Search
Follow me:
Listen on:

Day Two Cloud 113: Multi-Cloud Network Visibility And Automation With Aviatrix (Sponsored)

Today’s Day Two Cloud episode dives into multi-cloud networking with sponsor Aviatrix. As infrastructure moves to public cloud, visibility can become an issue. For instance, unlike with on-prem switches, you can’t just plug in a tap and start collecting flow records.

Automation can also be a challenge in the cloud. Network teams have to keep up with their counterparts in the organization, but may not be familiar with automation tools, processes, and constructs.

Aviatrix offers a cloud network platform with a common data plane and operational model that works across public clouds and supports visibility and automation. We dig into the Aviatrix product with Aviatrix and a customer.

Our guests are John Smoker, Customer Solutions Architect at Aviatrix; Justin Payne, Cloud Network & Security Architect at Mueller Water Products; and James Devine, co-author of the AWS Certified Advanced Networking Official Study Guide.

Show Links:

Aviatrix

@aviatrixsys – Aviatrix on Twitter

Aviatrix on Twitter

Heavy Networking 589: Cloud Networking’s Good, Bad, And Ugly: What CSPs Don’t Tell You (Sponsored) – Packet Pushers

Heavy Networking 507: Build And Run A Multi-Cloud Network Architecture With Aviatrix (Sponsored) – Packet Pushers

Transcript:

[00:00:05.720] – Ethan
Welcome to Day two Cloud. We got a sponsored show for you today with Aviatrix. Aviatrix does multicloud networking, and they make the whole cloud networking thing suck less. They’ve been on the Packet Pushers podcast network before, and we’re going to get into aspects of visibility, that challenge and then automation and what’s going on with that. Ned, what stood out to you in this recording?

[00:00:26.940] – Ned
I think the thing that stood out to me is the automation conversation we had when you get to any kind of scale in cloud, automation is key. One of the guests, Justin, was talking about doing things manually in the UI, and we all agreed that’s a terrible idea to do even more than once, because we’re all terrible typist and we all make mistakes. So it was really good to hear about the automation that Aviatrix brings to the table.

[00:00:50.460] – Ethan
I don’t know what you’re talking about. This typing in errors. I’ve never had that problem, except every time. Anyway, please enjoy this episode with our guests. They are Justin Payne, Cloud Networking and Security architect at Mueller Water Products. He’s an Aviatrix customer is going to be speaking firsthand about what he’s done with the product. John Smoker, Customer Solutions architect at Aviatrix. And he’s a former Aviatrix customer before he joined Aviatrix. And then last but not least, James Devine, coauthor of the AWS Certified Advanced Networking Official Study Guide, former AWS Human, and now another one that has joined the Aviatrix team. Please enjoy this show.

[00:01:28.160] – Ethan
James, welcome to the show. First question to you, the problem of visibility when I have moved my infrastructure to public cloud because as an enterprise guy, I am used to really owning everything, being able to see everything, have my monitoring systems that tell me all the things that someone asked me a question I can say, yeah, it’s this see the thing that’s out of range or whatever the problem is. But with public cloud, I feel like, well, maybe that’s the question James. How much visibility am I losing as I move Ops into public cloud?

[00:01:59.020] – James
You know, a lot of folks think that they’ll get that same level of visibility in the cloud, but actually, the constructs are quite different. You can’t plug in network switches and taps, you can’t just set up net flow on routers. In fact, there aren’t even routers. We’re working on the overlay network on top of the providers. So you actually do lose a good amount of that ability to do physical tapping and put devices in the network and run net flow and all of those things that you’d really just expect to be there.

[00:02:25.280] – James
And the provider will tell you if you’re in AWS, we have flow logs. If you’re in Azure, there’s traffic flow or there’s traffic logs, we got you covered. And it’s not. Like essentially you’re getting allow and deny list and what you do with that and how you use it becomes really difficult. Like, how do I take flow logs across 100 different accounts and aggregate them to get an actual holistic view of my network? Not an easy problem to solve, actually.

[00:02:49.200] – Ethan
So where are you taking us down the road here. You said that we have you covered, as in Aviatrix, and I think what you’re getting to is the CoPilot product. Is that right?

[00:02:57.880] – James
Yeah. So certainly we do. And the provider will tell you they have you covered, but then kind of mislead you and send you a bunch of blog posts on how you can kind of stitch these things together. I don’t know. Many network engineers that I’ve talked to that know things about deep analytics and and all of these services that you need to stitch together to get an EndToEnd workflow that you can just do on Prem. It’s not really an analogy.

[00:03:21.370] – Ned
Yeah. James, if I may, I know AWS is notorious for this. They’ll say, oh, yeah, we can solve that. No problem. But what they actually give you is 16 of their solutions that have been cobbled together with Lambda scripts, and you’re just now responsible for managing that entire mess. And they go, Well, we do have a solution. You can use it. Yeah, you can use it. But it’s going to require a lot of admin overhead on your part. So I’m assuming A, your solution has little less admin overhead, and B, it’s going to work in more than just AWS, right?

[00:03:53.600] – James
Ssh, totally. Yeah. That’s the benefit of our platform. It’s multicloud aware, pick a cloud and deploy our infrastructure, and then get the visibility. We do net flow by default. So all of our gateways that we deploy for our data plane are actually exporting net flow directly to our net flow collectors that we call CoPilot. So we have deep insight, and we’re actually quite uniquely positioned to have really deep visibility across your entire multicloud network.

[00:04:21.080] – Ned
Okay. So if I have multiple cloud presences, is this something that I need to install a bunch of agents everywhere, or is it something a little bit lower touch than that? Because I know that can be a difficulty is getting things rolled out in all the various accounts and subscriptions I have across all my different cloud presences.

[00:04:42.180] – James
Yeah. And that is a common concern we hear from customers. And the good news is we do all of that automation for you. So we’ll build out our gateways, we’ll update your route tables. In fact, I’ve deployed in clouds that I’ve never logged into GCP and configured anything. I’ve deployed network infrastructure into it. So that’s the power of our platform, for sure.

[00:05:01.940] – Ned
Yeah. If you’ve ever logged into the GCP portal, you might have regretted it. So I think not having to touch it is actually a bonus. That’s pretty awesome.

[00:05:12.180] – John
Yeah, Just to speak to what James was saying there and kind of give some context that might resonate with some folks when I was an Aviatrix customer. So on the other side of the fence, prior to bringing Aviatrix in, we had actually spent developer cycles on putting together our own visibility tooling because of what was lacking from the cloud provider. And of course, it was time we spent. It was very specific to certain infrastructure that we had and very specific to the cloud that we were in.

[00:05:48.850] – John
And so once you’ve done that, if you want to expand, well, now you’ve got to do all of that work over again.

[00:05:56.980] – Ned
So that was a custom solution that your developers actually wrote in house, and you were responsible for maintaining it yourself. What did that look like if you were rolling out a new region or a new account, how much work did you have to do with your custom solution to get that integrated into your monitoring?

[00:06:17.490] – John
Yeah it was, as long as you were in the same region, we had many accounts. And so we had had made it work such that each development team could deploy that and get that visibility for themselves. But again, if they wanted to use a different cloud product offering, it would have to be tweaked for that. Maybe it doesn’t work with RDS or some other thing that we hadn’t accounted for. And so you have constant care and feeding.

[00:06:52.180] – Ned
Right. And Clouds are constantly introducing new services and features that developers are like, oh, I want two of those. So now you’re on the hook for the monitoring aspect. So it sounds like you kind of gave up on that a little bit. Or at least you tried some other products and this Aviatrix Copilot was the one that you landed on?

[00:07:11.470] – John
Well, even before CoPilot was out, and we brought Aviatrix into the organization. We brought Aviatrix in originally for VPN and expanded from there because of all of the other things it gave us. But just right out of the box, Flight Path gave us much of what that tooling had given us previously. Just end-to-end, can this thing talk to that thing> and what Flight Path gave us on top of that, was this is why you can’t talk from this thing to that thing.

[00:07:43.500] – Justin
We did use, Ned as you said with Amazon Services, it was always my joke was for an extra nickel or $0.25 they’d give me some flow log or give me some extra feature. And before long, we found, you know the cloud was always supposed to be cheaper. Before long, we saw it to be really expensive. We were fortunate enough to be able to take advantage of Copilot, here where I work now, and being an old time 25 years in an on premise net flow, using all those types of Cisco devices and things like that, I really was not wanting to move to the cloud.

[00:08:18.070] – Justin
I was fighting it tooth and nail. But using Copilot with Aviatrix, it’s been a real enjoyment to see to just be able to see those source and destination ports coming through those controllers. Being able to pick up all those even down to everything having a Geo to it so I can see the countries I’m going to. When your on Prem, you don’t. You don’t worry as much about that because you kind of control the edge and you kind of control that a little better. With AWS and its scalability, you find more.

[00:08:49.410] – Justin
At least we do developers wanting to spin up their own stuff, so it becomes a lot more kind of this scope creep type of thing. But the flow IQ that they have in that product has really been enjoyable. Plus some of the things like they have a topology replay where you actually can go back months and actually see every change up down. Like if we have down, like a controller or gateway, that’s having some issues, I can go back and say, okay, over the past three months, this has been down ten times.

[00:09:23.840] – Justin
And see why, go actually go look at the changes throughout that period and actually replay the topology changes within our network in the cloud, which is really impressive for us to be able to do that as well.

[00:09:35.490] – Ethan
So Justin as an end user of the Aviatrix Copilot take us, let’s go back a step. I want to understand what this is because we started out saying, hey, flow collector and flow collector, I think for network engineers, brings in a certain kind of image in mind. You’ve got metadata about a flow and here’s these stack graphs and different things like that. Sometimes you can drill into them and sometimes it’s helpful and sometimes it’s okay. But then you said topology and history, and so it feels like this is more than just a flow collector.

[00:10:05.660] – Justin
Absolutely. So CoPilot at least of my perspective, the Aviatrix crew there can explain it more, but from an end user, it’s more as its name. It’s really meant to be kind of your copilot along your journey and quickly see things from a dashboard GUI type thing. So there’s quite a few, quite a few terminologies and technologies. There’s a dashboard when you log in, that kind of lays out what’s up, what’s down, what’s connected, how your overall multicloud looks from your Azure or AWS being a multicloud for us, being able to see how that overall looks.

[00:10:42.620] – Justin
And then as you kind of see things are up or down or you need to look in deeper, you can go into the flow. It is very easy to look at. You don’t have to be a network engineer to do it. I think they kind of roll it around there, but you can drill down often drill down and actually pick two endpoints or pick two technology as protocol or service and actually start to drill down and look at that a lot deeper in some things. I don’t like what I see.

[00:11:10.240] – Justin
Like, hey, I’ve got something talking to China and I’m like, what is that? I’ll drill down. I kind of get that anxiety, that pressure, and I’ll drill down and like, okay, you that’s something they expected, but they also have built in some newer things. I’ve been a copilot user for about 16-18 months, was a beta user, one of the first there and kind of rode into production, but they have recently added the ability to actually see threats through those controllers. Some of the ideas, basically, that each one of your networks has a controller in there.

[00:11:42.780] – Justin
And so we can see the data coming back and forth as you get that east to west type traffic. And actually to be able to see hey, these are some bad IPs on a block list or dynamic. They have some reputation to them that are not good. Your machines are talking to those, and being able to actually see that vulnerability, that protocol is really helpful to us as well.

[00:12:03.320] – Ethan
So CoPilot then, is your visual look at the entirety of the network, all of your Aviatrix endpoints, all of your presence in the cloud. It knows topology. So that tells me you could do something like, show me the path that this flow is taking from AWS to Azure or something like that.

[00:12:23.080] – Justin
Absolutely. It will for us. We can actually point at an instance. And like an EC2 instnace figure looking at AWS or a virtual machine or those type of things, you actually point an instance. And on two points that actually see the latency to see the path it takes to see the trend, which is really cool. Like, if I want to see hey, is this thing starting to spike at midnight or 02:00 a.m.. What’s going on? And then drill down to that a little better, but yeah, endpoint to endpoint.

[00:12:51.670] – Justin
It draws out a nice graphic for you. Kind of the old school flows. You remember how the old school flow graphs look? It does that as well, but also it can be a very simple here’s the route it takes here’s. All your ACLs pass all your security groups pass. Those type of things look good. So you might want to dig a little deeper and get more into maybe what third party or something out there is blocked. It pretty neat.

[00:13:17.110] – John
I like to describe it as your Visio diagram or your Lucid chart that’s AWS always up to date that you can troubleshoot right from within the diagram.

[00:13:27.950] – James
It was actually a big ask when I was at AWS talking to customers. What does my network look like? How do I even know? And I always had to say, well, you know, there’s third party tools out there that will do that, but it just wasn’t seen as something that needed to be in the platform. So it’s not and you’ll see, some of the CSPs do have it, but it’s very rudimentary. So we not only have the data plane since we know how to make API calls into all the clouds, we get a lot more visibility and insight into all of these things.

[00:13:54.330] – James
Kind of all under the Copilot product, and that’s just kind of the day two operations part of our products, whereas we have a product that does the controlling infrastructure, the controller, the CoPilot is the visualization object. It’s hard to show that on a podcast. It’s a really compelling demo, especially if you’ve seen other tools out there. It’s really nice, but we can always set up demos with customers, and we share that a lot, and we’re rapidly innovating on it as well, which is really exciting.

[00:14:24.560] – James
We just recently came out with Threat IQ, the feature that Justin was talking about. And it’s actually really nice because we’re in the data plane. We’re seeing all of the traffic going through the network within a cloud, within a region between clouds. We see all of these data flows. We can actually alert on malicious IP addresses. So if there’s bad IP ranges. So the first release that we’ve put out, it’ll do kind of that alerting and let you know what’s going on, and then the Sky’s the limit.

[00:14:52.170] – James
From there, we can actually go in and in the future, be able to do block rules and add more capability to be Proactive about security as well. So we take that really seriously. It’s a nice feature.

[00:15:02.140] – Ethan
James, a couple of questions. The first one is when you were at AWS and people were asking for some insight, you were like all these third party tools. Why didn’t you just shame them and say, first of all, buy my book, second of all, what do you mean, you don’t know your own network? I mean, you could have gone down the road. It would have been fun, man.

[00:15:18.520] – James
Yeah, we always tried to be customer obsessed, and I didn’t want to push it. I didn’t get any royalties on that book.

[00:15:25.300] – Ethan
Even if you got royalties. Hey, how much would those have added up to? Not much. Let’s face it, not much.

[00:15:30.840] – Ned
Yeah, we don’t write books for the money, that’s for sure.

[00:15:33.560] – James
It’s a labor of love.

[00:15:35.680] – Ethan
Another question here about latency. Latency monitoring, I was triggered. It’s one of my favorite topics, isn’t it, Ned? I know, I’m sorry. But can I tell Hop by Hop what my latency is it? Is it end-to-end? How do I get a latency measurement from CoPilot?

[00:15:50.830] – James
Anywhere we can measure latency between our gateways, we show that those latencies you can see within a region between regions between clouds. We also for site for we call the site to Cloud VPN connection. We can monitor the latency on that type of connection as well. And then our feature called App IQ, that’s a feature of CoPilot. So anywhere that we have a link, so be it from gateway to gateway across clouds, across regions within clouds, and also our VPN connections to on premises and other locations.

[00:16:23.900] – James
We can track the latency on all of those and show them real time. And then you can pick two source and destination in your network throughout the topology, and then we can actually map out that entire data flow and then show you the latencies along each hop. So it’s a really good way. Someone complains. My application slow. The first thing they’re going to say, it’s the network. So we can show a map and say, Well, it’s not the network. Maybe it’s the application kind of back and forth between app and networking folks.

[00:16:53.700] – Ned
Another interesting thing that I pick out from that is not just the latency aspect, but when you’re trying to figure out why two things just can’t talk to each other, and there are some rudimentary tools in AWS and in Azure that will let you do sometimes endpoint to endpoint within the same cloud. But when you’re trying to troubleshoot across two clouds or down to on Prem, that’s super complicated. So it sounds like that’s something that Justin, you’ve used this before, is to troubleshoot getting out of the cloud, down to whatever instance you’re working on. Can you tell me a little more about that?

[00:17:27.060] – Justin
Of course, that’s one of my favorite things that saved me more times than I can count, because when I started building out cloud for us, nobody wanted to touch it. And then once I get it all done, everybody wants their credit for it and the the glory of it. So they’ll spin up an EC2 instance, a perfect example. They’ll spin up an EC2 instance and put a security group there that doesn’t allow what should happen. And then they tell me the network’s broke something’s wrong.

[00:17:53.340] – Justin
Nothing can talk that type of emergency, and being able to use CoPilot or Flight Path like John was saying and actually pull up those two instances. Okay, here’s a starting point. Here’s an endpoint that you just built and actually look and say, hey, it’s because your security group is blocking it. So it’ll actually run through a number of checks and say, hey, your route is good. Your security groups are good, your ACLs are good, the network is fine. And if one of those doesn’t pass, then, you’ll know, immediately it’ll say a big red box say, hey, your security groups bad.

[00:18:25.840] – Justin
And then I just call the guy and say, hey, why you open that in your security group, you’ll be fine. And they’re oh, How’d you do that? You know? And of course, I take all the credit and don’t tell them I have Aviatrix, you know, so it works out well.

[00:18:36.460] – Ned
Oh, that’s great.

[00:18:37.430] – Ethan
Justin, to qualify that you said security groups, are we talking cloud native AWS security groups or Aviatrix security group magic.

[00:18:45.020] – Justin
We’re talking to AWS. It’ll actually those basically open Port source, destination Port security groups.

[00:18:52.980] – Ethan
Well, Justin, thank you for the look at CoPilot. I’ve got a pretty good image of this in my mind here. And this it’s one of those things that where if you’re a network engineer and you’re used to that on Prem World, and you want to have all the tooling that you have and you’re used to and you’ve had for so long in the cloud. This is a way to get it with CoPilot, but now I want to move us to the future. Justin, Well, I don’t know.

[00:19:15.820] – Ethan
Is it the future for you? Automation? That’s the big question here. How have you guys done with network automation as you’ve headed up to public cloud?

[00:19:23.710] – Justin
That’s a great question. Yes, automation is the future, because as most IT groups, they never give me enough hands. And I’m only one person, and Cloning is not working well yet. So I do need to automate some features. Absolutely. And we do have a little bit of automation in our network around Paloo Alto type things. But fortunately, I’ve been talking to Aviatrix about using Terraform for ours because we’re spinning up new accounts, new VPCs, sometimes twice a day, and with just a small group, with all we manage it’s hard.

[00:20:01.900] – Justin
So our goal and I know John could talk with more about this. Our goal is to basically use Terraform, use automation to, hey, trigger, do some trigger through some tickets, instance, type things, and actually do all that work for us and be good there.

[00:20:17.750] – Ethan
So before we get to the specifics then Justin, can you describe the set up where you see automation being used? As in you got tickets coming in describing some kind of work? Is that like someone spinning up a workload and you need to do some sort of network provisioning in conjunction with that? Or is it like you got to pave the road ahead of time sort of thing, like we’ve done historically.

[00:20:38.150] – Justin
A little bit of both. So it’s really for us and our environment is, as we scale adding new accounts, so they’ll spin up account in AWS or in Azure and need actual network, whether it’s like a VPC or some sort of virtual private cloud there. And in order for that to talk to other things, some action has to be taken. If not, they won’t be able to remote into their EC2 instances or into their VMs. They won’t be able to do their work, get to it access.

[00:21:09.290] – Justin
We won’t be able to talk to other functions, databases and things like that. So where we’re heading is actually allowing our ticketing system. They will open up a ticket and say, hey, I’ve opened a new VPC or a new account, and they actually use Terraform and Aviatrix actually do that connection for us. And from that with that automation, we don’t have to actually go into the UI. The UI is really good. It’s easy.

[00:21:33.980] – Justin
I’ve used it for 50 plus accounts, but it’s really easy to go in and actually join those. You just do a Terraform, I mean a cloud formation script and actually just pull that in there and it’ll onboard the account. It’s really easy to name it a few things, but automation would save me a lot of time during the day.

[00:21:52.600] – Ned
Yeah, I don’t know about you, but I’m a terrible typist. So doing anything in the UI more than one is just a bad idea. I’m just inviting horror to myself.

[00:22:04.100] – Justin
Ned do you have this problem where you’ll name it one way and then you’ll forget how you named it on the next one? And so even my standards, my tagging gets messed up, and I’m like, oh, capitalize this. And that’s where the automation really helps for me.

[00:22:17.470] – Ned
Justin, I feel seen that. I really do because I can never remember. Oh, did I name it VM name and then region name and then country name or did I do it the other way? And it’s like, no, I put it in automation, and it just does it the same way every time. Set the standard once. Let something else worry about it. That’s what I’m looking for when it comes to automation.

[00:22:37.633] – Justin
I feel you there.

[00:22:39.320] – John
And once you go down that path, it’s really addictive. Once your infrastructure, it not only just named the same, but acting the same. You’ve written some code and you’ve deployed a development network and then use that same code to deploy your production network. And you have that confidence that you can build networks over and over again, and you know that they’re exactly identical.

[00:23:04.340] – Ned
So I’m curious in terms of workflow, you have someone come in and they want to get something done. So they go into a ticketing system, they open a ticket, and I’m sure you’ve given them some fields they have to fill out. Once they’ve done that submitted the ticket, where does it go from there? Do you have to sanitize inputs? Are you plugging into specific APIs? Like, how the workflow go from that ticket to actually realizing what they want?

[00:23:28.020] – John
I think you have to. It depends on which workflow you’re talking about. And I know when I’ve implemented this as the customer, this kind of thing, I wanted to just expose to the ticketing system or the repository those things that the person making the request cares about and write the code in such a way that it just takes those as input, drops them in where it needs to go, and the automation runs from there. Just an example of this was we had automation pipeline for user onboarding.

[00:24:06.510] – John
Nothing to do with the networking team, but user gets onboarded. And just out of that system, we were able to hook in Aviatrix’s VPN Terraform such that it would just drop a person’s email address and what group they were in. I belong to the sales Department, and the Terraform would just go out and apply that configuration and give that person VPN access and set them up with the access that was reasonable for somebody on the sales team. That was different than somebody who was getting VPN access that was part of the IT team, much less access for somebody on the sales team.

[00:24:53.550] – Justin
And for this, when we’re talking Aviatrix, in AWS and the cloud, you can go a few ways to get your network kind of connected. You can go a transit gateway, or you can go the old school what they call an IPsec transit, which is basically a bunch of IPsec tunnels that cut you some east to west type traffic. Aviatrix has what they call now the Aviatrix Transit, which basically puts these controllers at the gateway at entry points. And whenever a new account needs to come on, a new VPC, see a new virtual private cloud or new subnets, you can actually automate those.

[00:25:31.460] – Justin
And our goal is to actually automate those. So it spins up those those gateways at the edge there of that new virtual private cloud and makes that connection on the back plane to the rest of the network. So basically, it’s like spinning up a multi side or another side, another facility, if you use on Prem type thing, that MPLS or whatever, it might be.

[00:25:50.860] – Ned
Okay. And so are you hooking into an Aviatrix API to do this, or are you directly going to Terraform? So what’s the interaction there when it comes to the automation component?

[00:26:02.220] – John
You have those options, right? You can hook directly into the API if that suits your needs. Obviously, we recommend Terraform and our official Terraform provider, which sits on top of the API. It’s calling the API underneath. We recommend that for sure, as if you can use that. But there are certainly use cases where you can just go to the API directly.

[00:26:27.180] – Ethan
Wait a minute, John. You’re hedging on the API. Is this documented? And I can use the API. And it’s all cool because you’re like, but use Terraform. What are you trying to say, man?

[00:26:38.090] – John
No, absolutely. We definitely publish our API spec for customers. And then, like I said, Terraform is just we build that with feature parity with what’s in the UI, and what’s in the API.

[00:26:55.060] – Ned
Okay. Got you. So if I am in a shop where I’m already using Terraform to a certain degree, it’s very easy to integrate Aviatrix because it’s another provider, and I’m pretty familiar with using those. Not a problem.

[00:27:08.150] – John
100% when we moved from using the CSP’s, NAT gateways to Aviatrix gateways, we already had a pipeline built with Terraform to do that for all of our accounts. And so it was just as simple as taking out the Terraform that did the Cloud native gateway and putting in the Aviatrix Gateway and running the same pipeline. We had very little effort to make that switch. We definitely recommend Terraform because I think of Terraform as being the network automation multicloud specialist. Just like Aviatrix is the multicloud networking specialist. Right?

[00:27:51.530] – John
It really goes hand in hand. So once you learn the skills around how to write Terraform code, you don’t have to relearn that for different cloud. Each cloud has their own infrastructure as code platform.

[00:28:07.380] – Ned
Right. Yes. Familiar with all of them. And to varying degrees, they are successful. Here’s a point. If I’m using Terraform to deploy networking to, say, AWS and Azure, I’m using Terraform to do it. But I’m using different providers, and I still have to understand the constructs that exist in AWS and Azure. And anything else I bring in. Is there anything about the Aviatrix provider that further abstracts some of that for me? So I just have to understand how Aviatrix works. And now I’m good on all the clouds.

[00:28:37.100] – John
Yeah, for sure. So when you’re using the Aviatrix provider, you’re not going to the cloud directly. You’re going to the Aviatrix controller, and then the controller is orchestrating all of that. So our resources are built in such a way that it’s really just a matter of kind of defining what you want, what gateways or your network architecture you want. And then it’s just parameters that say, do this in Azure, this and do this in AWS. And we even package up some of the the concepts and architectures into Terraform modules that we publish as well.

[00:29:17.410] – John
And you can just pull those off the shelf, and it’ll just do very specific things. It’s kind of an Ala carte, pick what you need and deploy.

[00:29:26.720] – Ethan
As in I pull, basically, I pull the recipe from you, deploy it, and it builds out some canned topology for me.

[00:29:35.120] – John
Exactly. Right. And in some cases, that will be exactly what you need. And in some cases, that will be a model by which you would then customize to your needs.

[00:29:46.500] – Ethan
Deploy the model, and then tweak it for whatever the bits are I need from there.

[00:29:51.730] – John
Exactly.

[00:29:52.960] – Ethan
So how do I get that stuff at all? Is that GitHub? Is that up on Aviatrix’s site? Where do I get all that stuff?

[00:29:59.140] – John
Yes, it’s all of that. So as an official Terraform provider. You go out to the Terraform Registry, you see all of our resources, all of the modules that we publish with links to GitHub on the back end, like the actual code you can also go look at.

[00:30:19.120] – Ned
Right. So if the module you published is close, but it’s not quite there, I can clone that module and customize it for my organization, and then either host it on my own GitHub. Or I think you can now publish back to the Terraform Registry if you sign up for an account or something like that.

[00:30:36.920] – John
Exactly. Right. For sure. Or you could just keep it to yourself locally if you want it, if you don’t want to share, you’re embarrassed.

[00:30:45.840] – Justin
Or if you’re like me, who’s like a bull in an China shop when it comes to Terraform, I say, hey, John, can you help me? And John says, sure, I’ll help you. They’re really good about helping us old school, hate the cloud. Why is the cloud out there? I think.

[00:31:05.160] – Ethan
Justin, how far are you in your mind from getting to the fully automated state you’d like to be?

[00:31:11.300] – Justin
We’re not as far as what I want for sure thought was attainable. I mean, I’d say we’re really close. We finally have a stability. Sometimes it’s more of my uncomfortableness of actually automating things, because I’m like, Do I really want to trust what it’s doing? Because what if it wipes everything out and then I have to work all night to manually rebuild that thing? But the hold up is not the technology. The technology is there, Aviatrix does a great job with resources. They’ve asked me many times, Can we help you automate this?

[00:31:42.160] – Justin
I don’t think I’m quite yet ready, but the more work comes, and I’m like, okay, I need help. I think it’s more just me becoming comfortable. I don’t think there’s any hold ups. Even as chaotic is our network sometimes might look from all the different Tweaks and the different custom stuff. It’s easily done. It’s just taking that step.

[00:32:04.980] – Ethan
Do you have a lab environment or some way that you’re testing this out to help get that comfort level?

[00:32:10.990] – Justin
Well, yeah, I probably should. Let’s just say I’ve broke a lot of stuff. How’s that? And then it’s like, okay, why is that broke? I ain’t telling them I was playing with this for that, but we probably should. We’re getting there. It’s really for us. It’s been a whirlwind. And I think that’s probably a lot with the cloud. They don’t want to wait. So it’s always quickly. And so I figured out on the fly, and then when it just becomes overwhelming is when I look to do stuff like that.

[00:32:39.040] – Justin
But yes, absolutely. We should probably have a lab environment. Yes.

[00:32:43.760] – John
Did I mention a Terraform modules that you can just pull off the shelf and spin these things up?

[00:32:50.730] – Justin
You did you did. So don’t call John? I think that’s what he said. Don’t call him.

[00:32:56.190] – Ned
I’m curious how much you’re using it to spin up the initial infrastructure versus ongoing maintenance and changes, because that’s one of the big challenges I’ve encountered. Is it’s easy to spin it up in a vacuum, right. I don’t have anything that exists. But now someone wants to go in and tweak something and they don’t tell me. And then I go to try to run my Terraform config to update. And it’s like there’s all these changes Terraform doesn’t know about. Have you run into that problem, or are you working through that now?

[00:33:22.360] – Justin
So for us, yes. That’s a good point. I mean, we do have some Terraform. Like I said, with our Palo Altos and things like that. And I have run into that a lot, Ned, where somebody will change the load balancer or something. And then I get that dreaded. What’s different when it goes to the environment? The thing I found about Avaitrix is, it is pretty self learning in a lot of ways. To that, I’m sure, James and John can expand on that. But if we had add a subnet, it will pick those up.

[00:33:49.220] – Justin
If we add certain things. Once that’s there, it’s not like something where I’ve got to manually take care of a route table in AWS with the transit gateway, you got to manually update those routes. Can get very hard, with Aviatrix it’ll actually see if I had a new subnet. If a new route comes on, it will learn that automatically for me and start applying it where it needs to be so very little tweaking like that. If a new VPC comes up, you do have to run it to join that kind of bring it on to the network.

[00:34:17.450] – Justin
But from that point, the tweaks it will learn pretty sufficient fail over automatic things. That that nature. So it does cut down even, Aviatrix cuts down a lot of the need to constantly be an error fixing, adjusting things that somebody else has done.

[00:34:31.600] – James
Also, all the manual work that’s error prone.

[00:34:34.920] – Justin
That’s true.

[00:34:37.240] – John
Yeah. And I think, Justin, for you particularly here, what I’m hearing is maybe a hesitance to maybe you don’t know where to start. And that’s what’s kind of beautiful about Terraform and our use of it is that you really don’t feel that you have to automate the whole thing, end to end, data plane, control plane, security segmentation, like all of this stuff. You really don’t want to, because then that’s kind of all your responsibility, right? You can just pull off pieces and do what makes sense and do more over time and kind of bring it all together and build pipelines and workflows that are managed not by you necessarily.

[00:35:27.210] – John
Like I mentioned the user VPN, I handed that automation off to the folks who did user onboarding and they took care of it, and then I didn’t have to worry about it. And so it’s really easy to kind of start small and then build out over time. Terraform even will allow you to you have resources that are deployed that you then want to bring under infrastructure as code control. You can import that into Terraform and then start building your pipelines around that, even though originally you built that infrastructure by hand.

[00:36:01.550] – Ethan
John, I love that you’re just saying pipeline and pipelines throwing that word around, because back in the day, what pipeline meant was ticket, me, change control, approval, maintenance window, me, testing, it’s working. Yes, I can go home now. Close ticket. That was pipeline. And what you mean by pipeline is such a different animal.

[00:36:22.720] – John
Now, what I mean is when a developer wants a firewall changed because they know what their application needs to talk to, I don’t have to, as the network operator, I don’t have to be the one responsible for deciding whether that’s a good idea. I can put that off on the security folks who actually have that responsibility and make them do the approval and then have that automatically applied and take the me out of all of that that you just described.

[00:36:54.130] – Justin
Unless you’re at a job like me where nobody wanted to touch the cloud. So now I am cloud architect. Cloud security. On Prem security later. So it’s like it’s all me. Now.

[00:37:06.440] – Ethan
There’s some conference room or some email Chamber. You raised your hand, Justin, and you can point to the day now you’re the guy.

[00:37:15.460] – Justin
And Ethan, can you imagine the inner dialogue I have? There were guys like, just allow him, so I don’t have to hear him complain anymore. And the security guys like, no, you can’t do it, you know, and it’s a mad mess in my mind for sure.

[00:37:28.040] – Ned
That brings up an interesting perspective, which is the DevSecOps perspective, where security is intertwined with the rest of this pipeline and everything else. Is there anything on the Aviatrix platform that helps look at a proposed configuration you might be trying to run with Terraform or something and picks out? Oh, that’s not such a good idea from a security perspective, or the security team can review it before it actually gets applied to your environment.

[00:37:53.540] – John
So from my perspective on that, James, I don’t know. Maybe you want to chime in about Flight Check, but what I was describing a pipeline where someone with the developer persona wanting changes to firewall roles and actually doing a pull request, a GitHub pull request, actually modifying the code, which I had written in such a way that abstracted them from the actual Terraform resources. They just needed to go update the I want to talk to this thing on these ports. And once that pull request was generated, that would automatically alert the security team who had to approve prior to merging of that code and the merging of the code was the, there was automation in place to implement that code.

[00:38:52.240] – John
So from that standpoint, it’s not an automatic check, it’s not the product validating, but it’s putting in a process that involves the people who are responsible for that approval to force them to be be there and do it in an automated way.

[00:39:12.900] – Ethan
So it sounds like there’s not, like, integrated testing at this point. What we could say, is there anything that sanity checking that is done before a change is deployed?

[00:39:22.480] – James
Yeah, definitely. So one of the things that we do in the controller is that we look at all of the IP CIDRs across all of the clouds and all of the deployments, so we can actually let you know if you’re using our automation to create a VPC or VNet, we can say, hey. Just so you know.

[00:39:37.400] – James
That CIDR already exists, it’s probably going to be a bad idea to do that unless you’ve segmented your network and you have separate different types of paths. But, yeah, we’re looking for that networking correctness. And evaluating it in part of our controller. And in fact, we can alert on that, too. So if someone did go ahead and do something like that. We could send the alert out.

[00:39:55.840] – Justin
And Ned, Ethan, one of the neat things that really drew me to Aviatrix was I really was struggling to get East West traffic in AWS. It was really hard to get those cross VPC, what is talking to what type traffic, and Aviatrix has a real nice solution to deploy basically East West firewalls, and you can use various different products, but it’s baked into their product. And so a lot of the security checks for us is actually built into our firewall rules. So even if somebody spends something up and it somehow got run to connect, our firewall rules that govern that East West would protect us.

[00:40:33.300] – Justin
So some of that is baked if you do the firewalls and stuff just comes up on the network. Aviatrix gives you that East West inspection. And beyond that, they also have I’m sure James could talk to it, but one of the neat things is they have actual not just you can actually segment by what they call domains, security domains. So you can have a Prod domain. You could have a Dev QA or whatever. And you can say these accounts can talk to these accounts. These virtual private clouds can talk to these, whether it’s multicloud or whatever.

[00:41:02.220] – Justin
And if something comes up and tries to jump over that, that’s going to be a hard, basically route block on them. It’s really nice.

[00:41:09.590] – Ethan
This has been a good discussion. It’s one of those things where as you begin to spend time in the public cloud and you run into the shortcomings, you hear a solution like this and go, okay, this is filling out a lot of the blanks for me. So Aviatrix, thank you for coming on the show. One remaining question I really have, James, is this, this feels like I don’t want to say a heavy lift, but there’s a lot here to implement if I want more, what are my resources from Aviatrix to help me get this thing rolled out in my production environment?

[00:41:39.200] – James
And I would say a lot of our customers get up and running quickly. In fact, I’ve never seen a provider put out a kind of do a proof of concept and have it up and running. It like 10-20 minutes or certainly under an hour if everything’s going good. So we do POCs with customers all the time, and we are here too as resources. And I think Justin can attest to that we love our customers. We give them lots of support, even when they’re coming up with the most insane NAT scenarios you’ve ever seen.

[00:42:08.480] – James
We’re able to do those and test them out. We’re here to support that kind of being the Swiss Army knife of capabilities for the cloud and solving these complex problems that are unique and pervasive enough that we can solve them, but they’re hard to do at the CSP scale. So I think that we of a good future there and be relevant. And we also offer training. We actually have our Aviatrix certified engineer. I think we’re up to over 12,000 certified engineers now. So that’s been a really successful program.

[00:42:37.860] – James
We have an associate version of that that we typically do for free. We have a professional version that’s kind of in classroom virtual type of certification as well. And we’re expanding to even more certifications as well. We have a DevOps cert, and we’re looking to add more to and expand that. And that’s a multicloud certification too, our associate one. You learn about all of the major cloud providers. And actually, it’s not anything about Aviatrix. It’s the professional course where we start getting into the Aviatrix platform and how to use it.

[00:43:07.500] – James
In addition, we have professional services, and we can certainly provide our kind of hands on the keyboard type of support. And we have great people that do that. That’s my next call that I’m on. They’re great with helping the customers come up with options and think through everything, because it’s easy to as you go into cloud. I’ll just check this box and don’t think about it or I’ll just deploy this and don’t think about it. And then that becomes difficult. So we’ll help you think through all those options to come up with the best architecture.

[00:43:35.540] – James
And then we also have our CCoE, our cloud center of Excellence, where we can actually do kind of like a staff augmentation if you need more dedicated support on your team, we’re really here to help customers be successful and deploy their cloud network. That’s not something you want to get wrong. You only get one chance when you’re going into a cloud to do the network right.

[00:43:52.620] – Ethan
Great stuff. Thank you again, all of you for joining us today. James Devine, John Smoker and Justin Payne for having this discussion about Aviatrix, the CoPilot product, and many of the automation tools that are there. If you’re listening and you want to find out more Aviatrix com they are on Twitter at Aviatrix Sys and on LinkedIn Aviatrix Systems. Now, if you’re looking for more technical discussion, you want to dive into more about how Aviatrix works on the back end, there are more Aviatrix shows and the Packet Pushers catalog.

[00:44:20.470] – Ethan
If you go to Packet Pushers Net and search for Avaitrix, a whole bunch of content is going to pop up, including heavy networking episodes 507 and 589. Thank you to Aviatrix for sponsoring today’s show. And hey, you’re still listening. There you are listening. Boy, you’re awesome virtual high five to you for tuning in. You awesome human. If you have suggestions for future shows, we would love to hear them. You can hit Ned and I up on Twitter. We’re listening to you at day two cloud show.

[00:44:45.630] – Ethan
Or you can fill out the form on Ned’s fancy website Ned in the cloud dotcom. One bit of housekeeping for you this week. Packet Pusher has a weekly newsletter. Human Infrastructure magazine. HIM is loaded with the very best stuff we find on the Internet, plus our own feature articles in Commentary. It’s free, and it doesn’t suck. We don’t sell your soul, or give away your email or anything like that. We just want to get you the newsletter each week. That’s all it’s about. Packet Pushers net newsletter.

[00:45:10.180] – Ethan
And until then, just remember, Cloud is what happens while IT is making other plans.

Episode 113