Designing Network Security To Combat Modern Threats
Aidan Finn, IT Pro
by AFinn
1M ago
In this post, I want to discuss how one should design network security in Microsoft Azure, dispensing with past patterns and combatting threats that are crippling businesses today. The Past Network security did not change much for a very long time. The classic network design is focused on an edge firewall. “All the bad guys are trying to penetrate our network from the Internet” so we’ll put up a very strong wall at the edge. With that approach, you’ll commonly find the “DMZ” network; a place where things like web proxies and DNS proxies isolate interior users and services from the Internet. Th ..read more
A Beginners Guide To The MVP Summit (2024)
Aidan Finn, IT Pro
by AFinn
1M ago
This is my updated post on providing information on what the MVP Summit is, what to expect, and some useful tips/tricks in the neighborhood. This is a big update on a post that I wrote in 2012. What’s an MVP? The MVP (Most Valuable Professional) award from Microsoft is exactly that – an award for expert community services relevant to products or services that Microsoft offers. Microsoft used to describe MVPs as: MVPs are independent experts who are offered a close connection with people at Microsoft. To acknowledge MVPs’ leadership and provide a platform to help support their efforts, Microso ..read more
Azure & Oracle Cloud Interconnect
Aidan Finn, IT Pro
by AFinn
2M ago
This post will explain how you can connect your Azure network(s) with Oracle Cloud Infrastructure (OCI) via the Oracle Cloud Interconnect. Background Many mid-large organisations run applications that are based on Oracle software. When these organisations move to the cloud, they may choose to use Oracle Cloud for their Oracle workloads and Azure for everything else. But that raises some interesting questions: How do we connect Azure workloads to Oracle workloads? If Oracle is hosting data services, how do we minimise latency? The answer is: The Oracle Cloud Interconnect (OCI). Microsoft doc ..read more
Your Hub VNet Should Have No Compute
Aidan Finn, IT Pro
by AFinn
3M ago
This post is going to explain why you should not be putting any compute into your hub VNet. Background I was looking at some Azure Landing Zones (reference architectures) from Microsoft before the end of 2023. I was shocked to see compute (VMs) being placed in the hub. Years ago, I learned that putting any kind of compute in the hub eventually leads to issues that are not obvious at first. I would have expected Microsoft to know better. I posted something on Twitter and LinkedIn. Sure, there were plenty of people that agreed with me. However, there were respondents from Microsoft and elsewhere ..read more
Getting Private Endpoints To WORK In The Real World
Aidan Finn, IT Pro
by AFinn
3M ago
In this Festive Tech Calendar post, I am going to explain how to get Private Endpoints working in the real world. Thank you to the team that runs Festive Tech Calendar every year for the work that they do and for raising funds for worthy causes. Private Endpoints When The Cloud was first envisioned, it was made a platform that didn’t really take network security seriously. The resources that developers want to use, Platform-as-a-Service (PaaS), were built to only have public endpoints. In the case of Microsoft Azure, if I deploy an App Service Plan, the compute that is provisioned for me share ..read more
The Digital Intern – Early Experience with Microsoft Copilot
Aidan Finn, IT Pro
by AFinn
5M ago
I will share my early experiences with Microsoft Copilot, the positives and negatives, clear up some false expectations, and explain why I think of Generative AI as a digital intern. What is Generative AI? The name gives it away. Generative AI generates or creates something from other known things. Examples are: DALL-E: Creating images, such as Bing Create Chat GPT: A text-based interface for finding things and generating text, such as the Copilot brand from Microsoft. Pre-Microsoft There are lots of brands out there but the one that’s grabbing most of the headlines is Open AI because of Cha ..read more
Default Outbound Access For VMs In Azure Will Be Retired
Aidan Finn, IT Pro
by AFinn
6M ago
Microsoft has announced that the default route, an implicit public IP address, is being deprecated 30 September 2025. Background Let’s define “Internet” for the purposes of this post. The Internet includes: The actual Internet. Azure services, such as Azure SQL or Azure’s KMS for Windows VMs, that are shared with a public endpoint (IP address). We have had ways to access those services, including: Public IP address associated with a NIC of the virtual machine Load Balancer with a public IP address with the virtual machine being a backend A NAT Gateway An appliance, such as a firewall NVA or ..read more
What is a Managed Private Endpoint?
Aidan Finn, IT Pro
by AFinn
6M ago
Something new appeared in recent times: the “Managed Private Endpoint”. What the heck is it? Why would I use it? How is it different from a “Private Endpoint”? Some Background As you are probably aware, most PaaS services in Azure have a public endpoint by default. So if I use a Storage Account or Azure SQL, they have a public interface. If I have some security or compliance concerns, I can either: Switch to a different resource type to solve the problem Use a Private Endpoint Private Endpoint is a way to interface with a PaaS resource from a subnet in a virtual network. The resource uses th ..read more
Azure Infrastructure Announcements – September 2023
Aidan Finn, IT Pro
by AFinn
6M ago
September is a month of storms. There appears to have been lots of activity in the Azure cloud last month too. Everyone working on Azure should pay attention to the PAY ATTENTION! section. PAY ATTENTION! Default outbound access for VMs in Azure will be retired— transition to a new method of internet access On 30 September 2025, default outbound access connectivity for virtual machines in Azure will be retired. After this date, all new VMs that require internet access will need to use explicit outbound connectivity methods such as Azure NAT Gateway, Azure Load Balancer outbound rules, or a dire ..read more
Experts Live Europe 2023
Aidan Finn, IT Pro
by AFinn
7M ago
I spoke at Experts Live Europe last week and this post is a report of my experience at this independently run tech conference. Experts Live I cannot claim to be a historian on Experts Live Europe (I’ll call it Experts Live after this) but it’s a brand that I’ve known of for years. Many of the MVPs (Microsoft Valuable Professionals) and community experts that I know have attended and presented at this conference for as long as it has been running. It started off as a System Center-focused event and evolved as Microsoft has done, transitioning to a cloud-focused conference covering M365 and Azur ..read more