Workload identity on AKS with Python: boring

I finally decided to carve out an afternoon to test workload identity on AKS. I had done some preliminary reading, and my conclusion was that there had to be some voodoo magic and quantum entanglement at play there to make it work, so I braced myself for failure. The goal of the exercise was clear: … Continue reading Workload identity on AKS with Python: boring

Azure DNS Private Resolver without VNet Peerings

As you might already know, Azure DNS Private Resolver is an Azure service that support DNS forwarding between Azure and on-premises DNS servers. It is very useful to provide Azure DNS resolution to on-premises clients (for example to access private endpoints), or to provide on-premises DNS resolution to Azure clients (to access on-prem resources). Last … Continue reading Azure DNS Private Resolver without VNet Peerings

Pimp your serial console with tmux

I have a short one for today, which I just found out with a colleague when troubleshooting Kubernetes: we only had connectivity to a VM over the console, but we needed to execute two commands at the same time: generate some traffic on one side, and have some tcpdump running on the other. First of … Continue reading Pimp your serial console with tmux

Azure Route Server: to encap or not to encap, that is the question

Azure Route Server is a very powerful tool that thas been recently brought to the Azure Networking toolset: it offers a BGP API so that virtual machines can communicate with a VNet to learn and advertise routes. I have written some articles about Route Server in the past on how to achieve certain scenarios, but … Continue reading Azure Route Server: to encap or not to encap, that is the question

“You are doing your design reviews wrong”

I have the privilege of working in a team in Microsoft with very talented individuals, where we help Microsoft customers to overcome technical challenges with their Azure deployments. One of the most common engagements that we do for organizations using Azure is helping them to verify that their Azure designs fulfill their functional and non-functional … Continue reading “You are doing your design reviews wrong”

Test like a champ with Azure Connection Monitor

If you work in Azure, you probably know about Connection Monitor, a tool that generates synthetic traffic to test connectivity and measure response times. You configure sources (Virtual Machines) to generate traffic that can be addressed to destinations such as other Virtual Machines or any external endpoint outside of Azure. Alerts can be automatically generated … Continue reading Test like a champ with Azure Connection Monitor

Cisco ACI and Microsoft Azure

Sometimes you meet an old friend you haven’t seen for many years, and although both of you might have evolved differently during that time, most often than not you find the common ground and the reasons why you loved each other. Before I get any more sentimental, that is a bit of what I have … Continue reading Cisco ACI and Microsoft Azure

Listen to the Whispers of BGP

An old Cherokee proverb says: “Listen to the whispers and you won’t have to hear the screams”. Routing problems are hard: Hard to uncover, because sometimes they will not become apparent until something happens. For example, when your backup routes disappear, and you only notice when the primary routes are gone too. And hard in … Continue reading Listen to the Whispers of BGP

Using Route Server to firewall onprem traffic with an NVA

In a previous blog we had a setup with a Network Virtual Appliance (NVA) for Internet egress and hybrid connectivity based on Azure Virtual Network Gateways. There is another fairly typical use case with regards to traffic between on-premises an Azure: firewalling it with an NVA: In some situations customers will combine the role of … Continue reading Using Route Server to firewall onprem traffic with an NVA