Combining Azure Firewall and Flow Log analysis

As you might already know, there are a couple of ways of filtering traffic in Azure Virtual Networks: Network Security Groups (NSGs) and Azure Firewall. NSGs offer unlimited performance for Layer 4 filtering, while Azure Firewall is more powerful with features like deep packet inspection or application-level intelligence. However, even if these solutions follow a … Continue reading Combining Azure Firewall and Flow Log analysis

Azure Bastion routing in Virtual WAN

As you might know, Azure Bastion enables management connectivity to virtual machines without having to assign them public IP addresses, and without having to maintain jump hosts in your Virtual Network. Up to recently, the virtual machines needed to be immediately peered to the VNet where Azure Bastion was deployed, but with IP-based connections Azure … Continue reading Azure Bastion routing in Virtual WAN

Azure Virtual WAN Hub Routing Preference

You probably know Azure Virtual WAN: it is an Azure service that provides any-to-any connectivity across regions out of the box, or a “global transit network architecture”, as they describe here: Essentially Virtual WAN is a set of Microsoft-managed virtual hubs peered to each other, where you would connect your VNets and/or branches (ExpressRoute, Site-to-Site … Continue reading Azure Virtual WAN Hub Routing Preference

Azure Firewall’s sidekick to join the BGP superheroes

Azure Firewall is a fantastic product: oversimplifying, an architecture that scales out great, provides traffic forwarding and security in Azure, and is very easy to integrate in a network. Some times you need to manipulate the default routing of Azure VNets, and Azure Route Server offers an invaluable tool for that. However, Azure Route Server … Continue reading Azure Firewall’s sidekick to join the BGP superheroes

Where do I put my SDWAN?

You might have come across a post from my good friend Adam on SDWAN Design options in Azure, where he details seven design alternatives when incorporating SDWAN to an Azure network. While I was reading Adam’s great summary, I was wondering whether I could summarize his design options and recommendations using the 3-tier cloud netowrk … Continue reading Where do I put my SDWAN?

Private Link and Azure Monitor: what is an AMPLS?

Today I came across a concept while not being too new in Azure, I had not met before: Private Link Scopes. This is something that specific services do, more concretely Azure Arc and Azure Monitor (see here for the official docs on how to configure this for Azure Monitor). In the case of the latter, … Continue reading Private Link and Azure Monitor: what is an AMPLS?

Multi-region design with Azure Route Server without an overlay

Some time ago I posted a blog commenting on a possible design for interconnecting multiple Azure regions by means of Network Virtual Appliances (NVAs) and the Azure Route Server (ARS), where I used an overlay tunnel between the NVAs with VXLAN as encap protocol. I have received multiple questions to whether it would be possible … Continue reading Multi-region design with Azure Route Server without an overlay

CLI-based analysis of an ExpressRoute private peering

Quite frequently I see Azure connectivity diagrams that do not reflect accurately the topology of Azure Virtual Networks connnected to on-premises data centers via ExpressRoute. Additionally, I got the question last week of how to do some basic BGP troubleshooting in the involved networking devices in a way which is understandable by network administrators (read … Continue reading CLI-based analysis of an ExpressRoute private peering

VNet peering settings, those familiar strangers

Hey everybody! In this post I would like to talk about some of the settings that you can configure in VNet Peerings, and how those actually work. Even if you have been using VNet peerings for years now, I bet I have some surprises for you. TL;DR: Do not rely in the VirtualNetwork service tag … Continue reading VNet peering settings, those familiar strangers

Azure Route Server and NVAs running on Scale Sets

There are a couple of ways in which you can deploy NVAs in Azure, from a redundancy perspective: 1+1 (active/passive): least scalable solution, your maximum throughput will be equivalent of the one of the active NVA, while you normally have to pay for 2 VMs and 2 NVA licenses 1+1 (active/active): 2 NVAs forwarding traffic … Continue reading Azure Route Server and NVAs running on Scale Sets