12 posts tagged with "AWS"

AWS cloud services, architecture patterns, and implementation guides

Random by design: how AWS made expander-graph data centre fabrics work

· 5 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

A like-minded colleague and I used to look at network topologies and ask one simple question. If there was a traffic-engineering choice to make, could we leave more of the hard work to the routing protocol and simplify everything else?

AWS is now running production data centre networks that are wired at random and still deliver strong performance. That sounds wrong at first, but the paper Expanding into Reality: Random Graphs for Datacenter Networks shows why it works.

The key idea is simple: move from rigid hierarchy to high-connectivity randomness, then design routing and operations around that choice.

BGP for Enterprise Cloud Connectivity

· 49 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I used to joke that the cloud networking exams, AZ-700 for Azure, and AWS Advanced Networking, were mostly just “BGP in a GUI”.

It’s not really true. Both exams cover a lot more than that: security, load balancers, DNS, design patterns… the works.

But the joke exists for a reason: as soon as you get into hybrid connectivity and multi-cloud architecture, BGP is everywhere.

And it’s not fair to assume that every enterprise network engineer has spent years living in BGP. Plenty of excellent network engineers can build entire careers with only a light touch of it (often just “peer to the MPLS provider and move on”).

So this post is an explainer of the key BGP concepts that an enterprise network engineer needs to feel comfortable designing and operating hybrid, multi-cloud connectivity, where BGP plays its vital role.

Bringing it all together for network automation

· 6 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I have been working on a comprehensive approach to bringing network automation and documentation into a development-style workflow. Rather than replacing the traditional ITSM approach to change management, it moves infrastructure towards a CI/CD approach to releases, with automation and baked-in documentation.

AWS Route Server vs Azure Route Server

· 5 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I have found that Azure networking has been designed to be familiar to network engineers; even though a lot of the logical constructs are based on smoke and mirrors, they largely behave like the things we're used to, a great example being the VNet that doesn't exist or the load balancer that is also a figment of our imagination. AWS networking, on the other hand, seems to have been created by a bunch of developers high on peyote who thought they knew better than everyone else. This is why it took me a few years to pass the AWS Advanced Networking exam but only a few days to pass the Azure Networking Engineering Associate exam.

Comparing BGP communities in AWS and Azure

· 6 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I like to point out to people that it's easier to train a network person on cloud than it is to train a cloud person on networks. It's a glib generalisation but it holds true for the most part because there is so much to networking that comes from history and quite a lot of grounding that a seasoned network engineer or architect will already understand. A big chunk of the AWS and Azure networking certification covers BGP and that's one of the reasons they are considered quite hard for some but quite easy for others. BGP is a topic that many very experienced network engineers in enterprise networking can get through their entire career without touching, but for those who operate at scale or work with MSP and telco networks it's bread and butter.

CIDR ranges in AWS and Azure

· 7 min read
Simon Painter
Cloud Network Architect - Microsoft MVP
Zain Khan
Cloud Network Engineer

When you create a VNet in Azure or a VPC in AWS, you need to allocate a CIDR range for your subnets. There are key differences between these cloud providers when expanding networks, which can create challenges. Knowing these rules from the start helps you plan your CIDR ranges better. I'll start with what's similar across AWS and Azure, then look at the differences.

Aviatrix. What's all that about?

· 6 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

There seems to be an obsession over on Reddit about the Mandela Effect, which was named after a collective but strongly held false memory that the eponymous Nelson Mandela had died in prison in the '80s. It seems that our minds can play tricks on us, and sometimes things which we clearly remember turn out to be a shared fantasy. I feel a little like this about those weird two weeks in about April 2021, in the midst of the 'rona years, where everyone on LinkedIn got Aviatrix certification for free and then shared it with their contacts so that they too could benefit from a free certification in an emerging technology vendor's product. The reason I'm not sure if it's a Mandela Effect is that I don't really think I've heard of anyone since who has actually used that certification for anything other than to pad out their Credly.

AWS Egress Security

· 9 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I took a look at egress security a little while ago and advocated for the 'less is more' approach for most organisations due to the proliferation of VPCs and vNets and the risk of either having a very large amount of very expensive firewalls providing very little value or, perhaps worse, another pet in the form of centralised internet egress. But I think there may be another way.

Using AWS Route 53 instead of Anycast and RouteServer

· 7 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

Introduction

When working with Azure cloud networking, I've noticed certain limitations, particularly around DNS capabilities for private networks. In this post, I'll explore an unconventional approach: using Amazon Route 53 to address some of Azure's DNS limitations. While this might seem controversial, it offers interesting solutions to two specific challenges: cross-region failover for private resources and closest-instance routing within private networks.

Cloud Readiness Assessment Methodology

· 38 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

My Perspective

After 20+ years implementing network and cloud infrastructure across finance, retail, healthcare, and public sector, I've seen a clear pattern: cloud success strongly links to an organisation's readiness. Yet surprisingly few organisations do thorough readiness checks before starting their cloud journey.

A little look at the AWS Gateway Load Balancer

· 7 min read
Simon Painter
Cloud Network Architect - Microsoft MVP

I recently went down the AWS Gateway Load Balancer rabbit hole, and I've found it to be an interesting solution to some quite specific problems. There are use cases for it on ingress and egress where regulatory requirements, or more likely legacy skillsets, dictate that traffic passes through NVA-based network security appliances. The problem with NVAs in AWS is often the difficulty in scaling them. You need to distribute traffic, and typically you need a load balancer, but you can't use an ALB or an NLB because unlike Azure, the load balancers in AWS don't allow for traffic routing, so they can't be targets for route tables in the same way Azure load balancers can be targets for UDRs.