Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

  • An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI – Part 2

    This is the second part of a three-part series about “An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI”. -> https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-1/ We will focus today on how to enable Cilium native routing with WireGuard Transparent Encryption on Azure Kubernetes Service BYOCNI. Enable Cilium native routing with WireGuard Transparent Encryption In this example,…

  • An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI – Part 1

    This is the first part of a three-part series about “An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI”. Cilium supports two routing modes, encapsulation and native routing. Due to its versatility of not depending on the underlying network, the encapsulation, also called tunneling, mode is the default one for most Cilium…

  • Use Azure Log Alerts with Azure Data Explorer

    Since July 2024, the Azure Log Alerts support for Azure Data Explorer is generally available, and you might be familiar with log alerts already by using them with Log Analytics or Application Insights. -> https://azure.microsoft.com/en-us/updates/?id=log-alerts-for-azure-data-explorer Hence, we will focus on specific configuration best practices and a hidden gem that allows you to easily write your…

  • Azure Data Explorer network access restrictions

    Azure Data Explorer offers several configuration options to restrict the network access to and from an Azure Data Explorer cluster. -> https://learn.microsoft.com/en-us/azure/data-explorer/security-network-restrict-public-access -> https://learn.microsoft.com/en-us/azure/data-explorer/security-network-restrict-outbound-access Today, we look into the options that still allow us to reach the Azure Data Explorer from the outside world and prevent data exfiltration by restricting the outbound access. Prevent data…

  • Use node initialization taints on Azure Kubernetes Service with Cilium

    On an Azure Kubernetes Service cluster with Bring Your Own Container Network Interface (BYOCNI) using Cilium, you could not use Cilium’s agent-not-ready taint functionality. -> https://docs.cilium.io/en/stable/installation/taints/ The reason for that is that the Azure control plane blocks add/remove operations on taints via the Kubernetes API. You have to remove taints via the Azure Kubernetes Service…

  • Cilium’s new Hubble flow policy log field

    Cilium in version 1.18 introduced a new useful feature called “policy log field” for Hubble flows. -> https://isovalent.com/blog/post/cilium-1-18/#hubble-flow-policy-log-field This feature provides additional possibilities for further insights/checks on which network policy was applied to a network flow. We have a look at how to configure the policy log field and what a Hubble flow looks like…
