This chapter covers AZ-800 Administering Windows Server Hybrid Core Infrastructure: Implement and manage Azure network infrastructure.
In the previous chapter, we added skills to understand the concepts of on-premises network infrastructure and services. We will start this chapter with an understanding of network services concepts in Azure. We will then look at each network service in more detail and conclude with a hands-on exercise to develop your skills further.
The following topics are included in this chapter:
In addition to the topics listed in this chapter, this chapter’s goal is to take your knowledge beyond the exam objectives to prepare you for a real-world, day-to-day hybrid environment-focused role.
This section introduces the functionality of the network services available in Azure, why each service is required, and how it may be used. Each network service capability will be covered in more detail in this chapter.
The following list outlines the available network services capabilities:
In this section, we introduced some of the Azure network services. In the following sections of this chapter, we will cover each of these areas. The first topic we will look at in the next section is VNets.
This section will look at implementing and managing Azure VNets. We will cover VNet peering, VNet routing, implementing IP addressing, and the Extended Network for Azure.
The first skills area we will look at in this section is VNets in Azure and how they work.
An Azure VNet is a software-defined representation of a Local Area Network (LAN) that you would have on-premises.
A VNet provides communication paths between resources through network interfaces. When resources in on-premises locations communicate with resources in Azure, this can be referred to as hybrid connectivity or cross-premises connectivity.
A VNet provides a private and isolated single-tenant network for your resources to communicate in. You can define private IP address spaces and segment them into subnets as you would for on-premises.
Each connected device on the VNet will be assigned a unique IP through the Azure Dynamic Host Configuration Protocol (DHCP) service. VMs are recommended to be assigned private IPs.
Public IPs can also be assigned to resources, although they are recommended for association with firewalls, load balancers, and so on for security reasons.
A VNet allows for network interfaces to be created that belong to a subnet as part of the segmentation of an IP address space associated with the VNet. These network interfaces are assigned an IP address in the range from that subnet by the Microsoft DHCP service; you cannot bring your own DHCP servers.
For a VM to communicate on the network, it must have one or more network interfaces associated with it. You would assign network interfaces according to the subnets you wish to send or receive traffic. A VM can have a network interface assigned from one or more subnets, with the maximum number of network interfaces supported by the VM type. The network interface is always allocated to the VM, even in the shutdown state. However, when the VM is deleted, the network interface remains a standalone resource but can be deleted as required.
A VNet in Azure exists in the boundary of an Azure region and is a communication boundary for network traffic within that region.
A VNet can span across a data center zone but cannot span a region. You can connect VNets in different regions and allow the traffic to span as though it were one network.
The default traffic behavior is that a VNet allows all resources within that VNet to communicate with each other but not with resources in another VNet without additional configuration steps.
A VNet can connect to on-premises locations for hybrid connectivity through a VPN gateway. Only one VPN gateway can be created for a VNet and can be created as a VPN type or an ExpressRoute type. Both types can exist on the same gateway if enough IP addressing is available to assign in address space; it is recommended to create a VPN subnet of /27 as a minimum.
VMs in one or more VNets can communicate with each other through VNet peering.
Unlike a VPN gateway where the communication traffic must route over the internet, VNet peering allows communication to flow as though they are the same logical network, and traffic passes over Microsoft’s backbone and bypasses the internet. This is important in terms of speed, reliability, and security. VNet peering is available as regional VNet peering, which connects VNets in the same region, and global VNet peering, which connects VNets in different regions.
This is represented in the following diagram:
Figure 6.1 – VNet peering
In this section, we looked at what an Azure VNet was. In this next section, we will look at IP addressing for VMs.
When a VNet is created, you define one or more IP address spaces. This can then be further broken down into subnets to meet your requirements. Each resource can be assigned an IP address from the subnet so that other resources can communicate with it on the network.
This is represented in the following diagram:
Figure 6.2 – IP address subnetting
The preceding diagram represents a VNet with an address space defined using the classless inter-domain routing (CIDR) format of 10.5.0.0/16. Subnetting has been used to further segment into smaller subnets that use a /24 notation, and each resource is allocated an IP from this range. This approach allows us to optimize the IP address allocation from the defined address /16 space. A VNet can have more than one IP address space assigned, which can be a public IP address prefix but is more commonly a private address range.
The following are the recommended private non-routable (RFC 1918) address ranges:
The private IP addresses are static or dynamically assigned to the network interfaces and can be changed between the two at any time. Typically, static IP addresses will be used, especially in the case of VMs that will perform roles such as domain controllers, DNS servers, or NVAs, where it is critical that the IPs remain assigned and not change. Private IPs (static and dynamic) can also be assigned to resources such as load balancers and network interfaces of storage services, for example, that use private endpoints.
When planning IP addressing in Azure, it is essential to note that Azure reserves five IP addresses for its own use in each subnet range, which cannot be allocated to any resources. These five reserved IP addresses are the first four IP addresses and the last IP address in a range, with the IP address ranges starting at 0, not 1.
The reserved five IP addresses are utilized as follows:
You will notice from the preceding list that the first IP assigned to a created VM in the subnet will be the .4 address.
Public IP addressing prefixes can be added to Azure VNets and can be assigned to resources such as network interfaces, VPN gateways, NVAs, and internet-facing load balancers. There are basic- and standard-type stock-keeping units (SKUs).
IPv6 can also be used alongside IPv4 in the same VNet and for the same resource. When a resource such as a VM has requirements for IPv6 and IPv4 communication paths, that is known as a dual stack.
The Extended Network for Azure capability provides a subnet extension, meaning an on-premises subnet can be stretched into Azure to meet the requirements of specific scenarios, and vice versa. Azure resources can be part of your on-premises local network, akin to making the same IP broadcast domain available in separate locations. It should be noted that this is not necessarily a good practice but may be required for a specific scenario that dictates this requirement.
This is achieved by extending the on-premises Layer 2 network with a Layer 3 overlay network using a Virtual Extensible LAN (VXLAN) solution. The advantage is that when VMs move to Azure, they can retain their existing IPs. Ordinarily, this is not possible as there cannot be overlapping IP address space between the on-premises networks and Azure.
This is represented in the following diagram:
Figure 6.3 – Azure Extended Network subnet extension
This section looked at how to implement IP addressing in an Azure VNet. In the next section, we will look at implementing VNet routing.
As we learned earlier, an Azure VNet is a software-defined representation of on-premises networks. When a VNet is created, an RFC 1918 private address space can be configured, and subnets created for the segmented network design are required. In an earlier example, we saw a /16 address space that contained /24 subnets for IP assignment to network interfaces that could be attached to VMs to allow them to communicate within the VNet.
Azure has a set of default system routes that automatically provide the Azure built-in routing capability; this allows VMs in the same VNet to communicate with each other with no specific network configuration required. The default gateway address is pre-defined at .1 in any subnet, and the system routes determine the next hop paths. These routes cannot be edited or removed, although you can provide custom routes that allow you to override the system routes with more specific routes that take priority over the system routes. These custom routes are referred to as UDRs. UDRs are applied through a route table resource. This provides specific network packet control of where the next hop should be for any packet leaving a subnet where it is not desired to use the default .1 gateway next hops.
The next-hop type can be one of the following:
Implementing UDRs in subnets is particularly beneficial when we want the next hop for traffic leaving a subnet to be filtered and inspected by an NVA such as a firewall. This allows us to control east-west traffic and provides network protection against lateral attacks.
This concept is represented in the following diagram:
Figure 6.4 – Network routing in Azure
In the preceding diagram, we see that the default system routing shows direct communication possible between the VM1 and VM2 VMs. This allows VM2 to communicate with VM1 using the default system route.
Due to the UDR route table being associated with the app subnet, all packets leaving the app subnet will use the custom routes provided by the UDR route table.
In this case, the route table has an entry that specifies that for all traffic with a destination of the data subnet, its next hop must be VM3.
This means VM1 cannot communicate with VM2 directly, but VM1 can only communicate with VM2 via VM3, a firewall appliance VM; if VM1 were to be compromised, this approach would protect VM2 from a lateral movement attack.
We should also discuss in this section the topic of egress routing. This is where we can determine the path of traffic leaving an Azure VNet, based on cost, quality, and performance metrics.
The two options available for egress routing are set out here:
This concept is represented in the following diagram:
Figure 6.5 – Egress routing in Azure
The preceding diagram visualizes the cold-potato versus hot-potato egress routing methods; the benefits and disadvantages are as follows:
We can also link this traffic delivery method to air transport versus ground/boat shipping.
In this section, we looked at VNet routing. The following section will look at implementing hybrid network connectivity in Azure.
This section will look at network connectivity in Azure between VNets as well as cross-premises/hybrid options available in Azure.
While there are many third-party vendor solutions, we will look to introduce only the first-party Microsoft services available in Azure and for the exam skills objectives.
VPNs are the first skills area we will look at in this section.
The Microsoft VPN Gateway is a network connectivity service that provides traffic encryption through private and secure tunnels across the internet. These tunnels can connect on-premises networks to Azure VNets or connect VNets in the same region or across different regions.
When a VPN gateway is implemented, it can be created as two types:
Only one VNet gateway can be created per VNet, with a high availability (HA) option; VNets can’t share a gateway.
The gateway type must be deleted and created again with the correct type to change it.
VPN connection type gateways can be created as two VPN types:
The VPN gateway can create Point-to-Site VPNs and Site-to-Site VPNs.
The Internet Protocol Security (IPsec) protocol Internet Key Exchange (IKE) versions 1 and 2 can be used; pre-shared keys are used for authentication.
The following connectivity types require a route-based VPN gateway:
This section introduced the VPN Gateway service in Azure. The following sections will look at the Point-to Site and Site-to-Site VPN types.
A Point-to-Site VPN type provides an encrypted connection from a single device to Azure resources by creating a secure tunnel across the internet for communication.
The protocols used for this VPN type are as follows:
This Point-to-Site VPN type is represented in the following diagram:
Figure 6.6 – Point-to-Site VPN
The use case for a Point-to-Site VPN is when remote workers, such as home workers or those traveling, need access to Azure resources accessible via VNets and cannot use a Site-to-Site VPN.
A Site-to-Site VPN type provides an encrypted connection from on-premises locations to Azure resources by creating a secure tunnel across the internet for communication to support hybrid connectivity/cross-premises scenarios.
The Azure VPN gateway supports policy-based and route-based VPNs and the IPsec v1/v2 protocols; pre-shared keys are used for authentication.
This Site-to-Site VPN type is represented in the following diagram:
Figure 6.7 – Site-to-Site VPN
In the preceding diagram, the on-premises location must have a VPN device with a public IP address. Note that without the deployment of Azure Extended Network, the on-premises and Azure VNet address spaces cannot overlap; Layer 3 routing over the public internet is required.
A VPN gateway can also establish VPN tunnels to multiple on-premises locations using a single VNet gateway.
This multi-site VPN connection type is represented in the following diagram:
Figure 6.8 – Multi-site VPN connection
For multiple VPN connection tunnels to co-exist on a single VNET gateway, you must use a route-based VPN to support this.
VPNs can also connect two Azure VNets to allow encrypted communications.
This VNet-to-VNet VPN type is represented in the following diagram:
Figure 6.9 – VNet-to-VNet VPN connection
To interconnect Azure VNets, we can also use the alternative method of VNet peering; however, this does not encrypt the traffic, bypasses the internet, and stays on Microsoft’s backbone.
As we learned earlier, a VNet gateway is an Azure resource that connects on-premises networks to Azure VNets over the internet. Secure and private tunnels are created through which encrypted traffic can be sent. This allows resources in both cloud and on-premises locations to communicate as though they were on the same local network.
A VNet gateway requires the following resources to be implemented:
The preceding resources and their relationships are represented in the following diagram:
Figure 6.10 – VPN gateway resources
VNet gateway is also used when implementing ExpressRoute, which we will look at in the next section.
An ExpressRoute circuit is an extension of your on-premises network into Azure without the need for VPNs or traversing the internet. It provides cross-premises/hybrid connectivity using a reliable, low-latency, fast private network, with traffic routed directly to Microsoft’s data centers, bypassing the internet. This private network is facilitated by a network carrier provider, which acts as the connectivity provider.
This is represented in the following diagram:
Figure 6.11 – ExpressRoute
Working with a network carrier provider, ExpressRoute can make Azure data centers appear as a site on a Multiprotocol Label Switching (MPLS) network. This provides global reach and capacity extensions of on-premises locations into Azure Data centers.
With ExpressRoute being an enterprise-grade network solution, redundancy is built in using Border Gateway Protocol (BGP) and dynamic routing.
It should be noted that by ExpressRoute does not encrypt or filter traffic; you should build that into a design if that is important. Typically, this will be achieved by implementing NVAs into the solution.
To implement an ExpressRoute circuit, the following steps outline the actions required:
Microsoft provides two peering types, as follows:
You may have a Site-to-Site VPN and ExpressRoute on the same VNet gateway, but you must use a route-based VPN to support this. It is recommended to allocate a /27 subnet to ensure adequate IPS can be assigned.
In this section, we looked at ExpressRoute. In the next section, we will look at Azure Network Adapter.
Windows Server 2019 introduced Azure Network Adapter as a new hybrid connectivity solution. To connect to networks and VMs running in Azure, there is the option of VPNs and ExpressRoute, which can add significant complexity to what is often a simple need to connect resources on-premises to resources in Azure.
With Azure Network Adapter and through Windows Admin Center, you can provide a one-click solution to connect your Azure VNets to on-premises networks using a Point-to-Site VPN.
Azure Relay is the service that used to be called Service Bus Relay.
Azure Relay is a hybrid solution that provides the ability to expose internal application resources to public cloud environments. It works based on listeners and does this without the need for inbound firewall ports to be open and without intrusive network infrastructure changes to the on-premises environment. This is a different solution from VPNs, which work at the network integration level. This is like an application VPN where we can scope connection access to a single on-premises machine’s application rather than a VPN (whose scope is very wide to a network range) and is more about connecting networks than connecting applications.
Azure Virtual WAN provides a global network transit architecture solution.
It is a virtualized representation of a Wide Area Network (WAN) that would traditionally be in place on-premises, such as an MPLS solution. In the case of Virtual WAN, Microsoft now becomes your connectivity provider.
In essence, the solution is a scaled-out, any-to-any connection type VNet gateway solution. It can handle multiple connection types, such as P2S, S2S, ExpressRoute, and Software-Defined WAN (SD-WAN).
A virtual WAN enables endpoints to transit connectivity across a hub. These endpoints make up distributed spokes that can be global.
This is represented in the following diagram:
Figure 6.12 – Azure Virtual WAN
Azure Virtual WAN supports the following capabilities:
This can be thought of as an any-to-any-type connectivity solution.
To implement an Azure virtual WAN, the high-level steps are as follows:
In this section, we looked at Azure Virtual WAN and concluded the topic of network connectivity in Azure. The following section will look at implementing network protection in Azure.
This section will look at the network protection options available in Azure. This will cover NSGs, application security groups (ASGs), and the Azure Firewall; we will look at the use cases, how they work, and their capabilities.
This section will look at NSGs as the first skill area.
An NSG is a packet filter approach controlling traffic flow into and out of resources such as VMs.
A set of inbound and outbound rules filters network traffic, denying all traffic unless explicitly allowed.
An NSG evaluates whether access is allowed or denied based on five data points (the 5-tuple method); these data points are as follows:
NSGs are represented in the following diagram:
Figure 6.13 – NSGs
NSGs can be associated with a network interface or a subnet, but not a VNet. A subnet or network interface can only have one NSG assigned; an NSG can be associated with multiple subnets or network interfaces.
NSG association is represented in the following diagram:
Figure 6.14 – NSG association
Each NSG rule is numbered; the lowest number will be evaluated first and will determine based on the data points if a connection to the destination is allowed or denied.
Each NSG has a set of default rules that cannot be modified or removed; you should add custom rules with a lower number to have these overrides evaluated before the default rules. The final default rule that will be enforced is a deny-all rule.
An NSG can only be used to protect resources in the same subscription and region as the NSG; if you need to perform centralized network protection across highly distributed VNets and across multiple regions, Azure Firewall can be used.
This section looked at NSGs. In the next section, we will look at ASGs.
An ASG provides a set of application-/workload-specific rules that can be associated with an NSG. In a nutshell, we base ASG traffic filter rules on business logic layer names rather than IP addresses or ranges. This is intended to simplify network protection rules by determining access at the business logic layer.
An ASG provides simplified network security micro-segmentations. We can apply a single NSG to all subnets on the NSG for full traffic analytics via flow logs. We then apply ASGs, with each VM being made a member of the appropriate ASG based on its role or network segmentation; this allows granular VM network interface layer control for both east/west and north/south traffic.
This approach is achieved through traffic filter rules based on the business logic and your application topology rather than the network address space topology. It takes a declarative/intent base approach. Rather than defining specific network IPs to be included in the rule, you define the business logic name layer groups you intend to filter traffic for and let Microsoft handle the complexities of the IP rules required. This is represented in the following diagram:
Figure 6.15 – ASG association
We can link this approach to the DNS concept, which uses names instead of IP addresses. In DNS, we may not know the IP address of a server, and its IP address may change, so we focus on business logic, meaning whatever the resource name is (that is constant), return the IP address (that can be variable). We can therefore use the same approach in ASGs to assign an alias or nickname, referred to as a moniker, to a group of VM resources and set a traffic filter rule based on the monikers rather than a network address.
This section looked at ASGs. In the next section, we will look at Azure Firewall.
Azure Firewall is a cloud-based Microsoft-managed firewall-as-a-service (FWaaS) solution. It provides centralized Layer 3/Layer 7 protection and control policies. Unlike an NSG, it works across subscriptions and regions.
Traffic control is through UDRs and can provide segmentation of networks for traffic control.
A typical Azure Firewall network topology is represented in the following diagram:
Figure 6.16 – Azure Firewall
Some of the capabilities of Azure Firewall are outlined here:
Firewall Manager is another service that can be utilized. It provides centralized policy configuration and management for multiple deployed Azure firewalls across different Azure regions and subscriptions.
In this section, we looked at Azure Firewall and concluded the topic of network protection in Azure. The following section will look at implementing name resolution in Azure.
This section will look at the name resolution options available in Azure; we will also cover the topic of cross-premises/hybrid name resolution.
Azure DNS is the first skill area we will look at in this section.
Azure DNS is a Microsoft-managed DNS-as-a-service solution for name resolution of Azure resources. You do not need to provide your own DNS servers for name resolution.
The Azure DNS service provides hosting for both your public DNS zones and private DNS zones, for which Azure can be authoritative, as detailed here:
Once your DNS zones are migrated to Azure DNS, Microsoft’s DNS name servers will respond to queries for resources in these zones. Anycast DNS is used by the DNS service, meaning the query will be responded to by the DNS server that is closest geographically to the query.
The Azure portal, Azure PowerShell, or the Azure CLI can be used to create and manage Azure public and private zones.
These are the high-level steps to implement a public zone:
These are the high-level steps to implement a private zone:
For Azure DNS private zones, the following capabilities are provided:
The following are some limitations of Azure DNS:
Next, we will look at Windows Server DNS on Azure VMs and integration with Azure DNS.
The DNS server role can be installed on Azure VMs running the Windows Server OS using Server Manager in the same way as for an on-premises installation.
You can specify that a VNet uses your own Windows DNS servers instead of Azure DNS; these DNS servers could be Azure VM DNS servers or on-premises DNS servers connected to the Azure VNet.
You may decide to implement Windows Server DNS on Azure VMs to replace or in addition to Azure DNS in the following scenarios:
Your own Windows DNS servers can be set in the Azure VNet DNS servers | Custom setting, as shown in the following diagram:
Figure 6.17 – Custom DNS server setting
The following diagram represents hybrid name resolution using Windows Server DNS and Azure DNS:
Figure 6.18 – Hybrid name resolution
In the preceding diagram, Windows Server DNS servers attached to a VNet can respond to queries for its on-premises domain, such as its own authoritative zones, and use the recursive resolvers in Azure for forwarded queries that need to resolve Azure hostnames that it will not have a record of.
The address to use for Azure DNS recursive DNS resolvers is 168.63.129.16.
Next, we will look at the split-horizon DNS in Azure.
Split-horizon DNS uses the same name to resolve the names of internal and external resources. It is also known as split-brain DNS.
This works by having two zones for the same domain; one is used for internal resource queries, and the other for external resource queries.
In Azure DNS, this is implemented by creating two zones of the same name, such as milesbetter.solutions.
The milesbetter.solutions zones should be created and configured as follows:
Host |
Record type |
IP address |
pizzapp |
CNAME |
mbs1.milesbetter. solutions |
mbs1 |
A |
10.5.1.4 |
Host |
Record type |
IP address (public) |
pizzapp |
A |
123.456.789 |
This configuration returns the correct lookups and information based on whether clients are on the internal or external network.
In this section, we looked at Windows Server DNS on Azure VMs and concluded the topic of implementing name resolution in Azure. In the next section, we will complete a hands-on exercises section to re-enforce some of the concepts covered in this chapter.
To support your learning with some practical skills, we will utilize concepts and understanding gained from the earlier sections of this chapter and put them into practical application.
We will look at the following exercises:
To get started with this section, if you do not already have an Azure subscription, you can create a free Azure account at https://azure.microsoft.com/free. This free Azure account provides the following:
Let’s move on to the exercises for this chapter.
In this exercise, we will look to create an Azure VNet.
Follow these steps to create a VNet:
Figure 6.19 – Searching for the Virtual networks resource
Figure 6.20 – Creating a VNet
Figure 6.21 – VNet Basics tab
Figure 6.22 – VNet IP Addresses tab
Figure 6.23 – VNet Security tab
Figure 6.24 – VNet Tags tab
Figure 6.25 – VNet Review + create tab
Figure 6.26 – VNet deployment succeeded
Figure 6.27 – Created VNet
With this, we have completed this exercise. It taught us the skills needed to implement an Azure VNet. The following exercise will look at implementing an NSG.
In this exercise, we will look to create a VM and associate an NSG at the subnet level. We will then add rules to allow Remote Desktop Protocol (RDP) access and deny outbound internet access.
In the following sub-sections, you can see the procedure to complete the exercise, segregated into tasks for a better understanding.
Figure 6.28 – Searching for the VM’s resource
Figure 6.29 – Creating a VM
Figure 6.30 – Creating a VM: settings
Figure 6.31 – Creating a VM: settings (continued)
Figure 6.32 – Creating a VM: settings (continued)
Figure 6.33 – Creating a VM: settings (continued)
Figure 6.34 – Creating a VM: settings (continued)
Figure 6.35 – Creating a VM: Review + create tab
Figure 6.36 – VM deployment succeeded
Figure 6.37 – Searching for the NSG resource
Figure 6.38 – Creating an NSG
Figure 6.39 – Creating an NSG: settings
Figure 6.40 – Created NSG
Figure 6.41 – Associating an NSG
Figure 6.42 – Associating an NSG (continued)
Figure 6.43 – Created NSG
Figure 6.44 – Adding an NSG
Figure 6.45 – Adding an NSG (continued)
Figure 6.46 – NSG created
Figure 6.47 – VM connection
Figure 6.48 – VM connection (continued)
Figure 6.49 – Remote desktop connection
Figure 6.50 – Accessing the internet
Figure 6.51 – Adding an NSG rule
Figure 6.52 – New NSG rule added
Figure 6.53 – Internet access denied
With this, we have completed this exercise. This exercise taught us the skills needed to implement and configure an NSG. The following exercise will look at implementing Azure DNS.
This exercise will look at creating and configuring public and private zones in Azure DNS.
In the following sub-sections, you can see the procedure to complete the exercise, segregated into tasks for a better understanding.
Figure 6.54 – Searching for the Azure DNS zones resource
Figure 6.55 – Creating a DNS zone
Figure 6.56 – Adding DNS records
For this exercise, we have used an example name and record; you should use an example that meets your requirements.
nslookup az800.milesbetter.com ns1-01.azure-dns.com
Replace with the information for the fully qualified domain name (FQDN) and name server that is relevant to your environment.
Figure 6.57 – nslookup command output
With this, we have completed this exercise. This exercise taught us the skills needed to implement Azure DNS. This next exercise will look at creating an Azure VPN gateway.
In this exercise, we will look to create an Azure VPN gateway for hybrid connectivity to on-premises resources.
For this exercise, you will require the following in place:
In the following sub-sections, you can see the procedure to complete the exercise, segregated into tasks for a better understanding.
Follow the steps in the following tasks to create a VPN gateway (VNet gateway).
Figure 6.58 – Searching for the VNet gateway resource
Figure 6.59 – Creating a VNet
Figure 6.60 – Creating a VNet (continued)
Figure 6.61 – Creating a VNet (continued)
Figure 6.62 – Reviewing settings
With this, we have completed this exercise. This exercise taught us the skills needed to implement an Azure VPN gateway. In the next exercise, we look at implementing VNet peering.
In this exercise, we will look to add a peering relationship between two VNets so that resources can communicate across the Microsoft backbone without traversing the public internet.
For this exercise, you will require the following in place:
Follow these steps to add VNet peering.
Figure 6.63 – Selecting the first VNet to peer
Figure 6.64 – Peering added successfully
Figure 6.65 – VNet peerings
With this, we have completed this exercise. This exercise taught us the skills needed to implement Azure VNet peering. Now, let’s summarize this chapter.
This chapter aimed to take your knowledge beyond the exam objectives; we added new skills and learning with the content provided. This further develops your knowledge and skills for on-premises network infrastructure services and enables you to be prepared for a real-world, day-to-day hybrid environment-focused role.
The content in this chapter covered information for the Implement and manage Azure network infrastructure skills outline section for the AZ-800 Administering Windows Server Hybrid Core Infrastructure exam.
We learned about some of the core network services components in Azure, such as implementing VNets and DNS, as well as looking at connectivity options and network protection aspects. A hands-on exercise then finished the chapter to develop your skills further.
The next chapter teaches about implementing and managing Azure network infrastructure.
This section provides links to additional study references and additional exam information:
Challenge yourself with what you have learned in this chapter:
3.145.119.199