Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.5. Reflection Checkpoint
Key Takeaways
Before proceeding, ensure you can:
- Design VNet address spaces that avoid overlap and allow for growth
- Choose between public DNS zones, private DNS zones, and DNS Private Resolver
- Configure VNet peering with gateway transit for hub-spoke architectures
- Create UDRs to force traffic through firewalls or NVAs
- Use Network Watcher tools to diagnose connectivity issues
- Select the appropriate DDoS protection tier for given requirements
Connecting Forward
In Phase 3, you'll build on this foundation to implement hybrid connectivity—connecting your Azure networks to on-premises datacenters using VPN, ExpressRoute, and Virtual WAN.
Self-Check Questions
- A company has VNets in East US (10.0.0.0/16) and West US (10.1.0.0/16), plus an on-premises network (10.0.0.0/24). Can they peer the East US VNet with on-premises via ExpressRoute? Why or why not?
- You need VMs in a spoke VNet to resolve names for Private Endpoints in a hub VNet. What DNS configuration is required?
- Traffic from a subnet with a UDR (0.0.0.0/0 → NVA) isn't reaching the NVA. What Network Watcher tool would you use first, and what might be wrong?
Written by Alvin Varughese
Founder • 15 professional certifications