DGTL Brkaci 2683 PDF

#CiscoLive
ACI Cloud First

An ACI Fabric without an on-premises DC
Lionel Hercot, Technical Marketing Engineer, IBNG

@LHercot
DGTL-BRKACI-2683
#CiscoLive
Agenda
• Introduction
• AWS Cloud 101
• Azure Cloud 101
• Cloud ACI Architecture

• Use Cases
• Demo
• Conclusion
#CiscoLive DGTL-BRKACI-2683 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Chapter 1: Introduction
ACI Anywhere
Edge / Remote Core Data Centers Multicloud
Virtual ACI IP WAN ACI IP WAN Cloud ACI
ACI ACI ACI Virtual Cloud

Multi-POD Multisite Remote Leaf ACI ACI
ACI 2.0 ACI 3.0 ACI 3.1 ACI 4.0 ACI 4.1 | ACI 4.2
Challenges in building a Multi Cloud environment
• Building an automated and • Maintain consistent policy, • Requires a single pane of

secure interconnect security and analytics for glass to manage policies
between On Premises and workloads deployed across on-premises and
Cloud datacenters with across on-premises and cloud locations
ease of provisioning and cloud locations
monitoring at scale
Cloud ACI
Multi-Site Orchestrator (MSO)
VM VM VM
VM VM VM
VM VM VM
Cloud Region(s) On-Premises Cloud Region(s)
Cloud First
MSO
Cloud ACI
EPG EPG EPG
Contract Contract
Web APP DB
IP
ASG
Web
NSG
ASG
APP
NSG
ASG
DB
Network SG
Web
SG Rule
SG
APP
SG Rule
SG
DB
Azure Region AWS Region
Consistent Policy Enforcement Automated Inter-connect Simplified Operations

on-Premises & Public Cloud provisioning with end-to-end visibility
Why does this matter?
Why does this matter?
Chapter 2:
Azure/AWS Networking 101
AWS Cloud 101
AWS Fundamentals
• Regions Region
Multiple data centers with more than one physical location. Pod or site
equivalent in ACI
Subnet
• Availability Zones (AZ) Availability Zone 1 Availability Zone 2
Set of buildings, Internet uplinks and power. Data center but may contains
more than one physical location. Path or node attachment equivalent in ACI
• Virtual Private Cloud (VPC) ACI

Set of subnets with one ore more CIDR blocks running in a single region across Pod
multiple data centers (AZ). Similar to VRF VRF
• Subnet BD
Range of IP addresses. Each subnet must reside within one AZ and can’t span Subnet Path Node Attachment
zones. Minimum subnet size is /28. BD Subnet
AWS Fundamentals (Cont.) Route
table Router
Route
table
Network ACL Network ACL
• Security Group
Security Security
Act as a firewall for associated EC2 instance (VM), controlling both inbound and Security Group
Group Group
outbound traffic at network interface (EP) level. Equivalent to EPG with white-list
• Security Group Rule

Rules applied to inbound traffic (ingress) or outbound traffic (egress). Combination Subnet 1 Subnet 2
of contracts and filters in ACI
L3out
VRF
• Network ACL
Used to deny / permit select traffic at a subnet level. Network ACLs are stateless. In
Routes Routes
ACI, it is similar to taboo and grey-list contracts PSVI
• Route Table Taboo Taboo
Can be associated with multiple subnets. Acts like a source-based policy-based

routing (PBR) rule. EPG EPG EPG
BD Subnet 1 BD Subnet 2
Connectivity Terms
AWS Only – External Connectivity
• Internet Gateway (IGW)
• Horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the
Internet
• NAT Gateway
• Acts like an ECMP route to a set of NAT devices
• Virtual Private Gateway (VGW)

• is the VPN concentrator. It terminates VPN and AWS Direct Connect. Also provides BGP control plane for route-exchange
• Virtual Private Network (VPN)

• comes in two flavors: VPNs provided through VGW and instances running VPN software
• Direct Connect (DX)

• Private dedicated link to an AWS region (not encrypted). Used for speed and throughput.
• In ACI, IGW / VGW / DX are equivalent to L3out.
AWS Transit Gateway (TGW)
VPN Attachments
(IPsec/BGP) High Bandwidth Router (Inter-VPC)
Burst to 50Gbps / VPC, DX or TGW peering
Region - 1 Direct Connect GW TGW Peering
(Inter-Region)
Regional Construct
Attachment
Same feature-set as VGW
TGW
VPN, BGP, Static routing
VPC Attachments VGW is limited to 1.25G / tunnel
TGW too.
ENI ENI ENI ENI
ECMP support on BGP over VPN
VPC-1 Subnet-1 Subnet-2 VPC-2 Subnet-1 Subnet-2
Caveats:
No overlapping IP space (not a VRF)
No Security Group referencing
AZ-1 AZ-2 AZ-1 AZ-2
No propagation from TGW to VPC
No propagation from TGW to TGW
One ENI per Availability Zone (subnet)
Best practice to dedicate those subnets
AWS Transit Gateway (TGW) Overview (Cont.)
TGW for Inter-VPC connectivity Example:
TGW Route Table:
Destination Target
TGW
10.0/16 vpc-att-1
20.0/16 vpc-att-2
VPC-1 VPC-2
CIDR: 10.0/16 CIDR: 20.0/16
VPC-1 Route Table: VPC-2 Route Table:
Destination Target Destination Target
10.0/16 local 20.0/16 local
20.0/16 TGW 10.0/16 TGW
Azure Cloud 101
Azure Fundamentals
Subscription: Customer’s agreement with Microsoft to obtain Azure services. ~= Azure account. One user can have multiple subscriptions.
Create one or more resource groups in the subscription.
Directory: This is Azure Active Directory used for access control management. For example lhercot@cisco.com belongs to directory cisco.com
and directory Cisco-INSBU-ACI so lhercot@cisco.com can access resources in directories cisco.com and Cisco-INSBU-ACI.
Access control (IAM): Used for defining and assigning Roles. Azure has multiple built-in Roles with different permission levels. Cisco cAPIC must
have at least Contributor Role for Read/write access to the account (subscription)
Azure Fundamentals (Cont. 1)
Region
• Regions
Resource Group
• Multiple data center with more than one physical location in large
geographic location.
VNET
• Resource Group Subnet 1 Subnet 2
• A container in Resource Manager that holds related resources for

an application or a subset of one.
ACI
• Virtual Network (VNET) Pod
VRF
• Network construct with a set of subnets from an Address Space
running in a single region across multiple data centers. Similar to
VRF BD
Subnet Path Node Attachment
• Subnet
• Range of IP addresses. Each subnet can span a complete region.
Minimum subnet size is /28. BD Subnet
Gateway
Azure Fundamentals (Cont. 3) VNET
Route
Router
table
• Application Security Group (ASG) NSG
Group virtual machines together. Allow to apply Network Security
Group (rules) at scale between Application Security Group. Equivalent ASG ASG
to EPG.
• Network Security Group (NSG)

Subnet 1 Subnet 1
Contains security rules that allow or deny inbound network traffic to,
or outbound network traffic from, several types of Azure resources.
NSG can be applied between ASGs. Combination of contracts and VRF L3out
filters in ACI.
• Route Table Routes

SVI
Routes
Can be associated with multiple subnets. Allow to modify the routing

behavior in a set of subnets. EPG EPG EPG
BD Subnet 1 BD Subnet 2
Connectivity Terms
Azure Only – External Connectivity
• Outbound connections
• Azure automatically do PAT for traffic generated by VMs with internal IP addresses. VMs can be assigned
Instance-Level Public IP addresses to achieve NAT.
• VPN Gateway (VNG)

• Virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an
on-premises location over the public Internet. Each virtual network can have only one VPN gateway.
Support BGP to exchange routes with peer router.
• ExpressRoute
• Private dedicated link to an Azure region (not encrypted). Used for speed and throughput. Support BGP to
exchange routes with peer router.
• In ACI, Outbound connections / VNG / ExpressRoute are equivalent to L3out
Chapter 3:
Cloud ACI Architecture
Cloud APIC Architecture
• Virtual Form Factor of APIC
• Automates / Manages Cloud Routers
Web Server (NGINX)
• Translates ACI Policy to cloud native constructs
Policy Distributor (PD)
• Deploys cloud resources and infrastructure
Policy Manager (PM) components
Cloud Policy Cloud Policy • Intuitive GUI and Similar ACI UI look and feel
Element Element
….
Connector Connector
• REST API North Bound Interface
API (AWS, Azure...) • cAPIC manages 1 or more regions

NetConf (CSR1000v)
Policy Mapping - Azure
Resource Group Tenant
Virtual Network VRF
Subnet BD Subnet
Application Security Group (ASG) EPG
Network Security Group (NSG) Filters
Outbound rule Consumed contracts

Source/Destination: ASG or Subnet or IP or Any or ‘Internet’
Protocol
Port
Inbound rule Provided contracts

Virtual Machine
Network Adapter End Point (fvCEp)
Policy Mapping - AWS
User Account Tenant
Virtual Private Cloud VRF
VPC subnet BD Subnet
Tag / Label EP to EPG Mapping
Security Group EPG
Security Group Rule Contracts, Filters

Outbound rule Consumed contracts
Source/Destination: Subnet or IP or Any or ‘Internet’
Protocol
Port
Inbound rule Provided contracts
A
EC2 Instance
Network Adapter End Point (fvCEp)
Topology Health
• Network connectivity and Health
Endpoints in an EPGs
Statistics
• We will show multiple
statistics:
• Inter-site
• Inter-region
• Inter-VPC
• Cloud EPG
• Cloud Routers
Dashboard
Dashboard brings overall Cloud site information
Object Topology
Display different options views: VPC, AZ, VRF...
VRF Stats
CSR Stats
AWS Transit Gateway Stats
End Point Learning in Cloud
Cloud APIC Infra VNET Cloud APIC

Infra VPC
AWS config Azure Alerts

services
CSR CSR CSR CSR
AZ-1 AZ-2 AZ-1 AZ-2
VGW VNG
SG-1 ASG-1
User VPC -1 User VNET -1

Region 1 Region 1
Security Group (SG) Availability Zone (AZ)
Cloud EPG
Mapping Endpoints by IP, Subnet, Region, AZ or Tags
WEB EPG DB EPG
Site B
Subnet-S1 – 10.1.1.0/24 Subnet-S3 – 10.1.3.0/24
Subnet-S2 – 10.1.2.0/24 Subnet-S4 – 10.1.4.0/24
US-East-1 US-West-1
Transit VPC/VNET Architecture
Region - 1 Region - 1
Infra VNET Infra VPC
CSR1kv CSR1kv CSR1kv CSR1kv
IPSec Tunnel IPSec Tunnel
VNG VNG VGW VGW
User VNET 1 User VNET 2 User VPC 1 User VPC 2
Transit VPC/VNET Architecture across regions
Region - 1
Infra VNET
CSR1kv CSR1kv
IPSec Tunnel
VNG
User VNET 1
Infra VNET Infra VNET
VNG VNG
User VNET 1 User VNET 2
Region - 1 Region - 2 Region - 3

IPSec Tunnel
VNG VNG VNG
User VNET 1 User VNET 2 User VNET 3
Region - 1 Region - 2 Region - 3

Infra VPC Infra VPC
IPSec Tunnel
VGW VGW VGW
User VPC 1 User VPC 2 User VPC 3
New architectural options inside a Region
Infra VPC Infra VNET
CSR1kv CSR1kv
CSR1kv CSR1kv
VNG
User VPC 1 User VPC 2 User VNET 1 User VNET 2
Transit Gateway (TGW) VNET Peering

Available in 5.0(1) Available in 5.0(2)
Hub Networks
• VRFs can have overlapping IP spaces
• VRF are mapped to a VPC in a specific Region
• VNET Peering and Transit Gateway (TGW) do not support overlapping IP
spaces
• A Hub Network represent a group of non-overlapping VRF

• => Transit Gateways (TGWs) or a series of VNET Peering
• No communication between two hub networks
VNET Peering Architecture across regions
VNG VNG
Global VNET Peering
User VNET 1 User VNET 2 User VNET 3 User VNET 4
Transit Gateway Architecture across regions
Region 1 Region 2
Infra VPC Infra VPC

CSR1kv-0 CSR1kv-1 CSR1kv-0 CSR1kv-1
TGW Peering
TGW-1 TGW-2 TGW-3 TGW-4

Infra Tenant Infra Tenant
User VPC-1 User VPC-2 User VPC-3 User VPC-4
EPG-1 EPG-2 EPG-3 EPG-4 EPG-5 EPG-6 EPG-7 EPG-8
A B C D E F G H
User Tenant-1 User Tenant-1
Chapter 4: Multi-Cloud ACI
Let’s Multi-Cloud
ACI Multi-Cloud First
VM VM VM VM VM VM
Cloud Region(s) Cloud Region(s)
MSO Form Factors
Hardware Appliance VMware OVA Cloud MSO for AWS

KVM QCOW Image
All are based on Application Service Engine (ASE)
Multi-Cloud Architecture
Infra VNET IPSec VPN Tunnel (Underlay) Infra VPC
BGP-EVPN Session (Control Plane)
VXLAN Tunnel (Data Plane)
IPSec Tunnel
Internet IPSec Tunnel
VNG VNG VGW VGW
User VNET 1 User VNET 2 User VPC 1 User VPC 2
Infra VNET IPSec VPN Tunnel (Underlay)
Infra VPC
CSR1kv CSR1kv CSR1kv-0 CSR1kv-1
IPSec Tunnel
Internet TGW-1 TGW-2
VNG VNG
User VPC-1 User VPC-2

Infra VNET IPSec VPN Tunnel (Underlay)
Infra VPC
CSR1kv CSR1kv CSR1kv-0 CSR1kv-1
VNG
Internet TGW-1 TGW-2
User VPC-1 User VPC-2

Use Cases
Application Stretch
Multi-Site Orchestrator
• Stretch tenant/VRF across cloud sites

Cloud APIC Cloud APIC
• During peak times easily deploy application
Tenant Cloud APIC tiers and resources in the cloud site
VRF • Consistent segmentation policy and

BD1/Subnet CIDR 2
1Web-EPG1 Web-EPG2
enforcement within and across cloud sites
• Application stack failover between sites

HTTPs HTTPs
(active/disaster recovery)
BD3/Subnet3 CIDR 4
App-EPG1 App-EPG2
Stretched EPG with Consistent Segmentation

• Web Tier and App Tier are stretched and
Tenant securely segmented across public cloud
sites
VRF
CIDR 2
BD/Subnet1
• Consistent segmentation policy and
EPG - Web
enforcement for endpoints of Web/App Tier
are independent of location
HTTPs, redis
BD3/Subnet3 CIDR 4
EPG - App
Shared Services for Multi-Cloud
• Provides a capability to
deploy shared service
Tenant 1 Tenant 2 Tenant 3 across clouds
Route
Leaking
VRF1 VRF2 VRF3 • Shared Service deployed in

CIDR 2 CIDR 4 1 Site can be consumed by
DNS Web-EPG Web-EPG endpoints across other
sites
BD/Subnet1
HTTPs HTTPs, redis
DNS-EPG • Contract will leak subnet
CIDR 3 CIDR 5
between VRFs for
App-EPG App-EPG
reachability
Cloud L3outs Site A Site B
Infra VNET Infra VPC

Region 1 Region 1
CSR CSR CSR CSR
AZ-1 AZ-2 AZ-1 AZ-2
IPSec Tunnel VNG VNG IPSec Tunnel IPSec Tunnel VGW VGW IPSec Tunnel
User VNET - 1 User VNET -2 User VPC - 1 User VPC -2
EPG-1 EPG-1 EPG-2 EPG-3 EPG-1 EPG-1 EPG-2 EPG-3

Outbound
L3out L3out
SG-1 SG-1 SG-2 SG-3 SG-1 SG-1 SG-2 SG-3
Instance 01 Instance 02 Instance 03 Instance 04 Instance 01 Instance 02 Instance 03 Instance 04
IGW
Outbound
L3out
L3out
BRKACI-2683
Deploying Cloud APIC
Cloud APIC in Cloud Marketplaces
http://cs.co/capic-azure http://cs.co/capic-aws
MSO App on CASE in AWS Marketplace
Demo
Demo #1 - Setup: Web in Azure / DB in AWS
Multi-Site
Site A Site B
Internet gateway
WoS-VRF VPC Infra VPC CSR1000V WoS-VRF VPC
Web DB
CSR1000V IPsec VPN
EPG Web EPG DB
10.101.200.5 10.101.100.148
VNG VGW Internet
gateway
Infra VPC
Demo #1 - Logical View
Web-to-DB
Internet C Web C DB
Web-to-Internet
Demo #1 - Logical View
Web-to-DB
Internet C Web C DB
Web-to-Internet
ACI Cloud First
Recap
You do not need an On-premises ACI Fabric to start with Cloud ACI
MSO
Consistent Policy Enforcement Automated Inter-connect Simplified Operations

on-Premises & Public Cloud provisioning with end-to-end visibility
Thank you
#CiscoLive
#CiscoLive

DGTL Brkaci 2683 PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

DGTL Brkaci 2683 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

#CiscoLive

ACI Cloud First

Lionel Hercot, Technical Marketing Engineer, IBNG

• Cloud ACI Architecture

Edge / Remote Core Data Centers Multicloud

Virtual ACI IP WAN ACI IP WAN Cloud ACI

ACI ACI ACI Virtual Cloud

• Building an automated and • Maintain consistent policy, • Requires a single pane of

Cloud Region(s) On-Premises Cloud Region(s)

Multi-Site Orchestrator (MSO)

Azure Region AWS Region

Consistent Policy Enforcement Automated Inter-connect Simplified Operations

• Virtual Private Cloud (VPC) ACI

Network ACL Network ACL

• Security Group Rule

• Route Table Taboo Taboo

Can be associated with multiple subnets. Acts like a source-based policy-based

• Virtual Private Gateway (VGW)

• Virtual Private Network (VPN)

• Direct Connect (DX)

• In ACI, IGW / VGW / DX are equivalent to L3out.

TGW Route Table:

VPC-1 Route Table: VPC-2 Route Table:

Destination Target Destination Target

10.0/16 local 20.0/16 local

20.0/16 TGW 10.0/16 TGW

• A container in Resource Manager that holds related resources for

Azure Fundamentals (Cont. 3) VNET

• Network Security Group (NSG)

• Route Table Routes

Can be associated with multiple subnets. Allow to modify the routing

• VPN Gateway (VNG)

• In ACI, Outbound connections / VNG / ExpressRoute are equivalent to L3out

API (AWS, Azure...) • cAPIC manages 1 or more regions

Application Security Group (ASG) EPG

Network Security Group (NSG) Filters

Outbound rule Consumed contracts

Inbound rule Provided contracts

Network Adapter End Point (fvCEp)

VPC subnet BD Subnet

Tag / Label EP to EPG Mapping

Security Group EPG

Security Group Rule Contracts, Filters

Network Adapter End Point (fvCEp)

• Network connectivity and Health

Dashboard brings overall Cloud site information

Display different options views: VPC, AZ, VRF...

Cloud APIC Infra VNET Cloud APIC

AWS config Azure Alerts

AZ-1 AZ-2 AZ-1 AZ-2

User VPC -1 User VNET -1

Security Group (SG) Availability Zone (AZ)

Subnet-S1 – 10.1.1.0/24 Subnet-S3 – 10.1.3.0/24

Subnet-S2 – 10.1.2.0/24 Subnet-S4 – 10.1.4.0/24

CSR1kv CSR1kv CSR1kv CSR1kv

IPSec Tunnel IPSec Tunnel

VNG VNG VGW VGW

User VNET 1 User VNET 2 User VPC 1 User VPC 2

CSR1kv CSR1kv CSR1kv CSR1kv

IPSec Tunnel IPSec Tunnel

User VNET 1 User VNET 2

Region - 1 Region - 2 Region - 3

CSR1kv CSR1kv CSR1kv CSR1kv