In this blog, I will share some quick tips, including Q/As and useful links, from Day 4 of our recently launched new batch of Microsoft Azure Solutions Architect (AZ-303); the course includes 25 hands-on labs for AZ-303 and 12+ hands-on labs for AZ-304.
A week before, in the Day 3 session, we covered ARM (Azure Resource Manager) templates, the ARM template format, QuickStart templates, Azure virtual hard disks (VHDs), Azure Automation, runbooks and webhooks. In the Day 2 session, we covered Azure Virtual Machines, Availability Zones, fault domains, update domains, availability sets, Azure Dedicated Host, virtual machine scale sets, disk encryption and snapshots, and in the Day 1 session we covered Azure networking for beginners, IP addressing, Azure Virtual Network and virtual network peering.
And in this week's Day 4 live session, we continued with Module 4: Implement Load Balancing and Network Security. We covered Azure Load Balancer, Azure Application Gateway, Azure Front Door, Azure Firewall, Azure Traffic Manager and Azure Bastion.
We also covered hands-on Lab 7, Lab 9, Lab 24 and Lab 25 out of our 20+ extensive labs (AZ-303).
So, here are some of the Q/As asked during the live session on Module 4: Implement Load Balancing and Network Security.
Azure Load Balancer
Azure Load Balancer distributes traffic to your backend virtual machines and provides high availability for your application. It is itself a fully managed service.
In Azure, you can create two types of load balancer:
- Public load balancer
- Internal (private) load balancer
Read More: Azure Load Balancer
Features Of Azure Load Balancer
- Load balancing: Azure Load Balancer distributes flows using a 5-tuple hash of source IP, source port, destination IP, destination port and protocol.
- Outbound connections: All outbound flows from a private IP address inside our virtual network to public IP addresses on the Internet can be translated to a frontend IP of the load balancer.
- Automatic reconfiguration: The load balancer reconfigures itself when instances are scaled up or down based on conditions.
- Health probes: You can configure a health probe to determine the health of the instances in the backend pool, so that traffic is sent only to healthy instances.
- Port forwarding: The load balancer supports port forwarding, which is useful when we have a pool of web servers and don't want to attach a public IP address to every web server in the pool.
See More: Features Of Azure Load Balancer
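To make the two features above concrete, here is an added example (written for this recap, not code from the original post or from Azure) that models hash-based distribution and health probes: a flow's 5-tuple is hashed to pick a backend, so the same flow always lands on the same member, and members whose probe fails stop receiving new flows. The `LoadBalancer` and `Backend` classes and the sample flows are constructed for illustration; SHA-256 stands in for the platform's hash.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow is identified by the 5-tuple that Azure Load Balancer hashes:
# (source IP, source port, destination IP, destination port, protocol).
Flow = Tuple[str, int, str, int, str]


@dataclass
class Backend:
    """A backend pool member; `healthy` holds the last health-probe result."""
    name: str
    private_ip: str
    healthy: bool = True


@dataclass
class LoadBalancer:
    """Hypothetical model of hash-based distribution (not the Azure SDK)."""
    backends: List[Backend] = field(default_factory=list)

    def probe(self, results: Dict[str, bool]) -> None:
        """Record health-probe results (backend name -> probe succeeded)."""
        for backend in self.backends:
            if backend.name in results:
                backend.healthy = results[backend.name]

    def healthy_backends(self) -> List[Backend]:
        return [b for b in self.backends if b.healthy]

    @staticmethod
    def flow_hash(flow: Flow) -> int:
        # SHA-256 stands in for the platform's hash; what matters is that the
        # same 5-tuple always yields the same value, so a flow stays on one backend.
        key = "|".join(str(part) for part in flow).encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")

    def select(self, flow: Flow) -> Optional[Backend]:
        """Pick the backend for a flow, or None when no backend passes its probe."""
        pool = self.healthy_backends()
        if not pool:
            return None
        return pool[self.flow_hash(flow) % len(pool)]


def distribute(lb: LoadBalancer, flows: List[Flow]) -> Dict[str, int]:
    """Count how many flows each backend receives; unhealthy members get none."""
    counts: Dict[str, int] = {}
    for flow in flows:
        chosen = lb.select(flow)
        if chosen is not None:
            counts[chosen.name] = counts.get(chosen.name, 0) + 1
    return counts


def sample_flows(n: int) -> List[Flow]:
    """Constructed client flows: distinct source ports from one client address."""
    return [("203.0.113.10", 40000 + i, "20.0.0.1", 443, "TCP") for i in range(n)]


if __name__ == "__main__":
    lb = LoadBalancer([Backend("web1", "10.0.1.4"),
                       Backend("web2", "10.0.1.5"),
                       Backend("web3", "10.0.1.6")])
    print("healthy pool:", distribute(lb, sample_flows(300)))
    lb.probe({"web2": False})   # probe to web2 fails, so it stops receiving flows
    print("web2 unhealthy:", distribute(lb, sample_flows(300)))
```

Notice that the modulo over the healthy pool means existing flows can move to a different backend when pool membership changes (a probe fails, or the pool scales). That is why an application behind a hash-distributed load balancer should not keep session state only in local memory on one VM.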
Q1: Are Azure Load Balancers software load balancers?
Ans: Yes. They are software load balancers that provide high availability by distributing incoming traffic among healthy VMs.
Q2: Is there a way to make the public-facing load balancer highly available?
Ans: No modification is needed; it is already highly available, because Microsoft itself deploys the load balancer across three zones.
Azure Application Gateway
Azure Application Gateway is an Azure load balancer for web traffic that applies routing rules to support load balancing and traffic management.
It supports SSL termination, which makes load balancing more secure, as well as HTTP-based load balancing and cookie-based session affinity.
Read More: Azure Application Gateway
Q3: What protocols does Application Gateway support?
Ans: Application Gateway supports HTTP, HTTPS, HTTP/2, and WebSocket.
Q4: Can the availability zone be implemented for the backend pool in Application Gateway?
Ans: Yes. You can choose a single zone or multiple zones in which Application Gateway instances are deployed, making it more resilient to a zone failure. The backend pool for the application can similarly be distributed across availability zones.
Web Application Firewall(WAF)
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by attacks that exploit commonly known vulnerabilities, and a WAF mitigates these.
Q5: Does WAF support DDoS protection?
Ans: Yes. You can enable DDoS Protection on the virtual network where the application gateway is deployed; this ensures that the Azure DDoS Protection service protects the application gateway's virtual IP (VIP).
Azure Firewall
Azure Firewall is a managed network security service that protects your Azure Virtual Network resources. It comes with built-in high availability and unrestricted cloud scalability, so you don't have to deploy additional infrastructure such as two or three firewalls, or a load balancer in front of them, to achieve high availability.
Read More: Azure Firewall
Q6: What is the difference between Application Gateway WAF and Azure Firewall?
Ans: The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
Azure Front Door (AFD)
Azure Front Door (AFD) is a service that offers a single global entry point for customers accessing web apps, APIs, content and cloud services. It fronts web applications, VMs, APIs, cloud services and data, and provides a global infrastructure for building, managing and securing them. It is essentially a global load balancer.
Read More: Azure Front Door
Q7: What is the difference between Azure Front Door and Azure Application Gateway?
Ans: While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a global service, whereas Application Gateway is a regional service.
Azure Traffic Manager
Azure Traffic Manager lets you control the distribution of user traffic by using DNS to direct requests to the most appropriate service endpoint, as determined by a traffic-routing method. Traffic Manager selects an endpoint based on the configured routing method, and it supports a variety of traffic-routing methods to suit different application needs.
Read More: Azure Traffic Manager
Q8: How does the traffic manager determine where a user is querying from?
Ans: Traffic Manager looks at the source IP of the DNS query (most likely a local DNS resolver querying on behalf of the user) and uses an internal IP-to-region map to determine the location.
Network Security Groups(NSG)
A Network Security Group in Azure acts like a firewall at the network level, filtering the traffic passing to and from Azure resources in a virtual network. An NSG is a set of security rules, each of which defines a priority, source or destination, protocol, direction, port range and action. Using these rules, the NSG allows or denies inbound and outbound traffic.
See More: Network Security Groups
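The following added example (written for this recap, not code from the original post or from Azure) evaluates a set of NSG rules the way the platform does: rules are sorted by priority, the lowest number that matches the flow's direction, protocol, addresses and destination port decides, and Azure's built-in default rules sit at priority 65000 and above. The `NsgRule` class, the custom rules and the `VirtualNetwork` address range are constructed for illustration; 168.63.129.16 is the real source address of Azure's health probes, which is why the default `AllowAzureLoadBalancerInBound` rule exists.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # 100-4096 for custom rules; lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag, or "*" (source port range omitted here)
    destination: str   # CIDR, service tag, or "*"
    dest_ports: str    # "22", "80-443" or "*"


# Service tags resolved to address ranges for this example. VirtualNetwork is the
# constructed VNet address space; 168.63.129.16 is the address Azure's health
# probes come from.
SERVICE_TAGS: Dict[str, str] = {
    "VirtualNetwork": "10.0.0.0/16",
    "AzureLoadBalancer": "168.63.129.16/32",
}

# Azure's built-in inbound default rules (priority 65000 and above).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules: HTTPS from anywhere, SSH only from a Bastion subnet.
CUSTOM_INBOUND = [
    NsgRule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    NsgRule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.0.255.0/27", "*", "22"),
    NsgRule("DenyAllSsh", 120, "Inbound", "Deny", "Tcp", "*", "*", "22"),
]


def _ip_matches(ip: str, spec: str, tags: Dict[str, str]) -> bool:
    if spec == "*":
        return True
    network = ipaddress.ip_network(tags.get(spec, spec), strict=False)
    return ipaddress.ip_address(ip) in network


def _port_matches(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules: List[NsgRule], direction: str, protocol: str, src_ip: str,
             dst_ip: str, dst_port: int,
             tags: Dict[str, str] = SERVICE_TAGS) -> Tuple[str, str]:
    """Return (access, rule name) for a flow: the lowest priority number that matches wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not (_ip_matches(src_ip, rule.source, tags)
                and _ip_matches(dst_ip, rule.destination, tags)):
            continue
        if not _port_matches(dst_port, rule.dest_ports):
            continue
        return rule.access, rule.name
    return "Deny", "(no matching rule)"


if __name__ == "__main__":
    rules = CUSTOM_INBOUND + DEFAULT_INBOUND
    for src, port in [("203.0.113.5", 443), ("203.0.113.5", 22), ("10.0.255.4", 22),
                      ("203.0.113.5", 80), ("168.63.129.16", 80), ("10.0.2.7", 8080)]:
        print(f"{src}:{port} ->", evaluate(rules, "Inbound", "Tcp", src, "10.0.1.4", port))
```

The ordering is the point to check when reviewing an NSG: if `DenyAllSsh` had been given priority 105 instead of 120, the `AllowSshFromBastion` rule at 110 would never be reached, and if the Bastion allow were dropped entirely, SSH would still be denied, but only by the default `DenyAllInBound` rule at 65500 rather than by an explicit rule that documents the intent.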
Q9: What is the limit for NSG rules per Network Security Group?
Ans: The maximum number of rules per Network Security Group is 1000.
See More: Networking Limits
Application Security Groups
Application Security Groups help manage the security of virtual machines by grouping them according to the applications that run on them. The feature allows an application-centric use of Network Security Groups.
Q10: What is the difference between Network Security Groups(NSG) and Application Security Groups(ASG)?
Ans: A Network Security Group is used to enforce and control network traffic, whereas an Application Security Group is an object reference used within a Network Security Group's rules. NSGs can be associated at the subnet level or with individual network interfaces (NICs) attached to VMs; an ASG controls inbound and outbound traffic at the network interface level.
Azure Bastion
Q11: Can we customize the Bastion host?
Ans: No, you cannot customize the Bastion host; it is a Platform as a Service (PaaS) offering. If you need customization, use a jump server instead.
Q12: Do we need a dedicated subnet only for Azure Bastion, or can we also use its IPs for other purposes?
Ans: Azure Bastion needs its own subnet, and there are guidelines for that subnet:
- The subnet must be named AzureBastionSubnet.
- The subnet must be at least /27 or larger.
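As an added example (written for this recap, not code from the original post or from Azure), the function below checks a proposed Bastion subnet against the two guidelines above, and also against the "dedicated subnet" requirement from Q12 by rejecting a range that overlaps any other subnet or falls outside the VNet. It is a plain-Python validator with the VNet and subnet values constructed for illustration; a common mistake it catches is reading "/27 or larger" as allowing a /28, which has fewer addresses.

```python
import ipaddress
from typing import List, Tuple

BASTION_SUBNET_NAME = "AzureBastionSubnet"
# "/27 or larger" means a prefix length of 27 or less (32 or more addresses);
# a /28 has only 16 addresses and is therefore too small.
BASTION_MAX_PREFIXLEN = 27


def validate_bastion_subnet(name: str, prefix: str, vnet_space: str,
                            other_subnets: List[Tuple[str, str]]) -> List[str]:
    """Return a list of problems (empty when the subnet satisfies the guidelines)."""
    problems: List[str] = []

    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {name!r}")

    try:
        net = ipaddress.ip_network(prefix)   # strict: host bits must be zero
    except ValueError as exc:
        return problems + [f"invalid subnet prefix {prefix!r}: {exc}"]

    if net.prefixlen > BASTION_MAX_PREFIXLEN:
        problems.append(f"{prefix} is smaller than /{BASTION_MAX_PREFIXLEN} "
                        f"({net.num_addresses} addresses)")

    vnet = ipaddress.ip_network(vnet_space)
    if not net.subnet_of(vnet):
        problems.append(f"{prefix} lies outside the VNet address space {vnet_space}")

    # The subnet is reserved for Bastion, so no other subnet may share its range.
    for other_name, other_prefix in other_subnets:
        if net.overlaps(ipaddress.ip_network(other_prefix)):
            problems.append(f"{prefix} overlaps subnet {other_name!r} ({other_prefix})")

    return problems


if __name__ == "__main__":
    # Constructed VNet 10.0.0.0/16 with an existing "default" subnet.
    existing = [("default", "10.0.0.0/24")]
    for name, prefix in [("AzureBastionSubnet", "10.0.255.0/27"),
                         ("BastionSubnet", "10.0.255.0/28"),
                         ("AzureBastionSubnet", "10.0.0.64/26")]:
        result = validate_bastion_subnet(name, prefix, "10.0.0.0/16", existing)
        print(name, prefix, "->", result or "OK")
```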
Quiz Time (Sample Exam Questions)!
With our Microsoft Azure Solutions Architect training program, we cover 220+ [AZ-303] and 150+ [AZ-304] sample exam questions to help you prepare for the AZ-303 and AZ-304 certifications.
Note: Download the 25 Sample Exam Questions for Microsoft Azure Solutions Architect from here.
Check out one of the questions and see if you can crack this…
Ques: You are designing an Azure solution. The solution must meet the following requirements:
- Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules.
- Provide SSL offloading capabilities.
Now, you need to recommend a solution to distribute network traffic. Which technology would you recommend?
A. Azure Traffic Manager
B. Azure Firewall rules
C. Azure Application Gateway
D. Azure Load Balancer
The right answer will be revealed in next week’s blog.
Here is the answer to the question shared last week.
Ques: You have a set of virtual machines in Azure. You have to restart the virtual machines when the CPU usage exceeds 85% for more than 30 minutes. You have to implement this with the least amount of administrative effort.
Which of the following would you implement for this requirement?
A. Scale Sets
B. Webhook
C. Automation Runbook
D. Logic App
Answer: C. Automation Runbook
Explanation: You can use Automation Runbooks, which alerts can trigger.
Option A is incorrect since this is to create and manage a group of load-balanced Virtual Machines.
Option B is incorrect since this is used to invoke an external webhook.
Option D is incorrect since this is a workflow system. In the end, you still need a way to restart the virtual machines.
See More: Automation Runbook.
Feedback
We always work on improving and being a better version of ourselves than in the previous session, hence we constantly ask for feedback from our attendees.
Here’s the feedback that we received from our trainees who had attended the session…
- Here 2106 is in YYMM format and represents the trainees from the batch of June 2021.
Related/References
- AZ 303/304: Microsoft Azure Solutions Architect: Step By Step Activity Guides (Hands-On Labs)
- Introduction to ARM Templates: Learn, Create and Deploy in Azure
- Top 10 Best Practices for Azure Security in 2021
- Tips To Prepare Exam AZ-304: Microsoft Azure Architect Design
Next Task For You
Are you still feeling confused about where to start or which certification is right for you? Just click on the Register Now button below to register for a Free Masterclass on Microsoft Azure Solutions Architect Certification, with a live demo and Q/A, which will help you choose the right path and clear the certification exam.
The post [Recap] Day 4: Load Balancing and Network Security [Azure Solutions Architect] [AZ-303/304] appeared first on Cloud Training Program.