Connecting to the Multicloud: Consistent Policies Across Multicloud
Prastowo Yuliarso
DC Technical Solutions Architect
Moving to Cloud is real…
“Over the next few years, we will begin to migrate some systems onto the cloud, gain experience in this mode of operation, and take bolder steps in light of what we can learn.”
Singapore prime minister Lee Hsien Loong
Cisco Multicloud Portfolio — Objectives
Multicloud Portfolio:
• Cloud Advisory: design, plan, accelerate and de-risk your multicloud migrations
• Cloud Consume: deploy, monitor and optimize applications in multicloud and container environments
• Cloud Connect: securely extend your private networks into public clouds and ensure the application experience
• Cloud Protect: protect multicloud identities, direct-to-cloud connectivity, data and applications, including SaaS
FMC to APIC Rapid Threat Containment: FMC Remediation Module for APIC
[Diagram: ACI Fabric with an App EPG (infected App1, App2) and a DB EPG; FMC connected to APIC]
Step 1: The infected endpoint launches an attack that NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks inline.
Step 2: An intrusion event is generated and sent to FMC, revealing information about the infected host.
Step 3: The attack event is configured to trigger the remediation module for APIC, which uses the APIC northbound API to contain the infected host in the ACI fabric.
Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG.
ACI Anywhere – Accelerate Multicloud: “Evolving our multicloud journey by extending ACI everywhere”
Accelerates the journey to multicloud:
• ACI 2.0: ACI Multi-Pod: multiple networks (pods) in a single availability zone (fabric)
• ACI 3.0: ACI Multi-Site: multiple availability zones (fabrics) in a single region, and multi-region policy management
• ACI 3.1: ACI Remote Leaf: a physical remote leaf extends an availability zone (fabric) to remote locations
• ACI 4.0: Virtual ACI: a virtual pod extends an availability zone (fabric) to remote locations on standard VMs
• ACI 4.1 (NEW!): Cloud ACI: ACI extensions to AWS and Azure public cloud
ACI Multi-Pod: Single APIC Cluster Extends Network Virtualization, Policy, Services to Multiple Pods
[Diagram: Site A and Site B pods connected over an inter-pod IP network]
• Active-active data centers
• Virtual metro clusters
• Stretch VRF, EPG, BD across pods with VXLAN
• Up to 50 ms latency
ACI Multi-Site: Consistent Policy Across Sites
[Diagram: Sites A to D, each hosting VMs, connected over an IP network]
• Single point of orchestration
• Fault isolation
• Scale
• Geographically dispersed active/active data centers
• Active/standby data centers for disaster recovery
• Stretch VRF, EPG, BD across sites with VXLAN
• Up to one second latency
ACI: Physical Remote Leaf Extends ACI to Satellite Data Centers
[Diagram: Site A fabric with remote leafs at a remote location, connected over an IP network]
• Zero-touch auto discovery of remote leaf
• Two remote leafs, up to 20 remote locations
• Stretch EPG, BD, VRF, tenant, contract
• Health scores, EPG stats
Cisco ACI Virtual Edge: Decoupled From Hypervisor Kernel API Dependencies
• Maintain existing operational models
• Simple transition/migration AVS => AVE
• Policy consistency across multiple hypervisors
• AVS/AVE feature parity
• Q2 FY18 / Q1 CY18
• Policy enforcement, services, telemetry
[Diagram: ACI Virtual Edge (AVE) with vSpine and vLeaf nodes hosting VMs, connected to the fabric over an IP network]
ACI: Virtual Pod Extends ACI to Bare-Metal Cloud
Use cases:
• Bare metal clouds (IBM BlueMix, AWS Elastic Metal, etc.)
• Remote data centers, colo facilities (Equinix, CoreSite, etc.)
• Brownfield deployments
Virtual pod: runs on a hypervisor at the remote location, with a logical connection to the on-premises spine (BGP-EVPN / VXLAN).
[Diagram: on-premises Sites A to D and a remote-location virtual pod hosting VMs]
ACI Extensions to Multicloud
ACI Multi-Site Appliance:
• Consistent network and policy across clouds
• Common governance
• Single point of orchestration
• Secure automated connectivity
Extending ACI to the cloud
[Diagram: ACI for on-premises and Cloud ACI for public cloud, joined by the ACI Multisite Orchestrator over an IP network. In the AWS region, the Web, App and DB EPGs and their contracts become Web, App and DB security groups (SG) with SG rules; in the Azure region they become Web, App and DB application security groups (ASG) with network security groups (NSG).]
ACI Multisite Orchestrator:
• Monitoring and troubleshooting
• Common governance
• Operational consistency
• Single point of orchestration
• Discovery and visibility
• Policy translation
Cloud APIC (cAPIC)
• Virtual form factor of APIC
• Translates ACI policy to cloud-native policy constructs
• Automates the deployment and configuration of infrastructure components in the cloud
• Northbound REST interface to configure cloud deployments
• Similar look and feel as APIC
• A cAPIC cluster can manage one or more regions
Policy Mapping - AWS (for your info and reference)
ACI construct → AWS construct:
• Tenant → User Account
• VRF → Virtual Private Cloud
• BD Subnet → VPC subnet
• EP to EPG mapping → Tag / Label
• EPG → Security Group
• Contracts, Filters → Security Group Rule (source/destination: subnet, IP, Any or ‘Internet’; protocol; port)
• Consumed contracts → Outbound rule
• Provided contracts → Inbound rule
• End Point (fvCEp) → EC2 Instance / Network Adapter
• Taboo → Network Access List
cAPIC Building Blocks
[Diagram: on-premises Site A with the Multi-Site Orchestrator (MSO); public cloud Site B in AWS Region 1 with an infra VPC (Cloud APIC, CSR-1000V routers, AWS Internet Gateway (IGW)) and User VPC-1 and User VPC-2 across AZ-1 and AZ-2, each reached through an AWS Virtual Private Gateway (VGW) over IPsec tunnels; security group SG-1; AWS config services]
• INFRA tenant
  • cAPIC
  • CSR
• User tenants
  • Workload
  • VPC, subnets provisioned by cAPIC
• Based on the policies (EPGs and contracts), the correct security group (SG) is attached to the instance
Cloud EPG: Mapping Endpoints by Tags
[Diagram: Site A and Site B spanning the US-East-1 and US-West-1 regions, with Web EPG and DB EPG endpoints across Subnet-S1 10.1.1.0/24, Subnet-S2 10.1.2.0/24, Subnet-S3 10.1.3.0/24 and Subnet-S4 10.1.4.0/24]
• Web-EPG associated to tag: “EPG: WEB”
• DB-EPG associated to tag: “EPG:DB”
• Web-EPG has endpoints across the US-East-1 and US-West-1 regions and multiple subnets
• DB-EPG has endpoints across the US-East-1 and US-West-1 regions and multiple subnets
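The tag-based EPG membership above and the AWS policy mapping slide (EPG to security group, provided contracts to inbound rules, consumed contracts to outbound rules), as an added Python model that is not Cisco's or cAPIC's own code; the endpoint records, the tag key "EPG", the /32 rule scope and the TCP 3306 filter are constructed assumptions:

```python
# Added example (not Cisco's or cAPIC's code): map constructed cloud endpoints to
# EPGs by tag, then translate one ACI contract into security-group rules using the
# slide's mapping (EPG -> SG, provided contract -> inbound, consumed -> outbound).
from collections import defaultdict

# Constructed sample endpoints modelled on the Web/DB slide. The tag key "EPG" with
# values "WEB"/"DB" is an assumption; the slide's "EPG: WEB" vs "EPG:DB" spacing is
# treated as incidental and normalised below.
ENDPOINTS = [
    {"id": "i-web1", "region": "us-east-1", "ip": "10.1.1.10", "tags": {"EPG": "WEB"}},
    {"id": "i-web2", "region": "us-west-1", "ip": "10.1.3.10", "tags": {"EPG": " web "}},
    {"id": "i-db1", "region": "us-east-1", "ip": "10.1.2.20", "tags": {"EPG": "DB"}},
    {"id": "i-db2", "region": "us-west-1", "ip": "10.1.4.20", "tags": {"EPG": "DB"}},
    # Same subnet as i-web1 but untagged: in no EPG, so no SG rule covers it.
    {"id": "i-rogue", "region": "us-east-1", "ip": "10.1.1.99", "tags": {}},
]

def map_endpoints_to_epgs(endpoints, tag_key="EPG"):
    """Group endpoints by EPG tag value across regions and subnets.
    Membership comes from the tag, not the subnet; untagged endpoints join no EPG."""
    epgs = defaultdict(list)
    for ep in endpoints:
        value = ep["tags"].get(tag_key)
        if value is not None:
            epgs[value.strip().upper()].append(ep)
    return dict(epgs)

def translate_contract(epgs, consumer, provider, filters):
    """Translate an ACI contract (consumer EPG -> provider EPG) into SG rules:
    provider SG gets an inbound rule per consumer endpoint IP (provided contract),
    consumer SG gets an outbound rule per provider endpoint IP (consumed contract).
    Rules are /32 so an untagged host in a member's subnet is not admitted."""
    rules = []
    for proto, port in filters:
        for ep in epgs.get(consumer, []):
            rules.append({"sg": f"SG-{provider}", "direction": "inbound",
                          "cidr": ep["ip"] + "/32", "proto": proto, "port": port})
        for ep in epgs.get(provider, []):
            rules.append({"sg": f"SG-{consumer}", "direction": "outbound",
                          "cidr": ep["ip"] + "/32", "proto": proto, "port": port})
    return rules

def allows_inbound(rules, sg, src_ip, proto, port):
    """Check whether an SG's inbound rules admit src_ip on proto/port."""
    return any(r["sg"] == sg and r["direction"] == "inbound" and r["cidr"] == src_ip + "/32"
               and r["proto"] == proto and r["port"] == port for r in rules)

if __name__ == "__main__":
    rules = translate_contract(map_endpoints_to_epgs(ENDPOINTS), "WEB", "DB", [("tcp", 3306)])
    print(*rules, "rogue admitted:", allows_inbound(rules, "SG-DB", "10.1.1.99", "tcp", 3306), sep="\n")
```

Running it shows four /32 rules (two inbound on SG-DB, two outbound on SG-WEB) and that the untagged host sharing a subnet with a Web endpoint is not admitted.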
ACI Extensions to AWS: On-Premises Connectivity to AWS VPC Through IPsec VPN
[Diagram: on-premises Site A with the Multi-Site Orchestrator (MSO); public cloud Site B in AWS Region 1 with an infra VPC across AZ-1 and AZ-2 containing CSRs and an IGW, reached over the Internet; Web, App and DB security groups with SG rules]
• BGP EVPN control plane
• VXLAN tunnel (data plane)
• Simple extension to AWS cloud infrastructure
[Diagram: on-premises ACI (Site A) and public cloud (Site B) joined through the Multisite Orchestrator; a customer premise router connects across the Internet to a CSR 1000v in the cloud over an IPsec VPN tunnel (underlay), which carries BGP-EVPN and VXLAN]
Cisco Tetration: A Better Way to Know the Network
Data collection layer:
• Software sensor and enforcement (virtual / bare metal / containers)
• Embedded network sensors (telemetry only)
• ERSPAN sensors (telemetry only)
• NetFlow sensors (augmentation for telemetry)
• Cisco AnyConnect NVM (endpoint visibility)
• Third-party sources (configuration data)
Analytics engine, exposed through the web GUI, REST API, event notification and Cisco Tetration apps:
• Provides correlation of data sources across the entire application infrastructure
• Enables identification of point events and provides insight into overall system behavior
• Monitors the end-to-end lifecycle of application connectivity
Application Discovery with Cisco Tetration
Cisco Tetration™ application workspaces: application discovery across public cloud, private cloud and on-premises.
Cisco Data Center Reference Architecture
[Diagram: personas (infrastructure manager, infrastructure ops, developer, cloud admin, LOB/IT apps, security admin) above a stack of Tetration analytics, the Cisco security portfolio, AppDynamics, Cisco Workload Optimization Manager and UCS Performance Manager (application and business performance monitoring; workload optimization and placement; infrastructure health and performance monitoring); Cisco CloudCenter; Cisco Prime Service Catalog (PSC/CPO) and 3rd-party ITSM; Nexus, UCS, HyperFlex, ACI and Cisco Intersight]
Find out more
• Full Day Business Outcome Workshop
• DC Security
• Network Analytics
• Business Continuity/Disaster Recovery
• MultiCloud