Welcome to Agustín Hernán Borrajo's cloud consulting microsite!

 The main purpose of this site is to share my 20+ years of experience in Hybrid Cloud Infrastructure & Cybersecurity.
 A detailed description of concrete work experiences and skills can be found in my 2025 resume.
 You can explore and read my online technical articles by expanding the menu below:


 Infrastructure performance challenges on advanced hybrid cloud implementations

 Hybrid Cloud implementations eventually pose a high number of infrastructure interrelationships and dependencies.
 Due to the complexity of the topologies involved, different issues may arise around connectivity and session stability.
 Limitations on reachability between different network regions and backend services can affect the overall performance.
 The main challenges usually revolve around knowing where to look for the root cause of the WebApp performance degradation.
 A recommended practice is to have a set of smart questions that help cloud support analysts tackle service disruptions or slowness.
 The WebApp performance checklist below assumes integrations with on-premises devices, hybrid networks and proxy technologies:
 
 Is the inaccessible web app reported as unreachable when scanning with the Web Testing Tools (dynamic red button) in Online Web Testing Tools ?
   🟩 if the web app is expected to be accessible via public internet : global_dns_check > qualys_ssl_labs > cloudflare_radar > urlscan.io
 Does the inaccessible web app have an active/enabled azure front door integration in place in your azure subscription ? 
 Does the active azure front door show a frontend host ( *azurefd.net ) in the AFD overview section ?
   🟩  *azurefd.net is expected to give net::ERR_CERT_COMMON_NAME_INVALID with CN=*.azureedge.net when queried externally from internet.
 Are azure front door custom domains and front ends added in azure front door designer/manager ?
 Does the inaccessible web app have the expected custom domains enabled or mapped or dns-custom-domain provisioned ?
 Does the inaccessible web app have the minimum tls version selected/configured ?
 Does the azure front door have managed certificates or your own certs for the custom domains and endpoints ({ID.z[id]}.azurefd.net) ?
   🟩  {ID.z[id]}.azurefd.net is expected to give net::ERR_CERT_COMMON_NAME_INVALID with CN=*.azureedge.net when queried externally from internet.
 Does the azure front door have the expected custom domain validation and certificate ok and https ok ?
 Does the azure front door have a web application firewall enabled ?
 Does the azure front door have one or more web application firewall policies applied ?
 Does the azure front door have session affinity enabled in the azure front door designer/manager domain settings ?
 Does the azure front door have one or more backend pools with *.azurewebsites.net enabled as backend hostname ?
   🟩  *.azurewebsites.net is expected to give 403 forbidden from *.azurewebsites.net instead of DNS_PROBE_FINISHED_NXDOMAIN (from unauth networks).
 Does the azure front door have a backend pool with http port 80 and https port 443 enabled ?
 Are priority and weight assigned via traffic routing methods & origins or via traffic manager ?
 Does the azure front door have all routing rules enabled ?
 Do azure front door routing rules accept http only, https only or http and https ?
 Do azure front door routing rules have custom domain hostname as frontend/domains ?
 Do azure front door routing rules have pattern matching rules applied ? specifically "*/"  ?
 Do azure front door routing rules have route type forward or redirect ?
 Does the azure front door have associated rules/actions/server_variables/url_rewrite/url_redirect configured ?
 Do azure front door routing rules have forwarding protocol https only ? http only ? match req ?
 Do azure front door routing rules have url rewrite enabled ?
 Do azure front door routing rules have caching enabled ?
 Does the azure front door web application firewall have the expected frontend & waf policies associated ?
 Does the azure front door web application firewall have valid sku settings for request body inspection ?
 Does the azure front door web application firewall have a policy with block response status code 403 ? err 500 ? 502 ? 503 ?
 Does the azure front door web application firewall have a policy with managed rules blocking injections/headers based on owasp ?
 Does the azure front door web application firewall have a policy with associations of frontends hosts & frontdoor instance ?
 Does the azure front door rules engine configurations show conditions and actions ?
 Does the inaccessible web app have an afdverify (afdverify.*.azurefd.net) host added to azure dns recordset as cname ?
   🟩  afdverify.*.azurefd.net is expected to give net::ERR_CERT_COMMON_NAME_INVALID with CN=*.azureedge.net when queried externally from internet.
 Does the inaccessible web app have a hostname added to azure dns recordset as cname azure resource linked to afd ?
 Does azure dns have @ hostname A type record for afd.net ip address in the recordsets section ?  🟩  "13." IP range.
 Does azure dns have @ hostname NS type record for azure-dns.com|net|org|info with highest ttl ?
 Does azure dns have @ hostname SOA type record ?
 Does the inaccessible web app have virtual inbound ip address displayed in networking section ?  🟩  "13." IP range.
 Does the inaccessible web app have public network access enabled with access restrictions ?
 Does the inaccessible web app have public network access enabled for selected virtualnet and ip addresses ?
 Does the inaccessible web app have the network unmatched rule action as deny by default ?
 Does the inaccessible web app rely upon a vnet integration with nsg and any_source-any_destination deny ?
 Does the inaccessible web app rely upon a vnet integration with nsg azureloadbalance_source-any destination allowed ?
 Does the inaccessible web app rely upon a vnet integration with nsg any_source-internet_destination allowed ?
 Does the inaccessible web app have a priority 1 access restriction rule for front door ip source ip range ?
   🟩  "147. /16" IP range as action allowed ?
 Does the inaccessible web app have integrations via proxies/firewalls through internal/on-premise network ips allowed ?
 Does the inaccessible web app have outbound ip addresses reachable by external global dns propagation checker ?
   🟩  "13." ; "20." ; "40." ; "157." IP range as outbound ?
 Does the inaccessible web app have the lowest priority access restriction rule as deny all for "any" source ?
 Does the inaccessible web app have environment variables including connection strings account names and keys ?
 Does the inaccessible web app have data source connection strings with database_url/port_1433/usr_id/usr_psw/dbname/timeout ?
   🟩 web app has http_2.0 proxy ? websockets ? always-on ? session affinity ?
      https_only ? min_tls_1.2 ? e2e_tls ? incoming client certs & cert exclusion paths ?
 Does the inaccessible web app have an identity provider configured as either system-assigned or user-assigned ?
 Does the inaccessible web app have a custom domain with an expired certificate on an SNI SSL binding ?
 Does the inaccessible web app have managed certificates ? bring your own cert pfx ? .cer public key cert ?
   🟩 python -m sslyze domain.domain2.com:443 --regular # exploring certificate fields # kali sslyze
   🟩 scan cert fields programmatically with powershell > ip [system.net.dns]::GetHostAddresses
   🟩 scan cert fields programmatically with powershell > resolve-dnsname system.net.webrequest getresponse system.net.webclient
   🟩 scan cert fields programmatically with powershell > webrequest.servicepoint.certificate
   🟩 scan cert fields programmatically with powershell > .getissuername .getserialnumberstring .getpublickeystring .getcerthashstring
 Does the inaccessible web app have any webjobs running ?
 Do web app logs show err/fatal/failed/unable/exiting/bad/missing/stop/await ?
 Do diagnostic logs show internal server error ? invalid ? exception ? null ? stackoverflow ? outofmemory ? abort ? shutdown ?
 Does the inaccessible web app have diagnostic tools, network trace analyzer, collect profiler trace available ?
 Do the inaccessible web app logs show system.nullreferenceexception ? transaction/dependency/telemetry/unauthorized ?
 Does the inaccessible web app have a service connector configured ?
 Does the inaccessible web app have an app service plan with app slots and scalable instance count ?
 Does the inaccessible web app have user defined rules to scale on a schedule or based on app metrics ?
 Does the inaccessible web app have azure devops repos connected or github w/ APP_reg/auth/redir_uris & client secrets ?
 Does the inaccessible web app have an app registration with api permissions granted, delegated and admin consent ?
 Does the inaccessible web app have a microsoft entra id enterprise app with assignment required ? visible to users ? sso / oidc / oauth2 ?
 Does the inaccessible web app have exceptions in the azure application insights and diagnostic logs ?
 Does the inaccessible web app show transaction failures in the end-to-end transactions user flows ?
 Does the inaccessible web app show conflicting tcp handshakes when researching with network trace analyzer ?
 Does the inaccessible web app show a matching set of issues and errors when investigating via azure app service diagnostics ?
 Does the inaccessible web app have diagnostics data collected & performance troubleshooting info available ?
 Does the inaccessible web app have advanced tools kudu service showing details of w3wp.exe daasrunner.exe cmd.exe instances ?
 Does the inaccessible web app kudu service show system info, appsettings, iis path to executables, applicationhost.config, rootweb.config ?
 Does the inaccessible web app kudu service show allowanonymous, fqdn, daas storage conn string, account name, account key, environment variables ?
 Does the inaccessible web app kudu service show appdata path, azure logging, http headers, server variables ?
 Does the inaccessible web app kudu service allow getting the web app diagnostics dump, app logfile errors, detailed html format error reports, rawlogs ?
 Does the inaccessible web app kudu service allow getting network trace pcap files, site ext daas service logging PID, url http codes, eventlog.xml ?
 Does the inaccessible web app kudu service allow getting home|site|wwwroot|bin|dlls|.config files & log4net.config xml appenders & loggers ?
 Does the inaccessible web app have a working log stream service for application logs & web server logs ?
 Does the inaccessible web app show azure log analytics entries and http verbs requested ?
 Is the inaccessible web app not resolving due to dns port 53 not being open from the originating network ? any recent dns zone changes ?
 Is the inaccessible web app implemented to be accessed via a proxied connection or application gateway ? vpn ? fips mode enabled ?
 Is the inaccessible web app implemented to be accessed via a trusted network connection ? always on ? mac address policies ?
 Is the inaccessible web app implemented to be accessed from networks limiting traffic by lldp, connection string, app config, gateway ?
 Is the inaccessible web app implemented to be accessed from networks limiting vlan, vni, sdwan, vrf, router/switch/card & firewall traffic ?
 Is the inaccessible web app implemented to be accessed from networks with access point logging errors on websockets ?
 Is the inaccessible web app implemented to be accessed from networks with session time-out policies ?
 Is the inaccessible web app implemented to be accessed from networks showing errors on tcp keep-alive, syn-ack, fin-ack, ack ?
 Is the inaccessible web app implemented to be accessed from networks showing pre-login handshake errors ?
 Is the inaccessible web app integrated with internal Load Balancer pools without an inservice http 200 health monitor ?
 Is the inaccessible web app meant to be accessed from 'company-net' ? from internet ? via a VNG-BGP/LNG/VPN-GW + jumpserver ? # vpn-gateway-faq
 Is the inaccessible web app integrated with an on-premises VM/IIS showing protocol error at client code 1104 when trying to rdp ?
 Is the inaccessible web app integrated with an on-premises VM/IIS inaccessible via azure bastion ?
 Is the inaccessible web app integrated with an on-premises VM/IIS inaccessible via RDP enabled 3389 ?
 Is the inaccessible web app relying upon a network that can be troubleshot with azure network watcher ?
 Is the inaccessible web app integrated with a backend having conflicts with client to server olap ports 2382/2383/2393/2394/2725 ?
 Is the inaccessible web app showing logged errors related to event id 4 kerberos combined with http 500 and http 404 errors ?
 Is the inaccessible web app showing logged errors related to 7 bad block memory ? 1000 app shutdown ?
 Is the inaccessible web app showing logged errors about 5002 DFSR distributed file system replication ?
 Is the inaccessible web app showing logged errors about 5011 iis app pool crash ?
 Is the inaccessible web app showing logged errors about 7023 WAS (windows process activation service) ?
 Is the inaccessible web app showing logged errors about www publishing service w3svc and w3wp iiscore.dll crash ?
 Is the inaccessible web app showing related diagnostics/activity/metrics when querying via kusto query language on app-insights ?
 Is the inaccessible web app showing related errors/evidence when monitoring app service instances by using health check ?
 Is the inaccessible web app depending on outdated ado pipelines & service connections/webhooks/secrets ?
 Is the inaccessible web app responding as expected when performing well-known requests with postman ?
 Is the inaccessible web app showing the expected web-sequences when inspecting traffic/packets with wireshark ?
 Is the inaccessible web app showing the expected web-sequences when inspecting http requests & responses with f12 developer tools (edge) ?
 Is the inaccessible web app showing the expected web-sequences when inspecting http requests & responses with f12 developer tools (chrome) ?
 Is the inaccessible web app integrated to an on-premises VM/IIS via a reverse proxied virtual machine protected by a waf in a dmz network zone ?
 Is the inaccessible web app integrated to an on-premises VM/IIS behind a reverse proxied waf w/ events blocked by xss + waf exploits sec policies ?
 Is the inaccessible web app integrated to an on-premises VM/IIS showing a certificate with the global site selector url in the subject alternative name ?
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on cname entries not resolving or not in the cert's subject alternative name ?
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on ip-addresses-as-hostnames absent in the cert's subject alternative name ?
 Is the inaccessible web app integrated to an on-premises VM/IIS integrated/linked via ssl load balancer with certificate termination and pki ?
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on nodes that require testing filtered ports using network commands ?
   🟩 Test-NetConnection -ComputerName "thecomputername.domain" -InformationLevel "Detailed"
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on inf nodes that require active tcp connections seen by stat commands ?
   🟩 netstat -e
   🟩 netstat -ano
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on services supported by domain user accounts ?
   🟩 net user default account
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on service accounts with active directory security group memberships ?
   🟩 dsquery user -samid lan_id -d domain
   🟩 dsget user "cn=personasname, ou=ouname1, ou=ouname2, dc=domain_name,dc=dom2,dc=tld" -memberof
   🟩 dsget group "cn=groupname, ou=ouname1, ou=ouname2, dc=domain_name, dc=dom2, dc=tld" -members -expand
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on infrastructure nodes that require confirming domain dependencies ?
   🟩 systeminfo | findstr domain
   🟩 whoami /groups
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on infrastructure nodes that require packet inspection ?
   🟩 icmp & asa packet inspection
   🟩 wireshark packet inspection
 Is the inaccessible web app integrated to an on-premises VM/IIS depending on inf nodes that show evidence of switch port and interface errors ?
   🟩 show interface | i errors
   🟩 show interfaces description | i interface_name
   🟩 show capture capin | i ip_address
   🟩 show service-policy
   🟩 show ntp associations # network time protocol
   🟩 show running-config | i keep # timeout issues
   🟩 show run | i tcp
   🟩 show arp vrf vrf_peer | i interface_ip_address # address resolution protocol # virtual routing and forwarding
   🟩 show mac address-table address interface_mac_address
   🟩 show lldp neighbors | i interface_mac_address # link layer discovery protocol
   🟩 igw firewall srx security routing switching
   🟩 show security flow session destination-prefix ip_address destination-port port_numb
   🟩 show security policies policy-name name_of_the_policy detail
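 As an added example (not part of the article), the two checks behind the repeated 🟩 expectations above, in Python: RFC 6125 hostname-to-certificate matching, which is why an AFD endpoint still serving CN=*.azureedge.net yields net::ERR_CERT_COMMON_NAME_INVALID and why a CNAME or IP-as-hostname missing from the SAN fails, plus a classifier that maps one external probe result to the checklist's expected or unexpected outcome. The hostnames used are constructed, not real endpoints.

```python
"""Certificate host matching and probe classification for the checklist above.
Added example, not the article's code; hostnames in the checks are constructed."""
import ipaddress


def _as_ip(value):
    """Parse an IP literal, or return None for a DNS name / wildcard."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def hostname_matches(hostname, cn, sans):
    """True if hostname is covered by the CN or by a SAN entry.
    A wildcard covers exactly one leftmost label (RFC 6125), so the default
    CN=*.azureedge.net never covers x.azurefd.net, hence the browser error.
    An IP used as hostname must appear as an IP entry, not a DNS name."""
    names = [cn, *sans]
    ip = _as_ip(hostname)
    if ip is not None:
        return any(_as_ip(n) == ip for n in names)
    host = hostname.lower().rstrip(".").split(".")
    for n in names:
        labels = n.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue  # wildcard cannot absorb extra labels
        if labels == host or (labels[0] == "*" and labels[1:] == host[1:]):
            return True
    return False


def classify_probe(hostname, dns_resolved, cert_cn, http_status):
    """Map a probe from an unauthenticated network to a checklist finding."""
    if not dns_resolved:
        return "NXDOMAIN: check the Azure DNS CNAME/A recordsets for this host"
    if hostname.endswith(".azurefd.net"):
        if cert_cn == "*.azureedge.net":
            return "expected: AFD default cert (CN mismatch); add custom domain + cert"
        return f"unexpected: AFD endpoint presented CN={cert_cn}"
    if hostname.endswith(".azurewebsites.net"):
        if http_status == 403:
            return "expected: origin denies non-Front Door sources (access restrictions ok)"
        if http_status == 200:
            return "gap: origin reachable directly, bypassing AFD/WAF; review access restrictions"
        return f"unexpected origin status {http_status}"
    return "custom domain: verify CN/SAN covers the hostname and its CNAME target"
```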
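 A second added example (again not the article's code) for the access-restriction questions in the checklist: rules are evaluated in priority order with first match winning, then the unmatched rule action applies, and the lint reproduces the checks the questions ask for (Front Door allow at priority 1, deny all from Any at the lowest priority, unmatched action Deny). The rule set and the 147.0.0.0/16 range are constructed placeholders, not Azure's published Front Door ranges.

```python
"""App Service access restriction evaluation and lint, as asked by the checklist.
Added example, not the article's code; rules and IP ranges are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first, as in the portal
    action: str        # "Allow" or "Deny"
    source: str        # CIDR, or "Any" for the portal's catch-all source
    name: str = ""


def evaluate(rules, source_ip, unmatched_action="Deny"):
    """Action applied to source_ip: first matching rule by priority,
    otherwise the 'unmatched rule action' from the networking blade."""
    ip = ipaddress.ip_address(source_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.source == "Any" or ip in ipaddress.ip_network(r.source, strict=False):
            return r.action
    return unmatched_action


def lint(rules, front_door_cidrs, unmatched_action="Deny"):
    """Findings mirroring the checklist's access-restriction questions."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.priority)
    if unmatched_action != "Deny":
        findings.append("unmatched rule action is not Deny")
    if not ordered or (ordered[-1].source, ordered[-1].action) != ("Any", "Deny"):
        findings.append("lowest-priority rule is not 'Deny all from Any'")
    fd = [r for r in ordered if r.action == "Allow" and r.source in front_door_cidrs]
    if not fd:
        findings.append("no Allow rule for the Front Door source range")
    elif fd[0].priority != 1:
        findings.append("Front Door Allow rule is not priority 1")
    for r in ordered:
        wide = r.source == "Any" or ipaddress.ip_network(r.source, strict=False).prefixlen == 0
        if r.action == "Allow" and wide:
            findings.append(f"rule {r.name or r.priority} allows any source")
    return findings


FRONT_DOOR_RANGE = "147.0.0.0/16"  # constructed stand-in for the "147. /16" range
GOOD_RULES = [  # shape the checklist expects: AFD first, corp proxy, deny all last
    Rule(1, "Allow", FRONT_DOOR_RANGE, "afd-backend"),
    Rule(100, "Allow", "10.20.0.0/16", "corp-proxy"),
    Rule(2147483647, "Deny", "Any", "deny-all"),
]
BAD_RULES = [Rule(10, "Allow", FRONT_DOOR_RANGE, "afd"), Rule(5, "Allow", "0.0.0.0/0", "oops")]
```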

 This article was originally published on 2025-FEB-27 and last reviewed on 2025-APR-18.