AZ-104 Microsoft Azure Administrator Exam

Configure Subnet Settings and Network Security Groups

Subnets are crucial components within a virtual network in Azure, acting like segments that help in organizing and securing resources. Each subnet is required to have its own unique address range using CIDR (Classless Inter-Domain Routing) format. This ensures no overlapping with other subnets within the same virtual network. When planning these subnets, you must consider the address space requirements to ensure sufficient unallocated space remains for future needs, such as deploying additional Azure service resources, which might necessitate their distinct subnets.

Subnet Configuration

When setting up subnets, several factors should be considered:

• Name: The subnet name must be unique to avoid any confusion within the virtual network.
• Subnet address range: This must be specified in CIDR notation, and it should not overlap with the address ranges of other subnets.
• Add IPv6 address space: Optionally, you can create a dual-stack virtual network that supports both IPv4 and IPv6.
• Private Subnet: Marking a subnet as private prevents it from having default outbound internet access.
• NAT gateway: Associating a NAT gateway can provide network address translation to the resources on the subnet, improving connectivity.

Network Security Groups (NSGs)

Network Security Groups (NSGs) are vital in managing the traffic flow to and from subnets and individual network interfaces. An NSG contains rules that determine whether traffic is allowed or denied based on factors such as the source and destination IP addresses, port numbers, and the protocol being used. NSGs can be connected either to entire subnets or specific network interfaces, providing flexibility in traffic management.

Key features of NSGs include:

• Rules: NSGs define rules with properties such as protocol type, port ranges, address prefixes, direction of traffic (inbound or outbound), priority, and access type (allow or deny).
• Default rules: Every NSG comes with default rules that cannot be deleted or overridden, essential for basic protection.
• Association: NSGs can be associated with entire subnets or specific network interfaces within those subnets, applying the rules to all VMs within that scope.

Security and Connectivity

Improving security and connectivity within your virtual network can be achieved by:

• Override default routing: Restrict Azure's automatic routing between subnets or direct traffic through a network virtual appliance (NVA) for more control.
• Service endpoints: Use virtual network service endpoints to restrict access to Azure resources to specific subnets for better security.
• Network virtual appliances: Utilize NVAs like firewalls to regulate traffic flow between virtual networks or subnet sections.

Best Practices

To achieve optimal performance and security in your Azure virtual network setup, follow these best practices:

• Address space planning: Ensure that the address spaces do not overlap with other networks to avoid IP conflicts.
• Segmentation: Use subnets wisely to divide workloads into segments, enhancing security and management.
• NSG flow logs: Activate NSG flow logs for detailed traffic monitoring and security analysis to detect unauthorized access attempts.
• Azure Firewall: Implement Azure Firewall for centralized, stateful protection. It allows you to manage rules across various levels efficiently.

By adhering to these guidelines, you can maintain a well-optimized network in Azure, characterized by excellent performance, robust security measures, and scalability tailored for future growth needs.