You administer an Azure solution that uses a virtual network named fabVNet. FabVNet has a
single subnet named Subnet-1.
You discover a high volume of network traffic among four virtual machines (VMs) that are
part of Subnet-1.
You need to isolate the network traffic among the four VMs. You want to achieve this goal
with the least amount of downtime and impact on users.
What should you do?
A.
Create a new subnet in the existing virtual network and move the four VMs to the new
subnet.
B.
Create a site-to-site virtual network and move the four VMs to your datacenter.
C.
Create a new virtual network and move the VMs to the new network.
D.
Create an availability set and associate the four VMs with that availability set.
Explanation:
http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
I would say A or C
“A”
Windows Azure provides routing across subnets within a single virtual network.
Reference: Network Isolation Options for Machines in Windows Azure Virtual Networks
Incorrect:
not B: A site-to-site VPN allows you to create a secure connection between your on-premises site and your virtual network.
Use a site-to-site connection when:
* You want to create a branch office solution.
* You want a connection between your on-premises location and your virtual network that’s available without requiring additional client-side configurations.
http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
The answer cannot be A, because of what you wrote yourself: Network traffic is routed between subnets within a single virtual network. The requirement is to isolate the network traffic among the four VMs. The correct answer is C therefore.
I think C
Answer is A
This is basic networking, putting the VMs on their own subnet will isolate the traffic between them. The logic above of ruling it out because traffic is routed between the 4 VMs and other machines does not address what the question asks which was simply isolating traffic between the 4 machines. The question also stipulates “with least amount of downtime and impact on users” which would certainly not be the case creating a new virtual network and connecting it back to the users.
I also searched and don’t see that Microsoft has added the ability to move VMs between virtual networks so C is not possible anyways, though it is really tough being tested on technology that is changing constantly you can never be sure they didn’t sneak a feature in.
VMs are routable between subnets in the same VNet. There is no isolation.
You move VMs between VNets by de-provisioning and re-provisioning.
C is the correct answer.
Reading this http://azure.microsoft.com/blog/2014/03/28/network-isolation-options-for-machines-in-windows-azure-virtual-networks/
moving VMs in another subnet in the same VNET makes no difference until you really lock them down using windows firewalls.
Agreed – makes sense. The only way to isolate the four VMs is by moving them to a new VNET. If that VNet ever needed to talk to other Vnets we’d configure a hub and spoke VNET-to-VNET connection.
The VMs are all on the same broadcast domain or subnet. All the OSI layer 2 traffic like NetBIOS and all the broadcasts are network traffic which may be caused by other VMs.
Creating a new subnet also creates a new broadcast domain. The OSI layer 3 traffic will be routed between the subnets but not the OSI layer 2 traffic. Moving the 4 VMs to the new subnet will prevent them from receiving all the broadcasts and NetBIOS stuff from the first subnet but they will be reachable by TCP/IP. Creating a new Vnet also provides the same result. There is a problem. This 4 VMs will not be able to reach the VMs on the first VNet without extra configuration like a VNet-to-VNet connection.
B is probably right answer. Moving the VMs to own DC will surely isolate them from other VMs. Since the traffic is high between them perhaps they need minimal communication with other VMs / service on azure, in which case site-site will help.
D will not solve the issue because availability set relates to … avalability in case of a crash or an update
A, B, C may solve the issue
But A is the solution with the least amount of administrative work.
So the answer is A
concerning B: does anybody seriously mean that Azure could not solve a traffic performance issue?
I would say the answer is A. D is obviously not correct, but B and C would require shutting down the machine and migrating it. With option A you could configure everything via PowerShell without ever shutting down the machine.
Definitely C, move them to a new subnet, from https://azure.microsoft.com/en-us/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/ it says:
Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security.
There is no mention there is a lot of broadcast traffic, so seperating servers in a subnet wouldn’t help. I think B is correct. C can help, but it will be done with downtime for the users.
Its either A or C.
Subnetting is basically just a way of splitting a TCP/IP network into smaller, more manageable pieces. The basic idea is that if you have an excessive amount of traffic flowing across your network, then that traffic can cause your network to run slowly. When you subnet your network, you are splitting the network into a separate, but interconnected network. That way, most of the network traffic will be isolated to the subnet in which it originated.
But with C you’d have to redeploy all the four VMs to be on the newly created network and this = downtime + impact. (remember you cant easily swap network association on the Azure VM like you can with Hyper-V etc). So answer must be A.
B again would cause downtime + impact
D wont help at all
I’m going for ‘C’ – why? cos this is the only method to isolate the four VMs.
http://www.virtualizationadmin.com/articles-tutorials/cloud-computing/microsoft/virtual-networks-microsoft-azure-part1.html
Create a new Subnet!
https://azure.microsoft.com/en-us/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/
In fact – I have to agree ‘new subnet’ = the least amount of downtime and impact on users.
Subnet
Get-AzureVM –Name –ServiceName
Set-AzureSubnet –SubnetNames | Update-AzureVM
C.
Create a new virtual network and move the VMs to the new network.
This has the least amount of downtime and impact on the users because the VM’s will not be required to change subnets and can restrict traffic via the virtual network.
http://www.virtualizationadmin.com/articles-tutorials/cloud-computing/microsoft/virtual-networks-microsoft-azure-part1.html
https://azure.microsoft.com/en-us/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/
A.
Create a new subnet in the existing virtual network and move the four VMs to the new
subnet
question states “You want to achieve this goal with the least amount of downtime and impact on users.”
answer is A.
create a new subnet, move VMs into subnet and apply ACL or NSG to isolate network traffic
You can move existing virtual machines into a subnet or move a virtual machine out of a subnet.
http://blogs.technet.com/b/canitpro/archive/2014/05/20/step-by-step-move-a-microsoft-azure-vm-to-a-different-subnet-within-a-vnet.aspx
Answer is A.
Isolation should be with an NSG on the new Subnet.