WEBINAR ON-DEMAND

New Approaches to Multi-Cloud Networking & Security

Alex Berger and Robin James

Jun 25 2020  | 54 mins

The cloud application transition has significantly challenged traditional network and network security IT architectures. In this joint webinar hosted by Palo Alto Networks and Alkira, we will look into how enterprises can move to the cloud with confidence by providing a consistent set of firewall security controls across on-premise, single cloud and multi-cloud environments.

Learn how to tackle the biggest cloud networking security challenges, including:

  • Choosing the right architecture for your Palo Alto firewall deployment in the cloud
  • Inserting and autoscaling your Palo Alto Firewalls in the cloud with intent-based policies
  • Ensuring symmetric traffic steering across globally deployed Palo Alto Firewalls in multi-region or multi-cloud environments

Speakers:
Alex Berger – Product Marketing, Palo Alto Networks
Robin James – Product Manager, Alkira

Webinar Transcript

David:
Hello, and welcome, everybody. I wanted to welcome you to this webinar. My name is David Klebanov. I’m leading product marketing for Alkira. Today we have a very exciting joint webinar between Alkira and Palo Alto Networks where we’re going to learn about building networks for the cloud area with integrated enterprise-grade firewall security. And we have two exciting speakers for you today. We have Alex Berger from Palo Alto Networks, and Robin James from Alkira. I’ll let you guys introduce yourselves.
Alex:
Thanks, David. So, hi, everybody. My name is Alex Berger. As David mentioned, I work with Palo Alto Networks. I lead product marketing for our software firewall, so those are our virtual and containerized firewalls.
Robin:
Thank you, David. My name is Robin James, and I’m a product manager at Alkira. I look at the different aspects of network connectivity and network services at Alkira.
David:
Alright. Well, thank you very much, guys. So, before we kick it off, just a couple of small housekeeping items. This webinar is being recorded. The recording is going to be available on the alkira.com website, and also you can watch this on the BrightTALK channel. Feel free to ask questions. We are going to take some questions at the end of the presentation. I’m going to be monitoring the chat and answering any questions that you have during the webinar. In the attachments and links section of your interface you can see a couple of useful links in there that you can reference. There is a Palo Alto recent blog by Mukesh Gupta, who is the Vice President at the Palo Alto Networks. You can get access to the recently published joint Solution Brief and Integration Guide between Palo Alto Network and Alkira, and you can also watch the Alkira Solution video in there. With that being said, I want to kick it back to you guys, and we will see you on the other end of the webinar.
Robin:

Thank you, David. Okay. So first off, I’m excited to announce this awesome technology partnership between Palo Alto Networks and Alkira. Palo Alto Networks, as you all know, is a global leader in cybersecurity, and Alkira is also a global leader in multi-cloud networking. We offer a transformational solution for multi-cloud networking for enterprises. With this technology partnership Alkira is now officially a partner on Palo Alto Networks NextWave Technology Partner Program. This collaboration has been going on between these two companies for a few months now, and it is also an outcome of a lot of customer feedback. With this partnership the VM-Series Next-Generation Firewall is available on the Alkira Cloud Service Exchange™. We’ll talk more about the Alkira Cloud Service Exchange in the latter half of the webinar.

But on a high level, with this seamless integration what enterprises get is a global network connectivity to and between the clouds, and at the same time they have a consistent security posture, a uniformed, consistent security posture for their multi-cloud network. They do not have a different security posture for cloud network one, cloud network two, or a different region, and one for the on-prem. They have a single, unified, consistent security posture for their entire multi-cloud network. All of this is set up and up and running in a few clicks and within a few minutes, and with this you get complete visibility and control. And the other interesting thing is that you consume this as you would consume anything in the cloud. Like I would consume computer storage. It is delivered to you as-a-service, and you pay for what you use, and it grows as you expand on the platform. That’s how the solution works.

With that, I’m going to go forward and between Alex and I we’re going to touch upon a few topics today. First, we’re going to talk about the challenges that you have with the security constructs that you have in the cloud today. And then Alex is going to talk about VM-Series and how VM-Series Firewalls address those challenges. Then I’m going to speak about Alkira Cloud Services Exchange, what it is, how it is used, and how it benefits customers. And then we’re going to talk about the integration, the VM-Series integration with Alkira CSX, and the benefits that a customer can get from that. And before we end, we’re also going to talk about a case study, and if time permits, we’re going to have – take a few questions that we have. Yeah. Alex, over to you.

Alex:

Awesome. Thanks, Robin. Appreciate it. One of the first things we want to touch on – and if you haven’t already noticed – consistency is going to be a big theme of this presentation. And the reason for that is because most of our customers are actively using multi-cloud. As organizations look to embrace public cloud, on average organizations are using three and a half clouds and experimenting with another one and a half. This is an interesting study that was done by Flexera to come up with this data, but, you know, that stat is really salient for our customers. And the fact that as organizations move up into these cloud environments, they are less in this limbo of how do I manage particularly security, obviously, from a Palo Alto Network perspective – but it doesn’t just stop there. It’s even on the networking side – how do I manage all of these siloed environments?

Generally, an organization will standardize on a single cloud provider, one of the big three, normally, AWS or Azure or Google, and then they’ll be playing around another two. And all of that is often in addition to their on-prem infrastructure. What we would refer to as a hybrid cloud modality is becoming the new normal. Becoming the new reality of most of our customers, and I think most organizations throughout the world. And it presents additional complexity, and, as anybody will tell you – perhaps this is an overused mantra, but it’s very true – complexity is ultimately the enemy of security. So, the question is: how do we overcome this? What do we do about this? Well, first of all, there’s a bit of a misnomer oftentimes when organizations start looking at public cloud environments that, oh, well, I don’t have to worry too much about security in the cloud. That’s part of the reason I’m adopting the cloud in the first place, and they’re going to secure my stuff for me.

And that is – like I said, that’s a misnomer. You know. Just because you move into a public cloud environment does not mean that you no longer have to worry about security. Public clouds function in a model that is referred to as the shared responsibility model where the public cloud provider is responsible for securing the underlying infrastructure of the cloud – that’s the compute, storage, networking, the physical infrastructure that supports their cloud environment – but it’s really up to the customer of the cloud service provider to secure everything that lives in the cloud. The applications, the data, managing identity, resource configurations, and of course the network traffic that is taking place within the cloud itself. As network security practitioners especially start to think about or be tasked with how are we going to architect security in the public cloud, how are we going to fold public cloud into our overall network security posture for our enterprise, it’s important to understand what’s your responsibility and what’s the cloud service provider’s responsibility.

And this shared responsibility model, you can define this for each of the individual cloud providers if you look for it – Azure’s got their version, AWS has theirs, GCP has theirs – and that’ll really give you a sense as to how your cloud service provider is approaching this. And I highly encourage, if you haven’t looked at that already, I highly encourage you to look at it for your cloud service providers, because it’s important that everybody understands and is on the same page when it comes to security of public cloud architectures. Now, the cloud service providers don’t leave you high and dry. They offer a bunch of native controls from a network security perspective, and we’re going to spend most of our time today talking about the network security component of a public cloud. There’s, of course, lots of other components as well. But from a network security perspective, the CSPs have done a pretty good job of providing some baseline security.

Generally, it’s rooted in the security groups, which offer layer 3, layer 4 protection, allow you to do some basic segmentation of resources, and things like that. Increasingly cloud providers are beginning to offer some application firewall type capabilities for edge protection. These are – the closest delineation or comparison, I think you could say, would be that these are kind of like a WAF. They are generally only focused on web applications. And then of course there’s some additional capabilities that they provide around content inspection. Now, this is a good foundational starting place from a security perspective. And we, actually, at Palo Alto Networks encourage our customers to use the foundational components of these clouds while they’re architecting their security postures. The problem with relying solely on these capabilities is that they are siloed. Right? The Azure security groups are only in Azure, and the GCP security groups are only in GCP and AWS, etcetera, which means that as a security architect or a security practitioner you are managing each environment on its own.

And it’s akin to almost a point – you get yourself into a point solution kind of problem. Even from a threat intelligence perspective, if the cloud offers a threat intelligence feed of some kind, that’s going to be unique and specific to that individual cloud. Now, this results, for network security teams and cloud security teams even, in these three main challenges. First of all, there is a lack of visibility and control. Especially if you’re talking about a team that is managing an on-prem environment where they have Next-Generation Firewalls deployed and are used to getting the full blown layer 7 visibility into all of their traffic that those firewalls provide. When you move into the public cloud, all of a sudden there’s a blind spot, and it becomes difficult to aggregate and see all of the traffic that you might want to provide.

Oftentimes when I’m talking to our customers and the network security teams, and I ask them, “Do you have an understanding of what traffic is even moving in your cloud environment?” they will give me that wry smile and say, “Not really. We sort of know. We have an idea. Maybe we do, but we don’t really have an understanding.” And, like I said, they may be relying on the individual cloud service provider’s technologies to do some basic security in each of those clouds. But that leads you into this inconsistency problem. If I’m managing an enterprise with an on-prem environment and multi-cloud environments, I now have to manage all of those in a siloed way using different tool sets. Which not only creates a management nightmare, but also probably going to require a bit of a learning curve. You know, you have to come up to speed with how Azure security principles work, and how AWS security principles work, and it’s not necessarily consistent, let alone I don’t have the ability to enforce one policy everywhere ubiquitously for my environment.

And then the third problem is one around automation and scalability. Of course, the reason why customers like yourselves are moving and embracing the cloud is to unshackle your ability to innovate, right? Unshackle your developers so that they can build at the speed that they want to be able to move at, and scale to the scales that they need to be able to scale to. And from a security perspective we as a security vendor have to be thinking about, well, how do we provide integrated security that can automate and scale just as seamlessly as cloud infrastructures can. And that’s no small feat. That’s something that requires a lot of thinking, a lot of engineering, and something that’s near and dear to our hearts at Palo Alto Networks. Now, I want to double down on this concept of visibility just for a second, just to illustrate the point of what I mean when I say there’s a difference in the level of visibility you get from the native tools versus something like a Next-Generation Firewall.

Generally, if you’re thinking about a layer 4 firewall this is the base information that you get. You get the source of the traffic, you get the destination where it’s headed, and you get the port that it’s traversing. You may get a little bit of additional information, especially – there’s a lot of people out there claiming layer 7 visibility, you might get the protocol, and a little bit of additional information. Now, if you think about this in the context of the on-prem world, this is where we were at 15 years ago, maybe, right? Layer 4 firewalls protecting our on-prem environments were giving you this amount of information. And 15 years ago is about when Palo Alto Networks came on the scene and started introducing much more visibility with Next-Gen firewalling, giving you access to information like, well, who are the users? What groups do they belong to in the organization that are actually interacting with this traffic? Where are they located? What are the resources that the traffic is actually tied to? What are the files that are traversing the network?

What kind of files they are, and are they – and what kind of metadata do they have affiliated with them? So, this is the difference in the level of visibility. Obviously, I can as a security practitioner make a much more informed decision about the kinds of policies I want to write when I get this level of visibility. It also helps me understand when things start to go awry. I can write a policy based on certain behaviors – what I can allow from a behavioral perspective, but if I start to see changes in any of that – right? Instead of a PowerPoint it’s an executable, and it’s actually not coming from Joe in the finance department, but all of a sudden, it’s Jane in the IT department who seems to be downloading this executable. And not only that, but all of a sudden, the location has changed from – we don’t know where they’re connecting from, and it’s somewhere in China.

This starts to give me a better – a much better understanding of the control that I need in the environment, right? And allows me a much more granular ability to control the environment. This is why we introduced the VM-Series Firewall. The purpose of the VM-Series Virtual Firewall is to extend the same level of visibility and control that you get with a traditional Next-Generation Firewall, a hardware firewall that you might use on-prem, into the places in your environment where it would be impossible to deploy a hardware firewall. So those are public clouds. It’s also in on-prem situations when you have a virtualized data center and traffic traversing virtualized infrastructure. And we also see a number of customers deploy these firewalls in their branch locations as organizations start to embrace software-defined branches.

So, the VM-Series Firewall, in a nutshell, is all of the core capabilities of our Palo Alto Networks hardware firewalls, our PAN-OS, which is at the core of giving you the level of visibility that I was just showing you on the slide before. As well as user identity, content inspection, all of these great capabilities, as well as the advanced security subscriptions that we offer that you can deploy on top of the firewalls. Things like intrusion prevention and URL filtering and things like that. So when you compare what is offered from a native cloud perspective and the VM-Series perspective, is pretty stark. We will give you not just layer 7 visibility into your web applications, but also extend that to all your applications, your non-web apps. We’ll allow you to create those user-based policies, geographically based policies. We can offer you the ability to inspect encrypted traffic with SSL decryption, things like that.

From a content inspection perspective, we go beyond just FQDN filtering to full blown URL filtering, which, as you’ll see in a couple of minutes when you talk about the use cases, is critical for ensuring that your users, and especially your application teams, are getting access to the right resources, and not mistakenly connecting to malicious code repositories or malicious websites, things like that. We can offer you a tremendous amount of protection in the form of threat prevention – web-based attacks, file-based attacks, etcetera. And of course, you get to leverage our Palo Alto Networks Threat Intelligence Cloud, which can be ubiquitous across all of your environments, taking feeds from all of the environments and aggregating rather than having to rely on specific threat feeds in each environment. And like I said at the beginning, consistency and centralization is a theme throughout this presentation. From a management perspective, you can manage all of this from our Panorama management solution.

So, one place to manage your network security posture across multi-cloud environments, as well as on-prem. So that’s really the power of how VM-Series can augment the native controls in the public cloud. I mentioned use cases. There are three main use cases that we see customers use VM-Series Firewalls to solve in the public cloud. The first one is the perimeter use case. Preventing inbound threats coming from the internet targeted to your cloud deployments, and your cloud hosted applications. And this is where capabilities like our Malware Analysis solution, WildFire, comes into play, and our threat prevention service comes into play, to be able to detect, and react to, and prevent both known threats with signatures and unknown threats that we might have never seen before.

In fact, just last week we introduced some machine learning capabilities into our WildFire Malware Analysis solution that reduced the amount of time it takes for us to identify zero-day threats to basically real-time, and distribute that to all of our firewalls and our networks so that you can get the information you need to keep you safe from a zero-day threat pretty much instantaneously, and keep yourself protected from that. The other key part of perimeter protection – I think oftentimes people think about perimeter protection from the perspective of inbound threats, and people trying to gain access to the environment. But just as important, especially in public cloud environments, is the outbound use case, and the ability to protect outbound traffic from the environment. The reason this is important in public cloud is because of the fact that more and more customers are developing applications in public cloud environments.

And modern-day application development really hinges on the ability to connect to things like code repositories and developer resources that live outside of the environment on websites like GitHub. One of the major attack vectors these days that we’re seeing is attackers will actually host malicious code repositories in GitHub and other places like that in the hopes of getting unsuspecting developers to connect to those repos, pull down that malicious code, and instantaneously gain access to the environment. So, it’s just as important to protect your outbound traffic as it is to protect your inbound traffic. I mentioned before that we go beyond fully qualified domain names filtering with the VM-Series to give you full blown URL filtering. And in case you’re not quite clear on what the difference between those capabilities is, an easy way to think about it is with FQDN you would be able to say I don’t want my developers to be able to access GitHub, period. Right? The entire domain.

With URL filtering, we can get much more granular and much more specific about what we give people access to. So rather than I’m going to cut my developers off from GitHub, which, of course, is something that we would never want to do, we can say I’m only going to grant access to my development teams to the GitHub/Palo Alto Networks code repository. And now we’ve limited the number of places that they can connect to and put some guardrails in place to keep our development teams and applications teams, and therefore our applications and our data safe. The other big use case is DNS security. Very closely related to that URL filtering use case, we want to make sure that your organization’s identity, their do – you know, your domain is protected. And our DNS security services are specifically designed to do just this and ensure that as DNS becomes a much more popular attack vector, we can keep your organization safe from that perspective. Now, those are our perimeter use cases.

The other major use case that we’re seeing in public cloud environments is the use of VM-Series Firewalls to segment between VPCs or vNets, or whichever cloud you’re talking about. Compartmentalize and build trust zones within those environments. Typically, we see customers deploy Next-Generation Firewalls at the subnet level, the VPC or the vNet level, because that’s a good boundary for many customers. Generally, you’ll have an application living within a VPC and you want to maybe segment between applications, insert additional protections, like IPS, or just make sure that the application that’s traversing that boundary is what you expect it to be, and you’re okay with. So, this segmentation use case is becoming increasingly popular, particularly as our environments become more and more complex, and all of our applications are more and more interconnected to each other. We never necessarily know that everything we’re connecting to is adequately protected, particularly when those resources are not under our control.

Segmentation is the way we can prevent threats from moving laterally throughout the environment. The third component of this is multi-cloud security, and this of course has already come up multiple times, and Robin is going to expand on this point. But again, it’s important to be able to maintain a consistent security posture across all of your different environments and all of your different siloes. And with VM-Series and our Panorama Management solution, you can do exactly that. Not just between your different public cloud environments, but also between your on-prem environment and any physical firewalls that you might be managing in your data center, alongside your virtual environments and cloud environments where you might be deploying virtual firewalls. Being able to consistently manage all of this from a single location allows you to reduce the number of tools that you have to rely on.

It also allows you to maintain a consistent policy model across the entire enterprise, or the entire organization’s environment. One policy can be written and distributed or enforced across every component of the environment, rather than having to write a single policy three times in different locations. And this is a massive value add to our customers. In a lot of cases, this is actually the reason why customers end up going with us, is simply this reduction in the time it takes, the management overhead, and the complexity of your policy model when you’re dealing with these hybrid cloud or multi-cloud environments. At this point I want to go ahead and hand the reins back over to Robin, who’s going to talk about how Alkira can make deploying these firewalls in these multi-cloud situations all that much easier from a networking perspective. Robin, all you.

Robin:

Thank you, Alex. Actually, I like the last part of having a uniformed security posture for your multi-cloud network, and that is very important. As we go into the Alkira solution, we’ll understand how the integrated solution offers that. Let me first quickly introduce Alkira. So Alkira was founded in May 2018. It’s a little over two years now. The vision that Alkira has is to reinvent networking for the cloud, and this vision came about by talking to a lot of customers. As we spoke to these customers, we found a common theme, right? Most of these customers are embracing the cloud, but the challenges that they are facing are, one, they find it too costly. They say that they have a lot of upfront costs, and it’s a high TCO, and their cloud option is not going at the pace that they want. They’re either doing data center backhaul or they’re using multiple transit architectures.

And one other pain point that we heard is that quite often the IT network and security teams, they say that it’s far too slow. The rest of the business is adopting compute and storage in the cloud quickly, and at a rapid pace, but the networking teams and the security teams are not able to keep up with that pace. It’s a lot of tedious do-it-yourself configurations. And one other recurring theme was it’s too complex. Each of the clouds has different constructs and different intricacies, and the network and security teams don’t always have the deep expertise needed for each cloud. So that’s how Alkira’s vision is found. Is to solve that problem and is to actually reinvent networking for the cloud and make it easy for those enterprises as they grow in the cloud. And as part of this vision, it quickly resonated with the VCs, and we were funded within six weeks of the company being founded. Our funders are Sequoia Capital, Kleiner Perkins and GV, which was formerly Google Ventures.

Early in the stage of the company, the beginning of the company itself, we were fortunate to have a lot of engagement with customers, and a lot of these customers provided us feedback in designing the product into what it is today. So, as we were trying to reinvent networking for the cloud, we had valuable insights from a lot of these customers who are already in the cloud and have seen the pain points that I mentioned earlier. And early in April this year, April 15, we launched publicly, and our website went live, and our customers can go to alkira.com and register and start using the service. With that, I’m going to go in to quickly introduce what is the solution that Alkira is offering, and what it can do, and how it is done. The solution that Alkira is offering is called the Alkira Cloud Services Exchange™. It is a unified multi-cloud network which is delivered as-a-service. As a customer, you would consume it like you would consume anything on any of the public clouds. It’s consumed as-a-service, there’s no software to download, there is no infrastructure that you need to build up ahead in your premise, none of that.

It’s consumed as-a-service, and that’s how you do it. The core of the Alkira Cloud Services Exchange is what we call the Alkira Cloud Exchange Points™, CXPs, you can think of them as virtual points of presence that have a full routing stack and networking services and are globally distributed. As a customer, you would connect your remote sites and remote users to the closest CXP, even your data centers and colocations if you have them. And there are many ways to connect them to the CXP. You would either use standard based IPsec, encrypted IPsec tunnels, or you could extend your SD-WAN network. If you have Cisco SD-WAN, you could extend them to the Alkira CXP. Or if you are a customer which has a requirement for high throughput and private connectivity, you could even bring your AWS connected directly to CXP.

So maybe you have cloud workloads in AWS, Azure or GCP in a single region or in multiple regions, you would just connect them to the nearest CXP. Now, I mentioned that the CXPs are globally distributed, and they are fully meshed at the same time. As a customer, you instantly get a global transit network connecting multiple clouds and sites together. In a sense you are having optimal routing to and between the clouds without any data center backhaul or infrastructure. There are a few key elements of this solution that I want to touch upon. First and foremost is the design canvas where you can actually pick and drop whatever you want. Like you want to connect a remote site, you want to connect remote users, you want to connect different cloud networks, you would actually, on the design canvas, drag and drop them and connect them. In fact, one of our customers described this as being easier than a Visio.

Similar to that, you have a services marketplace where you can have different kinds of services like firewalls, and you just drag and drop them into your topology, and Alkira takes care of the life cycle of that service. Alkira takes care of sending the traffic to those services as you use them. You have intent-based policies which you can specify, so-and-so traffic needs to be steered to the server. End-to-end segmentation is inherent in the solution. Every aspect of the solution from the get-go has network segmentation built into it. If you have segmentation on your corporate network, you can extend that into the cloud. You don’t need to flatten it when you come to the cloud, you can have the same segmentation that you have in your wide area network in the cloud as well. And all of this comes with operational visibility and complete control.

Now, I mentioned that this is delivered as-a-service, so in full transparency we will show you how much you’re charged for the different services you are consuming. You will pay only for what services you consume. And as an IT team or a network security team you have the ability to also charge back to the different lines of business that are using this. As an IT team you don’t have to bear the complete cost of the multi-cloud adoption, you have an ability to charge back the different lines of business that you’re supporting. In a nutshell, that is the Alkira Cloud Services Exchange and the CXPs. Let’s go forward. So, this is the awesome technology partnership that we have, and the integration. Now you have the VM-Series Firewall on what we call the Alkira Network Services Marketplace. Like you have other services in the marketplace, you have the VM-Series Firewall.

With this you get all the richness of the VM-Series in the Alkira CXP, so you as the customer would simply select the VM-Series from the Network Service Marketplace, and you will deploy it in your CXP. It’s done in a few clicks, it’s up and running in a few minutes. Alkira takes care of the full process of deploying the VM-Series, integrating it with the CXP, and you have Alkira policies to decide which traffic goes to which VM-Series. You can say that traffic between cloud network one and cloud network two would go to the VM-Series, but traffic within cloud network one will not go to the VM-Series. You have flexibility through Alkira intent-based policies to dictate that, and you get complete visibility into the VM-Series. You see the health of the VM-Series, you actually control in dictating what traffic is inspected by the VM-Series.

You have one of two ways in deploying this VM-Series. Either you have a pay-as-you-go model in which you will just consume the VM-Series from Alkira. The other alternative is if you are an existing customer of Palo Alto Networks, you would use the same license that you have to use on the VM-Series in the CXP. Or you could do a mix of both, as you’d like. Now with that out of the way, I want to talk more about the functionality and the benefit that you get with the integration with the Alkira CSX. I mentioned segmentation earlier, but now I’m going to talk about micro-segmentation. As an enterprise you often have requirements where you have a network segment where you have different kinds of workloads or different kinds of users and sites connecting to it. However, you may have business requirements in which you need to have connectivity between the different types of workloads.

However, you want to restrict it to limited connectivity, and so you need a firewall to limit the amount of connectivity. Alkira makes it possible through micro-segmentation, essentially. So what you will do is let’s say you had a certain set of workloads in AWS, and a certain set of workloads in GCP, you want to have limited connectivity with them, what you will do is group those workloads in AWS into something called groups in Alkira. And similarly, you will group the GCP workloads into another group. You would map these groups to zones on the VM-Series Firewalls. This way you are able to micro-segment within the same network segments, and now, on the VM-Series, like what Alex mentioned, you are able to do inter-zone policies or intra-zone policies to limit the connectivity between the different zones.

Now, it’s quite often that in an enterprise you have not just two zones, you have multiple zones. So as in my slide here, you can have different kinds of zones. Something that is intranet, something that is going to extranet that is a cost network segment, if need be, or something that’s going to the intranet or coming from the intranet. There are various use cases here. You could have cloud to cloud, cloud to the intranet, intranet to the cloud, even on-prem to the cloud. You have different kinds of zones that you can create, and you can have policies to limit the kind of traffic between the different zones. And again, as I mentioned, the Alkira intent-based policies are what drives the traffic into the zones. If there is a certain category of traffic that you don’t want to inspect and you trust it, you could also exclude it from sending it to the firewall.

I mentioned the policies which will dictate what kind of traffic to send to the firewall, but there is another concept that quite often we see in the traditional architectures – some of these architectures have different kinds of transit networks. You have one transit network in cloud one, you have another transit network in the cloud provider two. And quite often when traffic goes from one transit network to the other transit network it’s inspected by the firewall two times. And this kind of affects the performance of the application, and it introduces latency as well into the application. With Alkira, you avoid that, because Alkira has certain proprietary technology in which we do intelligent firewall insertion, essentially. So, let’s say you have traffic going from cloud region one to cloud region two. Since Alkira is a globally distributed network, Alkira is familiar that this, let’s say, traffic has been inspected by the firewall in region one and does not have to be inspected by the firewall in region two.

By doing this, what you get is you have optimum application performance, and at the same time you have increased capacity for your firewalls, and you don’t have to over-provision your firewalls. So that is what we mean by intelligent service insertion. I mentioned the ability to intelligently insert the firewall, but now we also have the ability to have autoscaling. There is zero-touch autoscaling. As a customer you do not need to learn CloudFormation templates and you do not need to figure out any of that. Alkira offers this to you as-a-service. You as a customer would just say that I would need a minimum of let’s say two firewalls, and a maximum of eight firewalls. Maybe you have a requirement in which you have peaks, times of the day in which you have peak traffic, and the rest of the day that you don’t have peak traffic. You could set it up in such a way that when there is peak traffic the autoscale will trigger, and this would spin up the necessary firewalls to handle the real-time capacity demand.

But as a customer you don’t need to figure out any of this, you just need to mention a minimum of two and a max of whatever number it is and Alkira will take care of that. Since there are many firewalls, Alkira also makes sure that we have symmetric load distribution, in the sense we will make sure that the traffic always goes to the same firewall, no matter where it is going from the source to the destination it will always go to the same firewall. So symmetric traffic handling is inherent in the solution. Okay. And, yeah, as I mentioned earlier, all of this comes with complete operational visibility and control. As a customer you get to see the health of the infrastructure. You get to see the different VM-Series that are running in your CXP. You get to see what the throughput zone consumes. So maybe you have admin 1 to visualize how much traffic is going through a zone. Is this reasonable? Is this unreasonable?

Through the Alkira portal you can see how much traffic there is for a zone. Maybe your intranet traffic is seeing an unusual amount of traffic than normal. You have the ability to visualize on the Alkira monitoring page, and you also get to see the session counts. So maybe this will help you in network planning. If you want to maybe, let’s say, tweak your autoscale numbers based on what you see, you could do that as well. You also get to see what kind of applications are going in. Alkira has an engine which will analyze the traffic and tell you what kind of applications are seen between the different workloads in your network. You’ll get to see a clear idea of when these autoscales were triggered at what point in time, and maybe you want to plan accordingly. Okay.

So that comes to the very end of the presentation, but I would like to spend some time to talk about a case study. This is one of our customers who was evaluating Alkira for a certain specific use case. They wanted to deploy VDI infrastructure, but they were in a situation in which they did not want to invest more in their data center. They wanted to reduce the dependency on the data center. They wanted to move their VDI infrastructure into the cloud, and they wanted to do this to support their suddenly large number of remote employees that they had. To do that, they were not able to do their existing network because they did not have the agility that they wanted in the cloud, and at the same time they had different kinds of segments in the network which they wanted to extend to the cloud.

And along with all of this obviously they have a security requirement. The cloud, they want to secure the east-west traffic and the outbound traffic from the VDI. And all along they need to have good experience for users of the VDI. So that’s where an integrated solution helped this particular customer. With Alkira they were able to get an instant multi-cloud network. Like I said, it’s delivered as-a-service, and they had to just do – register on the Alkira portal, sign up, connect the remote sites and branches, and their public clouds, and deploy these VDI infrastructure in the public clouds. Within a few minutes they were up and running, and this is something that they saw a lot of value in. If they were to do it in their data center, this will have taken them months to get there. And all of this comes at a lot of cost benefit.

If they were to do it in the data center, they realized they had a lot of upfront costs. They needed to invest in security infrastructure, they needed to invest in all the networking equipment. But when it came to the cloud, they had to pay only for what they use, and they needed to increase that only as they grew. This was easy for them. The TCO was highly favorable for them, and the VM-Series gave them the security they were looking for. They wanted to have, like I said, east-west traffic to be inspected by the firewall, and at the same time even the outbound traffic from the VDIs to be inspected by the firewall. The VM-Series is what they used to do that. And like I said, they wanted to have autoscale as well, because not all remote employees are working at the same time. What they did, is they provisioned it for the stable capacity, the number of firewalls, and they enabled autoscale to scale the number of VM-Series to meet the peak demand. And they were able to achieve their business needs with this.

David:
Thank you very much, guys. It was very, very insightful. We had a lot of questions coming in. We obviously don’t have enough time to take all the questions, so we’re just going to take a couple of samples. And we will make sure to follow up with each one of you who asked a question online and clarify. The questions were very diverse, so obviously some of those require a little bit of deeper conversations. Let me get a couple of questions for you guys. I think this one’s for you, Alex. It is an existing Palo Alto Networks customer, and the question is, can the same Panorama be used for applying a security policy for both on-premise firewalls as well as the cloud firewalls hosted within the Alkira environment?
Alex:
I love that question. So the short answer is yes. The same Panorama can be used for on-prem and public cloud deployments. And frankly, that’s really the beauty of this solution from a security perspective, because that’s what enables that consistent visibility and enforcement across these hybrid cloud environments. So, yeah, absolutely. In fact, that’s kind of at the crux of the value prop here.
David:
All right. Yeah, absolutely. Same security policy domain across the on-premise firewalls in data centers and as well as the VM-Series Firewalls deployed within the Alkira multi-cloud network solution. The beauty of it is the uniformity of the security domain. The next question, I’m not sure, maybe it’s for Robin. It’s, again, possibly an existing Palo Alto Networks customer. It’s about a support model. So obviously now we’ve spent time talking about the integrated solution where Alkira provides the multi-cloud networking foundation and all the traffic steering capabilities towards the Palo Alto VM-Series Firewalls with the security policies, but what about the support model? How is the support being handled across now basically two entities that are in the play here, which is the Palo Alto Networks and Alkira? I’m not sure, maybe Robin, you want to take that one.
Robin:
That’s a good question. As part of the partnership we have a process in place. There is a platform called CSANet, both Alkira and Palo Alto are part of the CSANet, and this platform allows us to quickly inform the partner that there is a customer escalation. So there is a support model and there is an SLA for this integrated solution. As a customer you wouldn’t see the difference, whether you contact Palo Alto Networks or Alkira, you will have the same level of service.
David:
Right. And I think this is also a quick question to ask, in regard to the life cycle management you mentioned. Can you talk a little bit about how that VM life cycle management is done as far as maybe software upgrades or anything that you feel is important for the life cycle management?
Robin:
Sure. The beauty of it, since this solution is delivered as-a-service, you, as the customer, do not have to take the trouble of bringing up the VM-Series or any of that. Alkira takes care of that. Alkira takes care of VM-Series, brings up the VM-Series, makes sure it has the right signatures, the right software version, the right files. You as a customer would only specify what kind of throughput you need, and which network segment, if at all, you need this firewall. And Alkira takes care of everything else for you. Spinning up the right VM-Series with the right capacity needed to handle the load that you specify, and having the latest signatures, the image software version that you specified. Now, let’s say you as a customer, during the life of the product you want to upgrade the VM-Series software image. You can upgrade the VM-Series software image, and Alkira will make sure that for the high availability or for the autoscale any new VM-Series that are sent are in alignment with the software version that is there on the first VM-Series, let’s say on the initial VM-Series. Alkira takes care of that. So as a customer you don’t have to worry about it, Alkira takes care of the life cycle. All you need to do is let’s say from your Panorama specify the security policy as per your business intent. The networking and the life cycle are taken care of by Alkira.

David:
All right. That’s great. So maybe we’ll take one more question. And that one is interesting. I know, Robin, when you presented the Alkira solution in the beginning you mentioned a chargeback, right? The question is a little bit bigger, a little bit more encompassing, in regard to cost savings in general, and possibly talking about the CAPEX and OPEX savings in regard to this joint solution. I think it’s maybe the question for both of you, so you can share your insight as far as what are the cost saving elements that you can see in this joint solution.
Robin:
Sure. There are different kinds of cost factors – cost savings, actually. In the traditional architectures you would have different kinds of transit networks and you would have firewalls, and you would need to do an operation – I mean, you have an operation and management cost of these different transit networks that you have. With Alkira, you have a unified, multi-cloud network, and you’re managing as a single point. There itself you have the operational and management cost simplification there. Because Alkira has an autoscale and so on, you don’t need to provision for your five-year plan. You pay for what you only use today, and the solution gives you the flexibility to extend it as your cloud adoption grows. That is another cost saving. And I mentioned there is intelligent service insertion and traffic symmetry, so you get better utilization of your VM-Series capacity as well. There are cost savings in multiple angles. I would encourage whoever asked that question to contact us, and we could go into a more detailed discussion on that.

David:
Right, yeah, that makes sense, right? The autoscaling, the ability to right-size your Palo Alto VM-Series deployments and not over-provision for the peak. There’s a lot of elements of cost savings that come in that question. As you’ve seen, building a global multi-cloud network, that happens using the intuitive digital design canvas where you drag and drop your entire network and provision that within minutes. We talked about the enterprise-grade security which is provided by the integration of the Palo Alto VM-Series Firewalls into the Alkira Cloud Service Exchange solution, and you’ve seen the benefits of that. I think we’ve spoken at length about the benefits of the joint solution. The delivery mechanism of as-a-service as opposed to do-it-yourself, or an alternated way. It’s really groundbreaking to think about that the networks and the networks for the cloud with integrated firewall security can really be delivered as-a-service without any need to procure additional hardware, download additional software. It’s literally offered as a service. Just like the clouds themselves, right? One-click provisioning and operational excellence, these are all the points that have all been mentioned when you presented Alkira solution. This has been great. You are more than welcome to read the blog that was published by the VP of Product Management at the Palo Alto Networks. You’re more than welcome to download the Solution Brief and the Integration Guide, which will reemphasize many of the points that we’ve made today.

We also encourage all of you to navigate to alkira.com website where you can request a demo, and register for Alkira service and get all of this goodness that Alex and Robin talked about for your own multi-cloud deployment with integrated Palo Alto VM-Series security. With that being said, I wanted to thank everybody for attending this webinar. We are looking forward to seeing you in our upcoming webinars. This is going to be a regular cadence, so please tune in. Follow us on Twitter and on LinkedIn. We would love to get your feedback, so at the end of this webinar we encourage you to rate this webinar, so we can deliver more of this quality content to you. I wanted to thank the presenters, Alex, Robin, thank you very much for the great job, and have a good day, everybody.