Tuesday, January 14, 2025

Azure Networking Interview Q&A

 

1. What is the difference between NSG and ASG?

Network Security Group (NSG):

  • Controls inbound and outbound traffic to Azure resources.

  • Applied at subnet or network interface (NIC) level.

  • Rules are based on IP address, port, and protocol.

Application Security Group (ASG):

  • Logical group of VMs based on application role.

  • Used in conjunction with NSGs to simplify rule management.

  • Enables defining security rules based on application tags rather than individual IPs.

Use Case: In a multi-tier application, ASGs can group front-end, back-end, and database VMs, allowing you to apply security rules cleanly and efficiently.

2. How can you block access to a VM from a subnet?

  • By default, Azure allows traffic between subnets within a VNet due to the built-in NSG rule: AllowVnetInBound (priority 65000).

  • To block access:

    • Create a Deny rule in the NSG with a priority number lower than 65000.

    • Example: Create a rule with priority 100 to deny traffic from a specific subnet.

3. Are Azure NSGs stateful or stateless?

NSGs are stateful.

  • This means that if an inbound rule allows traffic into a VM, the response is automatically allowed outbound.

  • Example: If port 80 is allowed inbound, you do not need to explicitly allow outbound port 80 for response traffic.

4. What is the difference between Azure Firewall and NSG?

FeatureAzure FirewallNetwork Security Group (NSG)
LayerApplication + Network layersNetwork layer only
StatefulYesYes
Advanced FilteringFQDN, URL, Threat IntelligenceIP, Port, Protocol
ScopeEntire VNet/SubnetsSubnets or NICs
Use CaseCentralized traffic controlBasic traffic filtering per subnet/NIC

5. What are the advantages of Azure Resource Groups?

  • Logical Organization: Group related resources by project, environment, or application.

  • Lifecycle Management: Deploy, update, and delete resources as a single unit.

  • Tagging: Apply tags for cost tracking and management.

  • RBAC: Assign permissions to users at the resource group level.

  • Cost Management: View and control costs for grouped resources.

  • ARM Templates: Enable repeatable and consistent deployments.

  • Resource Locks: Protect critical resources from accidental changes.

6. What is the difference between Azure User Data and Custom Data?

FeatureUser DataCustom Data
PersistencePersistent, survives rebootsOne-time use, discarded after boot
AccessCan be retrieved and updated anytimeOnly accessible during provisioning
Use CaseDynamic configuration, boot scriptsInitial setup during VM creation

7. Difference between Azure Application Gateway and Azure Load Balancer?

FeatureAzure Application GatewayAzure Load Balancer
OSI LayerLayer 7 (Application Layer)Layer 4 (Transport Layer)
FeaturesSSL termination, WAF, URL-based routingTCP/UDP-based load distribution
Use CaseWeb apps with advanced routing needsBasic load balancing across VMs

8. Explain the traffic flow to an application in the Web Subnet (Azure VNet).

  1. User Access:

    • A user accesses the application via a domain name.

    • DNS resolves the domain to a public IP.

  2. Traffic Enters Azure:

    • Public IP is mapped to Azure Front Door, App Gateway, or Load Balancer.

    • These services handle load balancing and SSL termination.

  3. Routing to Web Subnet:

    • Traffic is forwarded to backend web servers in the web subnet.

  4. NSG Enforcement:

    • NSGs on the subnet or NIC control traffic based on defined rules.

  5. VNet Infrastructure:

    • Web subnet is part of an isolated VNet; routing happens internally between subnets as needed.

  6. Application Servers:

    • Web servers process the request and send the response back through the same route.

9. Describe the purpose of Azure Bastion and when to use it.

Azure Bastion provides secure and seamless RDP/SSH access to VMs directly from the Azure portal without exposing public IP addresses.

Key Benefits:

  • Secure Remote Access: No need to open RDP/SSH ports to the internet.

  • Elimination of Public Exposure: VMs remain on private IPs.

  • Reduced Attack Surface: Minimizes risk from brute-force attacks.

  • Azure Portal-Based Access: Access directly through browser.

  • RBAC Integration: Role-based access ensures controlled permissions.

  • MFA Support: Integrates with Azure AD for strong authentication.

  • Audit and Monitoring: Logs access for compliance and auditing.

at No comments:
Labels:
Subscribe to: Posts (Atom)