Why I left Azure for Aviatrix: Confessions of a Global Black Belt.


A lot of my friends and colleagues were curious as to why I would leave a massively successful company like Microsoft for a Cloud networking and security start-up called Aviatrix. The Microsoft of today is the perfect package for many - it has a great culture, brilliant leaders, a soulful vision (at last!), and killer products. Plus, I enjoyed my role and was part of a fabulous team. What gives? Well, I'm here to bury the hatchet and talk about why I left. This is not going to be a short exercise, because the real reasons are not simple. If you're interested, grab your favorite beverage, buckle up, and join me on this ride.

By the way, this story will not feature major technicals, dazzling take-aparts, or deep dives into the Aviatrix platform. There is already a solid body of work here and it is all just a click away if you thirst for it. I've been at Aviatrix for a grand total of two weeks, so I'm hardly the right person to lead this type of discussion anyway. Instead, I want to pan the camera back and talk about emerging trends in the industry, and what role Aviatrix will play in our shared Cloud future. Let us begin. <Cue soft dramatic music>

CSPs and the Resort Effect

Cloud Service Providers (CSPs) are good at a great many things, but they have a massive surface area to cover. They provide an impressive portfolio of services across three key spectrums: IaaS, PaaS, and SaaS. To make things even more complicated, they often have to offer a service in at least two of these spectrums at once.

A good analogy would be a large vacation resort that provides a wide array of services for its guests, such as dining, entertainment, spa treatments, day care, fitness, conference space, and so forth. While the resort does a respectable job of executing across all these spaces, they do so at the expense of not mastering any of them.

For example, when you crave unique entrees and an unforgettable dining experience, you don't go to a resort, do you? Do your little ones really love the day care at the resort and beg for more? Is the gym at the resort a place you would want a year-round membership? Hardly. But it is this combined experience, this ability to get all these things together in a single convenient package, that makes resorts so successful.

The Resort Effect, as I call it, rings especially true in the Cloud infrastructure space. CSPs are heavily focused on apps and workload innovation and offer unparalleled "combined experiences" for their customers here. Simply put, Cloud has commoditized the dark art of data science. This startling capability may be Cloud's single greatest gift to the world. This is the true profit center and beating heart of the CSPs.

Infrastructure, on the other hand, is something the CSPs are forced to do because those massive and lucrative brownfield projects demand it. Remember back in 2015, when the promise of Cloud was to swipe a credit card and stage a web app or spin up a storage instance? Not a shred of decent infrastructure back then. CSPs didn't predict that brownfield and IaaS would win with Enterprise back then. But boy howdy, did it ever, and the CSPs had to quickly pivot or lose the market.

Even today, nobody migrates to Cloud to make their networks more secure, or their firewalls more intelligent, or their big iron databases more performant, right? To try and make amends here, CSPs ingeniously focused on delivering table-stakes features while yielding high-end capabilities and functions to either integrated partnerships (like Azure + SAP) or to marketplace offerings (like Palo Alto and F5). This bought them the time they needed to pivot and provided a bigger menu of choices for lift-and-shift projects.

But it's not all good news. Enterprise IT quickly finds themselves in a serious bind when they experience the Resort Effect for the first time. I have witnessed this hundreds of times as a Global Black Belt who specialized in networking and security. Once the decision to move the app and/or its data is made, Enterprise IT is left to pick up all the supporting pieces and deal with making them fit in a new landscape full of pitfalls and challenges.

For example, CISOs and CIOs are rightfully demanding equal compliance, governance and security for their new Cloud apps, so IT must either lift and shift all the supporting infrastructure that affords them these capabilities (read: crazy expensive and brittle) or navigate an alien world full of feature gaps and foreign toolsets (read: massive sales drag and skillset gaps). Damned if you do and damned if you don't.

To make matters worse for IT, Enterprise is going full on Multi-cloud now, in large part because of the Resort Effect and its compounding aftershocks. Application owners are doing what they do best, which is to embrace digital diversity, resist lock-in, ensure resilience, and explore the new multiverse to find those sweet spots where their workload runs the best. If you are an IT pro who is reading this, and saying, "Well, my shop will only be in one Cloud ever, amen.", I have three words for you: Brace. For. Impact. It is coming, oh my brothers and sisters, and the Light will be ever so blinding.

Finally, every time an application platform changes hands, the new owners bring with them their own mix of proclivities, skill sets, and dispositions for Cloud. One time, while working with a major financial customer, I watched an application leave on-prem for Azure, then move kit and caboodle to AWS after three months, only to have half of it return to Azure less than a year later. And my poor IT friends at the other end of the line were slowly losing their minds.

Half of my job as GBB was as a Cloud Therapist, I swear. Hell, I should have put that title in my signature line. And the ever-present topic of distress was networking and security. Funny thing, 9 times out of 10, everyone on the call already knew the answer. They just needed to hear it from me to make sure they weren't half-crazy: Yep, this is how we do it now. Nope, don't do it that way, your failover time will be 90 seconds. Yes, yes…that's right, 90. Or another classic one: That's true, you can only forward just 1000 routes out if you want to use that pattern…Yep that’s just three zeros…Then I would wait in silence for the words to sink in. Tick, tock, tick, tock.

So where does all of this leave us? Let's take a breath and summarize before moving on:

  1. The Resort Effect means that CSPs are good at doing many things at once, but they struggle to be deep experts in any one thing, especially within a single spectrum.
  2. This is more obvious at the infra level because most CSP revenue and talent comes from the app and data science levels.
  3. To try and close this gap, CSPs have turned to partnerships and ISVs in the marketplace.
  4. Enterprise is embracing multi-cloud as a necessity to optimize against cost, uptime, features, and internal politics.
  5. IT teams are now doubly challenged. They must try and balance a lack of features and tools against the cost and complexity of maintaining their traditional approach, all while living in the on-prem world and in multiple Clouds at the same time.
  6. The most important thing that Enterprise IT needs right now is a comprehensive solution to Multi-cloud networking and security. They need what we at Aviatrix call Secure Cloud Networking.

Enter Aviatrix, the House of Secure Cloud Networking

After 5 years and 3000+ (yes) design sessions later at Azure, I had completely absorbed the six points above. It was like a crystal vision in my mind; a voice in my head that would not go away. I was so sure of it that I would end up betting my career on it. I discussed this quickly emerging trend with other thought leaders at Azure. And to various degrees, they understood it too and knew it was important to address.

Yet, CSPs are large, complex entities with hundreds of teams and dozens of product lines. BIG ship, -little- rudder. I knew Azure couldn’t move fast enough to deliver on what was happening right now. Also, in their defense, CSPs are purely responsible for the health and well-being of their own platform, and not that of their competition. It's not really Azure's job to solve for multi-cloud networking, it's Azure's job to make their Cloud #1. Same for AWS, GCP, OCI, and so on.

And really, at the end of the day, CSPs are not run by networking engineers and architects. They are run by executives, data scientists, and developers, who above all else, focus on AI, big data, and the application. Networking and security is just not their bailiwick, and folks, it pains me to say this, but it probably never will be. If you insist on waiting for the CSPs to deliver here, dress warm my brothers and sisters. For the Wind will be cold.

Thus, I knew at a deep level that no single CSP was going to fill this massive need for a uniform networking and security platform that united all Clouds, the One Ring to rule them all. It was going to be someone or something else, and I spent a good deal of time thinking about all this. Would it be the SD-WAN crew? The firewall crew? The edge connectivity crew? No one really seemed to have the perfect solution yet, so I waited and watched as the slow-motion train wreck continued.

I first became aware of Aviatrix back in 2018, when I met the founder and CTO Sherry Wei on a partnership call. At that time, Aviatrix was mostly centered around solutioning in AWS but Sherry made it clear that she had plans to go beyond just one Cloud. I saw a demo of their product and was impressed (okay shocked) by the fact that Aviatrix could do line-rate encryption from on-prem to Cloud at 10 Gbps per IPsec tunnel, which was unheard of at the time, and is frankly something the CSPs still cannot deliver on. But the product was young and there wasn't any way to position it in Azure, so I moved on.

Then, about 3 months later, two of my teammates left for Aviatrix, saying it was going to lead the way into the future. I was skeptical. Wow, off they go to start up land! Good luck and Godspeed! And I still didn't pay attention. At the time, I was guessing this space would fall to the SD-WAN vendors in partnership with the CSPs. But now I think much differently. We'll get to that.

Then, in late 2021, another one of my teammates left for Aviatrix, and I became very curious indeed. Something was going on here. And by this time, I was totally confident about the direction the industry was moving. Enticed, I revisited their product in earnest and was floored. I saw it all immediately, how their approach and vision was headed exactly where the industry was going, and how they addressed the same challenges and trends that I had seen build up over the last three years. And all that boils down to three simple principles. <Dramatic music swells>

The Right Leadership

Steve Mullaney, a 30-year veteran of Enterprise networking and security, predicted the direction of the industry well in advance of his peers. He knew, at least as early as 2018, that Enterprise was going to embrace Multi-cloud and that they would need a uniform data plane as the foundation on which to integrate critical functions, security being paramount. Check out this quote from August of 2019, before COVID triggered the furious expansion into Multi-cloud as remote productivity exploded into life.

"The corporate data center is essentially dead. Enterprises have made the decision that they are 'all in' on the cloud, which means it’s no longer just 'fun and games' for them. It’s serious business. Cloud is where they are putting their strategic investments going forward, while the legacy data center is now an expense. And, with the cloud being the new enterprise compute model, it requires the right network and security architecture to be successful.”

From <https://www.channelfutures.com/sdn-sd-wan/7-minutes-with-aviatrix-ceo-steve-mullaney>

In the vast, convoluted space of Multi-cloud, Steve knew Enterprise would fall prey to digital sprawl, shadow IT, skill gaps, lack of visibility, lack of operational consistency, and most importantly, lack of a unified network architecture that was purpose-built for Cloud. He also knew that the traditional players were ill-equipped to dominate here, because their Cloud code is identical to the on-prem version; it has no idea that it is running in a VM, or that it was living in an SDN fabric. Right now, as we approach 2022, all these virtual routers and firewalls running in the Cloud still believe they are connected to wires. Let that sink in for a moment.

Then I had the pleasure of meeting John Jendricks (JJ), who ran Nicira with Steve, and I instantly knew he was blessed with the same gift of telepathy. He told me about how he predicted Cloud was going to own the data space, and the domino effect that this would create in terms of repositioning both modern workloads and global connectivity. To articulate this simply, he calls CSPs "Centers of Data" as opposed to "Data Centers", and it's accurate. JJ knew early on that IT was going to get sucked into this new world like so many birds in front of a jet engine, and he grasped not only the complexity and cost associated with trying to lift and shift, but also the compromises necessary to make Hybrid work. In fact, he first turned me on to the resort analogy, so now in turn I artfully borrow it from him, as I couldn't have created a more fitting example.

The Right Platform

Because Steve and JJ led Nicira, they helped shape and define the fundamentals of Software Defined Networking for Enterprise, the very same networking technology that CSPs use in their own fabrics. While SDN comes in a variety of shapes and flavors, all permutations share the same fundamentals: 1) A distributed architecture where the intelligence lives in a controller system that is separate from the data plane, 2) A "thin and wide" application of data plane compute to maximize efficiency within economies of scale, and 3) The ability to embed higher-level functions within the network, as the network is now intelligent, programmable, and modular.

It comes as no surprise then that these are the guiding principles of our platform. Aviatrix features a distributed systems architecture where intelligent controllers push policy via APIs down to the data plane gateways which dovetail into the Cloud fabrics. The gateways aren't looking for wires to learn about their world. Instead, their world is based on information fed to them from the controller about the Cloud fabric itself. In addition to the Cloud fabric, the controller can receive API updates from programmable input (like Terraform) and human input (shell or GUI).

The controller can be deployed in AWS, Azure, GCP, OCI, and AliCloud. Because the controller queries the fabrics directly, it automatically learns about all your networking and policy objects within your Clouds, such as VPCs, subnets, IP CIDRs, peerings, resource groups, and regions. You now have these Multi-cloud Native constructs at your fingertips and can use this information to create an impressive array of architectures for different outcomes: intra-Cloud, inter-Cloud, Cloud to on-prem, or any combination of these things. Once your gateways are deployed in the correct places via the controller, you can create (or even destroy) a consistent, uniform multi-cloud backbone within just a few minutes.

Aviatrix does one more ingenious thing here. We have a product called Co-Pilot which is the visibility and analytics companion to the controller. It provides you with all the visibility, all the analytics, and all the NetFlow and topology data that you're going to want to leverage in an Enterprise-class Cloud network. It is sexy, stunning, and downright fun to use. There are several good demos that showcase its capabilities, but this one is my absolute favorite.

The Right Approach

All this being said, what matters the most is having a solid foundation that can be leveraged to nurture and grow a product. This brings us to that third fundamental of SDN - having an extensible, programmable network. Aviatrix begins with this as the high ground, and from there, we add in an integrated, intelligent security engine within your data plane. Thus, network security resides where it should: not within a superimposed set of virtual firewalls, but within the distributed data plane itself.

Furthermore, because networking and security are two halves of the same brain, segmentation is now an inherent function of your network architecture - if you need to create or restrict access across lines of business or application tiers, you can quickly choose which network segments can route to each other, and which cannot, via security domains. On top of this, the gateways perform a variety of critical security functions, such as stateful 5-tuple inspection, outbound FQDN filtering, and real-time threat intelligence, called ThreatIQ. If you want to integrate your Palos, Checkpoints, Fortigates, or F5s into our security engine, we support this with our FireNet capability.

CSP fabrics integrate security into their SDN stacks as well, but they lack the ability to orchestrate and manage this embedded capability effectively at scale. For example, managing one NSG in Azure is simple. But managing hundreds or even thousands of them? There is no such ecosystem, no such pane of glass, no such feedback system. Aviatrix smashes this barrier, and does so not only for a single Cloud, but for all the major Clouds. No more lift and shift of firewalls, no more struggling with fragile HA architectures, no more terrible convergence times, no more hairpinning back to your on-prem DMZ. The Aviatrix data plane is your security engine, and it works the same way everywhere. This is what we call Secure Cloud Networking, and it’s going to be absolutely transformative to the industry.

There is not a single traditional network or security vendor anywhere that is doing this, not because they don’t want to, but because they simply can’t – their products are not built on top of SDN fundamentals, and their code knows absolutely nothing of Cloud. I assure you, oh my brothers and sisters, this is where the puck is going to be, and Aviatrix is currently the only team skating to it. And I am absolutely thrilled to be skating with them.

Awesome article Bryan. Love it!! Great to have you on the SUPER SONIC ride with Aviatrix!

Rick Thieme

Senior Technical Specialist @ Microsoft

3 years

We miss you!!!

Joseph A S.

Head of Sales and Go to Market - Cloud and Gen AI @ Ampere | Enterprise Adoption, Cloud Native Workload

3 years

Love the reference to "cloud therapist." A great meme is anticipated.

Tammy Sims Coan

VP, Demand & Growth Marketing at Venafi

3 years

Bravo Woody, great article!

Erik Lofstrand

Azure Architect at Microsoft

3 years

Best of luck with the new role. We're going to miss you over here in Azure land. Keep in touch so we can get Aviatrix positioned with some of our Cx's problem networks.

More articles by Bryan Woodworth