Introduction xxvAssessment Test xxxviiChapter 1 Getting Started with AZ-700 Certification for Azure Networking 1Basics of Cloud Computing and Networking 2The Need for Networking Infrastructure 3The Need for the Cloud 3Basics of Networking 6Enterprise Cloud Networking 10Microsoft Azure Overview 11Azure Cloud Foundation 12Azure Global Infrastructure 14Azure Networking Terminology 20Azure Networking Overview 21Azure Networking Services 23Azure Virtual Network 26VNet Concepts and Best Practices 28Deploying a Virtual Network with Azure PowerShell 35Configure Public IP Services 37Basic SKUs 38Standard SKUs 39Configure a Basic SKU Public IP 40Configure a Standard SKU Public IP with Zones 40Configuring Domain Name Services 40Configure an Azure DNS Zone and Record Using Azure PowerShell 42Configuring Cross-Virtual Network Connectivity with Peering 43Configuring Peering between Two Virtual Networks in the Same Region 45Configuring Virtual Network Traffic Routing 46Using Forced Tunneling to Secure the VNet Route 52Configuring Internet Access with Azure Virtual NAT 53Deploy the NAT Gateway Using Azure PowerShell 54Summary 56Exam Essentials 56Hands-On Lab: Design and Deploy a Virtual Network via the Azure Portal 57Activity 1: Prepare the Network Schema 58Activity 2: Build the Aviation Resource Group 60Activity 3a: Build the CoreInfraVnet Virtual Network and Subnets 60Activity 3b: Build the EngineeringVnet Virtual Network and Subnets 64Activity 3c: Build the BranchofficeVnet Virtual Network and Subnets 66Activity 4: Validate the Build of VNets and Subnets 68Review Questions 70Chapter 2 Design, Deploy, and Manage a Site-to-Site VPN Connection and Point-to-Site VPN Connection 75Overview of Azure VPN Gateway 76Designing an Azure VPN Connection 79Design Pattern 1 86Design Pattern 2 87Design Pattern 3 88Choosing a Virtual Network Gateway SKU for Site-to-Site VPN 89Using Policy-Based VPNs vs. Route-Based VPNs 92Building and Configuring a Virtual Network Gateway 94Building and Configuring a Local Network Gateway 97Building and Configuring an IPsec/IKE Policy 101Configuration Workflow 104Diagnosing and Resolving VPN Gateway Connectivity Issues 109Choosing a VNet Gateway SKU for Point-to-Site VPNs 112Configuring RADIUS, Certificate-Based, and Azure AD Authentication 116Configuration Workflow for Native Azure Certification Authentication 117Configuration Workflow for Native Azure Active Directory 124Configuration Workflow for Windows Active Directory 127Diagnosing and Resolving Client-Side and Authentication Issues 133Summary 136Exam Essentials 136Review Questions 140Chapter 3 Design, Deploy, and Manage Azure ExpressRoute 145Getting Started with Azure ExpressRoute 146Key Use Case for ExpressRoute 151ExpressRoute Deployment Model 151Choosing Between the Network Service Provider and ExpressRoute Direct 153Designing and Deploying Azure Cross-Region Connectivity between Multiple ExpressRoute Locations 156Selecting ExpressRoute Circuit SKUs 156Estimating Price Based on ExpressRoute SKU 156Select a Peering Location 157Select the Proper ExpressRoute Circuit 157Select a Billing Model 159Select a High Availability Design 159Pick a Business Continuity and Disaster Recovery Design Pattern 162Choosing an Appropriate ExpressRoute SKU and Tier 169Designing and Deploying ExpressRoute Global Reach 171Deploying ExpressRoute Global Reach 173Use Case 1: Enabling Circuits in the Same Region 173Use Case 2: Enabling Circuits in Different Regions 174Designing and Deploying ExpressRoute FastPath 175Evaluate Private Peering Only, Microsoft Peering Only, or Both 176Setting Up Private Peering 178Setting Up Microsoft Peering 181Building and Configuring an ExpressRoute Gateway 182Connect a Virtual Network to an ExpressRoute Circuit 186Recommend a Route Advertisement Configuration 190Configure Encryption over ExpressRoute 191Deploy Bidirectional Forwarding Detection 192Diagnose and Resolve ExpressRoute Connection Issues 193Summary 196Exam Essentials 196Review Questions 199Chapter 4 Design and Deploy Core Networking Infrastructure: Private IP and DNS 203Designing Private IP Addressing for VNets 204Deploying a VNet 210Preparing Subnetting for Services 213Subnetting Design Considerations 214Example Case Study: Preparing Subnetting for Services 218Configuring Subnetting for Services 220Preparing and Configuring a Subnet Delegation 223Configure Subnet Delegation 225Planning and Configuring Subnetting for Azure Route Server 226Designing and Configuring Public DNS Zones 231Creating an Azure DNS Zone and Record Using PowerShell 233Designing and Configuring Private DNS Zones 235Creating a Private DNS Zone and Record Using PowerShell 238Designing Name Resolution Inside a VNet 240VMs and Role Instances 243Web Apps 243Linking a Private DNS Zone to a VNet 245Summary 248Exam Essentials 249Review Questions 251Chapter 5 Design and Deploy Core Networking Infrastructure and Virtual WANs 255Overview of Virtual Network Peering, Service Chaining, and Gateway Transit 256Configure VPN Gateway Transit for Virtual Network Peering 258Design VPN Connectivity between VNets 263Deploy VNet Peering 266Deployment Model 1: Running in the Same Azure Subscription and Deployed Using Azure Resource Manager 267Deployment Model 2: Running in Different Subscriptions and Deploying Using Resource Manager 270Deployment Model 3: Running in the Same Subscription and Deploying One VNet Using Resource Manager and Another Using the Classic Model 273Deployment Model 4: Running in Different Subscriptions and Deploying One VNet Using Resource Manager and Another Using the Classic Model 275Design an Azure Virtual WAN Architecture 277Choosing SKUs and Services for Virtual WANs 289Connect a VNet Gateway to an Azure Virtual WAN and Build a Hub in a Virtual WAN 291Build a Virtual Network Appliance (NVA) in a Virtual Hub 299Set Up Virtual Hub Routing 304Build a Connection Unit 306Summary 309Exam Essentials 310Review Questions 312Chapter 6 Design and Deploy VNet Routing and Azure Load Balancer 317Design and Deploy User-Defined Routes 318Basic Routing Concepts 318Azure Routes 321Associate a Route Table with a Subnet 328Set Up Forced Tunneling 329Diagnose and Resolve Routing Issues 334Design and Deploy Azure Route Server 336Route Server Design Pattern 1 338Route Server Design Pattern 2 339Choosing an Azure Load Balancer SKU 344Choosing Between Public and Internal Load Balancers 349Build and Configure an Azure Load Balancer (Including Cross-Region) 353Build and Configure Cross-Region Load Balancer Resources 361Deploy a Load Balancing Rule 366Build and Configure Inbound NAT Rules 370Build Explicit Outbound Rules for a Load Balancer 371Summary 374Exam Essentials 375Review Questions 377Chapter 7 Design and Deploy Azure application gateway, Azure front door, and Virtual NAT 381Azure Application Gateway Overview 383How Application Gateway Works 385Scaling Options for Application Gateway and WAF 389Overview of Application Gateway Deployment 390Front-End Setup 390Back-End Setup 390Health Probes Setup 391Configuring Listeners 393Redirection Overview 394Application Gateway Request Routing Rules 395Redirection Setting 397Application Gateway Rewrite Policies 397Features and Capabilities of Azure Front Door SKUs 409Health Probe Characteristics and Operation 411Secure Front Door with SSL 412Front Door for Web Applications with a High-Availability Design Pattern 413SSL Termination and End-to-End SSL Encryption 421Multisite Listeners 423Back-Ends, Back-End Pools, Back-End Host Headers, and Back-End Health Probes 424Routing and Routing Rules 426URL Redirection and URL Rewriting in Front Door Standard and Premium 427Design and Deploy Traffic Manager Profiles 429How Traffic Manager Works 430Traffic Manager Routing Methods 432Priority-Based Traffic Routing 433Weighted-Based Traffic Routing 433Performance-Based Traffic Routing 435Geographic-Based Traffic Routing 436Multivalue-Based Traffic Routing 437Subnet-Based Traffic Routing 437Building a Traffic Manager Profile 438Virtual Network NAT 442Using a Virtual Network NAT 443Allocate Public IP or Public IP Prefixes for a NAT Gateway 445Associate a Virtual Network NAT with a Subnet 447Summary 451Exam Essentials 451Review Questions 455Chapter 8 Design, Deploy, and Manage Azure Firewall and Network Security Groups 459Azure Firewall and Firewall Manager Features 460How Azure Firewall Manager Works 467How Azure Firewall and Firewall Manager Protect VNets 468Build and Configure an Azure Firewall Deployment 476Azure Firewall Policy 495Build and Configure a Secure Hub within an Azure Virtual WAN Hub 501Build and Configure a Secure Hub within an Azure Virtual WAN Hub Using Azure PowerShell 503Integrate an Azure Virtual WAN Hub with a Third-Party Network Virtual Appliance 507High-Level Use Case for Network Virtual Appliances 508Create and Attach a Network Security Group to a Resource 509Create an Application Security Group and Attach It to a NIC 519Create and Configure NSG Rules and Read Network Security Group Flow Logs 524Validate NSG Flow Rules 531Verify IP Flow 534Summary 536Exam Essentials 536Review Questions 539Chapter 9 Design and Deploy Azure Web Application Firewall and Monitor Networks 543Azure Web Application Firewall Functions and Features 544WAF on Application Gateway 547WAF on Front Door 549WAF on Azure CDN from Microsoft 550Set Up Detection or Prevention Mode 551Azure Front Door WAF Policy Rule Sets 553Managed Rule Sets 555Custom Rule Sets 558WAF Policies 560Application Gateway WAF Policy Rule Sets 566Per-Site WAF Policy 568Per-URI Policy 568Managed Rules 568WAF Policies 572Custom Rules 573Deploy and Attach WAF Policies 580Set Up Network Health Alerts and Logging Using Azure Monitor 582Build and Configure Azure Network Watcher 591Build and Configure a Connection Monitor Instance 595Build, Configure, and Use Traffic Analytics 600Build and Configure NSG Flow Logs 604Enable and Set Up Diagnostic Logging 607Enabling Diagnostic Logging 608Summary 609Exam Essentials 609Review Questions 611Chapter 10 Design and Deploy Private Access to Azure Services 615Overview of Private Link Services and Private Endpoints 616Key Benefits of Private Link 618How Private Link Integrates into an Azure Virtual Network 619How Azure Private Endpoint Works 619Plan Private Endpoints 628Configure Access to Private Endpoints 632Azure Private Link RBAC Permissions 634Integrate Private Link with DNS and Private Link Services with On-Premises Clients 634Use Case 1: Workloads on Virtual Networks without a Custom DNS Server 635Use Case 2: Workloads That Use a DNS Forwarder On-Premises 637Use Case 3: Using a DNS Forwarder for Virtual Network Workloads and On-Premises Workloads 640Set Up Service Endpoints and Configure Service Endpoint Policies 642Overview of Service Tags and Access to Service Endpoints 646Configure Access to Service Endpoints 651Integrating App Services into Regional VNets 657Azure Regional VNet Integration 658How Azure Regional VNet Integration Works 659Subnet Requirements 660Access Management 661Route Management 661Application Route Management 662Configure Azure Kubernetes Service (AKS) for Regional VNet Integration 665Configure Clients to Access the App Service Environment 670Summary 673Exam Essentials 673Review Questions 675Appendix Answers to Review Questions 679Chapter 1: Getting Started with AZ-700 Certification for Azure Networking 680Chapter 2: Design, Deploy, and Manage a Site-to-Site VPN Connection and Point-to-Site VPN Connection 681Chapter 3: Design, Deploy, and Manage Azure ExpressRoute 683Chapter 4: Design and Deploy Core Networking Infrastructure: Private IP and DNS 685Chapter 5: Design and Deploy Core Networking Infrastructure and Virtual WANs 686Chapter 6: Design and Deploy VNet Routing and Azure Load Balancer 688Chapter 7: Design and Deploy Azure application gateway, Azure front door, and Virtual NAT 690Chapter 8: Design, Deploy, and Manage Azure Firewall and Network Security Groups 691Chapter 9: Design and Deploy Azure Web Application Firewall and Monitor Networks 693Chapter 10: Design and Deploy Private Access to Azure Services 694Index 697

ABOUT THE AUTHORsPUTHIYAVAN UDAYAKUMAR is an infrastructure architect with over 14 years of experience in modernizing and securing IT infrastructure, including the Cloud. He has been writing technical books for more than ten years on various infrastructure and security domains. He has designed, deployed, and secured IT infrastructure out of on-premises and Cloud, including virtual servers, networks, storage, and desktops for various industries, including pharmaceutical, banking, healthcare, aviation, federal entities, etc. He is an open group certified Master certified architect.KATHIRAVAN UDAYAKUMAR is Head of Delivery and Chief Architect for Oracle Digital Technologies (Europe Practice) at Cognizant, covering various elements of technology stack in on-prem and cloud. He has over 18 years of experience in architecture, design, implementation, administration and integration with Green-field IT Systems, ERP, Cloud Platforms and Solutions across various business domains and Industries. He has had a passion for networking since he was an undergraduate and becoming a Cisco Certified Network Associate (CCNA).