
ACI Cloud First

An ACI Fabric without an on-premises DC

Lionel Hercot, Technical Marketing Engineer, IBNG


@LHercot

BRKACI-2683
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKACI-2683 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

• Introduction
• AWS Cloud 101
• Azure Cloud 101
• Cloud ACI Architecture
• Use Cases
• Demo
• Conclusion
ACI Anywhere

(Diagram: the ACI Anywhere portfolio across Edge / Remote, Core Data Centers and Multicloud, with the release that introduced each piece: Multi-Pod (ACI 2.0), Multisite over IP WAN (ACI 3.0), Remote Leaf over IP WAN (ACI 3.1), Virtual ACI (ACI 4.0), Cloud ACI (ACI 4.1 | ACI 4.2).)
Challenges in building a Multi Cloud environment

• Building an automated and secure interconnect between on-premises and cloud data centers, with ease of provisioning and monitoring at scale
• Maintaining consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• A single pane of glass to manage policies across on-premises and cloud locations
Cloud ACI

(Diagram: the Multi-Site Orchestrator (MSO) on top of three sites, Cloud Region(s), On-Premises and Cloud Region(s), each hosting VMs.)

Cloud First

(Diagram: the same MSO, now orchestrating cloud sites only, with no on-premises site.)
Cloud ACI

(Diagram: one ACI application profile, Web EPG - Contract - APP EPG - Contract - DB EPG, pushed by the Multi-Site Orchestrator (MSO) to two clouds. In the Azure Region it becomes ASG Web, ASG APP and ASG DB with NSG rules between them; in the AWS Region it becomes SG Web, SG APP and SG DB with SG rules between them.)

• Consistent policy enforcement on-premises and in public cloud
• Automated inter-connect provisioning
• Simplified operations with end-to-end visibility
Why does this matter?
AWS Cloud 101
AWS Fundamentals

• Region
  Multiple data centers in more than one physical location. Pod or site equivalent in ACI.

• Availability Zone (AZ)
  Set of buildings, Internet uplinks and power. A data center, but it may contain more than one physical location. Path or node-attachment equivalent in ACI.

• Virtual Private Cloud (VPC)
  Set of subnets with one or more CIDR blocks, running in a single region across multiple data centers (AZs). Similar to a VRF.

• Subnet
  Range of IP addresses. Each subnet must reside within one AZ and can't span zones. Minimum subnet size is /28. Similar to a BD subnet.

(Diagram: a Region containing a VPC with Subnets in Availability Zone 1 and Availability Zone 2, next to the ACI equivalents: Region ~ Pod, VPC ~ VRF, Subnet ~ BD Subnet, AZ ~ Path / Node Attachment.)
AWS Fundamentals (Cont.)

• Security Group
  Acts as a firewall for the associated EC2 instances (VMs), controlling both inbound and outbound traffic at the network-interface (endpoint) level. Security groups are stateful: return traffic of an allowed flow is permitted automatically. Equivalent to an EPG with white-list policy.

• Security Group Rule
  Rules applied to inbound traffic (ingress) or outbound traffic (egress). Combination of contracts and filters in ACI.

• Network ACL
  Used to deny / permit select traffic at the subnet level. Network ACLs are stateless, so return traffic (including ephemeral ports) must be allowed explicitly. In ACI, similar to taboo and grey-list contracts.

• Route Table
  Can be associated with multiple subnets. Acts like a source-based policy-based routing (PBR) rule.

(Diagram: a VPC with a Router, a Route table and a Network ACL per subnet, and Security Groups around the instances in Subnet 1 and Subnet 2, next to the ACI equivalents: VRF, L3out, Routes, SVI, Taboo, EPG, BD Subnet 1 and BD Subnet 2.)
Connectivity Terms
AWS Only – External Connectivity

• Internet Gateway (IGW)
  Horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the Internet.

• NAT Gateway
  Acts like an ECMP route to a set of NAT devices.

• Virtual Private Gateway (VGW)
  The VPN concentrator. It terminates VPN and AWS Direct Connect, and also provides the BGP control plane for route exchange.

• Virtual Private Network (VPN)
  Comes in two flavors: VPNs provided through the VGW, and instances running VPN software.

• Direct Connect (DX)
  Private dedicated link to an AWS region. Used for speed and throughput. The link itself is not encrypted; run a VPN over it if the traffic needs confidentiality.

• In ACI, IGW / VGW / DX are equivalent to an L3out.
Azure Cloud 101
Azure Fundamentals

• Subscription: Customer's agreement with Microsoft to obtain Azure services, roughly equivalent to an Azure account. One user can have multiple subscriptions. Create one or more resource groups in the subscription.

• Directory: Azure Active Directory, used for access-control management. For example lhercot@cisco.com belongs to the directory cisco.com and the directory Cisco-INSBU-ACI, so lhercot@cisco.com can access resources in both directories.

• Access control (IAM): Used for defining and assigning Roles. Azure has multiple built-in Roles with different permission levels. Cisco cAPIC must have at least the Contributor Role for read/write access to the account (subscription). Contributor can create and manage every resource in the subscription but cannot assign roles, so the cAPIC identity cannot grant itself further permissions.
Azure Fundamentals (Cont. 1)

• Region
  Multiple data centers in more than one physical location within a large geographic area.

• Resource Group
  A container in Resource Manager that holds related resources for an application or a subset of one.

• Virtual Network (VNET)
  Network construct with a set of subnets carved from an Address Space, running in a single region across multiple data centers. Similar to a VRF.

• Subnet
  Range of IP addresses. Each subnet can span a complete region (Azure subnets are not tied to an availability zone). Minimum subnet size is /29; Azure reserves five addresses in every subnet. Similar to a BD subnet.

(Diagram: a Region containing a Resource Group with a VNET holding Subnet 1 and Subnet 2, next to the ACI equivalents: Region ~ Pod, VNET ~ VRF, Subnet ~ BD Subnet, Path / Node Attachment.)
Azure Fundamentals (Cont. 3)

• Application Security Group (ASG)
  Groups virtual machines together, so that Network Security Group rules can be applied at scale between Application Security Groups. Equivalent to an EPG.

• Network Security Group (NSG)
  Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. NSG rules can be applied between ASGs. Combination of contracts and filters in ACI.

• Route Table
  Can be associated with multiple subnets. Allows modifying the routing behavior in a set of subnets.

(Diagram: a VNET with a VNET Gateway, a Router, a Route table and an NSG, and ASGs inside Subnet 1, next to the ACI equivalents: VRF, L3out, Routes, SVI, EPGs, BD Subnet 1 and BD Subnet 2.)
Connectivity Terms
Azure Only – External Connectivity

• Outbound connections
  Azure automatically does PAT for traffic generated by VMs with internal IP addresses. VMs can be assigned Instance-Level Public IP addresses to achieve NAT.

• VPN Gateway (VNG)
  Virtual network gateway used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. Each virtual network can have only one VPN gateway. Supports BGP to exchange routes with the peer router.

• ExpressRoute
  Private dedicated link to an Azure region (not encrypted). Used for speed and throughput. Supports BGP to exchange routes with the peer router.

• In ACI, Outbound connections / VNG / ExpressRoute are equivalent to an L3out.
Architecture
Cloud APIC Architecture

• Virtual form factor of APIC
• Automates / manages cloud routers
• Translates ACI policy to cloud-native constructs
• Deploys cloud resources and infrastructure components
• Intuitive GUI with a similar ACI UI look and feel
• REST API north-bound interface
• cAPIC manages 1 or more regions

(Diagram: the cAPIC component stack, top to bottom: Web Server (NGINX); Policy Distributor (PD); Policy Manager (PM); Cloud Policy Elements; Connectors; south-bound, the cloud API (AWS, Azure...) and NetConf to the CSR1000v routers.)
Policy Mapping - Azure

Azure construct                        ACI construct
Resource Group                         Tenant
Virtual Network                        VRF
Subnet                                 BD Subnet
Application Security Group (ASG)       EPG
Network Security Group (NSG)           Filters
  Outbound rule                        Consumed contracts
  Inbound rule                         Provided contracts
  (rule fields: Source/Destination = ASG, Subnet, IP, Any or 'Internet'; Protocol; Port)
Virtual Machine Network Adapter        End Point (fvCEp)
Policy Mapping - AWS

AWS construct                          ACI construct
User Account                           Tenant
Virtual Private Cloud                  VRF
VPC subnet                             BD Subnet
Tag / Label                            EP to EPG mapping
Security Group                         EPG
Security Group Rule                    Contracts, Filters
  Outbound rule                        Consumed contracts
  Inbound rule                         Provided contracts
  (rule fields: Source/Destination = Subnet, IP, Any or 'Internet'; Protocol; Port)
EC2 Instance Network Adapter           End Point (fvCEp)
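The two mapping tables above (Azure and AWS) describe the translation the Cloud APIC performs: a provided contract becomes an inbound rule on the provider's security group, a consumed contract an outbound rule on the consumer's group, and the peer is named either by group reference or by prefix. The following is an added example, written for this page and not Cisco Cloud APIC code, that carries that translation out for the Demo #1 topology (Web in Azure, DB in AWS). The group ids, the /24 prefixes behind the demo endpoints, the MySQL and HTTPS ports, the choice of the Internet as the consumer side of Web-to-Internet, and the dictionary field names are all assumptions. One point the tables do not spell out is handled explicitly: a security-group or ASG reference only resolves inside one cloud, so a contract whose two EPGs sit in different clouds must fall back to IP prefixes, which arrive unchanged through the IPsec/VXLAN interconnect.

```python
# Added example (not Cisco Cloud APIC code): translate ACI-style contracts into
# AWS Security Group rules and Azure NSG rules, following the two policy-mapping
# tables above. Group ids, ports, CIDRs and dict field names are assumptions.
from dataclasses import dataclass

AWS, AZURE, EXTERNAL = "aws", "azure", "external"


@dataclass(frozen=True)
class Filter:
    """One ACI filter entry: protocol plus a destination port range."""
    protocol: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Epg:
    name: str
    cloud: str       # AWS, AZURE, or EXTERNAL for an "Internet" external EPG
    group_id: str    # AWS security-group id / Azure ASG id ("" for external)
    cidrs: tuple     # the EPG's subnets, used when a group reference is impossible


@dataclass(frozen=True)
class Contract:
    name: str
    provider: Epg    # provided contract -> inbound rule on the provider
    consumer: Epg    # consumed contract -> outbound rule on the consumer
    filters: tuple


INTERNET = Epg("Internet", EXTERNAL, "", ("0.0.0.0/0",))


def peer_ref(local: Epg, peer: Epg) -> dict:
    """How a rule installed on `local` names the other side of the contract.

    A group/ASG reference only resolves inside one cloud. A peer in the other
    cloud is matched by its IP prefixes; an external EPG becomes the Azure
    'Internet' service tag or the 0.0.0.0/0 prefix on AWS.
    """
    if peer.cloud == EXTERNAL:
        return {"service_tag": "Internet"} if local.cloud == AZURE else {"cidrs": list(peer.cidrs)}
    if peer.cloud == local.cloud:
        return {"group": peer.group_id} if local.cloud == AWS else {"asg": peer.group_id}
    return {"cidrs": list(peer.cidrs)}


def aws_rules(contract: Contract) -> list:
    """Security-group rules for every AWS side of the contract. SGs are
    stateful, so one rule per direction suffices (no return-traffic rule)."""
    rules = []
    for f in contract.filters:
        base = {"protocol": f.protocol, "from_port": f.port_from, "to_port": f.port_to}
        if contract.provider.cloud == AWS:
            rules.append({"group": contract.provider.group_id, "direction": "ingress", **base,
                          "source": peer_ref(contract.provider, contract.consumer)})
        if contract.consumer.cloud == AWS:
            rules.append({"group": contract.consumer.group_id, "direction": "egress", **base,
                          "destination": peer_ref(contract.consumer, contract.provider)})
    return rules


def azure_rules(contract: Contract, first_priority: int = 100) -> list:
    """NSG rules for every Azure side of the contract. NSG rules need a unique
    priority (100-4096, lower wins); they are allocated sequentially here."""
    rules, prio = [], first_priority
    for f in contract.filters:
        port = str(f.port_from) if f.port_from == f.port_to else f"{f.port_from}-{f.port_to}"
        base = {"access": "Allow", "protocol": f.protocol.capitalize(), "dest_port": port}
        if contract.provider.cloud == AZURE:
            rules.append({"name": f"{contract.name}-in", "priority": prio, "direction": "Inbound",
                          **base, "source": peer_ref(contract.provider, contract.consumer),
                          "destination": {"asg": contract.provider.group_id}})
            prio += 1
        if contract.consumer.cloud == AZURE:
            rules.append({"name": f"{contract.name}-out", "priority": prio, "direction": "Outbound",
                          **base, "source": {"asg": contract.consumer.group_id},
                          "destination": peer_ref(contract.consumer, contract.provider)})
            prio += 1
    return rules


# Demo #1 topology from the slides: Web in Azure (10.101.200.5), DB in AWS
# (10.101.100.148). The /24 prefixes and the ports are assumed, not from the deck.
WEB = Epg("Web", AZURE, "asg-web", ("10.101.200.0/24",))
DB = Epg("DB", AWS, "sg-db", ("10.101.100.0/24",))
WEB_TO_DB = Contract("Web-to-DB", provider=DB, consumer=WEB, filters=(Filter("tcp", 3306, 3306),))
WEB_TO_INTERNET = Contract("Web-to-Internet", provider=WEB, consumer=INTERNET,
                           filters=(Filter("tcp", 443, 443),))

if __name__ == "__main__":
    for c in (WEB_TO_DB, WEB_TO_INTERNET):
        print(c.name, "AWS:", aws_rules(c), "Azure:", azure_rules(c))
```

Running it shows the asymmetry a practitioner should expect: Web-to-DB produces one ingress rule on sg-db whose source is the Azure prefix (not a group) and one outbound NSG rule on asg-web whose destination is the AWS prefix, while Web-to-Internet produces nothing on AWS and a single inbound NSG rule sourced from the Internet service tag. A same-cloud contract (App and DB both in AWS) yields group-to-group references instead of prefixes.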
Topology Health

• Network connectivity and health (screenshot)

Endpoints in an EPG

(Screenshot of the endpoint list of a cloud EPG.)

Statistics

• We will show multiple statistics:
  • Inter-site
  • Inter-region
  • Inter-VPC
  • Cloud EPG
  • Cloud Routers
End Point Learning in Cloud

(Diagram: in each cloud the Cloud APIC learns endpoints from the provider's notification service, the AWS Config service on AWS and Azure Alerts on Azure. Each site has an Infra VPC / Infra VNET with CSRs in AZ-1 and AZ-2, a VGW / VNG, and a User VPC-1 / User VNET-1 in Region 1 where the endpoints sit in SG-1 / ASG-1. SG = Security Group, AZ = Availability Zone.)
Cloud EPG
Mapping Endpoints by Tags

(Diagram: Site B with regions US-East-1 and US-West-1. Subnet-S1 10.1.1.0/24 and Subnet-S2 10.1.2.0/24 in US-East-1; Subnet-S3 10.1.3.0/24 and Subnet-S4 10.1.4.0/24 in US-West-1. Endpoints are assigned to the WEB EPG and the DB EPG by tags.)
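Cloud EPG membership is computed, not configured per VM: the AWS mapping table lists "Tag / Label" as the EP-to-EPG mapping, and the slide above shows endpoints grouped by tag across subnets. The following is an added example (not Cloud APIC code) that implements that classification with the two selector kinds the deck mentions, tag match and subnet match, and also illustrates the End Point Learning slide, since the endpoint inventory it consumes is what the cloud's notification service would deliver. The selector syntax, instance ids, tags and addresses are constructed sample data. The one check worth having is that an endpoint matched by two EPGs is left unassigned and reported rather than silently placed in one of them; and since tag-based membership is only as trustworthy as the people who can write tags, the IAM permission to tag instances deserves the same care as the policy itself.

```python
# Added example (not Cisco Cloud APIC code): assign cloud endpoints to cloud EPGs
# by tag selectors and subnet selectors, and flag endpoints that would land in
# more than one EPG. Instance ids, tags and addresses are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ident: str
    ip: str
    region: str
    tags: tuple        # ((key, value), ...) as reported by the cloud inventory


@dataclass(frozen=True)
class CloudEpg:
    name: str
    # Each selector is an AND of conditions; an endpoint joins the EPG if ANY
    # selector matches. Condition forms: ("tag", key, value), ("ip", cidr), ("region", name)
    selectors: tuple


def condition_matches(cond: tuple, ep: Endpoint) -> bool:
    kind = cond[0]
    if kind == "tag":
        return (cond[1], cond[2]) in ep.tags
    if kind == "ip":
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(cond[1], strict=False)
    if kind == "region":
        return ep.region == cond[1]
    raise ValueError(f"unknown selector condition {cond!r}")


def epg_matches(epg: CloudEpg, ep: Endpoint) -> bool:
    return any(all(condition_matches(c, ep) for c in sel) for sel in epg.selectors)


def classify(endpoints, epgs):
    """Return ({endpoint id: EPG name or None}, {endpoint id: [conflicting EPGs]}).

    An endpoint matched by two EPGs stays unassigned and is reported: picking
    one silently would hand it the contracts of whichever EPG happened to win.
    """
    membership, conflicts = {}, {}
    for ep in endpoints:
        hits = [e.name for e in epgs if epg_matches(e, ep)]
        if len(hits) == 1:
            membership[ep.ident] = hits[0]
        else:
            membership[ep.ident] = None
            if len(hits) > 1:
                conflicts[ep.ident] = hits
    return membership, conflicts


# Layout from the "Mapping Endpoints by Tags" slide: S1/S2 in US-East-1, S3/S4
# in US-West-1. WEB is selected by tag, DB by subnet (tag names are made up).
EPGS = (
    CloudEpg("WEB", selectors=((("tag", "Tier", "web"),),)),
    CloudEpg("DB", selectors=((("ip", "10.1.3.0/24"),), (("ip", "10.1.4.0/24"),))),
)
ENDPOINTS = (
    Endpoint("i-web-1", "10.1.1.10", "us-east-1", (("Tier", "web"),)),
    Endpoint("i-web-2", "10.1.2.20", "us-east-1", (("Tier", "web"),)),
    Endpoint("i-db-1", "10.1.3.30", "us-west-1", (("Tier", "db"),)),
    Endpoint("i-db-2", "10.1.4.40", "us-west-1", ()),                 # untagged, matched by subnet
    Endpoint("i-odd", "10.1.3.99", "us-west-1", (("Tier", "web"),)),  # tag says WEB, subnet says DB
    Endpoint("i-none", "10.1.9.1", "us-west-1", ()),                  # matches nothing
)

if __name__ == "__main__":
    members, clashes = classify(ENDPOINTS, EPGS)
    for ident, epg in members.items():
        print(ident, "->", epg or f"unassigned {clashes.get(ident, '')}")
```

The sample includes an instance tagged as web that was launched in a DB subnet; it is reported as a conflict between WEB and DB instead of being assigned, which is the behaviour you want before any contract is rendered for it.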
Cloud ACI Architecture

(Diagram: single-site layout in each cloud. Azure, Region 1: an Infra VNET with two CSR1kv routers and IPsec tunnels to the VNG of each user VNET. AWS, Region 1: an Infra VPC with two CSR1kv routers and IPsec tunnels to the VGW of User VPC 1 and User VPC 2.)
Architecture across regions

(Diagram: Region 1, Region 2 and Region 3 in one cloud. Infra VNETs with CSR1kv pairs in Region 1 and Region 2 are linked by an IPsec tunnel; each user VNET (User VNET 1, 2, 3) reaches the CSRs through its VNG over an IPsec tunnel. User VNET 3 in Region 3 has no local Infra VNET and tunnels to the CSRs of another region.)
Let's Multi-Cloud
ACI Multi-Cloud First

(Diagram: the Multi-Site Orchestrator (MSO) managing two cloud sites, Cloud Region(s) and Cloud Region(s), each hosting VMs, with no on-premises site.)

MSO Form Factor

• Hardware appliance (based on SE)
• VMware OVA
• Cloud MSO for AWS
Multi-Cloud Architecture

(Diagram: Azure Region 1 Infra VNET with two CSR1kv routers and AWS Region 1 Infra VPC with two CSR1kv routers, interconnected over the Internet. Between the CSR1kv routers of the two clouds run an IPsec VPN tunnel (underlay), a BGP-EVPN session (control plane) and a VXLAN tunnel (data plane). Inside each cloud, IPsec tunnels connect the CSRs to the VNG / VGW of the user VNETs / VPCs.)
Use Cases
Application Stretch

• Stretch tenant/VRF across cloud sites
• During peak times, easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across cloud sites
• Application stack failover between sites (active / disaster recovery)

(Diagram: Multi-Site Orchestrator above two Cloud APICs. One Tenant / VRF spans both sites: BD1/Subnet1 with Web-EPG1 at the first site and CIDR 2 with Web-EPG2 at the second; BD3/Subnet3 with App-EPG1 and CIDR 4 with App-EPG2; HTTPS contracts between the Web and App tiers.)
Stretched EPG with Consistent Segmentation

• Web tier and App tier are stretched and securely segmented across public cloud sites
• Consistent segmentation policy and enforcement for endpoints of the Web / App tier, independent of location

(Diagram: Multi-Site Orchestrator above two Cloud APICs. One Tenant / VRF: EPG-Web spans BD/Subnet1 and CIDR 2, EPG-App spans BD3/Subnet3 and CIDR 4; a contract allowing HTTPS and redis between them.)
Shared Services for Multi-Cloud

• Provides the capability to deploy a shared service across clouds
• A shared service deployed in one site can be consumed by endpoints across other sites
• The contract leaks the subnets between VRFs for reachability (route leaking)

(Diagram: Multi-Site Orchestrator above two Cloud APICs. Tenant 1 / VRF1 holds the DNS-EPG in BD/Subnet1. Tenant 2 / VRF2 holds Web-EPG (CIDR 2) and App-EPG (CIDR 3); Tenant 3 / VRF3 holds Web-EPG (CIDR 4) and App-EPG (CIDR 5), with HTTPS and HTTPS, redis contracts between the tiers. Contracts from VRF2 and VRF3 to the DNS-EPG leak routes between the VRFs.)
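The last bullet above is the part that is easy to get wrong operationally: an inter-VRF contract does not only install security rules, it also leaks the provider's subnet into the consumer VRF and the consumer's subnet back into the provider VRF, and that only works if the leaked prefixes do not collide with what the target VRF already routes. The following is an added example (not Cisco code) that computes the leaked routes for the slide's topology and refuses a leak whose prefix overlaps the target VRF. The VRF names follow the slide; the CIDR values and the contract tuple shape are assumptions.

```python
# Added example (not Cisco code): compute the routes a shared-service contract
# leaks between VRFs, refusing leaks whose prefix overlaps the target VRF.
# VRF names follow the slide; the CIDR values are assumed.
import ipaddress


class OverlapError(ValueError):
    """A leaked prefix collides with a prefix the target VRF already routes."""


def leak_routes(vrf_cidrs: dict, contracts) -> dict:
    """vrf_cidrs: {vrf: [cidr, ...]} owned by each VRF.
    contracts: iterable of (provider_vrf, provider_subnet, consumer_vrf, consumer_subnet).
    Returns {vrf: {leaked prefix: origin vrf}}. Both directions are leaked: the
    consumer must reach the provider, and the provider's replies must route back.
    """
    leaked = {vrf: {} for vrf in vrf_cidrs}
    for prov_vrf, prov_subnet, cons_vrf, cons_subnet in contracts:
        if prov_vrf == cons_vrf:
            continue                              # intra-VRF contract: nothing to leak
        for target, prefix, origin in ((cons_vrf, prov_subnet, prov_vrf),
                                       (prov_vrf, cons_subnet, cons_vrf)):
            _install(leaked, vrf_cidrs, target, prefix, origin)
    return leaked


def _install(leaked, vrf_cidrs, target, prefix, origin):
    net = ipaddress.ip_network(prefix)
    if leaked[target].get(prefix) == origin:
        return                                    # same leak from a second contract: idempotent
    # Check against the VRF's own CIDRs and against everything leaked so far.
    for existing in list(vrf_cidrs[target]) + list(leaked[target]):
        if net.overlaps(ipaddress.ip_network(existing)):
            raise OverlapError(f"{prefix} from {origin} overlaps {existing} in {target}")
    leaked[target][prefix] = origin


# Slide topology: DNS-EPG in VRF1 (BD/Subnet1), consumed by the Web-EPGs in
# VRF2 (CIDR 2 / CIDR 3) and VRF3 (CIDR 4 / CIDR 5). Values are assumed.
VRFS = {"VRF1": ["10.0.1.0/24"],
        "VRF2": ["10.0.2.0/24", "10.0.3.0/24"],
        "VRF3": ["10.0.4.0/24", "10.0.5.0/24"]}
CONTRACTS = [("VRF1", "10.0.1.0/24", "VRF2", "10.0.2.0/24"),   # VRF2 Web-EPG -> DNS-EPG
             ("VRF1", "10.0.1.0/24", "VRF3", "10.0.4.0/24")]   # VRF3 Web-EPG -> DNS-EPG

if __name__ == "__main__":
    for vrf, routes in leak_routes(VRFS, CONTRACTS).items():
        print(vrf, routes)
```

With the slide's topology the DNS subnet ends up in VRF2 and VRF3, and VRF1 receives one Web subnet from each of them. Adding a fourth VRF that reuses VRF2's CIDR and also consumes DNS raises OverlapError, which is the situation a shared-service design must rule out up front: overlapping address space between tenants is fine until a shared service forces their routes into the same table.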
Cloud L3outs

(Diagram: Site A (Azure) and Site B (AWS), each with an Infra VNET / Infra VPC in Region 1 holding CSRs in AZ-1 and AZ-2, and IPsec tunnels to the VNG / VGW of User VNET-1 and User VNET-2 / User VPC-1 and User VPC-2. The user networks hold EPG-1, EPG-2 and EPG-3 (SG-1, SG-2, SG-3 in the cloud) with Instance 01 to Instance 04. Outbound Internet access from an EPG is modelled as a cloud L3out; on AWS it is realised through the IGW.)
Deploying Cloud APIC
Cloud APIC in Cloud Marketplaces

http://cs.co/capic-azure http://cs.co/capic-aws

Demo
Demo #1 - Setup: Web in Azure / DB in AWS

(Diagram: a Multi-Site deployment with Site A in an Azure Region and Site B in an AWS Region. Site A: Infra VNET with a CSR1000V, VNG and Internet gateway, and the WoS-VRF network holding EPG Web with endpoint 10.101.200.5. Site B: Infra VPC with a CSR1000V, VGW and Internet gateway, and the WoS-VRF VPC holding EPG DB with endpoint 10.101.100.148. The two sites are joined by an IPsec VPN between the CSR1000V routers.)

Demo #1 - Logical View

Internet --C-- Web --C-- DB
(C = contract: Web-to-Internet between Internet and Web, Web-to-DB between Web and DB. Web sits in the Azure Region, DB in the AWS Region.)
ACI Cloud First
Recap

You do not need an on-premises ACI fabric to start with Cloud ACI.

(Diagram: the Multi-Site Orchestrator (MSO) orchestrating cloud sites only.)

• Consistent policy enforcement on-premises and in public cloud
• Automated inter-connect provisioning
• Simplified operations with end-to-end visibility
Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education

• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you