# Questions - Configure and manage virtual networking
###### tags: `az-104` `azure`
## Load balancer
#### Difference between Standard and Basic load balancers
| Type | Standard Load Balancer | Basic Load Balancer |
| -- | -- | -- |
| Backend pool size | Supports up to 1000 instances. | Supports up to 300 instances. |
| Backend pool endpoints | Any virtual machines or virtual machine scale sets **in a single virtual network**. | Virtual machines in **a single availability set** or **virtual machine scale set**. |
| Health probes | TCP, HTTP, HTTPS | TCP, HTTP |
| Health probe down behavior | TCP connections stay alive on an instance probe down and on all probes down. | TCP connections stay alive on an instance probe down. All TCP connections end when all probes are down. |
| Availability Zones | Zone-redundant and zonal frontends for inbound and outbound traffic. | Not available |
| Diagnostics | Azure Monitor multi-dimensional metrics | Azure Monitor logs |
| HA Ports | Available for Internal Load Balancer | Not available |
| Secure by default | Closed to inbound flows unless allowed by a network security group. Internal traffic from the virtual network to the internal load balancer is allowed. | Open by default. Network security group optional. |
| Outbound Rules | Declarative outbound NAT configuration | Not available |
| TCP Reset on Idle | Available on any rule | Not available |
| Multiple front ends | Inbound and outbound | Inbound only |
| Management Operations | Most operations < 30 seconds | 60-90+ seconds typical |
| SLA | 99.99% | Not available |
#### How to protect against SQL injection attacks
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities; **SQL injection** and **cross-site scripting** are among the most common of these attacks.
Refer to [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview)
#### How an inbound NAT rule gives access to multiple VMs -- port forwarding
Create a load balancer inbound network address translation (NAT) rule to **forward** traffic from a specific port of the front-end IP address to a specific port of a back-end VM.
Refer to https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal#create-an-inbound-nat-port-forwarding-rule
## How to view NSG logs
To record successful and failed connection requests, use Azure Network Watcher NSG flow logs:
1. Enable Azure Network Watcher flow logs
2. Register the Microsoft.insights resource provider
3. Create a storage account for log storage
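Once flow logs land in the storage account, each blob is JSON with one `flowTuples` string per connection. The parser below, an added example that is not part of these notes, reads that v2 tuple format and counts allowed vs denied requests per NSG rule; `SAMPLE_LOG` is a constructed record with placeholder subscription and NSG names.

```python
"""Count allowed vs denied connection requests in an NSG flow log (Network
Watcher JSON). Added example; SAMPLE_LOG is constructed, not a real capture."""
import json
from collections import Counter

# Constructed sample. A v2 flowTuple is: unix time, src IP, dst IP, src port,
# dst port, protocol (T/U), direction (I/O), decision (A/D), flow state
# (B=begin, C=continue, E=end), then four packet/byte counters.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/subscriptions/<sub-id-placeholder>/resourceGroups/rg/"
                  "providers/Microsoft.Network/networkSecurityGroups/web-nsg",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF87856",
         "flowTuples": [
             "1682935200,203.0.113.10,10.0.0.4,51234,443,T,I,A,B,,,,",
             "1682935260,203.0.113.10,10.0.0.4,51234,443,T,I,A,E,12,2400,10,9800"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856",
         "flowTuples": [
             "1682935201,198.51.100.7,10.0.0.4,40001,22,T,I,D,B,,,,",
             "1682935202,198.51.100.7,10.0.0.4,40002,3389,T,I,D,B,,,,"]}]}]}}]})

def parse_tuple(raw):
    """Split one flowTuple into a dict; v1 logs have 8 fields, v2 has 13."""
    f = raw.split(",")
    rec = {"time": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]),
           "dport": int(f[4]), "proto": f[5], "direction": f[6], "decision": f[7]}
    if len(f) >= 13:                      # v2 only: flow state is field 9
        rec["state"] = f[8]
    return rec

def iter_flows(log_text):
    """Yield (rule name, parsed tuple) for every tuple in every record."""
    for record in json.loads(log_text)["records"]:
        for rule in record["properties"]["flows"]:
            for nic in rule["flows"]:
                for raw in nic["flowTuples"]:
                    yield rule["rule"], parse_tuple(raw)

def summarize(log_text):
    """Return {(rule, decision): count}. Each connection is counted once:
    only 'B' tuples in v2, because C/E tuples are updates to the same flow."""
    counts = Counter()
    for rule, rec in iter_flows(log_text):
        if rec.get("state", "B") == "B":
            counts[(rule, rec["decision"])] += 1
    return dict(counts)

def denied_inbound_ports(log_text):
    """Sorted destination ports denied inbound: what a reviewer checks first."""
    return sorted({rec["dport"] for _, rec in iter_flows(log_text)
                   if rec["direction"] == "I" and rec["decision"] == "D"})
```

The same functions work on a real blob once `json.dumps(...)` is replaced by the file contents; v1 logs (no state field) are counted tuple by tuple.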
## Application Gateway
#### URL path-based routing rules (**single domain**)
URL path-based routing allows you to route traffic to back-end server pools based on the URL path of the request. One scenario is to route requests for different content types to different pools.
For example, requests for http://contoso.com/video/* are routed to VideoServerPool, and http://contoso.com/images/* are routed to ImageServerPool. DefaultServerPool is selected if none of the path patterns match.
#### Multi-site listeners (**multiple domains**)
With Application Gateway, you can configure routing based on host name or domain name for more than one web application on the same application gateway. This lets you build a more efficient topology by adding up to 100+ websites to one application gateway, each directed to its own backend pool. For example, three domains, contoso.com, fabrikam.com, and adatum.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.
Requests for http://contoso.com are routed to ContosoServerPool, requests for http://fabrikam.com are routed to FabrikamServerPool, and so on.
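The two mechanisms above combine: the gateway first picks the multi-site listener whose host name matches, then applies that listener's URL path map, falling back to the default pool. The model below is an added example, not Application Gateway code; it reuses the pool and domain names from these notes, and its matching (prefix match for patterns ending in `*`, first listed rule wins, no wildcard hosts) is a simplification of the gateway's own rules.

```python
"""Model Application Gateway backend selection: host-based multi-site
listener, then URL path map, then the listener's default pool.
Added example with constructed configuration; semantics are simplified."""

# Constructed configuration: three multi-site listeners, one with a path map.
# Path rules are kept in listed order; the first matching pattern wins here.
LISTENERS = {
    "contoso.com": {"paths": {"/video/*": "VideoServerPool",
                              "/images/*": "ImageServerPool"},
                    "default": "DefaultServerPool"},
    "fabrikam.com": {"paths": {}, "default": "FabrikamServerPool"},
    "adatum.com": {"paths": {}, "default": "AdatumServerPool"},
}

def path_matches(pattern, path):
    """'/video/*' matches every path under /video/; other patterns must be exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def select_pool(host, path, listeners=LISTENERS):
    """Return the backend pool for a request, or None when no listener serves
    the host (the gateway would not forward such a request from these listeners)."""
    host = host.split(":")[0].lower()      # drop any port; host names are case-insensitive
    listener = listeners.get(host)
    if listener is None:
        return None
    for pattern, pool in listener["paths"].items():
        if path_matches(pattern, path):
            return pool
    return listener["default"]             # no path rule matched

def route_table(requests, listeners=LISTENERS):
    """Map each (host, path) pair to its pool; handy for checking a config change."""
    return {(h, p): select_pool(h, p, listeners) for h, p in requests}
```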
## How to add a custom domain
1. Add the domain name to Azure AD
2. Add your DNS info to the domain registrar
3. Verify the custom domain name
Refer to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
## How to update the local network gateway -- when a gateway connection already exists
1. Remove the connection
2. Update the IP address or modify the address prefix
3. Create a new connection
## What is the difference between "forwarded traffic" and "gateway transit" for VNet peering
**Gateway transit** is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. It requires a **virtual network gateway** attached to this VNet.

**Forwarded traffic** allows traffic forwarded by a network virtual appliance in a virtual network (traffic that didn't originate in that virtual network) to flow to this virtual network through a peering. For example, consider three virtual networks named Spoke1, Spoke2, and Hub. A peering exists between each spoke virtual network and the Hub virtual network, but no peering exists between the spoke virtual networks.
## How Azure Firewall controls outbound network access
With Azure Firewall, you can configure:
- Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules that define source address, protocol, destination port, and destination address.