Multi-region design with Azure Route Server without an overlay

Some time ago I posted a blog commenting on a possible design for interconnecting multiple Azure regions by means of Network Virtual Appliances (NVAs) and the Azure Route Server (ARS), where I used an overlay tunnel between the NVAs with VXLAN as encap protocol. I have received multiple questions to whether it would be possible … Continue reading Multi-region design with Azure Route Server without an overlay

CLI-based analysis of an ExpressRoute private peering

Quite frequently I see Azure connectivity diagrams that do not reflect accurately the topology of Azure Virtual Networks connnected to on-premises data centers via ExpressRoute. Additionally, I got the question last week of how to do some basic BGP troubleshooting in the involved networking devices in a way which is understandable by network administrators (read … Continue reading CLI-based analysis of an ExpressRoute private peering

VNet peering settings, those familiar strangers

Hey everybody! In this post I would like to talk about some of the settings that you can configure in VNet Peerings, and how those actually work. Even if you have been using VNet peerings for years now, I bet I have some surprises for you. TL;DR: Do not rely in the VirtualNetwork service tag … Continue reading VNet peering settings, those familiar strangers

Azure Route Server and NVAs running on Scale Sets

There are a couple of ways in which you can deploy NVAs in Azure, from a redundancy perspective: 1+1 (active/passive): least scalable solution, your maximum throughput will be equivalent of the one of the active NVA, while you normally have to pay for 2 VMs and 2 NVA licenses 1+1 (active/active): 2 NVAs forwarding traffic … Continue reading Azure Route Server and NVAs running on Scale Sets

Listen to the Whispers of BGP

An old Cherokee proverb says: “Listen to the whispers and you won’t have to hear the screams”. Routing problems are hard: Hard to uncover, because sometimes they will not become apparent until something happens. For example, when your backup routes disappear, and you only notice when the primary routes are gone too. And hard in … Continue reading Listen to the Whispers of BGP

New Azure Sample: ACI in VNet with Init and Sidecar Containers

Hey there! I have recently published a new Azure Sample: ACI in VNet with Sidecar Containers. It has generated a bit of controversy (there is a reason why I picked such a crowded image for the post title), so let me add some color to it. But let me give you the TL;DR first: the … Continue reading New Azure Sample: ACI in VNet with Init and Sidecar Containers

A day in the life of a packet in Azure Redhat Openshift (part 3)

This is part 3 of a blog series around networking in Azure Redhat Openshift, and we will see how pods talk to each other inside of the cluster and to other systems in the virtual Network or on-premises. Other posts in the series: Part 1: Intro and SDN Plugin Part 2: Internet and Intra-cluster Communication … Continue reading A day in the life of a packet in Azure Redhat Openshift (part 3)

A day in the life of a packet in Azure Redhat Openshift (part 2)

In this part 2 of my blog series around ARO networking we will have a look and how inbound and outbound Internet connectivity works, as well as connectivity between different pods in the cluster. Other posts in the series: Part 1: Intro and SDN Plugin Part 2: Internet and Intra-cluster Communication Part 3: Inter-Project and … Continue reading A day in the life of a packet in Azure Redhat Openshift (part 2)

Filtering traffic to Private Endpoints with Azure Firewall

If you are reading this, you probably already know what Azure Private Link is: a representation of a service such as Azure Storage, Azure SQL Database, Azure Application Service, or even some application running in a different Virtual Network, in your own Virtual Network with a private IP address of your own. This is a … Continue reading Filtering traffic to Private Endpoints with Azure Firewall

A Day in the Life of a Packet in AKS (part 2): kubenet and ingress controller

Hey again, to complete the previous post on the Azure CNI, here it goes using kubenet instead. To make it a bit more interesting we are going to explore a bunch of additional stuff: Deploying AKS with kubenet in your own vnet (note that this is not well documented or supported by Microsoft at the … Continue reading A Day in the Life of a Packet in AKS (part 2): kubenet and ingress controller