<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Antho's Blog</title><link>https://www.anthony-balitrand.fr/</link><description>Recent content on Antho's Blog</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Tue, 12 Aug 2025 15:24:59 +0100</lastBuildDate><atom:link href="https://www.anthony-balitrand.fr/index.xml" rel="self" type="application/rss+xml"/><item><title>Firecracker Micro-VMs : the power behind AWS Lambda</title><link>https://www.anthony-balitrand.fr/posts/firecracker-microvms/</link><pubDate>Tue, 12 Aug 2025 15:24:59 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/firecracker-microvms/</guid><description>&lt;p&gt;We all use AWS Lambda, either at work to automate some workloads, or unknowingly in our daily lives, using our favorite apps and services.
When it was introduced by AWS in 2014, Lambda marked a turning point in the way we develop and deploy our applications and services, making it easier than ever : simply upload your micro-service code, and let AWS handle the rest (compute resources, scaling, availability, and maintenance).
This new paradigm, later known as &lt;strong&gt;serverless computing&lt;/strong&gt;, then became a foundation for modern cloud-native architectures by introducing the FaaS (function-as-a-service) model.&lt;/p&gt;</description></item><item><title>AWS re:Invent 2024 : wrap up !</title><link>https://www.anthony-balitrand.fr/posts/reinvent-2024/</link><pubDate>Tue, 17 Dec 2024 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/reinvent-2024/</guid><description>&lt;p&gt;This year, I had the luck to attend AWS re:Invent in Las Vegas, the “grand-messe” of Amazon’s Cloud.
Despite the very ambitious agenda that I planned, I was able to attend all my booked sessions and keynotes (at the cost of dozens of kilometers of walking, but I’ll come back to it later ^^), and I will try to give in this blog post most of the outcomes from those fascinating discussions.&lt;/p&gt;</description></item><item><title>Under the hood : Netflix Open Connect</title><link>https://www.anthony-balitrand.fr/posts/netflix-open-connect/</link><pubDate>Thu, 26 Sep 2024 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/netflix-open-connect/</guid><description>&lt;p&gt;In today’s digital entertainment and streaming services, only a few names resonate as strongly as Netflix.
With millions of unique users daily, Netflix is known not only for its impressive content library, but also for the quality with which it delivers this content. As network engineers, we easily understand that smooth streaming to viewers around the globe is a huge challenge. Since Netflix represents (as of today) 15% of the total Internet traffic, it is a challenge not only for Netflix, but also for all ISPs connecting Netflix users.
At the heart of this delivery system lies Netflix’s CDN, or Content Delivery Network, known as &lt;a href="https://openconnect.netflix.com/en_gb/" target="_blank" rel="noopener"&gt;Open Connect&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Leveraging BGP to mitigate network attacks: A comprehensive guide</title><link>https://www.anthony-balitrand.fr/posts/bgp-network-attacks-comprehensive-guide/</link><pubDate>Wed, 20 Mar 2024 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/bgp-network-attacks-comprehensive-guide/</guid><description>&lt;p&gt;In today’s world, network attacks occur every day, targeting all organisations, from the smallest to the biggest.
Denial of Service attacks (DoS or DDoS) are innumerable, and their scale increases from month to month.&lt;/p&gt;
&lt;p&gt;These attacks can disrupt services, overwhelm network infrastructure, and cause significant financial and reputational damage to organizations.
However, network administrators have a powerful ally in their arsenal to combat such threats : the Border Gateway Protocol (BGP).
In this article, we will explore how BGP can be leveraged to mitigate DoS attacks, focusing on key techniques such as Remote Triggered Black Hole Filtering (RTBH), Source-Based RTBH, and BGP Flow Specification (FlowSpec).&lt;/p&gt;</description></item><item><title>PaloAlto / Python - how changing matching logic divided DAG processing time by 300</title><link>https://www.anthony-balitrand.fr/posts/paloalto-matching-logic-performance/</link><pubDate>Tue, 20 Jun 2023 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/paloalto-matching-logic-performance/</guid><description>&lt;p&gt;If you ever worked with Palo Alto DAG (Dynamic Address Groups), you have an idea of how powerful it can be.
If you ever worked with Palo Alto DAG, you also have an idea of how unscalable it is (at the time of writing this post).&lt;/p&gt;
&lt;p&gt;Using it in production (mixed with static groups, which are the most commonly used yet), we noticed that devices using DAG take a lo[oooooooooo]t more time to commit changes than others (up to 45 minutes for some). According to Palo Alto TAC support, it’s because of the matching logic, which is performed at commit time, and populates groups which become static based on the DAG condition string and object tags : “Flattening the config to use static address group is the only option as DAGs involve TAG table construction and evaluation of DAGs for every IP”&lt;/p&gt;</description></item><item><title>Sending of large file through sockets boosted with Zero-copy !</title><link>https://www.anthony-balitrand.fr/posts/large-files-through-zerocopy/</link><pubDate>Fri, 14 Apr 2023 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/large-files-through-zerocopy/</guid><description>&lt;p&gt;Here we are for a new interesting (I hope !) technical topic.&lt;/p&gt;
&lt;p&gt;To be honest, I’ll talk here about something I discovered very recently, by looking at a very &lt;a href="https://www.youtube.com/watch?v=mpLsAm557-o" target="_blank" rel="noopener"&gt;interesting presentation&lt;/a&gt; from Netflix, talking about their OCA (Open Connect Appliances).
Those are powerful cache appliances that Netflix uses in its PoPs and also offers to ISPs, and which make up its CDN (called Open Connect).&lt;/p&gt;
&lt;p&gt;Of course, those appliances are intended to store as much content as possible, while delivering it at maximum speed to the largest possible number of users. Working at this scale, each performance increase is multiplied many times over.
And one of the “boosters” they use to increase the speed at which they deliver their content is the use of a feature called “ZeroCopy”.&lt;/p&gt;</description></item><item><title>Have fun with AWS GWLB : I wrote a Geneve router in Python :-)</title><link>https://www.anthony-balitrand.fr/posts/geneve-router-python/</link><pubDate>Sat, 18 Feb 2023 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/geneve-router-python/</guid><description>&lt;p&gt;AWS introduced GWLB (Gateway Load Balancers) a few years ago (&lt;a href="https://aws.amazon.com/about-aws/whats-new/2020/11/introducing-aws-gateway-load-balancer/" target="_blank" rel="noopener"&gt;Introducing AWS Gateway Load Balancer&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;This type of load balancer drastically simplifies the way you inspect your traffic among several VPCs: it avoids complex routing between VPCs, avoids the “sandwich design” with firewalls in each VPC, and also makes it possible (depending on the design) to inspect all public VPC traffic at a central point while still being able to give each VPC a public Elastic IP.&lt;/p&gt;</description></item><item><title>PaloAlto – Digging into API keys</title><link>https://www.anthony-balitrand.fr/posts/paloalto-digging-into-api-keys/</link><pubDate>Mon, 16 Jan 2023 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/paloalto-digging-into-api-keys/</guid><description>&lt;p&gt;I recently had to work on some stuff around PAN-OS API keys which made me want to understand how they are built and what they contain.
This is part of the “secrets” embedded in PAN-OS code, but trying to understand what API keys are built from might help you understand some strange behaviours you might encounter, and perhaps spare you some service disruptions… 🙂&lt;/p&gt;
&lt;h2 id="the-observation-"&gt;The observation :&lt;/h2&gt;
&lt;p&gt;In its documentation, Palo Alto explicitly writes &lt;em&gt;“To change an API key associated with an administrator account change the password associated with the administrator account.”&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Python refcount and garbage collection : under the hood</title><link>https://www.anthony-balitrand.fr/posts/python-refcount-and-garbage-collection-under-the-hood/</link><pubDate>Fri, 25 Nov 2022 19:05:53 +0100</pubDate><guid>https://www.anthony-balitrand.fr/posts/python-refcount-and-garbage-collection-under-the-hood/</guid><description>&lt;p&gt;In this (first) article, I will try to explain how Python tracks objects and reclaims memory space through its famous garbage collector. We’ll also learn (or review) some interesting stuff about Python variables and what they really are 🙂 .&lt;/p&gt;
&lt;p&gt;Almost every Python developer knows that the interpreter is smart enough to manage memory by itself, which is one of the reasons that make it attractive. However, most of them also confuse the garbage collector with the reference counting mechanism, which is way more active than the garbage collector in deleting unused (de-referenced) objects.&lt;/p&gt;</description></item></channel></rss>