Cloud Infra Solution Engineer @ Microsoft · Azure Networking specialist
I help enterprise customers design, validate, and troubleshoot hybrid & cloud-native networks on Azure —
ExpressRoute, VPN, Virtual WAN, Hub & Spoke, Private Link, DNS, NVAs, and Azure Firewall.
This profile is a curated index of reproducible labs built from real customer scenarios,
plus GitHub Copilot CLI AI agent extension packs (networking, finance, compute, financial services).
Contributor to the Azure Networking Blog on Microsoft Tech Community.
Topics: Azure Networking · Hub & Spoke · Virtual WAN · ExpressRoute · VPN · Private Link · DNS · NVA · Azure Firewall · GitHub Copilot CLI extensions
I focus on Azure networking — designing, testing, and documenting connectivity, routing, security, and hybrid scenarios. This profile is a curated index of hands-on labs, sample scripts, and reference implementations I maintain across multiple repositories. Most content is reproducible end-to-end so you can deploy, break, and learn from real Azure topologies.
🔭 Currently: building GitHub Copilot CLI extension packs (Network Desk, Money Desk, Compute Desk, Financial Services) and publishing reproducible Azure networking labs from real customer scenarios.
📫 Connect: LinkedIn · GitHub Gists · Azure Networking Blog (Tech Community)
- 👋 About
- ⭐ Featured
- 🧰 Tools & Extensions
- 🔗 Hybrid Connectivity (VPN & ExpressRoute)
- 🕸 Hub & Spoke Architecture
- 🌐 Virtual WAN
- 🧭 Routing, Route Server & NVAs
- 🔒 Private Link & DNS
- 🛡 Firewall & Network Security
- 🧱 Core Networking & Edge
- ☁ GCP & Multi-Cloud
- 🌟 Recommended Repos
- 📊 GitHub Statistics
- 🆕 Recently Updated
- 🧩 New / Not-Yet-Curated
- Financial Services — GitHub Copilot CLI extension pack (9 verticals + 10 specialists, ~169 tools) — personal project
- Network Desk — GitHub Copilot CLI extension pack (20 cloud-networking specialist agents)
- Money Desk — GitHub Copilot CLI personal-finance extension pack (20 specialist agents) — personal project
- Compute Desk — GitHub Copilot CLI Azure IaaS VM extension pack (20 specialist agents, collaboration)
- OPNsense NVA Firewall in Azure
- Deploy Linux or Windows VM as Routers (IPv4/IPv6/NAT)
- LAB: Azure DNS Security Policy
- LAB: Azure Virtual Network Encryption
Note: Money Desk and Financial Services are personal hobby projects driven by my interest in personal finance — they are not affiliated with Microsoft.
- Financial Services — (personal project) GitHub Copilot CLI port of the Claude for Financial Services pack: 9 verticals + 10 specialists (~169 tools) covering equity research, pitch decks, M&A, credit, ESG, and more, with 12 optional MCP data connectors (FactSet, Daloopa, LSEG, S&P Global, Moody's, Pitchbook, …)
- Network Desk — GitHub Copilot CLI extension pack: 20 specialist AI agents for cloud networking (Azure/AWS/GCP), firewalls (14 vendors), and report generation
- Money Desk — (personal project) GitHub Copilot CLI personal-finance extension pack: 20 specialist AI agents (budget, tax, investing, retirement, debt, credit, insurance, estate, FIRE, and more). Zero deps, analysis-only, private by default
- Compute Desk — GitHub Copilot CLI extension pack for Azure IaaS VMs: 20 specialist AI agents covering SKU sizing, cost, performance, DR, backup, security, migration, and report generation (collaboration)
Azure Site-to-Site VPN — labs & scripts
- Azure Site-to-Site VPN
- Verify BGP Information on Azure VPN and ExpressRoute Gateways
- Troubleshooting IPSec by Using IKE Logs
- Site-to-Site VPN between Azure and GCP (static routing)
- LAB: NAT on Azure VPN Gateway
- LAB: Transit between ExpressRoute and Azure S2S VPN using Route Server
- LAB: Azure Firewall to Inspect Traffic between VPN and ExpressRoute
- PowerShell: Azure Virtual Network Gateway Packet Capture
Sub-items above are part of dmauser/Lab
Azure ExpressRoute — labs & scripts
Azure Hub and Spoke — labs & scripts (ExpressRoute, VPN Gateway, Azure Route Server & NVAs such as OPNsense)
- Azure Hub and Spoke — Labs and articles for Hub and Spoke network architecture on Azure, each focused on a specific connectivity or routing scenario
- LAB: ExpressRoute Hub Transit — ExpressRoute-based transit between two hub and spoke environments (Hub1 and Hub2)
- LAB: ExpressRoute Migration — Migration scenario with on-premises (emulated in GCP) connected to Azure via ExpressRoute and Azure Route Server
- LAB: Hub with DMZ Firewall (OPNsense) — Dedicated DMZ VNET with OPNsense NVA inspecting traffic between spokes and on-premises
- LAB: Hub ER+VPN Transit with OPNsense — ExpressRoute and VPN gateways with transit, plus Azure Route Server Branch-to-Branch
- LAB: Hub and Spoke with ExpressRoute Gateway Scaling — Impact of gateway SKU and scaling settings on throughput and routing
- LAB: Hub and Spoke with On-Premises via ExpressRoute (Azure) — On-premises emulated inside Azure with a separate VNET and ExpressRoute gateway
- LAB: Hub and Spoke with On-Premises via ExpressRoute (GCP) — Cross-cloud connectivity to on-premises emulated in GCP via ExpressRoute partner interconnects
- LAB: ExpressRoute MSEE Hairpin — Tests MSEE hairpin behavior over ExpressRoute (intra-region and inter-region)
- LAB: Multi-Region ExpressRoute with Azure Route Server — Hub and spoke in two regions (East US 2 and Central US) connected via ExpressRoute with ARS
- LAB: SD-WAN with Traffic Inspection — OPNsense as SD-WAN NVA with branch traffic inspected by a next-hop firewall load balancer
- LAB: Single Region VPN + ExpressRoute Coexistence — VPN and ExpressRoute gateways coexisting in a single region with failover testing
- LAB: Vendor VNET with Azure Route Server — Third-party SD-WAN vendor VNET exchanging routes with the hub via ARS using OPNsense
- LAB: Third-Party VNET Integration with ExpressRoute — Vendor VNET integration via ExpressRoute with static and BGP-based routing
- LAB: VNET with Azure Route Server, ExpressRoute, and OPNsense — Branch VNET using OPNsense connected to the hub via ARS and ExpressRoute
- LAB: IPSec VPN over ExpressRoute (Hub and Spoke) — IPSec/IKE VPN tunnels over ExpressRoute private peering with ARS hub routing preference
Azure Virtual WAN (VWAN) — labs & scripts
- Azure Virtual WAN
- LAB: Validating Virtual WAN Next Hop IP Feature
- Multiple Virtual WANs (Prod and Dev)
- vWAN VPN Gateway Packet Capture
- Sample Script: Migrate Spoke VNET from Hub/Spoke to vWAN
- Azure Virtual Network Gateway IKE Logs
- LAB: Virtual WAN — Any-to-Any
- LAB: Route Traffic Through Azure Firewall Spoke
- LAB: Route Traffic Through NVA Spoke
- LAB: Route Traffic Through NVA Spoke using BGP Peering
- LAB: Isolated VNETs using Custom Route Tables
- LAB: NVA on Spoke for Internet Breakout
- Script: Dump All vHUBs Effective Routes
- LAB: Secured Virtual Hubs and Routing Intent (Intra-Region)
- LAB: Secured Virtual Hubs Inter-region via ExpressRoute
- LAB: IPsec VPN over ExpressRoute
- LAB: IPsec VPN with NAT over ExpressRoute
- LAB: Forced Tunneling over ExpressRoute
Some sub-items above are part of dmauser/Lab
Azure Route Server — labs & scripts
- Azure Route Server
- Forced Tunneling: Active-Active OPNsense Firewalls with Route Server (ExpressRoute)
- Transit between ExpressRoute and Azure S2S VPN using Route Server
- Azure Firewall to Inspect Traffic between VPN and ExpressRoute
- LAB: ER-to-ER Transit using NVAs/ARS (reverse hairpin)
- LAB: High Available NVAs with Azure Route Server
NVAs & Load Balancing — labs & scripts
Private Link — DNS integration scenarios & known issues
- Private Link
- Private Endpoint DNS Integration Scenarios
- Known Issue: Customers Unable to Access Each Other's PaaS Resources after PrivateLink
- DNS Client Configuration Options for Private Endpoints
- Private Endpoint DNS Integration using Active Directory
- Private Endpoint DNS Integration over Point-to-Site VPN
- Using Private Link Service for On-premises Workloads
- Network Performance Considerations: Azure Files over Private Endpoint
Azure DNS — labs & scripts
Azure Files — labs & scripts
Firewall & Network Security — labs & scripts
Azure Virtual Network — labs & scripts
Azure Front Door — labs & scripts
Azure VMware Solution (AVS) — labs & scripts
Running DHCP Server on Azure — labs & scripts
Random Scripts — labs & scripts
GCP & Multi-Cloud — labs & scripts
Recommended community repositories
Community repositories with great Azure Networking content:
| GitHub |
|---|
| @fabferri |
| @paolosalvatori |
| @jocortems |
| @erjosito |
| @adstuart |
| @jwrightazure |
| @jtracey93 |
| @fguerri |
| @hsze |
| @mddazure |
The snake animation is generated by a GitHub Action (see .github/workflows/snake.yml); images appear after the workflow's first run.
Recently updated repositories
Auto-generated daily from my public repositories — see .github/workflows/update-repos.yml.
- azure-er-vpn-coexistence
- network-desk — Network Desk - GitHub Copilot CLI extension pack: 20 specialist AI agents for cloud networking (Azure/AWS/GCP), firewalls (14 vendors), and report generation
- azure-virtualwan — Azure Virtual WAN articles and LABs
  azure·networking·virtual·wan
- money-desk — Your personal-finance AI team for GitHub Copilot CLI — 20 specialist agents (budget, tax, investing, retirement, debt, credit, health & Medicare, P&C, life & disability, estate, purchases, education/529, net worth, self-employed, life events, real estate, behavioral, expat, financial literacy, FIRE). Zero deps, analysis-only, private by default.
  ai-agent·budgeting·copilot-cli·copilot-extension·financial-planning·github-copilot
- azure-hub-spoke — Labs and articles related to Hub and Spoke
- gcp-network-base-lab — This repo helps you build a simple Lab environment in GCP with a single VPC, an Ubuntu VM, Cloud Router for Interconnect, and VPN.
- powerplat-network-security — Power Platform VNet support demo lab — private access to Azure Key Vault, SQL, Storage via VNet-injected Managed Environments (US geo, eastus+westus)
- azure-gateway-lb — Azure Gateway Load Balancer using OPNsense Firewalls in HA
- ms-foundry-pe-demo — Demo: Azure OpenAI public-to-private endpoint migration with .NET 8 App Service
- powerbi-sql-networking — Power BI + Azure SQL Private Link demo - secure private connectivity with no public endpoint exposure
New / not-yet-curated repositories
Public repos not yet filed into a topic section above — auto-generated, a worklist for curation.
- powerplat-network-security — Power Platform VNet support demo lab — private access to Azure Key Vault, SQL, Storage via VNet-injected Managed Environments (US geo, eastus+westus)
- ms-foundry-pe-demo — Demo: Azure OpenAI public-to-private endpoint migration with .NET 8 App Service
- powerbi-sql-networking — Power BI + Azure SQL Private Link demo - secure private connectivity with no public endpoint exposure
- powerbi-network-security — Network Security Scenarios with Power BI
- azure-pls-scale
- azure-er-scalablegw — Lab: Implement and manage ER Scalable Gateway
- azure-opnsense-labs — Templates and Labs with OPNsense
- azure-appgw-mtls — Demonstrate mTLS with Azure Application Gateway
- azure-nsp-lab
- fabric-network-security
- azure-p2s-er-issue-repro — This is a lab to repro an issue with P2S VPN Gateway and ExpressRoute
- conn-hs-vwan-diagrams — Network Diagrams for Hub and Spoke and Virtual WAN interconnection options.
- azure-vwan-vrf — Azure Virtual WAN VRF segmentation
- azure-vm-net-tools — How to get popular networking tools installed on Azure Linux or Windows VMs.
- azure-hub-spoke-base-lab
- mauser-demo2
- azure-bastion-entra_auth — Accessing Bastion using Entra Authentication
- azure-skytap-vwan — Skytap Lab using Virtual WAN Routing Intent for ER to ER transit
- azure-zt-lab — Lab using ZeroTier
- azure-dhcp-perftest
- azure-subnet-ext
- azure-vpn-p2s — Azure P2S VPN lab and articles
- azure-expressroute-deploy — Provision ExpressRoute with Private peering config pre-populated
- azure-loadbalancer — Articles/references related to Azure Load Balancer
- azure-firewall — Content related to Azure Firewall
- LinuxNVA
- webapp-cdn-sample
- dmauser.github.io — Mauser Blog
- WebAppTM
- pfsense-azure
- PS-Network-Capture — Network Capture via PowerShell






