Implement and Manage Virtual Networking - Q&A
This document contains comprehensive questions and answers for the Implement and Manage Virtual Networking domain of the AZ-104 exam (15-20% weight).
📚 Reference Links
- Azure Virtual Network Documentation
- Azure DNS Documentation
- Azure Load Balancer Documentation
- AZ-104 Study Guide
Section 1: Virtual Networks and Subnets
Q1.1: What is an Azure Virtual Network (VNet)?
Answer: An Azure Virtual Network is a logically isolated network in Azure that enables resources to securely communicate with each other, the internet, and on-premises networks.
Key Characteristics:
- Isolated network boundary
- Address space using CIDR notation
- Can span multiple availability zones
- Region-specific (cannot span regions)
- Supports IPv4 and IPv6
VNet Components:
| Component | Description |
|---|---|
| Address space | IP range in CIDR (e.g., 10.0.0.0/16) |
| Subnets | Subdivisions of address space |
| DNS settings | Custom or Azure-provided DNS |
| DDoS protection | Basic (free) or Standard |
Creating VNet:
```bash
# Create VNet with subnet
az network vnet create \
  --resource-group "Network-RG" \
  --name "MyVNet" \
  --address-prefix "10.0.0.0/16" \
  --subnet-name "WebSubnet" \
  --subnet-prefix "10.0.1.0/24"

# Add additional subnet
az network vnet subnet create \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "AppSubnet" \
  --address-prefix "10.0.2.0/24"
```
Address Space Planning:
- Use RFC 1918 private ranges (10.x, 172.16-31.x, 192.168.x)
- Plan for growth
- Avoid overlapping with on-premises or peered VNets
- Remember that Azure reserves 5 addresses in every subnet, so a /24 yields 251 usable addresses
Reserved Addresses per Subnet:
- x.x.x.0: Network address
- x.x.x.1: Default gateway
- x.x.x.2-3: Azure DNS
- x.x.x.255: Broadcast
Q1.2: What are service endpoints and private endpoints?
Answer: Both provide secure connectivity to Azure services, but work differently.
Service Endpoints:
- Extend VNet identity to Azure services
- Traffic stays on Azure backbone
- Service still has public IP
- Free to use
- Configured at subnet level
```bash
# Enable service endpoint for storage
az network vnet subnet update \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "AppSubnet" \
  --service-endpoints "Microsoft.Storage" "Microsoft.Sql"

# Configure storage to accept from VNet
az storage account network-rule add \
  --account-name "mystorageaccount" \
  --resource-group "Storage-RG" \
  --vnet-name "MyVNet" \
  --subnet "AppSubnet"
```
Private Endpoints:
- Private IP address in your VNet
- Service accessible via private IP
- No public IP needed on service
- DNS integration required
- Per-hour and data processing charges
```bash
# Create private endpoint for storage
az network private-endpoint create \
  --resource-group "Network-RG" \
  --name "storage-pe" \
  --vnet-name "MyVNet" \
  --subnet "PrivateEndpointSubnet" \
  --private-connection-resource-id "<storage-account-id>" \
  --group-id "blob" \
  --connection-name "storage-connection"

# Create private DNS zone
az network private-dns zone create \
  --resource-group "Network-RG" \
  --name "privatelink.blob.core.windows.net"

# Link DNS zone to VNet
az network private-dns link vnet create \
  --resource-group "Network-RG" \
  --zone-name "privatelink.blob.core.windows.net" \
  --name "storage-dns-link" \
  --virtual-network "MyVNet" \
  --registration-enabled false
```
Comparison:
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Traffic path | Azure backbone | Private IP |
| Public IP | Service keeps public IP | Can disable public IP |
| DNS | Public DNS | Private DNS zone |
| On-premises access | Requires VPN/ER | Requires VPN/ER |
| Cost | Free | Per hour + data |
| Scope | Subnet level | Resource level |
Q1.3: What is subnet delegation?
Answer: Subnet delegation allows Azure services to inject resources into a subnet with specific configurations.
How It Works:
- Subnet is dedicated to a specific service
- Service can create resources in the subnet
- Service manages network configuration
- Other resources may be restricted
Services Supporting Delegation:
- Azure Container Instances
- Azure App Service (VNet integration)
- Azure SQL Managed Instance
- Azure Databricks
- Azure NetApp Files
- Azure API Management
Configuring Delegation:
```bash
# Delegate subnet to Container Instances
az network vnet subnet update \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "ContainerSubnet" \
  --delegations "Microsoft.ContainerInstance/containerGroups"

# Delegate subnet to App Service
az network vnet subnet update \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "AppServiceSubnet" \
  --delegations "Microsoft.Web/serverFarms"
```
Important Notes:
- Only one delegation per subnet
- Some services require empty subnet
- Delegation cannot be removed if resources exist
- Check service requirements for subnet size
Section 2: Network Security
Q2.1: What are Network Security Groups (NSGs)?
Answer: NSGs filter network traffic to and from Azure resources using security rules.
NSG Components:
Security Rules:
- Priority (100-4096, lower = higher priority)
- Source/Destination (IP, service tag, ASG)
- Protocol (TCP, UDP, ICMP, Any)
- Port range
- Action (Allow/Deny)
Default Rules (cannot be deleted):
- AllowVNetInBound (priority 65000)
- AllowAzureLoadBalancerInBound (priority 65001)
- DenyAllInBound (priority 65500)
- AllowVNetOutBound (priority 65000)
- AllowInternetOutBound (priority 65001)
- DenyAllOutBound (priority 65500)
Creating NSG:
```bash
# Create NSG
az network nsg create \
  --resource-group "Network-RG" \
  --name "WebNSG"

# Add inbound rule for HTTP
az network nsg rule create \
  --resource-group "Network-RG" \
  --nsg-name "WebNSG" \
  --name "AllowHTTP" \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "*" \
  --source-port-ranges "*" \
  --destination-address-prefixes "*" \
  --destination-port-ranges 80

# Add rule for HTTPS (source/destination prefixes and source ports default to "*")
az network nsg rule create \
  --resource-group "Network-RG" \
  --nsg-name "WebNSG" \
  --name "AllowHTTPS" \
  --priority 110 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 443

# Associate NSG with subnet
az network vnet subnet update \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "WebSubnet" \
  --network-security-group "WebNSG"
```
Service Tags: Pre-defined groups of IP addresses:
- Internet: All public IPs
- VirtualNetwork: VNet address space + peered VNets
- AzureLoadBalancer: Azure health probes
- Storage: Azure Storage IPs
- Sql: Azure SQL IPs
- AzureCloud: All Azure public IPs
Q2.2: What are Application Security Groups (ASGs)?
Answer: ASGs allow you to group VMs and define network security policies based on application structure.
Benefits:
- Group VMs by application role
- Simplify NSG rule management
- No need to manage IP addresses
- Scale with your application
Creating and Using ASGs:
```bash
# Create ASGs
az network asg create \
  --resource-group "Network-RG" \
  --name "WebServers"

az network asg create \
  --resource-group "Network-RG" \
  --name "AppServers"

az network asg create \
  --resource-group "Network-RG" \
  --name "DbServers"

# Create NSG rule using ASGs
az network nsg rule create \
  --resource-group "Network-RG" \
  --nsg-name "AppNSG" \
  --name "AllowWebToApp" \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-asgs "WebServers" \
  --destination-asgs "AppServers" \
  --destination-port-ranges 8080

# Associate VM NIC with ASG
az network nic ip-config update \
  --resource-group "Network-RG" \
  --nic-name "WebVM1-nic" \
  --name "ipconfig1" \
  --application-security-groups "WebServers"
```
Example Architecture:
```text
Internet → [NSG] → WebServers (ASG)
                        ↓
              [NSG] → AppServers (ASG)
                        ↓
              [NSG] → DbServers (ASG)
```
Limitations:
- ASGs must be in same region as resources
- Max 3,000 ASGs per subscription
- VM NIC can be in multiple ASGs
Q2.3: How does NSG rule evaluation work?
Answer: NSG rules are evaluated based on priority and direction.
Evaluation Process:
Inbound Traffic:
- NSG associated with subnet evaluated first
- NSG associated with NIC evaluated second
- Traffic must be allowed by both (if both exist)
Outbound Traffic:
- NSG associated with NIC evaluated first
- NSG associated with subnet evaluated second
- Traffic must be allowed by both (if both exist)
Rule Matching:
- Rules evaluated in priority order (lowest number first)
- First matching rule is applied
- If no rule matches, default deny applies
Example Scenario:
Subnet NSG:
- Priority 100: Allow HTTP from Internet
- Priority 200: Deny all from Internet
NIC NSG:
- Priority 100: Allow HTTP from 10.0.0.0/8
- Priority 200: Deny HTTP from Internet
Result: HTTP from Internet is DENIED (subnet allows, but NIC denies)
Effective Security Rules:
```bash
# View effective rules for a NIC
az network nic list-effective-nsg \
  --resource-group "Network-RG" \
  --name "WebVM1-nic"
```
Best Practices:
- Use subnet-level NSGs for broad rules
- Use NIC-level NSGs for specific VM rules
- Keep rules simple and documented
- Use ASGs to reduce rule complexity
- Regularly audit effective rules
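The evaluation order above, as an added example that is not part of the study guide: a bash model in which rules are sorted by priority, the first match wins, unmatched traffic falls through to the default rules, and inbound traffic must pass both the subnet NSG and the NIC NSG. It replays the Q2.3 scenario and practice question 5, and its CIDR helpers also check the non-overlapping address space prerequisite for peering from Q1.1 and Q4.1; the VNet address space, the rule sets and the simplified service-tag matching (Internet = any non-RFC 1918 address, AzureLoadBalancer not modelled) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the study guide): model of inbound NSG evaluation plus the
# CIDR arithmetic used for address planning and the peering overlap check.
# Simplifications: Internet = any non-RFC 1918 address; VirtualNetwork = VNET_SPACE (assumed).

VNET_SPACE="10.0.0.0/16"

ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
cidr_range() {                    # network address and block size of a CIDR, as "net size"
  local ip=${1%/*} bits=${1#*/} size net
  size=$(( 1 << (32 - bits) )); net=$(( $(ip2int "$ip") & ~(size - 1) & 0xFFFFFFFF ))
  echo "$net $size"
}
in_cidr() {                       # exit status 0 if address $1 lies inside CIDR $2
  local n s a; read -r n s <<< "$(cidr_range "$2")"; a=$(ip2int "$1")
  (( a >= n && a < n + s ))
}
cidr_overlap() {                  # prints overlap or disjoint for two CIDR blocks
  local n1 s1 n2 s2
  read -r n1 s1 <<< "$(cidr_range "$1")"; read -r n2 s2 <<< "$(cidr_range "$2")"
  if (( n1 < n2 + s2 && n2 < n1 + s1 )); then echo overlap; else echo disjoint; fi
}
# Usable addresses in an Azure subnet: the platform reserves 5 per subnet
usable_hosts() { local n s; read -r n s <<< "$(cidr_range "$1")"; echo $(( s - 5 )); }

# Does rule source $1 ('*', a service tag, or a CIDR) cover packet source IP $2?
src_matches() {
  case "$1" in
    '*') return 0 ;;
    VirtualNetwork) in_cidr "$2" "$VNET_SPACE" ;;
    Internet) ! { in_cidr "$2" 10.0.0.0/8 || in_cidr "$2" 172.16.0.0/12 || in_cidr "$2" 192.168.0.0/16; } ;;
    *) in_cidr "$2" "$1" ;;
  esac
}

# Evaluate one NSG's inbound rules for a packet and print Allow or Deny.
# $1 = rules, one per line: "priority access source destport" ('*' = any port);
# $2 = source IP; $3 = destination port. The guide's default rules AllowVNetInBound
# (65000) and DenyAllInBound (65500) are appended, so an unmatched packet is denied.
nsg_evaluate() {
  local rules="$1"$'\n'"65000 Allow VirtualNetwork *"$'\n'"65500 Deny * *"
  local prio access src port
  while read -r prio access src port; do
    [ -n "$prio" ] || continue
    if { [ "$port" = '*' ] || [ "$port" = "$3" ]; } && src_matches "$src" "$2"; then
      echo "$access"; return
    fi
  done <<< "$(sort -n <<< "$rules")"
}

effective_inbound() {   # inbound: subnet NSG first, then NIC NSG; both must allow
  # $1 = subnet rules, $2 = NIC rules, $3 = source IP, $4 = destination port
  if [ "$(nsg_evaluate "$1" "$3" "$4")" = Allow ] && [ "$(nsg_evaluate "$2" "$3" "$4")" = Allow ]
  then echo Allow; else echo Deny; fi
}

# The guide's Q2.3 scenario and practice question 5, as constructed rule sets
SUBNET_NSG=$'100 Allow Internet 80\n200 Deny Internet *'
NIC_NSG=$'100 Allow 10.0.0.0/8 80\n200 Deny Internet 80'
Q5_NSG=$'100 Deny Internet 80\n200 Allow Internet 80'

main() {
  echo "Internet 203.0.113.7 -> :80  effective: $(effective_inbound "$SUBNET_NSG" "$NIC_NSG" 203.0.113.7 80)"
  echo "VNet 10.0.1.4 -> :80         effective: $(effective_inbound "$SUBNET_NSG" "$NIC_NSG" 10.0.1.4 80)"
  echo "Q5 Internet -> :80           single NSG: $(nsg_evaluate "$Q5_NSG" 203.0.113.7 80)"
  echo "10.0.0.0/16 vs 10.0.0.0/16:  $(cidr_overlap 10.0.0.0/16 10.0.0.0/16)"
  echo "usable hosts in 10.0.1.0/24: $(usable_hosts 10.0.1.0/24)"
}
main
```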
Section 3: Azure DNS
Q3.1: What is Azure DNS?
Answer: Azure DNS provides DNS hosting and name resolution using Microsoft's global infrastructure.
DNS Zone Types:
Public DNS Zones:
- Host public domain records
- Accessible from internet
- Requires domain ownership verification
Private DNS Zones:
- Host private domain records
- Only accessible from linked VNets
- Auto-registration of VM names
Creating DNS Zones:
```bash
# Create public DNS zone
az network dns zone create \
  --resource-group "Network-RG" \
  --name "contoso.com"

# Create private DNS zone
az network private-dns zone create \
  --resource-group "Network-RG" \
  --name "private.contoso.com"

# Link private zone to VNet
az network private-dns link vnet create \
  --resource-group "Network-RG" \
  --zone-name "private.contoso.com" \
  --name "MyVNetLink" \
  --virtual-network "MyVNet" \
  --registration-enabled true
```
Common Record Types:
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | www → 10.0.0.4 |
| AAAA | IPv6 address | www → 2001:db8::1 |
| CNAME | Alias to another name | blog → www.contoso.com |
| MX | Mail server | @ → mail.contoso.com |
| TXT | Text data | @ → "v=spf1 include:..." |
| NS | Name server | @ → ns1.azure-dns.com |
| SOA | Start of authority | Zone metadata |
| SRV | Service location | _sip._tcp → sipserver |
| PTR | Reverse lookup | IP → hostname |
Creating Records:
```bash
# Create A record
az network dns record-set a add-record \
  --resource-group "Network-RG" \
  --zone-name "contoso.com" \
  --record-set-name "www" \
  --ipv4-address "10.0.0.4"

# Create CNAME record
az network dns record-set cname set-record \
  --resource-group "Network-RG" \
  --zone-name "contoso.com" \
  --record-set-name "blog" \
  --cname "www.contoso.com"

# Create MX record
az network dns record-set mx add-record \
  --resource-group "Network-RG" \
  --zone-name "contoso.com" \
  --record-set-name "@" \
  --exchange "mail.contoso.com" \
  --preference 10
```
Q3.2: What are alias records?
Answer: Alias records point directly to Azure resources instead of IP addresses.
Benefits:
- Automatic IP updates when resource changes
- Support for zone apex (naked domain)
- No extra DNS query (direct resolution)
Supported Target Resources:
- Azure Public IP
- Azure Traffic Manager profile
- Azure CDN endpoint
- Another DNS record in same zone
Creating Alias Records:
```bash
# Alias to public IP
az network dns record-set a create \
  --resource-group "Network-RG" \
  --zone-name "contoso.com" \
  --name "www" \
  --target-resource "/subscriptions/.../publicIPAddresses/MyPublicIP"

# Alias to Traffic Manager
az network dns record-set a create \
  --resource-group "Network-RG" \
  --zone-name "contoso.com" \
  --name "@" \
  --target-resource "/subscriptions/.../trafficManagerProfiles/MyTMProfile"
```
Zone Apex (Root Domain):
- Traditional CNAME cannot be used at apex
- Alias records solve this limitation
- Example: contoso.com → Azure resource
Section 4: Connectivity
Q4.1: What is VNet Peering?
Answer: VNet peering connects two VNets, enabling resources to communicate as if in the same network.
Peering Types:
| Type | Description |
|---|---|
| Regional | VNets in same region |
| Global | VNets in different regions |
Key Characteristics:
- Low latency, high bandwidth
- Traffic stays on Microsoft backbone
- Non-transitive (A↔B, B↔C doesn't mean A↔C)
- Requires peering in both directions
- Address spaces cannot overlap
Creating Peering:
```bash
# Get VNet IDs
VNET1_ID=$(az network vnet show \
  --resource-group "RG1" \
  --name "VNet1" \
  --query id -o tsv)

VNET2_ID=$(az network vnet show \
  --resource-group "RG2" \
  --name "VNet2" \
  --query id -o tsv)

# Create peering from VNet1 to VNet2
az network vnet peering create \
  --resource-group "RG1" \
  --name "VNet1-to-VNet2" \
  --vnet-name "VNet1" \
  --remote-vnet "$VNET2_ID" \
  --allow-vnet-access

# Create peering from VNet2 to VNet1
az network vnet peering create \
  --resource-group "RG2" \
  --name "VNet2-to-VNet1" \
  --vnet-name "VNet2" \
  --remote-vnet "$VNET1_ID" \
  --allow-vnet-access
```
Peering Options:
| Option | Description |
|---|---|
| Allow VNet access | Enable communication |
| Allow forwarded traffic | Accept traffic from other VNets |
| Allow gateway transit | Share VPN gateway |
| Use remote gateways | Use peer's VPN gateway |
Hub-Spoke Topology:
```text
On-Premises
     ↓
[VPN Gateway]
     ↓
Hub VNet ←→ Spoke VNet 1
     ↓
Spoke VNet 2
```
Q4.2: What is VPN Gateway?
Answer: VPN Gateway enables encrypted connectivity between Azure VNets and on-premises networks.
VPN Types:
Site-to-Site (S2S):
- Connect on-premises network to Azure
- IPsec/IKE VPN tunnel
- Requires VPN device on-premises
Point-to-Site (P2S):
- Connect individual clients to Azure
- No VPN device needed
- Supports OpenVPN, IKEv2, SSTP
VNet-to-VNet:
- Connect Azure VNets
- Alternative to peering (for different subscriptions/regions)
Gateway SKUs:
| SKU | S2S Tunnels | P2S Connections | Throughput |
|---|---|---|---|
| Basic | 10 | 128 | 100 Mbps |
| VpnGw1 | 30 | 250 | 650 Mbps |
| VpnGw2 | 30 | 500 | 1 Gbps |
| VpnGw3 | 30 | 1000 | 1.25 Gbps |
| VpnGw4 | 100 | 5000 | 5 Gbps |
| VpnGw5 | 100 | 10000 | 10 Gbps |
Creating VPN Gateway:
```bash
# Create gateway subnet
az network vnet subnet create \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "GatewaySubnet" \
  --address-prefix "10.0.255.0/27"

# Create public IP
az network public-ip create \
  --resource-group "Network-RG" \
  --name "VPNGatewayIP" \
  --allocation-method Static \
  --sku Standard

# Create VPN gateway (takes 30-45 minutes)
az network vnet-gateway create \
  --resource-group "Network-RG" \
  --name "MyVPNGateway" \
  --vnet "MyVNet" \
  --public-ip-address "VPNGatewayIP" \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1

# Create local network gateway (on-premises)
az network local-gateway create \
  --resource-group "Network-RG" \
  --name "OnPremGateway" \
  --gateway-ip-address "203.0.113.1" \
  --local-address-prefixes "192.168.0.0/16"

# Create S2S connection (use a strong pre-shared key; this value is a placeholder)
az network vpn-connection create \
  --resource-group "Network-RG" \
  --name "S2S-Connection" \
  --vnet-gateway1 "MyVPNGateway" \
  --local-gateway2 "OnPremGateway" \
  --shared-key "YourSharedKey123!"
```
Section 5: Load Balancing
Q5.1: What is Azure Load Balancer?
Answer: Azure Load Balancer is a Layer 4 (TCP/UDP) load balancer for distributing traffic across VMs.
Load Balancer Types:
| Type | Description | Use Case |
|---|---|---|
| Public | Internet-facing | Web applications |
| Internal | Private IP only | Internal applications |
SKUs:
| Feature | Basic | Standard |
|---|---|---|
| Backend pool size | 300 | 1000 |
| Health probes | TCP, HTTP | TCP, HTTP, HTTPS |
| Availability zones | No | Yes |
| SLA | No | 99.99% |
| Secure by default | No | Yes |
Components:
- Frontend IP: Public or private IP
- Backend pool: VMs or VMSS
- Health probe: Monitors backend health
- Load balancing rule: Traffic distribution
- Inbound NAT rule: Port forwarding
Creating Load Balancer:
```bash
# Create public IP
az network public-ip create \
  --resource-group "Network-RG" \
  --name "LBPublicIP" \
  --sku Standard \
  --allocation-method Static

# Create load balancer
az network lb create \
  --resource-group "Network-RG" \
  --name "WebLB" \
  --sku Standard \
  --public-ip-address "LBPublicIP" \
  --frontend-ip-name "FrontEnd" \
  --backend-pool-name "BackEndPool"

# Create health probe
az network lb probe create \
  --resource-group "Network-RG" \
  --lb-name "WebLB" \
  --name "HealthProbe" \
  --protocol Http \
  --port 80 \
  --path "/"

# Create load balancing rule
az network lb rule create \
  --resource-group "Network-RG" \
  --lb-name "WebLB" \
  --name "HTTPRule" \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name "FrontEnd" \
  --backend-pool-name "BackEndPool" \
  --probe-name "HealthProbe"

# Add VMs to backend pool
az network nic ip-config address-pool add \
  --resource-group "Network-RG" \
  --nic-name "WebVM1-nic" \
  --ip-config-name "ipconfig1" \
  --lb-name "WebLB" \
  --address-pool "BackEndPool"
```
Q5.2: What is Application Gateway?
Answer: Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer with advanced features.
Key Features:
- URL-based routing
- SSL termination
- Web Application Firewall (WAF)
- Session affinity (cookie-based)
- Autoscaling
- Zone redundancy
Components:
- Frontend IP: Public and/or private
- Listeners: HTTP/HTTPS, port, hostname
- Rules: Route to backend pools
- Backend pools: VMs, VMSS, App Service, IPs
- HTTP settings: Protocol, port, affinity
- Health probes: Custom health checks
SKUs:
| SKU | Features |
|---|---|
| Standard_v2 | Autoscaling, zone redundancy |
| WAF_v2 | Standard_v2 + WAF |
Creating Application Gateway:
```bash
# Create subnet for App Gateway
az network vnet subnet create \
  --resource-group "Network-RG" \
  --vnet-name "MyVNet" \
  --name "AppGatewaySubnet" \
  --address-prefix "10.0.10.0/24"

# Create public IP
az network public-ip create \
  --resource-group "Network-RG" \
  --name "AppGWPublicIP" \
  --sku Standard \
  --allocation-method Static

# Create Application Gateway
az network application-gateway create \
  --resource-group "Network-RG" \
  --name "MyAppGateway" \
  --location "eastus" \
  --sku WAF_v2 \
  --capacity 2 \
  --vnet-name "MyVNet" \
  --subnet "AppGatewaySubnet" \
  --public-ip-address "AppGWPublicIP" \
  --http-settings-port 80 \
  --http-settings-protocol Http \
  --frontend-port 80
```
URL-Based Routing:
```text
/images/* → Image backend pool
/videos/* → Video backend pool
/*        → Default backend pool
```
Q5.3: What are the differences between load balancing options?
Answer: Azure provides multiple load balancing services for different scenarios.
Comparison:
| Feature | Load Balancer | App Gateway | Traffic Manager | Front Door |
|---|---|---|---|---|
| Layer | 4 (TCP/UDP) | 7 (HTTP) | DNS | 7 (HTTP) |
| Scope | Regional | Regional | Global | Global |
| Protocol | Any | HTTP/HTTPS | Any | HTTP/HTTPS |
| SSL termination | No | Yes | No | Yes |
| WAF | No | Yes | No | Yes |
| URL routing | No | Yes | No | Yes |
| Session affinity | Hash-based | Cookie | No | Cookie |
When to Use Each:
Azure Load Balancer:
- Non-HTTP traffic (TCP/UDP)
- Internal load balancing
- High-performance, low-latency
Application Gateway:
- HTTP/HTTPS traffic
- SSL termination
- URL-based routing
- WAF protection
Traffic Manager:
- DNS-based global routing
- Multi-region failover
- Geographic routing
- Any protocol
Azure Front Door:
- Global HTTP load balancing
- SSL offloading at edge
- WAF at edge
- Caching and acceleration
Practice Questions
Question 1
You need to allow HTTP traffic from the internet to VMs in a subnet. The VMs are in an Application Security Group called "WebServers". What should you configure?
A. NSG rule with source "Internet" and destination "WebServers" ASG
B. NSG rule with source "WebServers" ASG and destination "Internet"
C. Service endpoint for HTTP
D. Private endpoint for the VMs
Answer: A
Create an inbound NSG rule with source service tag "Internet" and destination ASG "WebServers" to allow HTTP traffic to the web servers.
Question 2
Two VNets need to communicate. VNet1 has address space 10.0.0.0/16 and VNet2 has 10.0.0.0/16. What should you do?
A. Create VNet peering
B. Change one VNet's address space
C. Use VPN Gateway
D. Use Azure Firewall
Answer: B
VNet peering requires non-overlapping address spaces. You must change one VNet's address space before peering can be established.
Question 3
You need to route traffic to different backend pools based on URL path. Which service should you use?
A. Azure Load Balancer
B. Application Gateway
C. Traffic Manager
D. Azure Firewall
Answer: B
Application Gateway provides Layer 7 load balancing with URL-based routing capabilities. Load Balancer is Layer 4 and doesn't inspect URLs.
Question 4
You want VMs in a subnet to access Azure Storage without traffic going over the internet, but you don't need a private IP for storage. What should you configure?
A. Private endpoint
B. Service endpoint
C. VNet peering
D. VPN Gateway
Answer: B
Service endpoints extend VNet identity to Azure services, keeping traffic on the Azure backbone without requiring a private IP address. This is simpler and free compared to private endpoints.
Question 5
You have an NSG with these rules:
- Priority 100: Deny HTTP from Internet
- Priority 200: Allow HTTP from Internet
What happens to HTTP traffic from the internet?
A. Traffic is allowed
B. Traffic is denied
C. Traffic is allowed then denied
D. An error occurs
Answer: B
NSG rules are evaluated in priority order (lowest number first). The deny rule at priority 100 is evaluated before the allow rule at priority 200, so HTTP traffic is denied.
Summary
Key topics for the Networking domain:
- Virtual Networks: Address spaces, subnets, planning
- Service Endpoints: VNet identity extension, free
- Private Endpoints: Private IP, DNS integration
- Subnet Delegation: Service-specific subnets
- NSGs: Security rules, priority, evaluation
- ASGs: Application-based grouping
- Azure DNS: Public and private zones, record types
- Alias Records: Direct resource references
- VNet Peering: Regional and global, non-transitive
- VPN Gateway: S2S, P2S, VNet-to-VNet
- Load Balancer: Layer 4, public/internal
- Application Gateway: Layer 7, WAF, URL routing