Tag: vpn

Do not let ExpressRoute, VPN and SDWAN traffic bypass your firewall

by erjosito

I have recently expanded my SDWAN in hub-and-spoke networks design guide to include SDWAN-to-firewall routing. Initially I didn’t have this point, but recent conversations have made me realize that not everybody understand this. The main difficulty in this topic is related to the fact that you cannot inspect the effective routes of your Virtual Network … Continue reading Do not let ExpressRoute, VPN and SDWAN traffic bypass your firewall

Monitoring Azure Networks with Alerts

by erjosito

Monitoring is one of those underrated disciplines: everybody tells you to do it, but nobody tells you exactly how. As a consequence, there are many different approaches and few concrete recommendations. Before continuing, a word of caution: I am not going to cover introductory topics in this post. If you are not familiar with Virtual … Continue reading Monitoring Azure Networks with Alerts

You want to use AS-path as your virtual hub routing preference

by erjosito

Wow, that was a long title. Let me give you another one: if you haven’t tested your High Availability (HA) or Disaster Recovery (DR) plans, you shouldn’t rely on them. This is of course regardless of whether your infrastructure runs on your premises, on public cloud, or anywhere else. In this post I am going … Continue reading You want to use AS-path as your virtual hub routing preference

Virtual Network Gateways routing in Azure

by erjosito

If you have ever used Azure, you probably have used one of these Virtual Network Gateways too: whether it is to connect your branches and headquarters with Azure via IPsec VPN or ExpressRoute, or to provide connectivity to your mobile workers or external partners through Point-to-Site VPNs. In this post I will go deep on … Continue reading Virtual Network Gateways routing in Azure

Overlapping IP addresses in a hub-and-spoke network (feat. AVNM & ARS)

by erjosito

I have had some questions around a common theme asked by some large Azure customers. These refrains might sound familiar to you: “I have run out of IPv4 addresses“, “My network team can only allocate so many IPs for Azure“, “How can I reuse IP space in Azure?“. If they do, I have a hack … Continue reading Overlapping IP addresses in a hub-and-spoke network (feat. AVNM & ARS)

Azure DNS Private Resolver without VNet Peerings

by erjosito

As you might already know, Azure DNS Private Resolver is an Azure service that support DNS forwarding between Azure and on-premises DNS servers. It is very useful to provide Azure DNS resolution to on-premises clients (for example to access private endpoints), or to provide on-premises DNS resolution to Azure clients (to access on-prem resources). Last … Continue reading Azure DNS Private Resolver without VNet Peerings

Azure Virtual WAN Hub Routing Preference

by erjosito

You probably know Azure Virtual WAN: it is an Azure service that provides any-to-any connectivity across regions out of the box, or a “global transit network architecture”, as they describe here: Essentially Virtual WAN is a set of Microsoft-managed virtual hubs peered to each other, where you would connect your VNets and/or branches (ExpressRoute, Site-to-Site … Continue reading Azure Virtual WAN Hub Routing Preference

Tunnels Between Clouds

by erjosito

I see more and more organizations deploying workloads across different clouds, and some times those workloads need to communicate between each other. There are multiple options to connect clouds together, the cheapest being an encrypted network tunnel over the public Internet, also known as IPsec VPN. All clouds support deploying your favorite network vendor as … Continue reading Tunnels Between Clouds

Sending Internet Traffic from P2S Clients Through an NVA

by erjosito

Azure can be used to offer Point-To-Site (P2S) connectivity for individual users, that by leveraging a VPN client on their systems (Windows, Linux or Mac) can get connectivity to Azure resources. This P2S connectivity is often limited to Azure resources, but by leveraging the Azure Route Server, additional access is offered. For example, if an … Continue reading Sending Internet Traffic from P2S Clients Through an NVA

Using Route Server to firewall onprem traffic with an NVA

by erjosito

In a previous blog we had a setup with a Network Virtual Appliance (NVA) for Internet egress and hybrid connectivity based on Azure Virtual Network Gateways. There is another fairly typical use case with regards to traffic between on-premises an Azure: firewalling it with an NVA: In some situations customers will combine the role of … Continue reading Using Route Server to firewall onprem traffic with an NVA