Designing and implementing virtual networks and subnets is an integral part of the AZ-120 Planning and Administering Azure for SAP Workloads exam. These topics focus on Azure Network Management, including network planning, network configuration, and network security measures. Well-established virtual networks and subnets ensure seamless connectivity and security for SAP workloads.
Understanding Virtual Networks and Subnets
A Virtual Network (VNet) in Azure provides an isolation and segmentation of the Azure cloud dedicated to your subscription. As for subnets, they serve as subdivisions within a VNet, allowing you to segment the network further, segregate resources, improve network security, and optimize network performance. In short, a VNet is the principal construct in Azure Networking, and a subnet is a section within that network.
Designing Virtual Networks and Subnets for SAP Workloads
Designing a VNet for SAP workloads, consider the following aspects:
- Address Space: Determine the IP address range that will be used for your VNet. Azure uses CIDR (Classless Inter-Domain Routing) notation. For example, you could use 10.0.0.0/16 for your SAP VNet.
- Subnets: Subnets partition a VNet into one or more IP ranges where you can deploy Azure resources. For instance, you might have separate subnets for different SAP components like SAP Application servers (10.0.1.0/24) and SAP Database servers (10.0.2.0/24).
- Connectivity: Evaluate if you need connections to your on-premises network or the public internet. Azure offers multiple options like VPN (Virtual Private Network), Azure ExpressRoute, and NAT Gateways.
- Security: Incorporate security measures such as Network Security Groups (NSGs), Application Security Groups and Azure Firewall to safeguard your SAP workloads effectively.
Implementing Virtual Networks and Subnets
Once the design is in place, the next step would be the actual implementation of the vnets and subnets. Azure provides a platform using both GUI and CLI to construct your network topology. However, it is recommended to leverage infrastructure as code (IaC) tools such as Azure Resource Manager (ARM) templates or Terraform for the setup.
Here is a sample ARM template code block to create a VNet and two Subnets:
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"name": "myVNet",
"location": "[resourceGroup().location]",
"properties": {
"addressSpace": {
"addressPrefixes": ["10.0.0.0/16"]
},
"subnets": [
{
"name": "appSubnet",
"properties": {
"addressPrefix": "10.0.1.0/24"
}
},
{
"name": "dbSubnet",
"properties": {
"addressPrefix": "10.0.2.0/24"
}
}
]
}
}
Conclusion
Designing and implementing a well-structured network topology in Azure using VNets and Subnets plays a crucial role in ensuring high-performance and security for SAP Workloads. These Azure skills make an imperative section of the AZ-120 Azure for SAP workload certification exam. The exam requires a comprehensive understanding and practical knowledge of Azure network planning and implementation. Thus, Azure aspirants must familiarize themselves with creating and managing VNets and Subnets to increase their chances of succeeding in the exam.
Practice Test
True or False: You can connect on-premises networks and infrastructures directly to Azure.
- True
Answer: True
Explanation: Azure provides Azure express route and site-to-site VPN that you can use to directly connect your on-premises networks to Azure.
What does VNet peering in Azure provide?
- A. Connection between Azure and on-premises infrastructure
- B. Connection across virtual networks
- C. Connection between Azure and other cloud services
- D. Both A and B
Answer: B. Connection across virtual networks
Explanation: VNet peering in Azure connects two Azure virtual networks.
True or False: Azure virtual networks (VNets) are isolated from one another by default.
- True
Answer: True
Explanation: By default, VNets are isolated from each other. To make them communicate with each other, either VNet peering or VPN gateways has to be used.
What does a subnet refer to in Azure virtual networks?
- A. A separate network within your VNet
- B. A connection between two VNets
- C. An on-premises network
- D. None of the above
Answer: A. A separate network within your VNet
Explanation: In an Azure virtual network, subnets refer to a separate network within your VNet.
Multiple select: Which of the following can be used to establish a secure connection between Azure and on-premises networks?
- A. VPN Gateway
- B. VNet Peering
- C. Azure ExpressRoute
- D. Subnet
Answer: A. VPN Gateway, C. Azure ExpressRoute
Explanation: VPN Gateway and Azure ExpressRoute provide secure, private connections between Azure and on-premises infrastructure.
True or False: It is not possible to resize a subnet after it is created.
- False
Answer: False
Explanation: You can resize a subnet by removing it, adjusting the address range, and then recreating it.
True or False: You can deploy VMs and other resources in the same subnet.
- True
Answer: True
Explanation: Similar to other networks, Azure virtual networks allow the deployment of VMs, and other resources in the same subnet.
What is the purpose of Network Security Group in Azure?
- A. Manage network traffic
- B. Connect Azure and on-premises infrastructure
- C. Speed up Virtual Network Performance
- D. None of the above
Answer: A. Manage network traffic
Explanation: Network Security Group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
What does Azure ExpressRoute provide?
- A. Peering of Azure virtual networks
- B. Security Group for managing traffic
- C. Direct private connectivity to Azure
- D. None of the above
Answer: C. Direct private connectivity to Azure
Explanation: Azure ExpressRoute provides direct private connectivity between your on-premises infrastructure or colocation environment and Azure.
True or False: Subnets in Azure can span multiple virtual networks.
- False
Answer: False
Explanation: Each subnet is only relevant and usable in the context of the VNet in which it exists. A subnet cannot span multiple VNets.
True or False: You can deploy Azure virtual machines (VMs) and an Azure VPN gateway in the same subnet.
- False
Answer: False
Explanation: Azure virtual machines (VMs) and an Azure VPN gateway have to be in different subnets.
Who can communicate with resources in an Azure subnet?
- A. Only resources in the same subnet
- B. Resources on any subnet within the VNet
- C. Only the subnet owner
- D. None of the above
Answer: B. Resources on any subnet within the VNet
Explanation: In Azure, all resources on any subnet within a VNet, by default, can freely communicate inbound and outbound with each other.
Interview Questions
What is Azure Virtual Network?
Azure Virtual Network (VNet) is the fundamental building block for any customer network. VNet lets you create your own private space in Azure, akin to a network in your own data center, and is crucial to your private IP address collections.
What are subnets in Azure Virtual Network?
Subnets in Azure Virtual Network are segmented parts of the VNet’s IP address range where you can place resources.
What are network security groups in the context of Azure for SAP workloads?
Network Security Groups (NSGs) are used to allow or deny network traffic to your virtual network resources. They contain a list of Access Control List (ACL) rules that allow or deny traffic based on source and destination IP address, port, and protocol.
What are the maximum numbers of VNet peering in Azure?
Each Azure subscription can have up to 500 virtual network peerings.
What is the purpose of VNet peering in Azure for SAP workloads?
VNet peering allows direct network connectivity between virtual networks, providing a low-latency, high-bandwidth connection that can be crucial for high performance scenarios like SAP workloads.
What is a User-Defined route in Azure Virtual Network?
User-Defined Routes are custom rules that control the routing behavior within a subnet. They work by defining priority-based routes that dictate the flow of data in your Azure environment.
What is the role of Azure Network Watcher?
Azure Network Watcher is a service that offers tools to monitor, diagnose, and gain insights into your network in Azure.
Can you connect on-premises networks to Azure virtual networks?
Yes, you can connect on-premises networks to Azure virtual networks using VPN gateways or ExpressRoute connections.
How is traffic encrypted in Azure VNet?
Traffic within Azure VNet is encrypted by default, ensuring the secure communication between your Azure resources.
What are the methods available to connect multiple virtual networks within Azure?
There are a few methods available: VNet Peering, VNet-to-VNet VPN, and Azure ExpressRoute.
Can we mix IPv4 and IPv6 addresses in Azure VNet?
Yes, Azure VNet supports both IPv4, IPv6 and dual-stack addresses i.e., both IPv4 and IPv6.
What is Azure Private Link used for in relation to virtual networks and subnets?
Azure Private Link allows users to access Azure Services (like Azure Storage, Azure Cosmos DB, and SQL Database) and Azure hosted customer/partner services over a private endpoint in your Azure VNet.
Can outbound connectivity be restricted in Azure VNet?
Yes, outbound connectivity can be controlled and restricted using User Defined Outbound Routes and Network Security Groups.
What is Azure VPN Gateway in context of Azure VNet?
Azure VPN Gateway is a type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
How can I monitor the network performance within Azure VNet?
You can monitor network performance using Azure Network Watcher. It provides tools to monitor, diagnose and view metrics for your network resources.
extutorials.com