Posts

Traceroute in Azure

Is it possible to traceroute in Azure? Despite a lot of negative statements, it is totally possible. Take a look: IPv4: IPv6:

All you need is to meet 2 conditions:

- Add a Network Security Group rule allowing inbound ICMP to this VM from Any source
- Configure the VM with an explicit instance-level public IP.

Here's the explanation for these conditions:

1. ICMP

All the NSG rules in Azure, explicit or implicit, are stateful. This includes ICMP. As you may know, traceroute works by sending IP packets with a very short TTL (starting with 1). Each router on the path decreases the TTL by one, and the router that decreases the packet's TTL to 0 must drop it and should send back an ICMP "TTL expired in transit" message. That ICMP message returns to the VM from the router, not from the VM we are sending probes to. But NSG rules are only ready to receive responses from the end host. Opening ICMP inbound from all hosts allows the ICMP "Expired in transit" packets to reach the original VM, so that tracert works properly.

2....

Split-brain DNS with Privatelink domains and Internet Fallback

Disclaimer: While I work for Microsoft, this article does not represent a recommended or validated architecture. It reflects my personal thoughts on a possible usage scenario.

There's a new Azure Private DNS feature that allows fallback to the public DNS record if a private one is not defined. Private DNS zones and the feature itself are perfectly explained in the official documentation and in blog posts of my coworkers, and I won't even try to repeat this. (John Savill, Jose Moreno, Official Doc) They are mostly created for Private Endpoint support for services provided by Microsoft. However, anyone can use the same feature to create split-brain DNS for their own domain.

Several use cases, besides Microsoft-provided services using Private Endpoints, that can be useful:

Use case 1. Corporate Split-brain DNS

Imagine you have different website versions for external and internal users. With Private DNS zones it was possible to create split DNS before, however, managing all the recor...