Sunday, February 13, 2022

Why would a Senior Network Architect decide to leave his comfort zone in the Customer World to join a Vendor?


Following years in a comfortable position in the financial industry, I decided to leave and join a Silicon Valley technology innovator to focus on building a new career in Secure Cloud Networking... Did I lose my mind??

I will tell you my (professional) story but, more important than the character, I want to share all of the reasoning behind my decision.

Enjoy some music while reading.. Your ears will also travel into the Clouds...


From On Prem Networks to (multi)Cloud Network(s): my digital transformation

2 decades ago... I was a young professional with 2 years of experience in Networks. At that time I configured IPX, CAT5k, SUP-1a or SUP2/MSFC2, C3920 (yes, a Token Ring switch with a multiple-choice menu) and migrated my first networks from ATM/LANE to Ethernet.. At 24 (in 2002), I comfortably passed the CCIE on the first attempt, having worked like crazy for an entire year. I felt on top of the world having achieved something difficult...

When I look back, I see myself as a naïve and young network engineer. This was only the starting point of my career.. Yes, the CCIE gave me the (good) foundations and authority to work, as a contractor, for demanding customers on their enterprise networks.

Rather soon after, I had the opportunity to work for SWIFT (Society for Worldwide Interbank Financial Telecommunication), the global provider of secure financial messaging services. For those who still don't know SWIFT despite the geopolitical activity, check this out:



For 15 years, I did lots of Network Architectures & Designs there in the "on-prem" world, mainly relying on Cisco products. Cisco is a very good hardware company in the networking and switching area: no doubt!.. This was comfortable, too comfortable.. Repetitive even... For so long, no revolutionary product.. Having to design Cisco Instant Access Switches (you don't know them? This is normal, we were the only customer in Europe!) or ACI solutions (yes, it hurts) 😑, I lost focus and passion..

Luckily, in 2020, I started my Cloud journey as SWIFT launched new cloud-based business initiatives.. Wow, the Cloud, AWS precisely.. How easy is that? How could I spin up a VM so easily with no racking, cabling or software patching? For a system-agnostic person like me, that was so good!! I started to learn about Cloud Networking, enhanced my knowledge in that domain, and yes, I could also become a DevOps Cloud Engineer and learn the concepts of Terraform and CI/CD for better provisioning & automation of Cloud network resources!

Confessions of a Cloud Network Engineer on a single Cloud Service Provider


In the Cloud, you can easily & quickly (non-exhaustive list):
- Spin up VMs of any kind
- Launch Load Balancers of any flavour (performance vs application requirements)
- Secure the communication between 2 workloads
- Connect your public cloud securely (IPSEC) to your Data Centers over private lines or the Internet

This is so powerful, but imagine when you have to deploy a fully secured hybrid infrastructure for the first time. How do you troubleshoot and pinpoint where there is a misconfiguration??

It took me dayS to troubleshoot:
- NACLs everywhere
- Security Groups everywhere, and cross-account with OUs / Landing Zones
- Multiple TGW Route Tables, attachments, associations & propagations
- Same thing on prem (FW and routing)


Personally, I like AWS Transit Gateway Network Manager with its 'Route Analyzer' utility. It traces a flow all the way through the TGW constructs: the TGW itself but also TGW attachments and TGW Route Tables / TGW Routes, and tells you where something is missing @network level. But what about the flow before and after crossing through the TGW(s)? VPC Flow Logs? Do you like it? 2 different tools to see an E2E flow?


Lack of Visibility & Control is then the first CSP limitation I faced.. Did anyone think about us, Cloud Network engineers? Is the Cloud Network layer important enough for the Cloud Service Providers? Then Aviatrix crossed my road.. The more I learned, the more I wanted to be part of this company.. I applied for a product, not for a job...

AVIATRIX concept

Aviatrix is the pioneer & leader in Secure Cloud Networking. It partners with all the biggest Cloud Service Providers: AWS, Azure, GCP, OCI and AliCloud. But, most of all, it does what Cloud Native can't achieve!

Aviatrix layered model


The approach has 3 main layers:
1. Applications layer, where workloads (VPC/VNET/VCN) are configured
2. Core layer or Transit layer, where
    - workloads are aggregated to Aviatrix Transit Gateways
    - Aviatrix Transit Gateways from different CSPs peer together to form a multi-cloud secured network architecture
3. Access layer, to connect public Clouds to on-prem networks

On top of these 3 layers, the Operations layer is a transversal layer allowing:
- The provisioning & automation of the cloud infrastructure (Web UI via the Aviatrix Controller, Aviatrix Terraform provider for Infrastructure as Code)
- Visibility & Control with Aviatrix CoPilot for any kind of Cloud network troubleshooting

AVIATRIX and its 4 pillars

The intent here is not to describe the Aviatrix platform in detail but just to give you some examples of why Aviatrix is a fantastic addition to the CSPs listed above..

Tell me another company today providing a complete solution to the following: 

1. Single & MultiCloud connectivity
2. Cloud Network Security
3. DAY1 Operations - Provisioning & Automation
4. DAY2 Operations - Visibility & Control

1. Some Cloud Connectivity use cases

a. Connecting your 2 public clouds: obviously, CSPs do not want to leverage a MultiCloud solution as this is against their interest. As seen above, Aviatrix enables the capability of connecting CSPs together in a secure and resilient manner

b. Connectivity performance: when you enable IPSEC between your public Cloud and your Data Center, the throughput is limited to 1.25 Gbps. Aviatrix with its "Insane Mode" enables HPE (High Performance Encryption), which means IPSEC encryption @nearly line rate (up to 9.6 Gbps vs 1.25 Gbps)

c. Intra/Inter-Region connectivity in a Single Cloud: does any CSP have a complete and dynamically resilient solution for inter- & intra-Region workload communications? Aviatrix has it, with its Active Mesh concept


What is this? It provides network resiliency, improved convergence time and high performance:
- Both Aviatrix Gateways forward traffic simultaneously, leveraging ECMP
- Everything is dynamic, as the Aviatrix Controller reprograms the Aviatrix Gateways' Route Tables in the case of a failure

d. IP Overlapping: if a company has made some acquisitions or is a SaaS provider, it might face an IP Overlapping challenge between on-prem and Cloud networks.
The concept with Aviatrix is fairly simple: network mapping for Source and Destination.. When the real Source and Destination Networks overlap, you replace both with a Virtual Network.


e. IPSEC encryption over AWS DX private lines
- Cisco vCSR is a solution to connect your Cloud to on prem over IPSEC / DX lines, but do you like Cisco vCSR? I don't, because it is either very expensive (hourly billed) or very complicated to put in place (BYOL and Cisco Smart Licensing)
- AWS native solution? Not really!
    - if you have a Private VIF, you can forget S2S VPN natively with TGW
    - if you have a Transit VIF, then you can do it, but
        - only with a Direct Connect location (not a hosted VIF)
        - limitations with Transit VIFs
        - it is in Preview only, not GA

2. Security use cases


a. Network Segmentation: mostly with CSPs and AWS, you can do it.. But @what cost?
    - AWS Network FW: OK, but this is costly and complicated to deploy, as you have to redirect your traffic into an 'inspection VPC with FW'
    - TGW Route Tables / Cloud WAN: sure, but TGW RTs are not designed primarily to segregate traffic (by default, the limit is 20 RTs, and that says it all). Cloud WAN relies heavily on TGW constructs and faces about the same limitations.. Adding to this, it is in Preview release only, meaning not a mature product..
    - Aviatrix provides a solution with 'labelling' (Security Domains & Connection Policies) in 4 clicks, without interfering with routing and route tables, no matter if the segments are in the Cloud or outside of the Cloud..

1. Enable Transit for segmentation
2. Create Security Domains
3. Create Connection policies
4. Associate Spokes to Security Domains

For reference: Aviatrix Security Domains = 200 vs Cloud WAN Segments (by default) = 20


Copilot view with different security domains and how they can communicate with Connection policies


b. FQDN filtering: when your workloads need security patching from the Internet, would you bother having additional IPSEC links to a 3rd party (Zscaler, Netskope)? If an embedded solution exists...

For reference: most 3rd parties: FQDN filtering on HTTP(S) vs Aviatrix FQDN filtering: all TCP / UDP based protocols

c. Next Generation FW insertion


Of course 3rd party NGFWs are as mature as the Aviatrix solution, but for ease of use, it is another story.. Who can tell me it was a seamless FW insertion? With Aviatrix and a single provisioning method (either the AVX TF provider or the Aviatrix Controller), you can insert a virtual NGFW like Fortinet or Palo Alto.. And even better, most route types are directly configured by the Controller, again without manual intervention...

For reference: same process no matter the CSP + Transit-to-FW performance up to 75 Gbps + Active Mesh benefits

3. DAY1 Operations - Provisioning & Automation


Let's focus on Terraform: Terraform is a provider-agnostic tool for provisioning Cloud resources.
- it is idempotent, meaning you can run the same TF code relentlessly and you will get the same result. It is not prone to human errors.
- Version Control can be used to track configuration changes with CI/CD (Continuous Integration, Continuous Deployment)

With Aviatrix as an official Terraform Provider, you can configure your Cloud Network exactly the same way (same code) for the 5 CSPs..

Many public Aviatrix modules already exist to deploy your Cloud Network in minutes.. Don't bother with 2+ ways of configuring a VPC...
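To make the "same code for every CSP" point concrete, here is the 4-step segmentation procedure from the Security section written against the Aviatrix Terraform provider. This is an added example, not code from the original post or from Aviatrix; the resource types are those of the AviatrixSystems/aviatrix provider, while the gateway, account, VPC and spoke names are constructed placeholders.

```hcl
terraform {
  required_providers {
    aviatrix = { source = "AviatrixSystems/aviatrix" }
  }
}

# Step 1: a transit gateway with segmentation enabled.
# Account, names and the VPC id are constructed placeholders.
resource "aviatrix_transit_gateway" "aws_transit" {
  cloud_type          = 1                        # 1 = AWS in the provider's cloud_type encoding
  account_name        = "aws-access-account"     # Aviatrix access account (placeholder)
  gw_name             = "aws-transit-eu"
  vpc_id              = "vpc-0123456789abcdef0"  # placeholder transit VPC
  vpc_reg             = "eu-west-1"
  gw_size             = "c5.xlarge"
  subnet              = "10.1.0.0/24"
  enable_segmentation = true
}

# Step 2: security domains (the "labels"); prod and dev must never talk directly.
resource "aviatrix_segmentation_security_domain" "prod"   { domain_name = "prod" }
resource "aviatrix_segmentation_security_domain" "dev"    { domain_name = "dev" }
resource "aviatrix_segmentation_security_domain" "shared" { domain_name = "shared-services" }

# Step 3: connection policies. Only the pairs declared here may communicate;
# with no prod<->dev policy, those two domains stay isolated from each other.
resource "aviatrix_segmentation_security_domain_connection_policy" "prod_shared" {
  domain_name_1 = aviatrix_segmentation_security_domain.prod.domain_name
  domain_name_2 = aviatrix_segmentation_security_domain.shared.domain_name
}

resource "aviatrix_segmentation_security_domain_connection_policy" "dev_shared" {
  domain_name_1 = aviatrix_segmentation_security_domain.dev.domain_name
  domain_name_2 = aviatrix_segmentation_security_domain.shared.domain_name
}

# Step 4: associate each spoke (by its attachment name) with a domain.
# The spoke gateways are assumed to already exist and be attached to aws_transit.
resource "aviatrix_segmentation_security_domain_association" "prod_spoke" {
  transit_gateway_name = aviatrix_transit_gateway.aws_transit.gw_name
  security_domain_name = aviatrix_segmentation_security_domain.prod.domain_name
  attachment_name      = "aws-spoke-prod"   # placeholder spoke gateway name
}

resource "aviatrix_segmentation_security_domain_association" "dev_spoke" {
  transit_gateway_name = aviatrix_transit_gateway.aws_transit.gw_name
  security_domain_name = aviatrix_segmentation_security_domain.dev.domain_name
  attachment_name      = "aws-spoke-dev"    # placeholder spoke gateway name
}
```

Because nothing here touches route tables, the same file with a different cloud_type and region describes the identical policy on another CSP, and the absence of a prod/dev policy is what keeps those spokes apart.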



4. DAY2 Operations - Visibility & Control


Here we go - back to Square 1: the first capability that made me look into Aviatrix... A complete set of troubleshooting tools, unmatched to date in the Cloud...

- ping, traceroute & packet capture capabilities

- tracing E2E flows with FlightPath


- Other capabilities


Bridge the (skills) gap

What is better than certifications to really dig deep? With ACE Associate, you will feel like Aviatrix is a cool product... With ACE PRO, you will understand the magnitude and the potency of the Aviatrix platform..




With Aviatrix, you have a clear certification path:
- ACE Associate (foundation level; exam)
- ACE PRO (intermediate level, with a mix of theory and labs about Aviatrix solutions; exam)
- ACE IaC (intermediate level around Terraform Cloud / Git / CI/CD concepts; self-paced labs)
- ACE Operations: DAY1 (automation & provisioning) & DAY2 (Visibility & Control; instructor-led labs)
- ACE-DE (Design Expert; expert level; you have to present in front of a panel an existing multiCloud Network Architecture AND an improvised architecture)

What is the first month as an AVIATRIX employee like?


Let's be clear and straightforward: being an AVIATRIX employee is NOT a walk in the park. It is dense and intense.. You accomplish so many things in a limited period of time. But if you are passionate about Secure Cloud Networking and want to make history like Cisco 30 years ago, I would say it is worth it!

In 1 month -- what did I do?

- 20 labs on the Aviatrix platform with 2 CSPs (AWS & Azure)
- ACE PRO Certification
- OCI Foundations Associate certification
- Sales Kick Off (SKO) in Madrid
- Starting to be active in Architecture Reviews for REAL prospects / customers
- Going on a 1-week holiday and twisting my knee @ski (that is why I have some time to write this)


More to come soon - Stay tuned!

- Why AVIATRIX is a perfect fit for financial institutions
- Cisco Cloud ACI vs Aviatrix

Make any suggestions for future topics in the comments.

PS: Don't take the BLOG name seriously, I did not have any inspiration 😐


Maxime

