access approvals, Private Link service, 195
active FTP, Azure Firewall and, 86
active-active mode, Azure VPN gateway, 41–42
Activity logs, 87
algorithms, load balancing, 60–61
AnyCast networking, 103
application FQDN traffic filtering, 81
architecture, Azure Bastion, 169–170
authentication
multi-factor, 180
point-to-site VPN gateway connections, 43–44
auto registration, setting up, 112
using Azure CLI, 112
using Azure Portal, 112
using Azure PowerShell, 112
autoscaling, 23. See also scaling
availability zones, 6
Azure Firewall and, 79
Azure Load Balancer and, 61–62
az network front-door create command, 163–165
az network lb create command, 72–73
az network private-dns link create command, 111
az network private-endpoint create command, 191–192, 199
az network traffic-manager profile create command, 140–141
az network vnet command, 12
Azure Activity Logs, 14
Azure AD (Active Directory), 179
Azure Application Gateway, 15–16
components
back-end pools, 20
health probes, 23
HTTP settings, 22
creating
deployment options, 16
sizing and scaling, 23
Azure Bastion, 167
connecting to a VM using Azure Portal, 176–179
creating
using Azure PowerShell, 175–176
disaster recovery, 171
peering, 171
permissions, 172
redundancy, 171
service requirements, 172
SKUs, 171
Azure CLI. See also commands
application gateway, creating, 32–33
Azure Bastion service, creating, 175–176
Azure Front Door service, setting up, 163–165
Azure Load Balancer, creating, 72–73
Azure Traffic Manager, setting up, 140–141
Azure VPN gateway, creating, 53
creating a vNET, 12
DNS zones, creating, 108
linking a private DNS zone to a vNET, 111
private endpoints, creating, 191–192
Private Link service, creating, 199
reverse DNS lookups, creating, 118
setting up auto registration, 112
Azure DNS, 103. See also DNS zones
DNS zones, 105
private, 105
public, 105
limitations, 104
queries, 119
reverse DNS lookups, creating, 116
using Azure CLI, 118
using Azure PowerShell, 118
zone delegation, 119
Azure endpoints, 125. See also endpoints
Azure Firewall
active FTP support, 86
classic rules, 84
creating
using Azure PowerShell, 99–100
DNAT (destination NAT), 79
DNS proxy, 86
features, 78
forced tunneling, 83
infrastructure FQDNs, 82
IP groups, 82
logging, 86
Activity logs, 87
diagnostic logs, 87
firewall metrics, 86
Manager, 83
policies, 84
rule processing
for outbound traffic, 85
tags, 81
FQDN, 81
service, 82
Threat Intelligence, 83
traffic filtering, 80
application FQDN, 81
network, 80
web, 80
web categories, 82
Azure Front Door, 145
back ends, 147
back-end pools, 147
dynamic content compression, 152
handling large volumes of traffic, 153
health probes, 148
integration with Azure DDoS Protection Basic, 153
logging, 165
performance counters, 165
protection against unwanted protocols, 153
query strings, 152
Rules Engine, 151
setting up
using Azure PowerShell, 162–163
URL rewrite, 149
WAF security features, 154
wildcard domains, 151
Azure Load Balancer, 55
components
back-end pool, 57
front-end IP addresses, 57
creating
deployment considerations, 56
features, 56
rules, 58
HA ports, 59
inbound NAT, 59
outbound SNAT, 60
Azure Log Analytics, 13
Azure Front Door and, 165
logging, 86
Activity logs, 87
diagnostic logs, 87
firewall metrics, 86
Azure Policy, 14, 143, 166, 181
Azure Portal
alias record sets, creating, 113–116
application gateway, creating, 24–30
Azure Bastion service, creating, 172–175
Azure Firewall, creating, 87–99
Azure Front Door service, setting up, 154–162
Azure Load Balancer, creating, 62–70
Azure Traffic Manager, setting up, 134–139
Azure VPN gateway, creating, 46–52
linking a private DNS zone to a vNET, 110
private endpoints, creating, 187–190
Private Link service, creating, 195–198
Real User Measurements, enabling, 141–143
reverse DNS lookups, creating, 116–118
setting up auto registration, 112
using Azure Bastion to connect to a VM, 176–179
Azure PowerShell
application gateway, creating, 31–32
Azure Bastion service, creating, 175–176
Azure Front Door service, setting up, 162–163
Azure Load Balancer, creating, 71–72
Azure Traffic Manager, setting up, 139–140
Azure VPN gateway, creating, 52–53
commands
New-AzDNSZone, 118
New-AzPrivateDNSVirtualNetworkLink, 112
New-AzPrivateDNSZone, 108
New-AzTrafficManagerProfile, 139–140
New-AzVirtualNetwork, 12
New-AzVirtualNetworkGateway, 31–32, 52–53
New-AzVirtualNetworkGatewayConnection, 52–53
New-AzVirtualNetworkLink, 190–191, 199
creating a vNET, 12
DNS zones, creating, 108
linking a private DNS zone to a vNET, 111
private endpoints, creating, 190–191
Private Link service, creating, 199
reverse DNS lookups, creating, 118
setting up auto registration, 112
Azure Private Link, 7, 183. See also Private Link service
best practices, 200
DNS configuration, 186
private endpoints, 184
features, 185
integration with Azure PaaS offerings, 184
integration with customer-owned services, 185
security and, 186
Azure Traffic Manager, 123
endpoints, 124–125
Azure, 125
failover and recovery, 134
monitoring, 133
nested, 126
RBAC and, 141
Real User Measurements, enabling, 141–143
setting up
using Azure PowerShell, 139–140
traffic routing
geographic, 132
multi-value, 128
subnet-based, 128
Azure VPN gateway, 35
availability zone support, 79
best practices, 54
BGP and, 38
creating
using Azure CLI, 53
deployment considerations, 36–37
gateway SKUs, 37
gateway subnet, 38
local network gateways, 38
point-to-site VPN gateway connections, 43
Highly Available vNET-to-vNET, 45
supported protocols, 43
vNET-to-vNET connections, 44
redundancy, 39
site-to-site VPN gateway connections
HA in active-active mode, 42
High Availability in active-standby mode, 41
multi-site active-active mode, 40
single-site active-standby mode, 39–40
zonal gateways, 46
zone-redundant gateways, 46
AzureActiveDirectory service tag, 7
back ends, 147
back-end pools, 1, 20, 57, 147
basic listener, 21
basic request routing rule, 21
Basic SKU, 37
best practices
Azure Private Link, 200
Azure Traffic Manager, 141–144
Azure VPN gateway, 54
for designing and securing vNETs, 12–14
BGP (Border Gateway Protocol), 6, 38
caching, Azure Front Door, 151–153
CDNs (content delivery networks), 145
classic rules, 84
commands
az network front-door create, 163–165
az network private-dns link create, 111
az network private-endpoint create, 191–192, 199
az network traffic-manager profile create, 140–141
az network vnet, 12
Azure PowerShell
New-AzDNSZone, 118
New-AzPrivateDNSVirtualNetworkLink, 112
New-AzPrivateDNSZone, 108
New-AzTrafficManagerProfile, 139–140
New-AzVirtualNetworkGateway, 31–32, 52–53
New-AzVirtualNetworkGatewayConnection, 31–32
New-AzVirtualNetworkLink, 190–191, 199
conditional access policies, 180
connection types, VPN gateway, 37–38
creating
application gateway
Azure Bastion
using Azure PowerShell, 175–176
Azure Firewall
using Azure PowerShell, 99–100
Azure Load Balancer
Azure VPN gateway
using Azure CLI, 53
DNS zones
using Azure CLI, 108
using Azure PowerShell, 108
private endpoints
using Azure PowerShell, 190–191
Private Link service
using Azure CLI, 199
using Azure PowerShell, 199
reverse DNS lookups, 116
using Azure CLI, 118
using Azure PowerShell, 118
vNET
using Azure CLI, 12
using Azure PowerShell, 12
custom routes
BGP routes, 6
user-defined routes, 5
DDoS (distributed denial of service) attacks, 13
deployment considerations
Azure Load Balancer, 56
diagnostic logs, 87
disaster recovery, 8
Azure Bastion, 171
private endpoints and, 186–187
DNAT (destination NAT), Azure Firewall and, 79
DNS proxy, 86
DNS zones, 106, 186. See also private DNS zones; public DNS zones
auto registration, setting up, 112
using Azure CLI, 112
using Azure Portal, 112
using Azure PowerShell, 112
creating
using Azure CLI, 108
using Azure PowerShell, 108
linking to vNETs, 109
using Azure CLI, 111
using Azure Portal, 110
using Azure PowerShell, 111
private, 105
public, 105
reverse DNS lookups, creating, 116
using Azure CLI, 118
using Azure PowerShell, 118
zone delegation, 119
dynamic content compression, 152
endpoints, 123, 124–125. See also private endpoints
Azure, 125
failover and recovery, 134
monitoring, 133
nested, 126
private, 184
disaster recovery and, 186–187
features, 185
integration with Azure PaaS offerings, 184
integration with customer-owned services, 185
security and, 186
service, 7
features
Azure Application Gateway, 16–18
Azure Firewall, 78
Azure Load Balancer, 56
Azure Traffic Manager, 123–124
Azure vNET (virtual network), 1–2
private endpoint, 185
file chunking, 152
filtering, threat intelligence-based, 83
forced tunneling, 83
FQDN tags, 81
front-end IP addresses
Azure Application Gateway, 19–20
Azure Load Balancer, 57
gateway SKUs, 37
gateway subnet, 38
geographic traffic routing, 132
global peering, 171
groupings, 81
infrastructure FQDNs, 82
IP groups, 82
tags, 81
FQDN, 81
service, 82
web categories, 82
health probes, 23
Azure Application Gateway, 23
Azure Front Door, 148
High Availability in active-standby mode, Azure VPN gateway, 41
high-availability ports load-balancing rule, 59
HTTP settings, 22
HTTP/2 protocols, 18
IKEv2 VPN, 43
inbound NAT rules, 59
infrastructure FQDNs, 82
internal load balancer, 55
IP addresses
Azure Bastion, 172
IP groups, 82
Key Vault, 180
latency-based traffic routing, 148
load balancers, 15–16, 148. See also Azure Application Gateway
internal, 55
public, 55
rules, 58
HA ports, 59
inbound NAT, 59
outbound SNAT, 60
local network gateways, 38
logging, 86
Activity logs, 87
Azure Front Door, 165
diagnostic logs, 87
firewall metrics, 86
network traffic, 166
MFA (multi-factor authentication), 180
monitoring, endpoints, 133
multi-site active-active mode, 40
multi-site listener, 21
multi-value traffic routing, 128
NAT (network address translation), 7, 59
nested endpoints, 126
network traffic filtering, 80
New-AzBastion command, 175–176
New-AzDNSZone command, 118
New-AzFirewall command, 99–100
New-AzFrontDoor command, 162–163
New-AzLoadBalancer command, 71–72
New-AzPrivateDNSVirtualNetworkLink command, 112
New-AzPrivateDNSZone command, 108
New-AzTrafficManagerProfile command, 139–140
New-AzVirtualNetwork command, 12
New-AzVirtualNetworkGateway command, 31–32, 52–53
New-AzVirtualNetworkGatewayConnection command, 31–32
New-AzVirtualNetworkLink command, 190–191, 199
non-zonal redundancy, 61
NSGs (network security groups), 6, 13
OpenVPN protocol, 43
outbound SNAT rules, 60
path-based request routing rule, 21
path-based routing, 18
PAWs (privileged access workstations), 180
peering, 5
Azure Bastion, 171
performance traffic routing, 130–131
permissions, Azure Bastion, 172
point-to-site VPN gateway connections
Highly Available vNET-to-vNET, 45
vNET-to-vNET connections, 44
policy(ies)
Azure Firewall, 84
-based VPNs, 37
conditional access, 180
priority traffic routing, 128–129, 149
private DNS zones, 105. See also DNS zones
auto registration, setting up, 112
using Azure Portal, 112
using Azure PowerShell, 112
creating
using Azure CLI, 108
using Azure PowerShell, 108
reverse DNS lookups, creating, 116
using Azure CLI, 118
using Azure PowerShell, 118
private endpoints, 184. See also endpoints
creating
using Azure PowerShell, 190–191
disaster recovery and, 186–187
features, 185
integration
with Azure PaaS offerings, 184
with customer-owned services, 185
security and, 186
Private Link service, 192–194. See also Azure Private Link
access approvals, 195
connecting to, 194
creating
using Azure CLI, 199
using Azure PowerShell, 199
High Availability, 195
limitations, 195
public DNS zones, 105, 113–116. See also alias record sets
public load balancer, 55
query
DNS, 119
strings, 152
RBAC (role-based access control), 166
Azure Traffic Manager and, 141
Real User Measurements, 141–143
redundancy
Azure Bastion, 171
non-zonal, 62
VPN gateway, 39
zonal, 61
zone, 61
regional peering, 171
request routing rules
redirection support, 22
rewriting of HTTP headers and URLs, 22
reverse DNS lookups, creating, 116
using Azure CLI, 118
using Azure PowerShell, 118
route-based VPNs, 37
routing, 3
BGP routes, 6
NAT (network address translation), 7
path-based, 18
route selection, 6
user-defined routes, 5
rules
Azure Firewall, order of processing, 84–85
classic, 84
load balancing, 58
HA ports, 59
inbound NAT, 59
outbound SNAT, 60
redirection support, 22
rewriting of HTTP headers and URLs, 22
Threat Intelligence, 83
URL rewrite, 149
WAF (web application firewall), 17
Rules Engine, Azure Front Door, 151
security
Azure Front Door
integration with Azure DDoS Protection Basic, 153
protection against unwanted protocols, 153
WAF (web application firewall), 154
private endpoints and, 186
vNET, 7
segmentation, 7
service endpoints, 7
services, Private Link, 7, 192–194
access approvals, 195
connecting to a VM using Azure Portal, 194
High Availability, 195
limitations, 195
session affinity, 149
setting up Azure Traffic Manager
using Azure PowerShell, 139–140
site-to-site VPN gateway connections
HA in active-active mode, 42
High Availability in active-standby mode, 41
multi-site active-active mode, 40
single-site active-standby mode, 39–40
sizing, 34
SKUs
Azure Bastion, 171
gateway, 37
sizing and scaling, 23
v2, 34
SNAT (source NAT), Azure Firewall and, 79–80
source IP affinity algorithm, 61
SSTP (Secure Socket Tunneling Protocol), 43
static VIP (virtual IP) assignment, 17
subnet-based traffic routing, 128
subnets, vNET deployment and, 2
tags, 81
FQDN, 81
service, 82
Threat Intelligence, 83
traffic filtering, 80
application FQDN, 81
network, 80
web, 80
traffic redirection
Azure Application Gateway, 17
Azure DNS and, 104
request routing rules and, 22
traffic routing
geographic, 132
latency-based, 148
multi-value, 128
session affinity, 149
subnet-based, 128
URL rewrite, 149
user-defined routes, 5
v2 SKU, 34
virtual network service tags, 166
VirtualNetwork service tag, 8
visibility options, Private Link service, 194–195
VMs (virtual machines), 1, 176–179
VMSS (virtual machine scale sets), 1
vNETs
availability zones, 6
creating
using Azure CLI, 12
using Azure PowerShell, 12
deployment considerations
address space, 2
subnets, 2
disaster recovery, 8
gateway, 4
integrations for enhanced security, 7
linking to DNS zones, 109
using Azure CLI, 111
using Azure Portal, 110
using Azure PowerShell, 111
NAT (network address translation), 7
NSGs (network security groups), 6
peering, 5
routing, 3
BGP routes, 6
custom routes, 5
user-defined routes, 5
security, 7
VPN (virtual private network), 1, 37
WAF (web application firewall), 16, 154
web categories, 82
web-traffic filtering, 80
weighted traffic routing, 129–130, 149
wildcard domains, 151
zonal
gateways, 46
redundancy, 61
zone
delegation, 119