Shannon Eldridge Kuehn

Conway’s Law: What Your Cloud Team Can Learn from Stressed Out Kitchen Staff I was reminded of Conway’s Law the day I watched an episode of The Bear where Carmy tried to redesign the entire kitchen workflow in the middle of lunch service. Onions were flying. Pans were screamin...

If your cloud architecture feels like Carmy’s kitchen during lunch rush, you might be running headfirst into Conway’s Law. I wrote about it.

www.shankuehn.io/post/conway-...

#conwayslaw #thebear #squads

Updating Your Scripts: PowerShell and Python for the New Azure PAYG APIs In my last post, I talked about what’s changing with Azure’s Pay-As-You-Go (PAYG) APIs and why the old Usage Details endpoint is being retired. Now it’s time to roll up our sleeves! If your FinOps aut...

My old Pay-As-You-Go API: 💀
My new Exports API: 😎

Microsoft is changing the endpoint, so I wrote a blog to save you the debugging spiral.

👉 Read it here: www.shankuehn.io/post/updatin...

#Azure #FinOps #Cloud

The Azure PAYG API Shift: What’s Actually Changing (and Why It Matters) If you pull cost data from Azure’s Pay-As-You-Go (PAYG) subscriptions, you might have noticed something new in Microsoft’s documentation lately: the legacy “Get Usage Details” API is being deprecated....

RIP to the old Azure Usage Details API. You served us well, throttles and all.

Time to meet your replacement: Cost Details and Exports.

What’s changing, why it matters, and how to stay ahead of the cutoff:
www.shankuehn.io/post/the-azu...

Latency vs Throughput: Why They Get Mixed Up and Why That Matters People often toss around latency and throughput like they are one and the same. They are not. They live in the same world but serve very different roles. One cares about how fast something starts. The...

Latency gets up early and moves fast.
Throughput stays up late moving a lot.

Read the full breakdown (and why your “slow” app might not be what you think):
👉 www.shankuehn.io/post/latency...

#Cloud #FinOps #PlatformEngineering #Azure #AWS #Latency #Throughput

Achievement Unlocked!

What Exactly is the "Azure Well-Architected Review"? Picture this: you have built a castle in the cloud (filled with all your Azure workloads). Everything looks amazing, but is it safe, strong, and efficient? Will it handle a sudden rush of traffic or u...

So this STILL comes up in conversations with customers (take note, Microsoft!):

Even wizards need architecture reviews. Check your castle before the dragons show up (in Azure).

#waf #wafr #wellarchitected #azure

www.shankuehn.io/post/what-ex...

Identifying Over-Privileged Identities Using Microsoft Graph All code for this blog can be found here.I keep hearing more and more interest by customers I work with in exploring Cloud Infrastructure Entitlement Management (CIEM) solutions. Their focus is usuall...

CIEM is fancy, but sometimes all you need is Microsoft Graph, PowerShell (or Python), and a quick reality check on who has way too much access.

#entraid #overprivileged #identity #IAM

www.shankuehn.io/post/identif...

When GitHub Won’t Clone: Fixing the SSL Certificate Problem on Windows So there I was, ready to pull down a GitHub repo and get to work finishing a recent blog. I typed in the familiar command:git clone https://github.com/sbkuehn/transit-routing-vnet-peer.gitAnd what doe...

There’s nothing like an SSL certificate error to remind you technology is basically duct tape and trust. Blog’s up on the quick fix for GitHub clones on Windows (yeah, yeah, yeah...I should probably just use a Mac at some point).

www.shankuehn.io/post/when-gi...

Resetting MFA in Microsoft Entra ID: The Three Flavors of Reset All code for this blog can be found here. I've been trailblazing with Azure since 2016. Before 2016, I set up an Entra ID (formerly Azure Active Directory) tenant for my O365/Exchange Online environme...

MFA resets: Because apparently everyone’s phone disappears right before Monday’s all-hands. New post breaks down the three ways to reset MFA in Entra ID. Spoiler: Not all resets are created equal.

👉 www.shankuehn.io/post/resetti...

Transitive Routing in 2025: Still Relevant, Still Causing Trouble All code for this blog can be found here.So this is still relevant in 2025. Having worked at Microsoft, I always believed customers were at the AI level of cloud adoption. After Microsoft and working ...

Transitive routing in 2025: still breaking my home lab. Turns out the problem was me (and my networking design). Blog’s here:

shankuehn.io/post/transit...

#networking #cloud #design #transitiverouting

Flipping a Spot VM to PAYG in Azure (Without Losing Your Disks, NIC, or Sanity) All code for this blog can be found here.So you went all-in on Spot VMs to save money, but now you’ve hit that dreaded eviction wall. Whether your instance was deallocated or you’re simply ready to mo...

Me: “Let’s save money with Spot VMs.”
Azure: “LOL. Cute. Evicted.”

So I:

1. Dug up the disks & NIC
2. Deleted the VM
3. Rebuilt it PAYG
4. Enabled Trusted Launch
5. No IPs harmed. No restore point needed.

Blog: www.shankuehn.io/post/flippin...

#Azure #CloudOps #PowerShell

Site-to-Site Networking with Tailscale: Part 3 — Two Regions, One Tailnet All code for this blog post can be found here.By now you’ve probably figured out I like to make things harder on myself before I make them easier. The first blog post was about beating the UDM Pro int...

Pulled the plug on my Azure S2S VPN. Everything still works. Tailscale: 1, old VPN: 0. 🐢🌐

www.shankuehn.io/post/site-to...

#tailscale #meshvpn #azure #cloudops #part3

Fixing “Sudo Status Check Failed” in Azure Update Manager All code for this blog can be found here.Azure Update Manager promises to make patching easier. The idea is simple: assess your VMs, install updates, and report on compliance without you logging into ...

Azure Update Manager didn’t work. Now it does. The fix? One sudoers line. 🎤 www.shankuehn.io/post/fixing-...

#azure #update #manager #sudoer #fixitall #learnitall

When Az CLI and Windows Stop Playing Nice Shannon's Disclaimer: All code for this blog can be found here. I'm going to start out code based blogs with their own repo and will clean up older blog posts as time allows.If you spend enough time w...

Az CLI on Windows: where az login turns into chaos engineering. where.exe az found the culprit, cleanup fixed it.

#azcli #windows #dllnotfound

www.shankuehn.io/post/when-az...

Demystifying Log Retention in Azure Often times I think the idea is not to confuse, but when you sort of pile on all the different services in Azure, some of the details get muddy and quickly. One of the areas that I even have hard time...

Not all Azure logs are created equal. Some stick around for 90 days, some for years, and others vanish unless you export them. I broke it down in Demystifying Log Retention in Azure.

www.shankuehn.io/post/demysti...

#monitorallthethings #log #retention #azure #cheat #sheet

"I'm Using GRS...Aren't I Covered?" A Curious Question Met With The Reality of Azure Storage This post came from a customer conversation that started with a seemingly innocent question:“I’m using GRS for my storage accounts. Doesn’t that basically cover me if there’s a compelling event?”On th...

Durability ≠ Resiliency ≠ Backups.

A customer asked me: “Doesn’t GRS mean we’re covered?”

I wrote up why the answer is “partially”...plus shared a PowerShell script to check your own Blob accounts. #Azure #storage

🔗 www.shankuehn.io/post/i-m-usi...

More Home Networking Wrestling! One of the joys of running a homelab is the constant reminder that technology never sits still. I'm currently in the middle of a massive overhaul at home and I've heard that my posts have helped other...

Spent part of the weekend in my homelab making packets flow like magic… because “everyone connected everywhere with ease” doesn’t configure itself.
#homelab #pihole #networking

www.shankuehn.io/post/more-ho...

Site to Site Networking with Tailscale: Part 2 — Teaching Azure Some New Tricks In Part 1, I wrestled my Unifi Dream Machine Pro into submission and got it talking on Tailscale. That gave me a subnet router for my home LAN (192.168.1.0/24). Now it is time to bring Azure into the ...

Looked simple on paper. Reality? Approvals, retries, and angry routes before my Azure subnet router finally behaved. Now the tailnet stretches clean across on-prem + cloud. Part 2 blog with the scars included.

#tailscale #azure #azcli

👉 www.shankuehn.io/post/site-to...

Site to Site Networking with Tailscale: Part 1 — Wrestling a UDM Pro Into Submission I set out to replace my traditional Azure site to site VPN with something lighter and easier to manage (plus Microsoft is effectively retiring the Basic S2S VPN SKU on January 31, 2026). The idea was ...

Standard VPNs in Azure are expensive. Wrestling a UDM Pro into Tailscale is comedy. At least the repo errors built character. 😂 #part1of3 #tailscale #udmpro

www.shankuehn.io/post/site-to...

Building the Right Platform Engineering Team Platform engineering isn’t just about standing up Kubernetes clusters or pushing Terraform templates. It’s about creating a team that accelerates developers instead of slowing them down. In today’s cl...

Platform engineering teams succeed when they scale together...not when one person is sweating bullets while everyone else just codes away. #teamdynamics #structureyourteamright #platformengineering

www.shankuehn.io/post/buildin...

Kubernetes without an Operating Model is Just Controlled Chaos Containers and Kubernetes often arrive in organizations with big promises. I can't tell you the amount of customers I work with who believe Kubernetes is the promised land (oh contraire mon frere). Ge...

Some more content comin' for ya'!

Kubernetes is magical, but the real trick is having an operating model so the magic does not burn down the village. #k8s #kubernetes #sorcery #magic

www.shankuehn.io/post/kuberne...

How to Remove Microsoft Sentinel (Security Insights) from a Log Analytics Workspace Over the course of my career, I've picked up various Visual Studio Subscriptions that enable me to build and maintain a small Azure footprint to the tune of $150/month. My Microsoft Certified Trainer ...

Pro tip: Don’t “accidentally” enable Sentinel in your VS sub with IaC… unless you want it to self-destruct in 17 days. 😅

I learned the hard way. Here’s how to turn it off without redeploying:

🔗 www.shankuehn.io/post/how-to-...

#Azure #Sentinel #LogAnalytics #TipsFromTheField

Turning on Boot Diagnostics for Every VM in Your Azure Tenant Like a lot of my posts lately, this one kicked off with a customer question. An innocent question at that, but the kind that makes you pause and realize plenty of others are probably wondering the sam...

The easy questions never make it to my meetings.

What makes it to my meetings?

“How do I save the day when every VM across my tenant forgot boot diagnostics?”

Answer: PowerShell, Policy, and a new blog post to follow.

#azure #bootdiagnostics #howto

www.shankuehn.io/post/turning...

Past the Price Tag: What FinOps Success Really Looks Like When people hear the word FinOps, their minds almost always jump to one thing: savings. • “How much money can we cut from the cloud bill?” • “Where can we shave costs?” • “Why is this so expensive?” ...

NEXT BLOG POST!

You can’t cut your way to growth. FinOps success isn’t measured in discounts, it’s measured in decisions. Here’s the next step beyond savings.

www.shankuehn.io/post/past-th...

#metricsthatmatter #beyondcostsavings #finopsevolution

The Great Disk Space Hunt: Why Azure Resource Graph Won’t Tell You Everything Like a lot of my blog posts as of late, I get asked all sorts of questions by customers struggling to make sense of Azure and in this case, it all started innocently enough: A customer asked me a seem...

Me: How much free space do my Azure VMs have? Azure Resource Graph, do you know?
Azure Resource Graph: Lol, nope.
Me: PowerShell + Log Analytics to the rescue.

www.shankuehn.io/post/the-gre...

From Scratch to Saved: My Pi-hole Rebuild Adventure A few weeks ago, my Pi-hole started throwing up errors that I may have incorrectly identified as a bad upstream DNS provider. Now do I fault the learnings I gleaned? I don't. I really enjoyed reading ...

Pi-hole errors a few weeks ago? Yeah it was evidently my SD card softly whispering “I’m dying.”

Did I back up? LOL no.

Catastrophic failure → Scrambled recovery → Backups now running.

We grow.

🔗 www.shankuehn.io/post/from-sc...
#pihole #disasterrecovery #bash #powershell

Stop Running FinOps Like a Finance Project...Build It Like a Platform! Like a lot of my posts, this conversation came up last week with a customer. As per usual, I figured a quick glimpse into what I've seen work with customers might help demystify concepts that customer...

Leaving FinOps to just finance is like asking your accountant to fix your leaky sink. Leaving FinOps to just engineering is like asking your plumber to run your company budget.

P.S. Treat it like a platform. Everyone wins.

www.shankuehn.io/post/stop-ru...

#finops #platformengineering #blendit

Azure Migrate: Agentless or Agent-Based? What You Actually Need to Know What's interesting is there are still customers I work with who are considering a full blown datacenter migration to cloud. This is why I've loved my job at AHEAD because I'm back in the mix of actual...

Before you install an agent on 200 servers, read this! No need to YOLO your migration strategy...into #Azure!

www.shankuehn.io/post/azure-m...

#agentless #fullofagents #butnotagentic

Kubernetes, But Make It Fashionable: Breaking Down OKD, ARO, ROSA, OpenShift Virtualization, AKS, EKS, and GKE I am genuinely starting to realize there's still a lot of confusion out there and arguably I'm also pretty confused myself a lot of days (especially with new tech or terminology I'm not familiar with)...

Me: I just want to run containers.

The cloud: Cool. Here's OKD, ARO, ROSA, Virtualization, AKS, EKS, and GKE. Good luck.

I made a guide that actually explains the difference...no buzzwords, just what you need to know.

www.shankuehn.io/post/kuberne...

Shannon's Recent Take: The best Public DNS Servers for BOTH Unifi & Pi-Hole If you're running a Pi-hole on your network or managing internet traffic through Ubiquiti's UniFi gear like the Dream Machine or UDM Pro, you're already thinking like an enterprise architect (yes, eve...

I refreshed upstream DNS servers in my home lab, did a bunch of reading along the way, and figured I'd share my insights in case you have a similar setup at home (or are considering a similar setup)! #publicdns #dns #unifi #pihole #ubiquiti #udm

www.shankuehn.io/post/shannon...