Here are the steps and explanations for creating a policy that can be linked to the planned application gateway and block connections from IP addresses in the 131.107.150.0/24 range:

To create a policy, you need to go to the Azure portal and select Create a resource. Search for WAF, select Web Application Firewall, then select Create1.

On the Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

Policy for: Regional WAF (Application Gateway)

Subscription: Select your subscription name

Resource group: Select your resource group

Policy name: Type a unique name for your WAF policy

On the Custom rules tab, select Add a rule to create a custom rule that blocks connections from IP addresses in the 131.107.150.0/24 range2. Enter or select the following information for the custom rule:

Rule name: Type a unique name for your custom rule

Priority: Type a number that indicates the order of evaluation for this rule

Rule type: Select Match rule

Match variable: Select RemoteAddr

Operator: Select IPMatch

Match values: Type 131.107.150.0/24

Action: Select Block

On the Review + create tab, review your settings and select Create to create your WAF policy1.

To link your policy to the planned application gateway, you need to go to the Application Gateway service in the Azure portal and select your application gateway3.

On the Web application firewall tab, select your WAF policy from the drop-down list and select Save

Here are the steps and explanations for configuring VNET1 to log all events and metrics and query them by using KQL:

To enable logging for VNET1, you need to create a diagnostic setting that collects the platform metrics and logs from the virtual network and routes them to one or more destinations. You can choose to send the data to a Log Analytics workspace, a storage account, an event hub, or a partner solution1.

To create a diagnostic setting, you need to go to the Azure portal and select your virtual network. Then select Diagnostic settings under Monitoring and select + Add diagnostic setting1.

On the Add diagnostic setting page, enter or select the following information:

Diagnostic setting name: Type a unique name for your diagnostic setting.

Destination details: Select the destination where you want to send the data. For example, you can select Send to Log Analytics workspace and choose your workspace from the list.

Log: Select the categories of logs that you want to collect. For VNET1, you can select NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter as the log categories2.

Metric: Select AllMetrics to collect all the platform metrics for VNET12.

Select Save to create your diagnostic setting1.

To query the events and metrics from the Azure portal by using KQL, you need to go to the Log Analytics workspace that you selected as the destination. Then select Logs under General and enter your KQL query in the query editor3.

For example, you can use the following KQL query to get the top 10 network security group events for VNET1 in the last 24 hours:

NetworkSecurityGroupEvent

| where TimeGenerated > ago(24h)

| where ResourceId contains "VNET1"

| summarize count() by EventID

| top 10 by count_

Copy

Select Run to execute your query and view the results in a table or a chart3.

Box 2: One NSG

The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could attach the NSG to VMScaleSet2 and restrict inbound traffic. Either way you would need two custom NSG rules.

Box 1: Two custom rules

With the NSG attached to VMScaleSet2, you would need to create a custom rule blocking all traffic from VMScaleSet1. Then you would need to create another custom rule with a higher priority than the first rule that allows traffic on port 443.

The default rules in the NSG will allow all other traffic to VMScaleSet2.

For the first question, only ExpressRoute GW SKU Ultra Performance support FastPath feature.

For the second question, vnet1 will connect to ExpressRoute gw, once Vnet1 peers with Vnet2, the traffic from on-premise network will bypass GW and Vnet1, directly goes to Vnet2, while this feature is under public preview.

====Reference

ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

To configure FastPath, the virtual network gateway must be either:

Ultra Performance

ErGw3AZ

VNet Peering - FastPath will send traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.

https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath

Gateway SKU

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

To ensure that the owner of VNET3 receives an alert whenever an administrative operation is performed on the virtual network, you can set up an Activity Log Alert in Azure Monitor. Here’s how you can do it:

Step-by-Step Solution

Step 1: Create an Activity Log Alert

Navigate to the Azure Portal.

Search for “Monitor” and select it.

In the Monitor blade, select “Alerts” from the left-hand menu.

Click on “New alert rule”.

Step 2: Configure the Alert Rule

Select the Scope:

Click on “Select resource”.

Choose “Virtual Network” as the resource type.

Select VNET3 from the list of virtual networks.

Define the Condition:

Click on “Add condition”.

In the “Signal type” dropdown, select “Activity Log”.

Choose “Administrative” as the category.

Select the specific operations you want to monitor (e.g., Microsoft.Network/virtualNetworks/write for any write operations on the virtual network).

Set the Alert Details:

Enter a name for the alert rule (e.g., VNET3 Admin Operations Alert).

Provide a description if needed.

Configure the Action Group:

Click on “Add action group”.

Enter a name for the action group.

Select the action type (e.g., Email/SMS/Push/Voice).

Enter the details of the recipient (e.g., the email address of the owner of VNET3).

Review and Create:

Review the alert rule settings.

Click on “Create alert rule”.

Explanation

Activity Log Alerts: These alerts notify you when specific operations are performed on your Azure resources. By setting up an alert for administrative operations, you ensure that any changes to VNET3 are promptly reported.

Action Groups: These define the actions to take when an alert is triggered. You can configure notifications via email, SMS, or other methods to ensure the owner of VNET3 is informed immediately.

Administrative Operations: Monitoring these operations helps in tracking changes and maintaining the security and integrity of your virtual network.

By following these steps, you can ensure that the owner of VNET3 receives timely alerts for any administrative operations performed on the virtual network, helping to maintain oversight and security.

To configure a policy in Azure API Management that can be used by an Azure Application Gateway to protect against known web attack vectors and only allow requests from IP addresses in Canada, follow these steps:

Step-by-Step Solution

Step 1: Create or Access Your API Management Instance

Navigate to the Azure Portal.

Search for “API Management services” and select your API Management instance.

Step 2: Configure the Policy

In the API Management instance, go to the “APIs” section.

Select the API you want to apply the policy to.

Go to the “Design” tab.

Select “All operations” if you want to apply the policy to all operations, or select a specific operation.

Step 3: Add the Inbound Policy

In the Inbound processing section, click on “+ Add policy”.

Select “IP filter” from the list of policies.

Add the IP address ranges for Canada. You can find the IP ranges for Canada from a reliable source or use a service that provides this information.

Here is an example of the XML configuration for the policy:

Save the policy to apply the changes.

Explanation

IP Filter Policy: This policy allows you to filter incoming requests based on their IP addresses. By specifying the IP ranges for Canada, you ensure that only requests originating from these IPs are allowed.

Inbound Processing: Applying the policy in the inbound section ensures that the requests are filtered before they reach your API.

By following these steps, you can configure a policy in Azure API Management that restricts access to your API to only those requests originating from IP addresses in Canada, thereby enhancing security and compliance

VNet 1 will get the default from BGP and propagate it to VNET 2 and 3

planation:

To achieve the task of ensuring that virtual machines on VNET1 and VNET2 are included automatically in a DNS zone named contoso.azure, and that they can resolve the names of the virtual machines on either virtual network, you can follow these steps:

Step-by-Step Solution

Step 1: Create a Private DNS Zone

Navigate to the Azure Portal.

Search for “Private DNS zones” in the search bar and select it.

Click on “Create”.

Enter the DNS zone name as contoso.azure.

Select the appropriate subscription and resource group.

Click on “Review + create” and then “Create”.

Step 2: Link VNET1 and VNET2 to the DNS Zone

Go to the newly created DNS zone (contoso.azure).

Select “Virtual network links” from the left-hand menu.

Click on “Add”.

Enter a name for the link (e.g., VNET1-link).

Select the subscription and virtual network (VNET1).

Enable auto-registration to ensure that VMs are automatically registered in the DNS zone.

Click on “OK”.

Repeat the process for VNET2.

Step 3: Configure DNS Settings for VNET1 and VNET2

Navigate to VNET1 in the Azure Portal.

Select “DNS servers” under the “Settings” section.

Ensure that the DNS server is set to “Default (Azure-provided)”.

Repeat the process for VNET2.

Step 4: Verify Name Resolution

Deploy a virtual machine in VNET1 and another in VNET2.

Connect to the virtual machines using Remote Desktop Protocol (RDP) or Secure Shell (SSH).

Test name resolution by pinging the VM in VNET2 from the VM in VNET1 using its hostname (e.g., ping .contoso.azure).

Explanation

Private DNS Zone: This allows you to manage and resolve domain names in a private network without exposing them to the public internet.

Virtual Network Links: Linking VNET1 and VNET2 to the DNS zone ensures that VMs in these networks can register their DNS records automatically.

Auto-registration: This feature automatically registers the DNS records of VMs in the linked virtual networks, simplifying management.

DNS Settings: Using Azure-provided DNS ensures that the VMs can resolve each other’s names without additional configuration.

By following these steps, you ensure that virtual machines on VNET1 and VNET2 are included automatically in the DNS zone contoso.azure and can resolve each other’s names seamlessly.

Here are the steps and explanations for ensuring that the storage34280945 storage account will only accept connections from hosts on VNET1:

To restrict network access to your storage account, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings1.

On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from1. This will block all access to your storage account except from the networks or resources that you specify.

Under Virtual networks, select + Add existing virtual network. Then select VNET1 from the list of virtual networks and select the subnet that contains the hosts that you want to allow access to your storage account1. This will enable a service endpoint for Storage in the subnet and configure a virtual network rule for that subnet through the Azure storage firewall2.

Select Add to add the virtual network and subnet to your storage account1.

Select Save to apply your changes1.

Here are the steps and explanations for ensuring that all hosts deployed to subnet3-2 connect to the internet by using the same static public IP address:

To use the same static public IP address for multiple hosts, you need to create a NAT gateway and associate it with subnet3-2. A NAT gateway is a resource that performs network address translation (NAT) for outbound traffic from a subnet1. It allows you to use a single public IP address for multiple private IP addresses2.

To create a NAT gateway, you need to go to the Azure portal and select Create a resource. Search for NAT gateway, select NAT gateway, then select Create3.

On the Create a NAT gateway page, enter or select the following information and accept the defaults for the remaining settings:

Subscription: Select your subscription name

Resource group: Select your resource group

Name: Type a unique name for your NAT gateway

Region: Select the same region as your virtual network

Public IP address: Select Create new and type a name for your public IP address. Select Standard as the SKU and Static as the assignment method4.

Select Review + create and then select Create to create your NAT gateway3.

To associate the NAT gateway with subnet3-2, you need to go to the Virtual networks service in the Azure portal and select your virtual network.

On the Virtual network page, select Subnets under Settings, and then select subnet3-2 from the list.

On the Edit subnet page, under NAT gateway, select your NAT gateway from the drop-down list. Then select Save.

Box 1: VM2, VM3 and VM4.

VM1 is in VNet1/Subnet1. VNet1 is peered with VNet2 and VNet3.

There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.

Box 2:

VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.

There is no virtual network peering between VM4’s VNet (VNet3) and VM5’s VNet (VNet4). To enable the VMs to communicate over the Microsoft backbone network a VNet peering is required between VNet3 and VNet4.

Box 1: No

Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.

Box 2: Yes

VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.

Box3: No

VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won’t be able to enable auto-registration on the link.

NGS1 only

VM2, VM3, VM4 and VM5

No

subnet1(WM1->NSG1 outbound->NSG10 outbound)->subnet2(NSG1 inbound->NSG11 inbound->VM2)

Yes

NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2ג€™s subnet (VNet1/Subnet2).

No

NSG11 blocks RDP (port TCP 3389) destined for ג€˜VirtualNetworkג€™. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.