UDEMY : Azure Network Engineer Associate
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
AZ -700
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- Peer-to-peer networking: peer-to-peer was not a good way to achieve centralized management.
Domain Controller: a special kind of server that controls your domains.
They also have GPOs: Group Policy Objects.
-- What is the difference between a Domain Controller and a DNS server?
A Domain Controller (DC) and a DNS (Domain Name System) server are both integral components of a Windows-based network infrastructure, but they serve different purposes. Here's a comparison of the two:
Domain Controller (DC):
Purpose: A Domain Controller is a server that manages and authenticates network resources in a Windows domain environment. It stores a centralized database called the Active Directory (AD) that contains information about users, groups, computers, and other network objects. It provides authentication, security, and centralized management for network resources.
User Authentication: The Domain Controller verifies the identity of users attempting to access network resources and allows them to log in using their credentials. It provides a Single Sign-On (SSO) experience, allowing users to access various resources with a single set of credentials.
Group Policy Management: The Domain Controller enables the creation and management of Group Policies that define security settings, configurations, and restrictions for users and computers within the domain. Group Policies are used to enforce security policies, software deployment, and other administrative settings.
Replication: Domain Controllers replicate the Active Directory database among themselves to ensure redundancy, fault tolerance, and availability. This replication process keeps the information consistent across multiple Domain Controllers in a domain.
DNS Server:
Purpose: A DNS server is responsible for translating domain names into IP addresses and vice versa. It resolves human-readable domain names (e.g., www.example.com) into machine-readable IP addresses (e.g., 192.168.1.1) to facilitate communication between network devices.
Name Resolution: DNS servers store and manage a database of domain names and their corresponding IP addresses. When a client device needs to access a resource by its domain name, it queries a DNS server to obtain the IP address associated with that domain name.
Domain Name Hierarchy: DNS servers maintain a hierarchical structure of domain names called the DNS namespace. This hierarchy includes top-level domains (TLDs), domain names, subdomains, and individual host names. DNS servers resolve queries by traversing this hierarchical structure.
DNS Zones: DNS servers manage zones, which are portions of the DNS namespace that they are authoritative for. Each zone contains resource records (RRs) that define mappings between domain names and IP addresses or other types of information.
In summary, a Domain Controller primarily manages network authentication, security, and centralized resource management within a Windows domain environment. It uses Active Directory to store user and computer information. On the other hand, a DNS server resolves domain names into IP addresses and vice versa, facilitating network communication by maintaining a database of domain names and their corresponding IP addresses.
Active Directory uses a protocol called LDAP. It also uses a protocol called Kerberos. There can be multiple domain controllers: creating a user account on one domain controller replicates it to the other domain controllers.
Active Directory was originally called NT5; they changed the name from NT5 to Windows 2000. The directory services were called NTDS and were then renamed Active Directory.
DMZ: Demilitarized zone.
- SCCM stands for System Center Configuration Manager, previously known as Systems Management Server (SMS).
- You can inventory devices, deploy images, deploy applications, and deploy appliances.
- SCCM was further renamed to Endpoint Configuration Manager.
Endpoint Configuration Management refers to the process of managing and controlling the configuration settings and policies on individual endpoints or devices within a network.
Endpoints typically include devices such as desktop computers, laptops, servers, mobile devices, and IoT (Internet of Things) devices. Endpoint Configuration Management involves centrally managing and enforcing configurations, settings, and policies on these devices to ensure consistency, security, and compliance across the network.
RAS (Remote Access Service) and VPN (Virtual Private Network) are both technologies that enable remote access to a private network. However, they serve different purposes and have distinct characteristics. Here are the key differences between RAS and VPN:
Purpose:
- RAS: RAS focuses on providing remote access to an organization's internal network resources. It allows remote users to connect to the network and access files, applications, and services as if they were directly connected to the local network.
- VPN: VPN focuses on creating a secure and encrypted connection over a public network (such as the Internet) to establish a private network. It allows users to access resources and services securely from outside the network, making it ideal for remote work scenarios or connecting branch offices.
Network Scope:
- RAS: RAS typically provides access to an organization's entire internal network. Once connected, remote users can access various resources available within the network.
- VPN: VPN creates a secure "tunnel" between the user's device and the private network, allowing access to specific resources or services within that network. It doesn't necessarily grant access to the entire internal network.
Security:
- RAS: RAS often relies on security protocols like Point-to-Point Protocol (PPP) or Remote Desktop Protocol (RDP). While it provides authentication and encryption options, the level of security may vary depending on the specific implementation.
- VPN: VPNs are designed with strong encryption protocols (such as IPsec, SSL/TLS, or OpenVPN) to ensure data confidentiality and integrity. It creates a secure connection from the user's device to the private network, protecting the data transmitted over the public network.
Use Cases:
- RAS: RAS is commonly used for remote access scenarios where users need to connect to the organization's network and access internal resources, such as files, applications, or databases. It enables employees to work remotely or connect to the network while traveling.
- VPN: VPN is primarily used to establish secure connections over the Internet. It is often employed to enable secure remote access to a private network, connect geographically distributed offices or branch networks, or provide secure access for mobile or remote workers.
In summary, RAS focuses on remote access to an organization's internal network, providing access to a wide range of resources. VPN, on the other hand, establishes a secure connection over a public network to create a private network, allowing secure access to specific resources or services within that network. While both technologies involve remote access, their purposes, network scope, and security mechanisms differ.
Introduction to a few acronyms.
IAAS : Infrastructure as a service:
- V-Appliance
- Virtual-Firewall
- Virtual Storage
- Database
Microsoft's IaaS cloud is called Azure.
PAAS : Platform as a service:
Microsoft hosts some kind of web-based platform, and you have to configure it and set it up the way you want, and deploy it the way you want for your people.
- PaaS: PaaS platforms typically offer built-in scalability features, allowing applications to scale automatically based on demand. The platform manages resource allocation and scaling behind the scenes, ensuring that applications can handle increased traffic and workload.
- IaaS: With IaaS, users have more control over scalability and resource management. They can manually provision or deprovision virtual machines, storage, and networking resources as needed. Scaling and resource management are more manual and require user intervention.
The IP range for TCP/IP depends on the version of the IP protocol being used, which includes IPv4 and IPv6. Here's a breakdown of the IP ranges for both versions:
IPv4 (Internet Protocol version 4):
- IPv4 addresses consist of four sets of numbers separated by periods (e.g., 192.168.0.1).
- The IPv4 address range is divided into several address classes:
- Class A: Ranges from 0.0.0.0 to 127.255.255.255
- Class B: Ranges from 128.0.0.0 to 191.255.255.255
- Class C: Ranges from 192.0.0.0 to 223.255.255.255
- Class D: Reserved for multicast addresses (224.0.0.0 to 239.255.255.255)
- Class E: Reserved for experimental use (240.0.0.0 to 255.255.255.255)
- Additionally, there are private IP address ranges reserved for use within private networks:
- Class A Private: 10.0.0.0 to 10.255.255.255
- Class B Private: 172.16.0.0 to 172.31.255.255
- Class C Private: 192.168.0.0 to 192.168.255.255
IPv6 (Internet Protocol version 6):
- IPv6 addresses are represented in hexadecimal format and consist of eight groups of four hexadecimal digits, separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
- The IPv6 address range is divided into several blocks, including reserved blocks and blocks assigned to different organizations for allocation.
- The unique and vast address space of IPv6 allows for multiple subnets and allocations without exhaustion concerns.
It's important to note that within these IP ranges, certain addresses are reserved for specific purposes, such as loopback addresses (e.g., 127.0.0.1 for IPv4 and ::1 for IPv6) and link-local addresses (e.g., fe80::/10 for IPv6). Additionally, there are other reserved addresses for special purposes, such as broadcast and multicast addresses.
Network administrators and organizations allocate IP addresses from the available ranges based on their specific network requirements and the guidelines provided by Internet Assigned Numbers Authority (IANA), regional internet registries (RIRs), and internet service providers (ISPs).
VNet : Virtual Network
A VNet represents a network as a whole. A VNet is made up of an address space.
The first and the last address in a TCP/IP subnet cannot be used:
First address: network address
Last address: broadcast address
Azure also reserves some addresses for itself, but we are not going to get into that.
If we have a VM in each of these subnets, they can automatically talk to each other.
There is this thing called the NSG, Network Security Group. An NSG has IP filtering capabilities, and what it can do is restrict traffic from flowing from one place to the other.
An NSG can be placed directly on a virtual NIC, or it can be placed on a subnet. I can restrict Subnet B from communicating with another subnet by placing an NSG on the NIC or on the subnet.
NSGs are an IP filtering system.
As a rule of thumb your subnet would be a /24, but this is not required.
An NSG is not a firewall, it is just an IP filtering system. Azure has something called the Azure Firewall for that.
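An added example (not from the course) of how NSG filtering works: rules are evaluated from the lowest priority number upwards, the first match wins, and every NSG carries the default inbound rules shown below. The VNet, subnets, admin host and rule names are constructed to mirror the "restrict Subnet B" case in the notes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample VNet and subnets for the notes' "Subnet B must not reach Subnet A" case.
VNET = ip_network("10.0.0.0/16")
SUBNET_A = ip_network("10.0.1.0/24")
SUBNET_B = ip_network("10.0.2.0/24")

# Service tags expand to address ranges. Simplified: the real VirtualNetwork tag also
# covers peered VNets and on-premises ranges reachable through a gateway.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "Internet": [ip_network("0.0.0.0/0")],
    "*": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the default rules sit at 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, single IP or service tag
    destination: str   # CIDR, single IP or service tag
    dest_port: str     # single port, range "lo-hi" or "*"


# The default inbound rules every NSG carries; they cannot be deleted, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec, addr):
    nets = SERVICE_TAGS.get(spec) or [ip_network(spec, strict=False)]
    return any(addr in net for net in nets)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate_inbound(custom_rules, src, dst, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for one inbound flow.

    Rules are checked from the lowest priority number upwards and the first
    match decides; DenyAllInBound guarantees that something always matches.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if (_addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed NSG attached to Subnet A: one admin host in Subnet B may RDP in,
# everything else from Subnet B is blocked, and the default rules handle the rest.
SUBNET_A_NSG = [
    Rule("AllowAdminRdp", 100, "Allow", "Tcp", "10.0.2.10", str(SUBNET_A), "3389"),
    Rule("DenySubnetB", 200, "Deny", "*", str(SUBNET_B), str(SUBNET_A), "*"),
]

if __name__ == "__main__":
    for src, port in [("10.0.2.10", 3389), ("10.0.2.20", 443), ("10.0.1.5", 443), ("203.0.113.7", 443)]:
        print(src, port, "->", evaluate_inbound(SUBNET_A_NSG, src, "10.0.1.4", port))
```

With no custom rules at all, the same Subnet B flow is allowed by AllowVnetInBound, which is the "subnets talk automatically" behaviour the notes describe.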
Sometimes you will have to connect your on-premises network to your Azure system. Make sure its IP ranges do not conflict with the IP ranges of the Azure cloud VNet.
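An added example (not from the course) that checks a VNet plan the way the notes describe: subnets inside the VNet address space, no overlap between subnets, no conflict with the on-premises ranges you will connect later, and the reserved first and last addresses. The count of five reserved addresses per subnet is Azure's documented behaviour; all address ranges are constructed sample values.

```python
from ipaddress import ip_network

# Azure keeps five addresses in every subnet: the network address, the default
# gateway, two for Azure DNS and the broadcast address (the notes only mention
# the first and last; the count here is the documented Azure behaviour).
AZURE_RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet: str) -> list[str]:
    """The addresses you cannot assign in an Azure subnet, as strings."""
    net = ip_network(subnet)
    first_four = [str(net.network_address + i) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_hosts(subnet: str) -> int:
    """Addresses left for VMs and other resources after Azure's reservations."""
    return max(ip_network(subnet).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def plan_vnet(vnet_space: str, subnets: list[str], onprem_ranges: list[str]) -> list[str]:
    """Check a VNet plan and return a list of problems (empty means clean).

    Checks: each subnet lies inside the VNet address space, subnets do not
    overlap each other, and the VNet does not overlap any on-premises range
    it will later be connected to over VPN or ExpressRoute.
    """
    vnet = ip_network(vnet_space)
    nets = [ip_network(s) for s in subnets]
    problems = []
    for net in nets:
        if not net.subnet_of(vnet):
            problems.append(f"subnet {net} is outside the VNet address space {vnet}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    for r in onprem_ranges:
        onprem = ip_network(r)
        if vnet.overlaps(onprem):
            problems.append(f"VNet {vnet} conflicts with on-premises range {onprem}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a hub VNet with two /24 subnets next to a corporate 192.168.0.0/16.
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(plan_vnet("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"], ["192.168.0.0/16"]))
    # A broken plan: overlapping subnets, a subnet outside the VNet, and an on-premises conflict.
    print(plan_vnet("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"], ["10.0.0.0/8"]))
```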
Multiple vNets
Subnets within the same VNet have system routing enabled.
Subnets can communicate between themselves within the same VNet, but they cannot communicate with a subnet located in a separate VNet.
You can enable a subnet in one VNet to communicate with a subnet in another VNet by using something called peering.
Peering allows traffic to flow between different VNets. This is the traditional approach if you are using a hub-and-spoke scenario.
In the hub VNet I would basically have an Azure Firewall, and the Azure Firewall can police traffic between the VNets.
Peering: I can use something called UDR, User Defined Routes.
If any of the VMs in the subnets need to talk to each other, they need to flow through this Azure Firewall. Something called a UDR controls that route.
ADDS : Active Directory Domain Services :
You can set up a connection from your on-premises network to the VNet using a VPN gateway (VPNGW), which is another kind of appliance.
VPN concentrator
There is another solution which will connect everything.
You work with a telecommunications provider. They install hardware at your office ("ExpressRoute"), which uses the telecommunications provider's private network to connect directly into Azure.
This would be the most expensive route to go.
| Creating a Virtual Network(v-Net) | Section 3: 12 |
Hub and Spoke : We are going to set this up in a Hub and Spoke style
| Plan and configure subnetting for services , including Vnet | Section 3: 14 |
There are certain resources that you add to the virtual network that require special subnets, for example a VPN Gateway, an ExpressRoute Gateway or Azure Firewall; these are services which require their own special virtual network subnets.
For Azure Firewall you need to create the subnet ahead of time before you can create the Azure Firewall.
| Plan and configure subnet delegation | Section 3: 15 |
The concept: taking a subnet and delegating it to a special kind of service in Azure. The reason for this is that certain types of services in Azure need to place their rules and policies on that subnet; they need control of the subnet and the ability to place rules on it.
This is done by going to the virtual network (hub) --> Subnets --> Create a new subnet --> Delegate to NGINX in our case, which delegates this subnet to the NGINX service.
Then we create an "App Service".
| Create a Prefix for Public IP Address | Section 3: 16 |
Some of the services that you work with in Azure need multiple public IP addresses. You can set up a prefix, which is something like a group of public IP addresses that are statically reserved for you in Azure and can be issued out to the various services that you use.
If you have a group of VMs that need a public IP address, you can use one or more of the addresses in the prefix for that, or for Azure scale sets scaling out multiple virtual machines. Other examples might be Azure Firewalls, load balancers, VPN gateways and NAT gateways. You can even represent your own custom-owned IP addresses as well.
| Choose when to use Public IP Prefix | Section 3: 17 |
Google "use Public IP Prefix" and you can find the relevant article.
| Plan and implement a custom public IP address prefix (bring your own IP) | Section 3: 18 |
When you have static IP addresses given to you by your ISP, you can associate them with Azure. You basically have to authorize Microsoft to do that. Once you authorize it, Microsoft's routing tables will associate the addresses with their environment, and the ISP you registered with will update their routing tables, so traffic for those IP addresses will begin to flow through the Azure environment.
You have to fill in a form called a ROA, Route Origin Authorization. You get a self-signed certificate associated with that.
The above is NOT a very commonly used service.
| Create a New Public IP address | Section 3: 19 |
Allocate a public IP address from the public IP prefix: Resource group --> Public IP prefix --> Add IP.
| Associate public IP addresses to resources | Section 3: 20 |
I have created the public IP above but I haven't associated it.
So we will create a VM and associate the IP to it.
| Section 4: Design and Implement name resolution |
Let's see how Azure is going to deal with DNS involving a VNet.
DNS is our Domain Name System.
Public DNS Name Resolution :
Public DNS (Domain Name System) name resolution refers to the process of translating human-readable domain names into IP addresses on the public internet. It is a fundamental part of how the internet functions, enabling users to access websites, services, and resources using easy-to-remember domain names rather than numerical IP addresses.
Here's how public DNS name resolution works:
DNS Hierarchy: The DNS system is organized in a hierarchical structure. At the top of the hierarchy are the root DNS servers, which hold information about the top-level domains (TLDs) such as .com, .org, .net, etc.
Domain Registration: When a domain name is registered, the domain owner specifies the authoritative DNS servers responsible for managing the domain's DNS records. These authoritative DNS servers store the mapping between the domain name and its associated IP address.
DNS Lookup: When a user enters a domain name (e.g., www.example.com) into their web browser or application, the DNS resolver on their device initiates a DNS lookup process. It first checks its local cache to see if it has recently resolved that domain name. If not, it proceeds to query the DNS servers to resolve the domain name.
Recursive DNS Resolution: The DNS resolver typically starts with the local DNS resolver, such as the user's ISP's DNS resolver. If the DNS resolver doesn't have the requested information, it recursively queries other DNS servers to find the authoritative DNS server responsible for the domain.
Authoritative DNS Server: Once the authoritative DNS server for the domain is identified, the DNS resolver queries it to obtain the IP address associated with the domain name. The authoritative DNS server responds with the IP address, which is then cached by the resolver for future use.
IP Address Resolution: The DNS resolver receives the IP address from the authoritative DNS server and returns it to the user's device. The device can then use the IP address to establish a connection to the requested domain or resource on the internet.
Public DNS name resolution is crucial for accessing websites, sending emails, connecting to remote servers, and many other internet-related activities. It enables users to navigate the internet using memorable domain names while the underlying DNS infrastructure handles the translation of those names into IP addresses.
Private DNS Name Resolution :
Private DNS (Domain Name System) name resolution refers to the process of resolving domain names within a private network or organization's internal infrastructure. It is used to map domain names to corresponding IP addresses within a closed or restricted network environment.
Here's how private DNS name resolution works:
Internal DNS Infrastructure: In a private network, an organization typically sets up its own DNS infrastructure to handle name resolution for internal resources. This infrastructure consists of DNS servers that are authoritative for the domain names used within the private network.
Local DNS Resolution: When a device within the private network needs to resolve a domain name, it sends a DNS query to the local DNS resolver or DNS server. The local DNS resolver is typically provided by the organization's network infrastructure, such as a router or dedicated DNS server.
Internal DNS Zones: The local DNS resolver is configured with one or more DNS zones that correspond to the domain names used within the private network. These DNS zones contain the mappings between domain names and their associated IP addresses or other relevant records.
DNS Lookup: The local DNS resolver processes the DNS query and checks its DNS zone configuration to determine if it has the necessary information to resolve the requested domain name. If it does, it provides the corresponding IP address or other record back to the requesting device.
Caching and Forwarding: Like public DNS resolution, private DNS resolution may involve caching to improve performance. The local DNS resolver may cache resolved domain names and their corresponding IP addresses to speed up future lookups. In some cases, if the local DNS resolver doesn't have the information for a specific domain, it may forward the query to an upstream DNS resolver or a designated DNS server configured to handle external DNS requests.
Private DNS name resolution is important for internal network communication and access to resources within a private network. It allows devices and services within the network to communicate using domain names that are specific to the organization's internal infrastructure. This internal name resolution is separate from public DNS resolution and is not visible or accessible from the internet at large.
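An added example (not part of the course) that models the two resolution processes described above: a public resolver that walks the hierarchy from the root through the TLD to the authoritative server and caches what it learns, and a private resolver that answers from its own internal zones first and forwards everything else upstream. The zone data, server names and addresses are constructed sample values.

```python
# Constructed "authoritative" data: each server knows the names it can answer
# directly (A records) and the child zones it delegates (referrals).
ROOT = {"delegations": {"com": "tld-com"}, "records": {}}
SERVERS = {
    "tld-com": {"delegations": {"example.com": "ns1.example.com"}, "records": {}},
    "ns1.example.com": {"delegations": {}, "records": {"www.example.com": "203.0.113.10"}},
}


class PublicResolver:
    """Recursive resolver: root -> TLD -> authoritative, with a simple cache."""

    def __init__(self):
        self.cache = {}
        self.queries = 0      # counts lookups sent to servers, so caching is observable

    def _ask(self, server, name):
        self.queries += 1
        if name in server["records"]:
            return ("answer", server["records"][name])
        # Referral: the server hands us the nameserver for the zone the name falls under.
        for zone, ns in server["delegations"].items():
            if name == zone or name.endswith("." + zone):
                return ("referral", SERVERS[ns])
        return ("nxdomain", None)

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.cache:
            return self.cache[name]
        server = ROOT
        for _ in range(8):                  # bounded walk down the hierarchy
            kind, value = self._ask(server, name)
            if kind == "answer":
                self.cache[name] = value
                return value
            if kind == "nxdomain":
                return None
            server = value
        return None


class PrivateResolver:
    """Answers from internal zones first, forwards everything else upstream."""

    def __init__(self, zones, upstream):
        self.zones = zones          # {"corp.internal": {"db.corp.internal": "10.0.1.4"}}
        self.upstream = upstream

    def resolve(self, name):
        name = name.lower().rstrip(".")
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name)   # authoritative: internal names are never forwarded
        return self.upstream.resolve(name)


if __name__ == "__main__":
    public = PublicResolver()
    print(public.resolve("www.example.com"), "after", public.queries, "queries")
    print(public.resolve("www.example.com"), "after", public.queries, "queries (cached)")
    private = PrivateResolver({"corp.internal": {"db.corp.internal": "10.0.1.4"}}, public)
    print(private.resolve("db.corp.internal"), private.resolve("www.example.com"))
```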
| Configure DNS setting inside a Vnet | Section 4: 22 |
Some of our DNS options available in Azure: when you add an Azure resource such as a VM, Azure will provide a dynamic name associated with that resource that is publicly accessible.
If you go to the VM, you will find a public IP associated with it and a DNS name given. When a public IP is associated with that VM, a public DNS name is associated with it as well.
| Design public DNS zones | Section 4: 23 |
The tutor has his zone hosted on GoDaddy and he wants to change the DNS servers to Azure.
Go to portal.azure.com, then go to DNS zones; a DNS zone here is a public zone.
| Plan and implement Azure Private DNS Resolver | Section 4: 27 |
If you have a DNS server on-premises, you set this up with an outbound endpoint in one subnet and an inbound endpoint in another subnet, and create a Private DNS Resolver.
| Section 5 : Design and Implement Vnet Connectivity and routing |
Service chaining is a process that allows traffic to flow through some kind of an appliance.
The appliances here are the VPN gateway, Azure Firewall and load balancer.
Service chaining is forcing traffic to flow through an appliance. How do we do that?
We can do it through a UDR: User Defined Route.
| Design virtual private network (VPN) connectivity between Vnets | Section 5: 29 |
You can configure a VPNGW for each VNet for an additional layer of security.
You can set up tunnelling between the hub VPNGW to
| Configure monitoring, network diagnostics, and logs in Azure Network | Section 5 : 31 |
Azure already has built-in routes that allow traffic between subnets in the same VNet as well as subnets in VNets that are peered.
Resource: route table
Routing to connect from a VNet to an on-premises network.
The next hop address is the device on the VNet that will route you to the on-premises network.
We haven't linked this route table to anything yet; we have just set up a route.
| Associate a Route table with the subnet | Section 5 : 32 |
How can we associate a route table with a subnet? You associate it with a subnet of the VNet rather than the whole VNet.
Associating a route table with a subnet inside a VNet.
You can link a subnet to a route table in the same region; you cannot link it to a route table in a different region from the subnet.
| Configure forced Tunneling | Section 5: 33 |
Forced tunneling is a pretty common scenario, where companies want all Azure internet traffic to pass to their on-premises network and go through their on-premises firewall.
Let's say you have VNets in Azure and you are connected to your on-premises network using a VPN or an ExpressRoute gateway. You want all traffic from Azure to flow into your on-premises network and out through your on-premises internet connection, so that your on-premises firewall can control it. It can also go the other way round: some companies allow the on-premises network to flow through the Azure network and go through Azure Firewall.
We would need a VPN Gateway to do this.
Resource: Virtual Network Gateway
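An added example (not from the course) covering the service chaining and forced tunneling sections above: a model of how a subnet picks its next hop. Azure uses longest-prefix match, and when a user-defined route shares its prefix with a system route the UDR wins (BGP-learned routes sit between the two). The spoke VNet, the hub firewall IP and the route table are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# When several routes share the same prefix length, Azure prefers a
# user-defined route, then a BGP-learned route, then the system route.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway or None (drop)
    next_hop_ip: Optional[str]  # only VirtualAppliance carries an explicit next-hop IP
    source: str                 # System, User or BGP


def system_routes(vnet_space: str) -> list[Route]:
    """The default routes Azure gives every subnet (no peering or gateway here)."""
    return [
        Route(vnet_space, "VirtualNetwork", None, "System"),
        Route("0.0.0.0/0", "Internet", None, "System"),
    ]


def select_route(routes: list[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match first; on a tie the route source decides."""
    dst = ip_address(destination)
    matching = [r for r in routes if dst in ip_network(r.prefix)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))


def next_hop(routes: list[Route], destination: str) -> tuple:
    """Return (next_hop_type, next_hop_ip) for the winning route."""
    route = select_route(routes, destination)
    return (None, None) if route is None else (route.next_hop_type, route.next_hop_ip)


# Constructed hub-and-spoke setup: this route table is associated with a spoke subnet.
SPOKE_VNET = "10.1.0.0/16"
OTHER_SPOKE = "10.2.0.0/16"
FIREWALL_IP = "10.0.0.4"            # hub Azure Firewall private IP (constructed)

SPOKE_ROUTE_TABLE = system_routes(SPOKE_VNET) + [
    # Service chaining: traffic for the other spoke must pass through the hub firewall.
    Route(OTHER_SPOKE, "VirtualAppliance", FIREWALL_IP, "User"),
    # Forced tunneling: internet-bound traffic goes to on-premises via the VPN gateway
    # instead of straight out through Azure's default Internet route.
    Route("0.0.0.0/0", "VirtualNetworkGateway", None, "User"),
]

if __name__ == "__main__":
    for dst in ["10.1.2.3", "10.2.0.9", "203.0.113.80"]:
        print(dst, "->", next_hop(SPOKE_ROUTE_TABLE, dst))
```

Traffic inside the spoke still uses the system VirtualNetwork route because its /16 is more specific than either 0.0.0.0/0 entry.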
| Diagnose and resolve routing issues | Section 5: 34 |
Route tables: Diagnose and solve problems.
You have something called "Network Watcher" if you go to your resource groups. We do not create this; it is in fact created automatically.
A Network Watcher resource is created for every region that has a VNet.
| Understanding Azure Route Server | Section 5: 35 |
A network virtual appliance that you can hook into your on-premises network.
Benefits
| Identify appropriate use cases for a Virtual Network NAT gateway | Section 5: 36 |
We will talk about Virtual Network NAT.
There are only two ways for VMs in a subnet inside the VNet to communicate with the internet:
1. The VM has a public IP address.
2. If you do not want the VM to have a public IP, you can use an appliance that lets the VMs reach the internet. One option is Azure Firewall.
NAT comes with Azure Firewall.
The downside is that Azure Firewall is a more expensive solution than the one I am about to explain.
I can use Azure Firewall for NAT, and it will definitely be a more secure solution, but it is more expensive.
Cheaper solution: I can set up a NAT Gateway.
The NAT Gateway gets a public IP and a private IP (to connect to instances within the network).
| Section 6 Monitor Networks |
| 40. Configure monitoring, network diagnostics, and logs in Azure Network |
Network Watcher: any time you add a VNet into Azure, a Network Watcher resource is created.
It is added automatically for network monitoring and troubleshooting of the VNet it is tied to.
There is something called "Topology" which gives you a visual representation of the resource group.
41. Monitor and repair network health by using Azure Network Watcher
Connecting to a VM is described here. They are Windows machines.
Using Network Watcher to check connectivity.
42. Activate and monitor distributed denial-of-service (DDoS) protection
DDoS : Distributed Denial of Service
You can use this service in Azure to protect your machines from DDoS.
Briefly, what is DDoS?
DDoS stands for Distributed Denial of Service. It is a type of cyberattack in which multiple compromised computers or devices (referred to as a botnet) are used to flood a target system or network with a massive amount of traffic, requests, or data. The goal of a DDoS attack is to overwhelm the target's resources and infrastructure, causing it to become inaccessible to legitimate users or services.
The DDoS attack is considered "distributed" because the traffic comes from a multitude of sources, making it challenging to defend against and trace back to its origin. The attackers often utilize various techniques to amplify the attack, making it even more potent.
DDoS attacks can target different layers of the network stack, including:
Application layer (Layer 7): These attacks target specific applications or services, overwhelming them with excessive requests or consuming their resources.
Transport layer (Layer 4): These attacks focus on exploiting weaknesses in network protocols, such as TCP, UDP, or ICMP, to flood the target's network or server.
Network layer (Layer 3): These attacks involve sending a large volume of traffic to saturate the target's network bandwidth, causing congestion and making it difficult for legitimate traffic to get through.
DDoS attacks can have severe consequences for the targeted organization, including:
Disruption of services: The target's website or online services may become unavailable to legitimate users, causing loss of business and reputation damage.
Financial losses: Downtime and loss of productivity can lead to financial losses for the targeted organization.
Resource depletion: DDoS attacks can consume significant network and server resources, resulting in increased costs for mitigating the attack.
Damage to reputation: Extended periods of unavailability can damage the reputation and trust of the targeted organization among its customers and partners.
To defend against DDoS attacks, organizations often implement various security measures, such as using DDoS protection services, deploying firewalls, load balancers, and traffic filtering mechanisms. Additionally, cloud-based services can help distribute and absorb the attack traffic, reducing the impact on the target infrastructure.
Setting this up can consume a good amount of Azure credit.
43. Understanding Microsoft Defender for DNS
Defender for DNS is not free.
Section : 7 : Design , Implement and Manage a Site-to-Site VPN :
44. Design a Site-to-Site VPN including a High Availability :
One of the cheapest ways to do it.
45. Select an appropriate VNet gateway SKU for site-to-site VPN requirements.
Search for "Azure VPN gateway" to find the documentation.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
There are various SKUs that you can use.
P2S: Point-to-Site
46. Implement a site-to-site VPN connection
Create a Virtual Network Gateway.
47. Identify when to use a policy-based VPN versus a route-based VPN
Policy-based VPN uses IPsec and is the traditional way of setting up a VPN.
48. Create and configure an IPsec/IKE policy
We can do it using PowerShell; search for "IPsec/IKE policy".
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
Network Watcher --> VPN troubleshoot.
We need to create a storage account here, and a container inside it to store the information.
50. Understanding Azure Extended Network
This is a new feature. The goal is to have a subnet on-premises that stretches out to the cloud, so you have a subnet that is partially in the cloud and partially on-premises.
Say you are migrating some on-premises VMs to the cloud; those machines can keep their same IP addresses and all that.
Section 8: Design, implement, and manage a point-to-site VPN connection
51. Select an appropriate virtual network gateway SKU for point-to-site VPNs
A Point-to-Site (P2S) VPN connection is a type of virtual private network (VPN) that allows individual client devices or endpoints to securely connect to a remote network or virtual network (VNet) over the public internet. Unlike a traditional Site-to-Site (S2S) VPN where entire networks are connected, a P2S VPN establishes a secure tunnel between a single user's device and the target network.
Here's how it works:
Client Setup: To initiate a P2S VPN connection, a client software or VPN client needs to be installed on the user's device, such as a laptop, desktop, or mobile device. This client handles the encryption and establishes the secure connection.
Authentication: When the user attempts to connect to the remote network, they need to provide valid credentials to authenticate themselves. This is typically done using a username and password, but it can also involve other methods like client certificates for added security.
Secure Tunnel: Once the user is authenticated, the VPN client establishes a secure tunnel between the user's device and the VPN gateway located on the remote network. This tunnel encrypts the data, ensuring that any data sent or received between the client and the remote network remains secure and private.
Access to Remote Network: After the VPN tunnel is established, the user's device appears as if it is directly connected to the remote network. This allows the user to access resources, services, and applications within the remote network as if they were physically present on-site.
Point-to-Site VPN connections are commonly used in scenarios where individual users or small groups of users need secure access to a corporate network or cloud-based virtual network, especially in situations where they are working remotely or connecting from various locations. It is a flexible and convenient solution for providing secure remote access to resources, while maintaining the security and privacy of the communication over the internet.
The tunnel type is the method and protocol by which clients are able to connect into the VPN Gateway.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
VPN > Point-to-Site configuration > Tunnel types.
53. Select an appropriate authentication method
The method by which the user is going to authenticate to the VPN Gateway.
54. Configure RADIUS authentication
I am going to install VM2 as the RADIUS server. This is what will authenticate the clients that connect through the VPN gateway; we are then going to test by accessing VM1 over the tunnel.
For that we create a subnet for the RADIUS server to use. The gateway talks to the RADIUS server on UDP 1812 using a shared secret that you configure on both the gateway and the server, so the NSG on that subnet should allow 1812/UDP from the GatewaySubnet and nothing else; if the server is unreachable from the GatewaySubnet or the secrets differ, every P2S login fails.
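What actually crosses that RADIUS subnet, and why the shared secret and the NSG matter, is easiest to see by building the exchange. The block below is an added example in Python (not course material, not Windows NPS code); it implements the RFC 2865 PAP exchange with the gateway as the NAS and VM2 as the server, using only the standard library, with a constructed user, password and shared secret. The last function plays the attacker who captured one request/response pair on the subnet: the Response Authenticator lets them test guessed secrets offline, and a confirmed secret decrypts the user's password.

```python
"""RADIUS PAP exchange between the VPN gateway (NAS) and a RADIUS server, RFC 2865 (added example)."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def decode_password(enc: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attrs(pairs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def parse_packet(pkt: bytes):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16); returns (code, id, auth, attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], pkt[20:]


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """What the gateway sends to the RADIUS server on UDP 1812: (packet, request_authenticator)."""
    request_auth = secrets.token_bytes(16)
    attrs = _attrs([(ATTR_USER_NAME, username),
                    (ATTR_USER_PASSWORD, encode_password(password, secret, request_auth)),
                    (ATTR_NAS_IDENTIFIER, b"azure-vpn-gateway")])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def radius_server(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """VM2's side: recover the password, check it, sign the reply with the shared secret."""
    code, ident, request_auth, raw = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = _parse_attrs(raw)
    name = a.get(ATTR_USER_NAME)
    password = decode_password(a.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = name in users and secrets.compare_digest(users[name], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + ResponseAttributes + Secret)
    return header + _md5(header, request_auth, b"", secret)


def verify_response(resp: bytes, request_auth: bytes, secret: bytes):
    """Gateway side: a reply is only trusted if its authenticator matches our secret."""
    code, _, resp_auth, attrs = parse_packet(resp)
    expected = _md5(resp[:4], request_auth, attrs, secret)
    return secrets.compare_digest(expected, resp_auth), code


def recover_from_capture(req: bytes, resp: bytes, candidates):
    """Attacker with one captured pair: test guessed secrets offline against the Response
    Authenticator, then decrypt User-Password with the hit. Returns (secret, password) or None."""
    _, _, request_auth, raw = parse_packet(req)
    enc = _parse_attrs(raw).get(ATTR_USER_PASSWORD, b"")
    for guess in candidates:
        if verify_response(resp, request_auth, guess)[0]:
            return guess, decode_password(enc, guess, request_auth)
    return None


if __name__ == "__main__":
    SECRET = b"use-a-long-random-shared-secret"      # constructed; pick 32+ random chars in practice
    USERS = {b"alice": b"S3cret!"}                   # constructed test user on VM2
    req, ra = build_access_request(1, b"alice", b"S3cret!", SECRET)
    resp = radius_server(req, SECRET, USERS)
    print(verify_response(resp, ra, SECRET))         # (True, 2): Access-Accept
    print(recover_from_capture(req, resp, [b"radius", b"password123", SECRET]))
```

The takeaway for the lab: the only things protecting the user's domain password on that subnet are an MD5-based construction and the strength of the shared secret, so use a long random secret, lock the subnet's NSG down to the GatewaySubnet, and prefer EAP-based methods over PAP on the NPS side where the client supports them.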
55. Configure certificate-based authentication & implement a VPN client config file
check the video. The steps are: generate a root certificate and export only its public part as base64 (a .cer file), and add that data under Root certificates on the gateway; issue each user a client certificate from that root, which must carry the Client Authentication EKU; download the VPN client configuration package from the gateway and install it on the device together with the client certificate and its private key. A lost or leaked client certificate is revoked by adding its thumbprint under Revoked certificates on the gateway.
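The course does this in the portal and the video; the block below is an added example that carries the same procedure out in code so you can see what the gateway actually checks. It is written in Python with the `cryptography` library (an assumption of this example, not something the page or the course uses) and constructs its own root and client certificates; names such as P2SRootCert are constructed. The last function mirrors the gateway's acceptance checks, including revocation by thumbprint.

```python
"""Root and client certificates for Azure P2S certificate authentication (added example, not course code)."""
import base64
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_root(cn="P2SRootCert", days=3650):
    """Self-signed root; only its public part is uploaded to the gateway, the key stays offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client(root_key, root_cert, cn, days=365):
    """Per-user certificate issued by the root; it must carry the Client Authentication EKU."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), root_cert.subject, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(root_key, hashes.SHA256()))
    return key, cert


def azure_root_cert_data(cert) -> str:
    """The 'Public certificate data' string the portal expects: base64 DER, i.e. the PEM
    body with the BEGIN/END lines and line breaks removed."""
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()


def load_root_cert_data(data: str):
    return x509.load_der_x509_certificate(base64.b64decode(data))


def thumbprint(cert) -> str:
    """SHA-1 thumbprint: the value entered under 'Revoked certificates' on the gateway."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def _validity(cert):
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:  # cryptography < 42 exposes naive UTC datetimes
        nb = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return nb, na


def gateway_would_accept(client_cert, root_cert, revoked) -> bool:
    """Mirror the gateway's checks: issued by an uploaded root, valid signature,
    within validity, Client Authentication EKU present, thumbprint not revoked."""
    if client_cert.issuer != root_cert.subject:
        return False
    try:
        root_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(), client_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    nb, na = _validity(client_cert)
    if not nb <= datetime.datetime.now(datetime.timezone.utc) <= na:
        return False
    try:
        eku = client_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False
    return thumbprint(client_cert) not in revoked
```

Paste the string from azure_root_cert_data into the root certificate field of the point-to-site configuration; the client needs its certificate plus private key installed (on Windows, a PFX in the user's Personal store) alongside the downloaded client configuration package. Note that a client certificate signed by a different root with the same subject name fails the signature check, which is why only the exact uploaded root matters.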
56. Configure authentication by using Microsoft Entra ID (formerly Azure AD)
P2S VPN gateway connection using Microsoft Entra ID authentication. This requires the OpenVPN tunnel type and the Azure VPN Client on the device; the gateway is configured with the tenant, audience and issuer values, and because sign-in goes through Entra ID, Conditional Access and MFA policies apply to the VPN login as well.
57. Diagnose and resolve client-side and authentication issues
check the video. Typical causes to rule out: the client certificate is missing, expired, or not issued from a root that was uploaded to the gateway; its thumbprint is in the revoked list; the client address pool overlaps the network the client is sitting on; IKEv2 is blocked by the local firewall (UDP 500/4500), in which case SSTP or OpenVPN on TCP 443 will still connect; with RADIUS, the server is unreachable from the GatewaySubnet or the shared secret does not match.
58. Specify Azure requirements for Always On authentication
Always On VPN user tunnels to Azure use the IKEv2 tunnel type with Azure certificate-based authentication; the profile is deployed to Windows devices and the tunnel comes up automatically without the user launching a client.
59. Understanding Azure Network Adapter --- This one to start from
It means you do NOT need an on-premises VPN router: Windows Admin Center sets up a Point-to-Site connection from the server itself.
If you do not have an Azure virtual network gateway, WAC (Windows Admin Center) will ask Azure to create one for you.
60. Removing the VPN gateway
To save Azure credits we are removing the VPN gateway; it is billed per hour for as long as it exists, whether or not anything is connected.
61. Select an ExpressRoute connectivity model
ExpressRoute lets our on-premises network extend into an Azure region over a private connection that does not cross the public internet, and we set it up with the help of a connectivity provider (a telecommunications provider). The connectivity models to choose from are a cloud exchange colocation, point-to-point Ethernet, any-to-any (IPVPN), or ExpressRoute Direct, where you connect straight into Microsoft's routers at a peering location.
62. Select an appropriate ExpressRoute SKU and tier
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
63. Design and implement ExpressRoute, cross-region
ExpressRoute is a connectivity solution provided by Microsoft Azure that allows you to establish a private and dedicated network connection between your on-premises network and the Azure cloud.
To set up ExpressRoute, you need to configure it both on-premises and in the Azure cloud:
On-Premises Configuration: You need to work with your network service provider to establish a physical connection from your on-premises network to the ExpressRoute location. This typically involves setting up the necessary routers and network devices on your premises and establishing a secure and reliable connection to the ExpressRoute location.
Azure Cloud Configuration: In the Azure portal, you need to configure the ExpressRoute circuit. This involves creating an ExpressRoute circuit and specifying its settings, such as the connectivity provider, peering locations, bandwidth, and any required routing preferences. You also need to establish the necessary peering connections, such as Microsoft peering for accessing Azure services and private peering for connecting to virtual networks in Azure.
Once both the on-premises and Azure configurations are complete, data can flow securely and privately between your on-premises network and the Azure cloud through the dedicated ExpressRoute connection. This provides benefits like higher bandwidth, lower latency, and more predictable network performance compared to using the public internet for connectivity.
It's important to note that the specific implementation of ExpressRoute can vary depending on factors such as your network provider, the location of your on-premises network, and the Azure regions you are connecting to.
Redundancy: each circuit already comes with a primary and a secondary connection to two Microsoft edge routers, so both links must be configured to get the SLA. For protection against a whole peering location going down, Microsoft recommends a second circuit in a different peering location, and redundancy between your on-premises offices as well.
VNets in different regions can be linked to the same circuit, and those VNets can also be peered with each other.
64. Design and implement ExpressRoute Global Reach,FastPath,
With Global Reach you link two ExpressRoute circuits together, so that the on-premises sites behind them can talk to each other through Microsoft's global backbone rather than through Azure or the internet.
This effectively gives you a private WAN between your sites (this is a separate feature from the Azure Virtual WAN service).
Another feature that we have with Express Route is called fast path
Normally, traffic to a VM in Azure comes in over the ExpressRoute circuit and is then processed by the ExpressRoute virtual network gateway before it reaches the VM.
With FastPath the traffic from the circuit is sent directly to the VMs in the virtual network, bypassing the gateway's data path (the gateway still has to exist for route exchange). This gives faster connectivity with your virtual machines, and it requires the Ultra Performance or ErGw3AZ gateway SKU.
ExpressRoute taps directly into a peering location of the Azure environment. These are colocation facilities, laid out strategically all over the world, where Microsoft's edge routers sit; they are distinct from Azure regions, so a circuit in one peering location can connect to VNets in several regions.
65. Choose between private peering only, Microsoft peering only, or both
With Azure private peering you get access to your virtual networks, that is IaaS (VMs, load balancers) and any PaaS services you have injected into those VNets, using private IP addresses. You do NOT get Microsoft 365 that way: Microsoft 365 and the public endpoints of Azure PaaS services are reached over Microsoft peering, which you can add on the same ExpressRoute circuit (it needs public IP space you own and a registered ASN, and Microsoft 365 over ExpressRoute needs Microsoft's approval). Microsoft 365 has no IaaS component, so private peering is of no use for it; use both peerings only if you need both sets of services.
66. Create an ExpressRoute Circuit & check the private peering & Microsoft