(upbeat music) >> Hello, everyone. Welcome to theCUBE Studios here in Palo Alto. We're here for our next segment, The future of networking. And we're going to experience the future of networking through a demo of SD-WAN in action with Riverbed. I'm here with Josh Dobie, the Vice President of Product Marketing, and Vivek Ganti, Senior Technical Marketing Engineer. We're going to give a demo of SteelConnect in action. Guys, thanks for joining me on this segment. Let's get into it. What are we going to show here? Showing SD-WAN in action. This is experiencing the future of networking. >> Thanks, John. So what's exciting about this next wave of networking is just how much you can do with minimal effort in a short amount of time. So in this segment, we're actually going to show typical transformation of a company that's going from a traditional 100% on-premises world. Into something that's going to be going into the cloud. And so we're going to kind of basically go in time lapse fashion through those phases that a company will go to to bring the internet closer to their business. >> Okay, Vivek, you're going to show a demo. Set up the demo, what is the state? It's a real demo? Is it a canned demo? What's going on under the hood? Tell us through what's going to happen. >> It's an absolutely real demo. Everything you'll see in today's demo is going to be the real appliances. The links you'll see are going to be real. The traffic is going to be real. And it's going to be a fund demo. >> Well, the future networking and experiencing it is going to be exciting. Let's get through the demo. I'll just say as someone who's looking at all the complexity out there, people want to be agile, just so much complexity with IoT and AI, and all this network connections. People want simplicity. So you need to show simplicity and ease of use and value. I'm all interested. >> That's exactly it. Step one is we have to get out of the world of managing boxes. And we have to get into a software-defined world that's based on policy. So one of the first things that a company needs to do to start realizing these benefits of efficiency is to get away from the provisioning work that's involved in bringing up a new site. So that's the first thing that Vivek's going to show right now. >> John: Jump into it. Show us the demo. >> Vivek: Absolutely, so what you're looking at right now is the web console of SteelConnect Manager. This is Riverbed's SD-WAN solution. You're looking at a bunch of sites, a file company called Global Retail, which is spread all over the world. What I'm going to do now is bring up a new site, really zero touch provisioning, in Dallas, sitting here in Palo Alto. So let's get started. I'm going to jump right into Network Design and look at sites. I'll click here on Add Sites, and really just enter a few physical location details for my site in Dallas. And the moment I click here on Submit, not only is a pointer being created on the map for me, but there's a lot of automation and orchestration happening in the backend. What I mean by that is that there's a default uplink created for my Dallas site. And there's also a VLAN created for my site in Dallas. Of course, I can go and add more uplinks and VLANs for my site. But then a lot of this heavy lifting in terms of creating days is automatically done for me by SteelConnect. But right now it's just a pointer on the map, it's not a real site, we don't have an appliance. But that's the beauty of it, John. What SteelConnect let's me do is it gives me the flexibility and the freedom to deploy my entire site from ground up, my entire network from ground up, before I deploy the first piece of hardware. The way I'm able to do that is with this concept called shadow appliance, which is really a cardboard cutout of what will be once I have the hardware appliance. So I'm going to click here on Add Appliances. I'm going to say Create Shadow Appliance-- >> So shadow appliance, the customer knows the appliance. It might have the serial number. >> Yeah. >> But it's not connected, it's not even there yet. >> No, it's not even there yet. >> They're doing all the heavy lifting preparing for the drop in. >> Yeah, think of it as just designing it or drawing it on a white paper, except you get to see what your network's going to look like before you deploy anything. So I'm going to drop, let's say, and SDI-130 gateway, add my site in Dallas, which I just created. And click here on Submit. And that's the beauty of this, that now with this Shadow Appliance, I can click on this and really configure everything right down to the very port level. And once I do have the hardware, which I ship to someone and have someone plug it in. >> So now you configure, now the appliance could ship there. It could be anybody, it could be a non-employee, just says instruction, plug it in, and put this ethernet cable in. >> I'm sitting here in Palo Alto, I'm entering my appliance serial number. Click here on Submit. And now that the appliance is connected to the internet, it knows to contact Core Services in the cloud, download its configuration, it knows what organization it belongs to. And it comes online in a matter of seconds, really. You'll see that it's already online as I was talking to you. >> John: Let's just look at that, hold on, Dallas right there. >> Vivek: Yeah. >> John: Online, okay. >> Vivek: And when it says Pending, it means that it's actually downloading its current configuration. It's going to be up-to-date in less than a minute. And once it does that, when I look at the dashboard, this check mark will be green and it's going to start forming all its Ipsec VPN tunnels. >> It just turned green. >> Vivek: There you go. It's going to now start forming all those IPsec VPN tunnels to all my other existing sites automatically for me so that I don't have to do any of the heavy lifting. >> John: So does the self-discovery of the network, it just went red there real quick. >> Josh: That's okay, this is where it's going to start creating the VPN tunnels. >> Vivek: Right, it's basically associating all those, it's negotiating all the security associations with all my other appliances. >> So no one's involved? No humans involved. This is the machine, get plugged in, downloads the code. Then goes out and says where do I got to connect to my other networks? >> Yeah, the power of this is what you're not doing. So you could do all this by hand. And this is the way that legacy networks are configured, if you're still in a hardware-based approach. You have to go in and really think hard about the IP addresses, the subnets for each individual box, if you're going to create that full mesh connectivity, you're going to have to do that at an exponential level every time you deploy a new piece of hardware. So with this approach, with the design first, you don't have to do any staging. And when you deploy, the connectivity's going to happen for you automatically. >> John: Let's take a look at the sites, see if it turned green. >> Vivek: It's right now, if I click on it, you'll see that my appliance is online. But right now all the lines are red because it's still in the process of creating those IPsec VPN tunnels. But you'll see that in the next couple of minutes or so, all these lights will turn green. And what that means is now I have a single unified fabric of my entire network. But while we're waiting on that, let's actually move ahead and do something even cooler. Let's say our company called Global Retail wants to transition some of its applications to the cloud, because as we know, John, a lot of companies want to do that. For a few pennies on the dollar, you can make a lot of things somebody else's problem. So we've worked really hard with AWS and Microsoft to make that integration really work well. What I mean by that is when I click here on Network Design and EWS, I have a cross account access going between my SteelConnect Manager and AWS Marketplace so that I don't ever have to log back in to the AWS Marketplace again. Once I do that, I can see all of my VPCs across all of my regions, so that with a single click, and that's what I'm going to do here, I'm going to say connect to all my subnets in Frankfurt. I can choose to deploy a gateway instance of my choice in the Frankfurt site. So what I'm going to do now-- >> John: So you're essentially is telling Frankfurt, connect to my Amazon. And I'm going to set up some cloud stuff for you to work with. >> Vivek: So you already have your VPC infrastructure, or your VNET infrastructure in AWS or Azure. What I'm doing is I'm providing optimized automated connectivity for you. So I can choose to-- >> John: All with just one click of the button. >> Vivek: All with one click of a button. So you see that I can choose an EC2 and it's my choice. For the gateway I'm going to leave it to t2 medium. And then SteelHead, because WAN optimization, because the moment we start migrating huge datasets to the cloud in Frankfurt or say Ireland in Azure, latency becomes a real issue. So we want to be sure that we're also optimizing the traffic end-to-end. I'm going to leave redundancy to On so that there's high availability. And I'll leave AWS Routing to Auto. And I'll talk about that in just a bit. So when I click here on Submit, what's happening is SteelConnect is logging into my AWS account. It's looking at all my VPCs, it knows what subnets it has to connect to. It's going to plop a gateway appliance as well as a WAN optimization appliance, do all the plumbing between those appliances, and make sure that all the traffic is routed through the SteelHeads for WAN optimization. And it creates all the styles for me automatically. And the beauty of this solution, again, is that not only does it provide automated connectivity for me between say different regions of AWS, but also between AWS and Azure. We have suddenly become the cloud brokers of the world. We can provide automated optimized connectivity between AWS and Azure. So let me show that to you also. >> John: Yeah, show me the Azure integration. >> Vivek: So I'm going to search for maybe subnets in Europe, Ireland, I'm going to connect to that. The workflow is exactly the same. Once I do Connect, it gives me the option to deploy an instance of my gateway and my SteelHead. So I'm going to select that and then click on Submit. So now when I go back to my dashboard. You'll see that, oh, by the way, my Dallas site is now online and when I click on it, you'll see that all my tunnels have also come online. >> John: Beautiful. And Frankfurt and Ireland are up and running, 'cause you have the Amazon and Azure piece there. >> Vivek: It does take about four or seven minutes for those appliances to come online. They download their latest firmware, but that's not-- >> John: Minutes aren't hours, and that's not days. >> Vivek: Exactly, not hours, not days, not weeks. >> Right, I mean, a key use case here, when you think about cloud connectivity today, it's still rather tedious to connect your on-premise location into these cloud-based virtual environments. And so what network operators do is they do that in as few locations as possibly, typically in a data center. And what that means is now you're limited, because all the traffic that you need to go into those environments has to get back-called into your data center before going there. So, now, because this is automated, and it's all part of that same secure VPN, if you have some developers that are working on an app and they're using infrastructure as a service as part of their work, they can do that from whichever remote office they're sitting at, or their home office, or at a coffee shop. And there's no need to create that additional latency by back-calling them to the data center before going to the cloud. >> So all that stuff gets done automatically on the networking side with you guys. >> Exactly, exactly. So step one is really creating this easy button to have connectivity, both on-premises and in the cloud. >> Connectivity with all those benefits of the tunneling, and stuff that's either preexisting, or has been set up by (drowned by Josh). >> Exactly. Secure VPN, full mesh connectivity, across all the places where you're doing business or you need assets to run the cloud. Then the second phase is, okay, how do you want to dictate which applications are running over which circuits in this environment. And this is where, again, with a legacy approach, it's been really tedious to define which applications should be steered across one link, if you can identify those applications at all. So what Vivek's going to show next is the power of policy, and how you can make it easy to do some things that are very common, steering video, steering voice, and dealing with SaaS applications in the cloud. So you want to give 'em (mumbles) that? >> Vivek: Absolutely. So let's go to Rules and let's create a new traffic rule, say, I want to make sure that across all my sites for my organization, I want video, which is a bandwidth intensive application, as we all know. Doesn't really choke up my MPLS link, which is my most precious link across all my sites. I should be able to configure that with as much ease, as I just said it. So let's do that. We can do that with software defining intelligence of SteelConnect. I can apply that rule to all my sites, all my users, and I'm going to select applicationS where I search for video. There's already a pre-configured application group. For video, I'm going to select Online Collaboration and Video. And under Path Preference, I'm going to say that for this application, don't use my MPLS as my primary, >> John: And the reason for that is to split traffic between the value of the links cost or importance. >> Vivek: Exactly. Load balancing is really important. So I'm just going to save that is my primary-- >> John: Applying people that are watching YouTube videos or-- = (laughs) Yeah. Exactly, exactly. >> Video is one of the biggest hogs of balance. It's basically creating an insatiable demand. So you definitely need to look for your best option in terms of capacity. And with the internet broadband, maybe you're going to sacrifice a little bit on quality, but video deals with that pretty well. But it's just hard to configure that at each and every single box where you're trying to do that. >> Vivek: Yeah. As opposed to configuring that on each and every individual box, or individual site I'm creating that's globally applying rule to all my sites. And I'm going to select MPLS as a secondary. I'm going to set a path quality profile, which means that if there's some severe degradation in my internet link, go ahead and use my MPLS link. So I'm going to say latency sensitive metrics. And I'm going to apply a DSCP type of high. Click here on Subnet. And the moment I turn this rule on, it automatically updates all of the IPs, all of the uplinks, all of the routes across my entire organization. >> John: So you're paying the quality of service, concepts, to all dimensions of apps. >> Absolutely, whether it's from video-- >> Video, Snapchat, live streaming to downloading, uploading. >> Vivek: Yeah, and I can create the same kind of rule, even for voice where maybe I have my MPLS, since that's my primary and most precious link available for all my sites. Have as a primary in my secondary as my route VPN, which is my-- >> John: If you're a call center, you want to have, probably go with the best links, right? >> Vivek: Exactly, and assign it to DSCP type of urgent so that that traffic is set at the expense of all my other traffic. >> John: Awesome. That's great suff. Policy is great for cloud, what about security? Take us through a demo of security. >> So that's a really good question. I mean, as soon as you're starting to use internet broadband connectivity in these remote locations. One of the first things you think about is security. With the secure VPN connectivity, you're assuring that that traffics encrypted, end to end, if it's going from branch to data center, even branch into cloud. And that was really step one that Vivek showed earlier. Step two is when you realize, you know what? There's certain applications that are living in the cloud, things like Office 365, or Salesforce.com that truly are a trusted extension of our business. So let's turn that spigot up a little bit and let's steer those applications that we trust direct from branch to the internet. And by doing that, we can avoid, again, that back-call into the data center. And with an application-defined approach, this becomes really easy. >> Vivek: Yeah, and I can do that with a very simple rule here, too. I'm going to apply that rule to all my sites. I'm going to say for application, let's say, trusted SaaS apps, like Salesforce, Dropbox and Box. I'm going to select a group called Trusted SaaS apps. And now under Path Preference I'm going to say for these applications, I know that I've said on organization default, that for all my traffic, go over my MPLS link, and break out the internet that way, but for some applications that I've defined as trusted SaaS apps, break out to the internet directly. >> John: Those are apps that they basically say are part of our business operations, Salesforce, WorkDay, whatever they might be. >> Vivek: Absolutely. So you're opening that spigot just a little bit, as Josh was talking about. And I can choose to apply a path quality profile so that there's a dynamic path quality based path selection, and apply, of course, priority. I'm going to leave it to high and Submit. And the powerful thing about this is even though I've applied this to all my sites, I can choose to apply this to individual sites, or maybe individual VLAN in a site, or an individual user group, or even a single user for follow the user policies. And that's the entire essence of the software-defined intelligence of SteelConnect. The ease with which we can deploy these rules across our entire organization or go as granular to a single user is a very powerful concept. >> Josh: One of the things, too, John, in terms of security, which you were asking about earlier is that not only is a policy-base approach helping you be efficient, how you configure this, but it's also helping you be efficient in how you audit, that your security policies are in place. Because if you were doing this on a box-by-box basis, if you really truly wanted to do an audit with a security team, you're going to have to look at every single box, make sure there's no typo whatsoever in any of those commands. But, here, we've just made a policy within the company that there are certain applications that are trusted. We have one policy, we see that it's on, and we know that our default is to back-call everything else. And so that becomes the extent of the audit. The other thing that's interesting is that by just turning off this policy, that becomes your rollback. The other thing that's really hard about configuring boxes with lots of commands is that it's almost sometimes impossible to roll things back. So here you have a really easy button on a policy-by-policy basis to rollback if you need to. >> John: And just go clean sheet. But this path-based steering is an interesting concept. You go global across all devices. He has a rollback and go in individually to devices as well. >> Josh: That's right, that's right. Now this next click of bringing that internet closer to you is where you say, "You know what? "In addition to trusted SaaS applications, "let's go ahead and half even recreational "internet traffic, go straight from the branch out to the internet at large. >> John: Love that term recreational internet. (Josh laughs) I's just like the playground, go play out there in the wild. (all laughing) There's bad guys out there. But that's what you mean, there's traffic that's essentially, you're basically saying this is classified as assume the worst, hope for the best. >> Right, exactly, and that's where you do have to protect yourself from a network security standpoint. So that next step is to say, okay, well, instead of back-calling all of that recreational dangerous internet traffic, what if we could put some more powerful IDS/IPS capabilities out there at the edge. And you can do that by deploying traditional firewall, more hardware at those edge devices. But there's also cloud-based approaches to security today. So what Vivek is going to show next is some of the power of automation and policy that we've integrated with one cloud security broker named named Zscaler. >> Vivek: Zcaler, yes. >> John: Jump into it. >> Vivek: Our engineers have been working very closely with engineers from Zscaler. And really the end result is this. Where we do a lot of the heavy lifting in terms of connecting to the Zscaler cloud. What I mean by that is what you're looking at on the SteelConnect interface, going back to that entire concept of a single pane of glass is that you can see all your Zscaler nodes from SteelConnect right here. And on a side-by-side basis, we will automatically select for you what Zscaler nodes are the closest to you based on minimum latency. And we select a primary and a secondary. We also give you the option of manually selecting that. But, by default, we'll select that for you. So that any traffic that you want to break out to the internet will go to the Zscaler cloud like it's a WAN cloud by itself. So I can go to my organization and networking default and say that, hey, you know what? For all my traffic break out, by default, to the Zscaler crowd as the primary, so that it's all additionally inspected over there for all those IDS and IPS capabilities that Josh was talking about. And then break out to the internet from there. And that's, again, a very powerful concept. And just to remind you, though, the traffic patrol that we just created for trusted SaaS apps will still bypass the Zscaler cloud, because we've asked those applications to go directly out the internet. >> John: Because of the path information. But Zscaler about how that works, because you mentioned it's a cloud. >> Vivek: Yes. >> John: Is it truly a cloud? Is it always on? Whats' the relationships? >> I mean, this is what's interesting. And the cloud is basically a collection of data centers that are all connected together. And so some of the complexity and effort involved in integrating a cloud-based security solution like Zscaler is still often very manual. So without this type of integration, this collaboration we've done with them, you would still have to go into each box and basically manually select and choose which data center of Zscaler's should we be directing to. And if they add a new data center that's closer, you would have to go and reconfigure it. So there's a lot of automation here where the system is just checking what's my best access into Zscaler's cloud, over and over again. And making sure that traffic is going to be routed (drowned by John). >> And so Zscaler's always on, has like always on security model. >> Active, backup, exactly, there's many of those locations (drowned by John) as well >> All right, so visibility now as the internet connections are key to the zero-touch provisioning you guys demoed earlier. IoT is coming around the corner and it's bringing new devices to the network. That's more network connections. So we're usually there, who was that person out there? Who was that device? A lot of unknown autonomous... So how do I use the visibility of all this data? >> Yeah, visibility's important to every organization. And once we start talking about autonomous networks, it becomes even more important for us to dive deeper and make sure that our networks are performing the way we want them to perform. It goes back to that entire concept of trust but verified. So I'm creating all these policy rules, but how do I know that it's actually working? So if you look at my interface now. Actually, let's pause for a second and just enjoy what we've done so far. (John and Josh laugh) You'll see that my-- >> A lot of green. >> Vivek: A lot of green and a lot of green lines. So this is my site in AWS, which I just brought up and this is my site in Ireland. So if I click on the tunnel between-- >> John: Are those the only two cloud sites or the rest on-premise? >> Vivek: The rest are all on-premise, exactly. So if I want to, say, click on the tunnel over here between my Azure site and my AWS site, which I just brought up. It gives me some basic visibility parameters like what's my outbound and inbound true port, what's my latency jitter and packet laws? We don't see any real values here because we're not sending any data right now. >> John: Well, if you would, you would see full connection points. You can make decisions, or like workloads to be there. So as you look at connection to cloud-- >> Vivek: It's all real-time data, but if you want to dive in deeper, we can look at what we call SteelCentral Insights for SteelConnect. So you can look at-- >> Whoa, you're going too fast. Back up for a second. This is an insights dashboard powered by what data? >> Vivek: Powered By the data that is being pulled from all of those gateways. >> Those green, all those points. >> Vivek: All those green points. >> John: So this is where the visualizaiton of the data gives the user some information to act on, understand, make course corrections, understanding success. >> Exactly. >> John: Okay, now take us through this again, please. >> Vivek: So you can look at what your top uplinks. Also I'm looking at my site in New York City, so I can look at what my top uplinks are, what my top applications are, who are my top users. Who's using BitTorrent? I can see here that Nancy Clark is using BitTorrent, so I might have to go ahead and create a rule to block that. >> Talking about what movies she's got. >> Or have a chat with her. Yeah. >> What kind of movies she just downloaded, music. So you can actually look at the application type. So you mentioned BitTorrent. So same with the video, even though you're passed steering, you still see everything for this? >> Vivek: Absolutely. >> Exactly, I mean, this is application-defined networking in action, where the new primitives that network administrators and architects are now able to use are things like application, user, location, performance SLA, like the priority of that application, any security constraint. And that's very much aligned to the natural language of business. When the business is talking about which users are really important for which applications that they're sending, to which locations. I mean, now you have a pane of glass, that you can interact with that is basically aligned to that. And that's some of the power there. >> John: All right, so what are you showing here now? Back to the demo. >> Vivek: Back to the demo. The next part of the demo is actually a bonus segment. We're going to talk about integration with Xirrus Wifi. We recently announced that we are working with Xirrus. We bought them. And we're really excited to show how these two products, Xirrus Access Point, Xirrus Wifi and SteelConnect can work hand in glove with each other, because this goes back to the entire concept of not just SD-WAN, but SD-LAN for an end-to-end software-defined network. So what I want to show you next is really hot off the pressess-- >> John: And this is new tech you're showing? New technology? >> Vivek: Yes. >> Josh: So when SteelConnect was launched last year, there are wifi capabilities in the gateways that Vivek showed during the zero touch provisioning part. Xirrus is well regarded as having some of the most dense capabilities for access hundreds-- >> John: Like stadiums, well, we all know that, we all live that nightmare. I've got all these bars on wifi but no connectivity. >> Exactly, so stadiums, conventions. When you think about the world of IoT that's coming, and just how many devices are going to be vying for that local area wifi bandwidth. You need to have an architecture like Xirrus that has multiple radios that can service all those things. And so what we've been doing is taking the steps as quickly as possible to bring the Xirrus Wifi in addition with the wifi that SteelConnect already had into the same policy framework. 'Cause you don't want to manage those things necessarily going forward as different and distinct entities. >> So SteelConnect has the wifi, let's see the demo. >> Exactly. So I'm now moving to a different overview where we have about four or five sites. And I'm going to go ahead and add an appliance. And I'm going to add the Xirrus access point, and deploy it in my site at Chicago. So I just click here on Submit and you'll see that the access point will come online in less than a minute. And once it does come online, I can actually start controlling the Xirrus access point, not just from the XMS cloud, which is the Xirrus dashboard, but also from SteelConnect Manager. Going back to that concept of single pane of glass. So-- >> John: We have another example of zero-touch provisioning. Scan the device, someone just plugs it in and installs it. Doesn't have to be an expert, could be the UPS guy. Could be anybody. >> Vivek: Anybody. Just connect it to the right port, and you're done. And that's what it is here, so you'll see that this appliance in Chicago, which is a Xirrus Access Point, is online. And now I can go ahead and play with it. I can choose to deploy an SSID and broadcast it at my site in Chicago. You see that I'm already broadcasting Riverbed-2. And when I go to my XMS dashboard, I can see that one access point is actually op. This is the same access point that we just deployed in the Chicago site. And that profile called Chicago is already configured. So when I click on it, I can see that my SSID is also displaying over here. And I can do so much more with this interface. >> John: It really brings network management into the operational realm of networking. Future experience of networking is not making it as a separate function, but making it integral part of deploying, provisioning, configuring. >> Exactly, and the policies to automate how it's all used. So if we just take a step back. What we literally did in just a few minutes, we deployed a new location in Dallas without anybody needing to be there other than to plug in the box. We extended the connectivity from on-premises, not only into one cloud, but two clouds, AWS and Azure. We started leveraging public internet in these remote sites to offload our MPLS for video. We steered SaaS applications that were trusted out there directly to the internet. And then we pulled in a third-party capability of Zscaler to do additional security scrubbing in these remote locations. That applies to every single site that's in this environment. And we literally did it while we were talking about the value and the use cases. >> Great demo, great SD-WAN in action. Josh, Vivek, thanks for taking the time to give the demo. Experiencing the future of networking in real time, thanks for the demo, great stuff. >> Thanks, John. >> This is theCube watching special SD-WAN in action with Riverbed. Thanks for watching, I'm John Furrier. (electronic music)

>> Announcer: Live from Washington DC, it's CUBE Conversations with John Furrier. >> Well, welcome to a special CUBE conversation here at Amazon Web Services headquarters in public sector, in Washington DC, actually, in Arlington, Virginia. It's a CUBE coverage on the ground in Washington DC. Our next guest is Shannon Kellogg, who's the Director of AWS Public Policy in Americas, here, joining us. Thanks for spending the time with us. >> It's a pleasure to be here. >> So obviously, public policy is a big part of public sector, hence the success you guys have had. Amazon's had great success. I mean, you go back four years ago, the shock heard all around the cloud was the CIA deal. >> Shannon: Indeed. >> And since then, there's been this gestation period of innovation. You guys have been penetrating, doing a lot of hard work. I know how hard it is. And kind of knowing the DC culture, how hard was it, and hard is it for you guys now? Is it getting easier? I mean, policies, got a lot of education involved, a lot of moving parts. >> Yeah, well, I joined over five years ago. And when I joined, there was very little understanding that Amazon was even in the cloud computing business. And so we really had to start from scratch. And so it was just basic education and awareness work. And I wouldn't call that easy, but it certainly was in a different time where people were curious about Amazon, AWS, and cloud. What is cloud computing? The cloud computing directive of the Federal Government, Cloud First Policy, had just come out a year prior, and so there was a lot of curiosity. So people were willing to talk. People were curious, but they didn't really understand what cloud computing was. And again, they didn't even realize AWS was in that business. >> And back at that time, and I know you have a tech history over at EMC before and RSA. You know the tech game. You've seen many waves of >> Shannon: I have. >> innovation, and it's almost a time where you saw some interesting shadow IT developing. Shadow IT term referred to kind of a in-the-shadows experiment. You put your credit card down and get some Amazon, get some cloud, and test, kick the tires, if you will, kind of, without anyone seeing you, called shadow IT. That became a big part of the growth. How much shadow IT has been involved to kind of force Amazon to the table? Did that help? Was that a help-driver for you guys? Was it going on? >> Yeah. Well, it's interesting, because when you look back four or five years ago, there were a lot of first movers in departments and agencies, folks in little units that I had actually even never heard of in some of the big agencies, customers that I would speak to that were experimenting with AWS and commercial cloud. In those days, they were able to take out their credit card and experiment a little bit with it and discover what was possible. And we saw a lot of uptake in interest as a result of some of that experimentation. But really, things started to change in a big way when AWS won the contract to build the community cloud for the intelligence community. And following that win, and as that project was implemented, and in the six months to a year after that award, we saw a lot more interest by agencies to not just experiment, but to go bigger. >> I couldn't get Amazon to confirm. I've tried many times on the CUBE, Jassy and Teresa, to get them to confirm that that was certainly a shadow IT effort, that someone within the CIA came out of the woodwork and said, "Hold on IBM, we have an alternative." >> Yeah, well I can't-- >> (laughing) Conferment denied. I can't comment on that either, but I can tell you that it was a very open, competitive process that we won. And it was a very big deal for the community and a very big deal for us. And that's when we really started to see a number of other agencies and organizations, really, not just experiment with cloud, but how can we leverage this to get the same benefits that the intel community needs? >> And IBM didn't help either. They got cocky. They figured they're going to sue you guys and ended up amplifying it, where the judge actually said on the ruling, "Amazon is a better service." >> Shannon: Yeah. >> I mean, you couldn't get a better testimony. But let's talk about that move. >> There was a resounding public, or resounding legal opinion, and I would encourage your viewers who haven't read it to read it. >> It's well doc, but at SiliconANGLE. Search SiliconANGLE, AWS, IBM, CIA deal, you'll find it. But I think what's notable about that is it's kind of cocky, because the old way of doing things was schmooze, win the ivory tower, have that relationship, lean on that relationship. And the IT just, they were just like going through security at the airport, just whatever, right? >> Shannon: Right. They just checked the boxes. You got to win the C level. That now has changed, where not only at the buying and evaluation process bottoms up, there's a lot of consensus involved. There's now new stakeholders. >> You bet. >> Talk about that new dynamic, because this is a modern trend. It's not just send it to the department for a check box, it's truly agile. Talk about this new, modern procurement process that people are going through. >> You bet, and it's still evolving. But over the last few years, we've seen a lot of interest by federal organizations to shift from what is traditionally a capital expense model to an operational expense model. And you'll probably laugh at me that I actually even remember this. But in the 2015 budget, with the previous administration, President Obama's budget request in 2015, there was, actually, on page 41 of that budget, a line, or actually a paragraph, that talked about how the Federal Government would need to continue to move to commercial cloud services. And in the language, in the budget, it actually talked about the consumption model, the operational expense model versus the traditional capex model. >> Shannon, what is commercial cloud, because, I mean, again, back to the old days, kind of back in my days when I was growing with the industry, you had a federal division that managed all the government stuff, sometimes separate products, right, I mean, absolutely different, unique features >> Yeah, you bet. >> in the government. Now with the cloud, I'm I hearing that this is the same cloud that Amazon runs? Is it a different product. I know there's different private clouds. >> Certainly, our cloud >> But what is the commercial cloud? >> is one option. >> Explain what the commercial cloud is. >> Yeah, our cloud is one option in this area of commercial cloud services. And we think it's a great option. But if you look at the different types of solutions, NIST actually talked about this when they put out the definition on what cloud computing should be described as several years ago. I think the final definition came out in 2011. And at the time, they called public cloud, which we in federal agencies, now, really refer to as commercial cloud, as one of the deployment models. But it also is really emphasizing commercial solutions and commerciality, versus having an agency go out and try to build its own cloud, or to issue a special contract that is controlled by that agency, that does a traditional private-cloud type of build, like for example, California did with CalCloud several years ago. We're seeing more and more agencies move away from that model and into procuring-- >> Why is that? Why are they moving, costly? >> Well, because, yeah, it's-- >> Just like HP and everyone else backed out of the cloud, same reason? >> It's costly, and one thing, looking at CalCloud, and if you haven't sort of looked at what they did with their policy, in 2014 they issued a policy, California did, which basically created a preference for CalCloud. And by August of 2017, they moved away from that preference reversing the policy and then doing sort of a about-face and saying not only is there not a preference for CalCloud, this privately built cloud, anymore in California, but there's going to be a preference for commercial cloud services and leveraging commercial solutions and technologies. >> Is that, again, the same reasons why a lot of commercial vendors like HP, even VMware, and others who kind of backed out of the cloud. It's expensive, it's complicated, right? I mean, is that main driver, or is it of talent? I mean, why did CalCloud move from that to the (mumbles). >> Yeah, I mean, I obviously can't speak for what other >> Well generally speaking. >> companies have done, but I think, based on our observations at the federal level, at the state level, and even internationally, we're seeing more and more governments in their cloud policies focus on how to leverage commercial cloud services, versus build their own, or go out and spend a billion dollars in trying to build their own through a contractor or traditional contractor. >> I talked to Teresa Carlson. >> And by the way, just for the record, in California, it was IBM who actually ended up building CalCloud. >> Nice dig on IBM there, good one. >> So I just talked to Teresa Carlson, and she and I, we talked about the notion of commercializing ecosystem, to bring in tech in with government kind of the mash up or integration culturally among other things, technology. I had an interview with an executive of New Relic, one of Amazon's top customers. I think they were saying they were getting FedRAMP certified. But there's a variety of certifications that you guys offer, essentially, people in the ecosystem, non-governmental, but they can come in and provide solutions. Can you talk about that dynamic, because we're seeing that become a trend now, where folks in the Amazon, or in general tech ecosystems, that says, "Hey, you know what? "I can go in through Amazon and do some business "with the public sector." >> Sure. >> What do you guys offer? Is there a playbook? Is there a roadmap? Is there check boxes? What's the playbook? >> Well, first of all, if you don't, if your viewers don't know what FedRAMP is, it's a Federal Government security evaluation process for cloud computing providers and service providers who want to sell to the US Federal Government. And the framework itself was created on international security standards as well as existing, and evolving in some cases, NIST security standards. And so it's a common security framework that any company of any size can align to. And AWS, because we believe so strongly in security, and because we had a lot of first-mover customers in the Federal Government marketplace, we really invested in that process early. And as a result of that, we meet the FedRAMP requirements at the different security levels that exist. And we were one of the first providers to actually do that. And then partners started working with us and leveraging that. And not just-- >> So what does that mean to the partner? >> resellers or systems integrators. >> They piggyback on your certification, or they have to do some modifications? It's like the stamp of approval. You can't get into the party without it, right? >> Yeah, you have to have FedRAMP certification in order to provide certain types of services to the US government. A lot of agencies now require some type of FedRAMP certification to do business with them. It's very common now. >> Any other certifications that they need? >> Well, that's the most common one at the federal level. But there are some department-specific requirements too. So for example, when you look at the Defense Department, they've added additional requirements on top of FedRAMP. And providers like us have to go through those additional processes, and then again, if you're partnering with an AWS, and we've gone through that process, and we made the investments, and you have some software that's based on AWS, that's going to be favorable for you in order to sell to that market segment. >> Take a step back and zoom out, and talk about the big landscape in DC. Obviously, DC's the center of the action for policy and this, obviously, public sector all around the world, as well in the United States. What's the trend that you're seeing? I mean, obviously Amazon is kind of like its own black swan. If you think about it, lowering prices, increasing functionality on a daily basis is the business model of Amazon. They win on scale. Customers are happy with that, and government seems to be happy. Yet, the competitive landscape couldn't have been at an all-time high, certainly Oracle, IBM, Microsoft, the others are competing for the same dollars, potentially. So you have the old guard, as Andy Jassy would say, and you guys, self-described, new guard. What's the landscape look like? How are you guys competing? What observations can you share and the role of policy makers in the middle of it? Are they stuck between all this? >> Well, it's been quite a ride over the last seven or eight years. Again, going back to when the First Cloud Policy was issued by the Federal Government CIO at the time, Vivek Kundra. Very early days, they talked about each agency trying to move three applications to the cloud. And so we're in a much different time now. And there a lot of agencies who are going all in on cloud services. That's actually been really fast forward and emphasized even more over the last couple years, starting with the previous administration and the emphasis that they had. I talked about the 2015 budget, but we also saw a number of other policy initiatives in the previous administration during President Obama's eight years. And then you had the new administration come in and really emphasize this early too. And one of the cornerstone things that's happened by the new administration over the last year has been the development and then the release of the President's report on IT modernization. And they set up a new Office of American Innovation and a new tech council to advise on the development of that report. And they went out, the administration did, and got a lot of input from the industry. And then they came out with a final report of recommendations in December. And they're already moving to actually implement a number of those recommendations and pilot a number of recommendations in agencies. And they're really emphasizing shared services and commercial cloud services as a key part of that effort. And then in tandem with that, and this is probably going to shock you, but in tandem with that, Congress actually worked with the administration to also make a number of changes to law, including in December of 2017, a really important piece of legislation called, The Modernizing Government Technology Act. And that was added to the Defense Authorization Bill for 2018. You know in this town, that's often how legislation moves at the end of the year is through the Defense Authorization Bill. So that legislation was passed, and it really is focused on helping agencies in their IT modernization efforts move again from legacy IT systems to the cloud. And they're not doing that just because it lowers cost, and it's a good thing to do. They're actually doing that as part of a way to improve the Federal Government cyber security posture. And that's the last thing I'll talk about that's happened in the last year is I mentioned what the administration did about its IT Modernization Report. I mentioned also what Congress did with the Modernizing Government Technology Act. Well, there was also a new cyber security executive order that was issued during the year by the President that married those two things. And basically, it made very clear that there's very little possibility to actually improve the security of federal systems without moving forward with the IT modernization efforts and moving to cloud. >> And the cyber warfare we're living in it truly is a cyber war. This is not just hand-waving, IT modernization. It's beyond that, because it's critical infrastructure now being compromised. This is our security, right? It's the state of the security of our people. >> You bet, and quite frankly, we're seeing this trend internationally too. You see more and more governments making this link between IT modernization and improving the country's cyber security posture. We've seen that in the UK. We've seen that in Australia. >> It takes cyber war to fix IT. I mean, is that what we're coming to? Okay, final point is obviously IT modernization is key. I love that that's driving it. We need to go faster. Question for you, Cloud First, certainly a big, initial orientation from the government to go Cloud First. Question for you is do you see the expectations yet in the agencies and throughout public sector for cloud speed, meaning not only like speed in feeds, like moving to an agile outcome, faster delivery, under budget, on time, lower prices. Is that expectation now set, or is it still getting there? >> No, we believe it is being set. And if you look at developments over the last six months I mean, you now have the Department of Defense that has come out with changes to policy to move faster to the cloud. And if you look at the Secretary, I'm sorry, the Deputy Secretary of Defense's memorandum in September of last year, he talked a lot about leveraging cloud computing as part of a way to make improvements in the implementation of technology, such as artificial intelligence and machine learning. And in that memo they talked about that's a national security imperative to do that. And so they're seeing technology, not as the end result, but as a way to enable a lot of these developments and changes. And we've already seen many of those steps forward in the intelligence community. So it's very encouraging to us that we're also seeing now the Department of Defense move in this direction. >> So they're running towards the cloud. They're running towards AI. >> Shannon: They're trying to. >> They're going as fast as they can, because they need to. >> They're trying to. >> Final word on security. What do you hope to have happen in our government in America to really crack the code on cyber security and surveillance all these holes? Especially with IoT, their surface area couldn't be bigger. >> So before I answer that question, one thing I did want to say, because we were talking about the Department of Defense. And you had added a question in earlier about what some of the legacy proprietors may or may not be doing. Well, these two things are married. What we're seeing at the Department of Defense is that they really do want to move faster to the cloud. But you probably noticed in the press that there are many different legacy providers out there. And as our boss would say, Andy Jassy, a lot of the old-guard community, who want to try to slow that transition down. And so that is really something that's going on right now. There's a lot of effort out there to pursue the status quo, to continue to keep the lights on. And if you look at what amount of the federal budget that is being spent on keeping the lights on in IT, it's over 80% is what the number is commonly referred to. And so a lot of companies are making traditional companies, old-guard companies, as Andy Jassy would say, are making a lot of money following that same path. And you know what? The taxpayer can't afford that anymore. The mission owners can't afford that anymore. And so it's really time to move forward into the 21st century and leverage commercial cloud technology and some of these advanced capabilities, like artificial intelligence and machine learning. And then to answer your final question-- >> Hold on, on the DoD thing, because I did see that in the news. It's obviously clearly FUD, fear, uncertainty, and doubt, as they said, in the industry from the old guards to slow down the process. That's classic move, right? Hey, slow down. >> It is. >> We're going to lose this thing. If we don't put the brakes on-- >> It's a classic move that some companies have been practicing for a few decades. >> Decades, decades, we all know that, I mean, it's called Selling 101 when you want to secure the ivory tower. Okay, so papa, this is the tactic, and I want to get your opinion. This is a policy question. It's not in the best interest of the users, and the society, and the citizens to have a policy injection for political warfare on deal selling. So that's, essentially, what I see happening. >> Yeah, we agree. >> I want to get your comments on this, because it comes up to a very political topic, technically, multi-cloud. >> Shannon: Right. So the move is, whoa, you can't go to one cloud. We're putting all our eggs in one basket, so we have to spec it to be multi-cloud. That's the policy injection. What's the impact of that in your opinion? Does it matter? Does the government say, "Hey, we should do multi-cloud"? You actually want to have one cloud. That's what Andy Jassy >> Well, actually... >> wants, right? >> you know, that's not true. What I'll say, and take a step back here, is that what we want is what the customer wants. And a lot of companies are forgetting the customer in this debate about multi-cloud versus single cloud. >> So you're jump ball. Your philosophy is to say jump ball. >> We welcome open competition. >> So multi-cloud, >> We want to serve the customer. >> and single cloud. >> What happened with the intelligence community is they had an open competition for a single-cloud approach. One thing that's happening right now as part of this broader discussion is some of the old-guard companies are spreading a lot of misinformation about-- >> John: Like what? >> the different types of contracts, and so there's been a lot of misinformation about DoD trying to pursue a sole-source contract for this JEDI program that they're trying to do to implement cloud. And what DoD has said in the stories that I've read on the record is that they want to have an open competition. And whether or not they choose a single award, which is different than a sole source that's not competed, if they choose a single award that's competed like the intelligence community did, or they choose a multi-award, it's going to be their preference. And let me tell you something, the policy space, what we've heard consistently from members of Congress and other policy makers is they don't want to be in the business of telling the Department of Defense or any other federal agency, specifically, what they should do or shouldn't do in a technology procurement. What they want is an open competition. And I'll tell you on the record, we embrace an open competition, and that will serve the customers well. But don't tell the customer if you're an old-guard company what they should or shouldn't do. And don't ignore the customer. >> Well, I would, from just a personal standpoint, industry participant, I would say that that's going backwards. If you have the companies doing old-guard tactics injecting policy and FUD to slow a deal down just to save it, that's really bad, bad form. >> Yeah, it's- >> That's going backwards. >> It's bad policy, but it's also bad for the taxpayer, and it's bad for the mission owner. So let there be open competition. Let the customers, like DoD, make the decisions that they're going to make, which is going to be best for their mission. >> Well, Shannon, as Teresa, a basketball fan, would say, "Jump ball," make it fair. >> Let's do it. >> Let the chips fall where they may. >> Let's do it. >> All right. Open competition, that is Amazon's position here in DC. Policy, no problem, we can play that game, but it's all about the customers. Shannon, thanks for your insight and observations. >> You bet. >> Shannon Kellogg, who's in charge of policy at Americas for AWS. This is CUBE Conversations. I'm John Furrier, thanks for watching. (rhythmic electronic music)

(bright music) >> Hello, everyone. Welcome to theCUBE Studio here in Palo Alto. We're here for our next segment, The Future of Networking. We're going to experience the future of networking through a demo of SD-WAN in action with Riverbed. I'm here with Josh Dobies, the vice president of product marketing, and Vivek Ganti, senior technical marketing engineer. We're going to give a demo of SteelConnect in action. Guys, thanks for joining me on this segment. Let's get into what are we going to show here, showing SD-WAN in action. This is experiencing the future of networking. >> Thanks, John. So what's exciting about this next wave of networking is just how much you can do with minimal effort in a short amount of time. So in this segment, we're actually going to show a typical transformation of a company that's going from a traditional, 100% on-premises world into something that's going to be going into the cloud. And so we're going to kind of basically go in timelapse fashion through those phases that a company will go through to bring the internet closer to their business. >> Great, Vivek, you're going to show a demo, set up the demo, what is the state? It's a real demo, is it a canned demo, what's going on under the hood? Tell us through what's going to happen. >> It's an absolutely real demo. Everything you'll see in today's demo is going to be real, the real appliances, the links you'll see are going to be real. The traffic is going to be real. And it's going to be a fun demo. >> Well the future of networking, and experiencing it is going to be exciting. Let's get through in the demo. I'll just say, as someone who's looking at all the complexity out there, people want to be agile. There's so much complexity with IoT and AI and all this network connections, people want simplicity. >> Right. >> So you can show simplicity and ease of use and value, I'm all interested. >> That's exactly it. Step one is we have to get out of the world of managing boxes. And we have to get into a software-defined world that's based on policies. So one of the first things that a company needs to do to start realizing these benefits of efficiency is to get away from the provisioning work that's involved in bringing up a new site. So that's the first thing that Vivek's going to show right now. >> John: Vivek, jump into it, show us the demo. >> Absolutely, so what you're looking at right now is the web console of SteelConnect manager. This Riverbed's SD-WAN solution. You're looking at a bunch of sites for a company called Global Retail, which is spread all over the world. What I'm going to do now is bring up a new site, really zero touch provisioning in Dallas, sitting here in Palo Alto. So let's get started. I'm going to jump right into network design and look at sites. I'll click here on add sites and really just enter a few physical location details for my site in Dallas. And the moment I click here on submit, not only is a pointer being created on the map for me, but there's a lot of automation and orchestration happening in the backend. What I mean by that is that there's a default uplink created for my Dallas site, and there's also a VLAN created for my site in Dallas. Of course I can go and add more uplinks and VLANS for my site, but then a lot of this heavy lifting in terms of creating these is automatically done for me by SteelConnect. But right now it's just a pointer on the map. It's not a real site. We don't have an appliance. But that's the beauty of it, John. What SteelConnect lets me do is it gives me the flexibility and the freedom to deploy my entire site from ground up, my entire network from ground up, before I deploy the first piece of hardware. The way I'm able to do that is with this concept called shadow appliance, which is really a cardboard cutout of what will be once I have the hardware appliance. So I'm going to click here on add appliances. I'm going to say create shadow appliance. >> So shadow appliance, the customer knows the appliance, they might have the serial number. >> Yeah. >> But it's not connected, it's not even there yet. >> No, it's not even there yet. >> They're doing all the heavy lifting, preparing for it to drop in. >> Yeah, think of it as just designing it or drawing it on white paper, except you get to see what your network's going to look like before you deploy anything. So I'm going to drop, let's say an SDI-130 gateway, add my site in Dallas, which I just created, and click here on submit. And that's the beauty of this, that now with this shadow appliance, I can click on this and really configure everything, right down to the very port level. And once I do have the hardware, which I ship to someone and have someone plug it in. >> So now you're configured. Now the appliance gets shipped there, someone, it could be anybody, could be a non-employee, just says, instructions: plug it in and put this ethernet cable in. >> Yeah, and sitting here in Palo Alto, I'm entering my appliance serial number. Click here on submit, and now that the appliance is connected to the internet, it knows to contact core services in the cloud, download its configuration, it knows what organization it belongs to, and it comes online in a matter of seconds, really. You'll see that it's already online as I was talking to you. >> John: Let's look at that, hold on. Dallas, right there, online, okay. >> Vivek: Yeah, and when it says pending, it means that it's actually downloading its current configuration. It's going to be up to date in less than a minute. And once it does that, when I look at the dashboard, this checkmark will be green, and it's going to start forming all those IPSec VPN tunnels, there you go. It's going to now start forming all those IPSec VPN tunnels to all my other existing sites, automatically forming so that I don't have to do any of the heavy lifting. >> John: So it does a self-discovery of the network. It just went red there, real quick. >> Josh: That's okay, this is where it's going to start creating the VPN tunnels. >> Vivek: Right, it's basically associating all those, it's negotiating all the security associations with all my other appliances. >> So no one's involved? No humans involved, this is the machine, get plugged in, downloads the code, then goes out and says where do I got to connect to my other networks. >> Yeah, the power of this is what you're not doing, right? So you could do all this by hand. And this is the way that legacy networks are configured, if you're still, you know, hardware-based approach. You have to go in and really think hard about the IP addresses, the subnets for each individual box, if you're going to create that full mesh connectivity, you're going to have to do that at an exponential level every time you deploy a new piece of hardware. So with this approach, with the design first, you don't have to do any staging. And when you deploy, the connectivity is going to happen, you know, for you automatically. >> John: Let's take a look at the site, see if it turned green. >> Vivek: Yeah, it's right now, if I click on it, you'll see that my appliance is online, but right now all the lines are red because it's still in the process of creating those IPSec VPN tunnels. But you'll see that in the next couple of minutes or so, all these lights will turn green, and what that means is now I have a single unified fabric of my entire network. But while we're waiting on that, let's actually move ahead and do something even cooler. Let's say our company called Global Network, Global Retail, wants to transition some of its applications to the cloud, because as we know, John, a lot of companies want to do that. For a few pennies on the dollar, you can make a lot of things somebody else's problem. So we've worked really hard with AWS and Microsoft to make that integration really work well. What I mean by that is when I click here on network design and AWS, I have a cross-account access going between my SteelConnect manager and AWS Marketplace so that I don't ever have to log back into the AWS Marketplace again. Once I do that, I can see all of my VPCs across all of my regions so that with a single click, and that's what I'm going to do here, I'm going to say connect to all my subnets in Frankfurt, I can choose to deploy a gateway of instance of my choice in the Frankfurt site. So what I'm going to do now- >> John: So you're essentially telling Frankfurt, connect to my Amazon. >> Vivek: Yes. >> John: And I'm going to set up some cloud stuff for you to work with. >> Vivek: So you already have your VPC infrastructure or your VNet infrastructure on AWS or Azure. What I'm doing is I'm providing optimized, automated connectivity for you. So I can choose to deploy- [John] All with just one click of the button. >> Vivek: All with one click of the button. So you see that I can choose an EC2 instance of my choice for the gateway. I'm going to leave it to t2.medium, and then SteelHead, because, WAN optimization because the moment we start migrating huge data sets to the cloud in Frankfurt or, say, Ireland in Azure, latency becomes a real issue. So we want to be sure that we're also optimizing the traffic end to end. I'm going to leave redundancy to on so that there's high availability, and I'll leave AWS routing to auto, and I'll talk about that in just a bit. So when I click here on subnet, what's happening is SteelConnect is logging into my AWS account. It's looking at all my VPCs, it knows what subnets it has to connect to, it's going to plop a gateway appliance as well as a WAN optimization appliance, do all the plumbing between those appliances, and make sure that all traffic is routed through the SteelHeads for WAN optimization, and it creates all those downloads for me automatically. And the beauty of this solution, again, is that not only does it provide automated connectivity for me between, say, different regions of AWS but also between AWS and Azure. We've suddenly become the cloud brokers of the world. We can provide automated, optimized connectivity between AWS and Azure. So let me show that to you also. >> John: Yeah, show me the Azure integration. >> Vivek: So I'm going to search for maybe subnets in Europe, Ireland, I'm going to connect to that. The workflow is exactly the same. Once I do connect, it gives me the option to deploy an instance of my gateway and my SteelHead. So I'm going to select that and then click on submit. So now when I go back to my dashboard, you'll see that, oh by the way, my Dallas site is now online. And when I click on it, you'll see all my tunnels have also come online. >> John: Beautiful. >> Vivek: Going back to what we just talked about- >> John: Frankfurt and Ireland are up an running. >> Vivek: Exactly. >> John: With Amazon and Azure piece there. >> Vivek: Yeah, it does take about four or seven minutes for those appliances to come online, they download their latest firmware, but that's nothing- >> John: Minutes aren't hours, and that's not days. >> Vivek: Exactly, not hours, not days, not weeks. >> Right, I mean a key use case here, when you think about cloud connectivity today, it's still rather tedious to connect your on-premise location into these cloud-based, virtual environments. And so what network operators do is they do that in as few locations as possible, typically in a data center. And what that means is now you're limited, because all the traffic that you need to go into those environments has to get backhauled into your data center before going there. So now, because this is automated, and it's all part of that same secure VPN, if you have some developers that are working on an app and they're using infrastructure as a service, you know, as part of their work, they can do that from whichever remote office they're sitting at or their home office or at a coffee shop. And there's no need to create that additional latency by backhauling them to the data center before going to the cloud. >> So all that stuff gets done automatically, on the networking side, with you guys. >> Exactly, exactly. So step one is really creating this easy button to have connectivity, both on premises and in the cloud. >> Connectivity with all those benefits of the tunneling and stuff, that's either pre-existing or that's been set up by an instance. >> Exactly, secure VPN, full mesh connectivity across all the places where you're doing business or you need assets to run in the cloud. Then the second phase is, okay, how do you want to dictate which applications are running over which circuits in this environment? And this is where, again, with a legacy approach, it's been really tedious to define which applications should be steered across one link, if you can identify those applications at all. So what Vivek's going to show next is the power of policy and how you can make it easy to do some things that are very common: steering video, steering voice and dealing with, you know, SaaS applications in the cloud. So you want to give them a taste of that? >> Vivek: Absolutely. So let's go to rules, and let's create a new traffic rule, say, I want to make sure that across all my sites for my organization, I want video, which is a bandwidth-intensive application, as you all know, doesn't really choke up my MPLS link, which is my most precious link across all my sites. I should be able to configure that with as much ease as I just said it. So let's do that. We can do that with the software defined intelligence of SteelConnect. I can apply that rule to all my sites, all my users, and I'm going to select applications, where I search for video. There's already a pre-configured application group for video. I'm going to select online collaboration and video. And under path preference, I'm going to say that for this application, don't use my MPLS as my primary, but use my internet link as the primary. >> John: And the reason for that is to split traffic between the value of the link's cost or >> Vivek: Exactly. >> John: Importance. >> Vivek: Exactly. Load balance gets really important. So I'm going to save that as my primary- >> John: So plenty of people that are watching YouTube videos or, you know. >> Vivek: (laughs) Right, exactly. >> Exactly, video is one of the biggest hogs of bandwidth. It's basically creating an insatiable demand, right, so you definitely need to look for your best option in terms of capacity. And with internet broadband, maybe you're going to sacrifice a little bit on quality, but video, you know, deals with that pretty well. But it's just hard to configure that at each and every single box where you're trying to do that, so. >> Vivek: Yeah, as opposed to configuring that on each and every individual box or every individual site, I'm creating this globally applied rule to all my sites. And I'm going to select MPLS as a secondary. I'm going to select a path quality profile, which means that if there's some severe degradation in my internet link, go ahead and use my MPLS link. So I'm going to say latency sensitive metrics, and I'm going to apply a DSCP tag of high, click here on submit, and the moment I turn this rule on, it automatically updates all of the IPs, all of the uplinks, all of the routes across my entire organization. >> John: So you're paying the quality of service concept to all dimensions of apps. >> Vivek: Absolutely, whether it's video- >> John: Video, Snapchat, livestreaming, to downloading, uploading. >> Vivek: Yeah, and I can create the same kind of rule even for voice, where maybe I have my MPLS, since that's my primary and most precious link available for all my sites, have that as a primary and my secondary as my route VPN, which is my- [John] If you're a call center, you want to have it probably go over the best links, right? >> Vivek: Exactly. And assign it the DSCP tag of urgent so that that traffic gets sent at the expense of all my other traffic. >> John: Awesome, that's great stuff. Policy is great for cloud. What about security? Take us through a demo of security. >> So that's a really good question. I mean, as soon as you're starting to use internet broadband connectivity in these remote locations, one of the first things you think about is security. With the secure VPN connectivity, you're assuring that that traffic is encrypted, you know, end to end, if it's going from branch to data center or even branch into cloud. And that was really step one that Vivek showed earlier. Step two is when you realize, you know what, there are certain applications that are living in the cloud, things like Office 365 or Salesforce.com that truly are a trusted extension of your business. So let's turn that spigot up a little bit, and let's steer those applications that we trust direct from branch to the internet, and by doing that we can avoid, again, that backhaul into the data center. And with an application-defined approach, this becomes really easy. >> Vivek: Yeah, and I can do that with a very simple rule here, too. I'm going to apply that rule to all my sites. I'm going to say for applications, let's say trusted SaaS apps like Salesforce, Dropbox, and Box, I'm going to select a group called trusted SaaS apps, and now under path preference, I'm going to say for these applications, I know that I've set an organizational default that for all my traffic, go over my MPLS link and break out to the internet that way, but for some applications that I've defined as trusted SaaS apps, break out to the internet directly. >> John: Those are apps that they basically say are part of our business operation. >> Vivek: Yeah. >> John: Salesforce, Workday, whatever they might be. >> Vivek: Absolutely. So you're opening that spigot just a little bit, as Josh was talking about. And I can choose to apply a path quality profile so that there's a dynamic path quality-based path selection and apply a QoS priority. I'm going to leave it to high and submit. And the powerful thing about this is even though I've applied this to all my sites, I can choose to apply this to individual sites or maybe an individual VLAN in a site or an individual user group or even a single user for follow the user policies. And that's the entire essence of the software-defined intelligence of SteelConnect. The ease with which we can deploy these rules across our entire organization or go as granular to a single user is a very powerful concept. >> Josh: One of the things too, John, in terms of security, which you were asking about earlier, is that not only is a policy-based approach helping you be efficient at how you configure this but it's also helping you be efficient in how you audit that your security policies are in place because if you were doing this on a box-by-box basis, if you really, truly wanted to do an audit with the security team, you're going to have to look at every single box, make sure there's no typo whatsoever in any of those commands. But here we've just made a policy within the company that there are certain applications that are trusted. We have one policy, we see that it's on, and we know that our default is to backhaul everything else. And so that becomes the extent of the audit. The other thing that's interesting is that by just turning off this policy, that becomes your roll back, right? The other thing that's really hard about configuring boxes with lots of commands is that it's almost sometimes impossible to roll things back. So here you have a really easy button on a policy-by-policy basis to roll back if you need to. >> John: And just go, you know, clean sheet. But this path-based steering is an interesting concept. You go global, across all devices, you have the roll back, and go in individually to devices as well. >> Josh: That's right, that's right. Now, this next click of bringing that internet closer to you, is where you say, you know what? In addition to trusted SaaS applications, let's go ahead and have even recreational internet traffic go straight from the branch out to the internet at large. >> John: Love that term, recreational internet. (laughing) It's basically the playground, go play out there in the wild. (laughing) >> Josh: Exactly. >> John: There's bad guys out there. But that's what you mean, is traffic that's essentially, you're basically saying, this is classified as, assume the worst, hope for the best. >> Right, exactly. And that's where you do have to protect yourself from a network security standpoint. So that next step is to say okay, well instead of backhauling all of that recreational, dangerous internet traffic, what if we could put some more powerful IDS, IPS capabilities out there at the edge? And you can do that by deploying traditional firewall, more hardware, at those edge devices. But there's also cloud-based approaches to security today. So what Vivek is going to show next is some of the power of automation and policy that we've integrated with one cloud security broker named Zscaler. >> Vivek: Zscaler, yeah, so- >> John: Jump into it. >> Vivek: Our engineers have been working very closely with engineers from Zscaler, and really the end result is this, where we do a lot of the heavy lifting in terms of connecting to the Zscaler cloud. What I mean by that is what you're looking at on the SteelConnect interface, going back to that entire concept of single pane of glass, is that you can see all your Zscaler nodes from SteelConnect right here. And on a site-by-site basis, we will automatically select for you what Zscaler nodes are the closest to you based on minimum latency. And we select a primary and a secondary. We also give you the option of manually selecting that, but by default, we'll select that for you so that any traffic that you want to break out to the internet will go to the Zscaler cloud like it's a WAN cloud by itself. So I can go to my organization and networking default and say that hey, you know what, for all of my traffic, break out by default to the Zscaler cloud as the primary so that it's all additionally inspected over there for all those IDS and IPS capabilities that Josh was talking about. And then break out to the internet from there. And that's, again, a very powerful concept. And just to remind you though, the traffic path rule that we just created for trusted SaaS apps will still bypass the Zscaler cloud because we've asked those applications to go directly out to the internet. >> John: Because of the path information. But Zscaler, talk about how that works because you mentioned it's a cloud. >> Vivek: Yes. >> John: Is it truly a cloud, is it always on? What's the relationship with- >> I mean, this is what's interesting. And the cloud is basically a collection of, you know, data centers that are all connected together. And so some of the complexity and effort involved in integrating a cloud-based security solution like Zscaler is still often very manual. So without this type of integration, this collaboration we've done with them, you would still have to go into each box and basically manually select and choose which, you know, data center of Zscaler's should we be redirecting to. And you know, if they add a new data center that's closer, you would have to go and reconfigure it. So there's a lot of automation here where the system is just checking, what's my best access into Zscaler's cloud, over and over again and making sure that traffic is going to be routed that way. >> John: And Zscaler's always on, is an always-on security model. >> Yeah, active backup, exactly. There's many of those locations. >> Alright, so visibility. Now, as the internet connections are key to the, you know, zero touch provisioning you guys demoed earlier, IoT is coming around the corner, and it's bringing new devices to the network. That's more network connections. >> Josh: Right. >> Usually they're who is that person out there, what's that device, a lot of unknown, autonomous, so how do I use the visibility of all this data? >> Yeah, visibility's important to every organization, and once we start talking about autonomous networks, it becomes even more important for us to dive deeper and make sure that our networks are performing the way we want them to perform. It goes back to that entire concept of trust but verify. So I'm creating all these policy rules, but how do I know that it's actually working? So if you look at my interface now, actually, let's pause for a second and just enjoy what we've done so far. (laughing) >> John: A lot of green. >> Vivek: You'll see that my, a lot of green, and a lot of green lines. So this is my site in AWS, which I just brought up, and this is my site in Ireland. So if I click on the tunnel between- >> John: Are those the only two cloud sites? Are the rest on premise? >> Vivek: The rest are all on premise, exactly. So if I want to, say, click on the tunnel over here between my Azure site and my AWS site, which I just brought up, it gives me some basic visibility parameters, like what's my outbound and inbound throughput, what's my latency and packet loss. We don't see any real values here because we're not sending any data right now. >> John: But if you would, you would see full connection points so you can make decisions or like, workloads to be there, so as you look at- >> Vivek: Absolutely. >> John: Connection to the cloud. >> Vivek: It's all real time data. But if you want to dive in deeper, we can look at what we call SteelCentral Insights for SteelConnect so you can look at- >> John: Hold on, you're going too fast. Back up for a second. This is an Insight's dashboard. >> Vivek: Yes. >> John: Powered by what data? >> Vivek: Powered by the data that is being pulled from all of those- >> John: Those green- >> Vivek: All those gateways. >> John: All those points. >> Vivek: All those green points. >> John: So this is where the visualization of the data gives the user some information to act on, understand, make course corrections. >> Vivek: Exactly. >> John: Okay, now take us through this again. >> Vivek: So you can look at what your top uplinks are. So I'm looking at my site in New York City. So I can look at what my top uplinks are, what my top applications are, who are my top users? Who's using BitTorrent? I can see here that Nancy Clark is using the BitTorrent. So I might have to go ahead and create a rule to block that. >> John: You know what kind of movie she just downloaded, you know, music? >> Josh: Exactly, exactly. >> John: So you can actually look at the application type. So you mentioned BitTorrent. So same with the video, even though you're path steering, you still see everything through this? >> Vivek: Absolutely. >> Exactly, I mean this is application defined networking in action, where, you know, the new primitives that network administrators and architects are now able to use are things like application, user, location, you know, performance SLA, like the priority of that application, any security constraint. And that's very much aligned to the natural language of business. You know, when the business is talking about, you know, which users are really important for which applications that they're sending to which locations, I mean, now you have a pane of glass that you can interact with that is basically aligned to that. And that's some of the power there. >> John: Alright, so what are you showing here now? Back to the demo. >> Vivek: Back to the demo. The next part of the demo is, it's actually a bonus segment. We're going to talk about our integration with Xirrus Wifi. We recently announced that we are working with Xirrus. We bought them, and we're really excited to show how these two products, Xirrus access points, Xirrus wifi, and SteelConnect, can work hand in glove with each other. Because this goes back to the entire concept of not just SD-WAN but SD-LAN for an end-to-end software-defined network. So what I want to show you next is really hot off the presses. >> John: This is new tech you're showing, new technology? >> Vivek: Yes. >> Josh: So when SteelConnect was launched last year, there are wifi capabilities in the gateways that Vivek showed during the zero touch provisioning part. Xirrus is well regarded as having some of the, you know, most dense capabilities for accessing- >> John: Like stadiums, we all know that, we all lived that nightmare. >> Josh: Exactly. >> John: I got all these bars on wifi but no connectivity. >> Josh: Exactly, so stadiums, conventions, you know, when you think about the world of IoT that's coming and just how many devices are going to be vying for that local area wifi bandwidth, you need to have an architecture like Xirrus that has multiple radios that can service all of those things. And so what we've been doing is taking, you know, the steps as quickly as possible to bring the Xirrus wifi, in addition with the wifi that SteelConnect already had, into the same policy framework, right? Cause you don't want to manage those things, necessarily, going forward as different and distinct entities. >> John: So SteelConnect has the wifi in the demo. >> Exactly, so I'm now moving to a different org, where we have about four or five sites, and I'm going to go ahead and add an appliance. And I'm going to add this Xirrus access point and deploy it in my site at Chicago. So I just click here on submit, and you'll see that the access point will come online within, in less than a minute. And once it does come online, I can actually start controlling this Xirrus access point, not just from the XMS cloud, which is the Xirrus dashboard, but also from SteelConnect manager, going back to that concept of single pane of glass, so- >> John: So we have another example of zero touch provisioning. >> Vivek: Zero touch provisioning. >> John: Send the device, and someone just plugs it in and installs it, doesn't have to be an expert. Could be the UPS guy, could be anybody. >> Vivek: Yeah, anybody. Just connect it to the right port and you're done. And that's what it is here, so you see that this appliance in Chicago, which is a Xirrus access point, is online. And now I can go ahead and play with it. I can choose to deploy an SSID and broadcast it at my site in Chicago. You see that I'm only broadcasting Riverbed dash two, and when I go to my XMS dashboard, and can see that one access point is actually up. This is the same access point that we just deployed in the Chicago site, and that profile called Chicago is already configured. So when I click on it, I can see that my SSID is also displaying over here, and I can do so much more with this interface. >> John: It really brings network management into the operational realm of networking. >> Vivek: Absolutely. >> John: Future experience of networking is not making it as a separate function, but making it an integral part of deploying, provisioning, configuring. >> Exactly, and the policies to automate how it's all used, right, so if we just take a step back, what we literally did in just a few minutes, we deployed a new location in Dallas without anybody needing to be there other than to plug in the box. We extended the connectivity from on premises, not only into one cloud but two clouds, AWS and Azure. We started leveraging public internet in these remote sites to offload our MPLS for video. We steered SaaS applications that were trusted out there directly to the internet. And then we pulled in a third-party capability of Zscaler to do additional security scrubbing in these remote locations. That applies to every single site that's in this environment. And we literally did it while we were talking about the value in the use cases, you know? >> Great demo, great SD-WAN in action. Josh, Vivek, thanks for taking the time to give the demo. Experiencing the future of networking in real time, thanks for the demo, great stuff. >> Thanks, John. >> This is theCUBE, watching special SD-WAN in action with Riverbed, thanks for watching. I'm John Furrier. (bright music)