Containment on Brewed in the Cloud by Chris Haileshttps://blog.brewedinthecloud.com/tags/containment/Recent content in Containment on Brewed in the Cloud by Chris HailesHugo -- gohugo.ioen-usTue, 02 Jun 2026 00:00:00 +1000Designing Networks That Fail Predictablyhttps://blog.brewedinthecloud.com/p/network-fails-designing-predictability/Tue, 02 Jun 2026 00:00:00 +1000https://blog.brewedinthecloud.com/p/network-fails-designing-predictability/<p>Every network fails eventually.</p> <p>Sometimes it’s physical. Sometimes it’s logical. Often it’s self‑inflicted, a containment rule pushed with the best intentions that quietly turns into a kill switch.</p> <p>The difference between a survivable incident and a chaotic one isn’t whether the network failed. It’s whether the failure behaved the way you <em>expected</em> it to.</p> <p>Predictable failure isn’t about being pessimistic. It’s about staying in control when parts of the system are no longer trustworthy.</p> <h2 id="the-mental-model">The Mental Model </h2><p><strong>Common assumption:</strong><br> “If we design enough resilience and security into the network, failure becomes unlikely and manageable when it happens.”</p> <p><strong>Why it breaks:</strong><br> Resilience delays failure; it doesn’t define its shape.</p> <p>As Azure networks grow, they accumulate invisible dependencies: centralised inspection, forced tunnelling, identity‑driven policy, platform service reachability. Under stress, those dependencies don’t fail cleanly. They fail <em>asymmetrically</em>.</p> <p>Some flows work. Others silently die. And the controls meant to protect you become the fastest way to lose visibility and access.</p> <p>Predictable failure starts by accepting that <strong>not all controls deserve to survive an incident</strong>.</p> <h2 id="how-it-really-works">How It Really Works </h2><p>In real incidents, containment actions usually remove connectivity faster than they restore clarity.</p> <p>The most common pattern looks like this:</p> <ol> <li>Suspicious activity is detected</li> <li>Egress is tightly constrained or forced through central inspection</li> <li>A dependency breaks DNS, identity, logging, update paths</li> <li>Defender access degrades alongside attacker access</li> <li>The network is now “secure” but unmanaged</li> </ol> <p>Azure doesn’t distinguish between <em>defensive isolation</em> and <em>self‑denial</em>. The platform will happily enforce whatever policy you give it, even if that policy collapses your ability to respond.</p> <p>Designing for predictable failure means deciding <strong>which capabilities must outlive containment</strong>.</p> <h2 id="realworld-impact">Real‑World Impact </h2><p>This changes how you design, deploy, and operate networks in a very practical way:</p> <ul> <li>You stop treating centralised egress inspection as an invariant</li> <li>You explicitly prioritise <strong>defender access and telemetry</strong> over uniform traffic control</li> <li>You design containment to <em>reduce attacker capability first</em>, not <em>remove all connectivity</em></li> <li>You accept that some security controls are conditional, not absolute</li> </ul> <p>The key shift: <strong>losing inspection is survivable; losing control is not</strong>.</p> <h2 id="designing-for-controlled-degradation">Designing for Controlled Degradation </h2><h3 id="1-fail-closed-at-trust-boundaries-not-at-egress">1. Fail Closed at Trust Boundaries, Not at Egress </h3><p>Under stress, the first thing you should be willing to lose is <em>cross‑trust communication</em>, not operator reachability.</p> <p>That means:</p> <ul> <li>East‑west traffic between trust zones fails before north‑south management access</li> <li>Isolation targets workloads, not the paths used to observe and recover them</li> <li>Containment reduces blast radius without collapsing the control plane</li> </ul> <p>Centralised egress inspection is valuable, until it becomes the narrowest choke point in the system.</p> <h3 id="2-intentionally-relax-centralised-egress-inspection-during-containment">2. Intentionally Relax Centralised Egress Inspection During Containment </h3><p>This is the uncomfortable trade‑off.</p> <p>In a containment scenario, it is often safer to temporarily allow <strong>direct workload egress</strong> than to enforce forced tunnelling through a brittle inspection path.</p> <p>Why?</p> <ul> <li>Forced egress concentrates failure into a single dependency</li> <li>When that dependency degrades, logging, updates, and identity often follow</li> <li>Defender access and telemetry are frequently collateral damage</li> </ul> <p>This is not an argument against inspection. It’s an argument against treating it as non‑negotiable during failure.</p> <p>Predictable failure means being explicit about this ordering:</p> <blockquote> <p><em>I am willing to lose uniform egress inspection before I am willing to lose defender access, telemetry, or recovery paths.</em></p> </blockquote> <h3 id="3-preserve-defender-control-paths-at-all-costs">3. Preserve Defender Control Paths at All Costs </h3><p>If a containment action can sever:</p> <ul> <li>Bastion or jump host access</li> <li>Break‑glass identities</li> <li>Log and alert egress</li> <li>Platform management endpoints</li> </ul> <p>…then it’s not a security control, it’s a denial‑of‑service against your own responders.</p> <p>Defender paths should be <strong>architecturally boring</strong>:</p> <ul> <li>Minimal dependencies</li> <li>Few enforcement layers</li> <li>Hard to accidentally include in broad deny rules</li> </ul> <p>If these paths disappear during containment, the network has failed <em>chaotically</em>, regardless of how “secure” it looks.</p> <h2 id="implementation-example-encoding-failure-order-with-nsgs">Implementation Example: Encoding Failure Order with NSGs </h2><p>This example is intentionally simple. It’s not a pattern to copy wholesale, it’s a way to encode <strong>failure intent</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bicep" data-lang="bicep"><span class="line"><span class="cl"><span class="kd">resource</span><span class="w"> </span><span class="nv">workloadNsg</span><span class="w"> </span><span class="s">&#39;Microsoft.Network/networkSecurityGroups@2023-11-01&#39;</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;nsg-workload-zone&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">location</span><span class="p">:</span><span class="w"> </span><span class="nf">resourceGroup</span><span class="p">().</span><span class="nv">location</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">securityRules</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// Allow trusted intra-zone traffic</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Allow-IntraZone&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">priority</span><span class="p">:</span><span class="w"> </span><span class="nv">100</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">direction</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Inbound&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">access</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Allow&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">protocol</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">sourceAddressPrefix</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;10.20.0.0/16&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">destinationAddressPrefix</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">sourcePortRange</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">destinationPortRange</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// Default deny for cross-zone traffic</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Deny-CrossZone&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">priority</span><span class="p">:</span><span class="w"> </span><span class="nv">4096</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">direction</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Inbound&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">access</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;Deny&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">protocol</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">sourceAddressPrefix</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;VirtualNetwork&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">destinationAddressPrefix</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">sourcePortRange</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">destinationPortRange</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>What this demonstrates:</strong></p> <ul> <li>Failure occurs first at trust boundaries</li> <li>Intra‑zone operation continues</li> <li>Containment is explicit and reversible</li> <li>The network degrades along known seams</li> </ul> <p>NSGs alone won’t save you but encoding <em>failure order</em> in policy forces architectural clarity.</p> <h2 id="visualising-predictable-failure">Visualising Predictable Failure </h2><div class="mermaid">flowchart LR subgraph Management Admins Bastion end subgraph ZoneA["Workload Zone A"] AppA end subgraph ZoneB["Workload Zone B"] AppB end Admins --> Bastion --> ZoneA Admins --> Bastion --> ZoneB ZoneA -.isolated first.-x ZoneB </div> <p>When containment is applied:</p> <ul> <li>Workload‑to‑workload trust is severed</li> <li>Management access remains intact</li> <li>Egress inspection may be relaxed to preserve visibility</li> </ul> <p>That’s not weakness, that’s control.</p> <h2 id="gotchas--edge-cases">Gotchas &amp; Edge Cases </h2><ul> <li>Relaxing egress inspection <strong>does increase short‑term risk</strong> that risk must be bounded and time‑limited</li> <li>Attackers may attempt to exploit relaxed paths but defender lockout is usually worse</li> <li>Platform dependencies (DNS, identity, logging) often bypass intended failure order</li> <li>“Temporary” containment rules have a habit of becoming permanent scars</li> </ul> <p>Predictable failure requires ongoing review, not just good intent.</p> <h2 id="best-practices">Best Practices </h2><ul> <li>Decide and document <strong>which control fails first</strong></li> <li>Treat centralised inspection as conditional under stress</li> <li>Keep defender access paths simple and isolated</li> <li>Avoid deep dependency chains in security enforcement</li> <li>Assume containment will be executed by tired humans</li> </ul> <div class="insight"> <div class="insight-icon">🍺</div> <div class="insight-content"> <strong>Brewed Insight:</strong> If your network only behaves safely when every control is intact, it isn’t resilient, it’s fragile. Predictable failure means choosing control over coverage when it matters most. </div> </div> <style> .insight { display: flex; align-items: center; background-color: #0089e41c; border-left: 10px solid #D69A2D; padding: 10px; margin: 20px 0; border-radius: 4px; } .insight-icon { font-size: 24px; margin-right: 10px; } .insight-content { flex: 1; } </style><h2 id="learn-more">Learn More </h2><ul> <li><a class="link" href="https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview" target="_blank" rel="noopener" >Azure Network Security Groups – Concepts</a></li> <li><a class="link" href="https://learn.microsoft.com/azure/architecture/framework/security/design-network-segmentation" target="_blank" rel="noopener" >Design network segmentation</a></li> <li><a class="link" href="https://learn.microsoft.com/azure/security/fundamentals/network-best-practices" target="_blank" rel="noopener" >Azure security best practices for network isolation</a></li> </ul>