Nutshell Series

🛑️ Setting Up a DMZ in Azure: Approaches & Best Practices

A DMZ (Demilitarized Zone) in Azure is a network security boundary where incoming and outgoing internet traffic is inspected and controlled before reaching backend workloads. Unlike on-premises, Azure provides multiple virtualized patterns to achieve the same security principles.


1. DMZ with Azure Firewall (Recommended)

  • Place an Azure Firewall in a Hub VNet (DMZ subnet).
  • All inbound/outbound traffic flows through the firewall.
  • Use DNAT for inbound internet traffic (public IP → private workload).
  • Use SNAT for outbound traffic to hide internal IPs.
  • Combine with Application Gateway (WAF) for L7 protection.

Use case: Centralized security, enterprise landing zones, compliance-heavy apps.


2. DMZ with Network Virtual Appliances (NVA)

  • Deploy third-party firewalls (Fortinet, Palo Alto, Check Point, Cisco ASA) in a DMZ subnet.
  • NVAs provide advanced features like IPS/IDS and SSL/TLS inspection.
  • Route internet traffic → NVA → internal VNets.
  • Requires high availability setup (at least 2 NVAs).

Use case: Enterprises with existing firewall vendor lock-in or advanced packet inspection needs.


3. DMZ using Application Gateway + WAF

  • Use Azure Application Gateway (AGW) with WAF as the public-facing endpoint.
  • Only web workloads (HTTP/HTTPS) are exposed.
  • AGW forwards traffic to backend workloads in private VNets.
  • Can be combined with Azure Firewall for layered security.

Use case: Web applications needing L7 security and SSL offloading.


4. DMZ with Bastion Host for Admin Access

  • Use Azure Bastion instead of exposing RDP/SSH via public IPs.
  • Admins connect securely through the Azure Portal over TLS.
  • No inbound ports (22/3389) exposed to the internet.

Use case: Secure administration of VMs without VPN.


5. DMZ in Hub-and-Spoke Architecture

  • Hub VNet = DMZ containing Azure Firewall, Bastion, VPN/ExpressRoute Gateway.
  • Spoke VNets = Workloads such as apps, databases, and services.
  • Internet and on-prem traffic always flows through the Hub (DMZ).

Use case: Enterprise-scale setups with centralized governance.


6. DMZ with Azure Front Door + WAF

  • Use Azure Front Door (AFD) as the global edge entry point.
  • Provides DDoS protection, WAF, SSL offloading, and global load balancing.
  • AFD forwards traffic → App Gateway/Azure Firewall → backend workloads.

Use case: Global apps needing low latency, DDoS protection, and CDN caching.


🔒 Best Practices for Azure DMZ

  • Enable Azure DDoS Protection on the VNet hosting the DMZ.
  • Use NSGs (Network Security Groups) for subnet-level filtering.
  • Apply User Defined Routes (UDRs) to force traffic through Firewall/NVA.
  • Keep the DMZ in its own subnet, separate from workloads.
  • Log all DMZ traffic to Azure Monitor / Sentinel for auditing.
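As an added example (not part of the original post), this Bicep fragment wires a spoke workload subnet into the hub DMZ pattern described above: a UDR that forces 0.0.0.0/0 through the hub firewall, and an NSG that denies 22/3389 from the Internet tag while allowing them only from the Bastion subnet. The firewall private IP, the Bastion subnet prefix and the address ranges are assumed placeholder values.

```bicep
// Added example (not from the original post): a spoke workload subnet wired into the DMZ hub.
// Assumed placeholders: the hub firewall's private IP, the Bastion subnet prefix, address ranges.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'      // hub Azure Firewall private IP (assumed)
param bastionSubnetPrefix string = '10.0.2.0/26'  // hub AzureBastionSubnet prefix (assumed)

// UDR: 0.0.0.0/0 -> firewall (VirtualAppliance next hop), so egress is filtered and SNATed
// in the DMZ. BGP propagation is disabled so learned on-prem routes cannot bypass the firewall.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-via-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'default-to-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// NSG: 22/3389 from the 'Internet' service tag is denied first (priority 100) so a broader
// Allow rule added later with a higher number cannot expose them; Bastion subnet is allowed.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-spoke-workload'
  location: location
  properties: {
    securityRules: [
      { name: 'deny-mgmt-from-internet', properties: { priority: 100, direction: 'Inbound', access: 'Deny', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
      { name: 'allow-mgmt-from-bastion', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionSubnetPrefix, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
    ]
  }
}

// Spoke VNet: the workload subnet is bound to both the UDR and the NSG.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: '10.1.1.0/24'
          routeTable: { id: rt.id }
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}
```

The spoke still needs VNet peering to the hub (with forwarded traffic allowed) for the firewall next hop to be reachable; that peering is omitted here.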

✅ Summary

  • Modern cloud-native apps: Azure Firewall + Application Gateway (WAF).
  • Web-only apps: Application Gateway WAF or Front Door WAF.
  • Legacy lift-and-shift: NVAs replicate on-prem firewall policies.
  • Enterprise landing zones: Hub-and-Spoke with DMZ hub.

☁️ Cloud Migration Strategies in a Nutshell


Thinking about moving to the cloud? There’s more than one way to get there. Each migration approach has its own pros, cons, and ideal use cases. In this post, we’ll break down six major cloud migration strategies that organizations use to transition smoothly and smartly.


🧱 1. Lift and Shift (Rehost)

Move it as-is. This strategy involves migrating your existing apps to the cloud without any code changes.

  • ✅ Fastest method
  • ✅ No code changes
  • ❌ Doesn’t leverage cloud-native benefits
  • Best for: Legacy apps or fast migrations

🛠️ 2. Replatform

Tweak a little. Make minor changes to use managed cloud services (like migrating from on-prem SQL Server to Azure SQL Database).

  • ✅ Better performance
  • ✅ Less maintenance
  • ❌ Still not fully cloud-native
  • Best for: Apps needing light optimization

🔁 3. Refactor (Re-architect)

Redesign for the cloud. This involves reworking app architecture to use microservices, containers, or serverless technologies.

  • ✅ Maximum scalability and cloud benefits
  • ✅ Future-proof architecture
  • ❌ Higher cost and complexity
  • Best for: Strategic modernization of core systems

πŸ›οΈ 4. Repurchase

Buy new (SaaS). Replace your existing app with a SaaS solution, like moving to Salesforce or Microsoft 365.

  • ✅ Low maintenance
  • ✅ Fastest implementation
  • ❌ Limited customizability
  • Best for: Standard tools like CRM, HR, or Email

🗑️ 5. Retire

Let it go. Identify and decommission apps that are no longer used or necessary.

  • ✅ Saves cost
  • ✅ Reduces system clutter
  • ❌ Risk of dependencies
  • Best for: Obsolete or duplicate applications

⏳ 6. Retain

Keep it on-prem for now. Retain certain applications that are not ready for the cloud due to business or technical constraints.

  • ✅ Safe for sensitive workloads
  • ❌ Misses out on cloud benefits
  • Best for: Apps with regulatory or latency concerns

📊 Quick Comparison Table

| Strategy | Code Change | Speed | Cloud Benefits | Best For |
|---|---|---|---|---|
| Lift & Shift | ❌ None | 🟢 Fast | 🔴 Low | Legacy/Quick Wins |
| Replatform | ⚠️ Minor | 🟡 Medium | 🟡 Partial | Light Optimization |
| Refactor | ✅ High | 🔴 Slow | 🟢 Full | Strategic Modernization |
| Repurchase | ❌ None | 🟢 Fast | 🟢 Full (SaaS) | Commodity Tools |
| Retire | ❌ N/A | 🟢 Fast | 🔴 N/A | Unused Systems |
| Retain | ❌ N/A | N/A | 🔴 None | Critical On-Prem Apps |

AWS vs Azure vs GCP

AWS (Amazon Web Services) vs Azure (Microsoft) vs GCP (Google Cloud Platform) – A Quick Comparison of the main services

Storage

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Object storage | For storing any files you regularly use | Simple Storage Service (S3) | Blob Storage | Cloud Storage Buckets |
| Archive storage | Low cost (but slower) storage for rarely used files | S3 Glacier Instant, Glacier Flexible, Glacier Deep Archive tiers | Blob Cool/Cold/Archive tiers | Cloud Storage Nearline, Coldline, Archive tiers |
| File storage | For storing files needing hierarchical organization | Elastic File System (EFS), FSx | Avere vFXT, Files | Filestore |
| Block storage | For storing groups of related files | Elastic Block Storage | Disk Storage | Persistent Disk |
| Hybrid storage | Move files between on-prem & cloud | Storage Gateway | StorSimple, Migrate | Storage Transfer Service |
| Edge/offline storage | Move offline data to the cloud | Snowball | Data Box | Transfer Appliance |
| Backup | Prevent data loss | Backup | Backup | Backup and Disaster Recovery |

Database

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Relational DB management | Standard SQL DB (PostgreSQL, MySQL, SQL Server, etc.) | Relational Database Service (RDS), Aurora | SQL, SQL Database | Cloud SQL, Cloud Spanner |
| NoSQL: Key-value | Redis-like DBs for semi-structured data | DynamoDB | Cosmos DB, Table storage | Cloud Bigtable, Firestore |
| NoSQL: Document | MongoDB/CouchDB-like DBs for hierarchical JSON data | DocumentDB | Cosmos DB | Firestore, Firebase Realtime Database |
| NoSQL: Column store | Cassandra/HBase-like DBs for structured hierarchical data | Keyspaces | Cosmos DB | Cloud Bigtable |
| NoSQL: Graph | Neo4j-like DBs for connected data | Neptune | N/A | N/A |
| Caching | Redis/Memcached-like memory for calculations | ElastiCache | Cache for Redis, HPC Cache | Memorystore |
| Time Series DB | DB tuned for time series data | Timestream | Time Series Insights | Cloud Bigtable |
| Blockchain | Dogecoin, etc. | Managed Blockchain | Blockchain Service, Blockchain Workbench, Confidential Ledger | N/A |

Compute

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Virtual machines | Software-emulated computers | Elastic Compute Cloud (EC2) | Virtual Machines | Compute Engine |
| Spot virtual machines | Cost-effective VMs | EC2 Spot Instances | Spot Virtual Machines | Spot VMs |
| Autoscaling | Adjust resources to match demand | EC2 Auto Scaling | Virtual Machine Scale Sets | Instance Groups |
| Functions as a service (serverless computing) | Execute code chunks without worrying about infrastructure | Lambda | Functions | Cloud Functions |
| Platform as a service | Manage applications without worrying about infrastructure | Elastic Beanstalk, Red Hat OpenShift on AWS | App Service, Cloud Services, Spring Cloud, Red Hat OpenShift | App Engine |
| Batch scheduling | Run code at specified times | Batch | Batch | Batch, Cloud Scheduler |
| Isolated servers | VM on your own machine, for high security | Dedicated Instances | Dedicated Host | Sole-tenant Nodes, Shielded VMs |
| On-premise/Edge devices | Cloud services on your own hardware | Outposts, Snow Family | Modular Datacenter, Stack Hub, Stack HCI, Stack Edge | N/A |
| Quantum computing | Determine if cat is alive or dead | Braket | Quantum | N/A |

Analytics

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Data Warehouse | Centralized platform for all your data | Redshift | Synapse Analytics | BigQuery |
| Big data platform | Run Spark, Hadoop, Hive, Presto, etc. | EMR | Data Explorer, HDInsight | Dataproc |
| Business analytics | Dashboards and visualization | Quicksight, FinSpace | Power BI Embedded, Graph Data Connect | Looker, Looker Studio, Vertex AI Workbench |
| Real-time analytics | Streaming data analytics | Kinesis Data Analytics, Kinesis Data Streams, Managed Streaming for Kafka | Stream Analytics, Event Hubs | Dataflow, Pub/Sub, Datastream |
| Extract-Transform-Load (ETL) | Preprocessing and importing data | Glue, Kinesis Data Firehose, SageMaker Data Wrangler | Data Factory | Data Fusion, Dataflow, Dataproc, Dataprep by Trifacta |
| Workflow orchestration | Build data and model pipelines | Data Pipeline, Managed Workflows for Airflow | Data Factory | Cloud Composer |
| Data lake creation | Import data into a lake | Lake Formation | Data Share | Cloud Storage |
| Managed search | Enterprise search | CloudSearch, OpenSearch Service, Kendra | Cognitive Search | Cloud Search |
| Data Catalog | Metadata management | Glue Data Catalog | Purview, Data Explorer | Data Catalog |

ML & AI

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Machine Learning | Train, fit, validate, and deploy ML models | SageMaker | Machine Learning | Vertex AI |
| Jupyter notebooks | Write data analyses and reports | SageMaker Notebooks | Notebooks | Colab |
| Data science/machine learning VM | Virtual machines tailored to data work | Deep Learning AMIs | Data Science Virtual Machines | Deep Learning VM |
| AutoML | Automatically build ML models | SageMaker | Machine Learning Studio, Automated ML | Vertex AI Workbench |
| Natural language processing AI | Analyze text data | Comprehend | Text Analytics | Natural Language AI |
| Recommendation AI | Product recommendation engine | Personalize | Personalizer | Recommendations AI |
| Document capture | Extract text from printed text & handwriting | Textract | Form Recognizer | Document AI |
| Computer vision | Image classification, object detection & other AI with image data | Rekognition, Panorama, Lookout for Vision | Cognitive Services for Vision | Vision AI |
| Speech to text | Speech transcription | Transcribe | Cognitive Services for Speech to Text, Cognitive Services for Speaker Recognition | Speech-to-Text |
| Text to speech | Speech generation | Polly | Cognitive Services for Text to Speech | Text-to-Speech |
| Translation AI | Convert text between human languages | Translate | Cognitive Services for Speech Translation, Translator | Translation AI |
| Video Intelligence | Video indexing and asset search | Rekognition Video | Video Indexer | Video Intelligence API |
| AI agents | Virtual assistants and chatbots | Lex, Alexa Skills Kit | Bot Service, Cognitive Services for Conversational Language Understanding | Dialogflow |
| Human-in-the-loop | Human-based quality control for AI | Augmented AI (A2I) | Cognitive Services Content Monitor | N/A |

Networking & Content Delivery

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Content delivery network | Serve content to users | CloudFront | Content Delivery Network | Cloud CDN and Media CDN |
| Application Programming Interface (API) management | Build and deploy APIs | API Gateway | API Apps, API Management | Apigee API Management |
| Domain Name System (DNS) | Route end users to applications | Route 53 | DNS | Cloud DNS |
| Load balancing | Distribute work evenly across machines | Elastic Load Balancing (ELB) | Application Gateway, Load Balancer, Traffic Manager | Cloud Load Balancing |

Containers

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Managed containers | Run and deploy containers | Elastic Kubernetes Service, Elastic Container Service | Kubernetes Service, Container Apps | Kubernetes Engine |
| Container registration | Manage container images | Elastic Container Registry | Container Registry | Artifact Registry |

Management & Security, Identity

| Service type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Access management | User permissions and authentication | Identity and Access Management (IAM) | Entra ID | Cloud Identity |
| Activity tracking | Track user activity | CloudTrail | Monitor Activity Log | Access Transparency and Access Approval |
| Security | Protect your data, network and applications | Security Hub | Security | Security Command Center |
| Monitoring | Monitor network traffic and detect anomalies | CloudWatch, Transit Gateway Network Manager | Monitor, Anomaly Detector | Operations, Network Intelligence Center |
| Automation | Perform processes automatically | OpsWorks | Automation | Compute Engine Management |
| Cost optimization | Reduce your cloud spend | Cost Optimization | Cost Management | Recommender |

Integration

| Feature / Service | Azure Integration Services | AWS | GCP |
|---|---|---|---|
| Primary Integration Services | Logic Apps, API Management, Service Bus, Event Grid | Step Functions, API Gateway, EventBridge, SNS, SQS | Cloud Functions, Apigee API Management, Pub/Sub, Cloud Tasks |
| Workflow Automation | Logic Apps | Step Functions | Workflows |
| API Management | API Management | API Gateway | Apigee |
| Event-Driven Architecture | Event Grid | EventBridge | Pub/Sub |
| Messaging & Queues | Service Bus | SQS & SNS | Cloud Pub/Sub |
| Serverless Functions | Azure Functions | AWS Lambda | Cloud Functions |
| Hybrid & On-Premises Connectivity | On-Premises Data Gateway | AWS Direct Connect | Cloud Interconnect |
| B2B & EDI Integration | Integration Account for Logic Apps | AWS Transfer Family (SFTP, FTPS, FTP) | Cloud Storage & Partner Solutions (no native EDI support) |
| Monitoring & Observability | Azure Monitor, Application Insights | Amazon CloudWatch, AWS X-Ray | Cloud Operations (Stackdriver) |
| Security & Compliance | Azure Security Center, Key Vault | AWS IAM, AWS KMS, AWS Shield | Google IAM, Security Command Center |
| Pricing Model | Azure Pricing (Logic Apps per execution, API Management tier-based) | AWS Pricing (API Gateway per million requests, Lambda per invocation) | GCP Pricing (Cloud Functions per execution, Pub/Sub per message) |