articles/virtual-network/virtual-networks-faq.md
7 additions & 9 deletions
@@ -130,7 +130,7 @@ Unicast is supported in virtual networks. Multicast, broadcast, IP-in-IP encapsu
130
130
131
131
Azure virtual networks provide DHCP service and DNS to Azure Virtual Machines. However, you can also deploy a DHCP Server in an Azure VM to serve the on-prem clients via a DHCP Relay Agent.
132
132
133
-
DHCP Server in Azure was previously marked not feasible since the traffic to port UDP/67 was rate limited in Azure. However, recent platform updates have removed the rate limitation, enabling this capability.
133
+
DHCP servers in Azure were previously considered not feasible since the traffic to port UDP/67 was rate limited in Azure. However, recent platform updates have removed the rate limitation, enabling this capability.
134
134
135
135
> [!NOTE]
136
136
> The on-premises client to DHCP Server (source port UDP/68, destination port UDP/67) is still not supported in Azure, since this traffic is intercepted and handled differently. This will result in timeout messages at the time of DHCP RENEW at T1 when the client directly attempts to reach the DHCP Server in Azure. The DHCP RENEW will succeed when the DHCP RENEW attempt is made at T2 via DHCP Relay Agent. For more details on the T1 and T2 DHCP RENEW timers, see [RFC 2131](https://www.ietf.org/rfc/rfc2131.txt).
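Review bot: The reworded sentence at new line 133 now says "DHCP servers" in lower case, while the unchanged sentence two lines above it and the note below it still write "DHCP Server" and "DHCP Relay Agent" with capitals. Pick one form for the whole answer. Since the line is being touched anyway, "rate limited" would read better as "rate-limited", and "since the traffic" as "because the traffic".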
@@ -280,10 +280,6 @@ Previously, the MAC address was released if you stopped (deallocated) the VM. Bu
280
280
* Delete the network adapter.
281
281
* Change the private IP address that's assigned to the primary IP configuration of the primary network adapter.
282
282
283
-
### Can I connect to the internet from a VM in a virtual network?
284
-
285
-
Yes. All VMs and Cloud Services role instances deployed within a virtual network can connect to the internet.
286
-
287
283
## Azure services that connect to virtual networks
288
284
289
285
### Can I use Web Apps with a virtual network?
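Review bot: Deleting the "Can I connect to the internet from a VM in a virtual network?" entry (old lines 283 to 286) leaves the FAQ with no statement about outbound internet connectivity, and nothing in the change says why. If the old answer ("All VMs and Cloud Services role instances ... can connect to the internet") is no longer accurate, replace it with the current behaviour or a link to where it is documented instead of removing it silently, because readers planning egress controls look for this entry and existing links to the heading anchor will break.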
@@ -406,7 +402,7 @@ You can connect to these resources via Azure ExpressRoute or network-to-network
406
402
407
403
### Can I enable virtual network peering if my virtual networks belong to subscriptions within different Microsoft Entra tenants?
408
404
409
-
Yes. It's possible to establish virtual network peering (whether local or global) if your subscriptions belong to different Microsoft Entra tenants. You can do this via the Azure portal, PowerShell, or the Azure CLI.
405
+
Yes. It's possible to establish virtual network peering (whether local or global) if your subscriptions belong to different Microsoft Entra tenants. You can do this via the [Azure portal](/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal), [PowerShell](/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-powershell), or the [Azure CLI](/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-cli).
410
406
411
407
### My virtual network peering connection is in an Initiated state. Why can't I connect?
412
408
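Review bot: The three links added at new line 405 all point to create-peering-different-subscriptions, but the question is about subscriptions in different Microsoft Entra tenants. Confirm that the target article covers the cross-tenant case and that the tab ids (create-peering-portal, create-peering-powershell, create-peering-cli) match its tabs. The links are also root-relative (/azure/virtual-network/...) while another link in this file uses a relative .md path (virtual-network-for-azure-services.md); for an article in the same folder the relative form is more consistent.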
@@ -509,13 +505,13 @@ Certain services (such as Azure SQL and Azure Cosmos DB) allow exceptions to the
509
505
Turning on the service endpoints on the network side can lead to a connectivity drop, because the source IP changes from a public IPv4 address to a private address. Setting up virtual network ACLs on the Azure service side before turning on service endpoints on the network side can help avoid a connectivity drop.
510
506
511
507
>[!NOTE]
512
-
> If you enable Service Endpoint on certain services likes "Microsoft.AzureActiveDirectory" you can see IPV6 address connections on Sign-In Logs. Microsoft use an internal IPV6 private range for this type of connections.
508
+
> If you enable Service Endpoint on certain services like "Microsoft.AzureActiveDirectory" you can see IPV6 address connections on Sign-In Logs. Microsoft use an internal IPV6 private range for this type of connection.
513
509
514
510
### Do all Azure services reside in the Azure virtual network that the customer provides? How does a virtual network service endpoint work with Azure services?
515
511
516
512
Not all Azure services reside in the customer's virtual network. Most Azure data services (such as Azure Storage, Azure SQL, and Azure Cosmos DB) are multitenant services that can be accessed over public IP addresses. For more information, see [Deploy dedicated Azure services into virtual networks](virtual-network-for-azure-services.md).
517
513
518
-
When you turn on virtual network service endpoints on the network side and set up appropriate virtual network ACLs on the Azure service side, access to an Azure service is restricted from an allowed virtual network and subnet.
514
+
When you turn on virtual network service endpoints on the network side, and set up appropriate virtual network ACLs on the Azure service side, access to an Azure service is restricted to an allowed virtual network and subnet.
519
515
520
516
### How do virtual network service endpoints provide security?
521
517
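Review bot: The note at new line 508 is only half fixed. "Microsoft use an internal IPV6 private range" should be "Microsoft uses", and "IPV6" should be "IPv6" to match "IPv4" in the paragraph just above the note (line 505). At new line 514 the change from "restricted from" to "restricted to" corrects the meaning, but the added comma in "on the network side, and set up" splits a compound predicate and can be dropped.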
@@ -543,6 +539,8 @@ Yes, it's possible when you're using service endpoints for Azure Storage and Azu
543
539
544
540
By default, Azure service resources secured to virtual networks are not reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow public (typically, NAT) IP addresses from on-premises or ExpressRoute. You can add these IP addresses through the IP firewall configuration for the Azure service resources.
545
541
542
+
Alternatively, you can implement [private endpoints](/azure/private-link/private-endpoint-overview) for supported services.
543
+
546
544
### Can I use virtual network service endpoints to secure Azure services to multiple subnets within a virtual network or across multiple virtual networks?
547
545
548
546
To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, enable service endpoints on the network side on each of the subnets independently. Then, secure Azure service resources to all of the subnets by setting up appropriate virtual network ACLs on the Azure service side.
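Review bot: The sentence added at new line 542 does not say what private endpoints are an alternative to. The preceding paragraph is about allowing on-premises public (NAT) IP addresses through the service's IP firewall, so say so directly, for example "Alternatively, to reach these resources from on-premises without allowing public IP addresses, you can implement private endpoints for supported services." A reader deciding between opening the IP firewall and using private connectivity needs that contrast spelled out.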
@@ -561,7 +559,7 @@ The service returns an HTTP 403 or HTTP 404 error.
561
559
562
560
Yes. For most of the Azure services, virtual networks created in different regions can access Azure services in another region through the virtual network service endpoints. For example, if an Azure Cosmos DB account is in the West US or East US region, and virtual networks are in multiple regions, the virtual networks can access Azure Cosmos DB.
563
561
564
-
Azure Storage and Azure SQL are exceptions and are regional in nature. Both the virtual network and the Azure service need to be in the same region.
562
+
Azure SQL is an exception and is regional in nature. Both the virtual network and the Azure service need to be in the same region.
565
563
566
564
### Can an Azure service have both a virtual network ACL and an IP firewall?
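Review bot: Dropping Azure Storage from the exceptions at new line 562 changes a stated constraint, and the answer no longer mentions Storage at all. Readers who designed around the old same-region requirement have no way to tell from this text whether Storage now follows the "most of the Azure services" rule. Either add Azure Storage to the cross-region example next to Azure Cosmos DB or add one sentence stating its current behaviour.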