A Conversation with Daniel Huenink

By Sherry Wei
Founder and CTO, Aviatrix
May 18, 2018

Working at Aviatrix gives me opportunities to meet many smart people, the practitioners and pioneers managing cloud infrastructure. I want to understand and document their cloud journey and perspectives.

Today is my first piece: A Conversation with Daniel Huenink.

Meet Daniel Huenink, Network Architect at Nelnet, a public company in the student loan and repayment business.

Daniel is one of those superstars when it comes to Cisco domain expertise. He has architected and managed networks with Cisco WAAS, VoIP, ASA and ASR. Daniel also has diverse experiences as a database programmer and sysadmin.

We met with Daniel recently, discussing at length a specific routing feature he requested. Afterward, my curiosity caught up with me, and we talked some more. Here is part of our extended conversation with Daniel’s permission.

Sherry: Why did Nelnet move to public cloud?

Daniel: The biggest factor is cost, trying to reduce cost. It enables us to do more with less money so that we can remain competitive with our products and services in the market.

Sherry: How did you learn about Aviatrix?

Daniel: I met you guys at AWS re:Invent, watched the “This is my architecture” video, and attended one of your bootcamps.

Sherry: What did you like about our Aviatrix product?

Daniel: I like the security feature on Aviatrix Transit Network. The fact that a Spoke VPC does not have connectivity to another Spoke VPC unless specified provides the network isolation we need in our highly regulated industry.

In our environment, business units have their own AWS accounts and therefore VPCs. For the most part, they shouldn’t be talking to each other. But if the underlying infrastructure is a fully connected network, then we’ll have to set up VRFs and policies to prevent cross-talk; that added layer of complexity is not what we need.

Sherry: Did you not try Cisco CSR1000v?

Daniel: I did start the POC with CSR1000v, but for the reasons I mentioned above, we decided not to deploy it. In addition to segmentation, adopting CSR1000v implies we would be managing hundreds of BGP sessions, which is a task no one has time to take on.

Sherry: What is your view of security and encryption?

Daniel: Our business requires us to comply with PCI, HIPAA and other government regulations. We get audited often. Encryption for data in transit is a requirement, and data leaving a facility must be encrypted.

Sherry: Where does data encryption happen?

Daniel: Well, data can be encrypted at the application layer or it can be encrypted at the infrastructure layer. We have many applications; some are home grown, and some are commercial off-the-shelf (COTS) apps, which may or may not natively encrypt, so we enforce it at the infrastructure layer. That’s why we deploy encryption over Direct Connect.

Sherry: Do you have a large deployment?

Daniel: Our current deployment is small as we are just starting, but I expect it to grow significantly in the next 3–6 months. We typically like to do an annual contract, but since it’s difficult to predict the usage growth in this case, we switched to the Aviatrix Metered AMI offering. I like the flexibility of the cloud consumption model, where you pay as you consume.

Sherry: How do you plan to manage a large deployment?

Daniel: Automation. We are going to try to automate as much as possible. I have looked at the Aviatrix Python SDK and REST API. It is currently written for Python 2.7. I updated it in my own environment to 3.0. It seems to work fine.

Sherry: That’s awesome. Since these are just HTTPS calls, they should work with either Python 2.7 or 3.0. We are short in the SDK compared to our REST APIs. You will be more than welcome to contribute to our SDK open source project!

Anything else you may be interested in looking into?

Daniel: We enabled the NAT function on the Spoke gateway for Internet access. We may be looking into the FQDN function for egress control in the future.

Sherry: Sounds great. Let’s sync up again later; I would love to learn more as your deployment gets bigger.
