🕸️ Network

• Network rules are processed before application rules in Azure Firewall.
• NSGs are required for securing Load Balancer backend pools.
• When moving a virtual network, dependent resources must also be moved
• VNet peering is bidirectional and can be across subscriptions or tenants (if allowed).
• DNS operates on port 53.
• Peering gateway transit allows one VNet to use another’s VPN gateway.
• ExpressRoute supports BGP routing and private connectivity to Microsoft services.
• Site-to-Site VPNs use IPsec/IKE; IKEv2 is recommended.
• Point-to-Site VPNs support OpenVPN, IKEv2, and SSTP.
• Policy-based VPNs support IKEv1 only.
• Route-based VPNs support IKEv2 and dynamic routing.
• Azure Load Balancer operates at Layer 4 (TCP/UDP).
• Standard Load Balancer requires standard SKU public IPs in the same region.
• Basic Load Balancer supports VMs in one availability set or one scale set.
• Load Balancer backend pool VMs must be in the same VNet.
• Traffic Manager uses DNS-based load balancing across endpoints.
• Network Watcher supports up to 10,000 packet capture sessions per region.
• NSG flow logs capture traffic metadata for analysis.
• Azure DNS supports import and export of zone files in Portal, CLI, and PowerShell.