Capability Attenuation: Scoped Tokens & Firewalls for AI Subagents
Applying NSX-T DFW microsegmentation principles to AI subagents. Scoping API tokens and tool access to prevent privilege escalation.
Architectural patterns, war stories, and engineering philosophy across 20+ years of production operations.
"Short on time? If you are reviewing my profile for a leadership role, start with these 3 foundation posts:"
Applying NSX-T DFW microsegmentation principles to AI subagents. Scoping API tokens and tool access to prevent privilege escalation.
How network BGP routing concepts (Local Pref, MED) inspired our multi-model LLM router, cutting API costs by 65%.
Why agentic execution loops need defensive stateful Circuit Breakers to prevent runaway API costs, rate-limit cascades, and infinite loops.
How we reduced Azure Log Analytics and SIEM ingestion bills by 40% using sampling, filtering, and basic telemetry tiering.
How we conducted comprehensive security audits across multi-tenant Azure landing zones to eliminate legacy tech debt.
Moving from tactical CLI troubleshooting to strategic enterprise architecture, business alignment, and team leadership.
Why punitive engineering cultures encourage technicians to hide mistakes. How we established a blameless post-mortem framework.
Using BGP Local Preference and MED attributes to steer outgoing cloud data traffic across lower-cost interconnect paths.
Architecting multi-region Azure ExpressRoute circuits with active/active BGP routing and VPN failover for enterprise resilience.
How we embedded Policy-as-Code and Infracost financial guardrails into GitHub Actions CI/CD pipelines for Azure landing zones.
How we automated the injection of Day-0 compliance firewall rules into newly provisioned NSX-T logical segments.
Why turning on 'Default Deny' firewall rules without flow mapping will break production. Lessons in microsegmentation staging.
Using PowerNSX PowerShell modules to programmatically audit and sync firewall rules across legacy vCenter environments.
A interrupted CI build corrupted a production Terraform state file. How we recovered state locking and restored infrastructure management.
Integrating Kubernetes container networking with enterprise virtual underlays using the NSX Container Plugin (NCP).
Provisioning Tier-0 gateways, Tier-1 routers, and overlay segments using Ansible collections for NSX-T Policy API.
How we shifted our entire network operations team from manual SSH sessions to GitOps pipelines using Ansible and GitLab CI.
Upgrading infrastructure is like changing the engines on a plane while flying. Here is how we moved a financial client from legacy NSX-V to NSX-T without dropping the banking app.
How we configured Arista switches as Hardware VXLAN Tunnel Endpoints (HW-VTEP) bound to VMware NSX Controller clusters.
When dynamic routing protocols (BGP/OSPF) redistribute across overlay and underlay boundaries, transitive loops can bring down entire clouds.
Detailed step-by-step engineering blueprint for migrating Distributed Firewall (DFW) policies and logical switches from NSX-V to NSX-T.
How we configured standalone NSX L2VPN client appliances to extend Layer 2 broadcast domains across high-latency WAN links.
Ingesting millions of log events per day across ESXi hosts, NSX Edge gateways, and physical firewalls using vRealize Log Insight.
Upgrading core overlay SDN infrastructure while processing live production transactions. How we migrated from NSX-V to NSX-T with zero downtime.
How we used vRealize Network Insight (vRNI) for 360-degree flow visibility, day-2 operations, and microsegmentation planning.
Comparing VXLAN and GENEVE encapsulation protocols. Why NSX-T adopted GENEVE for extensibility and dynamic metadata TLVs.
Spanning Tree is an insurance policy that costs you half your bandwidth. BGP is the better way.
How VMware HCX enabled zero-downtime bulk migrations of hundreds of virtual machines across multi-cloud infrastructure.
Scaling Remote Access VPN connections for 3,000+ remote workers. Resolving DTLS fallback issues and split-tunneling bottlenecks.
Deploying Next-Gen Firepower Threat Defense (FTD) caused sudden throughput drops. How we tuned Snort preprocessors and rule sets for line-rate inspection.
The moment I realized typing 'show ip route' on 50 routers manually was obsolete. How I learned Python to automate network operations at scale.
Over 70% of enterprise web traffic was encrypted, rendering legacy IPS firewalls blind. Here is how we deployed Palo Alto SSL Forward Proxy safely.
A single expired wildcard SSL certificate took down 40 production web applications. Here is how we automated certificate lifecycle monitoring.
Managing security across Checkpoint, Palo Alto, and Cisco ASA requires understanding the subtle semantic differences in how vendors process rules.
How we audited, consolidated, and eliminated thousands of shadow firewall rules across Checkpoint, Palo Alto, and Cisco ASA firewalls.
Comparing physical F5 BIG-IP appliances against early software-defined load balancers during enterprise cloud migrations.
Cisco End-of-Lifed the ACE load balancer module. Here is how we migrated 300+ Virtual Servers to F5 LTM without dropping active TLS connections.
When IPv6-only mobile networks exploded, legacy IPv4 applications faced sudden isolation. Here is how we implemented NAT64/DNS64 protocol translation.
Long before Datadog or Prometheus, Cacti and RRDtool were the eyes of the NOC. Here is how we scaled SNMP polling without crashing our poller.
When APNIC allocated our last IPv4 /22 block, we had to pivot. Here is how we deployed Dual-Stack IPv6 across thousands of customer subnets.
A junior engineer wiped the BGP config on our Core Router. The backup was missing. Panic ensued. Here is how RANCID saved the day.
Before Terraform and AWS, we built the cloud with bare hands. Lessons from the 'Iron Age' of infrastructure: PAC units, raised floors, and the smell of ozone.
A premium customer had slow speeds and 2% packet loss. We swapped routers, fibers, and prayers. Nothing worked. The culprit? A hidden duplex mismatch.