Network Rules Versus Application Rules for Internal Traffic
Aidan Finn, IT Pro
by AFinn
1M ago
This post is about using either Network Rules or Application Rules in Azure Firewall for internal traffic. I’m going to discuss a common scenario, a “problem” that can occur, and how you can deal with that problem.
The Rules Types
There are three kinds of rules in Azure Firewall:
DNAT Rules: Control traffic originating from the Internet, directed to a public IP address attached to Azure Firewall, and translated to a private IP Address/port in an Azure virtual network. This is implicitly applied as a Network Rule. I rarely use DNAT Rules – most modern applications are HTTP/S and enter the virt…
Azure Virtual Network Manager – Routing Configuration Preview
Aidan Finn, IT Pro
by AFinn
2M ago
Microsoft recently announced a public preview of User-Defined Route (UDR) management using Azure Virtual Network Manager. I’ve taken some time to play with it, and here are my thoughts.
Azure Virtual Network Manager (AVNM)
AVNM has been around for a while but I have mostly ignored it up to now because:
The connectivity configuration feature (centrally manage VNet connections) was pointless to me without route management – what’s the point of a hub & spoke in a business setting without a firewall?
I liked the Security Admin Rule configuration (same tech as NSG rules in the Hyper-V switch p…
Why Are There So Many Default Routes In Azure?
Aidan Finn, IT Pro
by AFinn
2M ago
Have you wondered why an Azure subnet with no route table has so many default routes? What the heck is 25.176.0.0/13? Or what is 198.18.0.0/15? And why are they routing to None?
The Scenario
You have deployed a virtual machine. The virtual machine is connected to a subnet with no Route Table. You open the NIC of the VM and view Effective Routes. You expect to see a few routes for the non-RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, etc) and “quad zero” (0.0.0.0/0) but instead you find this:
What in the nelly is all that? I know I was pretty freaked out when I first saw it some time ago. Here ar…
Script – Document All Azure Private DNS Zones
Aidan Finn, IT Pro
by AFinn
3M ago
I found myself in a situation where I needed to document a lot of Azure Private DNS Zones. I needed the following information:
Name of the zone
Subscription name
Resource group name
Name of associated virtual networks
The list was long so a copy and paste from the Azure Portal was going to take too long. Instead, I put a few minutes into a script to do the job – it even writes the content as a Markdown table in a .md file, making it super simple to copy/paste the entire piece of text into my documentation in VS Code.
cls
$subs = Get-AzSubscription
$outString = "| Zone Name | Subscription…
Designing Network Security To Combat Modern Threats
Aidan Finn, IT Pro
by AFinn
5M ago
In this post, I want to discuss how one should design network security in Microsoft Azure, dispensing with past patterns and combatting threats that are crippling businesses today.
The Past
Network security did not change much for a very long time. The classic network design is focused on an edge firewall. “All the bad guys are trying to penetrate our network from the Internet” so we’ll put up a very strong wall at the edge. With that approach, you’ll commonly find the “DMZ” network; a place where things like web proxies and DNS proxies isolate interior users and services from the Internet. Th…
A Beginners Guide To The MVP Summit (2024)
Aidan Finn, IT Pro
by AFinn
5M ago
This is my updated post on providing information on what the MVP Summit is, what to expect, and some useful tips/tricks in the neighborhood. This is a big update on a post that I wrote in 2012.
What’s an MVP?
The MVP (Most Valuable Professional) award from Microsoft is exactly that – an award for expert community services relevant to products or services that Microsoft offers. Microsoft used to describe MVPs as:
MVPs are independent experts who are offered a close connection with people at Microsoft. To acknowledge MVPs’ leadership and provide a platform to help support their efforts, Microso…
Azure & Oracle Cloud Interconnect
Aidan Finn, IT Pro
by AFinn
5M ago
This post will explain how you can connect your Azure network(s) with Oracle Cloud Infrastructure (OCI) via the Oracle Cloud Interconnect.
Background
Many mid-large organisations run applications that are based on Oracle software. When these organisations move to the cloud, they may choose to use Oracle Cloud for their Oracle workloads and Azure for everything else. But that raises some interesting questions:
How do we connect Azure workloads to Oracle workloads?
If Oracle is hosting data services, how do we minimise latency?
The answer is: The Oracle Cloud Interconnect (OCI). Microsoft doc…
Your Hub VNet Should Have No Compute
Aidan Finn, IT Pro
by AFinn
7M ago
This post is going to explain why you should not be putting any compute into your hub VNet.
Background
I was looking at some Azure Landing Zones (reference architectures) from Microsoft before the end of 2023. I was shocked to see compute (VMs) being placed in the hub. Years ago, I learned that putting any kind of compute in the hub eventually leads to issues that are not obvious at first. I would have expected Microsoft to know better. I posted something on Twitter and LinkedIn. Sure, there were plenty of people that agreed with me. However, there were respondents from Microsoft and elsewhere…
Getting Private Endpoints To WORK In The Real World
Aidan Finn, IT Pro
by AFinn
7M ago
In this Festive Tech Calendar post, I am going to explain how to get Private Endpoints working in the real world. Thank you to the team that runs Festive Tech Calendar every year for the work that they do and for raising funds for worthy causes.
Private Endpoints
When The Cloud was first envisioned, it was made a platform that didn’t really take network security seriously. The resources that developers want to use, Platform-as-a-Service (PaaS), were built to only have public endpoints. In the case of Microsoft Azure, if I deploy an App Service Plan, the compute that is provisioned for me share…
The Digital Intern – Early Experience with Microsoft Copilot
Aidan Finn, IT Pro
by AFinn
9M ago
I will share my early experiences with Microsoft Copilot, the positives and negatives, clear up some false expectations, and explain why I think of Generative AI as a digital intern.
What is Generative AI?
The name gives it away. Generative AI generates or creates something from other known things. Examples are:
DALL-E: Creating images, such as Bing Create
Chat GPT: A text-based interface for finding things and generating text, such as the Copilot brand from Microsoft.
Pre-Microsoft
There are lots of brands out there but the one that’s grabbing most of the headlines is Open AI because of Cha…