Posts

I really enjoy many of Cloudflare’s services, especially considering that they provide excellent protection for free. You just enable proxying, Bot Fight Mode etc., and chill most of the time. So let’s say you have some public URL which should be protected by Cloudflare, deny all bot traffic and allow only real browser-based traffic. In one of my cases, that was a self-hosted Grafana instance. However, there were a few things I wanted to automate as part of the CI/CD pipeline, including provisioning Grafana resources like data sources, dashboards, alert rules etc. ...

I really like using AWS SSM Session Manager for EC2 instances management whenever it’s possible, and recently faced a case where the requirement was to use Ansible for configuration management of EC2 instances, but without opening SSH access to them. That sounded like a good use case for SSM Session Manager, but I had to do some research to figure out how to make it work with Ansible. I ended up using two approaches - one with a static inventory for a single instance, and another with dynamic discovery for a fleet of instances. Both are based on the community.aws.aws_ssm connection plugin, which uses SSM Session Manager under the hood to connect to the target instances without SSH. The main difference is how the inventory is built - either hardcoded with instance IDs or dynamically discovered via EC2 API queries. ...

In July 2023, GitHub released a new feature called repository rules. I didn’t pay much attention to it at first, but then I faced multiple cases where branch protection rules felt like “something is missing”, and recently I decided to give repository rules (A.K.A. repository rulesets) a try. I was surprised by how much more flexible and powerful they are compared to traditional branch protection rules, so I wanted to share useful stuff about them, especially for those who haven’t heard of / tried repository rules yet. ...

AWS SSM Session Manager became my default way of connecting to EC2 instances, since it’s convenient, secure and doesn’t require opening SSH ports / configuring bastion etc. It’s enough to have the right IAM permissions (AmazonSSMManagedInstanceCore managed policy) and SSM agent installed and running on the instance, which is the case for most default AMIs. You can start a session via AWS Console as simple as clicking “Connect” on the EC2 instance page and selecting “Session Manager” as the connection method: ...

Claude Code & Azure I’m sure you’ve heard about Anthropic’s Claude Code. I’ve been an active user for the past 3 months. It’s a great tool; however, it requires a separate subscription until now. Claude has always been available on AWS and GCP (and the main assumption is that it hasn’t been available on Azure due to Anthropic’s rivalry with OpenAI), but things have now changed—Microsoft announced a partnership with Anthropic and Claude models are available via Azure Foundry. ...

A small intro Although my main stack is far from this now, throughout my professional career I have had to work with the Windows Server stack, and the issue of secure RDP access has always been important. One of my favorite customers with Windows Server stack was a medium-size company in the financial sector, who’ve managed their custom software across multiple Windows Server environments, and their go-to solution for secure RDP access was Azure VPN. With all my love for Azure, their VPN (especially cert-based one, which required a lot of management overhead) was not the most user-friendly solution. ...

DockerHub rate limits DockerHub has a strict rate limit policy, especially for anonymous pulls. for anynomyous users: 100 pulls per 6 hours per IP address. for authenticated users: 200 pulls per 6 hours per IP address. => if your usage exceeds these limits, your requests are denied until the six-hour window elapses. Despite the fact that for authenticated users the rate limit is higher, these limits can easily break the CI/CD pipelines which use DockerHub as a source of base images, especially if runners aren’t ephemeral and use the same IP address for multiple builds. ...