Dynatrace: Monitor your Aviatrix Environment

in Linux

Table of Contents

Description

If you landed here then you must have searched for examples about how you can get Dynatrace to work with Aviatrix.

Worry not…I also searched for those as I’m a pretty lazy person and prefer not to reinvent the wheel if I can avoid it.

I found a VSCode dynatrace plugin that makes things easier but then no premade examples so I went out to try Chat GPT / Gemini AI.

I lost 1h thinking that AI is the holy grail which will save me time and I was proven wrong.

Not a single line of code from it worked. I just ended up being frustrated.

See below what I came up with and how…

Also, to avoid confusion between VSCode and Dynatrace I call:

  • plugin the Dynatrace VSCode extension itself (which enables you to write Dynatrace Portal Extensions)
  • extension the Dynatrace extensions that get uploaded to their service and are used for gathering metrics and setting up Dynatrace-Aviatrix monitoring

Continue reading

AWS Firewall: je ne sais quoi

in Cloud

Table of Contents

Description

Last week I got asked by a customer what I think about the AWS Firewall and if it would be wise for him to implement it in his environment.
I browsed fast through the various tech documents about it, got initially confused and realised that this is not one of those topics that I was going to understand fast and move on.

I invested more time into it, started reading about rule groups, stateless, statefull rules and … I needed a break. There was surely no quick answer in sight.

Going into the topic even deeper I reached the proverbial French saying “je ne sais quoi”.

Would I implement this firewall in my own environment ?

Maybe
Then again I’m a perfectionist, always afraid of failing…

I tend to find limitations, restrictions, imperfections and get easily disappointed.

If you want to learn I invite you to join me in this journey :)

Continue reading

Burp: When Terraform just does not cut it

in Linux

Table of Contents

Description

Each time I visit a potentially new customer, there’s always that moment after a sip of coffee, after a few whiteboarding events and heated technical discussions when the following question pops up:


“How do you manage this Multicloud environment ?”
“Isn’t this complex for my Operations Team ?"


If you had asked me this 5-6 years ago…I would have probably said yes.
I was there jumping into action, incidents in the middle of the night, pager alarms and zombie eyes after 4-5h of sleep and the rollercoaster just kept going.

The daily struggle to reduce configuration and administration headaches was something real. I used Bash scripts, Python, Ruby, a mix of various vendor tools and still lost a lot of time investigating each time what went wrong.


This is where in the last few years Terraform has come to the rescue and has provided a consistent way of defining infrastructure while at the same time making tracking of changes easy

(hint: Github/Gitlab + a CI/CD pipeline).


Sounds like a dream come true, right ? Not if you're restless like me and always want to see what's under the hood...

Continue reading

SSL Certs: Create own CA + cert for S2S VPN auth - RSA and ECDSA

in Linux

Table of Contents

Description

I recently had to configure Strongswan with Certificate Authentication to a Checkpoint GW and got lost a bit in all the articles I could find about the openssl utility and how to generate a CA, CSRs, sign a certificate and so on.
I will summarize here the steps required for generating the CA/cert so that everything is in a single place.

I give an example with RSA and one with ECDSA.

The changes are minimal.

On the Checkpoint side I only had to import the CA from Strongswan side and configure it under the Public Key auth pertaining to the Network Interoperable Device (representation of 3rd party device Checkpoint wise).

Continue reading

MongoDB: Upgrade to 4.x breaks mmapv1 storage type

in Linux

Table of Contents

Description

I was using a custom solution running MongoDB in the Backend on Ubuntu 18.04 and recently decided to try out an

apt-get update
apt-get dist-upgrade

I got quickly reminded why doing such operations require a bit more planning ahead instead of the just do it way of thinking.

systemctl status mongod
● mongod.service loaded failed failed MongoDB Database Server

cat /var/log/mongodb/mongod.log

“ctx”:“initandlisten”,“msg”:“Storage engine to use detected by data files”,“attr”:{“dbpath”:"/var/lib/mongodb", Functions"storageEngine":“mmapv1”}}

Cannot start server with an unknown storage engine: mmapv1"}}

Luckily in IT, there’s always a solution for everything and a chance to reverse engineer what happened…

Continue reading

GCP: Functions - Connectivity, Security, Visibility with Aviatrix

in Cloud

Table of Contents

Description

A customer recently asked me about extending his existing Aviatrix environment from Azure to GCP.
This came with a small caveat.

In GCP he is using Functions.
One of those functions needs to:

  • reach a backend in Azure
  • be accessed from the Internet
  • be accessed by customers landing over Site2Cloud connections on Spokes

My initial lab setup for this scenario looked similar to this

Can you see the challenge here?
Wherever I would deploy a GCP function, it would just live outside the VPC by default.
I would NOT be able to control where traffic flows.
NOT able to easily apply various layers of security to it.
Have NO straightforward and consistent way to monitor what happens in real time and take measures in case I need to troubleshoot and fix its functionality.
I would be walking blind in the dark and get annoyed with the whole process.

For any challenge there is a solution :)
That’s the reason I chose to be a techie.

Continue reading

Azure: Ingress via Firenet with Palo

in Cloud

Table of Contents

Description

This will NOT be a 5 min reading article.
It will require more time but it will cover all areas of interest :)
Most importantly, at the end, your Setup will WORK.

Kudos to Adam, my colleague, who first tested this in his lab.
It served as a basis for both me and the customer later on.

To start things off, a little while back someone asked me how he can have:
Incoming Traffic from Outside -> Azure Aviatrix Environment with FW Inspection -> Spoke with his Application
and also Preserve the source IP address when it hits the FW Rules.

Why this ?

He wanted to use the real source IP for logging and filtering purposes on Aviatrix FireNet attached FWs.
Pretty understandable and reasonable.

He read our article from here:
Spoke Ingress with Application Gateway
He saw the Diagram:

but noticed that the Azure Application Gateway does SNAT and as such his Firenet Firewalls are not seeing the original User IP of the request.

One could argue that the X-Forwarded-For header added by the Azure Application Gateway can be used to preserve the original IP…

Do you see a corner case here ?
I for one did not at the beginning. I always rush through things.

What if your Application is NOT a WebApp and as such there is NO HTTP Header where to add the X-Forwarded-For to?

Continue reading

Author's picture

Mihai Tanasescu

All Rounder and Jack of all trades (master of none? :) ).
Sailing the Cloud world with my fantastic team@Aviatrix, former Network, Systems Engineer (Cisco, Juniper, Linux, Openshift, Openstack).
A flavor of Security added to the mix (Offensive Security OSCE).
If there’s anything new and cool, then I like to learn about it. I’m also a fan of deep diving under the hood of a product to see what makes it tick as well as what breaks it.

Solutions Architect @ Aviatrix

Switzerland