Aporeto: How Reliable Infrastructure Enables More Reliable Software
Over the past few years, the landscape for creating software has been influenced dramatically by two things: the popularity of the public cloud, and the shift from monolithic application structures to microservices and distributed architectures. But with those trends came new challenges.
“Existing security approaches simply didn’t work,” says Amir Sharif, Aporeto’s Co-Founder and VP of Marketing and Business Development. “There was a need in the market to bring comprehensive and operationally simple security to workload that was not only distributed, but running on somebody else’s infrastructure.”
In fact, before he became Co-Founder and VP of Engineering at Aporeto, Satyam Sinha says, “I was building networking infrastructure, and one of the things that we were trying to attack was security in the modern cloud environment. None of the networking approaches were working very well. They only provided a partial level of security.”
Sinha was researching these issues when he met Dimitri Stiliadis, who would become Aporeto’s co-founder and CTO. “He was talking about a very similar kind of work,” says Sinha. “The three of us quickly came together with our different strengths in technology, product, and business. But most importantly, we agreed this was a problem that was worth solving.”
Building the Product
And so Aporeto was formed to create a next-generation application identity-powered security product. “We see microservice protection in layers,” says Sharif. “We see it at run-time protection, we see it with network connections, and we see it at the API-level interactions. And only by providing this rich, layered approach can you ensure that software is protected when it’s running in the wild, wild world of the public cloud.”
From the beginning, the founders were determined to lay a groundwork that was built to last. For Sinha, that means not just using innovative technology, but also “the right engineering practices to make sure that the quality of the product is high.” This was all about planning for scale and success: “When your product gets adopted widely, suddenly the engineering team comes under tremendous pressure.”
One of the most important practices in any software company is testing, so the team built a CI/CD pipeline to run on different cloud providers. “The SaaS service that we run needs x amount of compute resources, and our test infrastructure takes about 20x,” says Sinha. “The thing is, we’re a 100% cloud-based company—we don’t own any infrastructure at all.”
While this was the right model for their agile, cloud-native business, it presented a problem when testing at scale. “One of the challenges that we repeatedly ran into was: is it our product where we’re finding a bug, or is it related to the infrastructure?” More often than not, it would turn out that the cloud provider had vacated a VM on which Aporeto was running tests, moving things around without Aporeto ever knowing about it (until later!).
At most public clouds, this happens all the time. And for a lot of workloads, it’s not a problem. But this kind of volatility makes serious testing a huge challenge. “With all of these infrastructure dependencies coming in, I couldn’t figure out if I was testing the infrastructure or testing our application.”
Seeking Reliable Infrastructure for Testing
The team needed to find a different infrastructure solution for its testing, and found it with Packet. “At Packet, the focus is on single-tenancy, so I could absolutely control my environment—no vacating VMs, and no noisy neighbors.” After testing against various instance sizes, Sinha found the ideal setup. Working with a single large dedicated bare metal machine, he was able to deploy all of Aporeto’s microservices and its caching products in a single node. “That removed all of the dependencies, leaving aside the interactions of the networking stack and the rest of the things that the cloud provider is doing, to make sure that we get a stable baseline.”
And that brings great value. “When you’re striving to take testing and stability to a very high level, having the least number of unknowns brings in a lot of dependability and reliability,” says Sinha. The bottom line, says Sharif, is that “Packet’s infrastructure reliability allows the creation of higher-quality, more reliable software.”
Packet’s hardware is also particularly well-suited for Aporeto’s needs. To test how software engagements work with the Aporeto product, Sinha needed very lightweight VMs. “We’re able to get very high density on Packet’s Arm-based hardware,” he says. “We can easily fire up 128 or more VMs on a single server.” (Aporeto deploys its microservices in Kubernetes clusters on top of Packet’s bare metal.)
To build the enterprise security product that was released in late 2017, Aporeto created a dedicated test infrastructure that runs on Packet. The automation work took about a month—“It’s the overhead of going to any cloud provider,” Sinha says—and today, Aporeto’s workloads run across AWS, GCP and Packet with no problems. Packet’s hands-on support team was a big help. “When something’s not working, I can just get onto their community Slack channel, get support and whatever I need, and resolve any issues,” says Sinha.
“Packet introduced a very interesting test framework that we used initially in the building of the product, and that’s where we will continue to use it,” he adds. “Being a startup and having limited engineering resources, I’d rather be testing our product than the infrastructure. And we got it at a very good price for sure. That’s one of the things that helped us release a good quality product in the first year and a half of the company.”
A Repeatable Use Case
Given Aporeto’s success with its infrastructure strategy, Sinha has advice for other software companies. “In the initial phase of the product release cycle, make sure that your product is actually working the way you think it is,” he says. “If you look at our product, it’s a SaaS-based deployment. We also support on-prem deployments. But for any SaaS company that’s building software and wants to test it before they actually bring in all the unknowns from a particular cloud provider, this could be an interesting infrastructure. We obviously have a unique way of utilizing it. But I think there are other people who might be interested in following this pattern.”
Eventually, Sinha says, there may be another Packet use case for Aporeto. “Once our SaaS service gets to a good level of scale, we will have to re-evaluate where it makes sense for us to deploy the service in different locations, or in different cloud providers,” he says.
For now, the Aporeto team is continuing to improve its product, always with the end customer in mind. “We are passionate about security,” says Sharif. “We believe that you own your data, and only you should decide who gets to see your data and for how long. The partnership with Packet is all about ensuring higher product quality—and therefore, better security for the end customer.”