5 IT pros on joining enterprise and cloud provider DNS

Networking pros explore integrating enterprise and cloud DNS during the fifth Critical Conversation on Critical Infrastructure hosted in Network VIP.

Critical Conversations on Critical Infrastructure Ep. 5: “Cloud provider DNS: what should architects know?”

Cloud service providers do a great job of abstracting the complexity that is inherent in DNS. While that abstraction lowers the barriers to innovation, it can also break existing architectures. As enterprises lean further into cloud adoption, what should architects know about working with cloud service provider (CSP) DNS services in a hybrid cloud environment?

CSP DNS is a different beast than enterprise DNS. Whether it is Microsoft Azure, Amazon Web Services (AWS), or Google Cloud, each provider's DNS service comes with its own set of capabilities and limitations to understand and plan for before it is wired into an enterprise's existing DNS.

This roundtable of networking and cloud experts explored the challenges around getting CSP and enterprise DNS to work together effectively.

Moderator: Andrew Wertkin, Chief Strategy Officer, BlueCat, and host of the Network Disrupted podcast

Panelist: Padraig O'Connor, Cloud Network Platform Engineer, Zurich Insurance

Panelist: Chris Swinford, Cloud Network Architect, Kroger

Panelist: Eyvonne Sharp, Customer Engineer, Google Cloud

Panelist: Scott Penney, VP of Strategy, BlueCat

To continue the conversation, follow up with the panelists, and see what others have said about the roundtable, join Network VIP, our Slack community where IT pros connect and share their expertise on all things networking.

Transcript

Speaker 1: Hey, good morning, good afternoon, good evening, wherever you are. I really appreciate everybody joining us today for another one of our cloud series on all things cloud computing with A Cloud Guru. I'm Drew Firment, SVP of cloud transformation at A Cloud Guru, and we've got a couple of great guest speakers here today. I'm very excited to talk about networking in the cloud. Before we make the introductions, just a couple of quick housekeeping items, if that's okay. First, yes, this session is being recorded, and a copy of it is going to be available on demand and is going to be in your inbox. You should be getting the email on Friday, so no worries if you have to drop off at any point; you will be getting a copy of this recording sent to you afterwards.

Speaker 1: So feel free to just sit back, enjoy, and follow along with us live. The second point is that we want to keep this as interactive as possible. There's actually a chat feature available to you to ask some questions. We will have some time for Q&A. I have a lot of questions on networking as well, so please bring your questions and drop them in there. It's located in your GoToWebinar pop-up box. I will be monitoring some of those questions throughout the session and then I'll share them with our experts here on the panel to answer. So, Padraig O'Connor and Chris Swinford, I want to go ahead and turn it over to you real quick here, just to do a quick bit of introductions and lay some groundwork before we get started. Padraig, we'll go ahead and start off with you.

Speaker 2: Yeah, so as the slide says, my name is Padraig O'Connor and I work for Zurich Insurance. I'm actually quite new, I suppose, compared to most network professionals; I'm actually quite new to the field. I've only been in it about 10 years. I started out in an ISP on the far side of the world in New Zealand. I decided to go watch a Rugby World Cup, and then I ended up staying for two or three years, a little bit longer than planned, but that gave me a bit of a taste for infrastructure and for networking at an ISP level, at a level where you are managing the global gateway for the country, that kind of an area. I kind of hit the limit of where my career path was going to get me in New Zealand.

Speaker 2: And I returned to Ireland, worked a couple of contracts around the country doing random IT support here and there, as we all have done a bit of, and then I took up a contract in Zurich Insurance that was supposed to be a three-month gig. And here I am seven months later, or seven years later rather; some months I wish. So through my time in Zurich I started out in the cyber ops team, managing the network-related cyber operations side of things: your security toolkit based around DNS and DHCP and IP address management, device access control, your firewalls, your proxies, basically anything that needs to talk to the internet or that the users use to get to the internet. That was what we were responsible for. Over my time at Zurich I moved on then into service delivery as part of security network engineering, and most recently into my current role as a network platform engineer in our cloud center of excellence based out of Dublin.

Speaker 1: I've got so many questions for you when I come back. The rugby one I'm going to have to hold off on until later, because I really do enjoy that, but I'm still trying to figure it all out, to be honest with you, so we can come back to that later. But yeah, a lot of really interesting experiences. One of the things I'm going to come back to later is this intersection of security and networking, right? Everything is so blurred at this point, so I really want to talk a little bit about that in a bit. In the meantime, Chris, if you don't mind taking a few minutes to go ahead and introduce yourself to everybody as well, that'd be great.

Speaker 3: Sure. Yeah, so I'm Chris Swinford, I'm a cloud network architect with the technology and digital teams at Kroger. I started in IT in general back in the Y2K remediation days, kind of on the help desk side of a remote office of a Fortune 100. From there I went into network engineering, again kind of in the remote office, subsidiary kind of world, telephony as well, so networking and telephony engineering. But because we were a remote office, I got to wear a lot of hats, kind of a generalist plus network engineer. Then my career kind of shifted into network security and application delivery controllers and VPN, firewall, remote access, all that fun. I got into consulting for a few years on network security and next-gen firewalling, and then landed in a role on the cloud team at Kroger, kind of bringing a network focus to the cloud enablement team here.

Speaker 1: Yeah, both of your organizations, Zurich Insurance as well as Kroger, are doing a tremendous amount. I mean, they're sort of all in and committed to the cloud, which is really interesting to see, and we'll be coming back and talking about that, and specifically the role of the networking team in that. It was interesting, Chris, you mentioned help desk. I think that career path, that role, has probably launched the careers of a million tech professionals, right, as your launch pad for getting into technology. I kind of wanted to start there, because there are probably a lot of folks on the phone that are trying to figure out how to get from where they are into cloud or into networking.

Speaker 1: I think networking basically underpins the majority of these transformations that these organizations are going through. It's the plumbing that exists within the houses being architected within all these enterprises, and while you don't necessarily see it, you certainly do when the roof falls down or there's a catastrophic failure; it becomes very apparent. But if you do it right, things are working well. So there's a lot of heavy lifting that goes on. And I'm kind of interested in your path, like, how did you get from WTF to DNS, right? And then from DNS to the cloud. Because there are a couple of steps there. One is understanding IP addressing and subnetting and just the underlying layers of networking, and then being able to take that knowledge and work towards this paradigm shift that's going on. Padraig, I'll kind of start off with you. What does your path look like?

Speaker 2: My path was basically into security. The primary reason I wanted to move from New Zealand back to Dublin was that there was no path for me to get into security in New Zealand. It wasn't a very big industry 10 years ago, we'll say, when I was there. So my only option was to go home. I moved on then into security and took up this project to deploy this wonderful new IP address manager that was being deployed in Zurich. It was going to be my responsibility to install it in Europe, and then I could move on into the cyber team and forget it ever happened. As I said, that didn't quite materialize, but that's actually been for the better, because as everyone on this call knows, the majority of all of our networks depend heavily on and leverage heavily the DNS protocol.

Speaker 2: The majority of our users don't know what happens on the network at layer three or layer four. All they know is they put this URL into the browser bar and the web application suddenly, magically appears, except for when it doesn't; then we all end up on major incident calls for three days. But that's all part of the format, and that became part of the attraction for me to stay in the environment, because it meant that not only was I going to be able to deliver the service, I could actually try to grow and mature the service to meet the customer's needs in more efficient and more effective architectural ways. Because, as most people do, when you do that DNS migration in your environment, you do a like-for-like: you have a Windows DNS server here.

Speaker 2: Cool, that's now a BlueCat server. You have another one here, that's now a BlueCat server. However, when you get into this position, especially if you migrate like we migrated, which was on a BU-by-BU level, you then find that you had a whole load of DNS services that used to reference each other that are now all in one large orchestrated environment. And sure, we, like any other provider in that scenario, go, well, we want one IP for our DNS service, let's do anycast. Great. No one thought to think that doing anycast in a star network seemed a bit redundant, because the shortest path is always going to be straight through the middle. So it's little caveats like that and little cost savings like that. We as a business were paying for far more licensing than we realistically should have been to provide the same service, because everyone was going through the center anyway. We were dropping DNS servers equivalent to our core data centers' into offices of 50 people.

Speaker 1: So DNS for you was really the core of your learning experience, where you started from, where you kind of cut your teeth, right? It was really embracing that particular service and getting really hands-on with it. And then that was your wedge into networking, right? It was really getting familiar with DNS. And as you mentioned, a lot of people rely on it, so it's a good place to start. That was kind of where you anchored when you were first starting off. So you actually did go from WTF to DNS, right, from a networking perspective; you got familiar with that. And then from DNS and from your work in, I'll call it, traditional or legacy networking, to now this cloud environment, where you've got software-defined networks, you've got a lot of these services, even ephemeral networks, building your subnets and your VPCs and all that sort of thing. What did that look like, and how much of that translated from what you learned in legacy to what you're doing now in the cloud?

Speaker 2: So yeah, the DNS, we'll call it beachhead, brought me into the firewall team, or that whole side of the organization. From our perspective, our network out in all of our clouds leverages heavily the corporate firewall implementation. We have an ELA with a large third party that basically means all of our networking kit out in any of the clouds, out in all three CSPs, leverages one firewall vendor. Now, whether it be through transit gateways, across VPNs, over the edge, all of that leverages heavily those boxes sitting in the middle, routing traffic, managing access, all of the other associated toolkit. Someone in the CoE one day decided that they needed someone in their org who was knowledgeable about all of this stuff. So the first people they went to were the team that was managing it all on-prem, and that's how I ended up in my current role.

Speaker 1: Yeah, I want to come back to that after I have a chance to hear from Chris on his. I think that's something I would love to see more of in organizations, and I want to talk with you a little bit about that from a best practice perspective. And Chris, for you, I mean, you were at a help desk, right? People were calling you up with all sorts of questions, and then you started moving into networking somehow. So what was your move from WTF to DNS? What did that look like for you?

Speaker 3: So I wouldn't say it was WTF to DNS so much as WTF straight to cloud. My background definitely benefited me because, you know, for network engineers and network security engineers there's always that mean time to innocence that's thrown out there, right? Like, something's going wrong; how long does it take the network team or the network security team who owns the firewall or the load balancer to prove that it's not them, or to find that it is and fix it? But because of both the help desk experience, the sysadmin experience, and that time troubleshooting connectivity between various types of applications, various verticals, you learn more than just networking. I know I learned more about HTTP managing [inaudible] NetScalers and such. You learn the different load balancing methods and session persistence and all that.

Speaker 3: And all that translates over to the cloud, because the cloud is really just an abstracted data center living on top of a real data center. It's kind of like The Matrix, where you've got the real world and then this virtual world. And the cool thing about The Matrix is you can bend the rules in that virtual world, and that's what they do in the cloud too. They throw out layer one and layer two because it's all virtual. They do some trickery in the SDN, the software-defined network that manages the traffic between things, to abstract things away and make things easier. And sometimes it hurts. Like, you take your legacy data center knowledge and you go over to the cloud and it mostly translates, and then cloud provider A might twist a bit here that makes things a little different, and cloud provider G might change things a little differently.

Speaker 3: But yeah, so my journey was really strictly network guy. I had automation experience in the past, shell scripting and a little bit of Ansible, some REST-based automation where you call a particular vendor's API and make some changes. But I was stuck in the infrastructure world. So coming over to the cloud side, I really just drank from the fire hose. I joined a cloud team pre-COVID, so we were all still in an office environment. I tagged along with some folks working on, say, infrastructure things and just listened to what was happening, and at the same time started to get a feel for what the challenges are, what big things are coming down, what the connectivity needs are, and then started to be the bridge between the teams that are building applications in the cloud and building infrastructure in the cloud, and the on-prem, traditional network engineering teams and network security teams. They still focused on providing circuits to something, and the teams in the cloud would still focus on building their things, and I was really trying to bridge the two and bring them all together. So if you...

Speaker 1: It's interesting, because there's an element of kind of playing CSI, right, crime scene investigating skills, when it comes to networking and security, and having a lot of those different tools to understand how to start eliminating things by logical investigation. It seems like you do a lot of that in networking. Again, we talked about the overlap with security as well. But I heard from you both earlier that there's this mindset when you're going into networking, and especially as you're starting to move into cloud there's a shift in mindset. We talk about this legacy and then there's sort of this new paradigm shift in how you approach things in the cloud. But it sounds like there's a little bit of a division within the networking profession too. And I think the way Chris and Padraig described it is, Chris, you're the fun haver and, Padraig, you're the fun hater. So what do you mean by that?

Speaker 3: Yeah, so I picked that up from some coworkers at my last job. I love that description. For the network engineering side, you want packets to flow, you want things to get from here to there, you want the fun to go on. And then, Padraig, you know, you're the fun-hating security side.

Speaker 2: Yeah, very much so. So I come out of the firewall team. Obviously, if you want to have fun on your network, that's all well and good, as long as I can see your flow; if I can't, I'm uncomfortable. And that's generally not something that is too appetizing to application owners. They don't like those boundaries that we need to put in place to secure the network. But unfortunately that is our priority when we move out into something like the cloud, because, yeah, you have to own control of egress and ingress in that scenario.

Speaker 1: So that makes sense. A little bit of the yin and yang of networking, right? You want things to flow, but you also have to understand that it's the right things that are flowing, so you know what you're dealing with. So yeah, things are different in the cloud. I kind of want to talk a little bit about the transition to the cloud, because I remember from my experience that even ephemeral IP addresses, right, that's a much different mindset than the fixed IP addresses of the past. So what are some examples of that paradigm shift? Like, this is how we were thinking about it, this is how traditional on-prem data centers look at networking, but there's a shift that mentally you need to make. What does that bridge look like, and what are some of those things that you need to demystify, where people are a little bit shook as they move into the cloud, especially from the networking profession?

Speaker 3: You know, we live in the everything's-an-IP world, right? So layer three, either IPv4 or IPv6, an address talking to an address; even if you're using host names, you still resolve that down to an IP, and those things talk. Zero trust is a big phrase that's thrown around a lot now, and really that wraps itself around, or is used by, identity. So now a lot of what we do is not based on IP addresses so much as identity, or something else like tagging, right? So labels or tags or some sort of metadata, in addition to your actual IP addresses. Instead of saying this IP or this set of IPs can talk to this thing, your firewalls or your security policies may instead say these things that are run by this identity, this service account, can talk to these other things, or things that are labeled with that label can get to GitHub.

Speaker 3: Those things can get to GitHub, but everything that doesn't have that label can't. So there are new ways for us to enforce policy and to route traffic, because any of that metadata that you can get about something, whether it's identity, labels, names, location, we start to build automation around all that, gather that information, and then we start to build our networks based on that. So whether the platform gives you that ability to say things with this identity can go here but can't go there, or if you write it yourself with, you know, Padraig, you mentioned having...

Speaker 1: Seeing that with AWS, right? They have their load balancer over there; they came out with the application load balancer, so you can start shaping traffic based upon things other than just pure IP. That is an example of, I think, what you're talking about. There are a lot of different ways you could shape traffic, identity being another one. So it certainly opens up a lot of possibilities, and I think it requires that cross-discipline. So now not only is traditional security tied to networking, now you're looking at identity and access management components tied to networking as well. So those worlds are colliding pretty quickly. Padraig, how about for you? What are your thoughts?

Speaker 2: So this is kind of where I'm going to put the fun hater hat back on. This new approach is really exciting. It is really good to have all of these new patterns for connectivity. However, when you are coming from an established network into the cloud, when you're migrating, when you're going from a hybrid cloud kind of environment into a full cloud environment, there are going to be structural blockers on utilizing, say, role-based access, for example. Your core cyber team may have a whole load of monitoring platforms that are dependent on that unique source IP, for tracking down a malware infection, or for blocking connectivity on SMB, or any one of these wonderful things. Out in the cloud it's all lovely, but the minute you have a Direct Connect or an ExpressRoute between the cloud and your on-prem, those IPs become super important, because if traffic comes in across those IPs that is protected by role-based access out in the cloud, and we just allow it on the corporate network, you're opening up more vectors for attack.

Speaker 2: So it is really good to have that kind of networking playground, especially one that you can build and burn in seconds using Terraform or whatever else you like to use for your own orchestration. However, if you don't wrap that in guardrails as an existing company... A new company that's built in the cloud, I envy you, I want to be you, but unfortunately I'm not. I have data centers on-prem that I need to be concerned about. While we do our level best to give our application owners as free an access as they can have to utilize the CSPs to the fullest of their potential, we can't give them full access, for obvious reasons.

Speaker 1: Yeah, I've got a question here that I think ties into this as we transition from individuals to organizations. It's a pretty broad topic, networking and networking in the cloud, and it's a little overwhelming when people are trying to get started or transition, whether they're already in tech and want to transition to networking, or they're in security and want to learn more about networking, or they're looking to get started and see a lot of opportunities here to roll up their sleeves and get in. When folks are asking where you start, there's really this balance between reading and getting a certification, and then kind of getting your hands dirty and trying to build something.

Speaker 1: Right. And I was looking at, I think, all of the major cloud providers, and they all have a networking certification. I know AWS has their Advanced Networking certification. It covers a lot, right? I think going through something like that is probably a good place to start, because it gives you the framework to start learning, and some examples. And it was very interesting when I looked at their guide for the certification: one of the first domains was hybrid. It's not like they're saying, oh, we're just going to ignore everything that existed previously. The very first domain that you're going to be tested on is designing and implementing a hybrid network architecture at scale, which I found very interesting based upon our conversation. So I'm curious: have you gone through a cloud certification, and did you find that was a good way to orient yourself to some of these conversations as you're also getting your hands dirty on these projects and implementing? What's your take on that?

Speaker 3: So in my case, I have one certification that's cloud-related. I have the AZ-900, which is very fundamentals. You have a little bit of IT knowledge and then do a little bit of studying, and it's very high-level concepts of availability zones and regions and SaaS versus PaaS versus that sort of thing. Otherwise, for me it's been a lot of hands-on. And I don't know if you want to go to Padraig and then we can talk about possible hands-on options, but...

Speaker 2: Yep. So on my first day in my new role I said, hey, I'd love to do all of these certs, and then I never found the time to actually do the certs, because we're sitting in the middle of COVID and we're trying to migrate applications into the cloud. You go to your manager and you're like, hey, I need a little bit of time off because I have to go and disinfect a lecture hall somewhere, and it's like, oh no, no, no time for that. However, I have actually done, I'm, we'll say, lessoned up, I don't know what's the word for it. I've done the coursework for the AWS architecture and for the Azure security, as well as the foundations in both. However, one day soon, when I'm able to walk into a test center, I might actually sit the certifications.

Speaker 1: Hey, look, the last thing I want to do is put pressure on anybody these days with that. I think we need to be a little bit kinder to ourselves and give ourselves some latitude with everything that's going on in this world. The fact that we're able to continue to push through and act like there's some sense of normalcy with work, I think we should all get a gold star for that. The fact that you're even lessoned up with some of those, you should be commended for it. I do think it makes sense, to your point, Chris, just the fundamentals, the liberal arts education of cloud computing, and having some of the basics: what do you mean by an ephemeral workload, the shared responsibility model, things like that that are new concepts. I think those are so fundamental, where you could learn all about IP and DNS and load balancing but kind of miss out on some of the broader conversations, which is why people are moving to the cloud and the real strategic and business advantage associated with that.

Speaker 1: Right. And of course, I think we're going to mention, I'm a big proponent of hands-on learning. We have these hands-on playgrounds that people can spin up and basically break things and learn that way and start building stuff. Be a doer, right. I think you were going to mention something about that, Chris.

Speaker 3: Yeah. And that's the whole, like, is it certification versus experience, right? And both have their place. And certainly if you only go with experience, you might not learn the vendor way, whether that's the right way or not; you know, there's the Cisco way and the right way, that sort of thing. But whether you're learning the right way or not, hands-on is certainly good. Before the call I was looking at hands-on guides, and I found that at least for the big three for us here, AWS, GCP, and Azure, if you look for their name and QuickStarts, so search Google or Bing or whatever for AWS QuickStarts or Azure QuickStarts, they're self-guided tours for build a VM, build a VPC. All the cloud providers give you a free trial, and your employer may have a lab environment that you can build in as well.

Speaker 3: But I found value really in treating it like a home lab, right? So if we have a lot of network engineers and network security engineers on here, if you were from the late nineties and early two thousands, you probably had physical equipment with serial cables running everywhere and all sorts of stuff. So you could build a router here and a router here, connect them, put a host on each one, get routing up so they can talk across them, and ping from one machine to the other. Well, there's value in doing that exact same thing but in the cloud: build a VPC network, put a VM on it, build another VPC network with different IPs, put another VM on it, connect them or peer them. Can you ping across? And then you start working from there, like, can I block certain traffic but allow others? And it gives you that starting point of, okay, I followed the guide and it told me to create a project in GCP or to create a resource group; what is that thing? And you start building out from tearing apart those individual things. So it's a home lab, but in the cloud.

Speaker 1: Think that that’s, uh, you’re, you’re spot on. I just think, you know, you got to break through the glass, you got to log in, you got to build something, you know, build a VPC with a NAT gateway, uh, ITW and, and a couple of VMs and try to build a subnet, you know, fail, fail forward, you know, uh, tear it down, build it again, then you know, all the instructions and then do without the instructions a few times until you kind of get comfortable with tearing it down and building it back up again. I think that that’s just sort of the way you, you have to be able to experiment. And then you also get used to the, the, um, the pets versus cattle kind of conversation, right. You’re not going to treat your, your infrastructure as something you’re going to constantly care and feed and keep up. It’s sort of disposable in, in that, in that sense, but, uh, and build a project, you know, maybe to try to build like a web server or something like that. So you can kind of, you know, uh, have something to point out and to share, share with others, but kind of work, work towards something. Padraig, uh, you know, what’s, what’s your, what’s your thoughts on, on that?

Speaker 2: Um, kind of a contrasting part? I think, um, I would be, I would have been right up until very recently in favor of the experience approach over, over actually learning, but I spent, and I’m sure Chris, as well, like we’ve all been on calls with, with CSP support where you, you’re on a call for three months trying to figure out what’s, what’s wrong with this, this basic system. And then you go back to your fundamentals back to your on-prem networking and you’re able to solve the problem because that’s CSP and those experts in the CSP, it’s unlikely that they have ever had to deal with like an MTU or anything in the, in that general region, because it’s not it’s it’s outside of the wheelhouse completely. However, in contrast, I picked up far more when it came to understanding the networking in Azure, by sitting through the AZ-500 learning materials on if you’re going to be doing, uh, networking in the cloud.

Speaker 2: My recommendation is actually to go and aim for the security certs because the security certs are all are all about role-based access all about how, uh, network security groups, block traffic here and how, um, how the user defined routing works and why you need to go to this service tag over that service tag. Whereas I found the network, um, learning material was more based around, um, I think we’ve all been there, a sales pitch. Um, it’s, it’s, it’s an, it’s an elaborate sales pitch. You should use this to make your network look better. Whereas on the security side of things, you actually have to know how it all works in order to do your job.

Speaker 1: Oh, no, that’s interesting. And, you know, um, I think that kinda is a good transition to, you know, as we talked about sort of the individual experience as we start to move into the organizational conversation, right. Um, the, the moving from, from an organization from WTF to, you know, this, this cloud adoption, digital transformation, cloud transformation, whatever it is that you want to call it. I mean, when I was at cap, once it was eight years journey, right. Um, you know, it, it’s nothing that’s going to happen overnight, right? It’s not just sort of a, you know, throw up a meme and, you know, uh, put a vision out there and you’re good to go. There is a lot of heavy lifting. Um, and I grew up in data centers. Uh, so I, you know, have affinity towards, you know, operations and, um, you know, a lot of the folks that grew up with, you know, Unix admins, database administrators, system, administrators, you know, my, my take was that those folks that they know where the skeletons are hidden within the organization, right.

Speaker 1: And they also have the skills, you hired them for a reason. It’s providing them a little bit of that decoder ring and be able to say, Hey, you know, this is what it is in a legacy world, but here’s sort of the new way of doing it. Let me kind of bring you along. Um, and I see this anti-pattern in these organizations where they create a little bit more of a bi-modal approach. They’re like, okay, you know, you keep managing the data centers. Don’t worry your pretty little head about what we’re doing over here in the cloud. Just keep the lights on. We’re going to go ahead and hire, you know, these, these, you know, uh, new, you know, whatever hires that are over here that are cloud data, and they’re going to build this new cloud thing for us. And then when we’re ready, we’ll sort of deprecate.

Speaker 1: You we’ll move forward. Well, I mean, that’s asinine, right? I mean, you know, cause it, it, there’s a lot of this hybrid connectivity you have to do. Um, but organizationally is kind of keep this bi-modal approach, right? It’s like, oh, well we have the, you know, the legacy. Then we have these cloud, uh, excellence, you know, and, uh, program office and there’s no connective tissue. Um, and so I think one of the things, Padraig, you were kind of talking about with the cloud center of excellence, which is, you know, how do you bridge that gap and how do you bring in folks that, you know, from, uh, that, that have that legacy experience, right? That are, that are living the reality of the traffic that’s currently flowing through your data center are both from a networking and a security perspective and bring them into the fold of the cloud center of excellence. Right. Um, and, and then help to bridge that gap. Like talk to me a little bit about that first steps, because I think if you don’t do that, I just don’t think you’re going to be able to pass, go and collect $200 to be able to move very far with, with your, with your transformation.

Speaker 2: Uh, yeah. So it’s it, it’s an interesting, um, it’s an interesting approach that needs to be taken on. It’s a hard, it’s a hard approach because, you know, I don’t mean to typecast myself and Chris here, but like legacy networking, people are bearded guys sitting in a corner, usually with a title of chief wizard or something along those lines because they can just make it all work. But that in itself is a comfort zone. And, um, those, those engineers that ended up in those positions and they’ve been there for 20 years and they know how everything connects to everything they are inside their comfort zone. They’re not going to move even if, even if there is a desire to move, they’re going to try and stay where they are. And I was in that position and I was very hesitant about making the move because I was very well tied into my, the core networking piece. However, I also had a good bit of influence when it came to the cloud because I was the DDI SME for the company. So if we wanted to deploy DDI out into the cloud, now the firewall SME was a teammate,

Speaker 1: Oh, second acronym alert because DDI, uh, I’ve heard this a few times and I think that’s the, as you put it, the wizards kind of know this one, but I just want to make sure. So what, what, uh, DDI, what was it? Go ahead.

Speaker 2: Uh, DNS, DHCP and IP address management. Okay, perfect. Thank you. Basically BlueCat, um, but as the, as the BlueCat SME, let’s make life easier, as the BlueCat SME, I was responsible for all of that infrastructure. I’m deploying it out into the cloud, into the VPCs, into the VNets while I was still in the legacy team, I was doing those implementations. And that’s where you have a cloud team that will realize they’re not necessarily the most skilled at something. So they’re going to go and outsource internally. Usually that effort. Um, my teammate, uh, on, on the team was also our Palo Alto expert. So he was responsible for building all the Palo Altos of the environment. And obviously there was a good bit of crosstalk. So when it came down to, oh, we need a network guy. It’s like, oh, well, we have a team of people here who are responsible for the firewalls that our cloud networks hang off and all of the IP address management that our cloud networks hang off. Surely we should get one of those guys and, fair play to the cloud team, because an awful lot of people would just go on and hire externally for that role. But they acknowledged that we were involved in the build-out of their environment and they prefer to bring in the people that built it rather than going and getting someone that we would then have to train for six months for them.

Speaker 1: Yeah, I think you’re spot on. I’ve never, uh, when I was in the cloud center of excellence, right. Uh, Danny was the networking person they pulled in and he has utmost respect for him and his knowledge of how we built things and then being able to, to, to take that knowledge and move us forward. And then Mike was the security person again, had all the expertise for how we did it in the, in the, you know, the old world. But then he had a vision of where things were going and the two of them from between a networking and security, having them being part of that cloud center of excellence team, um, not only helped to move us forward with an understanding of, you know, not getting out over our skis and, and, and trying to do too much. Cause there’s the reality of some of the, you know, we’re still pulling a little bit of the anchor along, but not only that, it also helped to connect the dots to the actual individuals and teams that were still working in the data centers and made them feel like, Hey, there is a path forward, you know, we’re gonna bring you along.

Speaker 1: You are valued, your skills are valued, but you’re going to need to go ahead. And to your point, you know, get a certification or do something that tries to connect what, you know, to, to the new world, you know, Chris, you know, what does that look like for you programmatically within, you know, Kroger in terms of trying to connect, you know, avoid this, you know, have, and have not, or bi-modal, and be able to bring in some of those folks with that prior experience into that, uh, you know, under the umbrella of that, that cloud center of excellence.

Speaker 3: Yeah. It’s, it’s a very intentional inclusion of those traditional teams, right? Like when I started, I, I came from outside the organization and started on the cloud team. And when, when I started there was already, you know, a, a chosen cloud service provider and a pattern for deploying applications within it. Um, I just, I happened to be joining and have network experience. Um, we had H like for Kroger, we had a shift soon after I started a pivot to include additional cloud providers. And that was like, it was fortuitous timing, right? Like new providers means new connectivity needed. Um, they, the existing team had already been working with our network engineering that were security and network operations teams. Um, I don’t know how much those teams were involved other than the occasional, Hey, I need a firewall rule or, Hey, I need a circuit stood up for new, you know, to a new region.

Speaker 3: Um, but as we started to go more and more into the cloud, either, you know, new development or lift and shift or hybrid, it’s been very intentional to include the network security team because they own a lot of those operators or those functions like DNS and security, include engineering because, um, now we have multiple providers, we use a single circuit to a single CSP. Doesn’t cut it anymore. What is our multi-cloud connectivity strategy? So they’re not necessarily on the cloud team, but they all have a seat at the table. Um, and again, it’s, it’s an inclusive, it’s an intentional inclusive process.

Speaker 1: I love the intentional inclusion. I love, I love that term. Um, and I love it more broadly as well as to be intentional about it. Um, so I, I do appreciate that. I think the, um, the do not pass go and collect $200 without a cloud center of excellence, right. As a good starting point, but who you include in that cloud center of excellence is just as important, right? Uh, it could be a, uh, an echo chamber of a bunch of folks pontificating about cloud native architecture without the reality of, of the hybrid world. Uh, especially I think that networking and security, those two things will specifically, I think, um, you know, hit you smack, smack dab in the face there, if you’re, if you’re not, uh, you know, careful about it. Um, and I do think it’s, it sounds like with both Zurich and Kroger, that they’re not only part of it, but they’re a strategic part of it. Um, you know, right. Uh, of that, that program office,

Speaker 2: It’s a complicated relationship. Um, we’ll put it that way because yes, it is useful. It is again, I was, I was there when the CCoE was born and it was born the same way as it is most places, a C-level exec stands up in front of everyone and goes, we’re starting a cloud center of excellence. Everyone goes where, when, how, um, and for years we always wondered if we were going to be seconded in, or if there was going to be new hires by 18 months later, I was hired in, but now we’re actually starting to second, which is what we should have done from the start. So we have people coming in, my former colleague in the security delivery team is now working with me in the CCoE as part of a secondment. He still works for core networks and still has a role there both.

Speaker 2: He is part of the decision-making around how the, of our network is however you weren’t going to have, whether we like it or not, because this is the nature of the cloud. The cloud has changed. And I, I I’m in that position where I’m trying to say, oh, well, we can’t do it this way. And we can’t do it that way. And everyone in the bed is saying, well, why like Azure does it this way? And AWS does it that way. And I’m like, that’s great for Azure, but Azure isn’t Zurich. Um, I really wish it was, but you’re, you’re going to find yourself in as a network engineer, especially if you’re coming out of legacy out of on-prem, you’re going to find yourself in a lot of very awkward conversations about how do we get around this, uh, this compliance policy. And it’s

Speaker 1: This conversation you’re, you’re spot on with that. As a quick point, you mentioned the cloud center of excellence. Um, and for those folks that are listening to the panel, we actually did a really interesting webinar recently with Jonathan Allen and Thomas Blood who wrote a really good book, um, Reaching Cloud Velocity, which is tied to basically building a cloud center of excellence and some of the it’s a very pragmatic approach. Um, and then we kind of broke that down into, into a few things. So it was, it was really, uh, I thought very straightforward and very thoughtful and how they’re doing it. So, so that’s out there. Um, but I, I, you know, like, I, I, I agree with you, Padraig. I mean, it’s, it’s, um, you gotta be intentional about it. There’s no easy way around it. Um, at Chris you’re, you, you had a quick thought on that. I saw you were leaning in there.

Speaker 3: No, like it’s you get some new hires, um, you get the app teams, the 10 X engineers, and they’re great. And if they, I think Padraig mentioned this earlier, like if you are cloud native, if you’re a startup and you don’t have, you know, a hundred years of, of legacy behind you that you need to tie into, that’s great. But when you’ve got PCI and HIPAA and all these other things that you need to worry about, um, it’s, it’s less about this new, um, shiny thing that I can quickly deploy into and more about this is another data center that just so happens to have a lot of tools that I can use, but I still have to live within my compliance-based world.

Speaker 1: Um, the, um, the way I, I used to, um, try to work through those conversations at the enterprise was, um, you’re learning the cloud native sort of horizontally, right. The out of the box, but then vertically, as you were learning, I I’d have to drop in the bastardization or the isms of the enterprise. Right. So, yeah, sure. You’re learning how to use virtual machines, but oh, by the way, here’s what our image looks like. Here’s our tagging policy for it, you know, oh, you want to set up, you know, networking. Well, here’s how you do it out of the box, but then, oh, here’s our isms associated with it. Right. And you start collecting those and they become sort of your, your architectural implementation guides. And it becomes pretty complex because ideally the, um, the, the, the CSPs or the cloud providers will, at some point, realize that you’re having to make changes to accommodate for their either shortcomings or things that you have to work around.

Speaker 1: And maybe eventually they’ll sort of, you know, include them in as part of that service out of the box. So you can start removing those levels of abstraction, but that requires you to be constantly on top of all of those services all the time. Because the last thing you want to do is, is keep on building those levels of abstraction. So I think that that’s kind of, unfortunately where we are right now in a state of maturity. We’re still so early on, to be honest with you, it seems like we’re far ahead of cloud computing, but I still think we’re in the very, very early innings, um, in terms of not only adoption, but you know, uh, still a lot of friction between what’s being offered and how it’s being consumed, especially at the, at the enterprise level. I mean, there’s certainly, uh, introducing a lot of changes to make that go away. Padraig, does that resonate with you?

Speaker 2: Um, yes. To a point. Um, and I think the other th that there is another key piece that we need to consider as well, the cloud, and it’s in its essence. So every CSP has built their, their products to be a deliverable for a company to just pick up and run with. However, when you are looking at a multi account environments inside of a hybrid network, everything just kind of starts to fall apart. And I, I, I don’t want to jump too much back into the DNS conversation, but if we use something as simple as DNS, and you look at Azure, so you want to use a private link or private endpoint in Azure, uh, Azure’s recommendation is that you route your corporate DNS out through the Azure DNS instance in that subscription, which is fine. As long as you only have one subscription, the minute you have more than one subscription, everything just falls apart because you can’t route your corporate DNS through your 80 subscriptions.

Speaker 2: No, no one will ever resolve a DNS record. Everything will just fall over and die. And then on the flip side, when we start looking at the unique selling points of the cloud, where like the CSP will say, oh, we do URL based filtering on our firewalls. They don’t, they do DNS lookups every 15 seconds on the URL to get the IP address, to do the filtering. It just so happens that that 15 seconds is below the 60-second TTL on the DNS record. Um, the main issue that most of the Ciscos and Palos of this world have is their URL filtering lookup time is five minutes. So in order like, there’s, there is a lot of selling points and there’s a lot of, uh, what’s, what’s the right word. There’s a lot of, um, perception that this is new and fancy. I’m great, but it’s not, it’s just more optimized. Yeah. It’s the same stuff. Just slightly better.

Speaker 1: Yeah. I think from a networking is I think, I think you’re right from, from that perspective. I mean, look, I don’t think there’s any way through this than, than education. The more you’re educated and both of you are very educated on networking and security, so you can kind of see through some of the BS associated with, you know, like, you know, is it, Hey, is this marketing, uh, is this a real service, is this value or is this just sort of a level of abstraction that, you know, I’m already doing? And it’s really not a pain for me. Right. And I think just getting educated on that and then getting your hands dirty and kind of experiencing it is going to allow you to kind of cut through that, um, you know, uh, pretty quickly. And I don’t think it gets any easier when you go multi-cloud right.

Speaker 1: I mean, you know, you’re, you’re, um, you know, right. I mean, it’s one thing if you’re just all in, on a preferred provider and at your that’s all you’re working with, but I think in, in both of your cases, you’re, you’re, you’re, you’re both multicloud, right? I mean, can you talk a little bit, uh, to that, there’s actually a question, um, related to multi-cloud. Uh, so as you can see, I’m going to, I’m going to ask the question and then you can kind of weave it into your response. And, uh, the question was for those with hybrid networks and multicloud, how are IPs used in the VPCs and DNS being managed? Who has that role? Is it the cloud team, or is it done by the networking team? Do both teams have their own IP addressing management tools? So not only, you know, the question is related to hybrid and legacy, and then the, uh, you know, particular, you know, cloud, but then you have multiple clouds, you have multiple clouds center of actions. Like, what does that look like for you all?

Speaker 2: Um, so I dunno, this might be a bit of a sales pitch for BlueCat, I’m sorry, but this is kind of where we’ve gotten to. I have, when it comes to IP address management in a multicloud environment, what we all we’ve done is we’ve assigned out slash fifteens to each CSP. And we’ve given the cloud center of excellence rights to reserve as sub sub-net blocks to associate the VNets. And VPCs while also working on automation, using BlueCat’s Integrity Gateway to put the DNS records in as part of the build pipeline for a VM coming open into, into any of those environments. Now, we’re still very early in our path to maturity. We we’re still working on our, our automation of firewalling and more detailed automation of that DNS stuff, but that gives us, uh, that product gives us a great degree of freedom because we can literally give the CCoE team access to only the area of the network that we want them to manage. They don’t need to see anything else, and they get programmatic API access to that same area based on the, exactly the same permission set exactly the same core management infrastructure, which is, as you would imagine that

Speaker 1: It sounds like you’ve been very, yeah, I’ve been very thoughtful about that, Chris, what’s, what’s your thoughts on, on the multicloud, uh, complexity,

Speaker 3: The, um, I feel like the question was a plant from that’s that’s, uh, cause we’ve been talking about this internally. Um, so we worked like we I’m I’m on the cloud team, so I work with network engineering to get allocations for a particular purpose, either a cloud or a region or what have you. Right. And then, um, VPCs and VNets and such if they’re part of the corporate network, right? So this is a things that actually talk back to us. Uh, we create them on the cloud team and then hand those particular VPCs or VNets over to the application teams for subnetting and such. Um, you know, so pre we negotiate with the team, uh, what their expected usage is just to see how big of a network they expect to have, because we don’t have one service or one application runtime pattern. Uh, so some teams may need a lot of IPs to scale out others may not, but it is a very, uh, uh, cumbersome is not the right word, but it’s a, it’s a process. And, um, so we get large allocations per cloud, per region for traffic engineering purposes. Um, you know, so that we have optimal routes from on-prem to a particular region and carve those up the cloud team creates the VNets or VPCs and delegates access through RBAC so that teams can, can create with them.

Speaker 3: Yeah. That, that, um,

Speaker 1: You got a lot of complexity that you’re dealing with, right. Uh, with that. So you have to be very, very thoughtful about that. And it’s interesting too. Right. So, um, you know, a little bit of the mindset here, especially as, as your, this network, your network professional, and you’re working with security professionals, right. And the business is driving towards the cloud, not because of the networking, not because of infrastructure as code, they got dragons circling their castle, right. Competitive pressure, time to market innovation, remote work, whatever it is, the situation they’re trying to pivot all sorts of stuff. Um, and that’s generally why they’re doing it right. They’re, they’re doing it as a strategic business reason, right? Uh, both Kroger and Zurich have strategic business reasons that they’re doing that. And a lot of the apps are actually what’s driving that, right? Whether it’s new application, new innovation, whatever it happens to be.

Speaker 1: Right. So there’s this shift. It seems to be going on to a very app centric world, uh, versus like, Hey, this is the network and the security world that we have and you’re going to in it. And you’re going to figure out how to sort of live within my world now it’s, Hey, we got to get this to market. This is where we’re kind of breaking a bunch of rules. You all need to figure out how I can get this to market because we have a lot of dollars to claim before our competitors go ahead and do that. So I think it’s one thing to say as a networking, a security professional, Hey, it used to be my way or the highway, you know, I’m just filtering this and there’s no way you’re going to be able to, to get it, uh, get it out the door, you know, work around me now, you know, there’s a little bit, um, you know, on the other side of like, Hey, we have to figure out how to be more, more responsive and flexible for this. Like, are you feeling that? And if so, what, what does that do to your approach, to your design and your architecture of the conversations with the business?

Speaker 3: So two main topics, automation, and self-service, right. How can I make a process that I’m going to do over and over? Um, how can I automate it? And then how can I get out of the way and get a team, the ability to do it on their own? Like, they may still need to ask for permission once or twice, get your, your service account or principal into a particular group to, to be authorized to do it. But then once we do get out of the way and enable, so, you know, it used to be, oh, enter a ticket. Well, let’s replace the ticket and the human with something scriptable, if we can

Speaker 1: Love it, Padraig, uh, you, you might have the response that, I think you had a question for Chris as well, if it’s still relevant.

Speaker 2: Uh, yeah. I’ll, I’ll ask the question after I give the response. So yet I think, um, I think w w we’re in a very similar scenario where once we provisioned the account, uh, or the subscription, we go completely hands off, uh, with regards to, uh, anything that goes on inside that account or subscription. However, we’re not quite at the same maturity level as Kroger where Kroger seems to be able to, um, allow programmatic changes, say for access. We’re not quite there yet, actually just before this call, I was trying to deliver something, uh, for that. Um, I fully believe that will be most of tomorrow. Uh, but that’s kind of where we are. That’s, it’s it, again, ties back into, I’m trying to take the cloud approach and apply it to the legacy systems with the work that I’m doing right now, but literally this week in Zurich, just, um, um, the question, uh, just on the previous question and it’s quite relevant to anyone working in networking, um, one of the biggest constraints that we have, and we find we have is if you look at something like Azure data lake, or any of those other environments, they come in and they go, as Azure says, this is a minimum spec subnet size of a slash 26.

Speaker 2: Mm that’s fine. Again, back if you’re at that startup where you have an entire slash eight to work with, but I was just interested to know Chris’s approach or how Chris would approach this from a large organization like Kroger. I’m sure you will understand that the same issue that we have, we have a slash 15 for this CSP on every data lake that comes up, takes a large chunk of that.

Speaker 3: Yeah. And it’s, um, there’s a twofold, twofold approach, right? It’s if, if, if I have a data analytics, um, process, right? Like, I don’t know. Some, like I take Azure, you have Synapse, you have, uh, Databricks. You got, you can do something in EKS, whatever, something that scales out, if your data sources aren’t on prem, do you have the ability to put your data, your analytics, things into an island network, something disconnected from your, your corporate network. Um, and then you, you need to wrap all your security around that. Otherwise, um, yeah. Kroger has 2,800 plus stores, I think, and then distribution centers and whatever. We use a lot of IPs and we don’t want to overlap with any of them. So, uh, it’s a dance that we do with our data management team and our, you know, our data scientists of how widely do you think you really need to scale? And you know, what, if we were wrong initially. Okay, great. Let’s call that tech debt and let’s address that and reclaim those IPs later, if we can, because there is a lot of guessing and, um, educated, guessing about consumption of things. And, um, sometimes you get it wrong and you just, you know, you move on and try to do things in a way that you can change later.

Speaker 1: Yeah. Last question.

Speaker 2: Um, just, just to finish the point, that was kind of making the point in general to the call before I joined the CCoE, like the legacy network guide you’re put into the cloud, um, the default first subscription or an account was a slash 24 because they did not have the perception of what that actually meant on a wider scale in the environment. Whereas right now, in, in, just even on that very base thing, uh, again, you can expand dramatically in the cloud, but the minute you run out of routable IPs, no one’s expanding anywhere because if the business can’t communicate with the, with the service, no one’s going to be consuming it. So it’s just not going to work. I’d say at a point now where at least from my perspective, part of the process that I brought in was if you want to consume more than a slash 26, I need a detailed analysis of every host that you plan on putting into that environment and your, and your expansion projections for the coming two to three years, because we’re not going to give, uh, an app owner a slash 26, if they only anticipate having three IPs to two private links that a VM like that, that doesn’t need the slash 24 that they were getting before I joined, or two slash 26, that they can now get without having to go through me.

Speaker 1: Well, like I, I learned a lot today. I mean, I think that there’s, uh, just a tremendous amount of opportunities for individuals and organizations that are doing their, their transformation. Right. Uh, I learned a lot from, from both of you. Um, I think it’s a matter of rolling up your sleeves on, on both, uh, both accounts, right. And, uh, you know, going after some formal studies, getting your hands dirty, started countering some problems, work through it. And, and I think where I’m, um, you know, w where I see the, uh, the, the, the, uh, very optimistic is having individuals like you, that are part of the community that are willing to share. Cause I think that that’s how, uh, us as professionals are going to be able to move forward. So I sincerely appreciate the opportunity for, for both of you to, to be on the call and to share some of your learnings individually and from an organization.

Speaker 1: I know, uh, I’ve connected with both of you on LinkedIn. I know there was some other questions. Maybe somebody can post something, you know, a DMU on LinkedIn to kind of follow up and they asked them about some other questions. Um, but I really appreciate, uh, the opportunity, uh, for, for sharing today for the folks that are joined us on, on the webinar today, um, we will be sending out, uh, on demand, a copy of this video, I believe on Friday. So you can always go back and rewatch the conversation at any point, uh, you know, pass along to your colleagues as well. Um, we do have a quick survey. That’s going to be popping up at the conclusion of the webinar. Your feedback is always greatly appreciated. Love to hear anything you have to say, um, regarding what you liked. Didn’t like, and what you want to hear more of to help improve our webinars and stay focused on things that, you know, ultimately that you all care about.

Speaker 1: We do have another webinar that’s coming up in a couple of weeks on September 8th. I’m personally very excited about this one as well. It’s with a good friend and thought leader in the industry, Simon Wardley, about mapping your cloud journey. So a lot of very interesting strategic conversation, a ton to learn from Simon on how to lead cloud transformations and kind of discussing the benefits of the value chain mapping he does, which is just an absolutely fascinating tool if you’re looking at leveraging it as a strategic asset within your organization. So that session is also going to be recorded so you can tune in, but if you can’t make the live webinar, obviously you can still register. Then you get the recording as well. So, again, Padraig, Chris, thank you so very much, appreciate it. Everybody that joined the call today, really, really sincerely appreciate it. And until next time, keep being awesome. Cheers. Thanks.

On-premises and CSP DNS are not either/or

Wertkin set the stage by asking why it’s inevitable that companies will need to use both traditional and CSP DNS.

Often a company gets into the public cloud through shadow IT, Swinford observed. Somebody gets some credits, starts to build something, and it accidentally becomes a production application. And that triggers the need for security and governance, and for hooking it up to the corporate network.

“We need all this other reachback to our on-prem things in our data centers,” he said. “And that’s when cloud-native starts to become a little less native.”

At first, many companies believe that they can just use their internal corporate DNS alongside the CSP. However, Sharp pointed out that that’s not a good idea. Just as enterprise DNS is tightly integrated into internal systems, CSP DNS is integrated into the provider’s systems.

“(Customers) go into their cloud systems, they change the DNS, and then some sort of cloud-native service breaks,” she said.

Even BlueCat came to that realization, Wertkin said. Although its original goal was to replace every other kind of DNS, reality intruded. There are cloud services that are tightly bound to and require the use of the CSP’s DNS.

But, he cautioned, that doesn’t mean you should deploy everything in CSP DNS. The challenge is to figure out how to integrate internal DNS with CSP DNS.

The importance of intentional DNS architecture

Panelists ticked off a list of the chaos that a wild west approach can cause: duplicated zones for no good reason, copied and pasted records, troublesome conditional forwarding rules, and an impossible-to-monitor network. Since DNS is an important tool in network protection and threat hunting, it can also impact security.

You have to think about a global DNS strategy, Sharp said. It’s not just names and IP addresses anymore. “It’s also, how do you incorporate that service into your overall security program?” she said. “And that’s just not something that you can overlook.”

It doesn’t help that each CSP has very different capabilities around DNS. There’s no single way to approach it. For example, O’Connor pointed out that Azure and AWS have different requirements around Active Directory. There is no way to hybridize that kind of approach, he added.

“If it’s routable on the network, and if it has a security toolkit on it, it requires authentication. You need to be able to resolve against an on-prem DNS server one way or the other,” he said.

Added Swinford, “We found that if we try to architect everything ahead of time, we’re going to get something wrong. So we just try to design in a way that allows us to just switch paths later. Because developers can build something quickly and then tear it down and rebuild.”

When she’s working with customers who are building foundational environments, Sharp said she has to learn not only about the technical environment on premises, but their organizational structure as well. “There’s a lot to think through and talk through,” she said. “This is a key part of that conversation from the networking side. What are you doing today? How does that integrate? What are you doing in other cloud providers?”

Architect for flexibility and change

Panelists agreed that, whatever you start with, it’s not engraved in stone. It will change. It must change. And it must be designed so it can change.

Swinford’s approach moved from simple forwarding to a more advanced architecture, and it’s still evolving. “It’s really driven by need,” he said, noting that the cloud platform lets developers rebuild quickly. But, he added, “With DNS, everyone’s relying on it as soon as you stand it up. So you don’t necessarily get that second chance. You need to build in that ability to change later.”

O’Connor agreed. When he started, the cloud team didn’t have the technical capability to architect DNS, so the design in place was his. The architecture document is a working document that can be adjusted to accommodate changes caused by things like new CSP capabilities.

“Unlike network architectures in the past, where you get it right and you’re good for a few years, we need to make sure [DNS] continues to allow for change, to facilitate the application, which is what the cloud is really about,” Wertkin noted. “That’s the other shift here, from ‘applications need to meet the needs of the network’ standpoint to ‘the application is king’. And the rest of the infrastructure needs to be able to flex to allow for it.”

Plan for connectivity failures

It doesn’t matter how well the DNS servers are running. In a hybrid environment, if you lose connectivity, you’re dead in the water.

“One of the key pieces for us has been, what if we lose connectivity to on-prem? Because it’s all well and good to set forwarders up and forward DNS traffic from a Route 53 instance or an Azure DNS instance across the Direct Connect or ExpressRoute to on premises. But the minute you lose that connection, you lose all the capability in the cloud,” O’Connor said.

A caching DNS server placed in the cloud can save the day by holding records until connectivity is restored, he said.

Dependency mapping is key, said Sharp. You have to know what is running where, and how each service interconnects with services everywhere else.

“DNS is a perfect example of that,” she said. “What happens if I lose access? My cloud resources may not be down, but if I can’t do name resolution, I’m still dead in the water.”

Wertkin agreed, saying it needs to go both ways. We like to think that cloud services don’t go down, but it happens. Understanding fault domains is critical. As is extending on-premises DNS into the cloud, ensuring local resolution there, and in turn ensuring that required names created in CSP DNS are exposed to the enterprise.
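The outage O’Connor describes is easy to reason about with a small model. The following is an added example, not the panel’s or BlueCat’s code: a toy cloud-side caching forwarder that forwards to on-prem DNS over a private link, and that can keep serving already-cached answers past their TTL when the link is down (the behaviour RFC 8767 standardises as serve-stale). The hostnames, addresses, TTLs and the `OnPremDNS` stand-in are all constructed for the example; a real deployment would get this from the resolver’s stale-answer settings rather than from this code.

```python
"""Added example (not from the panel or BlueCat): a toy caching forwarder in the
cloud that keeps answering from cache when the on-prem link is down.

Scenario: cloud resolvers forward to on-prem DNS across Direct Connect or
ExpressRoute, and the link fails. With serve-stale enabled, names that were
already resolved keep working until connectivity returns; names never seen
before still fail, which is why local resolution in the cloud also matters.
All hostnames, addresses and TTLs are constructed for the example.
"""
from dataclasses import dataclass
import time


class UpstreamUnreachable(Exception):
    """Raised when the forwarder cannot reach the on-prem DNS servers."""


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float   # when the record's TTL runs out
    stale_until: float  # how far past expiry we are willing to serve it stale


class OnPremDNS:
    """Stand-in for the enterprise DNS servers behind the private link."""

    def __init__(self, records):
        self.records = records      # name -> (rdata, ttl)
        self.reachable = True       # flip to False to simulate link loss

    def query(self, name):
        if not self.reachable:
            raise UpstreamUnreachable(name)
        rdata, ttl = self.records.get(name, (None, 0))  # None models NXDOMAIN
        return rdata, ttl


class CloudForwarder:
    """Caching forwarder with optional serve-stale (RFC 8767 style)."""

    def __init__(self, upstream, serve_stale=True, max_stale=3600, clock=time.time):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.max_stale = max_stale  # seconds past TTL expiry a stale answer may be used
        self.clock = clock          # injectable so the outage can be replayed deterministically
        self.cache = {}

    def resolve(self, name):
        """Return (rdata, source) where source is 'cache', 'upstream' or 'stale'."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry.expires_at:
            return entry.rdata, "cache"
        try:
            rdata, ttl = self.upstream.query(name)
        except UpstreamUnreachable:
            # Link is down: fall back to an expired entry if policy allows it.
            if self.serve_stale and entry and now < entry.stale_until:
                return entry.rdata, "stale"
            raise
        if rdata is None:
            self.cache.pop(name, None)
            return None, "upstream"
        self.cache[name] = CacheEntry(rdata, now + ttl, now + ttl + self.max_stale)
        return rdata, "upstream"


class FakeClock:
    """Manual clock so the walkthrough below does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_link_failure(serve_stale):
    """Replay an on-prem link outage and report what each lookup returned.

    A failed lookup is reported as ('SERVFAIL', 'none').
    """
    clock = FakeClock()
    onprem = OnPremDNS({"app.corp.example": ("10.20.30.40", 30)})  # constructed record, TTL 30s
    fwd = CloudForwarder(onprem, serve_stale=serve_stale, max_stale=3600, clock=clock)

    def attempt(name):
        try:
            return fwd.resolve(name)
        except UpstreamUnreachable:
            return ("SERVFAIL", "none")

    out = {}
    out["before_outage"] = attempt("app.corp.example")      # fetched from on-prem
    clock.advance(10)
    out["within_ttl"] = attempt("app.corp.example")         # answered from cache
    onprem.reachable = False                                # private link goes down
    clock.advance(60)                                       # TTL has now expired
    out["during_outage"] = attempt("app.corp.example")      # stale answer or SERVFAIL
    out["uncached_during_outage"] = attempt("db.corp.example")  # never cached: always fails
    onprem.reachable = True                                 # link restored
    out["after_restore"] = attempt("app.corp.example")      # refreshed from on-prem
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print(f"serve_stale={mode}")
        for step, result in simulate_link_failure(mode).items():
            print(f"  {step:24s} -> {result}")
```

Running it shows the asymmetry the panel points at: the cached name survives the outage only when serve-stale is on, and a name that was never resolved before the outage fails either way. The second case is the argument for hosting resolution for cloud-resident names inside the cloud rather than relying on the link for everything.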

It’s all about governance

Governance no longer just applies to connectivity or name resolution, Swinford said. Now, it includes role-based access control, identity, and permissions.

Kroger has found ways to allow application teams to configure and populate CSP DNS zones with their application names while maintaining good governance. On the other hand, O’Connor said Zurich hasn’t yet done so because of the risk.

“Certain parts of our application stack rely heavily on the zurich.com DNS name. And that’s where a .com DNS name also happens to be an Active Directory domain name,” he said. “If we start to give people access in there, there could be an awful lot of problems around their authentication.”
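Two of the risks raised above lend themselves to an automated pre-flight check: the copied-and-pasted duplicate records from the “wild west” list in the intentional-architecture section, and the danger O’Connor describes of letting application teams write into a zone that is also an Active Directory domain. The following is an added example and is not Kroger’s, Zurich’s or BlueCat’s tooling: it validates a batch of proposed records against a delegated application sub-zone, refuses anything that touches the names Active Directory registers for itself, and flags records that would diverge from what on-prem DNS already holds. The zone names, record data, the `apps.` sub-zone and the simplified `name type rdata` input format are all constructed for the example.

```python
"""Added example (not the panel's or any company's tooling): a pre-flight check
for application-team DNS changes in a CSP-hosted zone that is also an AD domain.

Policy encoded here (constructed for the example):
  1. Names that Active Directory itself registers (the domain apex and anything
     under _msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) are off limits.
  2. Application teams may only write inside their delegated sub-zone.
  3. Only a small set of record types is self-service.
  4. A record that already exists on-prem with different data is a conflict,
     not a silent overwrite.
"""
from dataclasses import dataclass

# Labels AD domain controllers register SRV/A records under; writes here can break authentication.
AD_RESERVED_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified, lower-case, no trailing dot
    rtype: str   # e.g. A, SRV
    rdata: str   # remainder of the line, verbatim


def parse_zone(text):
    """Parse constructed 'name type rdata' lines (';' starts a comment). Not a full zone-file parser."""
    records = []
    for line in text.strip().splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        records.append(Record(name.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records


def is_ad_critical(name, ad_domain):
    """True for the AD domain apex and any name containing an AD-registered label.

    Deliberately conservative: an application SRV record under _tcp would also be
    refused, which is the point of keeping self-service away from the AD zone.
    """
    if name == ad_domain:
        return True
    if not name.endswith("." + ad_domain):
        return False
    labels = name[: -len(ad_domain) - 1].split(".")
    return any(label in AD_RESERVED_LABELS for label in labels)


def check_change(proposed, onprem, ad_domain, delegated_subzone,
                 allowed_types=("A", "AAAA", "CNAME", "TXT")):
    """Return a list of (record, reason) rejections; an empty list means the batch may proceed."""
    existing = {(r.name, r.rtype): r for r in onprem}
    problems = []
    for rec in proposed:
        if is_ad_critical(rec.name, ad_domain):
            problems.append((rec, "touches an Active Directory-registered name"))
        elif not (rec.name == delegated_subzone or rec.name.endswith("." + delegated_subzone)):
            problems.append((rec, f"outside the delegated sub-zone {delegated_subzone}"))
        elif rec.rtype not in allowed_types:
            problems.append((rec, f"record type {rec.rtype} is not self-service"))
        else:
            clash = existing.get((rec.name, rec.rtype))
            if clash and clash.rdata != rec.rdata:
                problems.append((rec, f"conflicts with on-prem record {clash.rdata}"))
    return problems


# Constructed excerpt of an on-prem zone that doubles as the AD domain.
ONPREM_ZONE = """
corp.example                        A    10.0.0.10
dc01.corp.example                   A    10.0.0.10
_ldap._tcp.dc._msdcs.corp.example   SRV  0 100 389 dc01.corp.example.
_kerberos._tcp.corp.example         SRV  0 100 88 dc01.corp.example.
payroll.corp.example                A    10.0.5.20
legacy.apps.corp.example            A    10.0.9.9      ; copied into on-prem DNS some time ago
"""

# Constructed change batch submitted by an application team.
PROPOSED_CHANGE = """
web.apps.corp.example               A    10.40.1.15    ; fine
payroll.apps.corp.example           A    10.40.1.16    ; fine, distinct from on-prem payroll
payroll.corp.example                A    10.40.1.16    ; outside the delegation
_ldap._tcp.dc._msdcs.corp.example   SRV  0 100 389 dc99.apps.corp.example.  ; would hijack AD
api.apps.corp.example               NS   ns1.elsewhere.example.             ; type not self-service
legacy.apps.corp.example            A    10.40.1.17    ; diverges from the on-prem copy
"""


def run_example():
    """Apply the policy to the constructed batch; returns {rejected name: reason}."""
    problems = check_change(parse_zone(PROPOSED_CHANGE), parse_zone(ONPREM_ZONE),
                            ad_domain="corp.example", delegated_subzone="apps.corp.example")
    return {rec.name: reason for rec, reason in problems}


if __name__ == "__main__":
    for name, reason in run_example().items():
        print(f"REJECT {name}: {reason}")
```

Of the six proposed records, four are rejected and the two inside `apps.corp.example` with no on-prem counterpart are accepted. The conflict case is the one worth noting: a record that was once hand-copied into on-prem DNS is exactly the kind of drift that an unmonitored, duplicated-zone setup lets accumulate, and surfacing it at change time is cheaper than finding it during an incident.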

Advice from the experts

The panelists offered advice for enterprises looking to integrate DNS as part of their cloud strategy.

Both Sharp and Swinford suggested asking these questions:

  • Who are your clients?
  • What services are you providing?
  • How do you connect them up?
  • Where do the clients live?
  • How do they need to consume these services?
  • How do your application teams need to publish those services?

Sharp added that application teams can’t assume that the services they will use in the cloud work the same way they do on premises or the way they did with another cloud provider.

“Something that we’re learning the hard way is, as the subject matter expert for your DDI environments, you need to go and you need to look at what it’s like to walk into a greenfield CSP, and all of the capability that you can have as an application owner in the greenfield CSP,” O’Connor said. “Because when they come to you looking to deploy DNS, they’re looking for that capability. They’re not looking for the corporate DNS to be put out in the cloud.”
