AZ-700 Designing and Implementing Microsoft Azure Networking Solutions Questions and Answers

To prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, you can use a Network Security Group (NSG). This solution is straightforward and minimizes administrative effort.

Step-by-Step Solution

Step 1: Create a Network Security Group (NSG)

Navigate to the Azure Portal.

Search for “Network security groups” and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the NSG (e.g., NSG-Subnet1-2).

Region: Select the region where your virtual network is located.

Click on “Review + create” and then “Create”.

Step 2: Create an Inbound Security Rule

Navigate to the newly created NSG.

Select “Inbound security rules” from the left-hand menu.

Click on “Add” to create a new rule.

Enter the following details:

Source: Select Service Tag.

Source Service Tag: Select VirtualNetwork.

Source port ranges: Leave as *.

Destination: Select IP Addresses.

Destination IP addresses/CIDR ranges: Enter the IP range of subnet1-2 (e.g., 10.1.2.0/24).

Destination port ranges: Enter 5585.

Protocol: Select TCP.

Action: Select Deny.

Priority: Enter a priority value (e.g., 100).

Name: Enter a name for the rule (e.g., Deny-TCP-5585).

Click on “Add” to create the rule.

Step 3: Associate the NSG with Subnet1-2

Navigate to the virtual network that contains subnet1-2.

Select “Subnets” from the left-hand menu.

Select subnet1-2 from the list of subnets.

Click on “Network security group”.

Select the NSG you created (NSG-Subnet1-2).

Click on “Save”.

Explanation

Network Security Group (NSG): NSGs are used to filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound and outbound traffic based on source and destination IP addresses, port, and protocol1.

Inbound Security Rule: By creating a rule that denies traffic on TCP port 5585 from any source outside of subnet1-2, you ensure that only hosts within subnet1-2 can connect to this port.

Association with Subnet: Associating the NSG with subnet1-2 ensures that the security rules are applied to all resources within this subnet.

By following these steps, you can effectively prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, while minimizing administrative effort.

No

subnet1(WM1->NSG1 outbound->NSG10 outbound)->subnet2(NSG1 inbound->NSG11 inbound->VM2)

Yes

NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2ג€™s subnet (VNet1/Subnet2).

No

NSG11 blocks RDP (port TCP 3389) destined for ג€˜VirtualNetworkג€™. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.

For the first question, only ExpressRoute GW SKU Ultra Performance support FastPath feature.

For the second question, vnet1 will connect to ExpressRoute gw, once Vnet1 peers with Vnet2, the traffic from on-premise network will bypass GW and Vnet1, directly goes to Vnet2, while this feature is under public preview.

====Reference

ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

To configure FastPath, the virtual network gateway must be either:

Ultra Performance

ErGw3AZ

VNet Peering - FastPath will send traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.

https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath

Gateway SKU

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

VNet 1 will get the default from BGP and propagate it to VNET 2 and 3

To configure a policy in Azure API Management that can be used by an Azure Application Gateway to protect against known web attack vectors and only allow requests from IP addresses in Canada, follow these steps:

Step-by-Step Solution

Step 1: Create or Access Your API Management Instance

Navigate to the Azure Portal.

Search for “API Management services” and select your API Management instance.

Step 2: Configure the Policy

In the API Management instance, go to the “APIs” section.

Select the API you want to apply the policy to.

Go to the “Design” tab.

Select “All operations” if you want to apply the policy to all operations, or select a specific operation.

Step 3: Add the Inbound Policy

In the Inbound processing section, click on “+ Add policy”.

Select “IP filter” from the list of policies.

Add the IP address ranges for Canada. You can find the IP ranges for Canada from a reliable source or use a service that provides this information.

Here is an example of the XML configuration for the policy:

Save the policy to apply the changes.

Explanation

IP Filter Policy: This policy allows you to filter incoming requests based on their IP addresses. By specifying the IP ranges for Canada, you ensure that only requests originating from these IPs are allowed.

Inbound Processing: Applying the policy in the inbound section ensures that the requests are filtered before they reach your API.

By following these steps, you can configure a policy in Azure API Management that restricts access to your API to only those requests originating from IP addresses in Canada, thereby enhancing security and compliance

To minimize the risk of SNAT port exhaustion for your 100 virtual machines in subnet4-1, while ensuring minimal administrative effort, you can use an Azure NAT Gateway. This service provides scalable and resilient outbound connectivity for virtual networks, dynamically allocating SNAT ports to avoid exhaustion.

Navigate to the Azure Portal.

Search for “NAT gateways” and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the NAT gateway (e.g., NATGateway-Subnet4-1).

Region: Select the region where your virtual network is located.

Click on “Next: Outbound IP”.

Choose whether to use existing public IP addresses or create new ones.

If creating new ones, click on “Add new” and configure the new public IP addresses.

Click on “Next: Subnet”.

Click on “Associate subnet”.

Select the virtual network that contains subnet4-1.

Select subnet4-1 from the list of subnets.

Click on “OK”.

Review your settings to ensure everything is correct.

Click on “Review + create” and then “Create”.

Azure NAT Gateway: This service provides outbound connectivity for virtual networks, dynamically allocating SNAT ports across all VM instances within a subnet. This dynamic allocation helps prevent SNAT port exhaustion, especially in scenarios with high outbound connection volumes12.

Dynamic SNAT Port Allocation: Unlike static allocation methods, NAT Gateway dynamically allocates SNAT ports based on demand, ensuring efficient use of available ports and reducing the risk of exhaustion2.

Step-by-Step SolutionStep 1: Create a NAT GatewayStep 2: Configure Outbound IP AddressesStep 3: Associate the NAT Gateway with Subnet4-1Step 4: Review and CreateExplanationBy following these steps, you can ensure that your 100 virtual machines in subnet4-1 can make the necessary API calls without running into SNAT port exhaustion, all while minimizing administrative effort.

To provide a single host name that routes traffic based on the origin, you can use Azure Traffic Manager. This service allows you to route traffic to different endpoints based on various routing methods, including geographic routing.

Navigate to the Azure Portal.

Search for “Traffic Manager profiles” and select it.

Click on “Create”.

Enter the following details:

Name: Enter a name for the Traffic Manager profile (e.g., ContosoTrafficManager).

Routing method: Select Geographic.

Subscription: Select your subscription.

Resource group: Select an existing resource group or create a new one.

Resource group location: Choose a location (this does not affect the routing).

Click on “Create”.

Navigate to the newly created Traffic Manager profile.

Select “Endpoints” from the left-hand menu.

Click on “Add” to add a new endpoint.

Enter the following details:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., NewYorkEndpoint).

FQDN: Enter ny.contoso.com.

Geographic region: Select “World” (this will be adjusted later).

Click on “Add” to save the endpoint.

Repeat the process to add the second endpoint:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., GermanyEndpoint).

FQDN: Enter de.contoso.com.

Geographic region: Select Europe.

Navigate to the Traffic Manager profile.

Select “Configuration” from the left-hand menu.

Under “Geographic routing”, adjust the regions:

For the GermanyEndpoint, ensure that the geographic region is set to Europe.

For the NewYorkEndpoint, ensure that the geographic region is set to World (excluding Europe).

Use a DNS query tool to test the routing.

From a location in Germany, query the Traffic Manager profile’s DNS name and ensure it resolves to de.contoso.com.

From a location outside Europe, query the Traffic Manager profile’s DNS name and ensure it resolves to ny.contoso.com.

Azure Traffic Manager: This service uses DNS to direct client requests to the most appropriate endpoint based on the routing method you choose. Geographic routing ensures that traffic is directed based on the origin of the request.

Geographic Routing: This method allows you to route traffic based on the geographic location of the DNS query origin, ensuring that users are directed to the nearest or most appropriate endpoint.

Step-by-Step SolutionStep 1: Create a Traffic Manager ProfileStep 2: Configure EndpointsStep 3: Adjust Geographic RoutingStep 4: Test the ConfigurationExplanationBy following these steps, you can provide a single host name that routes traffic to de.contoso.com for users in Germany and to ny.contoso.com for users from other locations, ensuring efficient and appropriate traffic management.

Here are the steps and explanations for ensuring that subnet4-3 can accommodate 507 hosts:

To determine the subnet size that can accommodate 507 hosts, you need to use the formula: number of hosts = 2^(32 - n) - 2, where n is the number of bits in the subnet mask1. You need to find the value of n that satisfies this equation for 507 hosts.

To solve this equation, you can use trial and error or a binary search method. For example, you can start with n = 24, which is the default subnet mask for Class C networks. Then, plug in the value of n into the formula and see if it is too big or too small for 507 hosts.

If you try n = 24, you get number of hosts = 2^(32 - 24) - 2 = 254, which is too small. You need to increase the value of n to get a larger number of hosts.

If you try n = 25, you get number of hosts = 2^(32 - 25) - 2 = 510, which is just enough to accommodate 507 hosts. You can stop here or try a smaller value of n to see if it still works.

If you try n = 26, you get number of hosts = 2^(32 - 26) - 2 = 254, which is too small again. You need to decrease the value of n to get a larger number of hosts.

Therefore, the smallest value of n that can accommodate 507 hosts is n = 25. This means that the subnet mask for subnet4-3 should be /25 or 255.255.255.128 in dot-decimal notation1.

To change the subnet mask for subnet4-3, you need to go to the Azure portal and select your virtual network. Then select Subnets under Settings and select subnet4-3 from the list2.

On the Edit subnet page, under Address range (CIDR block), change the value from /24 to /25. Then select Save2.

To ensure that only hosts on VNET1 can access the slcnage42150372 storage account and that access occurs over the Azure backbone network, you can use Azure Private Endpoints. This method secures the connection by assigning a private IP address from your virtual network to the storage account, ensuring that traffic does not traverse the public internet.

Step-by-Step Solution

Step 1: Create a Private Endpoint for the Storage Account

Navigate to the Azure Portal.

Search for “Storage accounts” and select the slcnage42150372 storage account.

In the storage account blade, select “Networking” under the “Security + networking” section.

Under “Private endpoint connections”, click on “Add private endpoint”.

Enter the following details:

Name: Enter a name for the private endpoint (e.g., PrivateEndpoint-VNET1).

Region: Select the same region as your virtual network (VNET1).

Click on “Next: Resource”.

Step 2: Configure the Resource

Select “Target sub-resource”: Choose the storage service you want to connect to (e.g., blob, file, queue, table).

Click on “Next: Virtual network”.

Step 3: Select the Virtual Network and Subnet

Select the virtual network: Choose VNET1.

Select the subnet: Choose the appropriate subnet within VNET1.

Click on “Next: Configuration”.

Step 4: Configure DNS Integration (Optional)

Configure DNS settings if needed to ensure proper name resolution within your virtual network.

Click on “Next: Tags”, add any tags if necessary, and then click on “Review + create”.

Review your settings and click on “Create”.

Step 5: Restrict Public Network Access

Navigate back to the storage account.

Select “Networking” under the “Security + networking” section.

Under “Firewalls and virtual networks”, select “Selected networks”.

Ensure that only VNET1 is listed under the virtual networks section.

Click on “Save”.

Explanation

Private Endpoints: These provide secure connectivity to Azure services by assigning a private IP address from your VNet to the service, ensuring that traffic stays within the Azure backbone network12.

Firewall and Virtual Networks: Configuring the storage account to allow access only from selected networks (VNET1) ensures that no other network can access the storage account3.

By following these steps, you can ensure that only hosts on VNET1 can access the slcnage42150372 storage account, and that all access occurs over the secure Azure backbone network.

To ensure that all traffic to the internet from subnet3-1 is forwarded to the appliance in subnet3-2 for packet inspection, you can use User-Defined Routes (UDRs) to direct the traffic. Here’s how you can do it:

Navigate to the Azure Portal.

Search for “Route tables” and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the route table (e.g., RouteTable-Subnet3-1).

Region: Select the region where your virtual network is located.

Click on “Review + create” and then “Create”.

Navigate to the newly created route table.

Select “Routes” from the left-hand menu.

Click on “Add” to create a new route.

Enter the following details:

Route name: Enter a name for the route (e.g., RouteToAppliance).

Address prefix: Enter 0.0.0.0/0 to route all internet traffic.

Next hop type: Select Virtual appliance.

Next hop address: Enter the IP address of the appliance (10.3.2.100).

Click on “OK” to add the route.

Navigate to the route table.

Select “Subnets” from the left-hand menu.

Click on “Associate”.

Select the virtual network that contains subnet3-1.

Select subnet3-1 from the list of subnets.

Click on “OK”.

User-Defined Routes (UDRs): These allow you to control the routing of traffic within your virtual network. By defining a route that directs all internet-bound traffic to the appliance, you ensure that the traffic is inspected before it reaches the internet1.

Virtual Appliance: This is a network appliance that performs specific functions, such as packet inspection, and is treated as a next hop in the routing table2.

Route Table Association: Associating the route table with subnet3-1 ensures that all traffic from this subnet follows the defined routes.

Step-by-Step SolutionStep 1: Create a Route TableStep 2: Add a Route to the Route TableStep 3: Associate the Route Table with Subnet3-1ExplanationBy following these steps, you can ensure that all internet-bound traffic from subnet3-1 is forwarded to the appliance in subnet3-2 for inspection, thereby enhancing your network security.

Here are the steps and explanations for ensuring that all hosts deployed to subnet3-2 connect to the internet by using the same static public IP address:

To use the same static public IP address for multiple hosts, you need to create a NAT gateway and associate it with subnet3-2. A NAT gateway is a resource that performs network address translation (NAT) for outbound traffic from a subnet1. It allows you to use a single public IP address for multiple private IP addresses2.

To create a NAT gateway, you need to go to the Azure portal and select Create a resource. Search for NAT gateway, select NAT gateway, then select Create3.

On the Create a NAT gateway page, enter or select the following information and accept the defaults for the remaining settings:

Subscription: Select your subscription name

Resource group: Select your resource group

Name: Type a unique name for your NAT gateway

Region: Select the same region as your virtual network

Public IP address: Select Create new and type a name for your public IP address. Select Standard as the SKU and Static as the assignment method4.

Select Review + create and then select Create to create your NAT gateway3.

To associate the NAT gateway with subnet3-2, you need to go to the Virtual networks service in the Azure portal and select your virtual network.

On the Virtual network page, select Subnets under Settings, and then select subnet3-2 from the list.

On the Edit subnet page, under NAT gateway, select your NAT gateway from the drop-down list. Then select Save.

Here are the steps and explanations for ensuring that hosts on VNET2 can access hosts on both VNET1 and VNET3, but hosts on VNET1 and VNET3 cannot communicate through VNET2:

To connect different virtual networks in Azure, you need to use virtual network peering. Virtual network peering allows you to create low-latency, high-bandwidth connections between virtual networks without using gateways or the internet1.

To create a virtual network peering, you need to go to the Azure portal and select your virtual network. Then select Peerings under Settings and select + Add2.

On the Add peering page, enter or select the following information:

Name: Type a unique name for the peering from the source virtual network to the destination virtual network.

Virtual network deployment model: Select Resource manager.

Subscription: Select the subscription that contains the destination virtual network.

Virtual network: Select the destination virtual network from the list or enter its resource ID.

Name of the peering from [destination virtual network] to [source virtual network]: Type a unique name for the peering from the destination virtual network to the source virtual network.

Configure virtual network access settings: Select Enabled to allow resources in both virtual networks to communicate with each other.

Allow forwarded traffic: Select Disabled to prevent traffic that originates from outside either of the peered virtual networks from being forwarded through either of them.

Allow gateway transit: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network.

Use remote gateways: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network as a transit point to another network.

Select Add to create the peering2.

Repeat the previous steps to create peerings between VNET2 and VNET1, and between VNET2 and VNET3. This will allow hosts on VNET2 to access hosts on both VNET1 and VNET3.

To prevent hosts on VNET1 and VNET3 from communicating through VNET2, you need to use network security groups (NSGs) to filter traffic between subnets. NSGs are rules that allow or deny inbound or outbound traffic based on source or destination IP address, port, or protocol3.

To create an NSG, you need to go to the Azure portal and select Create a resource. Search for network security group and select Network security group. Then select Create4.

On the Create a network security group page, enter or select the following information:

Subscription: Select your subscription name.

Resource group: Select your resource group name.

Name: Type a unique name for your NSG.

Region: Select the same region as your virtual networks.

Select Review + create and then select Create to create your NSG4.

To add rules to your NSG, you need to go to the Network security groups service in the Azure portal and select your NSG. Then select Inbound security rules or Outbound security rules under Settings and select + Add4.

On the Add inbound security rule page or Add outbound security rule page, enter or select the following information:

Source or Destination: Select CIDR block.

Source CIDR blocks or Destination CIDR blocks: Enter the IP address range of the source or destination subnet that you want to filter. For example, 10.0.1.0/24 for VNET1 subnet 1, 10.0.2.0/24 for VNET2 subnet 1, and 10.0.3.0/24 for VNET3 subnet 1.

Protocol: Select Any to apply the rule to any protocol.

Action: Select Deny to block traffic from or to the source or destination subnet.

Priority: Enter a number between 100 and 4096 that indicates the order of evaluation for this rule. Lower numbers have higher priority than higher numbers.

Name: Type a unique name for your rule.

Select Add to create your rule4.

Repeat the previous steps to create inbound and outbound rules for your NSG that deny traffic between VNET1 and VNET3 subnets. For example, you can create an inbound rule that denies traffic from 10.0.1.0/24 (VNET1 subnet 1) to 10.0.3.0/24 (VNET3 subnet 1), and an outbound rule that denies traffic from 10.0.3.0/24 (VNET3 subnet 1) to 10.0.1.0/24 (VNET1 subnet 1).

To associate your NSG with a subnet, you need to go to the Virtual networks service in the Azure portal and select your virtual network. Then select Subnets under Settings and select the subnet that you want to associate with your NSG5.

On the Edit subnet page, under Network security group, select your NSG from the drop-down list. Then select Save5.

Repeat the previous steps to associate your NSG with the subnets in VNET1 and VNET3 that you want to isolate from each other.

To archive all the metrics of VNET1 to an existing storage account, you can use Azure Monitor’s diagnostic settings. Here’s how you can do it:

Step-by-Step Solution

Step 1: Navigate to VNET1 in the Azure Portal

Open the Azure Portal.

Search for “Virtual networks” and select VNET1 from the list.

Step 2: Configure Diagnostic Settings

In the VNET1 blade, select “Diagnostic settings” under the “Monitoring” section.

Click on “Add diagnostic setting”.

Step 3: Set Up the Diagnostic Setting

Enter a name for the diagnostic setting (e.g., VNET1-Metrics-Archive).

Select the metrics you want to archive. You can choose from various metrics like TotalBytesReceived, TotalBytesSent, etc.

Under “Destination details”, select “Archive to a storage account”.

Choose the existing storage account where you want to archive the metrics.

Configure the retention period if needed.

Step 4: Save the Configuration

Review your settings to ensure everything is correct.

Click on “Save” to apply the diagnostic setting.

Explanation

Diagnostic Settings: These allow you to collect and route metrics and logs from your Azure resources to various destinations, including storage accounts, Log Analytics workspaces, and Event Hubs.

Metrics: Metrics provide numerical data about the performance and health of your resources. Archiving these metrics helps in long-term analysis and compliance.

Storage Account: Using an existing storage account ensures that the metrics are stored securely and can be accessed for future analysis.

By following these steps, you can ensure that all the metrics of VNET1 are archived to your existing storage account, enabling you to monitor and analyze the performance and health of your virtual network over time.

To achieve the task of ensuring that virtual machines on VNET1 and VNET2 are included automatically in a DNS zone named contoso.azure, and that they can resolve the names of the virtual machines on either virtual network, you can follow these steps:

Step-by-Step Solution

Step 1: Create a Private DNS Zone

Navigate to the Azure Portal.

Search for “Private DNS zones” in the search bar and select it.

Click on “Create”.

Enter the DNS zone name as contoso.azure.

Select the appropriate subscription and resource group.

Click on “Review + create” and then “Create”.

Step 2: Link VNET1 and VNET2 to the DNS Zone

Go to the newly created DNS zone (contoso.azure).

Select “Virtual network links” from the left-hand menu.

Click on “Add”.

Enter a name for the link (e.g., VNET1-link).

Select the subscription and virtual network (VNET1).

Enable auto-registration to ensure that VMs are automatically registered in the DNS zone.

Click on “OK”.

Repeat the process for VNET2.

Step 3: Configure DNS Settings for VNET1 and VNET2

Navigate to VNET1 in the Azure Portal.

Select “DNS servers” under the “Settings” section.

Ensure that the DNS server is set to “Default (Azure-provided)”.

Repeat the process for VNET2.

Step 4: Verify Name Resolution

Deploy a virtual machine in VNET1 and another in VNET2.

Connect to the virtual machines using Remote Desktop Protocol (RDP) or Secure Shell (SSH).

Test name resolution by pinging the VM in VNET2 from the VM in VNET1 using its hostname (e.g., ping .contoso.azure).

Explanation

Private DNS Zone: This allows you to manage and resolve domain names in a private network without exposing them to the public internet.

Virtual Network Links: Linking VNET1 and VNET2 to the DNS zone ensures that VMs in these networks can register their DNS records automatically.

Auto-registration: This feature automatically registers the DNS records of VMs in the linked virtual networks, simplifying management.

DNS Settings: Using Azure-provided DNS ensures that the VMs can resolve each other’s names without additional configuration.

By following these steps, you ensure that virtual machines on VNET1 and VNET2 are included automatically in the DNS zone contoso.azure and can resolve each other’s names seamlessly.

Here are the steps and explanations for configuring VNET1 to log all events and metrics and query them by using KQL:

To enable logging for VNET1, you need to create a diagnostic setting that collects the platform metrics and logs from the virtual network and routes them to one or more destinations. You can choose to send the data to a Log Analytics workspace, a storage account, an event hub, or a partner solution1.

To create a diagnostic setting, you need to go to the Azure portal and select your virtual network. Then select Diagnostic settings under Monitoring and select + Add diagnostic setting1.

On the Add diagnostic setting page, enter or select the following information:

Diagnostic setting name: Type a unique name for your diagnostic setting.

Destination details: Select the destination where you want to send the data. For example, you can select Send to Log Analytics workspace and choose your workspace from the list.

Log: Select the categories of logs that you want to collect. For VNET1, you can select NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter as the log categories2.

Metric: Select AllMetrics to collect all the platform metrics for VNET12.

Select Save to create your diagnostic setting1.

To query the events and metrics from the Azure portal by using KQL, you need to go to the Log Analytics workspace that you selected as the destination. Then select Logs under General and enter your KQL query in the query editor3.

For example, you can use the following KQL query to get the top 10 network security group events for VNET1 in the last 24 hours:

NetworkSecurityGroupEvent

| where TimeGenerated > ago(24h)

| where ResourceId contains "VNET1"

| summarize count() by EventID

| top 10 by count_

Copy

Select Run to execute your query and view the results in a table or a chart3.

To ensure that the owner of VNET3 receives an alert whenever an administrative operation is performed on the virtual network, you can set up an Activity Log Alert in Azure Monitor. Here’s how you can do it:

Step-by-Step Solution

Step 1: Create an Activity Log Alert

Navigate to the Azure Portal.

Search for “Monitor” and select it.

In the Monitor blade, select “Alerts” from the left-hand menu.

Click on “New alert rule”.

Step 2: Configure the Alert Rule

Select the Scope:

Click on “Select resource”.

Choose “Virtual Network” as the resource type.

Select VNET3 from the list of virtual networks.

Define the Condition:

Click on “Add condition”.

In the “Signal type” dropdown, select “Activity Log”.

Choose “Administrative” as the category.

Select the specific operations you want to monitor (e.g., Microsoft.Network/virtualNetworks/write for any write operations on the virtual network).

Set the Alert Details:

Enter a name for the alert rule (e.g., VNET3 Admin Operations Alert).

Provide a description if needed.

Configure the Action Group:

Click on “Add action group”.

Enter a name for the action group.

Select the action type (e.g., Email/SMS/Push/Voice).

Enter the details of the recipient (e.g., the email address of the owner of VNET3).

Review and Create:

Review the alert rule settings.

Click on “Create alert rule”.

Explanation

Activity Log Alerts: These alerts notify you when specific operations are performed on your Azure resources. By setting up an alert for administrative operations, you ensure that any changes to VNET3 are promptly reported.

Action Groups: These define the actions to take when an alert is triggered. You can configure notifications via email, SMS, or other methods to ensure the owner of VNET3 is informed immediately.

Administrative Operations: Monitoring these operations helps in tracking changes and maintaining the security and integrity of your virtual network.

By following these steps, you can ensure that the owner of VNET3 receives timely alerts for any administrative operations performed on the virtual network, helping to maintain oversight and security.

To deploy Azure virtual machines to the France Central region and ensure they are in a network segment with an IP address range of 10.5.1.0/24, follow these steps:

Step-by-Step Solution

Step 1: Create a Virtual Network in France Central

Navigate to the Azure Portal.

Search for “Virtual networks” in the search bar and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the virtual network (e.g., VNet-FranceCentral).

Region: Select France Central.

Click on “Next: IP Addresses”.

Step 2: Configure the Address Space and Subnet

In the IP Addresses tab, enter the address space as 10.5.1.0/24.

Click on “Add subnet”.

Enter the following details:

Subnet name: Enter a name for the subnet (e.g., Subnet-1).

Subnet address range: Enter 10.5.1.0/24.

Click on “Add”.

Click on “Review + create” and then “Create”.

Step 3: Deploy Virtual Machines to the Virtual Network

Navigate to the Azure Portal.

Search for “Virtual machines” in the search bar and select it.

Click on “Create” and then “Azure virtual machine”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select the same resource group used for the virtual network.

Virtual machine name: Enter a name for the VM.

Region: Select France Central.

Image: Select the desired OS image.

Size: Select the appropriate VM size.

Click on “Next: Disks”, configure the disks as needed, and then click on “Next: Networking”.

In the Networking tab, select the virtual network (VNet-FranceCentral) and subnet (Subnet-1) created earlier.

Complete the remaining configuration steps and click on “Review + create” and then “Create”.

Explanation

Virtual Network: A virtual network in Azure allows you to create a logically isolated network that can host your Azure resources.

Address Space: The address space 10.5.1.0/24 ensures that the VMs are in a specific network segment.

Subnet: Subnets allow you to segment the virtual network into smaller, manageable sections.

Region: Deploying the virtual network and VMs in the France Central region ensures that the resources are physically located in that region.

By following these steps, you can ensure that your Azure virtual machines in the France Central region are deployed within the specified IP address range of 10.5.1.0/24.

Here are the steps and explanations for ensuring that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net:

To use a custom domain with your Azure Front Door, you need to create a CNAME record with your domain provider that points to the Front Door default frontend host. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name1.

To create a CNAME record, you need to sign in to your domain registrar’s website and go to the page for managing DNS settings1.

Create a CNAME record with the following information1:

Source domain name: wwwjelecloud.com

Destination domain name: frontdoor1.azurefd.net

Save your changes and wait for the DNS propagation to take effect1.

To verify the custom domain, you need to go to the Azure portal and select your Front Door profile. Then select Domains under Settings and select Add2.

On the Add a domain page, select Non-Azure validated domain as the Domain type and enter wwwjelecloud.com as the Domain name. Then select Add2.

On the Domains page, select wwwjelecloud.com and select Verify. This will check if the CNAME record is correctly configured2.

Once the domain is verified, you can associate it with your Front Door endpoint. On the Domains page, select wwwjelecloud.com and select Associate endpoint. Then select your Front Door endpoint from the drop-down list and select Associate2.

To deploy a firewall to subnetl-2, you need to create a network virtual appliance (NVA) in the same virtual network as subnetl-2. An NVA is a virtual machine that performs network functions, such as firewall, routing, or load balancing1.

To create an NVA, you need to create a virtual machine in the Azure portal and select an image that has the firewall software installed. You can choose from the Azure Marketplace or upload your own image2.

To assign the IP address of 10.1.2.4 to the NVA, you need to create a static private IP address for the network interface of the virtual machine. You can do this in the IP configurations settings of the network interface3.

To ensure that traffic from subnetl-1 to the IP address range of 192.168.10.0/24 is routed through the NVA, you need to create a user-defined route (UDR) table and associate it with subnetl-1. A UDR table allows you to override the default routing behavior of Azure and specify custom routes for your subnets4.

To create a UDR table, you need to go to the Route tables service in the Azure portal and select + Create. You can give a name and a resource group for the route table5.

To create a custom route, you need to select Routes in the route table and select + Add. You can enter the following information for the route5:

Destination: 192.168.10.0/24

Next hop type: Virtual appliance

Next hop address: 10.1.2.4

To associate the route table with subnetl-1, you need to select Subnets in the route table and select + Associate. You can select the virtual network and subnet that you want to associate with the route table5.

Box 1:

If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.

Box 2:

The “Visit Azure Firewall Manager to configure and manage this firewall” link in the exhibit shows that the firewall is managed by Azure Firewall Manager.

NO, NO, YES

1. VM3 can connect to port 8080 on VM1 : false, UserRule_DenyVirtualNetworkInbound

2. VM1 and VM2 can connect on port 9090: false, UserRule_DenyVirtualNetworkInbound

3. VM1 can connect to VM3 on port 9090: true

Box 2: One NSG

The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could attach the NSG to VMScaleSet2 and restrict inbound traffic. Either way you would need two custom NSG rules.

Box 1: Two custom rules

With the NSG attached to VMScaleSet2, you would need to create a custom rule blocking all traffic from VMScaleSet1. Then you would need to create another custom rule with a higher priority than the first rule that allows traffic on port 443.

The default rules in the NSG will allow all other traffic to VMScaleSet2.

Box 1: VM2, VM3 and VM4.

VM1 is in VNet1/Subnet1. VNet1 is peered with VNet2 and VNet3.

There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.

Box 2:

VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.

Box 1: No

Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.

Box 2: Yes

VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.

Box3: No

VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won’t be able to enable auto-registration on the link.