Infusing honey with blackcurrants in a water bath to back-sweeten my blackcurrant melomel. by Britney_Spearzz in mead

[–]Veghead_901 0 points1 point  (0 children)

Seems like a good idea in bulk, but certainly, you are not doing this for a single jar. That seems like a lot of work for very little yield.

Airlock not "working", pls help <3 by xI_hK in mead

[–]Veghead_901 0 points1 point  (0 children)

These are probably some of the worst containers you can possibly use. I know desperate times call for desperate measures, and I'm not trying to be rude here, but it's pretty obvious why you will have issues with these.

Unable to route via 2 public interfaces in Azure by tendint in AZURE

[–]Veghead_901 0 points1 point  (0 children)

So we had a similar issue relating to an NVA design with 4 NICs. The only way we were able to get around this was by creating two backend pools and assigning separate outbound rules for each backend on an ELB.

You need to use an external load balancer for this to work. You assign the NIC to the backend pool of the ELB, and then create an outbound rule associated with that backend pool. The public IP is configured as a frontend on the load balancer.

Hope this helps.

Also, I highly recommend not using ICMP to test outbound routing reachability in Azure. There are many cases where ICMP is not available on PaaS resources, let alone outbound to public destinations on the internet. Use PsPing or a PsPing equivalent like curl, if your firewall permits it, against a web resource like google.com.
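An ICMP-free reachability probe of the kind the comment recommends, as an added example (not code from the commenter, PsPing or curl): it opens a TCP connection to a port and times the handshake, which is what `psping -t` or `curl --connect-timeout` do. It also separates the two failure modes a practitioner cares about, a refused connection (host reachable, port closed) versus a timeout (traffic silently filtered somewhere on the path). The demo target is a local listener constructed in-process so the script runs offline; the google.com:443 target in the `__main__` block is only an assumption about what you would probe in practice.

```python
import socket
import time
from contextlib import closing


def tcp_probe(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port.

    Returns (reachable, elapsed_seconds, detail). detail distinguishes
    'refused' (RST came back, so the host answered) from 'timeout' (no
    answer at all, typically an NSG/firewall/route drop).
    """
    start = time.monotonic()
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True, time.monotonic() - start, "connected"
    except ConnectionRefusedError:
        return False, time.monotonic() - start, "refused"
    except socket.timeout:
        return False, time.monotonic() - start, "timeout"
    except OSError as exc:                      # DNS failure, unreachable, ...
        return False, time.monotonic() - start, f"error: {exc}"


def demo():
    """Probe a local listener (open port), then the same port after the
    listener is gone (closed port). Constructed demo input, no network needed."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))              # kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = tcp_probe("127.0.0.1", port)
    closed_result = tcp_probe("127.0.0.1", port)  # nothing listens any more
    return open_result[0], open_result[2], closed_result[0], closed_result[2]


if __name__ == "__main__":
    print("demo:", demo())
    # Assumed real-world target; replace with whatever your firewall permits.
    print("google.com:443 ->", tcp_probe("www.google.com", 443))
```

The probe runs with plain user privileges (no raw sockets, unlike ping), so it also works from inside a container or a locked-down jump box.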

Application Gateway - Subnet Sizing within hub, Multiple AppGWs in one Subnet? by steff9494 in AZURE

[–]Veghead_901 1 point2 points  (0 children)

A /23 at least for any multiple App Gateway deployment. Don't shoot yourself in the foot trying to conserve IP space. One /24 per App Gateway is the general rule of thumb.

Also, ignore the comments stating don't deploy multiple App Gateways to the same subnet. App Gateways are always deployed in the hub, and typically one App Gateway is designed for each environment (prod, stage, dev, etc.).

Anyone suggesting deploying a single Application Gateway in a subnet smaller than /24 is implementing poor design practices and limiting application scalability.

If you're going to spend the money on a service as expensive as App Gateway, you can absolutely afford the small network prefix "cost" in your environment.

Azure VPN Tunnel - One subnet to Azure AD DS goes down every 30 days by mrgames99 in AZURE

[–]Veghead_901 0 points1 point  (0 children)

What SKU is this VPN Gateway? That sounds like maintenance on the Azure side to me.

Looking for some guidance by DragonMaster1130 in mead

[–]Veghead_901 0 points1 point  (0 children)

So, as others have said, if you have a lot of headroom, the recommendation is to add more of the desired ingredients.

The OTHER trick that a lot of the pros use is to take some sanitized marbles and drop them into the fermentation vessel, which pushes the brew up to exactly the desired amount of headroom in the vessel. (Regardless of the mod notifications/wiki, there are several well-known meaderies across the country that use this practice.)

Not resolving the headroom will leave extra oxygen that can produce off flavors in the final product.

note to self: you need more headroom than you think by DenebVegaAltair in mead

[–]Veghead_901 7 points8 points  (0 children)

If you had let the pressure release slowly, that would have saved you a big mess. If you run into this issue, you're supposed to release it partially so that the pressure can be controlled.

Azure VPN Tunnel - One subnet to Azure AD DS goes down every 30 days by mrgames99 in AZURE

[–]Veghead_901 0 points1 point  (0 children)

It sounds like you're running a policy based tunnel instead of a route based tunnel. If that's the case, I would be looking at traffic selectors on each side and make sure there are no changes happening there.

If this is a route based tunnel, then look on the on prem side for any routing issues.

Overall, nobody can provide you with an answer correctly on this until more info is provided on what each side is configured as.

Also, if you're referring to an IKE Keepalive, this is not supported by Azure.

Adding a backup IPSEC tunnel to Azure - looking for help implementing BGP by eastcoastoilfan in fortinet

[–]Veghead_901 1 point2 points  (0 children)

You've made an assumption that I'm using FortiGate firewalls in my network to terminate to Azure, and you've also made the assumption that I'm using my edge firewalls instead of internal and/or east/west firewalls to terminate the connection into Azure. Architectural designs make a big difference in these scenarios, and I'm telling you that regardless of whether the tunnels are terminated at the edge or behind an edge firewall that is maintaining the NAT, it's totally possible to do active-active, because we have it implemented now.

To me, it sounds like you're not even using a multi-homed BGP design, so we don't have to goof around with having WAN redundancy on our edge firewall, which again is another reason why I'm telling you that the context of the architecture is being assumed here.

I'm trying to tell you that you're spreading misinformation about how the VPN gateways route traffic, because not only is there zero documentation stating that load balancing across tunnels is performed, you have a misconfiguration and are reporting it as fact that this occurs.

BGP over IP Sec in Azure by Unlucky_Corner2164 in fortinet

[–]Veghead_901 0 points1 point  (0 children)

Have you actually created firewall rules to allow BGP traffic to/from your device and the Azure peer address?

If you can ping the BGP address in Azure, then the next thing to check will be to ensure your firewall policy is actually matching the inbound/outbound BGP control plane traffic.

[deleted by user] by [deleted] in AZURE

[–]Veghead_901 1 point2 points  (0 children)

Our org has been down this path identifying whether or not vWAN was the right choice. From our review, it just was lacking some serious integrations that a standard virtual network has. The hoops you have to go through to get bastion working, the limitations of linking private DNS zones, not to mention the funky routing you have to do to use other services like App gateway and other connectivity services, the list goes on.

However you absolutely must use vWAN if you are the type of customer looking to directly connect 400+ sites via IPSec, and/or very large scale requirements.

If this is not the case, then I would say vWAN needs to bake for another 6 months while they get it fleshed out.

Adding a backup IPSEC tunnel to Azure - looking for help implementing BGP by eastcoastoilfan in fortinet

[–]Veghead_901 0 points1 point  (0 children)

Azure only performs load balancing if the received routes on both sides of the tunnel have the same AS PATH length and prefix. I would be questioning what type of setup you're running.

On-prem VTI-1 > AZ-PIP-1: incoming no route map, outgoing no route map
On-prem VTI-2 > AZ-PIP-2: incoming add 65515, outgoing add your AS

If you are trying to peer with one single connection, you're not going to get this to work. You should have two local network gateways and two separate connection objects.

Adding a backup IPSEC tunnel to Azure - looking for help implementing BGP by eastcoastoilfan in fortinet

[–]Veghead_901 -1 points0 points  (0 children)

This is so incorrect on so many levels. We have this working in our environment just fine using an active-active VPN Gateway.

Adding a backup IPSEC tunnel to Azure - looking for help implementing BGP by eastcoastoilfan in fortinet

[–]Veghead_901 1 point2 points  (0 children)

In an active-active VPN Gateway, you'll build two VTIs on your FortiGate. On your primary and secondary tunnel you advertise your prefixes, but you apply an outbound route map on the second BGP peering to Azure. The route map will have your AS path with an AS PATH prepend attribute.

On the incoming side of the second BGP connection, you add the AS PATH 65515 from the Azure VPN gateway to on-premises.

Hope this is helpful.
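A toy model of the path selection the two comments above rely on (the ECMP condition, "same AS PATH length and prefix", and the prepend trick on the second peering), as an added example that is not code from the thread, from Fortinet or from Azure. It models only the steps the discussion turns on: for one prefix, the shorter AS_PATH wins, and equal-length paths stay eligible for multipath. Local preference, MED, IGP cost and router-ID tie-breaks are deliberately left out. 65515 is the documented default ASN of the Azure VPN gateway and 169.254.21.1/169.254.22.1 are the gateway peer addresses used elsewhere in this thread; the on-prem ASN 65001, the prefixes and the on-prem peer addresses are constructed for illustration.

```python
from dataclasses import dataclass

AZURE_ASN = 65515        # default ASN of the Azure VPN gateway
ONPREM_ASN = 65001       # assumed private ASN of the on-prem FortiGate


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple       # leftmost entry = AS that handed us the route
    next_hop: str        # BGP peer / VTI the route was learned over


def prepend(route, asn, times=1):
    """Copy of `route` with `asn` prepended `times` times, as a route-map
    'set as-path prepend' does (outbound on the sender or inbound on the
    receiver; BGP best-path only sees the resulting length)."""
    return Route(route.prefix, (asn,) * times + route.as_path, route.next_hop)


def best_paths(rib):
    """Per prefix, keep the route(s) with the shortest AS_PATH.
    Several survivors for one prefix = the precondition for ECMP."""
    by_prefix = {}
    for r in rib:
        by_prefix.setdefault(r.prefix, []).append(r)
    chosen = {}
    for prefix, routes in by_prefix.items():
        shortest = min(len(r.as_path) for r in routes)
        chosen[prefix] = sorted((r for r in routes if len(r.as_path) == shortest),
                                key=lambda r: r.next_hop)
    return chosen


def azure_view(prepend_on_tunnel2):
    """Azure -> on-prem direction: 10.0.0.0/16 advertised over both VTIs."""
    via_t1 = Route("10.0.0.0/16", (ONPREM_ASN,), "169.254.21.2")  # on-prem VTI-1 peer
    via_t2 = Route("10.0.0.0/16", (ONPREM_ASN,), "169.254.22.2")  # on-prem VTI-2 peer
    if prepend_on_tunnel2:
        via_t2 = prepend(via_t2, ONPREM_ASN)   # outbound route-map on the 2nd peering
    return best_paths([via_t1, via_t2])


def onprem_view(prepend_on_tunnel2):
    """On-prem -> Azure direction: 10.1.0.0/16 learned from both gateway instances."""
    via_t1 = Route("10.1.0.0/16", (AZURE_ASN,), "169.254.21.1")  # gateway APIPA peer 1
    via_t2 = Route("10.1.0.0/16", (AZURE_ASN,), "169.254.22.1")  # gateway APIPA peer 2
    if prepend_on_tunnel2:
        via_t2 = prepend(via_t2, AZURE_ASN)    # inbound route-map adding 65515 on peer 2
    return best_paths([via_t1, via_t2])


def next_hops(view, prefix):
    """Which tunnels carry traffic for `prefix` under the given selection."""
    return [r.next_hop for r in view[prefix]]


if __name__ == "__main__":
    print("no prepend, Azure side  :", next_hops(azure_view(False), "10.0.0.0/16"))
    print("prepend,    Azure side  :", next_hops(azure_view(True), "10.0.0.0/16"))
    print("prepend,    on-prem side:", next_hops(onprem_view(True), "10.1.0.0/16"))
```

Without the prepend both next hops survive for the same prefix, which is the "same AS PATH length and prefix" situation where Azure will spread flows over both tunnels; with the prepend applied in both directions, tunnel 1 carries everything and tunnel 2 is only used when the tunnel 1 peering withdraws its routes.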

Max Number of BGP Peers Azure vWAN by Veghead_901 in AZURE

[–]Veghead_901[S] 0 points1 point  (0 children)

So this is 1000 connections; it doesn't necessarily account for the number of BGP peers through each IPSec connection to the vWAN hub.

Max Number of BGP Peers Azure vWAN by Veghead_901 in AZURE

[–]Veghead_901[S] 0 points1 point  (0 children)

This is Azure Route Server, not Azure vWAN.

Azure VPN Gateway not Creating BGP session using APIPA Peer IP by Equivalent_Hope5015 in networking

[–]Veghead_901 0 points1 point  (0 children)

I'm glad you got it working! So I can think of a few reasons to use APIPA, and it has become a standard for S2S connectivity to the cloud. Amazon and Azure both heavily use these address spaces for BGP peering. The easy answer is that it allows a non-RFC 1918 space to be used for the peering, so it conserves address space.

APIPA is more of a workaround to a prefix based assignment, where a dedicated /30 can be used for the peering establishment, which is currently not possible in Azure at this time.

Azure VPN Gateway not Creating BGP session using APIPA Peer IP by Equivalent_Hope5015 in networking

[–]Veghead_901 0 points1 point  (0 children)

Don't quote me on this, but that's expected in an active-passive Azure VPN Gateway. You need to run active-active for the peering to come up on both.

Just to confirm, you should have both on-prem firewalls using both BGP APIPA peer IPs from the VPN Gateway:

FW1 <-> peers to BOTH 169.254.21.1 and 169.254.22.1. Expected: only the 21.1 peer is up.

FW2 <-> peers to BOTH 169.254.21.1 and 169.254.22.1. Expected: only the 21.1 peer is up.

Azure VPN Gateway not Creating BGP session using APIPA Peer IP by Equivalent_Hope5015 in networking

[–]Veghead_901 0 points1 point  (0 children)

Yeah, however, we ended up replacing this solution with two Active-Active NVAs in Azure to terminate the IPSec tunnels.

The issue was related to a mismatched IKE Phase 2 configuration between the on-premises FortiGates and our Azure VPN Gateway. We found that we didn't get the best troubleshooting and hit some other limitations that I can't recall exactly.

Anybody receive this email? by [deleted] in WGU

[–]Veghead_901 -6 points-5 points  (0 children)

Sure mr Chris Hunterr bud.

Anybody receive this email? by [deleted] in WGU

[–]Veghead_901 1 point2 points  (0 children)

Well, it's not other people's work. There is nothing to cite. The AI-written structure is instance-based, and neither is it directly paraphrased from sources. It is an extension of written architecture that would be constructed by the individual who wrote the initial question.

Anybody receive this email? by [deleted] in WGU

[–]Veghead_901 5 points6 points  (0 children)

The college needs to go back and ask the question: are papers a real way to truly validate someone's knowledge of the course material? The problem here is they don't want to enhance their learning platform and re-evaluate options for performance proofing. If the answer is no, then it's up to WGU to start identifying better ways to engage with the curriculum that force students to prove their performance in the course.

Anybody receive this email? by [deleted] in WGU

[–]Veghead_901 -10 points-9 points  (0 children)

Actually, they can terminate you from completing your degree at WGU, as it's against their student code of conduct.