Working at Aviatrix gives me opportunities to meet many smart people, the practitioners and pioneers managing cloud infrastructure. I want to understand and document their cloud journey and perspectives.
Today is my first piece: A Conversation with Daniel Huenink.
Daniel is one of those superstars when it comes to Cisco domain expertise. He has architected and managed networks with Cisco WAAS, VoIP, ASA and ASR. Daniel also has diverse experiences as a database programmer and sysadmin.
We met with Daniel recently, discussing at length a specific routing feature he requested. Afterward, my curiosity caught up with me, and we talked some more. Here is part of our extended conversation with Daniel’s permission.
Sherry: Why did Nelnet move to public cloud?
Daniel: The biggest factor is cost, trying to reduce cost. It enables us to do more with less money so that we can remain competitive with our products and services in the market.
Sherry: How did you learn about Aviatrix?
Sherry: What did you like about our Aviatrix product?
Daniel: I like the security feature of the Aviatrix Transit Network. The fact that a Spoke VPC does not have connectivity to another Spoke VPC unless specified provides the network isolation we need in our highly regulated industry.
In our environment, business units have their own AWS accounts and therefore VPCs. For the most part, they shouldn’t be talking to each other. But if the underlying infrastructure is a fully connected network, then we’ll have to set up VRFs and policies to prevent cross-talk; that added layer of complexity is not what we need.
Sherry: Did you not try Cisco CSR1000v?
Daniel: I did start the POC with CSR1000v, but for the reasons I mentioned above, we decided not to deploy it. In addition to segmentation, adopting CSR1000v implies we would be managing hundreds of BGP sessions, which is a task no one has time to take on.
Sherry: What is your view of security and encryption?
Daniel: Our business requires us to comply with PCI, HIPAA and other government regulations. We get audited often. Encryption for data in transit is a requirement, and data leaving a facility must be encrypted.
Sherry: Where does data encryption happen?
Daniel: Well, data can be encrypted at the application layer or it can be encrypted at the infrastructure layer. We have many applications; some are home-grown, and some are commercial off-the-shelf (COTS) apps, which may or may not natively encrypt, so we enforce it at the infrastructure layer. That’s why we deploy encryption over Direct Connect.
Sherry: Do you have a large deployment?
Daniel: Our current deployment is small as we are just starting, but I expect it to grow significantly in the next 3–6 months. We typically like to do an annual contract, but since it’s difficult to predict the usage growth in this case, we switched to the Aviatrix Metered AMI offering. I like the flexibility of the cloud consumption model, where you pay as you consume.
Sherry: How do you plan to manage a large deployment?
Daniel: Automation. We are going to try to automate as much as possible. I have looked at the Aviatrix Python SDK and REST API. It is currently written for Python 2.7. I updated it in my own environment to 3.0. It seems to work fine.
Sherry: That’s awesome. Since these are just HTTPS calls, they should work with either Python 2.7 or 3.0. Our SDK is short compared to our REST APIs. You will be more than welcome to contribute to our SDK open source project!
Anything else you may be interested in looking into?
Daniel: We enabled NAT function on the Spoke gateway for Internet access. We may be looking into the FQDN function for egress control in the future.
Sherry: Sounds great. Let’s sync up again later; I would love to learn more as your deployment gets bigger.