Series MapLesson 109 / 112
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

Hybrid Cloud Platform Integration

Private Endpoints Registries Monitoring Hybrid Connectivity DNS TLS Failure Modes

Cloud/on-prem integration dan failure mode platform untuk Java/JAX-RS enterprise backend: private endpoints, container registries, monitoring, hybrid connectivity, DNS, TLS, debugging, and PR review

8 min read1539 words
PrevNext
Lesson 109112 lesson track93–112 Final Stretch
#private-endpoint#hybrid-connectivity#ecr#acr+5 more

Part 109 — Private Endpoints, Registries, Monitoring, Hybrid Connectivity, DNS/TLS Failure Modes

Fokus part ini: memahami integrasi platform cloud/on-prem di sekitar Java/JAX-RS service: private endpoint, container registry, monitoring, hybrid connectivity, DNS, TLS, dan failure mode yang sering terlihat seperti bug aplikasi padahal penyebabnya berada di platform/network layer.

Catatan penting:

This part does not assume CSG uses AWS PrivateLink, VPC Endpoint,
Azure Private Endpoint, Azure Private Link, ECR, ACR, CloudWatch,
Azure Monitor, VPN, Direct Connect, ExpressRoute, Transit Gateway,
Azure Virtual WAN, private DNS zone, split-horizon DNS, service mesh,
or any specific hybrid connectivity model.

Treat every platform and network detail as an internal verification item.

Core idea:

A production JAX-RS service is not only a Java process.
It is a participant in a platform graph:

image registry -> CI/CD -> cluster -> pod identity -> private endpoint -> DNS -> TLS -> monitoring -> incident workflow

When this graph breaks, the Java code may be correct but the service is still unavailable.

Senior engineer asks:

Can the pod pull the image?
Can the pod resolve private DNS names?
Can the pod reach private endpoints?
Can cloud services authenticate the workload identity?
Can telemetry leave the cluster?
Can on-prem systems reach the service path?
Can the service validate TLS certificates?
Can we prove where the request or connection failed?

1. Platform Integration Mental Model

A Java/JAX-RS service normally depends on more than its own container:

flowchart TD Code[Source Code] CI[CI Pipeline] Registry[Container Registry ECR/ACR/Internal] GitOps[GitOps/IaC] Cluster[Kubernetes Cluster] Pod[JAX-RS Pod] DNS[DNS / Private DNS] PrivateEndpoint[Private Endpoint / VPC Endpoint] CloudSvc[Cloud Service: Storage/Secret/Config/Monitoring] OnPrem[On-Prem / Partner Network] Obs[Monitoring / Logs / Traces / Metrics] Code --> CI --> Registry Registry --> Cluster GitOps --> Cluster Cluster --> Pod Pod --> DNS --> PrivateEndpoint --> CloudSvc OnPrem --> DNS Pod --> Obs

The dangerous assumption:

"The application is failing because the code is wrong."

The better model:

A production request can fail before Java sees it.
A dependency call can fail before the SDK sends a valid request.
A deployment can fail before a container starts.
An incident can be caused by DNS, TLS, registry auth, routing, firewall,
identity binding, or observability pipeline failure.

For a senior engineer, the work is not just fixing Java code. The work is finding the failed boundary.


2. Private Endpoint Mental Model

A private endpoint gives access to a service through a private network path instead of a public internet path.

Generic model:

flowchart LR Pod[JAX-RS Pod] VNet[VPC / VNet] DNS[Private DNS] PE[Private Endpoint] Service[Managed Cloud Service] Pod --> DNS DNS --> PE Pod --> VNet --> PE --> Service

Examples of services that often use private endpoints:

  • object storage
  • database service
  • secret manager
  • config service
  • message broker
  • container registry
  • monitoring ingestion endpoint
  • internal API gateway
  • partner/on-prem endpoint

Key point:

Private endpoint is not only routing.
It usually requires correct DNS, network policy, firewall, identity, and TLS.

A pod may have network access but still fail because DNS resolves to the public endpoint. A pod may resolve private IP but still fail because route tables or firewall rules block it. A pod may connect but fail TLS because the certificate name does not match the endpoint being used.


3. AWS-style Private Connectivity Concepts

Do not assume these are used internally. Use this as vocabulary for verification.

Common AWS-side concepts:

  • VPC Endpoint
  • Gateway Endpoint
  • Interface Endpoint
  • PrivateLink
  • private hosted zone
  • Route 53 resolver
  • security group
  • route table
  • network ACL
  • Transit Gateway
  • Site-to-Site VPN
  • Direct Connect
  • ECR private registry access
  • CloudWatch endpoint access

Typical private access path:

flowchart LR Pod[Pod in EKS/VPC] DNS[Route 53 / Private DNS] ENI[Interface Endpoint ENI] SG[Security Group] AWSService[AWS Managed Service] Pod --> DNS --> ENI --> SG --> AWSService

Questions to verify:

Is traffic using public internet, NAT gateway, gateway endpoint, or interface endpoint?
Is private DNS enabled for the endpoint?
Does the pod subnet route to the endpoint ENI?
Does the endpoint security group allow source traffic?
Does IAM allow the action after network succeeds?
Does the SDK endpoint override point to the intended service endpoint?

Failure signatures:

SymptomLikely boundary
DNS resolves public IP unexpectedlyprivate DNS not configured or wrong resolver path
connection timeoutroute/security group/NACL/firewall
connection refusedendpoint/service listener not reachable
TLS hostname mismatchwrong endpoint hostname or certificate path
403 after successful connectionIAM/resource policy
image pull failsECR auth/network/registry policy
telemetry missingCloudWatch/collector endpoint blocked

4. Azure-style Private Connectivity Concepts

Do not assume these are used internally. Use this as vocabulary for verification.

Common Azure-side concepts:

  • Azure Private Endpoint
  • Azure Private Link
  • private DNS zone
  • VNet integration
  • Network Security Group
  • route table / UDR
  • Azure Firewall
  • Application Gateway
  • Azure API Management internal mode
  • Azure Container Registry private endpoint
  • Azure Monitor private link scope
  • VPN Gateway
  • ExpressRoute
  • Azure Bastion / jump host pattern

Typical private access path:

flowchart LR Pod[Pod in AKS/VNet] DNS[Private DNS Zone] PE[Private Endpoint NIC] NSG[NSG / Firewall] AzureService[Azure Managed Service] Pod --> DNS --> PE --> NSG --> AzureService

Questions to verify:

Is the service exposed through public endpoint, private endpoint, or both?
Is the private DNS zone linked to the VNet?
Does AKS use Azure CNI, overlay, or another network model?
Are NSG/firewall/UDR rules allowing traffic?
Is ACR reachable privately by the node/pod path?
Is Azure Monitor ingestion available from the cluster network?

Failure signatures:

SymptomLikely boundary
DNS returns public IPprivate DNS zone not linked or not used
timeout to private IPNSG/firewall/UDR path issue
image pull errorACR identity/private endpoint/network issue
401/403 from serviceworkload identity/managed identity/RBAC issue
TLS errorwrong DNS name, private endpoint alias, custom domain issue
metrics/logs absentAzure Monitor/collector/private link issue

5. Container Registry as Production Dependency

A deployment cannot start if nodes cannot pull the image.

Registry path:

flowchart TD CI[CI Build] Image[Container Image] Registry[ECR / ACR / Internal Registry] Cluster[Cluster Node Runtime] Pod[Pod] CI --> Image --> Registry Registry --> Cluster --> Pod

Common registry failure modes:

  • image tag does not exist
  • wrong digest
  • image pull secret missing
  • registry authentication expired
  • node identity lacks pull permission
  • private endpoint/DNS path broken
  • registry blocked by firewall
  • image scanning policy blocks promotion
  • signed image verification fails
  • architecture mismatch, for example amd64 vs arm64
  • mutable tag points to unexpected image

Production rule:

Deploy by immutable digest when possible.
Do not rely only on mutable tags for regulated or high-risk production rollout.

Example deployment snippet:

containers:
  - name: quote-order-api
    image: registry.example.com/csg/quote-order-api@sha256:abc123...
    imagePullPolicy: IfNotPresent

Internal verification checklist:

[ ] Which registry is used: ECR, ACR, internal registry, or another registry?
[ ] Is image promotion tag-based, digest-based, or both?
[ ] Are images scanned before promotion?
[ ] Are images signed?
[ ] Are base images governed?
[ ] Can cluster nodes pull via private network?
[ ] Is imagePullSecret or workload/node identity used?
[ ] Is rollback image still available?
[ ] Is registry access observable during deployment failure?

6. Monitoring and Observability Platform Connectivity

Observability is also a dependency. When observability is broken, incidents become longer.

Telemetry flow:

flowchart LR App[JAX-RS App] Agent[OTel Agent / SDK / Log Agent] Collector[Collector / Sidecar / DaemonSet] Backend[Monitoring Backend] Alert[Alert Manager / Incident Tool] App --> Agent --> Collector --> Backend --> Alert

Important distinction:

Application is healthy != telemetry is healthy.
Telemetry is flowing != telemetry is useful.

Telemetry connectivity failure modes:

  • collector cannot resolve backend
  • collector cannot reach private ingestion endpoint
  • TLS trust issue between collector and backend
  • tenant/project/workspace key invalid
  • rate limit or ingestion throttling
  • metric cardinality explosion
  • log volume throttling
  • trace sampling unexpectedly too aggressive
  • namespace/resource labels missing
  • service name inconsistent across deployments

Operational impact:

If telemetry path is broken, mean time to detection and mean time to recovery increase.
If telemetry labels are inconsistent, dashboard queries silently miss affected pods.
If telemetry is too noisy, real incidents drown in irrelevant alerts.

Internal verification checklist:

[ ] Where do logs go?
[ ] Where do metrics go?
[ ] Where do traces go?
[ ] Is OpenTelemetry collector used?
[ ] Is telemetry egress public or private?
[ ] Are service.name, environment, cluster, namespace, and tenant labels standardized?
[ ] Are telemetry endpoints reachable from all node pools/subnets?
[ ] Are ingestion failures monitored?
[ ] Are alerts tied to SLOs or only infrastructure symptoms?

7. Hybrid Connectivity Mental Model

Hybrid connectivity connects cloud workloads with on-prem systems, partner systems, or private enterprise networks.

Generic model:

flowchart LR Pod[JAX-RS Pod] CloudNet[Cloud VPC/VNet] Hybrid[VPN / Direct Connect / ExpressRoute / Interconnect] OnPremFW[On-Prem Firewall] OnPremDNS[On-Prem DNS] Legacy[Legacy / Partner / Mainframe / BSS OSS] Pod --> CloudNet --> Hybrid --> OnPremFW --> Legacy Pod --> OnPremDNS

Hybrid integration adds failure modes that normal cloud-only systems do not have:

  • asymmetric routing
  • overlapping CIDR ranges
  • MTU fragmentation
  • firewall state timeout
  • TLS interception
  • enterprise proxy requirement
  • DNS forwarding loop
  • stale route propagation
  • on-prem maintenance window
  • partner allowlist not updated
  • NAT source IP mismatch

Senior review question:

Does this service have a dependency path outside the cluster/cloud region?
If yes, what is the routing, DNS, TLS, firewall, identity, timeout, retry, and runbook model?

8. DNS Failure Modes

DNS is often invisible until it fails.

Resolution path:

flowchart TD App[JAX-RS App / SDK] JVM[JVM DNS Cache] Node[Node Resolver] ClusterDNS[CoreDNS / Cluster DNS] Forwarder[DNS Forwarder] CloudDNS[Cloud Private DNS] PublicDNS[Public DNS] Answer[IP / CNAME] App --> JVM --> Node --> ClusterDNS --> Forwarder Forwarder --> CloudDNS --> Answer Forwarder --> PublicDNS --> Answer

Common DNS failure modes:

FailureConsequence
wrong private DNS zonetraffic goes public or nowhere
missing VPC/VNet linkprivate endpoint name resolves incorrectly
stale JVM DNS cacheapp keeps using old IP
CoreDNS overloadedintermittent lookup timeout
split-horizon mismatchpod and local workstation resolve different IPs
CNAME chain too long/wrongSDK endpoint failure
search domain surprisewrong internal hostname is used

Java-specific concern:

The JVM may cache DNS lookups.
If DNS changes during failover, a running process may not immediately observe it,
depending on JVM/networkaddress.cache.ttl/security configuration and runtime behavior.

Debug checklist from inside pod:

kubectl exec -n <namespace> <pod> -- nslookup <host>
kubectl exec -n <namespace> <pod> -- dig <host>
kubectl exec -n <namespace> <pod> -- getent hosts <host>
kubectl exec -n <namespace> <pod> -- cat /etc/resolv.conf

Application-level debugging:

Log dependency hostnames at startup.
Log resolved endpoint family only when safe and non-sensitive.
Avoid logging secrets, tokens, signed URLs, or full connection strings.
Expose dependency readiness only if it does not create cascading startup failure.

9. TLS Failure Modes

TLS problems frequently appear as vague client errors.

TLS path:

sequenceDiagram participant App as JAX-RS App / Client participant DNS as DNS participant Server as Remote Endpoint participant CA as Trust Store App->>DNS: Resolve hostname DNS-->>App: IP address App->>Server: TLS ClientHello with SNI Server-->>App: Certificate chain App->>CA: Validate chain and hostname CA-->>App: Trusted / rejected App->>Server: HTTP request over TLS

Common TLS failure modes:

SymptomPossible cause
certificate unknownCA missing from truststore
hostname mismatchDNS name does not match certificate SAN
handshake timeoutnetwork/firewall/proxy issue
protocol version errorTLS version/cipher mismatch
mTLS handshake failclient cert missing/expired/wrong CA
works locally, fails in poddifferent truststore, proxy, DNS, or egress path
works public, fails privateprivate endpoint custom DNS/cert mismatch

Java-specific TLS checks:

# From local or debug container if openssl exists
openssl s_client -connect example.internal:443 -servername example.internal -showcerts

# For Java-level debugging in non-production reproduction only
-Djavax.net.debug=ssl,handshake

Do not enable verbose TLS debugging in high-volume production without a controlled plan. It can expose sensitive metadata and overwhelm logs.

Internal verification checklist:

[ ] Which truststore is used by the JVM?
[ ] Are internal CA certificates injected into the image or mounted at runtime?
[ ] Is mTLS used for service-to-service traffic?
[ ] Where does TLS terminate inbound traffic?
[ ] Is TLS re-encrypted between gateway/ingress/service?
[ ] Are certificates rotated automatically?
[ ] Are certificate expiration alerts configured?
[ ] Is SNI required by downstream endpoints?

10. Private Endpoint + DNS + TLS Interaction

The hardest failures often combine DNS and TLS.

Example:

The pod resolves storage.company.internal to a private IP.
The TLS certificate is issued for storage.cloudprovider.com.
The app connects using storage.company.internal.
TLS hostname validation fails.

Another example:

The SDK expects account.blob.core.windows.net or bucket.s3.region.amazonaws.com.
Internal DNS overrides the name to a private endpoint.
The private IP is correct, but firewall blocks the subnet.
The app reports timeout.

Decision rule:

Do not "fix" TLS by disabling certificate validation.
Fix DNS name, certificate, trust chain, endpoint configuration, or SDK endpoint usage.

Bad pattern:

// Do not approve this in production PRs.
// Trust-all TLS clients turn network misconfiguration into security exposure.

Senior PR review should block:

  • trust-all certificate managers
  • hostname verifier that always returns true
  • disabled TLS validation
  • hardcoded private IP endpoints
  • logged connection strings
  • silent fallback to public endpoint without approval

11. Monitoring the Platform Graph

Platform dependencies should be observable explicitly.

Useful platform-level signals:

SignalWhat it protects
image pull error countdeployment reliability
pod pending timescheduling/storage/registry issues
DNS lookup latency/errordependency resolution
TLS handshake failuretrust/cert/hostname issues
connection timeout by dependencyrouting/firewall/private endpoint
401/403 dependency responseidentity/RBAC/IAM/policy issue
telemetry ingestion errorincident visibility
certificate expiry daysoutage prevention
registry scan failuressupply chain gate
deployment rollout durationrelease health

Application metrics should separate:

request latency != dependency latency
HTTP 500 != network timeout
auth failure != network failure
DNS failure != TLS failure
connection timeout != response timeout

Suggested error tags:

dependency.name
dependency.operation
failure.boundary = dns | connect | tls | auth | authorization | timeout | throttling | protocol | application
retryable = true | false

Be careful with cardinality. Do not put raw URL, customer ID, tenant ID, quote ID, order ID, or full exception message as metric label.


12. Runbook: Dependency Call Fails from Pod

When a Java/JAX-RS service cannot call a dependency:

1. Identify dependency name, host, port, protocol, and operation.
2. Check whether failure is DNS, connect, TLS, auth, authorization, timeout, or application response.
3. Exec into same namespace/pod class when safe.
4. Resolve DNS from inside cluster.
5. Test TCP connectivity.
6. Test TLS handshake with SNI.
7. Check network policies, security groups, NSG, firewall, route table.
8. Check workload identity/IAM/RBAC/resource policy.
9. Check dependency-side logs/audit trail.
10. Check recent deployment/config/DNS/cert/network changes.
11. Decide rollback, config fix, route fix, credential fix, or dependency escalation.

Example commands:

kubectl get pods -n <namespace>
kubectl describe pod -n <namespace> <pod>
kubectl logs -n <namespace> <pod> --previous
kubectl exec -n <namespace> <pod> -- getent hosts <host>
kubectl exec -n <namespace> <pod> -- nc -vz <host> 443
kubectl exec -n <namespace> <pod> -- curl -vk https://<host>/health

In locked-down production clusters, these tools may not exist in app images. Use approved debug pod or ephemeral container process if allowed by internal policy.


13. Runbook: Image Pull Failure

Symptoms:

ImagePullBackOff
ErrImagePull
unauthorized: authentication required
manifest unknown
x509 certificate signed by unknown authority
connection timeout to registry

Triage sequence:

1. Confirm image reference and tag/digest.
2. Confirm image exists in registry.
3. Confirm namespace has correct pull secret or node/workload identity.
4. Confirm registry policy allows cluster identity.
5. Confirm private DNS resolves registry endpoint.
6. Confirm network path from node/subnet to registry.
7. Confirm image architecture matches node architecture.
8. Confirm admission controller/signature/scanning policy did not block pull.
9. Confirm rollback image still exists.

Senior PR review should ask:

Can this image be pulled by production clusters before rollout begins?
Is the tag immutable or is digest pinned?
Is there a rollback artifact?
Is the image signed/scanned according to policy?

14. Runbook: Monitoring Missing During Incident

Symptoms:

  • app appears down but no logs
  • metrics stop for one namespace
  • traces missing for new deployment
  • alert does not fire despite customer impact
  • collector restart loop
  • ingestion quota exceeded

Triage:

1. Check whether app is producing telemetry locally.
2. Check agent/sidecar/collector logs.
3. Check collector queue/drop metrics.
4. Check egress/private endpoint to observability backend.
5. Check credentials/workspace/project key.
6. Check service.name/environment labels.
7. Check sampling config.
8. Check metric cardinality/relabeling/drop rules.
9. Check alert query changed or labels drifted.
10. Add incident note that observability gap affected MTTR.

Corrective action examples:

  • add collector health alert
  • add telemetry ingestion SLO
  • standardize labels
  • block deployment if service name missing
  • define fallback log access path
  • add synthetic check independent from app telemetry

15. Hybrid Connectivity Review

When a JAX-RS service depends on on-prem/partner systems, PR and design review must cover the network path.

Checklist:

[ ] What systems are reached outside cloud/cluster?
[ ] Is dependency synchronous or asynchronous?
[ ] Is route public, private, VPN, Direct Connect, ExpressRoute, or partner link?
[ ] Are source IPs allowlisted?
[ ] Is NAT involved?
[ ] Is DNS cloud-owned, on-prem-owned, or split?
[ ] Who owns certificate lifecycle?
[ ] Are maintenance windows known?
[ ] What timeout/retry budget protects the service?
[ ] What fallback exists if on-prem system is unavailable?
[ ] Is customer impact documented?

Critical rule:

Hybrid dependencies are often slower and less elastic than cloud-native dependencies.
Do not apply aggressive retry or high concurrency without explicit capacity agreement.

16. Common Anti-Patterns

Anti-pattern 1 — Assuming DNS is stable forever

Bad:

Hardcode resolved IP or rely on indefinite JVM DNS cache.

Better:

Use stable DNS names, controlled TTL, verified private DNS, and dependency reconnect behavior.

Anti-pattern 2 — Trust-all TLS to "fix" connectivity

Bad:

Disable certificate and hostname validation.

Better:

Fix truststore, certificate SAN, SNI, DNS, or endpoint selection.

Anti-pattern 3 — Registry is not treated as production dependency

Bad:

Deployment assumes image pull will work because CI pushed successfully.

Better:

Verify registry access from cluster, image immutability, scan status, and rollback artifact.

Anti-pattern 4 — Observability is best-effort only

Bad:

Telemetry failure is invisible until incident.

Better:

Monitor collector health, ingestion failure, label quality, and alert query coverage.

Anti-pattern 5 — Private endpoint without DNS ownership

Bad:

Endpoint exists, but workloads still resolve public hostname or wrong private zone.

Better:

Treat private endpoint, DNS, route, firewall, identity, and TLS as one deployable capability.

17. PR Review Checklist

For changes involving private endpoint, registry, monitoring, DNS, TLS, or hybrid connectivity:

[ ] Does the change alter DNS names, private zones, endpoint hostnames, or service discovery?
[ ] Does the change alter TLS certificate, truststore, mTLS, or SNI behavior?
[ ] Does the change alter registry path, image tag, digest, signing, or scan policy?
[ ] Does the change alter telemetry destination, service name, labels, or collector config?
[ ] Does the change introduce public egress where private path is expected?
[ ] Does the change introduce private endpoint dependency without DNS verification?
[ ] Does the change affect on-prem/partner allowlist or routing?
[ ] Does the change include rollback strategy?
[ ] Does the change include runbook or operational note?
[ ] Can we validate the path from inside the cluster before production traffic uses it?

Block PR if:

[ ] TLS validation is disabled.
[ ] Private IPs are hardcoded.
[ ] Secrets/connection strings are logged.
[ ] No rollback artifact exists for deployment change.
[ ] Monitoring labels drift from dashboard/alert expectations.
[ ] Hybrid dependency has no timeout/retry/fallback model.

18. Internal Verification Checklist

For CSG Quote & Order or any enterprise JAX-RS production service, verify:

Runtime/platform:
[ ] Which cloud(s) are used: AWS, Azure, both, on-prem, hybrid?
[ ] Which clusters run the service: EKS, AKS, OpenShift, other Kubernetes, VM, app server?
[ ] Is traffic public, private, or hybrid?

Private endpoints:
[ ] Are AWS VPC Endpoints/PrivateLink used?
[ ] Are Azure Private Endpoints/Private Link used?
[ ] Which dependencies require private access?
[ ] Who owns private DNS zones?
[ ] How are endpoint policies/firewalls reviewed?

Registry:
[ ] Which registry is used: ECR, ACR, internal?
[ ] Are image tags immutable?
[ ] Are deployments digest-pinned?
[ ] Is image signing enforced?
[ ] Is vulnerability scanning a hard gate?

Monitoring:
[ ] Which logging backend is used?
[ ] Which metrics backend is used?
[ ] Which tracing backend is used?
[ ] Is OpenTelemetry collector used?
[ ] Are telemetry ingestion failures alerted?

Hybrid:
[ ] Does service call on-prem or partner systems?
[ ] What network path is used?
[ ] Are source IPs allowlisted?
[ ] Is DNS split-horizon?
[ ] What is the escalation path when hybrid link fails?

DNS/TLS:
[ ] Is JVM DNS cache policy defined?
[ ] Are private DNS zones linked to service networks?
[ ] Are internal CA certs managed centrally?
[ ] Are certificate expiry alerts configured?
[ ] Is mTLS used anywhere?

19. Senior Mental Model

For this part, the senior-level takeaway is:

Application availability is an emergent property of code + runtime + network + identity + DNS + TLS + registry + telemetry + operations.

A Java/JAX-RS service can be perfectly implemented and still fail because the platform graph is broken.

When reviewing or debugging production systems, do not stop at:

Does the code compile?
Does the endpoint work locally?
Does the unit test pass?

Ask:

Can production pull it?
Can production resolve it?
Can production reach it?
Can production trust it?
Can production authenticate it?
Can production observe it?
Can production roll it back?
Can production explain customer impact when it fails?

That is the real boundary between application development and production engineering.

Lesson Recap

You just completed lesson 109 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.