good afternoon wherever you're located um my name is Ron Reed I am a Solutions engineer leader here at aviatrix I've been here for about two years and looking forward to talking to you guys about how to build a secure Cloud networking architecture I'll let Luke introduce himself everyone thank you for joining uh Luke bunkelman I've been at aviatrics almost four years now and uh thank you for the time and uh look forward to this conversation yeah we're going to give it one more minute just to let make sure everybody's uh who wants to log in is logging in and if there's some people trying to log in it's taking them a few uh we'll give another minute so just stand by for a minute we'll start and I'll let everybody know too in the meantime if you have a question just feel free to post it down there and let us know what your questions are and we'll try to answer them either live or in the chat box by responding to them all right Luke you ready foreign all right everybody thank you and uh we're gonna kick it off and start so look forward to the interactions that we're gonna have with everybody um so let's get into how to build a secure Cloud networking architecture with aviatrix so real quick if you want to uh look and see who we're working with today as far as customers this is a NASCAR splash page of all our logos of brands that have used and chosen aviatrix to solve problems are overcome challenges and to build a a cloud Network architecture that is secure and repeatable across their different clouds that they're in today um next slide and if you want to look here for business critical applications and you want to see where in the stack does aviatrics fall into that you can see here at the very bottom down there you have the csps and their architectures then on top of that you have workload and performance management software by datadog you have data and analytics software by snowflake automation software by hashicorp and of course at the layer where there's 
networking and security software is aviatrics in there and so what we do is build on top of the Native constructs and repeat that architecture across those different clouds so what is aviatrix if you look at today in each of these clouds they're essentially ships in the night um you know they operate independently of each other and they have different constructs that make them up whether it's a tgw a VLAN or a drg across these different clouds those clouds all have different visibility different security different architectures essentially that you're setting up in the cloud um AWS has is set up and that's one architecture Azure is set up and configured and that's another architecture so essentially you're managing several different architectures in the cloud and you're having different routing and networking configurations in each of those clouds and security policies and there's no consistency across the clouds let alone visibility across the clouds and some very little if any visibility within each of these clouds given to you by the native CSP constructs so what we aim to do at aviatrix is present to you a secure Cloud networking architecture built with a common architecture across them and so each of our components that you deploy inside the cloud will take over and lay on top of the Native constructs and then connect those and provide you the capabilities to have a consistent multi-cloud Network a consistent visibility control consistent embedded security consistent multi-cloud on Automation and also your consistency and routing and visibility can even be pushed down into your data center equinix facilities your Edge facility facilities across there and so what's the value of that so no longer are you having to manage these different clouds and these different environments with your different accounts across them you can essentially go to one Central visibility tool one Central orchestration Tool and manage these clouds push a security policy so think about 
how you would do that today if you wanted to deploy a new VPC and you wanted to do that in AWS West and you wanted to a policy pushed out to there you'd have to go and configure that manually or use Hashi core terraform to do that and then you'd have to repeat that same process in the constructs in which Azure has it correct and then without having something like AVH it's there it's not a repeatable design it's not consistent and it's very different in each of these different clouds Luke do you have anything you want to fill in there no no this is uh you're exactly right I mean I think that the main thing here is there's a learning curve for each cloud and uh it's always the network team and security team that's the last to know right everyone you know we're always stuck with the ball at the 11th hour and there's a deadline where the apps are driving this and and the apps and the lines of business you know make these decisions we're no longer in a world where you know you could pick your own switches and routers you had to uh in this case you're stuck with these different clouds and and managing them as well as architecting them and um that's really a challenge that we uh that that we help overcome and accelerate that consumption of these new clouds uh and these and and and lower you know the learning curve needed to to manage them operate them and again have that consistency right yeah yeah I think you're right on point I think you know with aviatrix we want to remove that complexity of having to go learn each cloud and just you learn aviatrix and you deploy it and you don't have to learn a new Cloud whenever you do mergers and Acquisitions or whenever the app team comes to you and says hey we want to move into Azure even though we're all AWS today because this app will work better in azure and so that that consistent capability across all the clouds is really valuable for customers right all right so let's let's think about how we're going to build that 
consistency across the networking Automation and Security in our Cloud environments that we have today whether you're one cloud or multi-cloud it doesn't matter the complexity in one cloud is the same because you're going to have multiple regions if you have all the AWS or the complexity can be there and the limitations of some of the Native constructs competitors too so with avatrix we want to move those native limitations uh whether it be one cloud of multi-clouds and we want to give you the capability to extend and operate more efficiently in an Enterprise level within each of these clouds so how we do that is we have what's called avh's controller and that is essentially if you deploy inside AWS or Azure doesn't matter it's a server with our software on top of it and that will be your central orchestration point that you will manage your clouds from and what you get from there is automation operation of control and to point out here this is not a SAS our managed Services when you deploy this from the marketplace it is your software sitting on top of the Native constructs and so you run and operate we have no visibility or anything into that software so if you own operate and manage this entire architecture in the cloud then the what the controller does and that's really nice it's something we call multilingual use that term a lot around here but it can do API calls to the native platform so we're going to update Route tables ACLS and things like that for you so you just go to the controller and say for my production environment I want to update the security policy to not allow Port 443 it'll go out and configure all your prod environments whether regardless of what cloud it's in or if it's an equinix Data Center and it will configure that for you and prevent Port 443 from Talking anywhere that that workloads in so um how is this done we also have what's called aviatrics gateways sorry gateways are just server instances ec2 instances inside the cloud that sit 
within the vpcs this is your data plane this is where all the traffic is going to go on when it leaves the VPC and it traverses whether it's going out of a VPC to another VPC or it's going out of VPC to the internet or it's transiting to on-prem or to an echo next facility are even to a native CSP service in the cloud all that traffic is going to go through that data plane and the reason that that's important is you're going to be able to have complete control of the data plane and you'll have all the rich netflow traffic the operation of visibility the analysis and the topology mapping that will be fed into what we call Aviation co-pilot which is a ec2 instance in the cloud as well um what you can also do with API calls is you can do service chaining so if you have a firewall that you need deployed in the cloud you want to make sure that traffic and that layer of security is there or if you want to do um SSL encryption on our decryption in the cloud with F5 you can definitely service chain that and do an API calls and and deploy those things so think about how you deploy uh Palo Alto or checkpoint in the cloud today it's very hard to do programmatically with avatrix controller you simply go to the controller you say on the transit inside of AWS and US west region one I need a Palo Alto so the aviation controller will do an API calls it'll deploy the Palo alto's for you it'll do all the plumbing all the routing and switching will be done to make sure the packets get to the Palo Alto and out of the Palo Alto where it needs to go you don't have to worry about any of those things and manage this and configure those independently outside of the software that's deployed in there um do you want to add anything here uh Luke no I think I think you pretty much covered it uh yeah okay cool I'm going a little fast because I know we got a limited time so I want to make sure we get through there um I want to note to you up there if you saw those two things pop up we can also 
integrate with servicenow and everything that you see on our platform we're going to talk about today can all be done programmatically through terraform we are a terraform provider so you can go to Terror you can go to hashicorp and look at our terraform provider information and see everything that's in there so let's go and build this out real quick and show you what that looks like if you if you think about how you deploy your Cloud Network you choose a cloud you went to a region and you deployed that vnet and you need connectivity right and so and failover in disaster recovery so you deploy those constructs you deploy another region you instantiate another vnet and then you build this out and you have more v-nets and you continue to build this out multi-clouds and this is essentially where people are today with their Network architectures right some people have multi-clouds for requirements around apps some people do mergers and Acquisitions and uh so depending on where you are in your Cloud Journey you either have one Cloud multiple regions or one Cloud multiple regions and uh multiple clouds and across there okay so what we want to do with avatrix is we want to deploy the controller and then what we do is we deploy what's called a hub and Sport architecture from inside the cloud from on-prem into the cloud we want to provide connectivity in there so you're going to have everything that we deployed today even though it doesn't necessarily show it is deployed with high availability active active gateways inside those vpcs and everything is deployed via ipsec tunnel so day one encryption end-to-end encrypted tunnels are built across there to provide that layer of secure Cloud networking then the next thing is you'll see as far as Enterprise operational visibility is the co-pilot all that traffic will be fed through there and then you can start deploying and rinse and repeat this architecture across the different regions and also across the different clouds so 
very easy to maintain and operate very repeatable across the clouds regardless of what cloud you're in you can even do this inside of Alibaba although it's not shown on here it's the same Concepts and we can do API calls and deploy this and set this up for you and even connect to on-prem now one thing I'll point out here if you see number five you saw some of these white lines colored in as far as orange goes we can also do what's called high performance encryption so we do full line rate encryption from VPC to VPC across transits and even to on-prem so if you have a 10 gig connection to on-prem or to an equinox facility we can do high performance encryption and do that full line rate encrypted tunnels down to on-prem and do full 10 gig connections there's a pan that aviatrix has on that and we can talk about that more in depth if you guys have a follow-up and what that looks like but um essentially you can choose between standard encryption or high performance encryption depending on the links that you want the next thing think about Network segmentation so this is where the repeatable architecture comes in handy and the secure consistent policies that are enforced across there as far as Network segmentation right so if you had a production environment in Azure and you had a security policy and you wanted to segment that out think about how you would do that with Native constructs today very challenging with aviatrix you simply just label a VPC and you say this VPC is prod and this security policy will follow it regardless of what region it's in or what cloud it's in and then that segmentation policy is pushed out no matter where that workload is and then you can service chain that what the Palo alto's are the checkpoints are a firewall of your choice and then you can also provide secure Cloud access into the cloud from users coming into the cloud from remote Branch offices other houses and we can also do secure Ingress and aggressive traffic coming out of there 
and give you complete invisibility of all your traffic coming across there into co-pilot and lastly I'll point out here that we also provide services to Cloud native constructs that you have so if you have autonomous database and you want traffic to go to an autonomous database in Oracle you can have your traffic from AWS gcp flow through the transit connectivity that you do here over to the autonomous database inside of oci I'll stop there real quick look do you have anything you want to throw in before I hand the ball over to you um yeah I mean I think a couple of things one you know obviously what what we're showing here is if our Gateway is everywhere right and the most important thing is is most of our customers that we talk to have reached a pain Point by doing something either native or using some of the on-prem vendors and trying to fit those in the cloud the main thing is is architecturally you know we have a large number of features and functions and and sort of places where we fit in uh really one of the the main point I'm trying to make here is is we start small we don't to get value and to actually you know kind to value is can be very small and usually start with two two sort of patterns right one is either at the edge and kind of working our way into your existing architecture or start with a backbone to interconnect regions together interconnect clouds together really starting in one place and then incrementally adding value there and then growing into your into your environment right the main thing here is is to actually see value and the time to Value doesn't require us to be everywhere right away um that could you know talking to some you know customers they have hundreds or even thousands of vpcs and v-nets the most important thing is we can start small and incrementally add value and and and work with you on on reaching your goals as well of of getting that visibility that repeatability and in that similar architecture across a single region or 
single cloud or multiple clouds yeah and I'll say something based on the question that I saw someone asked about um you know do you deploy a controller for each of these clouds No so if I deployed my One controller inside my AWS environment that one controller will now be able to deploy and do API calls to gcp Azure oci and all my AWS environments so I only need one controller to manage and centrally orchestrate my whole environment across here and that that's the value of having that Central orchestration of aviatrix in there and from that you'll also be able to go into one Aviator scopilot and see all the traffic flows and have visibility of your architecture uh if you deployed an AWS or Oracle doesn't matter where you deploy it to us you're going to be able to see everything on your network architecture all right yeah so I think sort of the next part of this right is I want you know there's a lot of features and functions right we've been a six-year-old company uh We've we've had a lot of uh development of features that have you know foreign exceeded the the native CSP um constructs um what I what I really want to focus on next is just our secure egress so you see number nine uh you see what number Nine's doing number nine is basically your egressing either centrally or in those spokes to the internet I wanted to um just go into that specific use case and kind of dive into that each one of these 10 you know functions or features has a backstory behind it has use cases when we can you know at a later time dig into if you're interested in specific use cases that are of interest to you right um but given uh some of the hype and interest around egress and our distributed Cloud firewall I wanted to focus on number nine in the next sort of segment of this the of this talk so with that let's uh kick it over to distributed Cloud firewall so it's all about regaining control of your perimeter right and improving your security posture as well as saving money right and and 
really what what the cloud has brought is the fact that you know the adoption of cloud is very has been very quick because things are very easy it's very easy to deploy a VM it's very easy to click a button and and put it on the public internet to download the software it needs to to to manage it to do that but what has ended up happening is in the cloud there effectively is no longer a perimeter right if you remember data center constructs you have your moat you have your you know dmz's you have you know layers of security for both Ingress and for egress and those were very clearly defined on-prem right um but what has happened is you know and I kind of go through these slides here is there's been you know this idea of lifting and shifting what you have on-prem so what what have people done as a design pattern is they've taken their firewalls because they the idea is okay I have my perimeter in the on-prem I have a firewall between me and the outside which is the bat bad bad people live right and I want to now lift and put this into the cloud and essentially take some a virtual instance of what you have already and put it in the cloud and there's nothing wrong with that right there's people have been we've been doing this for six seven years one of our main primary use cases is our fire net use case and that is essentially deploying as as Ron mentioned deploying and managing the networking aspects of a firewall right we can either do that um with directly to the firewall itself or we can do Integrations with the management systems of those firewalls Panorama for example so uh what has ended up happening is when you architect now in the cloud the intent is to have that firewall as your perimeter right as your Edge so you can see here excuse me um getting out to the internet you go through a firewall on this on the top left here if you want to egress out to the internet you have a firewall there what ends up happening though in reality is that it's very very easy to 
then to to actually get out to the internet you know you having those controls and excuse me the ability to steer traffic and to make sure all of your traffic into and out of the internet goes through the spiral it's very hard to manage that um there's the you know lack of controls with regards to security policy with rights and credentials typically vpcs are tied to a separate in a separate organization that has different controls and and um and abilities to get out to the Internet so it's very hard to actually control that perimeter and be able to Define that right so you know this is an example of a very large income yeah real quick I was just going to throw something in there you know also the the workloads we were used to on-prem are all Central right and this is where we get into the cloud and uh quickly people realize that the workloads in the cloud are distributed right and our security policy is not distributed it becomes a very challenging to manage that so think about that you know it's either distributed in different regions in a cloud or it's attributed in different clouds if you have different clouds too so that that workload distribution becomes very challenging to manage in a security policy across there so we gotta we gotta so the solution is something that's better than a central uh firewall right exactly yeah yeah and you know an example of well it's this perception thing too right the perimeter is again not very defined well in the cloud and just because you're allowed to go out to the internet you know uh you you don't think that you necessarily need security to go out to the internet you only need to security to to determine what type of traffic comes in but if you look at you know log4j you look at Apache struts you look at these well-known um you know vulnerabilities that have been out there that have really burned a lot of people it's really um being able to go it's really going out and downloading a payload when to a seemingly enough you 
know assuming you didn't you trusted you know everything going out um it it's it's a different model uh that that really if you you know for example um log4j or Apache struts for example that that actually made call outs um to three 389 out to the Internet so if you it was very easy to prevent that in on in the data center because all you had to do is why am I doing ldap out to the internet it doesn't make any sense it just blocked that but in the cloud with things being distributed and access to the internet is everywhere and there is no perimeter it's very easy to go talk to Bad actors download payloads and then do you know lateral movements which which really can get you in trouble so the idea here is is what if essentially you can embed firewalling into the network right so instead of having firewalling being a point in time or a place how how about it's embedded into the network so that the network and the security the firewalling are the same and that's really the the essence of what we're talking about here is is that it's centrally managed the inspection and enforcement is done in a distributed Manner and the policies are defined in a central location right so again we have that controller hierarchy controller copilot hierarchy and then you have a distributed data plane and really the essence of this is these gateways these distributed firewalls now have an ability to do not only distributed firewalling IDs IPS Advanced Nat decryption you know uh layer 7 decryption URL filtering micro segmentation where it makes sense threat prevention right so the idea here is is that you have all these tools now in your toolbox in the data plane and you can then centrally Define a policy that then takes your intent and enforces it where it needs to make sense an example of of having something Central I I send something distributed is you can have very small instances that can burst up to two three five gig say you have a hundred vpcs that's 500 gig of firewalling right if 
you try to take 500 gig of firewalling and put it into a pair of centralized firewalls you're going to need to have a lot of firewalls very large instances and you have to steer traffic you know from these various locations where the applications live to a central location but what if you just had that right within the VPC or v-net leveraging both native constructs where it makes sense like micro segmentation and firewalling as well as IDs and IPS so that's essentially the essence of of this Central policy creation and distributed enforcement yeah one thing I'd say there Luke that I really thought that was really key that you said was the intent right and you know some customers think about when we talked about you know being able to have a consistent policy so whenever we set an IDs IPS r at threat prevention rule for production those rules and those consistent policy will be enforced wherever those workloads are so we're not talking about setting that policy for everything in the network everywhere production is located in the network and the system's intelligent enough to know that security policy would be enforced at that point in the network distribution across there so if production has an IDs IPS rule the and your development does not have it that enforcement will only happen at the production gateways and so you can pick and choose what which of these functions you want and where to enforce them at each layer or process you don't have to turn them all on and enforce everything yep exactly right so I think this is sort of just another way another way of articulating what Ron and I have been talking about is essentially where and how policies are enforced is abstracted and essentially it's pushed to these various layers and again I talked about this in in the beginning earlier when we talked about you know the the use cases we always start with a non-disruptive um you know you implementation of our solution right so in this case starting with a non you know a 
way of taking these gateways and putting them in your existing infrastructure say you have a tgw or a dwan or NCC you know inserting these gateways and then you know uh adding adding the the the features and functions you could also as a step two replace both the edges and your your your tgw your bun or your NCC and have a complete uh you know end-to-end aviatric solution as well but to start with you know just with just that uh just as an enforcement point you can just focus on egress right so typically a pattern of our deployment is egress you know security East West as phase two and then Ingress as phase three so that's kind of how we phase in uh distributed uh Cloud firewall solution so you know again breaking this down you have that distributed infection and policy enforcement uh with at every hop so again ever you know where that enforcement takes place is right at the edge where the traffic comes in these firewall rules are not if you create a policy and you create an intent again the firewall rules are not put in all the firewalls they're put in only the the controller and copilot are intelligent enough to know okay I see the traffic I'm in the network path I know where to put the firewall rule where it makes sense so again it's like a legacy routing systems right the very first routers you know always push um route tables to all the line cards right and then but then what did we run into we ran into limitations with tcam in these routers right uh then we got more intelligent and said well this interface and this route only has connectivity from here to here since this interface I know the destination because that's what it's connected to I only need to push the route table and therefore that that to certain line cards as opposed to all of them and you got to have more efficiencies with your tcam and therefore we're able to scale this is exactly the same concept with with our firewall rules uh and our ability to to do that enforcement hey Luke real quick if 
you uh go back to that I'll talk to uh a little bit about that and enforcement point right I think you know when you talked about enforcement right this is where we talked about what the cloud native does versus what we do in the value would be around proof point right they use proof points database we use proof Point database for True for intrusion detection correct and so whenever that intrusion detection say if someone's coming in with a bad known IP address um and they do a database lookup on a native uh you know construct the the native csps are just going to notify you saying hey there's an intrusion you need to do something about it so now the security team has to be deployed they have to go find out where that intrusion is and then they have to do active remediation and control that traffic whereas with avatrix being that layer of security there monitoring that traffic we will look up the database and we will see the intrusion section and then we actually take action on that and then notify you hey there was intrusion we took action and we blocked that intrusion from come in or maybe from your server going out and talking to that so that's kind of one of those key use cases there and that's you know from the central point when you set that control policy for all your egress inside of your architecture no matter where the workload is you have that layer of security and that Central visibility and control easily pushed out across your distributed workloads across there right yeah yeah definitely and then and then we can tie in the API or you know web hooks or or whatever tie into your sim or sore and give you that notification tie into servicenow to say Hey you know let's generate a ticket because we just you know mitigated uh an attack you know these types of things all this tied into your existing um you know uh Management Systems as well so this is kind of gonna giving you an example of our of egress right so say for example in AWS right obviously and with 
uh with with AWS you have a Nat Gateway and and really you know this is a cloud workload going out to the internet right it's on a private subnet it needs a net gateway then to take you out to the take you out uh to fetch a workload so this is an example too of like downloading something malicious right the NAT Gateway is not going to give you a security posture right and with once you know you download a payload this lateral movement um just essentially propagates the infection of the malware that was downloaded right so essentially very easily I mean one button replacing a net Gateway with Avio tricks and then from there it's really from there really it's blocked right so since you're going out and talking to a well-known malicious IP you can uh you then block that here rather than again the continual horizontal movement of these things what's also interesting too is you know you we with with our ability to have the Telemetry to see your traffic with our ability to tie in to um to well-known Bad actors as well as the IDS IPS components of our of the platform too looking at signatures you can also look at threats and do threat hunting and look at you know patterns of conversations who am I talking to who are these applications supposed to be talking to these applications so you can actually create your own sort of zero day threat hunting and be able to say Okay this may not be a well-known bad actor but they really shouldn't be talking to them I want to go investigate and then I can block or or steer it to another another destination to do further analysis so you have a lot of control built into this also to not only stop you know well-known bad IPS but also zero days and and and be capable of doing threat hunting as well very easily hey Luke can you talk about the reduced costs real quick um yeah so reduce costs in in regards to like the nag gateways you know um as far as chart yeah yeah no definitely so so yeah this is also you know can be a significant cost 
saver right so um Nat gateways you know they charge you for not only the usage but the data egress charges right um and and there's you know we can save you on average talking to our customers we can save you on average 25 on your egress charges right um and that really you know in this in this market uh can be very valuable right uh it could be a million dollars it could be you know uh more than that right we're talking to we've spoken to and are working with some some large um uh manufacturers that that it ends up being in you know five six million dollars that we're saving annually uh where you're replacing no security not only with the NAT service but then the security built in right so uh there was a question how much latency there's minimal latency you know less than a millisecond one or two milliseconds to insert this uh to insert the gateways and you're actually removing you know Nat Gateway which is what is it behind the scenes it's it's it's ec2 instances that is invisible to you so essentially net net you're not you're not even in CR you know the the additional latency is is very very minimal yeah I would say quite a few of our customers if you saw that list that we had earlier they have very latency sensitive applications and um they have you know they have not no impact to their uh Mission critical applications that are out there that has concerned them as far as deploying aviatrics and the value they get out of it so cool thing that's awesome hey Luke hey sorry my Elite Studio crashed on me so I was going through that no worries good uh you were finishing up on uh latency sensitive application oh that's all I was saying yeah that you know we we had some customers on that list that had some latency um sensitive applications and we discussed it you know and it's it's interesting I would just say this within you know people concerned like hey when you do ipsec you know you know once we explain high performance encryption stuff like that you know with the 
TGW in place, between two VPCs in a region, you're going to get like 40 gigs of throughput, and that's unencrypted. So with Aviatrix and encrypted traffic, we're going to get you 90 gigs of throughput across there. So we can actually increase throughput even with encrypted tunnels across there. I'll just throw that out there.

All right, so I think we wanted to spend the balance of this time talking about automation, right? We talked about building it, the components of it, what's repeatable, sort of the features and functions and how to build it; here is how to automate it, right? So automation is all about a repeatable architecture, right? It's all about these building blocks, being able to take these building blocks and actually repeat what you're building. We showed you visually those building blocks, but then how do you actually do this in an automated fashion, right? Let's kind of go through that here.

So really, when you look at the different drivers of this, you have the intelligent cloud, the secure cloud networking that handles configurations into native constructs as well as the dynamic behavior, right? When you look at our platform, obviously being multi-cloud and multi-account, now with Terraform, it's all about abstraction, right? It's about taking these modules, these building blocks that you see visually, and actually creating this hierarchy rather than this flatness that is not only in your architecture, in this network architecture, but also in your automation, right? How do you create this hierarchy where each module can contain its own resources and possibly have its child modules under it, right? So then you can create this deep sort of tree of resource configurations
to build these environments, right? So it's all about reusing these modules and reusing this code across, and I'll go through a couple of examples to show you. Like when Ron and I were talking about earlier, with native you have to learn the native; so you not only have to learn the native in click-ops, but you have to learn the native in the automation, and part of our value again is that reusable code across the clouds to abstract this, and I'll show you what that looks like as well. We're also going to include the links to our Terraform provider. Obviously high maturity: if you look at the number of downloads and you look at how those are consumed, you can see that it's there. But again, going back to resources, right, and multiplying these resources across and then taking that and building it into modules, right? So the idea here is again you're creating a hierarchy rather than a flat structure. So with this you're able to reuse these modules and only change the variables within them, and not have to go and copy and paste and repeat and just make a huge code path, right? So what you'll see here is, with these modules, things are a lot more collapsed, and with that you're able to take these multiple building blocks and assemble them together into a system. So instead of embedding the dependencies on these, you're actually creating and managing your own copy, and then you build the hierarchy that way, right? So if you want to create a transit, you have one module for this; if you want to create a spoke, you have another module for that; but you build a transit and then multiple spokes, and you can reuse these. So we have about a total of 30 modules. It makes them super easy to consume; you don't have to write them yourself, you're basically taking these Lego pieces and putting them together. So here's
an example of AWS. If you look at that transit module, what you're building to the right: literally these five lines of code build what's to the right here. Basically you pick the cloud, you pick the region, you pick the CIDR, the account, and then if you want to enable segmentation (there's a bunch of other options; enable segmentation is an example of an option), but essentially it builds what you have to the right. And if you compare that with Azure, what did you see different? The only thing different is cloud is equal to Azure rather than AWS, and it builds the exact same service in the constructs within what Azure has and uses, right? So you talk about subnets, availability zones, these types of things. And then here we have controller and CoPilot deployments; you have ways of deploying even the controller and CoPilot across these clouds, right? So it's all off-the-shelf modules, and then other modules are available as well, including those 30; here are some other common ones that are available, with hyperlinks to them.

Yeah, real quick, Luke, one of the questions we always get, you know, you're familiar: can this integrate with my IaC, can it integrate with my CI/CD pipeline?

Yeah, no, that's a very common question, and usually what we see as a pattern with our customers is the sort of delineation of tying the VPC into the application and then tying that spoke, the spoke module, into that VPC or VNet as well. So that MC Spoke module can be tied into your existing CI/CD pipeline, and then it's a matter of taking that spoke and attaching it to the transit, and that's usually left with the network team. So you have a separation of duties, and usually from a CI/CD platform process for application deployment we see most commonly customers using the MC Spoke module, and then for the network security team they typically use the MC Transit, MC FireNet, and then MC Peering to kind of glue it all
together. Cool.

I think just two other things we wanted to drop a plug for: our learning path. So we have, you know, an industry-first standard passive learning about cloud, where you go and you learn about all the various clouds, AWS, Azure, GCP; you learn the native constructs and how they work. And then you have the ACE Professional and ACE Design Expert. You also have these optional specialty trainings as well: automation, if you're interested in infrastructure as code; operations, how do you troubleshoot and manage a real-world network. There's a plug there for those classes. We also, in your view, have access to or see other types of learning as well, and I believe there is a survey that is there too that we encourage you to take as well. Yep, and then obviously joining the ACE Community, right? So this is where folks that have these certifications go and ask questions, not only about native but also about Aviatrix. Here you can go and share and learn from others through community.aviatrix.com.

That sounds good. And so we can spend the last 45 minutes answering questions, and I'll open up CoPilot and show you guys some visibility of CoPilot and what you get out of having the Aviatrix architecture deployed across your cloud environment, and show you what that looks like. So if you have questions, feel free to post them in and we'll be monitoring and answer them. I'll share out a visual of what I hope it looks like real quick, so stand by. All right, so you should get a pop-up that shows you CoPilot, if you guys see that. Luke, can you, everyone's good to see that? Yeah, yeah. So when you deploy, you think about all the architecture we just talked about and the gateways and everything, all that data, NetFlow traffic, all the logs and everything are being fed up into CoPilot, and CoPilot's presenting that information to you
so you can utilize it and actually do something with it, for troubleshooting, for visibility aspects, and for digging in and understanding what's talking on your network, right? So this is the dashboard you're going to get. You'll see how many gateways, how many instances, your connection statuses, regions, and all these things are pushed on here. You'll see the total threats, using all our egress control and visibility across there; you'll see how many accounts have been onboarded and all that information across there.

If you come to Cloud Fabric, this is your topology you're going to see. So think about how you would see your topology today, if you would have the capability to do that: you could see it in one cloud. Network Analyzer, for instance, in OCI has that, but Network Analyzer in OCI doesn't provide you anything inside of Azure or AWS. And it looks like I'm having terrible network connectivity at my house, so I apologize for some of the delay in the visibility of the traffic on here.

So one thing that CoPilot can do, while we're waiting for this to populate, is it collects the metadata and provides it to you in here. So, highlighting and clicking on them, you can see all the metadata that will be collected over here, and you can see the instance, the IP addressing, the public and private IPs of those instances; you can run a security scanner on those, and all that information is here, provided for you, right? If someone says, hey, I'm having a problem on a server, you can come up here and search for those and say, where are these instances in the network? You can do searches and it'll show you where they are. So right now what you're seeing is your AWS, your OCI, GCP, Azure connectivities; these are my transits, these are my VPCs up here, and these are the hosts that are inside my VPCs across my architecture. One thing that's cool too on here: if you click on some of these devices you can easily see the tools, right?
So you can do gateway diagnostics there and run troubleshooting tools. And so you think about today as well, how would you do things you're used to doing: pings, traceroutes, and stuff like that? Because you own the data plane, you can do those things in the network too. So you can go to diagnostic tools and you can run your traceroutes, your pings, packet captures, active sessions, your interface stats, and all those things will be here. So you can do all your connectivity, you can do BGP diagnostics, controller diagnostics, things like that.

One thing too, we have a tool called AppIQ, and it's called FlightPath. So if you come to FlightPath, this is what's going to give you visibility and troubleshooting. This is where it comes in really handy. Before I came to Aviatrix I was at Oracle on the OCI engineering team, and customers are calling, so, hey, I have two endpoints that can't communicate, what's going on? So with OCI I had to go through every route table; if it was different accounts I had to open different accounts, different route tables, different ACLs, different security groups; I had to go to the DRG and look at the route tables in the DRG, the VPC, DRG, and all those things. It took a lot of time, and then I had to go in and make all these HLDs showing what they looked like. Here, I can simply click two endpoints and say run a test; I want to check for, you know, whatever you want, 8080, 443; name your report that you want and run AppIQ. So what it's going to do is it's going to run a test across that; it's going to look at the route tables, the security groups, the ACLs, the transits that are in the path, everything that's in the pathway that it hits, it's going to check that and make sure those two endpoints can communicate. So the report looks like this: Aviatrix Engineering AWS Spoke QA goes across this pathway, this is the latency that it's seeing as it transfers across the path, and
this is the other endpoint. So this is showing you the link that it would take if it's allowed to communicate, and if you come down here on the report you can see the latency across those gateways; you can look at all the performance monitoring data on the gateways. And then the important piece that you guys would see: you see that it hit the ACL, there's a rule allowing the traffic on that ACL; security group, there's a rule; on the Aviatrix spoke gateway route table, here's the route table it's hitting, it's allowing it. And you just go down here and see, okay, well, what's preventing these two from communicating? So I see that there's a specific security group in Engineering AWS Spoke QA that has no rule to allow this communication, and so I can easily click on this hyperlink, it'll take me to that security group, and I can update it and push out a policy to allow communication and then rerun my test. So within 15 seconds I troubleshot my network connectivity between two endpoints in different regions of my network, or even different clouds if you wanted to.

Any questions about that so far? We're still monitoring our Q&A, so if you have questions feel free to put them out there. And I think, Bill, you said our free training promo ended August 31st. Davina, are you going to have some more free training offered for the people that attended the webinar? Yeah, we will send that out to everybody in the post-event email. Okay, cool.

So the network segmentation policy is one of the things that we touched on as well, so you can see in here, here's our different network domains: we have Azure, Dev, Edge, on-prem, Prod, QA, and you can highlight to see who's allowed to where. This is bespoke, and as part of this network domain, this is a segmentation policy that's following here, if you want to see high level who's allowed to talk to who. So if you're in the Prod domain, who can you talk to? You can talk to Azure, Shared, and Edge. If you're in Dev, you can talk to on-prem, you can
talk to Azure, Shared, and Edge. So you can see the policy that's pushed out, if it's actually working and the intentions of your network domain are actually doing what you said it was going to do, quick and easy. You can create the network domains in here, and in the overview here you can see a physical view and a regional view as well, and you can even say I just want to see specific filters on here, I just want to see my Dev environment and what spokes are in there.

Let's see, come down to Security. I'll show you guys what the ThreatIQ piece is; we talked about that as well, the visibility. And if you remember, we talked about Proofpoint, right? We partnered with Proofpoint; we use the database, like the CSPs utilize, for threats that are coming in, or maybe one of our servers going out and talking to it. So you can see what's going on in your network, where the threats are coming from or where they're going to, how many threats there are, and things like that. So if you come down here you can see the severity levels right here, and you can see what's going on: the threat domain, the severity, the classifications, source, the destination, and you can even click on View if you wanted to see what that traffic looked like. So you can see the topology for that traffic in here, and you can break it out and start looking into it and see what it looks like in your topology. You can see the flow data, so the general flow data, the GeoIP destination, the source, and the NetFlow traffic right here; and then you can also see the threat summary, what's going on and what that was and why it alerted us in there.

Anything so far on that, Luke? Do you want to add any color to this? No, no, it looks great. I think there's a lot of data here, everyone, so I know also we've thrown a lot at you, but if you have specific questions, again, use cases that sort of pop out, Davina is going
to be sending out an email of how to follow up and get in touch with your local SE and account executive, and we can dig in from there. But no, I think this is great. Cool.

We also have the ability to do geo-blocking as well. So if you wanted to, let's geo-block somebody and say we don't want anybody in our region to talk to anybody going to Antarctica, right? So no traffic should go to Antarctica and no traffic from Antarctica should be allowed. So we can just click this button and all traffic to Antarctica will be blocked, and it prevents it from communicating to that country of Antarctica.

You can do anomaly detection too. So if you wanted to do a fingerprint of your VPC: all the workloads inside this VPC should only be talking on port 443, and you can monitor that and say, alert me if anything in this VPC communicates outside of the norm, or the fingerprint that I created for it. And so as soon as those servers start talking on a different port other than what you've allowed them to communicate on, or maybe another IP address, or maybe started talking to another server that they shouldn't be talking to, it will do an alert and it will show you and say, hey, these servers are communicating and somebody needs to do something about that. And so those will be monitoring those VPCs and VNets inside of your architectures.

One thing too I'll show in here, let's see, CostIQ is something we really didn't talk a lot about. So some of the value you get from the visibility of your network: you can create these shared services. So think about what you have as shared services: your Direct Connects, your firewalls, or anything that's shared, you know, a database, the shared service on there. So you can create this shared service and say, today maybe you just do a peanut butter spread of those costs of that shared service; you say the database is $100 a month, I have five units, they're charging
$20 each. However, not everybody's using those services as much as somebody else is within your organization. So if you wanted to create these cost centers and the shared services, you can see who's using what services in your environment. So you can see the operations, you can see what traffic they're using and how they're going across there. Come here and see shared services, and let's just look at a database real quick. So here's my data prod, and I can see Marketing is using 36% of the traffic going to that cost center, Engineering's 33%, Accounting 29%. I could essentially just come up here and say, you know, it's a thousand dollars for that time period, and it'll tell me you need to bill each one of these cost centers accordingly to how much they're using. So you can do accurate costing and analysis. So think about your FinOps teams that are trying to assess how do we bill back to these units for using the cloud more appropriately; this is how you could use Aviatrix to do that as well.

All right, so I will wrap up here; we're at about three minutes left in the conversation, two minutes left. So we went over a lot of stuff: how to build a secure cloud network; we talked about all the constructs, how to build it, about it being not a SaaS or network-as-a-service or managed service, that your architecture, you own and operate it; it works in all the different cloud providers that are out there; and we talked about Distributed Cloud Firewall, the value it provides, and providing central orchestration, central control, central visibility, and those components of building a network architecture that is consistent in a hub-and-spoke architecture across all the clouds. So I'll wrap up. Davina, is there anything else that we need to cover to make sure we finish on time? Nope, I think that was great, thank you guys. I did pop up a survey, so if you guys can please fill that out,
it'll be really helpful to continue building out these conversations for you guys that are meaningful to you. So thank you again. No, I enjoyed this, thank you. Thank you everyone for taking the time, and I think we pretty much answered most of the Q&A questions as well. So thank you, and appreciate it. Thank you everybody.