Category Archives: Multi-Cloud

Learnings from teaching multi-cloud networking and security to thousands

Last week was my 2-year anniversary at Aviatrix. I thought I would take a moment to reflect on my role and what it has meant to me.

I lead the technical enablement for the Aviatrix Certified Engineer (ACE) Training and Security program. When I joined the company, there were fewer than 500 certified individuals. I’m very proud to announce that Aviatrix has 18,000 ACEs just two years later.

  1. What’s the big deal about Aviatrix anyway?
  2. What’s the big deal about ACE anyway?
  3. What does ACE have in common with Peloton?
  4. ACE IaC – Bridging the gap between Developers and Network Engineers
  5. What are the desired outcomes of Customers in ACE trainings?
  6. What do our Customers think of ACE?

What’s the big deal about Aviatrix anyway?

Who are these 18,000 people and why did they invest their time in Aviatrix? For the most part, they represent Enterprise IT professionals who are facing a challenge of managing a multi-cloud infrastructure.

Earlier this year, I talked about it at length in a webinar titled ‘Getting Ahead in the Cloud: Use the Skills Gap to Your Advantage‘. In that talk, I identified some personas that I have typically encountered:

  1. On-prem networking professionals who need to adapt to the needs of the business in order to stay relevant. They know networking inside out, but since their company has recently moved to the cloud, network engineers find themselves having to play catch up.
  2. Cloud Infrastructure architects and engineers who need enterprise-grade networking with visibility, which is something the CSPs struggle to deliver because of their multi-tenancy model.

In general, they all come to Aviatrix to enable their business driver goals by adopting Public Cloud. These goals include:

  • Application turnaround and uptime – Just about every enterprise finds cloud a strategic enabler for their business. They move to the cloud to gain better agility and unearth new sources of revenue. This means that household names, such as Fortune 100 companies, are now technology companies. It doesn’t matter what industry or vertical they are in. But to get there, their applications need to be secure, highly performant, highly scalable, and highly available.
  • The massive skills gap in multi-cloud – Enterprises will adopt the best of each cloud to improve their business initiatives. And as soon as an enterprise goes multi-cloud, the IT team is put under immense pressure to re-tool with very little time.

Moreover, they want to adopt Aviatrix because they face operational challenges in the cloud such as:

  • CSPs disincentivized to support multi-cloud – That’s pretty obvious, but most important. Customers don’t want a different architecture for each of the 5 CSPs they are in. They want a single architecture that does it all.
  • Difficulty scaling out – Networking and automation have historically never gotten along well. DIY methods were hard enough on-premises. In the cloud, where they don’t have control and visibility, it is impossible.

Aviatrix offers enterprises instant benefits with multi-cloud optionality. Even in a single region of a single cloud, Customers get a unified control, management, and automation plane for all their accounts, subscriptions, projects, or tenancies.

What’s the big deal about ACE anyway?

Simply put, Customers pursue the ACE training and certification program because they want to learn more about Aviatrix in a structured and standardized way.

When I joined Aviatrix, there were 2 ACE tracks – Associate and Professional. ACE Associate is an introductory course that fast-tracks cloud networking knowledge. It covers cloud networking for all CSPs along with a brief overview of Aviatrix. ACE Professional is deep product training with a blend of lectures, labs, and design exercises, which is great for network engineers and architects.

However, soon after I joined, it was becoming clear that our Customers needed more. They wanted hands-on training for their operators, so that they could be enabled to do their job in the cloud with better insights and better visibility. They needed this so that they could solve problems very quickly and securely build their multi-cloud infrastructure.

What does ACE have in common with Peloton?

The result was ACE Cloud Operations – an 8-hour training with 10 labs that walks students through CoPilot, which is the Day 2 Operations component of the Aviatrix platform. I like to compare this hands-on ACE Cloud Operations training with a Peloton bootcamp, where there are efforts and recoveries for optimum performance. The labs are analogous to efforts – fast-paced and focused on troubleshooting. The lectures are analogous to the recoveries – a quick recap of what the feature is all about.

One of the best parts about ACE Cloud Operations is how certification is awarded. It is 100% based on how well the student did in their labs. There are no facts to memorize, and no exams to study for. We believe that the components of a hands-on certification should be hands-on. And this approach has been very well received by our Customers and Partners.

ACE IaC – Bridging the gap between Developers and Network Engineers

However, there was still something significant missing. For decades, network engineers have felt out of place when interacting with software developers. The problem typically starts from college when they feel uncomfortable with programming language courses. They are more at ease with data in transit (i.e. networking) than writing thousands of lines of code. I most certainly was like that in school, and thousands of Customers I’ve worked with are like that as well.

But nowadays when application developers are relying extensively on the speed and agility that the cloud has to offer, they find it very frustrating when networking and security teams are slow to respond to the needs of the enterprise. Networking needs to codify their approach to building in the cloud.

And often, just as soon as network engineers learn how Infrastructure as Code (IaC) works in one CSP (such as CloudFormation in AWS), they need to re-tool on very short notice when their company goes multi-cloud. This has happened with so many of my Customers. They need a cloud-agnostic approach. Enter Terraform.

We came up with ACE Infrastructure as Code (IaC) to bridge the gap between network engineers and developers. It is built on the principle of teaching DevOps for Network Engineers. We teach the concepts of DevOps, VCS, and CI/CD pipelines from a network engineer’s perspective. There are tons of free learning resources out there that cover these topics, but none that cover them so well for network engineers. This training assumes absolutely no prerequisite in programming, but we sprinkle it with just the right amount of Terraform.

There are 3 hands-on labs with the goals of Build, Enhance, and Secure in mind respectively. By no coincidence, they map out neatly to Day 0, Day 1, and Day 2 Operations. The 3rd lab also covers a soft skill – Collaboration, and why it is important for the various stakeholders of an organization (Network Engineers, InfoSec, and Developers) to work closely together to build an enterprise-grade network.

Perhaps best of all: this training is available for free to consume at your own pace. This is more appealing to Customers who have different backgrounds in programming. I am especially proud of ACE IaC as there is nothing like it in the industry.

What are the desired outcomes of Customers in ACE trainings?

New customers are typically more interested in use cases like

  • How to get unstuck with cloud-specific implementations (such as AWS TGW or Azure Virtual WAN) by building on a repeatable architecture – Aviatrix Multi-Cloud Network Architecture (MCNA).
  • How to secure Egress traffic by filtering FQDNs.
  • How to build a solution for remote users to VPN to their cloud network that is cloud-agnostic.
  • How to leverage Single Pane of Glass embedded Threat Intelligence.

Existing customers, on the other hand, are more interested in deeper integrations with SD-WAN vendors. This means moving more towards the edge of the cloud network and learning how Aviatrix can work more closely in the on-prem Data Center ecosystem.

Lack of Visibility and Control in native CSP offerings is something all ACE attendees are concerned with.

What do our Customers think of ACE?

I have delivered live instructor-led training on multi-cloud networking and security to over a thousand Customers and Partners. Self-paced ACE trainings have been consumed by over 75,000 students. And I read every piece of feedback in post-training surveys.

Instructor-led training has given me the opportunity to understand the pain points of our Customers. And by and large, they come to ACE trainings because they find it impossible to build a secure cloud infrastructure at scale, at a high performance, with visibility, and in multiple clouds without using Aviatrix.

The accolades I’ve received for ACE are overwhelming to say the least. Customers routinely make statements like this in surveys:

  • One of the best trainings I’ve ever had!
  • I use the skills I learned in ACE daily. In addition to providing training on Aviatrix products, the coursework took a deeper dive under the cloud providers’ covers. Thanks to this training, I have a better understanding of their underlay networks, which simplifies troubleshooting.
  • This post by a veteran in the industry.

It has been the most rewarding learning experience of my career and I’m excited with what lies ahead.

LastPass breach – Deja Vu all over again

Yesterday I got this notification from my Password Manager, LastPass:

The key phrase here is “unusual activity within portions of the LastPass development environment.” This looked too familiar.

One of the most well documented attacks of this nature is the SolarWinds supply chain attack in 2020. Although it is too early to say (the news just broke yesterday), it is very likely this LastPass breach is not much different.

We’ve seen this before on several occasions when hackers use a company’s development environment as an attack vector to inject malicious code. Often this is the case when an enterprise lets down their guard with their development environment and sacrifices security for cost. As a result, weakly secured controls allow the code to make its way into production.

Hence, it becomes critical to improve the security posture by segmenting East-West traffic. This is not easy to do. One could achieve this at a coarse level with network routing domains, but it is far more important to provide granular security – at an application level. This is what Micro-segmentation achieves – the ability to group applications together and then apply policy-based controls. Keep an eye out on how Aviatrix can solve that.
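To make the policy-based controls concrete, here is a small added illustration (not Aviatrix code) of how micro-segmentation evaluates flows: workloads are placed in application groups, allow rules are written between groups rather than between addresses, and anything not explicitly allowed, such as a build host in a development environment reaching a production database, is denied by default. The group CIDRs, rules and flows are constructed sample data.

```python
"""Toy micro-segmentation policy check (added illustration, not Aviatrix code).

Workloads are classified into application groups; policy is written between
groups rather than IP addresses, and anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample inventory: application groups defined by CIDR membership.
GROUPS = {
    "dev-build": [ip_network("10.10.0.0/24")],
    "prod-app": [ip_network("10.20.0.0/24")],
    "prod-db": [ip_network("10.30.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    proto: str = "tcp"


# Constructed sample policy: prod-app may reach prod-db on 5432; nothing else.
POLICY: List[Rule] = [Rule("prod-app", "prod-db", 5432)]


def group_of(addr: str) -> Optional[str]:
    """Map a workload address to its application group, or None if unknown."""
    ip = ip_address(addr)
    for name, nets in GROUPS.items():
        if any(ip in n for n in nets):
            return name
    return None


def evaluate(src: str, dst: str, port: int, proto: str = "tcp") -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single flow; default is deny."""
    sg, dg = group_of(src), group_of(dst)
    if sg is None or dg is None:
        return "deny", "unclassified workload"
    for r in POLICY:
        if (r.src_group, r.dst_group, r.port, r.proto) == (sg, dg, port, proto):
            return "allow", f"rule {sg}->{dg}:{proto}/{port}"
    return "deny", f"no rule for {sg}->{dg}:{proto}/{port}"


# Constructed sample flows, including a dev-to-prod lateral move.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.7", 5432, "tcp"),   # prod-app -> prod-db: allowed
    ("10.10.0.9", "10.30.0.7", 5432, "tcp"),    # dev build host -> prod-db: denied
    ("10.10.0.9", "10.20.0.15", 22, "tcp"),     # dev -> prod-app ssh: denied
    ("192.168.1.1", "10.30.0.7", 5432, "tcp"),  # unknown source: denied
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return (flow, verdict, reason) tuples."""
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, why in audit():
        print(flow, verdict, why)
```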

ACE IaC – Another Industry First by Aviatrix

Today Aviatrix launched the self-paced version of Aviatrix Certified Engineer (ACE) Infrastructure as Code (IaC) training and certification. This is the industry’s first multi-cloud networking and security Infrastructure as Code training, and it is delivered in a self-paced format.

ACE IaC brings together the concepts of DevOps by automating a multi-cloud network infrastructure through 3 hands-on labs. The self-paced training guides students towards building complex networks with the Aviatrix Multi-Cloud Networking and Security platform by using the principles of DevOps and Infrastructure as Code.

Students can expect to enter the training with no coding background and complete the training with a solid understanding of how to use IaC tools (GitHub and Terraform Cloud) to build, enhance, and secure multi-cloud networks at scale in an automated fashion. They will learn how to collaborate with other stakeholders in their organization by building CI/CD pipelines to apply a very common use case in the cloud – Egress Security.

Best of all, the lab guides are free.

Check out the FAQ for more details.

Introducing ACE Cloud Operations

Recently Aviatrix developed a new course in the Aviatrix Certified Engineer (ACE) program. Aviatrix Certified Engineer – Multi-Cloud Network Operations (or ACE Cloud Ops for short) is catered towards cloud operations practitioners who need to successfully run, operate, and manage business-critical Day-2 workloads in the cloud.

The ACE program recently announced its 10,000th certified engineer. That’s a phenomenal achievement considering our stretch goal for the year 2020 was only 500. It’s amazing how COVID-19 has resulted in expanding our reach to hundreds of students per week.

ACE Cloud Ops takes a unique view on operating cloud infrastructure, which is necessarily different from operating on-prem infrastructure.

Operations in the On-Prem World

In the On-prem world, enterprises own the underlay. They have full control over traffic patterns and have a familiar toolkit regardless of what vendor they use on-prem.

Of course some tools, such as SNMP, died away, but ICMP-based tools such as Ping and Traceroute are still going strong 40 years after RFC 792. IP doesn’t go away when you move to the cloud and neither should the network engineering toolkit.

Key skills for Infrastructure Operations engineers include:

  • Hardware (knowledge of cables, transceivers, switches, routers, racks, real estate, physical security, power, cooling)
  • Layer 2 (Spanning Tree is the worst use of an Operations Engineer’s time)
  • OSPF, BGP
  • Repeatability achieved by scripting tools such as Expect (which is really screen-scraping), Shell, Perl, Python (still invaluable). This is not true automation.

Capacity planning in the on-prem world often involves ordering the right number of spares to plan for outages, so that there is some form of high availability, although it does result in higher RPOs and RTOs.

We all know the financial benefits (when done well) of moving apps to the cloud. But while it offers great agility for Developers (you can spin up a database within minutes), networking has been slow to catch up. Moreover, as we see a rapid shift towards multi-cloud, Operations teams are left on their own without guidance.

Operations in the Cloud World

Operations engineers have a harder time doing their job because of the lack of toolsets afforded to them by Cloud Service Providers (CSPs). Each CSP has proprietary tools that are intended to keep their customers locked into their cloud. Moreover, networking is not a source of revenue for CSPs. They don’t make networking easy and their networking tools are, simply put, not enterprise-ready.

For example, consider what it takes just to view a route table in Azure. An intuitive approach would be to list the routes from the VNet or at least have a direct link to it. However, you would be mistaken into thinking that way.

Instead, buried in a list of connected devices in that VNet, you have to select the appropriate NIC, which may have an obscure ID.

Next, you have to select an even more obscure term called ‘Effective Routes’.

Only then can you see the routes.

It is a very clunky approach to a routine task in the On-prem world. Of course the problem grows exponentially when having to deal with the oddities of each cloud when the enterprise goes multi-cloud. Each CSP abandons the networking toolkit and offers their platform as a blackbox to Operations teams.

When moving to the cloud, an Operations Engineer must have these new skills at a minimum:

  • Agile mindset
  • Infrastructure as Code (read Terraform)
  • CI/CD
  • VCS

Capacity planning takes place with cloud-native principles, such as elasticity and auto-scaling. It requires a new way of thinking, not just for Developers, but also for Operations teams.

ACE Cloud Ops

The ACE Cloud Ops course better equips Cloud Operations teams to run a multi-cloud network in their daily jobs. It builds on the immensely popular ACE program with some of the most common use cases we see our customers face when operating in any cloud:

  • How to Ensure Business Continuity with an Enterprise-class Transit Solution
  • How to Strengthen Compliance and Audit Initiatives by providing Monitoring and Troubleshooting for Cloud Security Appliances
  • How to Efficiently Connect Remote Sites to Cloud
  • How to Improve your Cloud Egress Security posture
  • Best Practices for Platform Operations Management
  • DevOps for Network Engineers

There are also hands-on labs focused on break-fix scenarios that are based on this topology:

The source code of the Terraform that built this topology is here.

ACE Associate is a prerequisite for ACE Cloud Ops.

Submit interest for taking ACE Cloud Ops here.

Building a Multi-Cloud Network for less than $1 an Hour – Aviatrix Kickstart

This is the post I had been meaning to write for ages. How do you leverage Infrastructure as Code to build a multi-cloud network? It turns out you don’t have to write the code yourself. This is the beauty of Aviatrix Kickstart.

For less than $1 an hour, I was able to build a multi-cloud transit network with 2 spoke VPCs in AWS, 2 spoke VNets in Azure, a transit VPC in AWS, a transit VNet in Azure, and a peered connection between the two. Oh, and also 2 EC2 test instances in AWS for various tests. All within an hour.

The quickest way to build this would have been to script it in Terraform. But with Kickstart, a containerized environment handles this for you. So you don’t need to have Terraform skills or write any code.

Kickstart is a Docker image that you can download from here. All you need to run it are:

  • Docker. You can do this either by installing Docker Desktop on your client PC (Windows or Mac) or running it on an AWS EC2 instance built from the Amazon Linux 2 AMI.
  • An AWS account and optionally an Azure account. I built the entire environment in AWS and Azure Free Tier accounts.

Once you run docker run -it aviatrix/kickstart bash, the script walks you through the process and allows you to configure the region, names of the resources, and CIDRs of the Aviatrix Controller as well as the Multi-Cloud Network Architecture (MCNA) Transits. It then leverages Terraform to perform several Day-Zero activities. Aviatrix Kickstart makes it so easy that I was able to build the following architecture in less than an hour without writing a line of code.

Check out these resources for more details:

  • Guide to building the environment
  • 10-minute video of demo
  • Test cases to try out once you’ve built the environment