Platform Engineering at Palo Alto Networks: Part-1

Ramesh Nampelly
Dec 27, 2022


I have been contemplating what my first blog at Palo Alto Networks should be and when the right time to publish it would be. I felt this was the perfect time to reflect on my journey and experience leading cloud infrastructure and platform engineering.

I joined Palo Alto Networks in April 2021 to lead the production engineering team for the Cloud Delivered Security Services organization within the Network Security organization speedboat, and recently assumed an expanded role leading infrastructure platforms for the whole NetSec organization. In this blog, I would like to talk about how we have transformed production engineering services into platforms. This is the start of our blog series, in which I provide a high-level overview of our Internal Developer Platform (IDP); we will be publishing separate blog posts for each of our IDP components in the coming months.

Let’s start with a quick background on the inception of the PAN IDP. Primarily, the following two factors motivated us to embark on this journey:

  1. Palo Alto Networks Platforming Approach: As you know, Palo Alto Networks is known as a cybersecurity leader, and one of the main reasons for its success is its platforming approach towards cybersecurity solutions. We have internalized the same idea to build a platform for production engineering services such as infrastructure provisioning, cost management, observability and incident management, rather than providing them as isolated automation solutions to engineering teams.
  2. Self-service Developer Tooling: One of the major issues with legacy production engineering/DevOps/SRE practices is standalone automation scripts with associated documentation; one has to go through multi-page documentation to understand and run those tools, or consult a subject matter expert.

Once we decided to go with a platform approach, the next challenge was to determine whether to build something internally or buy. After detailed analysis, we decided to build it, considering Palo Alto Networks specific use cases. Since our philosophy is not to reinvent the wheel but rather to leverage open source projects to leap forward, the team found an awesome open source project called backstage.io to kickstart our journey. We forked the Backstage OSS code, added the required abstractions and named it “Palo Alto Networks DevClues”.

The first use case we implemented was a “service catalog” to help developers or SREs find the details of a given production service easily and quickly. Now, 1.5 years into the journey, we have quite a few services in the IDP (shown in the diagram below) at various stages of adoption.

The platform consists of 4 categories: Resource Management, Infrastructure Management, Production Management and Developer Portal. The Developer Portal (DevClues) is the entry point (one-stop shop) for all of the services that the platform offers. For example, if an engineering team wants to onboard their services to observability, they can simply log in to the Developer Portal and use the onboarding plugin (i.e. a custom plugin contributed by the observability team) to finish their observability integration.

Today, the Developer Portal (DevClues) serves 12 plugins and tens of service templates to improve overall engineering efficiency. We continue to build more templates and plugins based on our engineering needs. I’d also like to point out that some of these are contributed by development teams (a.k.a. our customers). So, we have embraced an internal open sourcing model (i.e. inner-sourcing) since day one.

In Part-2, I will provide a sneak peek into each of the four categories of the Palo Alto Networks IDP and their capabilities in the context of a report published by Gartner in 2022. As per this report, the IDP capabilities are categorized into the following three development lifecycle phases:

  • Discover and Create
  • Integrate and Deploy
  • Operate and Improve

We’ll expand a bit on each of these phases and capabilities in the Part-2 blog post. If you are interested in knowing more, you can reach out to me at rnampelly@paloaltonetworks.com.
