Day Two Cloud 119: Unifying Multi-Cloud Security With Valtix (Sponsored)

Episode 119

The Valtix website describes their product as, “The first and only multi-cloud network security platform delivered as a service that enables cloud teams to meet the most stringent security requirements in a cloud-first & simple way.”

There are a lot of promises made in that sentence. Security, of course, but the way that security is delivered is where the magic is. Multi-cloud. As-a-service. Accessible to teams. Cloud-first. And simple.

Valtix has sponsored today’s episode to explain exactly how they are delivering cloud-first, simple security to your public cloud environments. If you’ve got some virtual firewall in the cloud more or less mirroring what you’ve got on premises and think that’s good enough, we challenge you to listen to this episode to understand the Valtix approach. For most of you, the Valtix architecture is not the same thing you’re doing today, and we think you’re going to find the tech worth considering.

Our guests are Vishal Jain, co-founder & CTO, and Douglas Murray, CEO at Valtix.

More About Valtix? But Of Course!

[00:00:05.570] – Ethan
Welcome to Day Two Cloud. We’ve got a sponsored episode today with a shiny new cloud security startup, Valtix, who wants to talk tech.

[00:00:13.600] – Ned
Yeah. The Valtix website describes their product as the first and only multi-cloud network security platform delivered as a service that enables cloud teams to meet the most stringent security requirements in a cloud-first and simple way. But if I can break that down, there’s a lot of promises in that sentence. We’ve got security. Of course, it’s a security startup, but the way the security is delivered is where they sprinkle a little bit of magic. We’re talking multi-cloud, as a service, accessible to teams, cloud-first and, above all, simple.

[00:00:43.940] – Ethan
Yes, Ned, and Valtix has sponsored today’s episode to pretty much prove all of that. They’re going to explain exactly how they are delivering cloud-first, simple security to your public cloud environments. Maybe you’ve got some virtual firewall in the cloud more or less mirroring what you’ve got on premises, and you think that’s good enough. If that’s where you’re at, I challenge you to listen to this episode to understand the Valtix approach. For most of you, the Valtix architecture is not the same thing you’re doing today, and I think you’re going to find the tech worth considering.

[00:01:12.160] – Ned
That’s right. So our guests today are Vishal Jain, co-founder and CTO, and Douglas Murray, CEO at Valtix. Both of these gentlemen are folks you’ve heard of if you’ve been paying attention to successful networking startups over the last decade plus, but you’ll hear their brief intros in just a moment.

[00:01:30.820] – Ethan
Indeed. Please enjoy our conversation with Vishal and Doug.

[00:01:35.120] – Ethan
Vishal, welcome to Day Two Cloud. It is a pleasure to have you here today. Sir, would you introduce yourself just briefly to the audience?

[00:01:42.260] – Vishal
Thank you, Ethan. And thank you, Ned. My name is Vishal. I am the co-founder and CTO of Valtix. I’m coming from the background of networking, security and cloud. Before starting Valtix, I was one of the early members of the ACI team. We saw how software-defined networking revolutionized networking. We saw it lacking on the network security side, especially as the enterprises are going to the cloud. So we are bringing the same concepts. Of course, the newer problems than your use cases. Technology can be reused. All of that.

[00:02:17.620] – Ethan
Yes. You said the ACI team, and that was a bit of an understatement, the way you phrased that. You were certainly heavily involved with all of that. But again, nice to have you on the show today. Doug Murray, same question to you. Would you briefly introduce yourself to the audience?

[00:02:31.900] – Doug
Yeah, sure. Again, great to be here, guys. Appreciate the time. So I’m Doug Murray, the CEO of Valtix. I joined Vishal and his co-founders on the journey a year ago. Really excited about the company. Before that, I spent seven years as CEO of a company called Big Switch Networks, which I know you guys know well. The company was sold to Arista, gosh, almost two years ago now, which is just amazing to me. And then before that, I spent a long time at Juniper. Most relevant for this discussion:

[00:02:59.600] – Doug
I was the GM of the security business unit, a.k.a. NetScreen, for a number of years. So this gets me really excited, because the Valtix play is one that marries both the networking world of the past that both Vishal and I have, but also the security assets as well. So excited for the dialogue today.

[00:03:18.100] – Ethan
NetScreen, man, you took me back when you said that. Oh, boy. I worked at a VAR once upon a time; I installed some NetScreen back in.

[00:03:25.300] – Doug
I still have NetScreen stickers on my desk.

[00:03:27.910] – Ethan
Yes, we’re here to talk about Valtix. So Doug, give us the elevator pitch. Who is Valtix? What does Valtix do?

[00:03:35.320] – Doug
Yeah. So at Valtix, we have a multi-cloud security platform that we deliver as a service. So what does that mean? Let’s break it down. So as people move from data centers into the public clouds, of course, security and your security disposition plays a critical role in that journey. So our platform includes all the relevant features that you would expect from a NetSec point of view. So app firewall, IDS, IPS, DLP, AV, et cetera, et cetera. But really, what makes us different is not just the security that we do.

[00:04:08.060] – Doug
Well, it’s actually how we do it. So it comes into play using several things. First, we have continuous visibility, which really allows for a constant understanding of what people are doing, what’s happening with their cloud workloads. So we tie into the CSP APIs themselves and are doing that on a continuous basis. The second thing is the architecture that we leverage; we’ll get deep on that today. But it really plays to the original thesis of software-defined networking, which is the logical separation of the control plane and the data plane, and that’s something that’s incredibly unique and is very cloud friendly.

[00:04:44.010] – Doug
And then lastly, simplicity: how do you do this in a way that is incredibly intuitive, easy to use, supports platforms like Terraform, et cetera, where you can then have one policy plane that you can use across regions, you can use across clouds, and just makes the overall experience much more cloud-native, cloud-friendly? And so today we’re live in AWS, Azure, GCP and Oracle Cloud and have paying customers across all of them.

[00:05:09.180] – Ethan
Yeah, you’ll have to sell us on the whole simple thing, because what you’re doing isn’t simple. So if it’s simple to consume, I mean, you’ll have to make us believers as the show goes.

[00:05:18.910] – Doug
That’s what we’re here to do.

[00:05:21.120] – Ned
Yeah. You just mentioned four different clouds that all have very distinct and different approaches to networking and security. Is there a common control plane or something that you configure your solution across all of those? Or do you have one in each little bubble for each cloud?

[00:05:40.450] – Vishal
Sure, that’s a great question, Ned. So we have a common control plane. So think about it: we took all the policies, management, all up in the air into a cloud, and it is delivered as a SaaS, so you don’t install anything. It is delivered as a SaaS, which simplifies your operations in a heavy way. Now a single control plane can see across four clouds, across your VNets, VPCs, accounts, subscriptions, and can have real-time visibility into what’s happening there. And then you can define policies which can span across a cloud, and then we enforce them in each data plane.

[00:06:23.160] – Vishal
So the data plane is customer cloud resident, but the control plane is delivered as SaaS and is global.

[00:06:30.320] – Ned
Okay, and for that data plane, are we talking only about components that Valtix is managing? Or are we also talking about some of the cloud-native functionality, thinking like network security groups in Azure or some sort of firewall within AWS?

[00:06:45.360] – Vishal
So 90% of the time we manage our gateways running in the customer accounts and do security on them. But there are instances where you can’t be in the path. The customer might have NSGs, as you said; the control plane can see everything and can also manage that.

[00:07:04.500] – Ned
Okay. So that begs the question: if we could compare this to some of the other security-related products that are in the cloud, how does this stack up to things like security groups in AWS that control the flow between different groups of instances, or the native AWS and Azure firewalls? Let’s just start with those two. How does it stack up or integrate, maybe, with those existing solutions?

[00:07:31.560] – Doug
That’s actually one of the things that got me really excited about joining the company. When you look at what’s in market today, just from a tech perspective, people are trying to do, at times, a fairly unnatural act to try to make this work effectively. In one respect, you have offerings from the CSPs, as you mentioned. So security groups, which is commonly used in AWS as a lightweight firewall. So does Azure, and that may be sufficient for somebody who has maybe one or two applications, maybe is just sitting in AWS only.

[00:08:02.100] – Doug
Or Azure only. Where we really shine is when people are deeper in their cloud journey, by design are multi-region and multi-cloud, and having a common policy plane is something that’s incredibly important for them. So one is the multi-cloud element of this. And then, of course, the other bookend is the traditional vendors taking virtual instances of their appliances and taking a box-like approach to throwing that into public cloud. And clearly we see that as insufficient.

[00:08:31.560] – Ethan
So what happens if I’m trying to position this with maybe not cloud-native stuff so much, but more like I’ve got a Check Point or a Palo box that I’m running as a firewall up in my public cloud instance? Would Valtix replace that or augment that or manage that for me? How does that fit?

[00:08:50.780] – Doug
I think in most instances, we would be replacing it. Right. So if you look at the experience that somebody would have from a more traditional firewall: traditional firewalls were built for data centers, and they do it really well. So companies like Cisco, like Palo Alto, Check Point do a remarkable job of creating a cookie-cutter-like approach to network security for data centers. They’ve done it for a long time. They have been remarkably successful doing that. What we see is that as people move to public cloud, cloud is just different, and it warrants a different architecture.

[00:09:20.320] – Doug
It really warrants a different way to look at how one would employ network-based security. And for us, that’s where taking a lot of what we learned in SDN, I think, plays such a pivotal role in this. So it’s not about taking a virtual Palo Alto box and just kind of rolling it right into public cloud. It’s really trying to provide a comprehensive experience for end users. So what we see is that a lot of our customers that we have today use companies like Palo Alto or Cisco on-prem, and they use us for the public cloud elements of what they do.

[00:09:51.370] – Ethan
Interesting. Okay. Well, based on that answer, I think I know the answer to this question, but I’m going to ask it anyway. Doug, how does Valtix fit if I’m, say, a Zscaler or a Netskope sort of a customer? That is the model where there is some kind of a redirection happening, so that inspection can happen by this third party as traffic is flowing between me and the cloud.

[00:10:12.560] – Doug
A great question. So when you look at this specific space, companies like Netskope and Zscaler, again, great companies on amazing tears right now, they really focus on the user aspect of security, and that’s where they shine. They do that well. Where we sit is, I’ll call it, the other side of security, which is really more on the network and application side. So that’s very similar to what you would see in the data centers themselves, where you’ll have user, but then you also have the network aspect.

[00:10:42.680] – Doug
We focus on the network aspect of a public cloud security.

[00:10:45.520] – Ned
Okay. I think I understand where you’re sitting in the application and network stack. So the next question would be, and I think we’ve already gotten a sense of this a little bit, but who are you targeting with the Valtix solution? What type of organization is your ideal customer? And where might you not be a good fit?

[00:11:01.520] – Doug
Yeah. So when we look at our customer base, if somebody is mostly like, if you’re a Fortune 500 account, you’re 95 percent on-prem and data centers and you’re just dabbling in public cloud, probably not ready for us yet. I think it might be at some point in the next, hopefully, three to five years. Where we see the sweet spot is typically people that are deeper in their cloud journey. The majority of what they do sits in public cloud. I mean, they still might have data centers, but they’re committed to a public cloud strategy, and typically they have challenges because they leverage more than one cloud.

[00:11:32.220] – Doug
So recently, as a good example, we added Oracle Cloud because we had a customer that was managing workloads across AWS and OCI and wanted a common experience. And so we started the process of building that into the platform as well.

[00:11:46.880] – Ned
Interesting. If I am only in one cloud, let’s say I am an organization that has most of my workloads in AWS, does Valtix, would there still be an advantage there for me, or should I just stick with the cloud-native features now?

[00:12:00.660] – Doug
There’s absolutely an advantage, especially if you have multiple applications and you have a lot of different services that you’re using in, say, AWS. We’re a great fit for that. People that are multi-region, that have challenges when we look at things like the point of egress, traffic leaving your account going off to PaaS services, making sure that layer is secure, it’s certainly something that is warranted. And many of our customers are single cloud, but multiple applications across that specific cloud.

[00:12:31.770] – Ethan
Vishal, did you want to jump in there because I saw you nodding vigorously.

[00:12:34.480] – Vishal
Yeah. Now I can add there, like even in a single cloud, if you take the basic security from the cloud vendors, I think, as you can see, they do the bare minimum. Infrastructure companies are never leaders in security. I mean, I am coming from the background of, I was in Microsoft a long time back. We had Windows Firewall, people still deployed your mix and firewalls, so they do bare minimum. So if you are serious about security and if you are a single cloud, you cannot just use native controls from AWS or Azure; they do a bare minimum job.

[00:13:11.340] – Ethan
Well, then let’s get into the architecture of this, Vishal. I want to understand from an engineering perspective how this all works. So over the next bit, let’s piece this all together. Start at the beginning. If I’m installing Valtix, what is it that I’m installing? I know there’s a control plane component, there’s a data plane component, but is there an agent? Is there a virtual firewall sort of a thing in an EC2 instance? Give us the high level.

[00:13:34.800] – Vishal
Yeah. So this is a good problem and a good question. We are so conditioned to boxes in the network security world that we talk about installing a virtual box, a virtual appliance. No. In Valtix, you install nothing. You install nothing. You as a customer install nothing. The control plane is delivered as a SaaS. You log into the control plane, you give your AWS or Azure credentials. And then, yes, we do have a customer cloud resident data plane, but you don’t install it. The Valtix control plane fully takes care of that.

[00:14:08.530] – Vishal
So the thing is, you own your network security infrastructure, because your data plane runs in the customer accounts, which basically means your keys, your traffic stay in your account, but you don’t have to maintain it. I mean, in some sense, what I will always say is we are making network security from kind of a noun to a verb. You don’t install nouns, you just use it. So you just instantiate that. So that’s what we are bringing into the cloud world. And that’s where in all of our things we call it unboxing.

[00:14:46.080] – Vishal
So we are kind of the anti-box. We don’t take those boxes and install them and have you manage them yourself. And that’s, I think, the biggest value, whether a single cloud or across clouds, where customers see things about operationalizing. If you take boxes, then you as an enterprise spend 90% of the time trying to make them operational. How do you install them? How do you upgrade them? How do you scale them? And you spend 10% of the time on security. With Valtix, I would say you pretty much spend about 10% of the time on operational aspects and 90% of the time on security.

[00:15:22.360] – Ethan
Oh, it’s the SDN model. I’ve got a controller and the controller is the thing that sits above whatever is happening underneath. And in a sense, I don’t want to have to care about individual boxes. I want to manage the system as a whole. So what you’re describing to me is I log into Valtix, which you provide for me, the login. And I assume that I’m going to give keys and enable Valtix to talk to all of my different public cloud instances. And then as I build policy, as I describe where enforcement points are going to be, Valtix is dealing with all of that for me.

[00:15:53.890] – Ethan
And it sounds like from what you’re saying, there’s not a point where I actually have to install that data plane box. I’m not standing up an EC2 firewall, at least not by hand.

[00:16:05.140] – Vishal
Not by hand. And I think, coming from the world of SDN, there were two differences. First of all, the control plane in that world, you still deploy a bunch of VMs and manage it. Now, with cloud, what happens? We do lean on the new technologies, right? So the control plane is SaaS delivered, so we make it more scalable. And that’s why you can span across accounts, across clouds. We lean on a lot of new cloud technologies, as we talked about: Datadog, Snowflake, Elastic. We use all those cloud constructs, we lean on them and build up a control plane.

[00:16:37.390] – Vishal
So you don’t install anything. For example, in the world of NSX, ACI, you still install that controller in your account and manage it. Here you don’t. And the second thing is the data plane: because of the right credentials of, let’s say, IAM, we have the access and we can install enforcement points in the customer account without them having to worry about it. So they just say, give me two to five scale, just to make sure that they don’t really outrun their budgets, and we take care of everything for them.

[00:17:09.690] – Vishal
And that’s the beauty of what we bring in. So it is SDN, but we decouple the data plane and control plane, but the comparison stops there, because we do a lot more because it’s cloud delivered.

[00:17:22.190] – Ethan
Well, you said the magic words there. We were saying you don’t install anything, but that doesn’t mean nothing gets installed. Something is getting installed. It’s just Valtix doing it for me. Zoom in on that part of the architecture, then. What is it that’s actually installed? You said enforcement point, which sounds like a firewall or a box to me. I know it’s not a box, but go ahead, explain that to us.

[00:17:44.800] – Vishal
Yeah. So it definitely is something which runs on EC2 compute in AWS or Azure compute. Think about how you think about an AWS load balancer. There’s something there, something installed, but you don’t know about it. So yes, there is our software installed as a data plane on EC2 compute, and then it’s a scale-out cluster. We have the right orchestrations to get in the path for ingress, egress, east-west. And that’s another beauty of that. Every cloud offers different cloud constructs for getting in the path, routing. We normalize all that.

[00:18:22.290] – Vishal
And that’s the thing: from the control plane perspective, the customer just gives the intent. I want to do a spoke and hub model. Okay, you give the intent, we take care of the rest. I want to use a distributed security model. I want to Bake my security HTPC. We take care of that. So we don’t impose a network security architecture. We ask the customer to just give the intent and we take care of the rest. Normalize the operations, normalize the cloud capabilities and give them a single management plane. Single policy plane delivered over SaaS.

[00:18:56.520] – Ethan
You just justified why it’s not a box, because this doesn’t sit on the perimeter and it doesn’t sit in this specific place between these two points. It’s not like a firewall in that way. It’s not that kind of thinking, because you said inbound, outbound, east-west, meaning you can enforce policy anywhere within the VPC, whatever the group is. And it’s policy that defines how that is getting done. So now, if I was missing it before, it just clicked for me, Vishal.

[00:19:22.650] – Ned
So that sort of begs the question, how does it get in the path? How does it become that enforcement point? And maybe we can zoom in on a specific cloud, because I know it’s going to be different for all the different clouds. So let’s just use AWS as a representative example. I set up the control plane. I’m going to go deploy the data plane with my AWS account. What are you actually creating on your side to create that data plane and get in the path of my network traffic?

[00:19:52.120] – Ethan
And please Vishal, don’t say it’s an agent or I’m going to cry a little.

[00:19:55.220] – Vishal
No, I think it’s not an agent, and I think that’s a great segue into one thing I want to point out here. Like a lot of the customers we have, right? It’s always about security and agility, and you will know all about that. They’re always at loggerheads, always a tension. In the cloud, it’s all about agility. So our goal is how you can provide security, same visibility, same controls, but not compromise the agility. So with any agent-based solution you’re actually compromising the agility here; you have to install agents.

[00:20:28.300] – Vishal
A lot of the enterprises have in the cloud a variable architecture. They use PaaS services, they use serverless. How do you install agents on them? Network is a common point. It’s a great point to get visibility and control; every app touches it. And that kind of led to the following principles, why we built Valtix. Now, coming to your question, Ned, about double-clicking on AWS, how do you get in the path? Yes.

[00:20:55.820] – Vishal
Thanks to all the cloud providers, they do offer ways to get in the path. Like in AWS, you can do a hub and spoke architecture by doing transit gateway, Gateway Load Balancer or various ways. So what we do is you just specify that I want to be in a hub and spoke architecture, Valtix will install our security gateways in a security VPC in the customer’s account, we will integrate with the AWS routing, get all the traffic from the spoke VPCs where the applications are running to this security VPC, and can do ingress security, egress and east-west between your applications, between your VPCs.

[00:21:42.380] – Vishal
That’s kind of the under the hood. But from the customer point of view, they don’t know that. I mean, they know that, but they don’t care about that. It’s fully managed.

[00:21:52.040] – Ethan
Yeah. So you use routing, then, to stick your gateway in the path. But again, to stress this, it’s all automated. I’m building policy. You’re figuring out the mechanics underneath to force that traffic through the gateway.

[00:22:05.460] – Vishal
That is correct. So for example, on the ingress side, you become a reverse proxy. On the egress side, we can be in the forwarding mode, it can be the forward proxy, and on the east-west side, again. So we support all those ways to get in the path. And the cloud provider does offer a lot of those cloud constructs, and we use them to get in the path.

[00:22:27.960] – Ned
I see. So you’re not only standing between me and the Internet, like my VPC and the Internet, you’re also standing between two VPCs to filter that traffic, between on-prem and that VPC, or potentially another cloud. So by setting up that security VPC that’s doing the inspection, you can get in the path of a lot of different things. Do you generally deploy one data plane instance per region? Is that the usual architecture, or is it a data plane per account, sort of? How does that usually get set up?

[00:23:00.720] – Vishal
Yes, I think typically what we see is, again, I hate to use the word instance because it’s not a box. So what we call a gateway is an abstraction; think about a scale-out cluster. So it’s never a single instance. Think about this as a bunch of EC2 compute running across availability zones. So we have the full state of that in the control plane, so we can take care of high availability. Typically, you install one gateway; underneath is a cluster of gateway instances in one region.

[00:23:36.340] – Vishal
Customers can choose to run that hub VPC across accounts or within each account. We again do not impose the architecture. We let customers use what they want. They give the intent and we support what they want, and that’s the beauty of it. I mean, there was a question earlier about Zscaler, Netskope, so our data plane is customer cloud resident, so we don’t pull traffic out, so we don’t have access; the control plane does not have access to the data, network, keys, but we still can enforce everything close to the application.

[00:24:14.320] – Ethan
So how do I size this thing, then? Because of where it goes and how the traffic flows, I need to be able to process all the traffic, especially if I’m going all the way up the stack with DPI. Is it an autoscaling exercise, or do I actually have to think about how big an EC2 instance I maybe should have sized?

[00:24:32.300] – Vishal
So again, it comes to the same thing about unboxing. So in the box world you will talk about how big a box you choose. You will talk about fail open, fail closed. Cloud is not about that. You don’t fail open or fail closed. You are elastic as your applications increase, as your number of VPCs and VNets increase, as your traffic increases. Valtix will elastically scale up and down that gateway, and the controller is again the brain behind that. Again, it gets the state of each instance, figures out what’s going on: is it reachable, CPU, memory, a lot of other parameters, and then pretty much it’s a fabric.

[00:25:14.930] – Vishal
It scales up and down with your traffic with your applications.

[00:25:17.840] – Ethan
So do I bound it in some way, then? Because if I’m scaling up, it’s going to cost me something. So if something goes really badly wrong, maybe I want to cap how big it gets.

[00:25:27.960] – Vishal
So we do allow you to cap it. Like typically the customers use a min size of, typically, two. You want to run two, or one in each availability zone, and then the max can be, think about, five or six depending on their application traffic. A single instance can still do a lot of throughput. We’ve built a single-pass architecture for your inspection. So compared to any competition, which was all built on hardware and then shoved into a VM in the cloud, we can still do three or four X of that.

[00:26:02.770] – Vishal
And we have decryption built in. So it’s not like you’ll hear 80% performance goes down with decryption. No, we have a single-pass architecture. Of course, performance goes down because of decryption, but the customer doesn’t care, because it’s a scale-out elastic cluster.

[00:26:18.570] – Ethan
I was just going to ask you about decryption, because in theory, you’re on more or less x86, or are you able to do cryptographic acceleration?

[00:26:26.920] – Vishal
Yeah, we have a version in AWS where we can leverage the FPGA instances to do the thing. But again, today, in deployments, we still use x86, because the customers have not hit those bandwidth requirements. I mean, I think the cloud is still like, they have a more distributed architecture. As you can see, there’s no single gate; cloud is more dynamic, more distributed, more regions. So you don’t have a single point to get the 50 gig, 100 gig traffic. So x86 is still good enough, and then we scale out.

[00:27:04.400] – Ned
Got you. So I think we’ve got a pretty good idea of what the architecture looks like from a data plane and control plane. So I think that leads us naturally into the next portion, which is where you said customers are spending 90% of their time in policy, creating policies and enforcing them. So can you describe what goes into a policy? What are you actually building in that control plane?

[00:27:28.810] – Vishal
With Valtix, they spend 90% of the time doing policies, looking at the visibility reports, looking at the security. So what goes in a policy? Again, we all come from that world of network and security. The policies are always based on identity and the context. Now the identity and the context have changed when you move from data center to the cloud. In the data center, identity was all about IP addresses, subnets, interfaces. Now in the cloud, they mean nothing. So with discovery, which is a big piece of the control plane, we discover in the cloud APIs the applications, the user-defined tags, which VPCs they are running on.

[00:28:13.130] – Vishal
So, for example, we get the policies defined in terms of identities like the tags, and the context, like where they’re running. Think about it: you want to have an application A in a production VPC have one policy, but an application B in a dev VPC a different policy. So you do that right abstraction, you have minimum policies. The control plane magically takes care of that, translates them to imperative policies enforced in the data plane. So from the customer point of view,

[00:28:44.220] – Vishal
you define the intent. You must have heard about that, intent-based policies. You define the intent, we take care of the rest and we enforce that in the data plane.

[00:28:52.660] – Ned
Okay. So if I have a bunch of EC2 instances that I want a policy applied to, I can just set a metadata tag on those instances that will be picked up by the policy, and the appropriate rules will be enforced against those instances. Okay, that makes... I can do that for source and destination, right? I’m not just limited to source tags.

[00:29:12.220] – Vishal
That is correct. For example, you can even do more abstraction. You can do, for example, Azure resource groups, which basically means a bunch of applications. So a bunch of applications can talk to another bunch of applications and have this policy. So we have all the membership: what belongs to a resource group, what are the IP addresses for each application in the resource group. And we do it across your IaaS, your PaaS, your containers, whatnot. So from the customer point of view, you just give the intent across the resources with the right abstractions. And then we take care of the rest.

[00:29:49.560] – Ethan
Because ultimately it does come down to there’s an IP address that’s being monitored and denied if the rule demands that. But the point is you’re dealing with all of that. As a policy writer, I’m functioning at a way higher level, again, with metadata or tags, Ned, as you mentioned, and writing policy against those things. And then it is up to Valtix to compile all of that information, come up with a policy and then keep going with it.

[00:30:19.150] – Ethan
Because the cloud environment is going to be ephemeral. There’s a short life cycle to some of the objects that might be there. And so I assume then you’re monitoring in real time and then recompiling policy more or less constantly to reflect the current reality of the cloud environment.

[00:30:32.590] – Vishal
Yeah, absolutely. That’s why, as I said when I explained the control plane, visibility becomes super important. You need to get real-time visibility into changes happening in the cloud. So we’ll listen to all that. And again, it’s a very scalable architecture built using a pub-sub model. You’re right, Ethan. The router and the network do not know tags. In the end, it has to become an IP address. Coming from the SDN world, they didn’t know EPGs, they only knew VLANs and they only knew IP addresses. Right, from the point of view of the customer.

[00:31:05.310] – Vishal
It’s all about being app centric, and that’s, I think, one of the key things we build. It’s all about apps in the cloud. And that’s why we said the operation aspects. It’s all about apps. Focus on apps, not on operationalizing security. That’s where customers deploy us and define policies in terms of apps, not in terms of IP addresses. So again, app centric is a mantra we follow in everything we do here.

[00:31:29.690] – Ethan
There’s still a piece of this, though, that is a little intimidating because I don’t want to have to walk in as a brand new Valtix administrator and build a policy from scratch. Do you help me build the policy somehow?

[00:31:39.520] – Vishal
Yeah, we definitely do, especially for the enterprises coming from on prem, and they say, OK, I have these applications. I had this environment on prem. Can you help? Yeah, we have some tools. Plus, on top of that, the cloud is not the same as the data center. So we work closely. Our services team can work closely with them and define the policies. But once we define them, it’s all about just running. So that’s why they get the right agility. If they use IP addresses and whatnot, every change requires five days: you need to make a change or create a ticket, then ask for approvals.

[00:32:17.100] – Vishal
Figure out. And now the main thing is, as I said, we reduce the tension between agility and security, and everything we do here for security and for ops is towards that.

[00:32:28.770] – Ned
Is there anything in the product that helps me model out what a change might do? Because that’s another big thing that I worry about: I’m about to apply the security policy, or maybe an update to that security policy, and I don’t want to blow everything up. I don’t want to start blocking good packets and have my application owner screaming at me. So do you either model it or allow deployment in a monitoring mode, so I don’t blow up my application owners’ traffic?

[00:32:54.910] – Vishal
Yeah. I mean, these are all standard things, which we have built in the other products, right? You first make the changes, put some new rules in the monitoring mode, and you see how it’s going, and then you make them enforced. The good thing about it is a central control plane. So again, you’re not managing individual boxes, not managing individual places. You just do it in one place. If you get new threats, like a few days back, a new threat came. Oh, my God. Right. You don’t have to worry about it.

[00:33:26.320] – Vishal
We have an auto update of those in the control plane and we push it out to the data plane. So from the customer point of view, again, as I said, they focus on apps; they don’t focus on, like, operationalizing these things.

[00:33:39.190] – Ethan
What’s the plumbing between the control plane and the data plane so I can push policy and such?

[00:33:43.660] – Vishal
So again, everything happens via a mutual TLS connection between the control plane and data plane. So the idea is that you can’t just spin up a random data plane and then join the control plane. There is mutual authentication, and then everything is secure. What happens on the control plane is global policies which are pushed to the data plane, which enforces them, and then logs and metadata from those events come to the control plane, where we give all the right analytics, your indicators of compromise. And then we can also integrate with your SIEM systems, your SOAR and whatnot.

[00:34:24.040] – Vishal
So the tool is not like a standalone tool and you just take it. It integrates very well with your SOC and your entire ecosystem.

[00:34:32.900] – Ned
Let’s expand this out because we tend to think of instances, virtual machines, our applications running on those. But the cloud’s got a little bit more to it than just that. So let’s expand this out to other services on the cloud. And maybe we can talk about two different things. One would be Kubernetes, and if Valtix has an integration there, and then maybe some of the other PaaS types and maybe serverless functions. But first, let’s start with Kubernetes. Is there an integration between Valtix and Kubernetes?

[00:35:01.250] – Vishal
Yeah. That’s a great question. Again, so we are sitting in the network. So the way we play is that we can be an ingress to a Kubernetes cluster. We can even egress out. We can play between Kubernetes and, let’s say, a container cluster talking to a VM, talking to a PaaS service. Today, we work with them again. Maybe tomorrow we have a presence in Kubernetes like a sidecar. Today we don’t do that. There are enough solutions doing that and we can integrate with them.

[00:35:34.540] – Vishal
But when we say network, it doesn’t make sense to take everything out from a Kubernetes pod to outside. So we play between the container cluster and out, and anything coming into it, anything going out. And we have deployments with customers like that. I mean, Kubernetes security offers basic segmentation, but if you want deep security, want to make sure you don’t leave it out, you do, right, deep inspection security, then we come into the picture.

[00:36:05.660] – Ned
Got you. Communication between pods on the same cluster, you’re not getting in the path there, but you can be that egress or ingress to that cluster and protect the traffic that way.

[00:36:16.480] – Vishal
That’s correct. And even East-West from that cluster to, let’s say, a PaaS service or to, let’s say, a bare metal or an application or a VM.

[00:36:23.900] – Ned
Right. So the PaaS services, let’s say I’m using Azure App Service or AWS Lambda, something along those lines. Are there some integrations there or again, is it just between the traffic on those services and any other virtual machines or other services you’re running in the cloud?

[00:36:39.740] – Vishal
Yeah. So again, if we discover all those applications, we discover the PaaS services. Discovery knows about the resources and things like those. Now there are ways to get in the path. For example, for a serverless application, you can be a proxy there. Right?

[00:36:55.020] – Vishal
So we have a proxy built into the data plane. Now, as I said earlier, 90% of the time we can be in the path, but we do depend on the cloud provider for a lot of things. So there are instances, for example, for a PaaS service, think about a private endpoint or whatnot, where you can’t be in the path. Now, where we come in is the control plane is aware of all that. All these PaaS services do support network ACLs. What we do is give you the right abstraction where, instead of them defining network ACLs in terms of IP addresses, they can now define a policy.

[00:37:31.560] – Vishal
Again, in terms of the tags: resource group A can talk to a Cosmos DB, not IP A, IP B, IP C can talk to Cosmos DB, and we can do the right programming from the control plane to those PaaS APIs. So again, we really want to be in the path. We do depend on the cloud provider, and most of the time we are in the path because of the right architecture. But there are instances where we cannot. Again, you take care of it, right?

[00:37:58.990] – Ned
There are some services where you can put, like, a VNet service endpoint in Azure or something, and you could get in the path then. But if you can’t get in that path, then you can at least marry up the tagging to use the native cloud constructs. That makes a lot of sense. Okay, now most people are going to have existing cloud real estate, right? They’re not coming from greenfield. They have stuff that’s already deployed, and I would get a little nervous about suddenly shifting all my traffic over to Valtix.

[00:38:27.880] – Ethan
You say nervous Ned. I’ll say utterly terrified, but yeah, okay.

[00:38:32.060] – Ned
That would be the one, yeah. So how does one go from not having Valtix deployed to having Valtix deployed without blowing up my existing environments?

[00:38:41.530] – Vishal
So we support multiple use cases, right? As I said, ingress, egress, East-West, visibility, correct. So you don’t have to. There are enterprises where they’re like, okay, I am hybrid. I am using my own favorite virtual firewall to connect to the data center, and that’s how I extend my data center to the cloud.

[00:39:04.080] – Ned
Fine. We don’t have to worry about replacing that. The first thing is visibility. So now they deploy us in visibility mode, and as I said, visibility does not require installing any gateway in your account. It’s self-serve. You just give your read-only credentials to the controller, and in a few minutes we start reading all your VPC logs, VNet logs, DNS logs, your tags. We triangulate all that in a very app-centric way and give them the indicators of compromise. Now the customer will see: okay, I have everything protected on the ingress side through, let’s say, my virtual firewall, but my egress is still open.

[00:39:46.260] – Vishal
I’m talking to a SaaS API, talking to GitHub. How do I enforce policies? Then you can deploy Valtix, again in a few minutes. So you don’t have to do everything we do right now. You can enter with one use case and then go with the next use cases. We can also do security for, let’s say, one region, and that’s the beauty of the cloud. There is no single gate, unlike the data center. You can be using the existing solution for one part, but use Valtix for the second part.

[00:40:21.440] – Doug
And to add to that, Vishal, I think what’s been interesting to us, since we solve for a multitude of different insertion points, is when you look at ingress, East-West, egress as an example, what we’ve seen in the last year is actually that the biggest land tends to be egress, the egress-specific use case, where somebody is now in the cloud. They’re typically compliance oriented, so financial services, health care, et cetera. And they want to make sure, as an example, as a health care provider, that patient records are not leaving their account.

[00:40:52.350] – Doug
So just adding that layer at egress. Same thing with financial services, with customer information, credit cards, et cetera. So just ensuring that you’re compliant with, be it, HIPAA or some other regulatory requirement, where even if you’re sending data off to an S3 bucket to do backup, a lot of our customers don’t want to do that. They want to make sure that the right data is staying within the account. So we start there and then start to expand based upon that. And that’s where the usage grows and it becomes an expansion plan.

[00:41:20.500] – Ethan
I like the visibility mode, especially just to be able to start with that at the beginning and then come up with your list of use cases. It almost gives you your roadmap from there: how you’re going to implement it, and then you can phase it all in. Well, okay. Let’s say I’ve had Valtix installed for a while and I’m doing that whole infrastructure-as-code thing. I would like to automate and cloudify this infrastructure thing as much as possible. And what you described all sounds very friendly to that.

[00:41:47.660] – Ethan
But when I’m at that point where an app is deployed and there’s a pipeline, and I want the Valtix provisioning to be handed out to that pipeline, is there... can I do that?

[00:41:57.540] – Vishal
Yeah, absolutely. We actually have customers doing that. And that’s why everything is fully Terraform. So as soon as your applications are spawned, as your VPCs come up, you can have automation by saying, okay, I want to have Valtix deployed in that VPC, and it can have the right policies. And we have a customer who actually was using a kind of legacy solution that was taking, like, days. Everything in their pipeline was CI/CD except security. Now with Valtix, everything is CI/CD, so full Terraform, whatever we do.

[00:42:34.500] – Ned
Okay, can you also manage the policies and the control plane with the Terraform provider or an API?

[00:42:41.930] – Vishal
Yeah. Everything, again, northbound from the control plane is all Terraform. Again, anything between the control plane and data plane is all Valtix secret sauce. We don’t need an API for that. That is just you give the intent and we do all the work. When we say Terraform, it’s all about northbound of the control plane. Whatever you can do from the UI, you can do anything and everything via Terraform.

[00:43:04.800] – Ethan
This has been a lovely engineering conversation, but there is a practical aspect that we have not gotten into, which is licensing. How is Valtix licensed? Is it metered? Is it like, I don’t know. Explain it to us. What is the licensing model here?

[00:43:23.640] – Doug
Yeah, we charge per box. No. See, I couldn’t help myself there. So we focus on, we’re a consumption play. So we have a series of customers that pay as you go. So they just, monthly, whatever their usage is, we send in the bill, and the majority of our professors do bulk credit hours, so very similar to what you see with Snowflake and Datadog and others. Where the typical pay as you go is going to be $1.38 per hour, so if you do the math on that, that’s basically about twelve grand a year per instance.

[00:43:56.410] – Doug
And so you have customers that do that. If you want something less than $1.38, you buy bulk credit hours and burn those hours down over time. So typically our customers work with us to determine this is what they would expect in terms of consumption over the course of a given time period, such as 12 to 18 months. They buy that bulk of credit hours and then get a lower price by doing so. So very flexible. You’re paying for what you use; you’re not doing the normal thing that you would do on prem with boxes and licenses.

[00:44:25.470] – Doug
It’s one price for every aspect of what we do, which is $1.38.

[00:44:30.100] – Ethan
There’s still going to be a compute charge that I’m paying to my cloud provider, correct?

[00:44:35.340] – Doug
That is correct. So the data plane that resides within the end user account is actually using their own compute; that actually is on the customer to pay for that aspect. That is correct. And then the other thing I will add is discovery, which is a really important part of what we do and getting that visibility upfront. That’s free, as Vishal mentioned. Right. So we want people to use discovery. We want them to get that experience and then over time be more and more open to turning on security services. So we see that as a very powerful way to get inserted into cloud accounts.

[00:45:06.540] – Ethan
Did you just tell me that this is how I try Valtix for free, more or less? That I can put it in a discovery mode and there’s not going to be enforcement happening, but I could kind of get a sense of it, and it costs me... is it truly nothing except for my compute?

[00:45:19.540] – Doug
That is correct.

[00:45:20.620] – Vishal
Well, Ethan, actually there are two pathways. In discovery mode. First, discovery mode, you don’t even pay for your compute. It’s all using cloud.

[00:45:30.080] – Doug
It’s not enforcement, which is happening in compute. Right. So actually, technically, it’s free all the way around for an end user.

[00:45:39.170] – Ethan
Pretty cool. Well, this is already a robust offering, but I am curious to know what’s next. Is there a road map for Valtix?

[00:45:48.270] – Vishal
For sure. As we touched on some other things, we want to own the network security for the apps in the cloud. That is where we stand. Anywhere we can’t be, we see that as a gap. For example, we touched upon some areas about containers, about PaaS. We continue to evaluate different application architectures and continue to cover everything from network security. We want to own that. So all of our roadmap is towards that. I mean, the enforcement point today, for example, is, think about it, if you do compute, but it can be somewhere on a sidecar tomorrow.

[00:46:27.180] – Vishal
So that’s where we see we want to be in the path everywhere and do network security, and we continue to enhance our platform for that. We continue to look at cloud providers for some of that. And that’s, I think, the bulk of where we come from.

[00:46:44.830] – Ned
Got you. So if folks are interested in learning more, taking advantage of that free discovery process, Doug, where are some places they could go to check that out?

[00:46:54.140] – Doug
Yeah, for the listeners here, we actually have a promo at Valtix dot com forward slash day two, so they can go try it out. So it’s not just discovery, but also we’re doing a little bit of a promo to get people interested in the platform. And of course, you go to Valtix dot com and there are videos. There’s a demo walkthrough of the product and, of course, you can try it. We’d love to have people kick the tires and let us know what they think.

[00:47:22.150] – Ned
Awesome, and we will include all of those links in the show notes, so you don’t have to try to remember them off the top of your head. But if you do want to remember that one link, it’s Valtix dot com slash day two, where two is the number two. That is going to do it for us today. Many thank yous to Doug Murray and Vishal Jain for introducing Valtix to Day Two Cloud listeners, and to Valtix for sponsoring today’s show, and virtual high fives to you for tuning in. If you have suggestions for future shows, we would love to hear them. Hit either of us up on Twitter at Day Two Cloud Show, or you can fill out the form on my fancy website,

[00:47:56.470] – Ned
Ned in the cloud dot com. If you like engineering-oriented shows like this one, visit Packet Pushers dot net slash subscribe. All of our podcasts, newsletters and websites are there. It’s all nerdy content designed for your professional career development. Until next time, remember: Cloud is what happens while IT is making other plans.
