When preparing for the AZ-140 Configuring and Operating Microsoft Azure Virtual Desktop exam, one key topic to review is managing connectivity to the internet and on-premises networks. This involves understanding how to route traffic in Virtual Desktop environments and how to configure networking and security components.
1. Routing in Azure Virtual Desktop environment:
Azure Virtual Desktop employs Azure’s built-in routing to direct network traffic. This comprises of user data traffic, management traffic, and PowerShell remoting for app group assignments.
Deciding on the appropriate infrastructure for managing internet traffic is critical. For instance, the majority of user data traffic in a virtual desktop infrastructure (VDI) deployment goes out to the internet. Azure Virtual Desktop instances are not any different. Users in a pooled or personalized host pool expect the same browsing experience they get at a traditional on-premises VDI deployment.
Azure Virtual Desktop does not require an on-premises gateway. However, to route Azure Virtual Desktop virtual machines (VMs) network traffic to an on-premises network before it goes to the internet, you can use Azure’s built-in UDR (user-defined route), implement a Network Virtual Appliance (NVA) or use Azure Firewall to control outbound internet traffic.
2. Configuring Network Components:
Establishing a Virtual Network (VNet) is crucial for an Azure Virtual Desktop deployment. The VNet connects the Azure resources and can connect to an on-premise network if required, using a VPN gateway or ExpressRoute.
Azure Virtual Desktop uses a subnet within the VNet. It’s important to calculate the right subnet size to accommodate all your session hosts and other resources. For example, if you plan on having 50 session hosts, your subnet size should include 50 + additional space for other VNet resources.
Here is the general rule for deciding subnet size for host pools:
| # of Session Hosts | Subnet Size |
|---|---|
| < 32 | /27 |
| < 64 | /26 |
| < 128 | /25 |
| < 256 | /24 |
| < 512 | /23 |
| < 1024 | /22 |
3. Configuring Network Security Components:
Network security is just as significant in the Azure Virtual Desktop environment as at home. Network Security Groups (NSGs) can be used to control inbound and outbound traffic to your Azure Virtual Desktop, which can be applied at the subnet or NIC (Network Interface Card) level.
Azure also supports Application Security Groups, that allows you to configure micro-segmentation for your Virtual Network with a higher level of granularity. For example, you can create Application Security Groups to separate your organisation units, departments, or specific applications, managing access at a more granular and manageable level.
In addition, Azure provides Azure Firewall, a managed, cloud-based network security service that helps to protect your Azure Virtual Network resources.
In conclusion, managing network connectivity in Azure Virtual Desktop includes not only routing traffic effectively but also involves implementing and enforcing network security controls. The discussions above provide you with insights on managing connectivity to the internet and on-premises networks, which is key to successfully passing exam AZ-140.
Practice Test
True or False: Azure Virtual Desktop can be integrated with other Azure services, such as Azure Logic Apps.
• True
• False
Answer: True.
Explanation: Azure Virtual Desktop integrates smoothly with Azure Logic Apps and other Azure services, allowing for greater flexibility and scalability.
Which of the following provides the primary network connection for Azure Virtual Desktop?
• A) Azure ExpressRoute
• B) Azure Virtual Network
• C) Azure VPN Gateway
• D) Azure Load Balancer
Answer: B) Azure Virtual Network.
Explanation: Azure Virtual Network provides the main network connection for Azure Virtual Desktop, allowing for secure, private connections between Azure resources and on-premises networks.
True or False: You should use a site-to-site VPN for Azure Virtual Desktop connection, if you have an existing, secure on-premises network and you want a secure connection to your Azure public IP addresses.
• True
• False
Answer: True.
Explanation: Site-to-site VPN allows for a secure, encrypted connection between an on-premises network and Azure Virtual Network, making it ideal for connecting securely to an Azure public IP address.
Which of the following is the dedicated private connectivity between Azure and your on-premises networks?
• A) Azure Load Balancer
• B) Azure VPN Gateway
• C) Azure ExpressRoute
• D) Azure Virtual Network
Answer: C) Azure ExpressRoute.
Explanation: Azure ExpressRoute provides a dedicated, private network connection between Azure and your on-premises network, offering higher security, reliability, and speeds than typical connections over the internet.
True or False: You do not have any control over network security for Azure Virtual Desktop.
• True
• False
Answer: False.
Explanation: You can manage network security for Azure Virtual Desktop via Azure Firewall, Network Security Groups, and Azure Security Center to ensure secure and controlled access.
Azure Virtual Desktop requires which type of IP address to connect with an on-premises network?
• A) Public IP address
• B) Private IP address
• C) Both A and B
• D) Neither A nor B
Answer: A) Public IP address.
Explanation: Azure Virtual Desktop requires a public IP address to connect with an on-premises network to ensure identify and access over the internet.
Which of the following is not a layer of Azure Virtual Desktop’s layered networking model?
• A) Regional VNet Peering
• B) Azure VPN Gateway
• C) Azure ExpressRoute
• D) Azure NetApp Files
Answer: D) Azure NetApp Files.
Explanation: Azure NetApp Files is a file storage service, and is not part of Azure Virtual Desktop’s layered networking model.
True or False: Azure Firewall can manage connectivity and create network rules for Azure Virtual Desktop.
• True
• False
Answer: True.
Explanation: Azure Firewall is a cloud-based network security service that can create and manage network rules, protecting Azure Virtual Desktop resources.
Which of the following services can support Azure Virtual Desktop to ensure high availability and load balancing?
• A) Azure Traffic Manager
• B) Azure Load Balancer
• C) Azure Front Door
• D) All of the above
Answer: D) All of the above.
Explanation: Azure Traffic Manager, Azure Load Balancer, and Azure Front Door are all services that can support high availability and load balancing for Azure Virtual Desktop.
True or False: Azure Private Link allows you to access Azure services over a private connection.
• True
• False
Answer: True.
Explanation: Azure Private Link allows you to create and manage private connections between Azure services and Virtual Networks, ensuring secure access via a private network connection.
Interview Questions
What is the role of Network Security Groups (NSGs) in Azure Virtual Desktop?
Network Security Groups (NSGs) are used in Azure Virtual Desktop to control the traffic to and from Azure resources. They allow or deny traffic to these resources based on priority, source address, destination address, port, and protocol.
What is Azure VNet Peering?
Azure VNet Peering allows direct network connectivity between virtual networks. This enables communication between resources in the VNets over the Microsoft Azure backbone.
How does Azure ExpressRoute provide connectivity to Azure resources?
Azure ExpressRoute provides a private, dedicated, and high-bandwidth network connection to Azure, bypassing the public internet. This helps improve reliability, speed, and network security.
What’s the role of Azure Load Balancer in managing connectivity to the internet and on-premises networks?
Azure Load Balancer distributes incoming internet and private network traffic among healthy service instances in cloud services or virtual machines in a Virtual Network, to provide high availability and reliability.
What is Azure VPN Gateway?
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs. It provides a secure and reliable connection and eliminates the need for dedicated private connectivity to Azure.
How can Azure Private Link improve network security for Azure Desktop Virtualization?
Azure Private Link provides private connectivity from a virtual network to Azure platform as service (PaaS), customer-owned, or Microsoft partner services. It simplifies network architecture and improves security by eliminating data exposure to the public internet.
What is the role of Azure Firewall in Azure Virtual Desktop?
Azure Firewall provides network-level protection for Azure Virtual Desktop. It uses rules to control inbound and outbound traffic, providing a secure barrier between Azure resources and the public internet.
How does Azure Traffic Manager manage network connectivity for Azure Virtual Desktop?
Azure Traffic Manager uses DNS-based traffic load balancing to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.
What is the purpose of the Azure Front Door service in managing connectivity?
Azure Front Door service enhances application performance by accelerating HTTP(S) content delivery. It also provides top-tier global routing for handling network traffic and reducing latency.
How does Azure Virtual Network (VNet) assist in managing connectivity for Azure Virtual Desktop?
Azure Virtual Network (VNet) provides networking capabilities for resources deployed within Virtual Network, such as Azure Virtual Machines (VMs). VNets enable communication within Azure, to the internet, and to on-premises networks, providing a secure environment for Azure resources.
What is the role of Azure Bastion in managing the connectivity to Azure Virtual Desktop?
Azure Bastion is a service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL. It helps protect against outside threats and reduces exposure to the public internet.
What is the purpose of Azure Logic Apps in terms of connectivity in Azure Virtual Desktop?
Azure Logic Apps provides a way to simplify and implement scalable integrations and workflows in the cloud. It can connect to various services within and outside Azure, enabling data and processes interaction across different services.
What is Azure’s User Defined Routing (UDR)?
User Defined Routing (UDR) is a feature in Azure that allows for the customisation of network routes. Using UDR, you can direct traffic from one subnet to another, to a Network Virtual Appliance, and even to an on-premises network, providing flexibility and control over network traffic flow.
How does Azure Site Recovery help manage connectivity in Azure Virtual Desktop?
Azure Site Recovery facilitates business continuity by keeping business apps and workloads running during planned and unplanned outages. It replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location, thereby ensuring connectivity remains intact during a catastrophe.
What’s the purpose of Azure Traffic Analytics in managing network connectivity for Azure Virtual Desktop?
Azure Traffic Analytics provides insights into user traffic on your Azure network. This empowers you to identify security threats and understand traffic patterns, allowing you to make informed decisions on network optimization and security policies enforcement.
extutorials.com