Why you need a new network for the multi-cloud world

As enterprises expand to multiple cloud providers, the vanilla networking capabilities provided by the likes of AWS, Microsoft and Google may not cut it. IDG Enterprise Consulting Director John Gallant sits down with Steve Mullaney, CEO of Aviatrix, who pulls no punches on why current leaders in enterprise networks won’t be the leaders in cloud networking.


The future of IT is multi-cloud and the future of multi-cloud networking is Aviatrix. At least that’s the message from Steve Mullaney, CEO of the 7-year-old Santa Clara, Calif., company. Aviatrix has developed what it calls an enterprise multi-cloud network architecture providing advanced networking, control and security functions across major cloud providers. Mullaney has a strong history of being right about next-gen networking. He was CEO of Nicira, the software-defined networking startup snagged by VMware for $1.26 billion, and was vice president, marketing and interim CEO at Palo Alto Networks, a leader in network security. Mullaney also served in top roles at Blue Coat Systems, Force10 Networks and Cisco.

But, wait, you’re saying, don’t the cloud companies already provide the network functions I need? Not even close, according to Mullaney. As enterprises commit more to the cloud and as their clouds expand to multiple providers, the vanilla networking capabilities provided by the likes of AWS, Microsoft and Google won’t cut it. Mullaney explained why to IDG Enterprise Consulting Director John Gallant, and pulled no punches in detailing why the current leader in enterprise networks won’t be the leader in cloud networking.

John Gallant: Let’s start off with a concise explanation of what problem you're trying to solve for enterprises. What are they struggling with today that you're helping them resolve?


Steve Mullaney, CEO of Aviatrix.

Steve Mullaney: Enterprises … move as a herd. Call it “crossing the chasm,” whatever you want, they decide on the same Tuesday morning that they're all going to do something. We've seen that over and over again with the adoption of technologies.

We've been talking about cloud for 12 years. Six years ago, enterprises said they were going to move to the cloud, but they didn't really mean it. Before that, they said they were never going to move to the cloud. It doesn’t have the security; it costs too much. I don't have control. About a year-and-a-half ago something changed. I don't know if it's just that they were talking about it for five years or they had more experience with it, but it finally got to the point where it became enterprise mission critical. 


They said, ‘I'm now really going to move to the cloud.’ Before that, it was handled mostly by DevOps and the apps team. It wasn't IT. And they didn't care about security, they didn’t care about compliance, auditing, all the things that we know that enterprises care about. Then, it just flipped. That's the way the herd moves, they all decided on the same day. 

And here’s the issue. I’m Nike, I'm Amgen, I'm State Farm. I'm old-world, 50-year-old enterprises and I wasn't doing all the visibility and control things, the security, the compliance, the auditing, all that, for my own health. I had to because I'm an audited company and it’s our business. Now, we're going to move to the cloud. I want the simplicity and the automation of the cloud, but I also need to bring along visibility and the control. Enterprise IT is now in charge. They’re told by their CEO and their board -- we are moving to the cloud and, by the way, COVID-19 is an accelerant to that movement. We’re moving and this is mission critical.

Guess what? It needs all the compliance and the security and the network visibility. Because when anything goes wrong, who's to blame? The network. Right? The first thing the network guy says is: I need visibility, and then I need control. AWS or Azure or Google say: No, you’re thinking about it all wrong. It’s a service. You don't need to know. Why do you care? Well, you say, when something goes wrong, I need to know. And they say: Nothing will go wrong. And you ask: When something goes wrong, what tools do I have to actually go in there and get visibility and then troubleshoot?

The cloud was really geared towards SMBs and DevOps who didn't want to know. I don't want to understand networking. I'm a cloud guy. I'm an app guy. I want to spin up my workload and be done with it. And that's where we come in. We bring along the visibility and control that IT demands. The cloud [companies] follow the 80/20 rule, which is that they'll build 80% of the functionality, and all the knobs and dials and all the extra, advanced stuff that every enterprise needs, we’ll use ISVs for that. We can give them that. 

The second thing is that every single enterprise I talk to knows they're going to be multi-cloud, and the network team doesn't decide what cloud you use. The business unit decides. All of a sudden, you win a big customer, you need to support another cloud. This just happened to one of our big customers. They had said ‘we're only going to be AWS.’ I said ‘You will be AWS until you're not. And it will happen. Trust me.’ Recently, I got an email. They said: ‘great news, we just landed a huge customer and they're forcing us to be on Google.’

What we provide is an architecture. Just like Cisco in the ’90s created the reference architecture for campus-to-WAN, and then, a collapsed backbone architecture, data center architectures, core / aggregation / access for the WAN. IT cares about architecture, and they want an architecture that they can then stamp out everywhere. They want to know that they’re using the same architecture that every other enterprise is using. We're filling that void for them regardless of what public cloud they're using. One or many, it's the same architecture. You basically, almost in a pod-like way, stamp out our architecture to give you the advanced networking and network security and operational services, whether you're on AWS, Azure, Google, Oracle, or all of them.

What [customers] don't want to do is hard code down to the lowest level into AWS and then guess what? We need to move to Google next week. And they don't understand Google. It's similar, but different. People think cloud networking is easy. It’s very complex. Our customer said to me: ‘Thank God we have you guys because now it's the same architectural and operational model. I now just deploy it on Google Cloud Platform (GCP).’

Gallant: You've used the term “enterprise multi-cloud network architecture.” Can you describe that?


Inside cloud operations management.

Mullaney: As enterprise networking teams peel back the onion on cloud networking, it becomes clear the cloud providers only deliver basic network connectivity. More visibility, more control and advanced networking and security features are needed. A multi-cloud network architecture enables a cloud network platform that leverages cloud service APIs and adds advanced services to provide the capabilities network engineers expect.

This is exactly what we went through in the ’80s and early ’90s when we went from mainframe to client-server. We're now transforming to a cloud computing model. The center of gravity isn't in my on-premises data center anymore. It's in the cloud, and more importantly, across multiple clouds. So, No. 1, I need everything to work across clouds. I want to leverage that public cloud where there's been tens and tens of billions of dollars of infrastructure investment. In the ’90s, it took an enterprise a decade to build client server. Boxes and cables and power supplies and racks -- you've had to build out your whole infrastructure.

Now, you say: I'm going to move to cloud. I just spun up 62 data centers around the world. I've got fiber, bandwidth, infrastructure all over the world in all these data centers. I can spin up data centers with a couple clicks of my computer mouse. Now I need the software on top of that and this is where Aviatrix delivers in an enterprise way.

The first thing is access. I'm at home and I'm VPN’ing into cloud or I’m a site and I've got to connect my data center into the cloud. There's just an element of connecting into the cloud that, honestly, is one tenth of the value, but we do that. I would call it transit networking. It’s how I interconnect and do service insertion, all my Virtual Private Clouds (VPCs) in AWS and my Virtual Networks (VNets) in Azure and my VPCs in Google and Oracle, in a high-performance, most likely encrypted manner, with easy insertion of things like next-gen firewalls and other security functions. That could be thought of as your backbone, like in the old world, but it's really more of your transit network. How do I build a secure, high-performance, encrypted, service-rich transit, that is the same whether I'm leveraging Google or Azure or Oracle or AWS.


Then you have security and operations that fit on top of that. Doing segmentation, network security. Being able to apply global segmentation, not just within a particular public cloud, but across public clouds, and have those big global abstractions of security. We don't use the words software-defined networking (SDN), but it is software-defined with a controller and distributed gateways. We have total knowledge of everything -- unlike the old on-premises world where you really didn't have knowledge of everything. We have global state knowledge -- not just of what's in a particular region or a particular cloud, but across clouds. There's anomaly detection. There are optimizations around performance, traffic engineering and cost that we can do. 

One of the things I like to say is: Day one is one day of your life. Day two and beyond is every day of your damn life. How do I operationalize this? This is what enterprises really worry about and where most of our value is. We enable you to deploy in a multi-cloud environment with one common architecture and one operational model that can roll out across all this. We have software called CoPilot that gives you way more visibility and granularity to be able to troubleshoot than you got on-premises. It's all APIs. It's a modern way of doing things.

Gallant: Steve, you're layering on top of the cloud networking capabilities. What are the shortcomings of those cloud networking capabilities? Why can’t I just rely on them?

Mullaney: We are layering on top, but we're actually also part of the fabric of the cloud. We are cloud native, vs. cloud naïve. We are actually part of that fabric. We natively program AWS, Azure, Google. We leverage the native constructs that they have. We're not just sitting on top with no awareness.

What are the things that they're missing? Enterprises need extreme visualization into what's going on to be able to troubleshoot. This is not fun and games. Then the second thing is encryption. If you encrypt inside the cloud, you're limited to 1.25 gigabits per second. We've architected a solution that can use multiple cores. We scale as the size of the instance scales. We can offer 70-80 gigabits per second of fully encrypted traffic and will scale linearly. Enterprises, government, why wouldn't you encrypt? Of course, you would encrypt everywhere, even if you don't need it, as long as there’s not a performance hit. 

Another thing is performance. In the software world, there's no such thing as a 12-port device or a 24-port line card. You can have thousands of ports. There’s no concept of a port and a wire. You’re integrated into the cloud native fabric and you could have thousands of ports. Our architecture and our transit is fully meshed, active/active. We call it Active Mesh. Everything’s redundant, everything's high availability.

In the physical world, you can't really build something that's fully meshed because you run out of ports. In the cloud, we can build high-performance, encrypted, secure transits, that honestly the cloud providers don't want to do because of that 80/20 rule. We've had routing protocols for, what, 30 years? There's no concept like that in AWS. The distribution of routes is done manually. When you're only doing a couple of data centers or a couple of VPCs or VNets, it's not that big a deal. But an enterprise might have thousands of VPCs. I can't be doing things with scripts and manually changing things. That's where all the errors come from. I have to have more automation in my networking.
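The manual route distribution Mullaney describes is worth seeing concretely. The following is an editor-added example, not part of the interview and not Aviatrix or cloud-provider code: a small Python model of a hub-and-spoke transit that computes every spoke and hub route table from an inventory, refuses overlapping address space (the error that hand-edited tables let through), and produces a minimal change set instead of rewriting tables wholesale. The Spoke type, the HUB name, the attachment naming and the sample CIDRs are this example's own assumptions.

```python
"""Route distribution for a hub-and-spoke multi-cloud transit.

Added example, not Aviatrix code and not any cloud provider's API. It models
the manual work described in the interview: every spoke VPC or VNet needs a
route to every other spoke's CIDR via the transit hub, and the hub needs a
route back to each spoke. Done by hand across hundreds of spokes this is
where the errors come from: overlapping address space, missing return
routes, stale entries left behind when a spoke is retired. Spoke, HUB,
plan_routes and the attachment naming are this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

HUB = "transit-hub"


@dataclass(frozen=True)
class Spoke:
    name: str
    cloud: str     # "aws", "azure", "gcp", ... (informational only)
    cidrs: tuple   # CIDR strings attached to this spoke


def check_overlaps(spokes):
    """Return (spoke_a, spoke_b, cidr_a, cidr_b) for every overlapping pair.

    Two spokes with overlapping address space cannot both be reachable in
    one transit routing domain; a route-distribution tool must refuse the
    plan rather than let the more specific or last-written route win.
    """
    nets = [(s.name, ip_network(c, strict=True)) for s in spokes for c in s.cidrs]
    problems = []
    for i, (na, a) in enumerate(nets):
        for nb, b in nets[i + 1:]:
            if na != nb and a.overlaps(b):
                problems.append((na, nb, str(a), str(b)))
    return problems


def plan_routes(spokes):
    """Compute full route-table contents: {table: {destination_cidr: next_hop}}.

    Each spoke gets a route for every other spoke's CIDR pointing at the
    hub; the hub gets a route for each spoke CIDR pointing at that spoke's
    attachment. Raises ValueError on overlap instead of emitting a plan
    that would silently black-hole traffic.
    """
    overlaps = check_overlaps(spokes)
    if overlaps:
        raise ValueError(f"overlapping CIDRs: {overlaps}")
    tables = {HUB: {}}
    for s in spokes:
        tables[s.name] = {}
        for c in s.cidrs:
            tables[HUB][c] = f"attachment:{s.name}"
    for s in spokes:
        for other in spokes:
            if other is not s:
                for c in other.cidrs:
                    tables[s.name][c] = f"attachment:{HUB}"
    return tables


def diff_routes(current, desired):
    """Minimal change set for one table: (routes_to_add, destinations_to_remove).

    Applying only the difference, rather than rewriting the whole table,
    avoids the brief outage a delete-then-recreate script would cause.
    """
    to_add = {d: nh for d, nh in desired.items() if current.get(d) != nh}
    to_remove = sorted(d for d in current if d not in desired)
    return to_add, to_remove


# Constructed sample inventory; not real addresses of any customer.
SPOKES = (
    Spoke("prod-aws-use1", "aws", ("10.1.0.0/16",)),
    Spoke("prod-azure-eus", "azure", ("10.2.0.0/16", "10.3.0.0/24")),
    Spoke("analytics-gcp", "gcp", ("10.4.0.0/16",)),
)

if __name__ == "__main__":
    plan = plan_routes(SPOKES)
    for table, routes in sorted(plan.items()):
        print(table)
        for dst, nh in sorted(routes.items()):
            print(f"  {dst:18} -> {nh}")
    # A spoke whose table still carries a route to a retired spoke (10.9/16).
    stale = {"10.9.0.0/16": f"attachment:{HUB}", "10.2.0.0/16": f"attachment:{HUB}"}
    print("change set:", diff_routes(stale, plan["prod-aws-use1"]))
```

The overlap check runs before any table is computed on purpose: with hand-maintained tables the overlap is usually discovered only when traffic for one spoke starts arriving at another. The same plan/diff pattern is what a controller would apply against each provider's route-table API, with the provider calls substituted for the print statements.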

Gallant: At this point, in the way that enterprises are using cloud today, is there really a lot of east/west traffic between these VPCs and VNets that require that kind of transit capability?

Mullaney: Yes. These are microservices-type applications. Gone are the days when you can put the three tiers all in one VPC and they never go anywhere. They’re talking to the internet, you’ve got build packages, you're going to GitHub. It's an explosion in the amount of traffic that these apps are creating.

Gallant: Today, I have all kinds of tools to manage data center infrastructure. Now, you’re bringing up new tools in the cloud. How do those two worlds intersect? How does the Aviatrix world intersect with, say, the Cisco world in my data center?

Mullaney: You’ve got to be multilingual. You’ve got to understand the clouds, which we do, but you also have to understand BGP and the on-premises world because I'm going to connect from there into the cloud. Cisco did amazing things, as you know, for the last 30 years. They were the dominant networking player in the old, legacy on-premises client-server world. One of the great things they did was the Cisco Certified Internetwork Engineer (CCIE) program, which taught people about IP networking. But there was no multi-cloud network certification. That's what we created and called ACE, the Aviatrix Certified Engineer. Our classes are full. We’re going to be training thousands of people this year. We’re moving into the cloud, and you can't leave the human behind. I've got to bring these people into the new world. 

Gallant: I guess I'm trying to understand, though, as I'm monitoring and managing my own enterprise network, and now I've got the cloud component, am I using Cisco tools for part of that and then yours, or is there an integrated view of this?

Mullaney: No. What you have on-premises is what you do on-premises. Our connection point to on-premises would be a VPN to that router at the edge. We'll connect that data center, but we don't have anything that goes inside that data center. What you do on-premises, you use the tools you're going to use in there. But in the cloud, that's our world. You’re going to use our tools. The funniest thing in the year that I've been here is that Cisco is not actually even in the conversation. I've competed with Cisco my entire career and the word Cisco is never used in cloud talks. Just like IBM or DEC wasn't in the conversation on client-server. Juniper is not in the conversation. VMware is not in the conversation. Palo Alto Networks is in the conversation, from a security perspective. That's the only legacy vendor I ever hear about.


Gallant: When does someone become an ideal customer for Aviatrix? What's the pain point that they hit?

Mullaney: The tipping point is once they really start digging in. A cloud provider will tell people: We will do everything and anything you will ever need from networking and security. You don't need Palo Alto Networks. You don’t need Aviatrix. You don't need any vendor. And the customer says that's wonderful. The grass is so green over there and it's going to be so easy, all I have to do is go click, click, click, and it's done. Then they see the reality. They say: I didn't realize how complex this really was. I thought this was going to be really easy. I laid off half my IT staff because I thought we were moving to the cloud. Now, what the hell do I do? At that point they start searching for other things.

It's only as you start digging into the details that you really discover it. That's when we come into play. It's not a size thing. Obviously, the bigger they are, the more complex it is. We have 400 customers, and a lot of them are people we don't even know. They come in through the marketplaces and they download our product and they use us, and they pay a monthly bill. And lots of those people are actually single-cloud customers. 

Again, it's the simplicity and the automation and the things the public cloud providers don't provide. Now, when you then go multiple clouds, it gets even more valuable. But most of our customers are actually today still primarily single cloud and they know they're going to be moving into multiple cloud, so I want to build an architecture that allows me to go do that.

Gallant: Regarding Cisco not coming up in the conversation: Over the decades, whenever there was some technology shift like Fast Ethernet or Gigabit Ethernet or wireless LANs or SDN, that shift was the thing that was going to put a dent in Cisco. Why will this shift be the one?

Mullaney: That's what people ask me. They ask me about Nicira and this, that and the other thing. Nicira was great, but it was a transition. We had to get bought by VMware or Cisco or somebody like that, because it was a better way of doing on-prem networking. It was not a transformation. It was a transition, and incumbents are supposed to win transitions. You know, John Chambers pats himself on the back for winning all these transitions. Don't pat yourself on the back, you're supposed to win. Pat yourself on the back for becoming the dominant networking player, because once that happened, you were then, by default, going to win every transition.

IBM, DEC didn't win the move to IP networking. Just like Cisco and Arista are going to be left behind. It's the innovator's dilemma. They're nowhere (in the cloud) and they're not in the conversation.

Gallant: And it's also a software play vs. a hardware play.

Mullaney: They're going to take Application Centric Infrastructure (ACI), they're going to take their existing stuff, they’re going to try to put a veneer of cloud around it and then they're going to jam it in the cloud and they're going to say it's cloud. I call that cloud naïve, not native. It looks the same, it's very similar. A one-letter difference, native vs. naive, but it makes all the difference in the world in the meaning. They're just taking their old operational model and old routers and putting them in a VM and jamming it into the cloud. They don't understand the native constructs. You still get the same horrible operational model of the ’90s. And that’s not what people want. I want it cloud native and I'm glad you're bringing the visibility and control, but I don't want to do it in an operationally complex way. That's why they’re looking for new platforms that are born in the cloud for the cloud, like Aviatrix.

Gallant: Steve, from a competitive standpoint though, who's out there that's talking about this?

Mullaney: Our competition right now is do-it-yourselfers within enterprises. They say: You know what, I actually like doing it myself. Going forward that's happening less and less because enterprises realize -- even the do-it-yourselfers realize -- I'm the only one in the company who actually knows what's going on. If I get hit by a bus or I want to go on vacation, nobody knows what's going on. Again, day-two operations. I’ve got operations people I’ve got to hand this to. If I'm an engineer, and I've built this handcrafted thing that I'm the only one who knows how it works, it's kind of job security for me. But no enterprise is going to allow that to happen. That's typically been our competition.

I believe the incumbents will cloudwash what they're doing. They’ll say they're doing what we're doing. But it won't be real competition. There will be, hopefully, other competitors, startups, that do what we do. Enterprises say this sounds really good. Who else does what you do? It's kind of like -- well, nobody. It's not a good answer. Gartner's not going to create a magic quadrant based on this, like there's no market if there's one vendor. I expect that the secret of what Aviatrix is doing is not going to be a secret for long and that there will be startups.

I think SD-WAN vendors will pivot towards this. You’re going to hear a lot of people talk about multi-cloud networking, cloud, cloud, cloud. I call it the cloud virus. It's over, John. The on-premises world -- done. Now, it'll be like mainframes. They didn't go away. Nothing ever goes away in networking. There are still shared media hubs out there. But the investment area and the center of gravity has shifted to the cloud and coronavirus has been an accelerant to that. If you're an on-premises vendor, you're screwed. You've got nothing in the cloud and you're just hoping that you can get cloud revenue up faster than on-premises revenue goes down. That’s like what Palo Alto Networks is trying to do. But, you know, the Ciscos, the Aristas, companies like that, they don't have anything in the cloud. They're kind of screwed because -- I'm just going to ride my on-premises revenue down.


Gallant: Steve, some of these larger initiatives, like Kubernetes Federation or Google Anthos or Kabanero from IBM or even what IBM is doing with Red Hat, sort of these overlays around the whole container world, do those prove to be competitive in the long run because they're helping people manage similar issues? Or are they complementary?

Mullaney: They're very complementary. There are going to be new layers, horizontal layers in every architecture. It's the OSI model, right? At the lowest level is going to be the cloud service providers, AWS, Azure, Google. That's the infrastructure. At the network layer, that's going to be Aviatrix. We're going to become the cloud network platform. You're going to have people like Snowflake as the cloud data platform. You're going to have companies like HashiCorp, they’re going to be the cloud automation platform. That's the automation part of infrastructure that really didn't exist in client-server. At the application layer, people are excited about Kubernetes and containers. Can I have a platform upon which I'm abstracted away from whatever cloud I'm running on? Above all of us at the network layer, you have to interconnect all these things. They're not worried about that network infrastructure. They’re more about the application [infrastructure].

Gallant: You’ve brought Palo Alto Networks up a couple times. Can you talk a little bit more about how you’re bringing partners like that into the architecture?

Mullaney: We’ve been working with them for about nine months. When you talk to the customers, they say: You know, it's not clear exactly what I'm going to do in the cloud, but one thing is for sure, I want to bring my firewall with me. You've got to understand the psychology. Humans don't like that many things changed on them. It's like a four-legged stool. If you change two legs, the stool falls over. They only really like the one leg being changed. I may have to move to the cloud, but I'm going to try to bring some familiar things with me. It's my safety blanket.

AWS will say the same thing about Palo Alto that they say about us: You don't need firewalls. You don't need Palo Alto in the cloud. Eventually, maybe I don't need that firewall. But you know what, customers are bringing them in. The problem is -- how do I plumb my next-gen firewall into the cloud because it doesn't understand cloud? The native constructs that the cloud providers give you are limited. It forces you to use IPsec. They don't have good load balancing. There's a lot of restrictions. There are performance hits, there's visibility hits. In order to do load balancing, they force you to use equal-cost multi-path routing (ECMP), which means you have to use source network address translation (SNAT), which then means you lose visibility of the source IP address, which is the whole purpose of having the firewall in the first place so you can track that.

We basically cloudified the vendors’ cloud firewalls. We said: We’ll take you under our arm. We put our gateway in front of the firewalls. They connect to us and then, because we're cloud-native, we’ll handle all that for you and the distribution of routes and spinning up your appliance, making it easy, such that we’ll just allow you to do what you do. We don't hinder their performance, there's no SNAT’ing. The visibility's all fine. The operational complexity is way down. We'll handle the distribution of routes. You just are an appendage to us and do the firewalling. The security guy is happy -- I get my firewall deployed. The networking guy is happy because now it's done in a very cloud-native way.

And we do this for all of the major firewall vendors -- Palo Alto Networks, Check Point and Fortinet. We call it a firewall network service.
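The ECMP-forces-SNAT point is easy to state and easy to get wrong in a design review, so here is an editor-added simulation of it. This is not part of the interview and not Aviatrix, cloud-provider or firewall-vendor code: a hash-based ECMP spreads flows over several stateful firewall instances; without SNAT the reply is hashed independently and frequently reaches an instance that never saw the forward packet, which drops it; with SNAT at the load balancer the reply is pinned to the right instance, but every firewall log now records the translator's address instead of the client. The hash function, the 192.0.2.x translator addresses, the class names and the sample flows are this example's own constructions.

```python
"""Stateful firewalls behind cloud ECMP: why SNAT gets forced, and what it costs.

Added example, not Aviatrix code and not any cloud provider's or firewall
vendor's implementation. A cloud construct spreads flows over N firewall
instances with a hash of the 5-tuple. A stateful firewall passes a return
packet only if it saw the forward packet of that session. Without SNAT,
the reply hashes independently and often lands on a different instance,
which drops it. With SNAT in the load balancer, the reply is addressed to
the translated address and returns to the right instance, but the firewall
now sees the translator's address, not the real client. The hash,
addresses and class names are this example's own constructions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


def ecmp_pick(flow, n_paths):
    """Hash the (TCP) 5-tuple onto one of n_paths. Like real ECMP hashes it
    is not symmetric: swapping src and dst gives a different bucket."""
    key = f"tcp|{flow.src}|{flow.sport}|{flow.dst}|{flow.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


class StatefulFirewall:
    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self.log = []            # (event, source_ip) as the security team sees it

    def forward(self, flow):
        self.sessions.add((flow.src, flow.sport, flow.dst, flow.dport))
        self.log.append(("new-session", flow.src))

    def reverse(self, pkt):
        """Accept a reply only if the matching forward session exists here."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return True
        self.log.append(("drop-no-session", pkt.src))
        return False


def send_without_snat(fws, flow):
    """Forward and reply are hashed independently; may hit different instances."""
    fws[ecmp_pick(flow, len(fws))].forward(flow)
    reply = flow.reply()
    return fws[ecmp_pick(reply, len(fws))].reverse(reply)


def send_with_snat(fws, snat_addrs, flow):
    """The load balancer rewrites the source to its own per-path address."""
    idx = ecmp_pick(flow, len(fws))
    translated = Flow(snat_addrs[idx], flow.sport, flow.dst, flow.dport)
    fws[idx].forward(translated)              # firewall logs 192.0.2.x, not the client
    reply = translated.reply()
    return fws[snat_addrs.index(reply.dst)].reverse(reply)  # routed back to that path


def run(flows, n_fw, snat):
    """Return (dropped_replies, set of source IPs the firewalls logged)."""
    fws = [StatefulFirewall(f"fw-{i}") for i in range(n_fw)]
    snat_addrs = [f"192.0.2.{i + 1}" for i in range(n_fw)]
    dropped = 0
    for f in flows:
        ok = send_with_snat(fws, snat_addrs, f) if snat else send_without_snat(fws, f)
        dropped += 0 if ok else 1
    seen = {src for fw in fws for ev, src in fw.log if ev == "new-session"}
    return dropped, seen


def sample_flows(n):
    """Constructed client flows: 10.1.0.0/16 clients to one service on 443."""
    return [Flow(f"10.1.{i // 250}.{i % 250 + 1}", 40000 + i, "10.4.0.10", 443) for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(200)
    for snat in (False, True):
        dropped, seen = run(flows, 4, snat)
        print(f"snat={snat}: {dropped}/{len(flows)} replies dropped; "
              f"sources visible to firewall: {sorted(seen)[:3]}{'...' if len(seen) > 3 else ''}")
```

Run it and the no-SNAT case drops roughly three quarters of replies with four instances, while the SNAT case drops none but logs only the four translator addresses. The way out of the dilemma is a steering layer that keeps both directions of a session on the same instance without rewriting the source, which is the role the gateway-in-front-of-the-firewall design above is playing; the simulation shows what that layer must guarantee.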


Gallant: Give us a brief summary of why an enterprise absolutely should be considering Aviatrix today.

Mullaney: You know you're moving to the cloud. This isn't fun and games anymore. It’s mission critical and you need somebody that gives you the simplicity and the automation of a cloud-native solution, but with the visibility and control you demand as an enterprise. You want that to go across whatever cloud you’re running on. You want one architecture that runs regardless of any public cloud you’re leveraging.