BRKACI-2690-How To Extend Your ACI Fabric To Amazon AWS
• Introduction
• Architecture
• Demo
• Use Cases
• References
• Q&A
BRKACI-2690 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
Cloud Core
Infrastructure & Services
ACI Multi-Site
[Figure: Multi-Site Orchestrator (MSO), a 3 VM cluster, managing Site 1, Site 2 ... Site N over any routed IP network]
• No Multicast
• <= 1s RTT required (MSO to APIC)
• Single central management (MSO)
• Phased changes (zones)
• Up to 12 sites, distributed gateway
• Automated L2 DCI VXLAN extension
ACI Multi-Site
Software and Hardware Requirements
• Supports all ACI leaf switches (1st Gen, EX, FX, FX2)
[Figure: sites connected over any routed network]
ACI Extensions to Multi-Cloud
[Figure: Multi-Site Orchestrator managing VMs across three sites / clouds]
Fundamentals
• Regions – Think of it as multiple data centers with more than one physical location. A Pod or Site could be used for this in ACI.
• Availability Zones (AZ) – Set of buildings, Internet uplinks and power. Think of it as a data center, but it may contain more than one physical location. A Path or node attachment could be used for this in ACI.
• Virtual Private Cloud (VPC) – Set of subnets with one or more CIDR blocks running in a single region across multiple data centers (AZs). Similar to a VRF.
[Figure: AWS Region containing Availability Zone 1 and Availability Zone 2 with a Subnet in each, alongside the ACI equivalents: Pod and VRF]
Fundamentals (Cont.)
• Security Group Rule – Rules applied to inbound traffic (ingress) or outbound traffic (egress), white-list style. Combination of contracts and filters in ACI.
[Figure: AWS Router with a Route table per subnet (Subnet 1, Subnet 2), alongside the ACI equivalents: VRF with an L3out and BD Subnet 1 / BD Subnet 2]
Connectivity Terms
For your info & reference
• Internet Gateway (IGW) – Horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the Internet
• Virtual Private Network (VPN) – Comes in two flavors: VPNs provided through a VGW and instances running VPN software
• Direct Connect (DX) – Private dedicated link to an AWS region (not encrypted). Used for speed and throughput.
• In ACI, IGW / VGW / DX is equivalent to an L3out
Challenges in building a Multi Cloud environment
ACI Extensions to AWS Multi-Site
[Figure: ACI policy model mapped to AWS. On the ACI side, the EPGs Web, App and DB are connected by Contracts over an IP network; on the AWS side, each EPG becomes a Security Group (SG) for the Web, App and DB instances in an AWS Region, and each Contract becomes a set of SG Rules]
Architecture
ACI 4.1
Cloud APIC Resources
• m4.2xlarge EC2 instance type
• 2.3-2.4 GHz Intel Xeon E5-2686/2676 v4/v3 processors
• Balance of compute, memory and networking resources
vCPU: 8
Mem (GiB): 32
Storage: 100 Gig – 300 Gig
Network: 2x vNIC
Network Performance: High
Cloud EPG and Cloud ExtEPG
• Cloud EPG: A collection of network interfaces on the cloud provider which share the same security policy. It can have endpoints in one or more subnets and can span regions. Tied to a VRF.
Cloud Endpoint (EP) Classification
• Set of rules run against the cloud instances; once there is a match, the endpoint (NIC) is assigned to the Cloud EPG
• Four classifiers for endpoint assignment to a Cloud EPG:
a. Predefined
1. IP Address / Subnet
2. Region
3. Zone
b. Custom
1. Tags / labels
Cloud EP Classification
[Figure: custom (tag-based) classifier example. Operators: "Has key" and "Doesn't have key"; example key "Application" with the values web, db]
Cloud EP Classification
Microsegmentation
Cloud Infra
[Figure: Multisite Orchestrator connecting the on-premises ACI DC with the public cloud. In AWS Region-1 an Infra VPC hosts two CSR1kv routers, which terminate IPSec tunnels to the VGWs of the user VPCs holding the VMs]
Infra VPC
• The Infra VPC is used as a transit VPC to connect the on-premises ACI fabric with an AWS region, or to connect one AWS region with another AWS region
• You need an AWS account which acts similar to the Fabric admin
• Proper IP subnets need to be planned ahead of the deployment
[Figure: Multisite Orchestrator between the on-premises ACI DC and the public cloud; Infra VPC spanning AZ-1 and AZ-2 within a Region]
User VPC
• The User VPC is created by Cloud APIC; all application policy is enforced there
• You need an AWS account which acts as the Tenant admin before creating a User VPC
• IP subnets need to be unique within a User VPC
• A User VPC communicates with another User VPC through the Infra VPC
[Figure: Multisite Orchestrator between the on-premises ACI DC and the public cloud; Infra VPC and a User VPC holding the customer app VMs across AZ-1 and AZ-2 within a Region]
Roles of MSO and Cloud APIC
Area                     | Multisite Orchestrator                                              | Cloud APIC
-------------------------|---------------------------------------------------------------------|-----------------------------------------------------------
Packaging                | Deployed on-premises and not in the cloud; virtual appliance (e.g. OVA) | Deployed only in the cloud Infra VPC (e.g. AMI)
Deployment Models        | Hybrid-Cloud and Multi-Cloud                                        | Cloud-First
Inter-Connect            | On-premises ACI to Cloud, and Cloud to Cloud                        | Intra-Region and Inter-Region
Segmentation             | Deploys segmentation policies on-premises/cloud and cloud/cloud     | Deploys segmentation policies intra-region and inter-region
L4-L7 and Cloud Services | L4-L7 services                                                      | Only cloud native services
APIs                     | Consumes ACI APIs                                                   | Maps ACI to cloud native APIs
Scale                    | Many 100s of cloud sites                                            | All regions of a public cloud provider
Authentication & RBAC    | Only ACI AUTH and RBAC                                              | Manages ACI users and cloud local accounts
Operations               | Inter-site health and operations dashboard                          | Cloud health and operations dashboard
Demo
Quick Teaser
Instances within a VPC
• Instances within the same VPC can communicate directly with each other, based on the respective security group policies programmed by Cloud APIC
[Figure: AWS Region with an Infra VPC (two CSR1000V routers) connected by IPSec tunnels to the VGWs of User VPC-1 and User VPC-2]
Packet Walk - EC2 instances in Same EPG, Same Region
• Instance-1 and Instance-2 are part of the same EPG (Epg-1), so both are in the same Security Group (SG-1)
• The Security Group has a rule to allow all traffic within the same Security Group (intra-EPG traffic); the inbound rule in the destination Security Group allows all traffic from the same Security Group
• The route table shows that the destination is local
• Instance-1 sends a packet to Instance-2 in the same EPG (same Security Group)
• Traffic reaches Instance-2
[Figure: AWS Region, Infra VPC with two CSR1000V routers and an IPSec tunnel; Instance-1 and Instance-2 in Epg-1 / SG-1 within one user VPC]
Instances across VPCs
• For instances in two different VPCs communicating with each other, the traffic has to exit the VPC via the VGW of the User VPC and reach the CSR in the Infra VPC
• Once the traffic reaches the CSR1000v in the Infra VPC, packets are routed to the destination based on the configured policies
[Figure: AWS Region with an Infra VPC (two CSR1000V routers) connected by IPSec tunnels to the VGWs of User VPC-1 and User VPC-2]
Packet Walk
• Instance-1 and Instance-2 are part of two EPGs in two VRFs
• The route table shows that the destination is reachable via the VGW
• The VGW sends the packet to the CSR via the IPSec tunnel
[Figure: two CSR1000V routers in the Infra VPC with IPSec tunnels to the VGWs of User VPC-1 and User VPC-2]
Instances in VPCs and on-Premises
• For traffic from instances in a VPC to on-premises, traffic reaches the CSR in the Infra VPC and goes over the VXLAN tunnel to the ACI spines on-premises
• The spine forwards the traffic to the corresponding leaf on which the EP is located
[Figure: Multi-Site Orchestrator spanning on-premises Site A and public cloud Site B (Region 1). The CSR1000v routers in the Infra VPC run a BGP EVPN control plane and a VXLAN tunnel (data plane) to the on-premises spines, and IPSec tunnels to the VGWs of User VPC-1 and User VPC-2 across AZ-1 and AZ-2. Legend: EPG-1 = Security Group (SG), Availability Zone (AZ)]
Packet Walk - Instances in AWS to On-premises
• Instance-1 and Instance-2 are part of two EPGs in two VRFs
• EPGs are translated to Security Groups and attached to network interfaces
• Instance-1 sends a packet to Instance-2
• Based on the contract between EPG-1 and EPG-2, the rules are programmed on the Security Groups
• The CSR sends the packet via the tunnel (IPSec VPN tunnel as underlay) to the on-premises leaf
• Traffic is permitted based on the contract to EPG-1's EP at the destination leaf
[Figure: Multi-Site Orchestrator spanning the AWS Region (Instance-1 in EPG-1 / SG-1 behind the Infra VPC CSR1000V routers) and on-premises Site B, connected by an IPSec VPN tunnel underlay]
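The endpoint classification rules (subnet / region / zone / tag key) and the EPG-to-Security-Group translation described in the packet walks above, as an added illustration that is not part of the original slides or of Cloud APIC: the endpoint records, EPG names, tag keys and SG identifiers are constructed sample data, and the rule field names are assumptions rather than the Cloud APIC object model.

```python
import ipaddress

# Constructed sample endpoints (NICs) as Cloud APIC would see them; not real data.
ENDPOINTS = [
    {"nic": "eni-web1", "ip": "10.1.1.10", "region": "us-east-1", "zone": "us-east-1a", "tags": {"Application": "web"}},
    {"nic": "eni-db1", "ip": "10.1.2.20", "region": "us-east-1", "zone": "us-east-1b", "tags": {"Application": "db"}},
    {"nic": "eni-tmp", "ip": "10.9.0.5", "region": "us-west-2", "zone": "us-west-2a", "tags": {}},
]

def matches(rule, ep):
    """Evaluate one classifier: predefined (subnet, region, zone) or custom tag."""
    kind, value = rule["type"], rule.get("value")
    if kind == "subnet":
        return ipaddress.ip_address(ep["ip"]) in ipaddress.ip_network(value)
    if kind in ("region", "zone"):
        return ep[kind] == value
    if kind == "tag":                      # operators: has_key / no_key (assumed names)
        key, present = rule["key"], rule["key"] in ep["tags"]
        if rule["op"] == "no_key":
            return not present
        return present and (value is None or ep["tags"][key] in value)
    raise ValueError(f"unknown classifier {kind}")

def classify(epgs, endpoints):
    """First matching Cloud EPG wins; a NIC with no match stays unclassified (None)."""
    result = {}
    for ep in endpoints:
        result[ep["nic"]] = next((e["name"] for e in epgs if any(matches(r, ep) for r in e["rules"])), None)
    return result

def intra_epg_rule(sg):
    """Allow-all within one security group, i.e. intra-EPG traffic (same-EPG packet walk)."""
    return {"sg": sg, "direction": "ingress", "proto": "-1", "from": 0, "to": 65535, "src": sg}

def contract_to_sg_rules(consumer_sg, provider_sg, filters):
    """An ACI contract (consumer -> provider with L4 filters) becomes one provider
    ingress rule and one consumer egress rule per filter, each scoped to the peer SG."""
    rules = []
    for proto, port in filters:
        rules.append({"sg": provider_sg, "direction": "ingress", "proto": proto, "from": port, "to": port, "src": consumer_sg})
        rules.append({"sg": consumer_sg, "direction": "egress", "proto": proto, "from": port, "to": port, "dst": provider_sg})
    return rules

EPGS = [  # constructed Cloud EPGs: tag-based custom classifiers plus a subnet fallback
    {"name": "EPG-web", "sg": "SG-1", "rules": [{"type": "tag", "key": "Application", "op": "has_key", "value": ["web"]}]},
    {"name": "EPG-db", "sg": "SG-2", "rules": [{"type": "tag", "key": "Application", "op": "has_key", "value": ["db"]},
                                                {"type": "subnet", "value": "10.1.2.0/24"}]},
]

if __name__ == "__main__":
    print(classify(EPGS, ENDPOINTS))
    print(contract_to_sg_rules("SG-1", "SG-2", [("tcp", 3306)]))
```

A NIC that matches no classifier ends up in no EPG and therefore in no Security Group, which is the case to watch for after tags are changed on an instance.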
[Figure: Internet connectivity use case. A customer-premise router reaches AWS instances over the Internet via the AWS Internet Gateway]
[Figure: Direct Connect use case. Multisite Orchestrator spanning on-premises Site A and public cloud Site B; VXLAN and BGP-EVPN run from the ACI border leaf over a Direct Connect (DX) / BGP underlay through the Amazon DGW/VGW to the CSR1000V in the Infra VPC, which reaches the AWS instances in User VPC-1 and User VPC-2]
• BGP-EVPN and VXLAN over Direct Connect from the ACI fabric to the CSR 1000v
Targeted ACI 4.x
3 DMZ with Firewall
[Figure: Multisite Orchestrator between the on-premises ACI DC (ACI Mini) and the public cloud; Amazon VGW into the Infra VPC, with a DMZ firewall in front of the customer app in the Region]
Segmentation
Supported ACI 4.1
1 Application Stretch
[Figure: Multi-Site Orchestrator stretching an application between sites]
Demo
How to consume it!
Supported ACI 4.1
3 Shared Services for Hybrid-Cloud
• On-Prem local L3out
• On-Prem site endpoints cannot use the Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *
[Figure: Multi-Site Orchestrator spanning on-premises Site A (with its L3out) and the cloud; CSRs in the Infra VPC, IPSec tunnels to the VGWs of User VPC-1 and User VPC-2 across AZ-1 and AZ-2, each VPC with an IGW-based L3out; EPG-1, EPG-2, EPG-3 mapped to SG-1, SG-2, SG-3]
Future
5 Cloud First (Cont.)
• Cloud APIC only, without on-premises ACI or MSO
• Abstract AWS networking constructs from users who are familiar with ACI, delivering an ACI-consistent policy and operational model
• Deploy EPGs and contracts on top of the AWS public cloud
Services
Supported ACI 4.1
1 AWS Application Load Balancer
[Figure: User VPC-1 in an AWS Region with EC2 instances in AZ-1, a VGW to the CSR1000v in the Infra VPC, and an Internet Gateway L3out (0.0.0.0/0)]
2 Packet Flows
1. Packet arrives from the IGW L3out and is sent to the ALB
3 ALB Scenarios:
1. Intra-VPC – ACI 4.1
2. Inter-VPC – Future
3. Inter-VPC and On-Premises – Future
Intra-VPC Application Load Balancer (Supported, ACI 4.1)
• Instance-1 is part of EPG-1; Instance-2 and Instance-3 are part of EPG-2, in the same VRF
• EPGs are translated to Security Groups and attached to network interfaces
• A contract exists between EPG-1 and EPG-2
• The ALB distributes the traffic to the various instances in EPG-2
[Figure: User VPC-1 with EPG-1 (SG-1), a Service-EPG endpoint (the ALB) and SG-2]
Demo
Bring it up!
Cloud APIC Infra steps
• Deploy Cloud APIC using Cloud Formation Template
• Cloud APIC setup wizard (automated)
• AWS regions managed by Cloud APIC
• CSR1000v bring up and connectivity
• IPSec tunnel creation
• Inter-site connectivity to on-premises
• Inter-region
Cloud APIC – Bring Up
• The Cloud APIC AMI will be available from the AWS Marketplace
• The Cloud Formation Template does:
  • Launch the Cloud APIC EC2 instance
  • Create the management and Infra interfaces with IP addresses from the Infra VPC pool
  • Assign an elastic IP to the management interface to enable communication with the Internet
  • Create an Internet Gateway on the Infra VPC and set up the route table to point to the Internet Gateway
  • Program security group rules on the management interface to allow https / ssh access from the configured external networks
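An added check for the last bring-up step, not part of the original slides or of the Cloud Formation Template: given the ingress rules present on the management interface's security group, confirm that only https (443) and ssh (22) are open, and only from the configured external networks. The rule records, the CIDRs and the allowed-network list are constructed sample data.

```python
import ipaddress

MGMT_PORTS = (443, 22)   # https / ssh, the only services the template should expose

def expected_mgmt_rules(external_networks, ports=MGMT_PORTS):
    """Build the ingress rule set the management SG should contain: one rule per
    (configured external network, management port), nothing else."""
    return [{"proto": "tcp", "from": p, "to": p, "cidr": net}
            for net in external_networks for p in ports]

def audit_mgmt_rules(rules, external_networks, ports=MGMT_PORTS):
    """Return (finding, rule) pairs for rules that open more than the template
    should: a source outside the configured networks, or a non-management port."""
    allowed = [ipaddress.ip_network(n) for n in external_networks]
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["cidr"])
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append(("source-not-configured", r))   # e.g. 0.0.0.0/0
        if r["proto"] != "tcp" or r["from"] != r["to"] or r["from"] not in ports:
            findings.append(("unexpected-port", r))
    return findings

# Constructed sample: two configured external networks and a rule set with one
# drifted entry (ssh open to the world); not real addresses.
EXTERNAL_NETWORKS = ["203.0.113.0/24", "198.51.100.0/25"]
FOUND_RULES = expected_mgmt_rules(EXTERNAL_NETWORKS) + [
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding, rule in audit_mgmt_rules(FOUND_RULES, EXTERNAL_NETWORKS):
        print(finding, rule)
```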
Deployment Steps
• Multisite Orchestrator
• Site registration
• Configure Infra – BGP EVPN Session is up
• Create Tenant
• Create Schema
• Add Sites to Schema
• Site local properties
• Deploy the Schema
Operations
Operations
• We have covered multiple aspects of operation lifecycle:
• Visore object browser
• Firmware Management
• Tech Support
• Statistics
• Event Analytics
• Active Sessions
• Backup & Restore
• Remote Locations
Visore – Web-Based MO Query and Browser Tool
https://<IP address>/visore.html
APIC Management Information Model Reference
https://<IP address>/doc/html
Policy based upgrade
• Similar steps as APIC
• Under Firmware Management select the image location
• Schedule a time to upgrade
• Once done, it will show that the upgrade completed
Tech Support
• We will collect the following:
• CSR1kv
• Logs
• Cloud APIC
• Configuration
• Logs
• Core Files
Statistics
• We will show multiple statistics:
  • Inter-site
  • Inter-region
  • Inter-VPC
  • Cloud EPG
  • Cloud Routers
Topology Health
Best Practices
• One account per Tenant
• AWS ALB is within a single VPC
• Shared service provider on-premises and consumer in one or more clouds is supported
• All the child objects must be deleted before parent
• Example: cannot delete a VRF without deleting all VPC context profiles deployed
References
• Cisco ACI
https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/index.html#~stickynav=1
• Cloud ACI
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-741802.pdf
• AWS
https://aws.amazon.com/console/
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-2690
Thank you