URL: https://packetpushers.net/podcast/day-two-cloud-113-multi-cloud-network-visibility-and-automation-with-aviatrix-sponsored/

Packet Pushers



DAY TWO CLOUD 113: MULTI-CLOUD NETWORK VISIBILITY AND AUTOMATION WITH AVIATRIX
(SPONSORED)

Ethan Banks September 1, 2021

https://media.blubrry.com/packetpushers/p/content.blubrry.com/packetpushers/D2C_113_Multi-Cloud_Network_Visibility_And_Automation_With_Aviatrix_Sponsored_.mp3




Today’s Day Two Cloud episode dives into multi-cloud networking with sponsor
Aviatrix. As infrastructure moves to public cloud, visibility can become an
issue. For instance, unlike with on-prem switches, you can’t just plug in a tap
and start collecting flow records.

Automation can also be a challenge in the cloud. Network teams have to keep up
with their counterparts in the organization, but may not be familiar with
automation tools, processes, and constructs.

Aviatrix offers a cloud network platform with a common data plane and
operational model that works across public clouds and supports visibility and
automation. We dig into the Aviatrix product with Aviatrix and a customer.

Our guests are John Smoker, Customer Solutions Architect at Aviatrix; Justin
Payne, Cloud Network & Security Architect at Mueller Water Products; and James
Devine, co-author of the AWS Certified Advanced Networking Official Study Guide.


SHOW LINKS:

Aviatrix

@aviatrixsys – Aviatrix on Twitter


Heavy Networking 589: Cloud Networking’s Good, Bad, And Ugly: What CSPs Don’t
Tell You (Sponsored) – Packet Pushers

Heavy Networking 507: Build And Run A Multi-Cloud Network Architecture With
Aviatrix (Sponsored) – Packet Pushers


TRANSCRIPT:

[00:00:05.720] – Ethan
Welcome to Day Two Cloud. We got a sponsored show for you today with Aviatrix.
Aviatrix does multicloud networking, and they make the whole cloud networking
thing suck less. They’ve been on the Packet Pushers podcast network before, and
we’re going to get into aspects of visibility, that challenge and then
automation and what’s going on with that. Ned, what stood out to you in this
recording?

[00:00:26.940] – Ned
I think the thing that stood out to me is the automation conversation we had
when you get to any kind of scale in cloud, automation is key. One of the
guests, Justin, was talking about doing things manually in the UI, and we all
agreed that’s a terrible idea to do even more than once, because we’re all
terrible typists and we all make mistakes. So it was really good to hear about
the automation that Aviatrix brings to the table.

[00:00:50.460] – Ethan
I don’t know what you’re talking about. This typing in errors. I’ve never had
that problem, except every time. Anyway, please enjoy this episode with our
guests. They are Justin Payne, Cloud Networking and Security architect at
Mueller Water Products. He’s an Aviatrix customer who is going to be speaking
firsthand about what he’s done with the product. John Smoker, Customer Solutions
architect at Aviatrix. And he’s a former Aviatrix customer before he joined
Aviatrix. And then last but not least, James Devine, coauthor of the AWS
Certified Advanced Networking Official Study Guide, former AWS Human, and now
another one that has joined the Aviatrix team. Please enjoy this show.

[00:01:28.160] – Ethan
James, welcome to the show. First question to you, the problem of visibility
when I have moved my infrastructure to public cloud because as an enterprise
guy, I am used to really owning everything, being able to see everything, have
my monitoring systems that tell me all the things that someone asked me a
question I can say, yeah, it’s this see the thing that’s out of range or
whatever the problem is. But with public cloud, I feel like, well, maybe that’s
the question James. How much visibility am I losing as I move Ops into public
cloud?

[00:01:59.020] – James
You know, a lot of folks think that they’ll get that same level of visibility in
the cloud, but actually, the constructs are quite different. You can’t plug in
network switches and taps, you can’t just set up NetFlow on routers. In fact,
there aren’t even routers. We’re working on the overlay network on top of the
providers. So you actually do lose a good amount of that ability to do physical
tapping and put devices in the network and run NetFlow and all of those things
that you’d really just expect to be there.

[00:02:25.280] – James
And the provider will tell you if you’re in AWS, we have flow logs. If you’re in
Azure, there’s traffic flow or there’s traffic logs, we got you covered. And
it’s not. Like essentially you’re getting allow and deny list and what you do
with that and how you use it becomes really difficult. Like, how do I take flow
logs across 100 different accounts and aggregate them to get an actual holistic
view of my network? Not an easy problem to solve, actually.

[00:02:49.200] – Ethan
So where are you taking us down the road here. You said that we have you
covered, as in Aviatrix, and I think what you’re getting to is the CoPilot
product. Is that right?

[00:02:57.880] – James
Yeah. So certainly we do. And the provider will tell you they have you covered,
but then kind of mislead you and send you a bunch of blog posts on how you can
kind of stitch these things together. I don’t know. Many network engineers that
I’ve talked to that know things about deep analytics and all of these
services that you need to stitch together to get an end-to-end workflow that you
can just do on-prem. It’s not really an analogy.

[00:03:21.370] – Ned
Yeah. James, if I may, I know AWS is notorious for this. They’ll say, oh, yeah,
we can solve that. No problem. But what they actually give you is 16 of their
solutions that have been cobbled together with Lambda scripts, and you’re just
now responsible for managing that entire mess. And they go, Well, we do have a
solution. You can use it. Yeah, you can use it. But it’s going to require a lot
of admin overhead on your part. So I’m assuming A, your solution has little less
admin overhead, and B, it’s going to work in more than just AWS, right?

[00:03:53.600] – James
Ssh, totally. Yeah. That’s the benefit of our platform. It’s multicloud aware,
pick a cloud and deploy our infrastructure, and then get the visibility. We do
NetFlow by default. So all of our gateways that we deploy for our data plane
are actually exporting NetFlow directly to our NetFlow collectors that we call
CoPilot. So we have deep insight, and we’re actually quite uniquely positioned
to have really deep visibility across your entire multicloud network.

[00:04:21.080] – Ned
Okay. So if I have multiple cloud presences, is this something that I need to
install a bunch of agents everywhere, or is it something a little bit lower
touch than that? Because I know that can be a difficulty is getting things
rolled out in all the various accounts and subscriptions I have across all my
different cloud presences.

[00:04:42.180] – James
Yeah. And that is a common concern we hear from customers. And the good news is
we do all of that automation for you. So we’ll build out our gateways, we’ll
update your route tables. In fact, I’ve deployed in clouds that I’ve never
logged into GCP and configured anything. I’ve deployed network infrastructure
into it. So that’s the power of our platform, for sure.

[00:05:01.940] – Ned
Yeah. If you’ve ever logged into the GCP portal, you might have regretted it. So
I think not having to touch it is actually a bonus. That’s pretty awesome.

[00:05:12.180] – John
Yeah, just to speak to what James was saying there and kind of give some context
that might resonate with some folks when I was an Aviatrix customer. So on the
other side of the fence, prior to bringing Aviatrix in, we had actually spent
developer cycles on putting together our own visibility tooling because of what
was lacking from the cloud provider. And of course, it was time we spent. It was
very specific to certain infrastructure that we had and very specific to the
cloud that we were in.

[00:05:48.850] – John
And so once you’ve done that, if you want to expand, well, now you’ve got to do
all of that work over again.

[00:05:56.980] – Ned
So that was a custom solution that your developers actually wrote in house, and
you were responsible for maintaining it yourself. What did that look like if you
were rolling out a new region or a new account, how much work did you have to do
with your custom solution to get that integrated into your monitoring?

[00:06:17.490] – John
Yeah, it was, as long as you were in the same region, we had many accounts. And
so we had made it work such that each development team could deploy that and
get that visibility for themselves. But again, if they wanted to use a different
cloud product offering, it would have to be tweaked for that. Maybe it doesn’t
work with RDS or some other thing that we hadn’t accounted for. And so you have
constant care and feeding.

[00:06:52.180] – Ned
Right. And clouds are constantly introducing new services and features that
developers are like, oh, I want two of those. So now you’re on the hook for the
monitoring aspect. So it sounds like you kind of gave up on that a little bit.
Or at least you tried some other products and this Aviatrix CoPilot was the one
that you landed on?

[00:07:11.470] – John
Well, even before CoPilot was out, we brought Aviatrix into the
organization. We brought Aviatrix in originally for VPN and expanded from there
because of all of the other things it gave us. But just right out of the box,
Flight Path gave us much of what that tooling had given us previously. Just
end-to-end, can this thing talk to that thing? And what Flight Path gave us on
top of that, was this is why you can’t talk from this thing to that thing.

[00:07:43.500] – Justin
We did use, Ned, as you said, the Amazon services. It was always my joke that for
an extra nickel or $0.25 they’d give me some flow log or give me some extra
feature. And before long, we found, you know the cloud was always supposed to be
cheaper. Before long, we saw it to be really expensive. We were fortunate enough
to be able to take advantage of CoPilot, here where I work now, and being an old
timer, 25 years in on-premises NetFlow, using all those types of Cisco devices
and things like that, I really was not wanting to move to the cloud.

[00:08:18.070] – Justin
I was fighting it tooth and nail. But using CoPilot with Aviatrix, it’s been a
real enjoyment to see to just be able to see those source and destination ports
coming through those controllers. Being able to pick up all those even down to
everything having a Geo to it so I can see the countries I’m going to. When you’re
on-prem, you don’t. You don’t worry as much about that because you kind of
control the edge and you kind of control that a little better. With AWS and its
scalability, you find more.

[00:08:49.410] – Justin
At least we do developers wanting to spin up their own stuff, so it becomes a
lot more kind of this scope creep type of thing. But the flow IQ that they have
in that product has really been enjoyable. Plus some of the things like they
have a topology replay where you actually can go back months and actually see
every change up down. Like if we have down, like a controller or gateway, that’s
having some issues, I can go back and say, okay, over the past three months,
this has been down ten times.

[00:09:23.840] – Justin
And see why, go actually go look at the changes throughout that period and
actually replay the topology changes within our network in the cloud, which is
really impressive for us to be able to do that as well.

[00:09:35.490] – Ethan
So Justin as an end user of the Aviatrix Copilot take us, let’s go back a step.
I want to understand what this is because we started out saying, hey, flow
collector and flow collector, I think for network engineers, brings in a certain
kind of image in mind. You’ve got metadata about a flow and here’s these stack
graphs and different things like that. Sometimes you can drill into them and
sometimes it’s helpful and sometimes it’s okay. But then you said topology and
history, and so it feels like this is more than just a flow collector.

[00:10:05.660] – Justin
Absolutely. So CoPilot at least of my perspective, the Aviatrix crew there can
explain it more, but from an end user, it’s more as its name. It’s really meant
to be kind of your copilot along your journey and quickly see things from a
dashboard GUI type thing. So there’s quite a few, quite a few terminologies and
technologies. There’s a dashboard when you log in, that kind of lays out what’s
up, what’s down, what’s connected, how your overall multicloud looks from your
Azure or AWS being a multicloud for us, being able to see how that overall
looks.

[00:10:42.620] – Justin
And then as you kind of see things are up or down or you need to look in deeper,
you can go into the flow. It is very easy to look at. You don’t have to be a
network engineer to do it. I think they kind of roll it around there, but you
can drill down often drill down and actually pick two endpoints or pick two
technology as protocol or service and actually start to drill down and look at
that a lot deeper in some things. I don’t like what I see.

[00:11:10.240] – Justin
Like, hey, I’ve got something talking to China and I’m like, what is that? I’ll
drill down. I kind of get that anxiety, that pressure, and I’ll drill down and
like, okay, you that’s something they expected, but they also have built in some
newer things. I’ve been a copilot user for about 16-18 months, was a beta user,
one of the first there and kind of rode into production, but they have recently
added the ability to actually see threats through those controllers. Some of the
ideas, basically, that each one of your networks has a controller in there.

[00:11:42.780] – Justin
And so we can see the data coming back and forth as you get that east to west
type traffic. And actually to be able to see hey, these are some bad IPs on a
block list or dynamic. They have some reputation to them that are not good. Your
machines are talking to those, and being able to actually see that
vulnerability, that protocol is really helpful to us as well.

[00:12:03.320] – Ethan
So CoPilot then, is your visual look at the entirety of the network, all of your
Aviatrix endpoints, all of your presence in the cloud. It knows topology. So
that tells me you could do something like, show me the path that this flow is
taking from AWS to Azure or something like that.

[00:12:23.080] – Justin
Absolutely. It will for us. We can actually point at an instance. And like an
EC2 instance, figure, looking at AWS, or a virtual machine or those type of things,
you actually point an instance. And on two points that actually see the latency
to see the path it takes to see the trend, which is really cool. Like, if I want
to see hey, is this thing starting to spike at midnight or 2:00 a.m.? What’s
going on? And then drill down to that a little better, but yeah, endpoint to
endpoint.

[00:12:51.670] – Justin
It draws out a nice graphic for you. Kind of the old school flows. You remember
how the old school flow graphs look? It does that as well, but also it can be a
very simple here’s the route it takes, here’s all your ACLs pass, all your
security groups pass. Those type of things look good. So you might want to dig a
little deeper and get more into maybe what third party or something out there is
blocked. It’s pretty neat.

[00:13:17.110] – John
I like to describe it as your Visio diagram or your Lucidchart that’s AWS
always up to date that you can troubleshoot right from within the diagram.

[00:13:27.950] – James
It was actually a big ask when I was at AWS talking to customers. What does my
network look like? How do I even know? And I always had to say, well, you know,
there’s third party tools out there that will do that, but it just wasn’t seen
as something that needed to be in the platform. So it’s not and you’ll see, some
of the CSPs do have it, but it’s very rudimentary. So we not only have the data
plane since we know how to make API calls into all the clouds, we get a lot more
visibility and insight into all of these things.

[00:13:54.330] – James
Kind of all under the CoPilot product, and that’s just kind of the day two
operations part of our products, whereas we have a product that does the
controlling infrastructure, the controller, the CoPilot is the visualization
object. It’s hard to show that on a podcast. It’s a really compelling demo,
especially if you’ve seen other tools out there. It’s really nice, but we can
always set up demos with customers, and we share that a lot, and we’re rapidly
innovating on it as well, which is really exciting.

[00:14:24.560] – James
We just recently came out with Threat IQ, the feature that Justin was talking
about. And it’s actually really nice because we’re in the data plane. We’re
seeing all of the traffic going through the network within a cloud, within a
region between clouds. We see all of these data flows. We can actually alert on
malicious IP addresses. So if there’s bad IP ranges. So the first release that
we’ve put out, it’ll do kind of that alerting and let you know what’s going on,
and then the Sky’s the limit.

[00:14:52.170] – James
From there, we can actually go in and in the future, be able to do block rules
and add more capability to be proactive about security as well. So we take that
really seriously. It’s a nice feature.

[00:15:02.140] – Ethan
James, a couple of questions. The first one is when you were at AWS and people
were asking for some insight, you were like all these third party tools. Why
didn’t you just shame them and say, first of all, buy my book, second of all,
what do you mean, you don’t know your own network? I mean, you could have gone
down the road. It would have been fun, man.

[00:15:18.520] – James
Yeah, we always tried to be customer obsessed, and I didn’t want to push it. I
didn’t get any royalties on that book.

[00:15:25.300] – Ethan
Even if you got royalties. Hey, how much would those have added up to? Not much.
Let’s face it, not much.

[00:15:30.840] – Ned
Yeah, we don’t write books for the money, that’s for sure.

[00:15:33.560] – James
It’s a labor of love.

[00:15:35.680] – Ethan
Another question here about latency. Latency monitoring, I was triggered. It’s
one of my favorite topics, isn’t it, Ned? I know, I’m sorry. But can I tell hop
by hop what my latency is? Is it end-to-end? How do I get a latency
measurement from CoPilot?

[00:15:50.830] – James
Anywhere we can measure latency between our gateways, we show that those
latencies you can see within a region between regions between clouds. We also
We also, for what we call the site-to-cloud VPN connection, can monitor the
latency on that type of connection as well. And then our feature called App IQ,
that’s a feature of CoPilot. So anywhere that we have a link, so be it from
gateway to gateway across clouds, across regions within clouds, and also our VPN
connections to on premises and other locations.

[00:16:23.900] – James
We can track the latency on all of those and show them real time. And then you
can pick two source and destination in your network throughout the topology, and
then we can actually map out that entire data flow and then show you the
latencies along each hop. So it’s a really good way. Someone complains, my
application’s slow. The first thing they’re going to say, it’s the network. So we
can show a map and say, Well, it’s not the network. Maybe it’s the application
kind of back and forth between app and networking folks.

[00:16:53.700] – Ned
Another interesting thing that I pick out from that is not just the latency
aspect, but when you’re trying to figure out why two things just can’t talk to
each other, and there are some rudimentary tools in AWS and in Azure that will
let you do sometimes endpoint to endpoint within the same cloud. But when you’re
trying to troubleshoot across two clouds or down to on-prem, that’s super
complicated. So it sounds like that’s something that Justin, you’ve used this
before, is to troubleshoot getting out of the cloud, down to whatever instance
you’re working on. Can you tell me a little more about that?

[00:17:27.060] – Justin
Of course, that’s one of my favorite things that saved me more times than I can
count, because when I started building out cloud for us, nobody wanted to touch
it. And then once I get it all done, everybody wants their credit for it and the
glory of it. So they’ll spin up an EC2 instance, a perfect example. They’ll
spin up an EC2 instance and put a security group there that doesn’t allow what
should happen. And then they tell me the network’s broke, something’s wrong.

[00:17:53.340] – Justin
Nothing can talk that type of emergency, and being able to use CoPilot or Flight
Path like John was saying and actually pull up those two instances. Okay, here’s
a starting point. Here’s an endpoint that you just built and actually look and
say, hey, it’s because your security group is blocking it. So it’ll actually run
through a number of checks and say, hey, your route is good. Your security
groups are good, your ACLs are good, the network is fine. And if one of those
doesn’t pass, then, you’ll know, immediately it’ll say a big red box say, hey,
your security group’s bad.

[00:18:25.840] – Justin
And then I just call the guy and say, hey, why you open that in your security
group, you’ll be fine. And they’re, oh, how’d you do that? You know? And of
course, I take all the credit and don’t tell them I have Aviatrix, you know, so
it works out well.

[00:18:36.460] – Ned
Oh, that’s great.

[00:18:37.430] – Ethan
Justin, to qualify that you said security groups, are we talking cloud native
AWS security groups or Aviatrix security group magic?

[00:18:45.020] – Justin
We’re talking AWS. It’ll actually, those basically open port, source,
destination port security groups.

[00:18:52.980] – Ethan
Well, Justin, thank you for the look at CoPilot. I’ve got a pretty good image of
this in my mind here. And this is one of those things where if you’re a
network engineer and you’re used to that on-prem world, and you want to have all
the tooling that you have and you’re used to and you’ve had for so long in the
cloud. This is a way to get it with CoPilot, but now I want to move us to the
future. Justin, well, I don’t know.

[00:19:15.820] – Ethan
Is it the future for you? Automation? That’s the big question here. How have you
guys done with network automation as you’ve headed up to public cloud?

[00:19:23.710] – Justin
That’s a great question. Yes, automation is the future, because as most IT
groups, they never give me enough hands. And I’m only one person, and cloning is
not working well yet. So I do need to automate some features. Absolutely. And we
do have a little bit of automation in our network around Palo Alto type things.
But fortunately, I’ve been talking to Aviatrix about using Terraform for ours
because we’re spinning up new accounts, new VPCs, sometimes twice a day, and
with just a small group, with all we manage it’s hard.

[00:20:01.900] – Justin
So our goal, and I know John could talk more about this. Our goal is to
basically use Terraform, use automation to, hey, trigger, do some trigger
through some tickets, instance, type things, and actually do all that work for
us and be good there.

[00:20:17.750] – Ethan
So before we get to the specifics then Justin, can you describe the set up where
you see automation being used? As in you got tickets coming in describing some
kind of work? Is that like someone spinning up a workload and you need to do
some sort of network provisioning in conjunction with that? Or is it like you
got to pave the road ahead of time sort of thing, like we’ve done historically.

[00:20:38.150] – Justin
A little bit of both. So it’s really for us and our environment is, as we scale
adding new accounts, so they’ll spin up an account in AWS or in Azure and need
actual network, whether it’s like a VPC or some sort of virtual private cloud
there. And in order for that to talk to other things, some action has to be
taken. If not, they won’t be able to remote into their EC2 instances or into
their VMs. They won’t be able to do their work, get to it access.

[00:21:09.290] – Justin
We won’t be able to talk to other functions, databases and things like that. So
where we’re heading is actually allowing our ticketing system. They will open up
a ticket and say, hey, I’ve opened a new VPC or a new account, and they actually
use Terraform and Aviatrix actually do that connection for us. And from that
with that automation, we don’t have to actually go into the UI. The UI is really
good. It’s easy.

[00:21:33.980] – Justin
I’ve used it for 50 plus accounts, but it’s really easy to go in and actually
join those. You just do a Terraform, I mean a CloudFormation script and
actually just pull that in there and it’ll onboard the account. It’s really easy
to name it a few things, but automation would save me a lot of time during the
day.

[00:21:52.600] – Ned
Yeah, I don’t know about you, but I’m a terrible typist. So doing anything in
the UI more than once is just a bad idea. I’m just inviting horror to myself.

[00:22:04.100] – Justin
Ned, do you have this problem where you’ll name it one way and then you’ll forget
how you named it on the next one? And so even my standards, my tagging gets
messed up, and I’m like, oh, capitalize this. And that’s where the automation
really helps for me.

[00:22:17.470] – Ned
Justin, I feel seen that. I really do because I can never remember. Oh, did I
name it VM name and then region name and then country name or did I do it the
other way? And it’s like, no, I put it in automation, and it just does it the
same way every time. Set the standard once. Let something else worry about it.
That’s what I’m looking for when it comes to automation.

[00:22:37.633] – Justin
I feel you there.

[00:22:39.320] – John
And once you go down that path, it’s really addictive. Once your infrastructure,
it not only just named the same, but acting the same. You’ve written some code
and you’ve deployed a development network and then use that same code to deploy
your production network. And you have that confidence that you can build
networks over and over again, and you know that they’re exactly identical.

[00:23:04.340] – Ned
So I’m curious in terms of workflow, you have someone come in and they want to
get something done. So they go into a ticketing system, they open a ticket, and
I’m sure you’ve given them some fields they have to fill out. Once they’ve done
that submitted the ticket, where does it go from there? Do you have to sanitize
inputs? Are you plugging into specific APIs? Like, how does the workflow go from that
ticket to actually realizing what they want?

[00:23:28.020] – John
I think you have to. It depends on which workflow you’re talking about. And I
know when I’ve implemented this as the customer, this kind of thing, I wanted to
just expose to the ticketing system or the repository those things that the
person making the request cares about and write the code in such a way that it
just takes those as input, drops them in where it needs to go, and the
automation runs from there. Just an example of this was we had an automation
pipeline for user onboarding.

[00:24:06.510] – John
Nothing to do with the networking team, but user gets onboarded. And just out of
that system, we were able to hook in Aviatrix’s VPN Terraform such that it would
just drop a person’s email address and what group they were in. I belong to the
sales department, and the Terraform would just go out and apply that
configuration and give that person VPN access and set them up with the access
that was reasonable for somebody on the sales team. That was different than
somebody who was getting VPN access that was part of the IT team, much less
access for somebody on the sales team.

[00:24:53.550] – Justin
And for this, when we’re talking Aviatrix, in AWS and the cloud, you can go a
few ways to get your network kind of connected. You can go a transit gateway, or
you can go the old school what they call an IPsec transit, which is basically a
bunch of IPsec tunnels that cut you some east to west type traffic. Aviatrix has
what they call now the Aviatrix Transit, which basically puts these controllers
at the gateway at entry points. And whenever a new account needs to come on, a
new VPC, see a new virtual private cloud or new subnets, you can actually
automate those.

[00:25:31.460] – Justin
And our goal is to actually automate those. So it spins up those gateways
at the edge there of that new virtual private cloud and makes that connection on
the back plane to the rest of the network. So basically, it’s like spinning up a
multi-site or another site, another facility, if you use an on-prem type thing,
that MPLS or whatever it might be.

[00:25:50.860] – Ned
Okay. And so are you hooking into an Aviatrix API to do this, or are you
directly going to Terraform? So what’s the interaction there when it comes to
the automation component?

[00:26:02.220] – John
You have those options, right? You can hook directly into the API if that suits
your needs. Obviously, we recommend Terraform and our official Terraform
provider, which sits on top of the API. It’s calling the API underneath. We
recommend that for sure, as if you can use that. But there are certainly use
cases where you can just go to the API directly.

[00:26:27.180] – Ethan
Wait a minute, John. You’re hedging on the API. Is this documented? And I can
use the API. And it’s all cool because you’re like, but use Terraform. What are
you trying to say, man?

[00:26:38.090] – John
No, absolutely. We definitely publish our API spec for customers. And then, like
I said, Terraform is just we build that with feature parity with what’s in the
UI, and what’s in the API.

[00:26:55.060] – Ned
Okay. Got you. So if I am in a shop where I’m already using Terraform to a
certain degree, it’s very easy to integrate Aviatrix because it’s another
provider, and I’m pretty familiar with using those. Not a problem.

[00:27:08.150] – John
100%. When we moved from using the CSPs’ NAT gateways to Aviatrix gateways, we
already had a pipeline built with Terraform to do that for all of our accounts.
And so it was just as simple as taking out the Terraform that did the Cloud
native gateway and putting in the Aviatrix Gateway and running the same
pipeline. We had very little effort to make that switch. We definitely recommend
Terraform because I think of Terraform as being the network automation
multicloud specialist. Just like Aviatrix is the multicloud networking
specialist. Right?

[00:27:51.530] – John
It really goes hand in hand. So once you learn the skills around how to write
Terraform code, you don’t have to relearn that for a different cloud. Each cloud
has their own infrastructure as code platform.

[00:28:07.380] – Ned
Right. Yes. Familiar with all of them. And to varying degrees, they are
successful. Here’s a point. If I’m using Terraform to deploy networking to, say,
AWS and Azure, I’m using Terraform to do it. But I’m using different providers,
and I still have to understand the constructs that exist in AWS and Azure. And
anything else I bring in. Is there anything about the Aviatrix provider that
further abstracts some of that for me? So I just have to understand how Aviatrix
works. And now I’m good on all the clouds.

[00:28:37.100] – John
Yeah, for sure. So when you’re using the Aviatrix provider, you’re not going to
the cloud directly. You’re going to the Aviatrix controller, and then the
controller is orchestrating all of that. So our resources are built in such a
way that it’s really just a matter of kind of defining what you want, what
gateways or your network architecture you want. And then it’s just parameters
that say, do this in Azure, this and do this in AWS. And we even package up some
of the concepts and architectures into Terraform modules that we publish as
well.

[00:29:17.410] – John
And you can just pull those off the shelf, and it’ll just do very specific
things. It’s kind of an à la carte, pick what you need and deploy.

[00:29:26.720] – Ethan
As in I pull, basically, I pull the recipe from you, deploy it, and it builds
out some canned topology for me.

[00:29:35.120] – John
Exactly. Right. And in some cases, that will be exactly what you need. And in
some cases, that will be a model by which you would then customize to your
needs.

[00:29:46.500] – Ethan
Deploy the model, and then tweak it for whatever the bits are I need from there.

[00:29:51.730] – John
Exactly.

[00:29:52.960] – Ethan
So how do I get that stuff at all? Is that GitHub? Is that up on Aviatrix’s
site? Where do I get all that stuff?

[00:29:59.140] – John
Yes, it’s all of that. So as an official Terraform provider. You go out to the
Terraform Registry, you see all of our resources, all of the modules that we
publish with links to GitHub on the back end, like the actual code you can also
go look at.

[00:30:19.120] – Ned
Right. So if the module you published is close, but it’s not quite there, I can
clone that module and customize it for my organization, and then either host it
on my own GitHub. Or I think you can now publish back to the Terraform Registry
if you sign up for an account or something like that.

[00:30:36.920] – John
Exactly. Right. For sure. Or you could just keep it to yourself locally if you
want it, if you don’t want to share, you’re embarrassed.

[00:30:45.840] – Justin
Or if you’re like me, who’s like a bull in a China shop when it comes to
Terraform, I say, hey, John, can you help me? And John says, sure, I’ll help
you. They’re really good about helping us old school, hate the cloud. Why is the
cloud out there? I think.

[00:31:05.160] – Ethan
Justin, how far are you in your mind from getting to the fully automated state
you’d like to be?

[00:31:11.300] – Justin
We’re not as far as what I want for sure thought was attainable. I mean, I’d say
we’re really close. We finally have a stability. Sometimes it’s more of my
uncomfortableness of actually automating things, because I’m like, Do I really
want to trust what it’s doing? Because what if it wipes everything out and then
I have to work all night to manually rebuild that thing? But the hold up is not
the technology. The technology is there, Aviatrix does a great job with
resources. They’ve asked me many times, Can we help you automate this?

[00:31:42.160] – Justin
I don’t think I’m quite yet ready, but the more work comes, and I’m like, okay,
I need help. I think it’s more just me becoming comfortable. I don’t think
there’s any hold-ups. Even as chaotic as our network sometimes might look from
all the different tweaks and the different custom stuff. It’s easily done. It’s
just taking that step.

[00:32:04.980] – Ethan
Do you have a lab environment or some way that you’re testing this out to help
get that comfort level?

[00:32:10.990] – Justin
Well, yeah, I probably should. Let’s just say I’ve broken a lot of stuff. How’s
that? And then it’s like, okay, why is that broken? I ain’t telling them I was
playing with this for that, but we probably should. We’re getting there. It’s
really for us. It’s been a whirlwind. And I think that’s probably a lot with the
cloud. They don’t want to wait. So it’s always quickly. And so I figured out on
the fly, and then when it just becomes overwhelming is when I look to do stuff
like that.

[00:32:39.040] – Justin
But yes, absolutely. We should probably have a lab environment. Yes.

[00:32:43.760] – John
Did I mention a Terraform modules that you can just pull off the shelf and spin
these things up?

[00:32:50.730] – Justin
You did you did. So don’t call John? I think that’s what he said. Don’t call
him.

[00:32:56.190] – Ned
I’m curious how much you’re using it to spin up the initial infrastructure
versus ongoing maintenance and changes, because that’s one of the big challenges
I’ve encountered. Is it’s easy to spin it up in a vacuum, right. I don’t have
anything that exists. But now someone wants to go in and tweak something and
they don’t tell me. And then I go to try to run my Terraform config to update.
And it’s like there’s all these changes Terraform doesn’t know about. Have you
run into that problem, or are you working through that now?

[00:33:22.360] – Justin
So for us, yes. That’s a good point. I mean, we do have some Terraform. Like I
said, with our Palo Altos and things like that. And I have run into that a lot,
Ned, where somebody will change the load balancer or something. And then I get
that dreaded. What’s different when it goes to the environment? The thing I
found about Aviatrix is, it is pretty self-learning in a lot of ways. To that,
I’m sure, James and John can expand on that. But if we add a subnet, it will
pick those up.

[00:33:49.220] – Justin
If we add certain things. Once that’s there, it’s not like something where I’ve
got to manually take care of a route table in AWS with the transit gateway, you
got to manually update those routes. Can get very hard, with Aviatrix it’ll
actually see if I had a new subnet. If a new route comes on, it will learn that
automatically for me and start applying it where it needs to be so very little
tweaking like that. If a new VPC comes up, you do have to run it to join that
kind of bring it on to the network.

[00:34:17.450] – Justin
But from that point, the tweaks it will learn pretty sufficiently, failover,
automatic things of that nature. So it does cut down even, Aviatrix cuts down
a lot of the need to constantly be an error fixing, adjusting things that
somebody else has done.

[00:34:31.600] – James
Also, all the manual work that’s error prone.

[00:34:34.920] – Justin
That’s true.

[00:34:37.240] – John
Yeah. And I think, Justin, for you particularly here, what I’m hearing is maybe
a hesitance to maybe you don’t know where to start. And that’s what’s kind of
beautiful about Terraform and our use of it is that you really don’t feel that
you have to automate the whole thing, end to end, data plane, control plane,
security segmentation, like all of this stuff. You really don’t want to, because
then that’s kind of all your responsibility, right? You can just pull off pieces
and do what makes sense and do more over time and kind of bring it all together
and build pipelines and workflows that are managed not by you necessarily.

[00:35:27.210] – John
Like I mentioned the user VPN, I handed that automation off to the folks who did
user onboarding and they took care of it, and then I didn’t have to worry about
it. And so it’s really easy to kind of start small and then build out over time.
Terraform even will allow you to you have resources that are deployed that you
then want to bring under infrastructure as code control. You can import that
into Terraform and then start building your pipelines around that, even though
originally you built that infrastructure by hand.

[00:36:01.550] – Ethan
John, I love that you’re just saying pipeline and pipelines throwing that word
around, because back in the day, what pipeline meant was ticket, me, change
control, approval, maintenance window, me, testing, it’s working. Yes, I can go
home now. Close ticket. That was pipeline. And what you mean by pipeline is such
a different animal.

[00:36:22.720] – John
Now, what I mean is when a developer wants a firewall changed because they know
what their application needs to talk to, I don’t have to, as the network
operator, I don’t have to be the one responsible for deciding whether that’s a
good idea. I can put that off on the security folks who actually have that
responsibility and make them do the approval and then have that automatically
applied and take the me out of all of that that you just described.

[00:36:54.130] – Justin
Unless you’re at a job like me where nobody wanted to touch the cloud. So now I
am cloud architect. Cloud security. On-prem security later. So it’s like it’s
all me. Now.

[00:37:06.440] – Ethan
There’s some conference room or some email chamber. You raised your hand,
Justin, and you can point to the day now you’re the guy.

[00:37:15.460] – Justin
And Ethan, can you imagine the inner dialogue I have? There were guys like, just
allow him, so I don’t have to hear him complain anymore. And the security guys
like, no, you can’t do it, you know, and it’s a mad mess in my mind for sure.

[00:37:28.040] – Ned
That brings up an interesting perspective, which is the DevSecOps perspective,
where security is intertwined with the rest of this pipeline and everything
else. Is there anything on the Aviatrix platform that helps look at a proposed
configuration you might be trying to run with Terraform or something and picks
out? Oh, that’s not such a good idea from a security perspective, or the
security team can review it before it actually gets applied to your environment.

[00:37:53.540] – John
So from my perspective on that, James, I don’t know. Maybe you want to chime in
about Flight Check, but what I was describing a pipeline where someone with the
developer persona wanting changes to firewall rules and actually doing a pull
request, a GitHub pull request, actually modifying the code, which I had written
in such a way that abstracted them from the actual Terraform resources. They
just needed to go update the I want to talk to this thing on these ports. And
once that pull request was generated, that would automatically alert the
security team who had to approve prior to merging of that code and the merging
of the code was the, there was automation in place to implement that code.

[00:38:52.240] – John
So from that standpoint, it’s not an automatic check, it’s not the product
validating, but it’s putting in a process that involves the people who are
responsible for that approval to force them to be there and do it in an
automated way.

[00:39:12.900] – Ethan
So it sounds like there’s not, like, integrated testing at this point. What we
could say, is there anything that sanity checking that is done before a change
is deployed?

[00:39:22.480] – James
Yeah, definitely. So one of the things that we do in the controller is that we
look at all of the IP CIDRs across all of the clouds and all of the deployments,
so we can actually let you know if you’re using our automation to create a VPC
or VNet, we can say, hey. Just so you know.

[00:39:37.400] – James
That CIDR already exists, it’s probably going to be a bad idea to do that unless
you’ve segmented your network and you have separate different types of paths.
But, yeah, we’re looking for that networking correctness. And evaluating it in
part of our controller. And in fact, we can alert on that, too. So if someone
did go ahead and do something like that. We could send the alert out.

[00:39:55.840] – Justin
And Ned, Ethan, one of the neat things that really drew me to Aviatrix was I
really was struggling to get East West traffic in AWS. It was really hard to get
those cross VPC, what is talking to what type traffic, and Aviatrix has a real
nice solution to deploy basically East West firewalls, and you can use various
different products, but it’s baked into their product. And so a lot of the
security checks for us is actually built into our firewall rules. So even if
somebody spins something up and it somehow got run to connect, our firewall
rules that govern that East West would protect us.

[00:40:33.300] – Justin
So some of that is baked if you do the firewalls and stuff just comes up on the
network. Aviatrix gives you that East West inspection. And beyond that, they
also have I’m sure James could talk to it, but one of the neat things is they
have actual not just you can actually segment by what they call domains,
security domains. So you can have a Prod domain. You could have a Dev QA or
whatever. And you can say these accounts can talk to these accounts. These
virtual private clouds can talk to these, whether it’s multicloud or whatever.

[00:41:02.220] – Justin
And if something comes up and tries to jump over that, that’s going to be a
hard, basically route block on them. It’s really nice.

[00:41:09.590] – Ethan
This has been a good discussion. It’s one of those things where as you begin to
spend time in the public cloud and you run into the shortcomings, you hear a
solution like this and go, okay, this is filling out a lot of the blanks for me.
So Aviatrix, thank you for coming on the show. One remaining question I really
have, James, is this, this feels like I don’t want to say a heavy lift, but
there’s a lot here to implement if I want more, what are my resources from
Aviatrix to help me get this thing rolled out in my production environment?

[00:41:39.200] – James
And I would say a lot of our customers get up and running quickly. In fact, I’ve
never seen a provider put out a proof of concept and have it up and
running in like 10-20 minutes, or certainly under an hour if everything’s going
good. So we do POCs with customers all the time, and we are here too as
resources. And I think Justin can attest to that we love our customers. We give
them lots of support, even when they’re coming up with the most insane NAT
scenarios you’ve ever seen.

[00:42:08.480] – James
We’re able to do those and test them out. We’re here to support that kind of
being the Swiss Army knife of capabilities for the cloud and solving these
complex problems that are unique and pervasive enough that we can solve them,
but they’re hard to do at the CSP scale. So I think that we have a good future
there and be relevant. And we also offer training. We actually have our Aviatrix
certified engineer. I think we’re up to over 12,000 certified engineers now. So
that’s been a really successful program.

[00:42:37.860] – James
We have an associate version of that that we typically do for free. We have a
professional version that’s kind of in classroom virtual type of certification
as well. And we’re expanding to even more certifications as well. We have a
DevOps cert, and we’re looking to add more to and expand that. And that’s a
multicloud certification too, our associate one. You learn about all of the
major cloud providers. And actually, it’s not anything about Aviatrix. It’s the
professional course where we start getting into the Aviatrix platform and how to
use it.

[00:43:07.500] – James
In addition, we have professional services, and we can certainly provide our
kind of hands on the keyboard type of support. And we have great people that do
that. That’s my next call that I’m on. They’re great with helping the customers
come up with options and think through everything, because it’s easy to as you
go into cloud. I’ll just check this box and don’t think about it or I’ll just
deploy this and don’t think about it. And then that becomes difficult. So we’ll
help you think through all those options to come up with the best architecture.

[00:43:35.540] – James
And then we also have our CCoE, our Cloud Center of Excellence, where we can
actually do kind of like a staff augmentation if you need more dedicated support
on your team, we’re really here to help customers be successful and deploy their
cloud network. That’s not something you want to get wrong. You only get one
chance when you’re going into a cloud to do the network right.

[00:43:52.620] – Ethan
Great stuff. Thank you again, all of you for joining us today. James Devine,
John Smoker and Justin Payne for having this discussion about Aviatrix, the
CoPilot product, and many of the automation tools that are there. If you’re
listening and you want to find out more, Aviatrix.com. They are on Twitter at
AviatrixSys and on LinkedIn as Aviatrix Systems. Now, if you’re looking for more
technical discussion, you want to dive into more about how Aviatrix works on the
back end, there are more Aviatrix shows in the Packet Pushers catalog.

[00:44:20.470] – Ethan
If you go to packetpushers.net and search for Aviatrix, a whole bunch of
content is going to pop up, including Heavy Networking episodes 507 and 589.
Thank you to Aviatrix for sponsoring today’s show. And hey, you’re still
listening. There you are listening. Boy, you’re awesome virtual high five to you
for tuning in. You awesome human. If you have suggestions for future shows, we
would love to hear them. You can hit Ned and I up on Twitter. We’re listening to
you at day two cloud show.

[00:44:45.630] – Ethan
Or you can fill out the form on Ned’s fancy website, nedinthecloud.com. One
bit of housekeeping for you this week. Packet Pushers has a weekly newsletter,
Human Infrastructure Magazine. HIM is loaded with the very best stuff we find on
the Internet, plus our own feature articles and commentary. It’s free, and it
doesn’t suck. We don’t sell your soul, or give away your email or anything like
that. We just want to get you the newsletter each week. That’s all it’s about.
packetpushers.net/newsletter.

[00:45:10.180] – Ethan
And until then, just remember, Cloud is what happens while IT is making other
plans.



ABOUT ETHAN BANKS

Co-founder of Packet Pushers Interactive. Writer, podcaster, and speaker
covering enterprise IT. Deep nerdening for hands-on professionals. Find out more
at ethancbanks.com/about.


© Copyright 2021 Packet Pushers Interactive, LLC · All Rights Reserved