ExpressRoute traffic visibility: Flow Logs or Traffic Collector?
Cloudtrooper
by erjosito
1M ago
You might have heard about VNet Flow Logs, I posted about this new Azure feature here. One of the applications of VNet Flow Logs is to gain visibility into traffic in places that had been blind spots until now, such as in the Gateway Subnets to inspect traffic on VPN or ExpressRoute. Talking about ExpressRoute, there is another feature that gives you traffic visibility: ExpressRoute Traffic Collector. This functionality was until recently only available for ExpressRoute Direct circuits, but since this is now working on provider-managed ExpressRoute circuits as well for bandwidths of 1Gbps or h ..read more
VNet Flow Logs recipes
Cloudtrooper
by erjosito
2M ago
You might have heard about the General Availability of Virtual Network Flow Logs in Azure, and even read the announcement blog post. When writing that post with Harsha CS I had the chance to play a bit with VNet Flow Logs and Traffic Analytics, and I would like to share some of the learnings. What the heck am I talking about? Let me bring you up to speed very quickly (attention, oversimplification ahead!): NSG Flow Logs is a technology that logs every packet going through an NSG: in and out, allowed and dropped. The main issue of NSG Flow Logs is, well, that you need an NSG, and some resources ..read more
Do not let ExpressRoute, VPN and SDWAN traffic bypass your firewall
Cloudtrooper
by erjosito
4M ago
I have recently expanded my SDWAN in hub-and-spoke networks design guide to include SDWAN-to-firewall routing. Initially I didn’t have this point, but recent conversations have made me realize that not everybody understands this. The main difficulty in this topic is related to the fact that you cannot inspect the effective routes of your Virtual Network Gateways. Why is this important? Well, because that routing is going to Azure gateways and Azure Firewall Let’s start with the classical design of VPN or ExpressRoute gateways and Azure Firewall. Before adding any route table to the topology, th ..read more
Azure network monitoring with synthetic traffic
Cloudtrooper
by erjosito
6M ago
Wow, that was a mouthful. But it describes what I would like to discuss in this post. Networks are at the basis of every IT infrastructure, so when they don’t work, everybody notices (and when they do work, nobody notices). Hence, monitoring computer networks to detect and fix problems as quickly as possible is a discipline where many IT professionals have invested countless hours. There are many ways in which you can monitor a network: watching for packet drops or unusual activity in the network devices statistics, getting notified when the health stats of routers and switches go South, etc ..read more
Taxonomy of Azure PaaS service access
Cloudtrooper
by erjosito
6M ago
Azure PaaS service networking is quite a complex landscape to navigate. Documentation in Azure about this topic is located in different areas (under Networking and each specific PaaS service), and sometimes using inconsistent terminology. My goal in this blog post is setting a classification of PaaS services that can be used to navigate this complexity. I should start with the beginning. What is a PaaS service, in Azure parlance? It is a “managed” service, meaning something that Microsoft manages for you, opposed to a Virtual Machine where you would deploy your own software and configure it yo ..read more
Designing your SDWAN and Firewall into Azure Hub and Spoke
Cloudtrooper
by erjosito
8M ago
Designing network connectivity in public cloud can very quickly become a daunting task. Of course, public cloud providers do offer native networking services, and with those it is fairly easy. This should always be your primary route (pun intended). For example, in the case of Azure, using Virtual WAN and its native integration with both Microsoft and third-party connectivity appliances. However, sometimes you have requirements that justify not using those native networking services, for example when you require more flexibility and control, or when your networking vendors of choice are not s ..read more
TCP Proxy with Istio on AKS
Cloudtrooper
by erjosito
9M ago
You might have heard of the new AKS Gateway API, which will allow for much more functionality than the good, old ingress API that we all know and love. One of those features is the support for TCP routes, since although HTTP(S) is the king protocol in today’s world, there are still many applications out there that work on TCP. Think AMQP, SQL or FTP, to name the first ones that come to mind. But did you know that even before the Gateway API was there, you could already use TCP routes in Istio gateways? The Envoy proxy, on which Istio is based, does support TCP proxy functionality, and so does ..read more
Get certificates with Azure Key Vault extension to your Linux VMs
Cloudtrooper
by erjosito
11M ago
Certificate management is one of those IT disciplines that is nobody’s dream, and still it can have quite a dramatic (negative) impact in your web presence if not done properly, such as users being told by the browser that your site is not secure. Azure has a nice little tool to manage certificates and bring them to your virtual machines, but it is not that well documented: welcome to the Azure Key Vault extension. Prompted by my awesome colleague Bruna Moreira, I decided to have a look at it. Long story short: it does what it promises (copying and refreshing digital certificates from Azure Ke ..read more
Is Computer Networking too complex?
Cloudtrooper
by erjosito
1y ago
This question has been bothering me for quite some time now. Other technology areas constantly look to reduce complexity: take for example one of the most difficult fields out there, data science. Some years ago you needed a degree to even start with it, and now you can build and deploy models while sipping your favorite cocktail at the swimming pool using tools like Azure ML Studio, Google Auto ML or AWS SageMaker, not to mention the advent of Python replacing R (partially because of its simplicity), and the myriad of products with wizards that do Machine Learning for you, such as Splunk, Pow ..read more
Monitoring Azure Networks with Alerts
Cloudtrooper
by erjosito
1y ago
Monitoring is one of those underrated disciplines: everybody tells you to do it, but nobody tells you exactly how. As a consequence, there are many different approaches and few concrete recommendations. Before continuing, a word of caution: I am not going to cover introductory topics in this post. If you are not familiar with Virtual WAN, make sure you read the docs or watch the videos in https://aka.ms/vwanvideos. Especially related to this topic is the video on Virtual WAN monitoring and metrics by my colleague Nirmal. I have been looking into different ways of configuring Azure Monitor aler ..read more
