One appeal of public cloud is that some parts of the IT stack become someone else’s problem. Maybe you got into cloud with the hope that networking could be one of those parts.
But what if, now that you’re in the public cloud, you’ve realized that maybe networking should be your problem? On today’s Day Two Cloud we explore cloud networking certifications. Who do these certs make sense for? Which clouds should you focus on? What do certifications typically cover? Where do third-party devices such as firewalls and load balancers fit into the certification picture? If you’re an old-school CLI jockey coming into cloud networking, how should you approach concepts such as Infrastructure as Code (IaC)?
We discuss these and other cloud networking certification topics with Michael Levan. Michael is an engineer and consultant who focuses on cloud and Kubernetes. He is a DevOps pro, HashiCorp Ambassador, and AWS Community Builder. He also co-hosts the Kubernetes Unpacked podcast on the Packet Pushers network, and has created multiple instructional videos for the Packet Pushers’ YouTube channel.
Cloud Vendor Networking Certs (as of May 2023)
AWS
AWS Certified Advanced Networking – Specialty
Build up to this advanced cert with…
- AWS Certified Cloud Practitioner
- AWS Certified Solutions Architect – Associate
- AWS Certified Solutions Architect – Professional
- “To earn this certification, you’ll need to take and pass the AWS Certified Advanced Networking – Specialty exam (ANS-C01).”
Microsoft
Microsoft Certified: Azure Network Engineer Associate
Exam AZ-700: Designing and Implementing Microsoft Azure Networking Solutions
Google Cloud
GCP Professional Cloud Network Engineer
Google Cloud Network Engineer Learning Path
Show Links:
@TheNJDevOpsGuy – Michael Levan on Twitter
Kubernetes Unpacked Podcast – Packet Pushers
Transcript:
[00:00:01.730] – Ethan
Welcome to Day Two Cloud, you lucky human. We’re going to talk in roundtable format about cloud networking certifications, aren’t we, Ned? That was the topic for today.
[00:00:11.920] – Ned
We certainly are. And we got a lot more mileage out of it than I thought we would. Three podcasters on a mic. Who would have guessed it? But we really dig into not just what the cloud certifications are, but also what’s the utility behind getting any of them.
[00:00:26.760] – Ethan
Our guest today is Michael Levan. He is a known Kubernetes expert in the space. He’s a teacher, instructor, and consultant, and he joins Ned and me as the three of us go back and forth about cloud networking certs. Please enjoy our conversation. Michael Levan is joining us today for this discussion about cloud networking certifications. And Michael, I know a lot of people know you because, as we just saw from that list that was published here recently, you’re very popular and a big influencer in the cloud space. But for those people who somehow don’t know who you are, would you tell all the nice people who you are and what you do?
[00:01:05.270] – Michael
Yeah. Thank you so much. Hopefully I can live up to those expectations. So my name is Michael Levan, and I do everything and anything in the Kubernetes space. So consulting, working in production-level environments, live training courses, blogging, public speaking, books, all that good stuff. I also have a podcast called Kubernetes Unpacked on the best podcast network in the universe, Packet Pushers.
[00:01:34.110] – Ethan
Yes. If you weren’t aware of Michael’s podcast, Kubernetes Unpacked is indeed on the Packet Pushers podcast network. And it’s been growing rapidly, with now you’re up to, I forget how many thousands of subscribers, Michael? But it is growing rapidly and doing very well. Our topic today, gentlemen, this is going to be more of a roundtable format. We’re just going to chat about cloud networking certification. I thought I’d open up the discussion among the three of us with: what sort of a professional does a certification like this make sense for? Who am I, and I’m taking a cloud networking certification?
[00:02:11.530] – Ned
Yeah, I feel like one potential approach is someone who’s already in the cloud to a certain degree. They’ve achieved the associate-level certification for AWS or for Azure, and now they’re looking to branch out into more specialized roles or more complicated network setups that they weren’t trying to support before. Or something has come down from on high: hey, we need to integrate this new network thing into our cloud. All right, I better study up on that. Oh, there’s a specialty certification for my cloud of choice. Well, why don’t I pursue that to get bulked up on my network knowledge? But the thing about that is, not all the certifications, but a lot of the ones that we’re going to talk about are really about how this cloud does it as opposed to networking fundamentals. And I think that’s an important distinction to make.
[00:03:01.930] – Ethan
Well, you see it, as you said, as someone who’s in cloud already, like someone who’s a cloud practitioner. Maybe they’ve been building more on the infrastructure side of things, working with Is and doing that kind of stuff. And now they need to bulk up their skills in that networking specialty and add that skill set to their tool belt.
[00:03:18.820] – Ned
Yeah, I mean, that’s one possible path, but I think another path, and maybe you want to expound on this a little bit, is I’m a network engineer working on-prem and now I’m being tasked with managing some stuff in the cloud.
[00:03:29.730] – Ethan
Well, yeah, that’s how I think about it. Of course, that’s my perspective coming from all the years where I’ve been doing network engineering. And the cloud network approach is a different beast. There’s different constructs, there’s different constraints in how you build out those networks, and different ways to think about how packets are flowing around through that environment. And to go from on-prem architecture and design, where you’re very comfortable with switches and routers and firewalls, you kind of know how it all flows, you’re building out routing tables, and thinking about it from a cloud perspective where it’s all been virtualized and yeah, it’s still packets and it’s still IP addressing, but it’s a bit of a different beast. Plus the way you configure things is different, or can be different, as different as you want, especially if you’re going to the infrastructure-as-code model and maybe you haven’t done that before on-prem, you haven’t had a reason to. These cloud networking certs help you bridge that gap, because there is a gap between how you do it on-prem and how you do it in cloud.
[00:04:30.710] – Michael
Yeah, I think I see it in three different lights in terms of what professional is this going to make, that type of thing. Number one, I see somebody that is just trying to get into it. So maybe they’re a sysadmin on-prem or maybe they’re just starting their tech career and they’re trying to get into the field that they want to get into at that point. Maybe they’re going to look at a couple of certifications. The second one is purely from a learning perspective. So maybe you’re in Azure and you want to learn AWS, or maybe you have a job transition going from Azure to AWS, vice versa, or whatever, you want to just get up to speed with kind of what’s happening. And again, to your point, how that cloud does the thing. And then the third is, depending on where you work, sometimes certifications are mandatory. So if you’re working at, like, a consultancy, for example, they may need X amount of people certified with this certification to keep some type of status.
[00:05:26.550] – Ned
The whole reason I have my AWS SA Pro, or at least the first time I got it, was specifically because the consulting group I was with wanted to do Well-Architected Framework reviews. And at the time, to be part of that program, you needed to have X number of SA Pro certified people on staff. So I might have gotten it anyway, but there was a big push, like anybody who thinks already, go sit that exam as quickly as they can. And I can see for a consulting group that specializes in more networking-type engagements, having that specialty cert is a point of differentiation between your consulting group and other consulting groups out there. All of our engineers are all network specialty certified. You can advertise that, right?
[00:06:12.360] – Michael
Yeah, it’s a good check mark.
[00:06:17.510] – Ethan
Well, as you say about the status thing, back when I was doing VAR work, it’s been a while, but yeah, to maintain our relationship with a partner, we had to have a certain number of certified people on staff. And so I’d be working with the engineering team going, okay, guys, who’s going to step up and get whatever X certification is? Because I don’t know if it matters mathematically the same way it did. It impacted our profit margin for products to have those certified people on staff. The more people we did, the better the status was we’d get, and we’d get more discount from the vendor and the resell. You’re both nodding your heads. So even though I’ve been out of the VAR game for a while, it sounds like it’s still the same.
[00:06:51.060] – Ned
It hasn’t changed.
[00:06:53.650] – Michael
You get like the Gold package if you have like five people certified in this or the Silver package if you have three. Forget the exact numbers, but it looks something like that.
[00:07:03.290] – Ned
And you might even get preferred deal registration too. And that’s a big deal. Yeah, see, I’m just bringing you back. I don’t want to make this all about VARs podcast because that’s a whole other episode. But yeah, there’s a whole deal registration thing where whoever registers the deal is the one who actually gets to sell it to the customer regardless of who they want to work with.
[00:07:25.300] – Ethan
Oh, man, you are bringing back memories. Because there was a time where it’s like we were this particular vendor’s go to partner for projects, and all of a sudden the deal started drying up, and I started digging around to figure out what was going on. Why aren’t they calling us? And there was another VAR that had started up and had the young and more certified than us group, and they started winning a lot of the deals. That’s the way it happens. And business started shifting away. Okay, let’s talk about career path. Let’s talk about career path. If I want to be a cloud networking specialist, is that a job? Is that like, all I do is cloud networking stuff and there’s enough there to keep me occupied and get paid?
[00:08:06.410] – Michael
I haven’t personally seen a specific role like that. I’m sure they do exist in either larger organizations or perhaps they aren’t on paper, but that person is the cloud networking person. Or maybe their title is Cloud Engineer, whatever, but they’re the cloud networking person. But I haven’t exactly seen that specialty in that fashion.
[00:08:32.130] – Ned
I would say it depends on the size of the organization you’re working with, because the larger, usually, the more specialized roles that exist. So in a small, for a good chunk of my career, I was working at a 250-person company and there were three IT people and we did everything, including handling the vending machines. So my title was Network Administrator. But that was just because they needed to give me a new title every couple of years.
[00:09:00.100] – Michael
Right.
[00:09:01.950] – Ned
But in a large enough organization where you do have, like, a Cloud Center of Excellence or you just have, this is our Azure team, you might have one or two people on that Azure team that are dedicated to building network templates and best practices and stuff that’s going to be adopted by the rest of the organization. So that person, or if that position is being developed, getting the certification might be the way that you move into that team under that role.
[00:09:31.110] – Ethan
Yeah, being specialized on a team. Right. It doesn’t mean that’s exclusively all you do, but you’re the go-to person for that thing. A friend of mine that runs a fairly sizable team at a VAR was telling me that there are a couple of people on his team. They’re all cloud. All the stuff they build is cloud pipelines, everything’s been virtualized, et cetera. He has a couple of experts on that team for networking stuff, but that’s not all they do. They’re expected to know a bunch of other things as well, or they couldn’t really integrate all that well with what’s going on in the rest of the project. They couldn’t manage themselves very well if all they knew was, like, IP addressing and BGP and setting up gateway load balancers and whatever it was. So there is room for the specialty. I get what we call the T-shaped engineer. You’re broad in a lot of areas and deep in at least one, maybe two areas. That’s a good fit. And I think that maps well from the silos we’ve had in organizations for a long time where there are people that are network engineers.
[00:10:35.670] – Ethan
Okay, you’re adding cloud networking to your network engineering skill set. It’s not going to be the only thing you do, very probably, unless you’re working in a very large organization, as you were saying, Ned, with a lot of need to be building out cloud networking architectures, and then sure, you can specialize. Otherwise I think you’re going to need other stuff. Which really kind of leads us to another question. If all I do is focus on cloud networking, I don’t get any other cloud certs, because you can, we were looking at cloud certs from the big three and there’s no prerequisites, you can rock up and take that exam, or that specialty exam for cloud networking, if you want. What are the holes that are going to be in my knowledge if I
[00:11:15.320] – Ned
take that approach? Well, so I put together a Pluralsight course for the AWS networking specialty exam, so I can speak to that. There is a presumption that you have the equivalent level of knowledge that someone who’s passed the SA Associate or the SysAdmin Associate exam has, that you have that level of knowledge about what exists in AWS already, and then you’re layering on top of that the networking knowledge. And I don’t think that’s any different than a network certification, or really not a certification, but that’s not any different than any other networking position that you might find yourself in. Network administrators need to understand stuff that exists outside of the network if they want to be effective. And Ethan, you’ve talked about this before, how talking to application people and Windows people and whatnot lets you understand how the network is being used, and that informs how you design and secure it.
[00:12:17.550] – Michael
Yeah, I would say I haven’t personally seen that specific style of specialty because I’ve never seen anybody when they bring up their AWS console, they just have VPC pinned and that’s it. There’s always something else going on. And I think that kind of brings us to what the specialty is in today’s world, because 20 years ago you could be the exchange person, you could be the active directory person, and then you had your sysadmins that did a little bit of everything. Now it’s almost like if we think about it now versus then, the sysadmin before is like now what the specialty looks like in our world. So yeah, maybe you were a specialty in AWS networking, or Azure networking, or cloud networking in general, but you still understand the database pieces and the VMs and the instance pieces and how they kind of all tie together.
[00:13:15.150] – Ethan
Yeah, it’s my career. I started out on the system side of things. I was building Novell NetWare servers and Windows NT servers, then it was Windows 2000 and so on. And my networking knowledge came in the early days from that. So I was building file and print and mailbox, or mail, serve mailboxes, mail servers and all of that. And then the network went along part and parcel with it. I didn’t know too, too much about the network itself, like switches and routers, in the early days. But the systems I built, I had to have a certain amount of networking knowledge to stand those systems up. Had to understand addressing and had to understand segmentation pretty well and know a little bit about Ethernet and what was going on there and related things. It was when I got into networking that I found out how deep does it go? Wow, it goes really deep. I had no idea. I was just plugging things in, putting an address on. Then they talked. Woo. And then you can get really deep into it if you want. And it looks like, as I was parsing through all these cloud networking certs and their course blueprints and the learning tracks, it’s the same kind of thing.
[00:14:21.760] – Ethan
There’s a basic level that you’ve got to know as a systems administrator that is just required to be able to function in a cloud environment. And as you go into the specialties, these more advanced certifications, there’s an expectation that you already know all of that stuff and you know something about cloud and cloud infrastructure broadly already. You know a bit about the AWS world, if we’re there, what the products are, how they all fit together, some of the basic architecture. And now you want to go deeper down the well and start to learn some of the more advanced architectures and fancy things that you can do, and maybe get into security more specifically if you want, which is another good question. Cloud networking and cloud security, are those topics that overlap and if so, how do you think they intersect?
[00:15:10.870] – Ned
I can’t see how they don’t. It’s part of it. Your network is such a big part of how you approach security within the cloud, and you tend to have a lot more options when it comes to how you want to approach that security, because you’re not just dealing with perimeter security. It’s not just putting a big honkin’ firewall in front of your VPC and calling it good, right? Within each VPC, and I’m using AWS as the example, but you can do this in all the clouds, so it doesn’t matter. Within the VPC, you have this concept of security groups, so you can control the flow of traffic between two different security groups. Within your VPC, you have the idea of being able to set up specific routing, so you can black-hole traffic if you want, or you can make certain subnets only able to send traffic out through a NAT gateway or a managed network device. So even though you might not be an infosec person or on the security team, they’re going to lean on you heavily to understand how security works in the cloud from a network flows and application flows perspective, and get that security implemented properly based off the requirements that they’ve identified.
[00:16:22.490] – Michael
Yeah, and I would say even as you get into the cloud, and not to sound buzzworthy, but as you go down this cloud native path and you start to work with all of the different services inside of the cloud, things get vastly more complex from a network security perspective. So I wouldn’t be me if I didn’t bring it up. But let’s take Kubernetes as an example. You have the Kubernetes network itself, or where the clusters are running, right? And then inside you have that virtualized network where your pods are running, where your services are running, et cetera. So now you have to secure two different layers and they’re all flat by default, just like any other network. It’s a flat network. So you have to go in and you have to say, okay, I need network policies. Okay, now I need to think about this CNI, or I need to think about this service mesh. So I’d actually say taking on Prem networking versus trying to get network secure inside of the cloud. Depending on which services you’re using in the cloud, it’s vastly different and a little bit harder.
[00:17:30.670] – Ethan
It’s different because you’re stitching together services that have been distributed, virtualized, abstracted in some way. If you’re a network engineer who’s used to thinking about things in terms of physical boxes, I’m going to stick a firewall here and bottleneck traffic through it so that it is inspected. That’s not what’s happening anymore. It’s more akin to when VMware NSX came out and it was a distributed firewall. You could punch it into virtual switches in different parts of the infrastructure wherever you needed it, run a centralized policy and send it out. And that feeling, if that was revolutionary to you at the time, it’s that plus now even more. And maybe Kubernetes is the ultimate example of what that architecture looks like these days, Michael. But yeah, vastly more complicated. Now you’ve got all these choke points that you can put anywhere you need to do policy enforcement. And so the way you have to think about security and the network flows and so on is pretty different from the old-school on-prem model. And that carries over into SaaS services as well. Because now you can do things like, I’ve got my software-defined WAN, or now it’s a SASE service that’s got security layered in, and you can pick and choose which flows are going to be sent off to a third-party security service like Zscaler, let’s say, to get inspected along the way.
[00:18:49.280] – Ethan
And so how you’re doing that is a different animal. And go back to your point very early on that I don’t see how you cannot have security as part and parcel of what you’re studying if you’re getting into cloud networking. Two
[00:19:02.840] – Ned
important things I want to raise, and one is that there’s a whole other layer of security you have to be mindful of in your networking, and that’s the control plane. So now that you’re working in the cloud, everything is configurable via the API, right? However you choose to consume that API, whether it’s through the console in a browser, at the command line, et cetera. So you have to make sure that you’ve secured the permissions, the IAM roles and permissions, for each of your network components so someone can’t just march in and make adjustments, add another network interface, turn off filtering or logging for a particular item. So you now not only have to deal with the security of your network, you have to deal with the security of the control plane for your network. Not that you didn’t have to before, but it was a little bit simpler, because the console for your firewall was probably on an internal managed network that only you and a handful of other people could get to, or you actually had to physically walk up and plug in a console cable, right? Yeah.
[00:20:05.300] – Michael
And let’s not forget the defaults out of the box, right? So again, talking about Kubernetes, when you use AKS, EKS, GKE out of the box, if you just click Next, Next, guess what? Your control plane is sitting publicly.
[00:20:20.170] – Ned
Yes.
[00:20:24.150] – Michael
So it’s not only do we have to configure, it’s that we now also must reconfigure, right?
[00:20:32.120] – Ethan
Yeah. Well, you guys are saying a control plane and network engineering purists would say, wait a minute, they’re talking about the management plane. That’s really what you’re getting at. You’re getting at the point of where you actually manage this, all of this, these security implements via API you need to be securing as well. And the defaults are open, not closed.
[00:20:54.330] – Ned
Right? You might not be responsible for some portions of that, but you need to be at least aware of what actions are available for some of the networking stuff you’re deploying and who needs what level of permissions on those things to get their work accomplished. Especially if you’re working with application developers that want to use cloud native services in any of the major public clouds. They might need some access to your network resources, but they certainly don’t need the God mode or modify everything level of access, which is sometimes the default. The other component I wanted to bring up is some of the really weird services that exist in the cloud that are also somewhat related to security stuff like Private Link. And this is the idea where you can take a network interface, create it in your VPC or your VNet, and then have it hook into one of the software as a service or platform as a service offerings through the cloud. And now all of your traffic that’s destined for your little segment of that platform goes through that Private Link. So again, you have to understand how it advertises itself via DNS, how it addresses itself within your subnet.
[00:22:09.290] – Ned
The network security group rules that you have to apply to it for it to function properly and you have to know it exists in the first place to suggest it.
[00:22:19.450] – Ethan
I love that stuff. The things like Private Link are analogous to what we would have done back in the day segmenting, like building up VMware where you gave everybody a dedicated interface: here’s your vMotion interface, and here’s your et cetera. You build all that stuff out and you’ve got to build out the routing and the addressing and the VLANs. That’s just so you can get crazy and go with security if you want. Or building out other isolated networks that would have very specific functions. And those happen, Private Link functionality can happen, even on just simple VPS offerings like Vultr. I’m a fan of Vultr. I’ve got a bunch of VPS running in there. They’ll sell me, be happy to sell me, a private link where I can connect multi-cloud instances, VPS, and connect them together on a private link on the back end for whatever reason. So I just find it funny that you call it weird. I mean, weird in the sense that it’s an unusual construct with unusual parameters.
[00:23:10.090] – Ned
Yes, and in the sense that it is something that just didn’t exist like three years ago in cloud programs. And then they’re like, oh, we have this new thing that you need to know everything about now. And also we had to build it using our existing tooling and concepts. So sometimes the implementation is a little funky.
[00:23:30.370] – Ethan
All right, guys, so here’s another kind of important one. Should I learn one cloud vendor’s networking stack? Just start with AWS, just learn that one and you’re fine. Is that good enough? Or should I also learn other people’s networking stacks? Or if I know AWS, do I kind of know Azure and Google Cloud?
[00:23:46.870] – Michael
I would say so. In my opinion, all the service names may be slightly different, the way that it’s implemented may be slightly different. But at the end of the day, you’re peeling back the same onion, more or less. You may just have to figure out, understand, hey, here’s how firewall rules work in Azure. And then when you go to AWS, they’re your security groups. So it’s like there’s going to be differences in terms of the naming and where you’re going to find that information. But I would say, yeah, if you know one, you’re going to be able to figure out the other one without having to go, like, super crazy in depth.
[00:24:26.230] – Ned
Yeah, that’s been my experience as well. I got my start on AWS and then started doing some Azure work and I found a lot of the concepts transferred. Microsoft being Microsoft, they try to do a lot of stuff for you in the background, whereas AWS is like, no, go build it yourself. Here’s an Erector set, go put it together. And Microsoft is a little bit more like, oh, we’re going to give you a preassembled, prefabricated thing that you could swap some stuff out on. Google was closer to the AWS approach, but again, all the concepts I’d learned from Azure and AWS transferred for the most part, and the networking fundamentals transferred across all of them. So it was really just like you said, learn the new vocabulary, learn where things are a little bit different. So you have to take that into account and you’ll be all right. So learn one first and then you can spread out would be my advice.
[00:25:20.770] – Ethan
Does it matter which one? I mean, I would have said a year ago or more, AWS, start there. Everybody’s in AWS. That’s the safe bet. And now I don’t know anymore. Azure has made up so much ground, it feels like you could start there if yours was a Microsoft shop. Just kind of pick the one you’re in and what makes the most sense based on what your business is using.
[00:25:39.340] – Ned
Okay, ready for my hot take? Go ahead. Don’t start with Google.
[00:25:45.070] – Ethan
Don’t start with Google. Okay.
[00:25:46.560] – Ned
Don’t start with Google. Start with AWS or Azure. Right now they are neck and neck in terms of market share. If you know your company is using one or the other, learn that one. But if you’re just in a vacuum and you’re not sure what your next job is going to be or where you’re going to land next, Azure and AWS are your two best bets. They have the largest market share by far. Google trails them by a significant margin. So I would want to go with one of those two first, and then if I happen to land somewhere that’s a big Google Cloud shop, fine, I can transfer that knowledge, but I’ll be a step ahead if I’ve gone with Azure or AWS.
[00:26:22.640] – Michael
I think, yeah, I would say in my opinion, because AWS is the hardest one to kind of get an understanding of. I always tell people to start with AWS simply because if you start with AWS and then you go to Azure, it’s going to feel a lot better than if you go from Azure to AWS.
[00:26:42.990] – Ned
It is a much steeper learning curve with AWS than it is with Azure. So if you want that steep learning curve, if you’re the kind of person that really enjoys the challenge, AWS networking, start with that. If you’d like to ease into things a little bit more, have someone holding your hand a little bit, then yes, I would go with Azure in that case.
[00:27:03.510] – Ethan
Michael, from a Kubernetes perspective, is there anything like a networking specialty? I worked through some Certified Kubernetes Administrator course material a while back and there was a big section on networking. You park and start working through how packets flow through a Kubernetes cluster, but it wasn’t a specialty, it was just part of the CKA course.
[00:27:23.470] – Michael
Yeah. So the CKA is going to be the closest that you’re going to get there. There’s a big portion of networking on there, and then if you want to take it a little bit further, you can go for the CKS, or the Certified Kubernetes Security Administrator, and there’s a little bit on there as well. But yeah, those are going to be your best bets. It appears that they are starting to do more specialties. So, for example, they have the CKS for security and then they’re doing a beginner-level security one, the KCSA, and that one’s, I think, in beta right now. So it looks like they are definitely working towards more of a specialty route. But yeah, if you want to learn Kubernetes networking inside and out, and if you want to bang your head against the wall a couple of times, go take a look at the CKA, and you should be pretty good
[00:28:08.030] – Ethan
there. One thing we haven’t mentioned, because we’ve been talking about the Big Three, is that there are a number of third-party networking solutions. Some of them have popped through the Day Two Cloud show as sponsors along the way. They’re multi-cloud networking solutions that are out there, like Alkira and Prosimo and, who am I thinking? Aviatrix is another one that pops to mind. There’s some other ones in this space as well. I would point out that those are different animals. Those are networking control planes that are meant to somewhat abstract the Big Three’s networking over the top. And so if you’re building a multi-cloud network and you’re looking for a tool to make your life easier, you might pick one of those solutions. They have a lot of different advantages and different approaches that they take to delivering multi-cloud networking for you. Oftentimes there’s an SD-WAN or SaaS component tied in there. Well, they may have their own training, let’s put it that way. Their own training on what they’re doing. Aviatrix is big on this. I think they’ve got a bunch of their own training material that you can work through to become a certified Aviatrix, whatever their thing is.
[00:29:24.370] – Ethan
But that's not cloud networking like we're talking about it, where you're dealing directly with the Big Three, with their constructs and their interfaces and the way they want you to build things. That would be, again, a third-party solution that I'm not saying you wouldn't be interested in. You very well might be, depending on what your company is buying and what you're interested in, learning those tools deeply and getting certified on them. But don't confuse what those tools are doing with what learning networking specific to the Big Three and their cloud-native constructs is all about. I would look at that as an add-on. You know AWS and you know Azure, maybe you got certified in those things, and now you're moving to this multi-cloud networking solution with Aviatrix, let's say, and so you decide to go down their certification route and add that to the portfolio. I wouldn't start there. I would add that as something you do later on, would be my take. Now, maybe someone who's worked on some of the training programs for these third parties I'm mentioning is going, "Banks, you're getting it all wrong," okay? You know how to get a hold of me. Get a hold of me and we'll talk about that.
[00:30:25.980] – Ethan
I don't mean to dismiss it as unimportant, because I think it is important, but business driven. You need to have an organization that's utilizing those tools. Okay, another question I have for you two guys that are big into this world is the whole infrastructure as code thing. If I'm learning cloud networking, it is all about infrastructure as code, by and large, if I'm coming from that old-school networking perspective. I've been building stuff by hand at the CLI and, by gosh, I love it. I've got to get a handle on infrastructure as code, do I not?
[00:31:01.890] – Michael
I would say so, yeah, you should definitely be. And we're kind of seeing this even in the Cisco world, right, the DevNet. There's a lot of developer-focused networking stuff coming out more and more. So yeah, I would definitely say that the whole idea of automation and thinking about infrastructure as code, or thinking about utilizing something like Python, definitely makes sense. Not saying that you have to go build the next Instagram. You don't have to be a principal developer, but you should understand it at that theoretical level. That's not the right verbiage, but you should definitely understand it at the scripting and the automation level. And I would also say that a lot of network engineers, just like the OG network engineers, a lot of them would also use Bash as well. So there's a fair amount of automation that's already known. It's really just thinking about it from a different language perspective.
[00:31:57.530] – Ethan
Well, it depends on how you define automation, I guess. Scripting some things and, like you mentioned, Python, Michael, I don't know that I'd want to start with that. If I'm dealing with cloud, wouldn't I want to start with CloudFormation or Terraform, something like that?
[00:32:11.210] – Ned
I would actually push back and say, if you're a Python person, you already know how to use Python. You could be perfectly happy using some of the libraries that are available for the public clouds to do your infrastructure as code, as opposed to learning a domain-specific language like Terraform or like CloudFormation. It might actually be easier for you to make the transition. You're not leaving the familiar language you know, you're just adding a new library, and you're going to need to understand what it's actually doing.
[00:32:43.760] – Ethan
Right?
[00:32:44.130] – Ned
So you still need that fundamental understanding of whatever cloud you’re deploying to, but you’re not now layering, hey, learn this whole other language and process on top of it.
[00:32:54.710] – Ethan
I guess I'm saying, if I am including infrastructure as code here, I guess I wouldn't say it's a requirement as such to learn cloud networking, but that to function effectively in your organization, I'm going to assume that your organization is doing infrastructure as code on some level, and to fit in with the rest of the scheme and how things are being provisioned in the cloud, you probably want to fit into that world. And in my mind, that's where you, instead of clicky-clicky through the AWS interface, or I know there's an AWS CLI as well and so on, but rather than doing things the way you did, this would be to me, especially if you're new to it, an opportunity to learn modern infrastructure provisioning. Let's put it that way.
[00:33:35.430] – Michael
Yeah, I would think that if we're thinking about things from, like, a probability versus possibility perspective, going with something like Terraform in today's world makes sense. But then there's also the one-off where I have clients that, instead of using Terraform, they want to use Pulumi and write in Python or write in Go, because the engineers that are managing their cloud environment, that's what they're comfortable with. So they don't want to go and learn Terraform. They want to use what they're ultimately comfortable with. But again, that's the probability versus possibility. You're going to be probably safer if you go Terraform versus if you go a CDK, or a cloud development kit.
[00:34:13.420] – Ethan
Or artisanal, handcrafted. Yes. Well, let's close off this conversation by talking through some of the certs that are available here. Let me give you a quick summary. As I was reviewing all the blueprints and the learning paths for the networking certifications that the Big Three clouds offer, I think I can kind of summarize it this way. And Michael and Ned, you guys check me here if I'm missing something important. I'm going to walk through these quick. One thing is just the basics, boring stuff that you've got to have: IP addressing and name resolution. Those things are key. Name resolution is especially key because of service discovery. That's a big function that you might not think of coming from old-school networking, where you know what DNS is and it matters, but it didn't really affect your networking as such all that much. Name resolution becomes more interesting and more important in the cloud for that service discovery aspect. Okay, so that's one thing, just the basics. Another is cloud-native networking constructs. Things like VPCs and gateways and load balancers and firewalls and WAFs, web application firewalls, things like this that the different clouds offer in different capacities, that are the building blocks of your architecture.
[00:35:21.490] – Ethan
Things that you are going to be stitching together in some way for traffic to flow through to that application that's being stood up in the cloud. That's a different way of thinking about things, but something that you absolutely are going to need to understand, and understand how to put them together. You'll be looking at architecture plans that explain how to stitch together multiple VPCs to accomplish this particular kind of security paradigm, for instance. You're going to learn that stuff. Another aspect, then, is connecting off premises. So you've got the cloud up there, but you've probably got some on-prem data center that you want to stitch up to it, or other premises that might need direct connectivity to the cloud or secure connectivity to the cloud, something like that. So now we're talking about VPNs, Direct Connect circuits. Now you're going to get into routing. Perhaps you're going to get into BGP, Border Gateway Protocol. And I even saw in the AWS blueprint, they think, yeah, MPLS, VPLS, those are architectures that they can support, which is a little bit advanced, and I was surprised they offer that. But yeah, that's something they want you to know as well for that connectivity.
[00:36:20.170] – Ethan
Another aspect that showed up in all of these blueprints was architecture and design. So you've got some specific business problem, some application scenario that you're standing things up for. If you remember, like, two- and three-tier applications, or you remember hub-and-spoke architectures, or you remember anything like that from the days of your networking fundamentals training as a network engineer back in the day, it's kind of that. Here are some standard ways that you're going to stitch all of these networking components together and build out your cloud network, and they're going to want you to understand specific architectures and the problems that they solve, and why you want to do it this way and not some other way. And then the last thing that I noticed was, pretty universally, and it was always just like a one-sentence mention, monitoring. Like, yeah, I guess you can monitor it. Fine. Yeah, we'll show you how to monitor it. Okay. Which always bums me out, because I love monitoring, and observability is like one of my favorite things, and it always seemed like an afterthought in these learning blueprints for the cloud networking certs. But that does come up, and it is something that they expect you to know.
[00:37:20.560] – Ethan
How did I do, Michael? Ned? Am I good? High-level summary?
[00:37:24.990] – Michael
Yeah, I would say definitely pretty spot on. The one thing that I haven't seen pop up lately, or yet, perhaps I'm wrong here, but I would assume that is going to start to come up later on, is the whole idea of connecting different clouds, this whole multi-cloud approach. That's definitely becoming something. Like, I'm getting asked more about it now this year than I did last year from clients. Last year it was like nobody cared. This year clients are like, hey, can we make it in an agnostic way so that we can send data to this cloud or that cloud, et cetera. So I'd imagine at some point relatively soon, it'll start coming up on the certifications.
[00:38:04.260] – Ethan
That’s where you need an extra, you need an economics specialty so you can talk about egress charges in gross detail.
[00:38:10.590] – Ned
Yeah, I really don’t think you’ll ever see on an AWS exam acknowledgment of another cloud.
[00:38:18.830] – Ethan
True.
[00:38:19.870] – Ned
I can't speak to the Azure and the Google ones, because they seem to be at least willing to acknowledge that other clouds exist. And they'll certainly walk you through the details of how to configure their version of MPLS or their version of site-to-site VPN, but they're not going to show you how to configure the corresponding side for the other cloud. That's something you're going to have to go a little outside of a particular vendor to do. And maybe one of those third-party certifications, Ethan, that you mentioned, or the third-party vendors, they're going to get into that. They're going to talk about that type of experience where you are stitching multiple clouds together, and they're trying to sell you their products. So they're happy to talk about all these different clouds that exist and how they can connect them all up for you.
[00:39:08.060] – Ethan
Connect them all up for you and make it easy for you to not have to care about the networking primitives that are unique to each environment, because they'll just deal with it for you. You deal with their control plane, right?
[00:39:19.430] – Ned
Up until you do have to care.
[00:39:20.880] – Ethan
Right up until you do have to care. Exactly right. Well, okay, so let's walk through just a quick overview of the Big Three networking specialties. I found three of them. Ned, the AWS Certified Advanced Networking Specialty was one that you have some familiarity with. Can you walk us through that?
[00:39:39.000] – Ned
Yeah, like I said, I built, not Terraform, a Pluralsight course. You can tell what I have on my brain right now. I built a whole Pluralsight course around preparing you for the Advanced Networking Specialty exam, and it covers all the things that you mentioned previously, like all the different constructs that exist inside of AWS. Some specifics around configuring public versus private subnets, setting up proper security groups, doing things like setting up DHCP, which you might not think about, but hey, maybe you need to set some special DHCP options. Where would you even do that? And what does it mean to enable different kinds of DNS resolution inside of a VPC? And then it does expand out to how to interconnect multi-cloud networks inside AWS, how to interconnect regions and take advantage of their most expensive options. Stuff like the transit gateway. Or if you want to do a direct link down to one of your on-premises environments, you can do that too. What does that look like? How do you build more of a mesh-style, large-area WAN deployment using all the AWS primitives?
[00:40:52.930] – Ethan
Now, you mentioned the most expensive option, kind of tongue in cheek in passing there. Do they highlight that some options and design choices are more costly than others?
[00:41:03.410] – Ned
They make very vague mention of it. So you are not required to understand the pricing model behind any of the networking choices you're making by the certification. You should understand the pricing model behind it, because when you actually do this in the real world, that's going to become a concern quite quickly. And you're like, oh, we need eight direct links going into this gateway. And they're like, yeah, that's going to be $40,000 a month. Can we do it a little cheaper? Yeah, VPNs it is. So yeah, it doesn't include that information. It's really more the how and somewhat of the why, but the cost is usually not a consideration in the design.
[00:41:48.760] – Ethan
Yeah, okay. Now I noticed that this exam has no prerequisites. You can just register and go take this thing. 65 questions, $300. They give you almost 3 hours to take it. Multiple-choice, multiple-response sort of an exam. But as I looked at that course material, you mentioned it before, they kind of expect you to know stuff already about AWS. I would not, looking at that blueprint, to me it's like, there's no way I'm just going to start going through that course material and take that test cold. I don't know enough AWS stuff. And so I started looking back to what other AWS certs actually teach some networking. And I found that the Certified Cloud Practitioner, which is the very, very basic entry-level one, and also the Solutions Architect Associate and the Solutions Architect Professional, both have networking as part of their blueprint. So if you want to ease into the networking specialty, I kind of think that's what AWS assumes you've done already: you've walked through the certification path on those levels, and now you're specializing because you wanted to go deeper down the rabbit hole of networking.
[00:42:48.960] – Ned
Or at least have that level of experience with AWS, even if you haven't taken the other certifications. So that's why it's not a requirement, but it's heavily implied that you'll have an Associate-level certification, or that level of knowledge of AWS, before you try to sit the specialty exam.
[00:43:06.090] – Ethan
Yeah, the specialty exam. Again, some of the items on there, like getting into MPLS and VPLS architectures, I'm like, jeez, I would not want to go into that cold. You'd want to really understand a lot of background material to understand how they're applying those architectures to their network connectivity.
[00:43:19.960] – Michael
Yeah.
[00:43:21.090] – Ethan
Let's move from there to Microsoft. Microsoft offers the Microsoft Certified: Azure Network Engineer Associate, Exam AZ-700. That's another one where I didn't see any prerequisites. You can just rock up and take it. It looked a little gentler than AWS, I guess. Do either of you guys have much experience with that one, or know anything about it?
[00:43:41.510] – Michael
I personally have not taken this one.
[00:43:45.110] – Ned
I have not taken it. But I did look through the requirements for it, and I would say if you have the knowledge from their Associate certification, which is the Azure Administrator Associate, AZ-104, that's a really good start. And then if you have sound network principles on top of that, you could probably sit this exam fairly easily. As Michael kind of said, AWS is the hardest networking to learn, and Azure is fundamentally easier to understand and grok. So I don't think you'd have to do as much preparation to sit the AZ-700 exam.
[00:44:22.130] – Ethan
I couldn't find as many specifics about what the exam entailed, other than cost. As I was clicking around, I found that it costs $165 to sit AZ-700. Again, I didn't see any prerequisites, but I don't know how many questions or how much time they give you. I don't know if maybe I just missed it and it's out there.
[00:44:38.230] – Ned
Somewhere, but it was in one of the descriptions that I looked through, and I, of course, did not write it down. But it's fairly the same. It's all multiple choice or multiple response. You're not doing any practical work. It's just, look at this scenario, or look at this question, and select the appropriate response for it.
[00:44:56.450] – Ethan
Okay.
[00:44:57.140] – Michael
I don't know if they still have it or not. I'm just kind of looking through it right now myself. I remember with a lot of the AWS exams, and even a lot of the Azure exams, it would say on there, like, you should have a minimum of one year working in this environment, or something like that. And I'm not seeing that in this one. I'm quickly looking through it. I could be missing it. But I think that's also something else to definitely keep in mind for everybody that's thinking about getting the certifications. I know that there are a ton of people that go into certifications cold turkey and just kind of go do it without the job experience. But on the flip side, if you have the job experience, it's actually what they recommend. They're recommending you work X amount of years, whether it's six months or two years or whatever, in a specific role to be comfortable to take the certification.
[00:45:48.590] – Ethan
Yeah, I think that goes back to trying. They want that certification to be somewhat meaningful. And if you're just certified on paper but you've never had any hands-on, it is possible, with the right study materials and some lab work, to pass the exam. But if you have no practical experience, you will struggle at a client site, or for your business, to understand how to apply those things necessarily. That can be a lot tougher. I assume that that's what they're getting at. Not that you have to have been exposed to AWS for two years before you could possibly consider taking this specialty. I don't think it's that so much as the result that they hope the person who takes that specialty has: they've got someone with some experience behind them, they've seen some stuff, and now they've got the networking specialty, and I think that's really where they want to go. All right, one more certification to talk about. GCP. Google Cloud? Was it Google Cloud Platform? I think it was. Anyway. GCP Professional Cloud Network Engineer. And they've got their blueprints here. By the way, the blueprints and some links to all this stuff will all be in the show notes at daytwocloud.io, where we publish these podcasts, if you just want to click through.
[00:46:53.250] – Ethan
But, I mean, does anyone read show notes? I don't know. It's very easy to Google all this stuff and just get right into it. But just so you know, we've collected them for your convenience, if you care to visit the show notes. But GCP Professional Cloud Network Engineer. This looked, again, very similar in blueprints and topics to the AWS and Azure certs that we just mentioned. You guys agree with me?
[00:47:15.710] – Ned
It’s almost like AWS came up with the specialty cert and everyone else is like, that’s a pretty good idea. How are you doing that? No prereqs. Okay, cool.
[00:47:29.950] – Ethan
Same thing, no prereqs. You can just rock on up and take it, and they'll be happy to take your money. Well, the testing center will be happy to take your money and give you a shot at passing the GCP Professional Cloud Network Engineer certification. This one's $200. 50 to 60 multiple-choice and multi-select questions. They give you 2 hours. Go forth and conquer kind of thing. Now, I did want to follow up on one point on this exam, Ned, which was, earlier in the podcast you said, if you're going to pick one, don't start with Google Cloud. Was that merely because of market share and stuff? Or was it also because of the material and their approach to networking? Was that different enough that you don't recommend starting there?
[00:48:08.430] – Ned
No, that's purely market share. So just getting the bang for your buck, you're probably going to go farther with the training and certification from one of the other clouds. There was this sort of feeling in the zeitgeist for a while that Google Cloud was growing, and if you happened to get one of those certifications, you could get a job easier, because people were looking for anyone certified in Google Cloud. I don't think that really panned out after a year or two, and lots of folks are content to just stick with Azure and AWS for their cloud needs.
[00:48:38.950] – Ethan
Michael, GCP came, or when I think of Google, I think of Kubernetes. Kubernetes came from Google in some way. Is there any tie-in here with the Google Cloud networking certs at all?
[00:48:50.570] – Michael
No, nothing that I've seen. From what I'm seeing right now, it looks like there is some tie-in in terms of running GKE for some of the labs. So, like, if you click on, there's one called Create and Manage Cloud Resources under the networking piece, and there are some labs here that go into it. And it does have a mention of GKE, but I haven't personally seen anybody talking about Kubernetes being specifically on one of the networking certifications in GCP. It looks like it's in the labs, but I'm not seeing it as something like, you have to know how to troubleshoot Kubernetes, for example, to have the ability to get the Cloud Network Engineer certification.
[00:49:37.510] – Ethan
I will say, looking at these certifications, 65, 60-ish questions, let's say. It's not a lot of questions, and there's a lot of material there. So it'd be pretty easy to come up with a massive data set of possible questions for exams like this. So I would think there'd be a lot of studying you'd need to do, a lot of lab work you'd need to do. A lot of just spending time hands-on, standing up and tearing down the different architectures that you want to know, and understanding the capabilities of each and everything. Because, man, you don't know what you're going to get with that small of a selection. It's not like you can say, I'm just going to focus on these three things and skip this other stuff. That's not the way these small-question exams tend to work, in my experience. You're going to get something of everything, and you just don't know what it's going to be. It could be some esoteric detail that they want to test you on, something bizarre, and the questions are so often structured to make you really think, where you're like, crap, I can eliminate two of the four choices and now it's between these two.
[00:50:34.030] – Ethan
What's the keyword in the question that makes me think, oh, this is what they want me to say? Okay, that kind of stuff. I would imagine these exams are pretty challenging.
[00:50:44.670] – Michael
Yeah, it's funny. I'm looking at the Network Engineer learning path right now for GCP, and it actually looks very clean, in my opinion, in terms of the UI, in terms of giving the full explanation. Like, you have this Start Lab button, and you could go through your account or just do the lab. There are these quests here. I don't know what the difference is between a quest and a lab, but it tells you how many credits you'll have to use in your GCP account, the amount, and then it goes through... oh, I guess a quest is a plethora of labs, from what I can tell.
[00:51:20.570] – Ethan
I'm glad you brought all this up, Michael, because that is one thing that stuck out to me that was different from AWS and Microsoft Certified. The AWS and Microsoft Certified stuff, they'll tell you courses and different ways that you can get a hold of all the training material to pass this exam. Google's like, click through here and you can learn it. We have websites that are dedicated to helping you learn it. I don't know if they were giving away all the training material that you'd need, or exactly what, but they just looked like they were trying to really make it easy for you to learn this material so you could get through the exam.
[00:51:52.880] – Michael
Yeah, it looks pretty clean from what I can see, to be honest. I might just go through it just for fun, just to kind of see what it’s like.
[00:51:59.750] – Ned
Microsoft has a full self-paced learning path that you can go through for their network specialty certification as well. So similar in nature to what Google is doing. I can't speak to AWS, but I know they've been working on developing their internal training platform more, rather than relying on external instructors. So your mileage may vary depending on which certification you're going for. One other thing I do want to point out, I know we're running a little long-winded. Three podcasters on one show. Imagine that. One thing I want to mention is a certification that's not specific to any of the clouds, but I think if you're coming from a background that is not networking, you might want to go and sit the CCNA, maybe the Network+. But really, the one I have experience with is the CCNA, because, yes, it's going to teach you some Cisco-specific stuff, but it's also going to teach you some networking fundamentals that are useful no matter what cloud you're working in.
[00:53:04.350] – Ethan
I will just caution that that is a robust certification. Even though it's an associate level, there is a lot of information that they want you to go through and study. But to speak to your point, Ned, I completely agree. You need networking fundamentals. That's about the best thing going. Even though it is Cisco-specific on some level, they are teaching you globally applicable networking fundamentals as well. You're going to learn all kinds of key stuff that you'll use throughout your IT career if you're coming into this networking thing cold, for sure.
[00:53:34.400] – Ned
Yeah. It was huge for me when I was early on in my career, just understanding how networking actually works versus the magic pixie dust that I thought it was using. I was like, oh, no.
[00:53:44.620] – Ethan
And there's so much training material that's at the CCNA level out there. I mean, you can go on Udemy and pick up a CCNA course that's solid for really short money, like less than $100, but you will be into hours and hours and hours of study to prep for that thing. It's a beastly amount of information. Just so you know what you're getting into, if you're thinking about it, it's for reals.
[00:54:07.730] – Michael
Yeah, I think a lot of the big networking folks out there have free courses on it as well. Like Keith Barker, I think he always has stuff on his YouTube around, like, free CCNA courses and stuff like that. So there's like a plethora of information out there.
[00:54:26.550] – Ethan
Yeah. David Bombal is another one. Lots and lots and lots of information, much of it free, coming from David. And if you pay some money for one of his courses, you would not be disappointed. He's an excellent instructor. There are a lot of people in this space that are very good. Honestly, we'd be remiss to try to name them all, because we're going to miss somebody. Well, guys, as Ned said a minute ago, we are going a little long. Three podcasters on the mic. Imagine that. We went a little long today. But real quick, let's conclude the roundtable by just going around, letting people know where they can get a hold of us. Michael, starting with you.
[00:54:57.310] – Michael
Sure. Yes. You can find me on LinkedIn. It's probably my biggest platform right now. Twitter still a little bit. I'm kind of floating around there to see what's going to happen over there. But if you'd like to get in contact with me, definitely LinkedIn is the best place.
[00:55:13.350] – Ethan
And Ned, I know you and I are on this podcast all the time, but we don't talk about ourselves too much. How do you like people to get a hold of you these days?
[00:55:19.980] – Ned
How about that? I'm going to mirror what Michael said. Reach out to me on LinkedIn. Interestingly enough, Twitter is Twitter, but LinkedIn is where I've been putting more of my stuff, or more of my effort, into recently, because that seems to be where the more interesting interactions happen, or at least the more civil ones.
[00:55:39.610] – Ethan
Look for me on there.
[00:55:40.720] – Ned
Or you can always go to my website, Nedinthecloud.com, and find all the other things.
[00:55:46.400] – Ethan
And I'm Ethan Banks. I am occasionally on Twitter at @ecbanks. I have a large following there, even though I don't tweet all that much anymore. You can also find me on LinkedIn. I am finding LinkedIn is where all of the interesting technology discussions are happening. Nice threaded conversations and a lot of good articles getting percolated up through the people that I follow on LinkedIn. I really find the quality these days is on LinkedIn as well. It's funny you guys brought that up. We didn't plan that, but it seems like we've all kind of come to the same conclusions on our own. You can find me pretty easily over there on LinkedIn as well. And I'll connect with you. If you're a network engineer, someone in the space, by all means send me a request. I'd be happy to connect with you and build our networks in that way. And if you made it all the way to the end, you're still listening right now. Hey, virtual high fives, you awesome human. If you have suggestions for future shows, things you'd like Ned and me to talk about, or find guests for, we would love to hear your ideas.
[00:56:40.610] – Ethan
You can hit us up on Twitter or LinkedIn, apparently, or fill out the request form on daytwocloud.io. We've got a real simple contact form there for you, if you prefer that. By the way, there's more community stuff for you. You do not have to scream into the technology void alone. The Packet Pushers Podcast Network has a free Slack group that is open to everyone, and I do mean everyone. If you work for a vendor, that's fine, just no marketing, that's all we ask. But please jump on in and have a chat with everybody. PacketPushers.net Slack, and you can join. What else? Well, how about we just close the podcast there for today? So until then, just remember: cloud is what happens while IT is making other plans.
The Azure Network exam is the hardest certification exam I have ever taken, and I've been doing networks for 22 years. You can't get by with just reading up on the Azure admin exam like one of the hosts suggested. You need to know Azure networking inside out to pass this exam.
The down-low is much appreciated, Ice Man!
To add to your comments about networking basics, there is a free option without committing to a full networking certification.
Juniper Networks has a free online module course, Networking Basics. Just the networking concepts and not the Junos-specific stuff.
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=769
Thanks for this, Steve. Much appreciated.