configure Azure DNS for external name resolution
Next slide for an architecture diagram
Lab 04 – Architecture diagram
Task 1, Task 2: az104-04-rg1, az104-04-vnet1 (10.40.0.0/20)
Subnet0 (10.40.0.0/24): az104-04-vm0, az104-04-nic0, 10.40.0.4
Subnet1 (10.40.1.0/24): az104-04-vm1, az104-04-nic1, 10.40.1.4
Task 3: az104-04-pip0, az104-04-pip1
Task 4: az104-04-nsg01
Task 5: Private DNS zone contoso.org
Task 6: DNS zone