Welcome to theCUBE's coverage of KubeCon EU 2024, live from Paris, France. Join hosts Savannah Peterson, Dustin Kirkland, and Rob Strechay as they interview some of the brightest minds in cloud-native computing. Coverage of KubeCon + CloudNativeCon is brought to you by Red Hat, CNCF, and its ecosystem partners. theCUBE's coverage of KubeCon EU 2024 begins right now.

And welcome back to KubeCon + CloudNativeCon EU here in Paris, live all week long. We're unpacking what's going on in cloud-native Kubernetes, and really one of the sticking points, as somebody who was a former Amazonian, I always knew one of the big pinch points was always networking. And there's things like service mesh here, and we're going to kind of jump into that with Mitch Connors from Aviatrix, who also does double duty working with Istio. And also joined by Dustin Kirkland. Thank you for coming on board and helping me unpack this, because I think this stuff is just so interesting, how bringing it all together is just like that, like literally the service mesh brings it all together. And I think that, you know, for cloud-native. So, you know, what's new with Istio? I know there was an announcement this week and there's a lot of stuff going on.

Yes, so we've been working for a long time towards boringness in the project. And we've got some announcements that I think are both very exciting and very boring at the same time.

Boring by design.

And the big one, of course, is that ambient mode, which is a sidecarless service mesh we've been working on for the last two years, is finally moving forward to beta in our next release. We took a long time in alpha. We learned a lot of lessons as we heard from users about it. And we think at this point that it's going to be ready for primetime use come May. So we're very excited about that development.

Well, that's pretty soon. May, going, so how long has it been in alpha?

It went to alpha at KubeCon EU last year. So it'll have been 12 months.
Wow, that's excellent. I think, again, when you look at Istio and you look at, there's a number of different companies that are built on top of Istio, and they solve part of the problem, I would say. And I think it's, again, for Kubernetes, they're solving the problem. But Aviatrix, you guys had an announcement this week as well, bringing Kubernetes to your product.

Yeah, we did. I think something that you don't really realize at a conference like this is that only 10% of enterprise apps have migrated to containers today. So this is what, KubeCon's been going now for eight to 10 years, and we're still at day zero. We're only at 10% completion of sort of what we've set out to do. And what that means is that a Kubernetes-only solution for networking solves 10% of your problem as a large enterprise. So my move to Aviatrix was very strategic. I wanted to work on the 90% problem and then also serve the 10% problem, and that's what our announcement this week is all about. Our customers have trusted us for years with their Layer 3 networks, with VMs and VPCs. We have a great reputation in that space, and today we're announcing that our features are going to be extending to Kubernetes services with our Distributed Cloud Firewall for Kubernetes.

Tell us a little bit more about that. What's a distributed cloud firewall for Kubernetes?

So a distributed cloud firewall is pretty cool. You get to write your firewall rules, but you don't ever think about where they're going to run, because they run everywhere. Anywhere there is a gateway moving traffic from one subnet to another, it will enforce that firewall rule. So we've done that for a year now. It's pretty well proven out. If you have things like auto-scaling groups in your VMs, you don't need to worry about the fact that you're getting new IP addresses added all the time to that ASG. It's going to be automatically updated and enforced across the board.
So I got to Aviatrix and started looking at the technology and went, well, auto-scaling groups, that's Kubernetes. That auto-scaling is precisely what Kubernetes is built to solve. So it was really just a very small engineering effort to go that last mile and say, well, now we support it for auto-scaling groups, VMs, VPCs, but also Kubernetes services and pods.

So let's take a step back, because I think that anytime I get into this conversation, people are like, well, service mesh does that. And I'm like, well, not really. I mean, being a networking guy from way back in the day, there's a whole, the stack that you look at, the OSI stack, all the way up to Layer 7, which is really where service mesh is playing, right? It's more at Layer 7. Help people understand what the differences are between traditional networking and service mesh.

So traditional Layer 3 networks are going to be based on IP address as a form of identity. So if you want to talk about, do I have a right to get from one place to another, it's always about IP addresses. Service mesh really advanced the state of the art by saying we can make identity irrelevant to IP address. So you take your app, you move it from Amazon to Microsoft to somewhere else. The identity is actually cryptographic and moves with the application, and you don't need to worry about location. However, that problem is solved uniquely for Kubernetes using the magic of automatically being able to control your orchestration. Because we don't have those same controls for VMs in place today, VM-based applications, or hybrid, which is the case for most enterprises, need a better solution. One that can bridge the gap from that Layer 3-centric world to those Layer 4- and Layer 7-centric worlds.

Yeah, and I'm guessing this is a scale problem, right? I mean, the scale of VMs multiplied how many physical machines there were out there, but now we do that exponentially more with containers, right?
Like, give us some sense of the scale of the complexity of this problem.

Yeah, I had to go through this with my engineering team, because of course Distributed Cloud Firewall was built for VMs. And so it's built to watch collections of VMs, and they'll change over time and update IP addresses. And they said, you know, we really built this thing for a lot of change. We're expecting a new IP address every hour. Okay, well, so now we've got to talk about a new IP address every five to 10 seconds in a large enough cluster. And you've got about five seconds to propagate that change out to all the gateways that need to enforce those firewall rules. So realistically, it's not a solution you couldn't do by hand. You could have someone watch those IP addresses change over time and key them into your firewall rules and have exactly the same functionality. I think it's a little bit easier to use Aviatrix.

Yeah, I think automating it is, I think, again, this is one of those things, you know, when we look at it and you had, you know, people like Isovalent being bought by Cisco, kind of bringing the security, going into their security business unit and bringing that security in there. And you have a number of other companies actually being bought, like Cloudflare going out and buying a Nefli or Nefli or whatever. I can't even- Nefli. Nefli? I think it was Nefli, but- I think those might be two separate places. Oh. Yes, they may be, but anyway, it started with an N. And when you started to look at, you know, I hate to say it this way, but networking used to be boring. Like before, I mean, it was difficult, but it was boring. Now it seems, in a multi-, we're big believers in a multi-cloud world that's hybrid and things are living everywhere. Are you seeing that applications, that certain pieces of logic are in colo, certain pieces of logic are on-premise, like databases tied to mainframes or something of that nature, with Kubernetes front ends up in the cloud?
Is that really how people are building these applications?

That's not just the current state, because that's true currently. That's the permanent state of enterprise networking. My first engineering job was at a software, financial services company. This was in the late 2000s. And the main thing that I was doing was tying their web applications to their mainframe applications. And those mainframes are still running today at most financial services companies. So when you talk about VMs going away, I'll say, well, yeah, as soon as the mainframe goes away, we can get to getting rid of VMs.

Well, I think that's a funny thing, because OpenShift actually runs on a version of z/OS on mainframes. So you can actually run Kubernetes on a mainframe.

Oh, I have to try that. That sounds like a lot of fun.

It's very interesting, because then you can bring different components there. And I think it's, again, one of these, the circular economy and being sustainable, it's a big server. But at the same time, it's highly redundant. It has some really good efforts to it. But to your point, just the traditional apps are not going away.

Yeah, a service mesh that does not address the need for VMs, and VMs at scale, not just a handful here or there, is not going to be viable for the enterprise for a number of years to come.

Now, being able to treat hardware, VMs, and containers all as first-class citizens within the same logical language and frameworks, I mean, that's powerful from a developer and a platform engineer's perspective.

We need to get back to being boring. We lost sight of it for a while, but we're working on it.

Yeah, I was saying that it's always interesting when it seems like each cloud vendor is coming out with a new networking term. And then you have the colos, which have their own networking. And then you have people who are buying fiber and putting it and deploying it and having other networks.
It seems like there's just so many opportunities for chaos in the network. Do you see organizations really trying to wrap their hands around it and centralize that process? Is that a big piece of it? And not only that, but to secure it. Because the securing it is the great, I can connect it up, I put a VPC here. But how do I transit those different networks?

Yeah, I do think enterprises are trying to do that. I don't think that they're seeing a lot of products on the market that fit terribly well today. And so the area where that tends to land is within platform engineering. Platform engineers take on the responsibility of understanding the Layer 3 network, the Layer 4 network, the Layer 7; they'll bring in some SecOps people who understand the security tooling both from a network perspective and from a software supply chain perspective. They put all that together into one package so that the rest of the enterprise doesn't need to be actively aware of which service mesh am I using, which region am I running in. They can just get back to writing software that works well while the platform engineers solve that problem. But I do see these platform engineering teams, they're being really constrained. They're quite small compared to the number of developers that they serve, and the number of technologies that they need deep expertise in is quite long. So I think the market is ripe for a solution that, instead of requiring them to learn their network twice and to build their network twice, allows them to define it once for everywhere that they run, and that's the bet that Aviatrix is making.

Yeah, can you talk just a little bit about some of the security concerns there, the threat and the risk management that goes into, we started with firewalls, but firewalls plus plus, how are we thinking about that today?

Yeah, I think it's important to remember that you cannot secure what you do not understand.
And the state of the art today in most enterprises is that they do not understand which services they own, what their dependencies are, which direction those dependencies flow in. And so while I want to get to talking about security, and certainly Distributed Cloud Firewall is all about security, at Aviatrix we like to start with telemetry and monitoring. How do you know what policies to write if you have no idea what services are running or where they are? So our customers will come to us for security, but they wind up using the monitoring features first to get an idea of overall what they own, what it's doing, which of these pieces of traffic looks appropriate. Are there any that maybe stand out as concerning to us? And then from there they're able to iterate towards a default-deny security posture, where all traffic is explicitly permitted before it can go through. So I think that's the journey that they're on.

We've talked a lot about SBOMs here, software bill of materials. It sounds like translating that concept to networks. A network goal.

N-BOMs, yeah.

We're going to be dropping N-bombs now? I don't know that I want to go down that road. I really don't. But it was Nefeli, I got it right once out of the 13 times I tried to remember their name. But I think, again, there seems to be consolidation, and people are trying really to understand and make this simpler. And I think, to your point, it seems like you're right in the eye of the storm here. I mean, because Istio and service mesh is really about making container communications for those applications easy, and Aviatrix really aims to do that at the multi-cloud networking perspective and security perspective. How do you see the next year playing out for this? How do you see Istio going further into that and service mesh coming up as it meets kind of things like Aviatrix?

Yeah, I do think you're going to see a lot more integrations as these technologies meet in the middle.
For a long time, we thought about these technologies as competing with one another. And I think really what we're doing now is we're thinking of them as complementary. They each serve their own purpose, they work together really well, and solutions that address security at every layer in the stack are what customers should be expecting. You should never answer the question, what do you want to secure, Layer 7 or Layer 3? That's a sucker's choice. You should have those sorts of security policies at all layers of the stack, and that's going to be accomplished through technologies that work as well at Layer 3 as they do at Layer 7.

Yeah, I mean, it was amusing, because somebody was like, okay, well, if you just do Layer 7, encryption up at Layer 7, you're all set, or Layer 4. And I'm like, you really want to do it below there and really have that, because you want encryption on encryption. Because are you seeing more threats now as organizations build out these applications, especially with GenAI being turned on everywhere, and they're putting, hey, we're going to put our LLM, we're going to build it in Bedrock or something like that, or in Google on Gemini or wherever? Are you seeing people really trying to delve into the security aspects of how their data gets between these different places, these different clouds, because a lot of the data is on-prem still?

Yeah, I think that what the LLM trend and the AI trend has really done for us is that now the key value, companies have come to understand their key value is the data that they can train their models on. It's not the models themselves. It's the data that trains the models, and that data, in order to train on it, has to be perpetually moving across the network. Not just locally on-prem, but from on-prem to cloud to edge, they've got to be transferring data almost constantly.
And so there's a whole new level of security that they need to apply to that, because it's no longer, well, we'll lose a little bit of customer trust if we lose this data. If we lose this data, we've lost the company's entire value statement.

I totally agree. And I think that's actually a really good place for us to end, I think, because again, if we hadn't talked about AI, I think we would have gotten pushed off stage. But thank you for coming on, Mitch, and kind of giving us the update on Istio. Again, I think that it's technology that I love. It's definitely bringing together, and I agree with you wholeheartedly, that it's complementary with what Aviatrix is doing and others out there, and really bringing that together. So thank you for coming on board today.

Rob, Dustin, thanks a lot.

And thank you, Dustin, as well.

You got it, Rob.

Awesome. Back at the bar. Back at the bar. Back at the bar. Well, thank you for watching this episode. Stay tuned for more from KubeCon + CloudNativeCon EU here in Paris. We'll be back shortly.