11 posts tagged with "Cloud"

I like to point out to people that it's easier to train a network person on cloud than it is to train a cloud person on networks. It's a glib generalisation but it holds true for the most part because there is so much to networking that comes from history and quite a lot of grounding that a seasoned network engineer or architect will already understand. A big chunk of the AWS and Azure networking certification covers BGP and that's one of the reasons they are considered quite hard for some but quite easy for others. BGP is a topic that many very experienced network engineers in enterprise networking can get through their entire career without touching, but for those who operate at scale or work with MSP and telco networks it's bread and butter.

This is a pretty niche feature preview and you can find the official documentation here. In some cases you might want to expand the size of a subnet but if you have a constrained IP space you might not have contiguous space available; here's what you can do.

A little while ago I set out to find a way to measure the overhead that FQDN filtering places on https web traffic. The results are shared here however I thought I would take the opportunity to discuss the methodology here in a bit more detail.

I found an interesting little field hidden in plain sight in Microsoft documentation. A clever chap recently said this to me: 'if you can figure out what problem the engineers were trying to solve then it makes it easier to understand why the product works the way it does'.

When you create a VNet in Azure or a VPC in AWS you have to allocate a CIDR range from which you subnets will be allocated. There are some nuances between the different service providers as you try to expand your networks which can lead to some challenges. Knowing the different rules from the start can help you plan your CIDR ranges appropriately. We'll start with what's the same across AWS and Azure and then look at the differences.

I took a look at egress security a little while ago and advocated for the 'less is more' approach for most organisations due to the proliferation of VPCs and vNets and the risk of either having a very large amount of very expensive firewalls providing very little value or, perhaps worse, another pet in the form of centralised internet egress. There may be another way.

What to do about global site load balancing.

The Mystery Begins​

The reason I fell down the rabbit hole with regard to finding my public ip was because of a section in an old Azure networking book my friend was reading which said:

To allow Azure internal communication between resources in Virtual Networks and Azure services, Azure assigns public IP addresses to VMs, which identifies them internally. Let's call these public IP addresses AzPIP (this is an unofficial abbreviation). You can check the Azure internal Public IP address bound to the VM with the command dig TXT short o-o.myaddr.google.com.

My Perspective​

Over two decades of experience implementing network and cloud infrastructure across financial services, retail, healthcare, and public sector organisations has shown me a clear pattern: the success of cloud initiatives correlates strongly with an organisation's readiness for cloud adoption. Yet surprisingly few organisations conduct thorough readiness assessments before embarking on their cloud journey.

The problem​

I used to run a hosted linux web server, which was great for stuff like all those weird little scripts and things I wanted to run 'always on'. After a while I put a few websites on it, and some websites for friends, and my little brother, and the local residents association, and next thing I knew I was running a load of instances of Wordpress. I was also constantly fending off the advances of hackers who were forever finding exploits in the famously insecure blogging platform.

The Case for Application-Level Controls

Introduction​

The approach to securing outbound internet traffic often reflects an organisation’s security maturity more than its technical requirements. System-to-system communication, such as API calls to cloud services, presents fundamentally different challenges compared to user browsing. Understanding these differences is crucial for implementing effective security controls without unnecessary complexity or risk.