Do not let ExpressRoute, VPN and SDWAN traffic bypass your firewall
Cloudtrooper
by erjosito
1M ago
I have recently expanded my SDWAN in hub-and-spoke networks design guide to include SDWAN-to-firewall routing. Initially I didn’t have this point, but recent conversations have made me realize that not everybody understands this. The main difficulty in this topic is related to the fact that you cannot inspect the effective routes of your Virtual Network Gateways. Why is this important? Well, because that routing is going to Azure gateways and Azure Firewall. Let’s start with the classical design of VPN or ExpressRoute gateways and Azure Firewall. Before adding any route table to the topology, th ..read more
Azure network monitoring with synthetic traffic
Cloudtrooper
by erjosito
3M ago
Wow, that was a mouthful. But it describes what I would like to discuss in this post. Networks are at the basis of every IT infrastructure, so when they don’t work, everybody notices (and when they do work, nobody notices). Hence, monitoring computer networks to detect and fix problems as quickly as possible is a discipline where many IT professionals have invested countless hours. There are many ways in which you can monitor a network: watching for packet drops or unusual activity in the network devices’ statistics, getting notified when the health stats of routers and switches go South, etc ..read more
Taxonomy of Azure PaaS service access
Cloudtrooper
by erjosito
3M ago
Azure PaaS service networking is quite a complex landscape to navigate. Documentation in Azure about this topic is located in different areas (under Networking and each specific PaaS service), and sometimes uses inconsistent terminology. My goal in this blog post is setting a classification of PaaS services that can be used to navigate this complexity. I should start with the beginning. What is a PaaS service, in Azure parlance? It is a “managed” service, meaning something that Microsoft manages for you, as opposed to a Virtual Machine where you would deploy your own software and configure it yo ..read more
Designing your SDWAN and Firewall into Azure Hub and Spoke
Cloudtrooper
by erjosito
5M ago
Designing network connectivity in public cloud can very quickly become a daunting task. Of course, public cloud providers do offer native networking services, and with those it is fairly easy. This should always be your primary route (pun intended). For example, in the case of Azure, using Virtual WAN and its native integration with both Microsoft and third-party connectivity appliances. However, sometimes you have requirements that justify not using those native networking services, for example when you require more flexibility and control, or when your networking vendors of choice are not s ..read more
TCP Proxy with Istio on AKS
Cloudtrooper
by erjosito
6M ago
You might have heard of the new AKS Gateway API, which will allow for much more functionality than the good, old ingress API that we all know and love. One of those features is the support for TCP routes, since although HTTP(S) is the king protocol in today’s world, there are still many applications out there that work on TCP. Think AMQP, SQL or FTP, to name the first ones that come to mind. But did you know that even before the Gateway API was there, you could already use TCP routes in Istio gateways? The Envoy proxy, on which Istio is based, does support TCP proxy functionality, and so does ..read more
Get certificates with Azure Key Vault extension to your Linux VMs
Cloudtrooper
by erjosito
7M ago
Certificate management is one of those IT disciplines that is nobody’s dream, and still it can have quite a dramatic (negative) impact on your web presence if not done properly, such as users being told by the browser that your site is not secure. Azure has a nice little tool to manage certificates and bring them to your virtual machines, but it is not that well documented: welcome to the Azure Key Vault extension. Prompted by my awesome colleague Bruna Moreira, I decided to have a look at it. Long story short: it does what it promises (copying and refreshing digital certificates from Azure Ke ..read more
Is Computer Networking too complex?
Cloudtrooper
by erjosito
8M ago
This question has been bothering me for quite some time now. Other technology areas constantly look to reduce complexity: take for example one of the most difficult fields out there, data science. Some years ago you needed a degree to even start with it, and now you can build and deploy models while sipping your favorite cocktail at the swimming pool using tools like Azure ML Studio, Google Auto ML or AWS SageMaker, not to mention the advent of Python replacing R (partially because of its simplicity), and the myriad of products with wizards that do Machine Learning for you, such as Splunk, Pow ..read more
Monitoring Azure Networks with Alerts
Cloudtrooper
by erjosito
8M ago
Monitoring is one of those underrated disciplines: everybody tells you to do it, but nobody tells you exactly how. As a consequence, there are many different approaches and few concrete recommendations. Before continuing, a word of caution: I am not going to cover introductory topics in this post. If you are not familiar with Virtual WAN, make sure you read the docs or watch the videos in https://aka.ms/vwanvideos. Especially related to this topic is the video on Virtual WAN monitoring and metrics by my colleague Nirmal. I have been looking into different ways of configuring Azure Monitor aler ..read more
Cilium Network Policy in AKS
Cloudtrooper
by erjosito
8M ago
If you are following the Azure Kubernetes Service space, I am sure you noticed that Azure CNI powered by Cilium is Generally Available. But is this a big thing? What does it mean for you? Well, yes, it is big indeed. It is like changing the wheels of your car to new ones: Cilium is working with an improved network data plane powered by eBPF; read more about it in https://cilium.io/. The first thing you might notice when deploying a cluster with the Cilium data plane is that you need to use the Cilium network policy (the other options “azure” and “calico” are not available). And this is a good thing! T ..read more
Deploy (Azure) Network-as-Code as a champ
Cloudtrooper
by erjosito
8M ago
Virtually every expert out there recommends following an Infrastructure-as-Code approach to manage Azure Networks, and even more so when dealing with traffic segmentation features such as firewall rulesets and network security groups (those tend to change more frequently than other resources). And yet, there is surprisingly little guidance on how to do so, and about the potential challenges and difficulties that can (will) come up during such a process. So I decided to give this a try, and I created a Github repo to store Azure Networking configurations for Azure Firewall and Network Security ..read more