
BRKACI-2690

How to extend your ACI Fabric to Amazon AWS

Azeem Suleman, Principal Engineer
Lilian Quan, Principal Engineer

Agenda

• Introduction
• Architecture
• Demo
• Use Cases
• References
• Q&A

BRKACI-2690 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
Cloud Core Infrastructure & Services

Traditional Data Center                 AWS

Security
  Firewall                              Security Groups
  Access Control Lists (ACLs)           Network ACLs (NACL)
  Administrators                        Identity and Access Management (IAM)

Networking
  Router / Host Routers (CSR1kv)        Virtual Private Cloud (VPC)
  Switch                                Gateways (VGW, IGW, TGW)
  Load Balancer                         Elastic Load Balancing (ELB)

Compute
  On-Premise Servers                    Amazon Machine Image (AMI)
  Servers / Virtual Machines (VM)       Amazon EC2 Instances
  Containers                            Elastic Container Service (EKS)

Storage & Databases
  SAN                                   Elastic Block Store (EBS)
  NAS, NFS                              Elastic File System (EFS), S3
  RDBMS                                 Amazon RDS

ACI Multi-Site

[Diagram: Multi-Site Orchestrator (MSO), a 3 VM cluster, connected over any routed IP network to Site 1, Site 2 ... Site N, each hosting VMs]

• No Multicast
• <= 1s RTT required (MSO to APIC)
• Single central management (MSO)
• Phased Changes (Zones)
• Up to 12 Sites, distributed gateway
• Automated L2 DCI VXLAN extension

ACI Multi-Site
Software and Hardware Requirements

• Supports all ACI leaf switches (1st Gen, EX, FX, FX2)
• Modular Spine with EX/FX line card to connect to the inter-site network
• 9364c or 9332x fixed spine supported for Multi-Site from ACI 3.1 release (shipping)
• 1st generation spines (including 9336PQ) not supported
• Can still leverage those for intra-site leaf to leaf communication

[Diagram: sites with 1st Gen and -EX spines attached to any routed network; only a subset of spines needs to connect to the inter-site IP network]

ACI Extensions to Multi-Cloud

[Diagram: Multi-Site Orchestrator managing Cloud Region(s), On-Premises, and Cloud Region(s), each with VMs]

Fundamentals

• Regions – Think of it as multiple data centers with more than one physical location. Pod or site could be used for ACI
• Availability Zones (AZ) – Set of buildings, Internet uplinks and power. Think of it as a data center, but it may contain more than one physical location. Path or node attachment could be used in ACI
• Virtual Private Cloud (VPC) – Set of subnets with one or more CIDR blocks running in a single region across multiple data centers (AZ). Similar to VRF
• Subnet – Range of IP addresses. Each subnet must reside within one AZ and can't span zones. Minimum subnet size is /28. Similar to BD Subnet

[Diagram: AWS Region containing Availability Zone 1 and Availability Zone 2 with Subnets, mapped to ACI: Region -> Pod, VPC -> VRF, AZ -> Path / Node Attachment, Subnet -> BD Subnet]

Fundamentals (Cont.)

• Security Group – Acts as a firewall for the associated EC2 instance (VM), controlling both inbound and outbound traffic at the network interface (EP) level. Equivalent to EPG with white-list
• Security Group Rule – Rules applied to inbound traffic (ingress) or outbound traffic (egress). Combination of contracts and filters in ACI
• Network ACL – Used to deny / permit select traffic at a subnet level. Network ACLs are stateless. In ACI, it is similar to taboo and grey-list contracts
• Route Table – Can be associated with multiple subnets. Acts like a source-based policy-based routing (PBR) rule.

[Diagram: AWS Router with Route tables, Network ACLs and Security Groups on Subnet 1 and Subnet 2, mapped to ACI: VRF with L3out, PSVI and Routes, Taboo contracts, and EPGs on BD Subnet 1 and BD Subnet 2]

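The stateful / stateless difference between a Security Group and a Network ACL is the one operators most often trip over when they map ACI contracts onto AWS. The following is an added Python example (not from the deck and not Cisco or AWS code) that evaluates a constructed request/reply pair through both filters. The rule format, the sample policy and the addresses are constructed for illustration; they are not the EC2 API structures.

```python
"""Security Group (stateful allow-list) versus Network ACL (stateless) evaluation.

Added example, not from the Cisco Live deck. Rule formats and sample flows
are constructed for illustration, not AWS API structures.
"""
from ipaddress import ip_address, ip_network

# --- constructed sample policy ------------------------------------------------
# A security group is an allow-list: a flow is permitted only if a rule matches.
# Rules are (protocol, port, source CIDR). Return traffic is tracked, so only
# the initiating direction needs a rule.
WEB_SG_INBOUND = [
    ("tcp", 443, "0.0.0.0/0"),   # https from anywhere
    ("tcp", 22, "10.0.0.0/8"),   # ssh only from the corporate range
]

# A network ACL is an ordered list of numbered rules, lowest number first;
# the first match wins and no match means deny. A deny entry placed before an
# allow entry behaves like the taboo contract the slide compares it to.
# Entries: (rule_number, action, protocol, port_from, port_to, cidr)
SUBNET_NACL_INBOUND = [
    (90, "deny", "tcp", 22, 22, "10.200.0.0/16"),    # constructed "taboo" range
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    (110, "allow", "tcp", 22, 22, "10.0.0.0/8"),
]
SUBNET_NACL_OUTBOUND = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    # no entry for ephemeral ports: replies to inbound sessions are dropped
]
# The corrected outbound list adds the ephemeral port range the replies use.
SUBNET_NACL_OUTBOUND_FIXED = SUBNET_NACL_OUTBOUND + [
    (120, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]


def sg_allows(rules, proto, port, src):
    """Stateful allow-list: any matching rule permits the initiating packet."""
    return any(p == proto and dport == port and ip_address(src) in ip_network(cidr)
               for p, dport, cidr in rules)


def nacl_allows(rules, proto, port, peer):
    """Stateless first-match: walk rules by number; no match means deny."""
    for _num, action, p, lo, hi, cidr in sorted(rules):
        if p == proto and lo <= port <= hi and ip_address(peer) in ip_network(cidr):
            return action == "allow"
    return False


def evaluate_session(client_ip, client_port, server_port, proto="tcp",
                     nacl_outbound=SUBNET_NACL_OUTBOUND):
    """Evaluate one client->server request and its reply through both filters.

    Returns which direction each layer would let through, so the caller can
    see that the SG passes the reply automatically while the NACL needs an
    explicit outbound rule for the client's ephemeral port.
    """
    request_sg = sg_allows(WEB_SG_INBOUND, proto, server_port, client_ip)
    reply_sg = request_sg            # connection tracking: reply follows request
    request_nacl = nacl_allows(SUBNET_NACL_INBOUND, proto, server_port, client_ip)
    reply_nacl = nacl_allows(nacl_outbound, proto, client_port, client_ip)
    return {
        "request_permitted": request_sg and request_nacl,
        "reply_permitted": reply_sg and reply_nacl,
    }


if __name__ == "__main__":
    print(evaluate_session("198.51.100.7", 51234, 443))
    print(evaluate_session("198.51.100.7", 51234, 443,
                           nacl_outbound=SUBNET_NACL_OUTBOUND_FIXED))
```

With the default outbound NACL the https request is permitted but the reply is dropped, which is exactly the symptom of forgetting that NACLs have no connection state; the ssh attempt from the constructed 10.200.0.0/16 range passes the security group but is stopped by the earlier NACL deny entry.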
Connectivity Terms
For your info & reference

AWS Only – External Connectivity

• Internet Gateway (IGW) – Horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the Internet
• NAT Gateway – Acts like an ECMP route to a set of NAT devices
• Virtual Private Gateway (VGW) – The VPN concentrator. It terminates VPN and AWS Direct Connect. Also provides the BGP control plane for route exchange
• Virtual Private Network (VPN) – Comes in two flavors: VPNs provided through VGW and instances running VPN software
• Direct Connect (DX) – Private dedicated link to an AWS region (not encrypted). Used for speed and throughput.
• In ACI, IGW / VGW / DX is equivalent to L3out

For your info & reference

Policy Mapping - AWS

AWS                                     ACI
User Account                            Tenant
Virtual Private Cloud                   VRF
VPC subnet                              BD Subnet
Tag / Label                             EP to EPG Mapping
Security Group                          EPG
Network Access List                     Taboo
Security Group Rule                     Contracts, Filters
  Outbound rule                         Consumed contracts
  Inbound rule                          Provided contracts
  Source/Destination: Subnet or IP or Any or 'Internet'
  Protocol
  Port
EC2 Instance
  Network Adapter                       End Point (fvCEp)

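To make the mapping table concrete, here is an added Python example (not the deck's or Cisco's code) that translates a small three-tier policy into security group rules the way the table describes: each cloud EPG becomes a security group, a provided contract becomes an inbound rule whose source is the consumer, a consumed contract becomes an outbound rule whose destination is the provider, and a cloud external EPG (Internet) appears as a CIDR peer. The EPG names, security group ids and filters are constructed; the rule dictionaries use the IpPermissions shape of the EC2 API so the output can be compared against what is actually deployed.

```python
"""Translate ACI-style contracts into AWS security group rules.

Added example, not the deck's or Cisco's code. Follows the Policy Mapping
table: EPG -> security group, provided contract -> inbound rule, consumed
contract -> outbound rule, cloud ExtEPG -> CIDR-based peer. All EPG names,
SG ids and filters are constructed for illustration.
"""

# --- constructed sample policy ------------------------------------------------
# Cloud EPGs carry the id of the security group they are translated to;
# external EPGs are identified by subnets instead (Internet = 0.0.0.0/0).
EPGS = {
    "web": {"sg": "sg-web"},
    "app": {"sg": "sg-app"},
    "db": {"sg": "sg-db"},
    "internet": {"subnets": ["0.0.0.0/0"]},   # cloud ExtEPG
}

# Each contract: the consumer initiates, the provider answers.
# Filters are (protocol, port) entries.
CONTRACTS = [
    {"consumer": "internet", "provider": "web", "filters": [("tcp", 443)]},
    {"consumer": "web", "provider": "app", "filters": [("tcp", 8080)]},
    {"consumer": "app", "provider": "db", "filters": [("tcp", 3306)]},
]


def _permission(proto, port, peer):
    """Build one entry in the IpPermissions shape used by the EC2 API."""
    perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if "sg" in peer:
        perm["UserIdGroupPairs"] = [{"GroupId": peer["sg"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": c} for c in peer["subnets"]]
    return perm


def contracts_to_sg_rules(epgs, contracts):
    """Return {sg_id: {"inbound": [...], "outbound": [...]}} for every cloud EPG.

    Provided contracts become inbound rules whose source is the consumer;
    consumed contracts become outbound rules whose destination is the provider.
    External EPGs have no security group, so they only appear as peers.
    """
    rules = {e["sg"]: {"inbound": [], "outbound": []}
             for e in epgs.values() if "sg" in e}
    for c in contracts:
        consumer, provider = epgs[c["consumer"]], epgs[c["provider"]]
        for proto, port in c["filters"]:
            if "sg" in provider:
                rules[provider["sg"]]["inbound"].append(_permission(proto, port, consumer))
            if "sg" in consumer:
                rules[consumer["sg"]]["outbound"].append(_permission(proto, port, provider))
    return rules


def peers_allowed_into(rules, sg_id):
    """List (peer, protocol, port) tuples that may initiate traffic to sg_id."""
    out = []
    for p in rules[sg_id]["inbound"]:
        for pair in p.get("UserIdGroupPairs", []):
            out.append((pair["GroupId"], p["IpProtocol"], p["FromPort"]))
        for rng in p.get("IpRanges", []):
            out.append((rng["CidrIp"], p["IpProtocol"], p["FromPort"]))
    return out


if __name__ == "__main__":
    for sg, directions in contracts_to_sg_rules(EPGS, CONTRACTS).items():
        print(sg, directions)
```

Because the generated rules are an allow-list, the database tier ends up with an inbound rule from sg-app only and no outbound rules at all, which is the intended white-list behaviour of an EPG that provides a contract but consumes none.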
Challenges in building a Multi Cloud environment

• Building an automated and secure interconnect between on-premises and cloud datacenters with ease of provisioning and monitoring at scale
• Maintain consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• Requires a single pane of glass to manage policies across on-premises and cloud locations

ACI Extensions to AWS Multi-Site

[Diagram: On-Premise DC with Web, APP and DB EPGs joined by Contracts, connected over an IP Network to a Public Cloud AWS Region with Web, APP and DB Security Groups joined by SG Rules]

• Consistent Policy Enforcement on-Premise & Public Cloud
• Automated Inter-connect provisioning
• Simplified Operations with end-to-end visibility

Architecture

Cloud APIC Architecture
ACI 4.1

• Cloud APIC AMI downloaded from AWS Marketplace
• Interconnect connectivity automation (BGP-EVPN, VXLAN)
• Automates and manages cloud routers lifecycle
• Translates ACI Policy to cloud native constructs
• Deploys cloud resources and infrastructure components
• Intuitive GUI and REST API North Bound Interface
• cAPIC manages 1 or more regions

[Diagram: Cloud APIC components – Web Server (NGINX), Policy Distributor (PD), Policy Manager (PM), Cloud Policy Elements, and Connectors: API (AWS, Azure...) and NetConf (CSR1000v)]

Cloud APIC Resources
• m4.2xlarge EC2 Instance type
• 2.3-2.4 GHz Intel Xeon E5-2686/2676 v4/v3 processors
• Balance of compute, memory and networking resources

vCPU   Mem (GiB)   Storage             Network    Network Performance
8      32          100 Gig – 300 Gig   2x vNIC    High

Cloud EPG and Cloud ExtEPG
• Cloud EPG:
A collection of network interfaces on the cloud provider which share the same security policy. Can have endpoints in one or more subnets and can span across regions. Tied to a VRF

• Cloud Ext EPG:
A set of subnets that represent the outside world compared to the cloud provider. The outside world can either be another site or the Internet.
Example: with the IPv4 Internet as the outside, the cloudExtEPg will be identified with the subnet 0.0.0.0/0

Cloud Endpoint (EP) Classification
• Set of rules run against the cloud instances; once there is a match the endpoint (NIC) is assigned to the Cloud EPG
• 4 classifiers for endpoint assignment to Cloud EPG
a. Predefined
1. IP Address / Subnet
2. Region
3. Zone
b. Custom
1. Tags / label

• An endpoint can be classified into multiple Cloud EPGs
• Match operators are supported

Cloud EP Classification
Operators

• Below are a few examples. You can use any combination

Key                   Operator                     Value
IP Address / Subnet   =, !=                        10.10.10.1, 10.10.10.0/24
Region                In, Not in                   us-west-1, us-east-1
Zone                  In, Not in                   us-west-1a, us-west-1b
Custom                Has key, Doesn't have key    Application: web, db

Cloud EP Classification
Microsegmentation

• Example 1: Cloud EPG "Dev"
Condition: Key(s) + Operator(s) + Value(s)
Match expression: Custom:department == Engineering, Region In (us-west-1, us-east-1), custom:Role NotIn (Management, ITStaff)

• Example 2: Cloud EPG "Finance"
Condition: Key(s) + Operator(s) + Value(s)
Match expression: Custom:department == Finance, Region In (us-west-1, us-east-1), IP == 172.16.0.0/24

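The operator table and the two microsegmentation examples above describe a small rule language; the following added Python example (not the deck's or Cisco's code, and not the Cloud APIC data model) implements it as a classifier and runs the "Dev" and "Finance" expressions, plus two extra EPGs, over a constructed instance inventory. The instance record layout and the rule that a missing tag never satisfies a value comparison are assumptions of this example; the extra "Databases" and "WestCoast" EPGs exist only to show the Has key operator and an endpoint landing in more than one Cloud EPG, as the classification slide says it can.

```python
"""Cloud endpoint (NIC) classification into Cloud EPGs.

Added example, not the deck's or Cisco's code. Implements the operator table
(==, !=, In, NotIn, IP subnet match, Has key / Doesn't have key) against
constructed instance records; the record layout is an assumption, not the
Cloud APIC data model.
"""
from ipaddress import ip_address, ip_network

# --- constructed instance inventory (one entry per network interface) ---------
INSTANCES = [
    {"nic": "eni-1", "ip": "172.16.0.10", "region": "us-west-1", "zone": "us-west-1a",
     "tags": {"department": "Engineering", "Role": "Developer"}},
    {"nic": "eni-2", "ip": "172.16.0.20", "region": "us-west-1", "zone": "us-west-1b",
     "tags": {"department": "Engineering", "Role": "Management"}},
    {"nic": "eni-3", "ip": "172.16.0.30", "region": "us-east-1", "zone": "us-east-1a",
     "tags": {"department": "Finance"}},
    {"nic": "eni-4", "ip": "10.10.10.1", "region": "us-east-1", "zone": "us-east-1a",
     "tags": {"department": "Finance", "Application": "db"}},
    {"nic": "eni-5", "ip": "172.16.0.40", "region": "eu-west-1", "zone": "eu-west-1a",
     "tags": {"department": "Engineering"}},
]

# Cloud EPG match expressions: every condition must hold (logical AND).
# Condition = (key, operator, value). Key "custom:<tag>" reads an instance tag.
# "Dev" and "Finance" are the slide's examples; the other two are constructed.
CLOUD_EPGS = {
    "Dev": [("custom:department", "==", "Engineering"),
            ("region", "In", ["us-west-1", "us-east-1"]),
            ("custom:Role", "NotIn", ["Management", "ITStaff"])],
    "Finance": [("custom:department", "==", "Finance"),
                ("region", "In", ["us-west-1", "us-east-1"]),
                ("ip", "==", "172.16.0.0/24")],
    "Databases": [("custom:Application", "HasKey", None)],
    "WestCoast": [("zone", "In", ["us-west-1a", "us-west-1b"])],
}

_MISSING = object()   # sentinel for "attribute or tag absent"


def _lookup(instance, key):
    """Resolve a condition key against an instance; tags live under custom:."""
    if key.lower().startswith("custom:"):
        return instance["tags"].get(key.split(":", 1)[1], _MISSING)
    return instance.get(key, _MISSING)


def _ip_matches(ip, value):
    """'==' on the IP key matches an exact address or membership in a subnet."""
    return ip_address(ip) in ip_network(value, strict=False)


def condition_holds(instance, condition):
    key, op, value = condition
    actual = _lookup(instance, key)
    if op == "HasKey":
        return actual is not _MISSING
    if op == "DoesntHaveKey":
        return actual is _MISSING
    if actual is _MISSING:
        return False   # assumption: an absent tag never satisfies a value comparison
    if key == "ip":
        hit = _ip_matches(actual, value)
        return hit if op == "==" else not hit
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "In":
        return actual in value
    if op == "NotIn":
        return actual not in value
    raise ValueError(f"unknown operator {op!r}")


def classify(instances, epgs):
    """Return {nic: [epg, ...]}; an endpoint may land in several Cloud EPGs."""
    return {inst["nic"]: [name for name, conds in epgs.items()
                          if all(condition_holds(inst, c) for c in conds)]
            for inst in instances}


if __name__ == "__main__":
    for nic, epgs in classify(INSTANCES, CLOUD_EPGS).items():
        print(nic, epgs)
```

Note how eni-2 is excluded from "Dev" by the NotIn clause on its Role tag even though it matches the department and region conditions, and how eni-4 falls out of "Finance" because its address is outside 172.16.0.0/24 but is still picked up by the Has key classifier.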
Cloud Infra

[Diagram: Multisite Orchestrator spanning the on-premises ACI DC and the Public Cloud; Region-1 holds an Infra VPC with two CSR1kv routers, connected by IPSec Tunnel to the VGWs of User VPC 1 and User VPC 2]

Infra VPC
• Infra VPC will be used as transit VPC to connect between on-premises ACI Fabric and AWS region, or to connect one AWS region with another AWS region
• You would need an AWS account which will act similar to Fabric admin
• Need to have proper IP subnet planned ahead of the deployment

[Diagram: Infra VPC with AZ-1 and AZ-2 in a Region, linked via Multisite Orchestrator to the on-premises ACI DC]

User VPC
• User VPC will be created by Cloud APIC where all application policy will be enforced
• Need an AWS account which will act as Tenant admin before creating user VPC
• IP subnets need to be unique within a User VPC
• User VPC communicates with another User VPC through the Infra VPC

[Diagram: Region with Infra VPC (AZ-1, AZ-2) and a User VPC hosting the Customer App]

Infra VPC

[Diagram: Infra VPCs in Region-1 and Region-2, each with AZ-1 and AZ-2, plus a User VPC, under one Multisite Orchestrator with the on-premises ACI DC]

Infra VPC

[Diagram: a single Infra VPC in Region-1 serving User VPCs in Region-2, Region-3 and Region-4]

User VPC

[Diagram: Customer App User VPCs in Region-1 and Region-2, each behind an Infra VPC with AZ-1 and AZ-2]

Roles of MSO and Cloud APIC

                          Multisite Orchestrator                         Cloud APIC
Packaging                 Deployed On-Premise and not in Cloud,          Deployed only in Cloud Infra-VPC
                          Virtual Appliance (e.g. OVA)                   (e.g. AMI)
Deployment Models         Hybrid-Cloud and Multi-Cloud                   Cloud-First
Inter-Connect             On-Premise ACI to Cloud and Cloud to Cloud     Intra-Region and Inter-Region
Segmentation              Deploys segmentation policies                  Deploys segmentation policies in
                          On-premise/Cloud and Cloud/Cloud               Intra-Region and Inter-Region
L4-L7 and Cloud Services  L4-L7 Services                                 Only Cloud Native Services
APIs                      Consumed ACI APIs                              Mapping ACI to Cloud Native APIs
Scale                     Many 100s of Cloud Sites                       All regions of a public cloud provider
Authentication & RBAC     Only ACI AUTH and RBAC                         Manages ACI users and Cloud local accounts
Operations                Inter-Site Health and Operations Dashboard     Cloud Health and Operations Dashboard

Demo
Quick Teaser

Instances within a VPC

• Instances within the same VPC can communicate directly with each other, based on the respective security group policies programmed by Cloud APIC

[Diagram: AWS Region with Infra VPC (two CSR1000V, IPSec Tunnel) and User VPC-1 / User VPC-2 behind VGWs; Epg-1 (Instance-1, Instance-2, SG-1), Epg-2 (Instance-3, SG-2), Epg-3 (Instance-4, SG-3). Legend: Availability Zone, Security Group, End Point Group, CSR1000V, Virtual Private Gateway (VGW), Cloud APIC]

Packet Walk
- EC2 instances in Same EPG, Same Region

• Instance-1 & Instance-2 are part of the same EPG
• EPG1 is translated to Security Group-1
• Security group has a rule to allow all traffic within the same security group (intra-EPG traffic)
• Instance-1 sends a packet to Instance-2 in the same EPG (same Security Group)
• The route table shows that the destination is local
• The inbound rule in the security group allows all traffic within the same Security Group (intra-EPG traffic)
• Traffic reaches Instance-2

[Diagram: User VPC-1 behind VGW with Instance-1 and Instance-2 both in Epg-1 / SG-1; Infra VPC with two CSR1000V and IPSec Tunnel]

Instances across VPC

• For instances in two different VPCs communicating with each other, the traffic has to exit the VPC via the VGW of the user VPC and reach the CSR in the infra VPC.
• Once the traffic reaches the CSR1000v in the infra VPC, packets are routed to the destination based on the configured policies

[Diagram: AWS Region with Infra VPC (two CSR1000V, IPSec Tunnel), User VPC-1 and User VPC-2 behind VGWs; Epg-1 (Instance-1, Instance-2, SG-1), Epg-2 (Instance-3, SG-2), Epg-3 (Instance-4, SG-3). Legend: Availability Zone, Security Group, End Point Group, CSR1000V, Virtual Private Gateway (VGW), Cloud APIC]

Packet Walk
Instances in two User VPCs

• Instance-1 & Instance-2 are part of two EPGs in two VRFs
• EPGs are translated to Security Groups and attached to network interfaces
• Instance-1 sends a packet to Instance-2
• Based on the contract between EPG-1 & EPG-2, the rules are programmed on the security groups
• The route table shows that the destination is reachable via VGW
• VGW sends the packet to the CSR via the tunnel
• CSR sends the packet via tunnel to the destination VGW
• Traffic is permitted based on the inbound rules of the security group on the destination instance
• Traffic reaches Instance-2

[Diagram: Infra VPC with two CSR1000V; IPSec Tunnels to User VPC-1 (Instance-1, Epg-1, SG-1) and User VPC-2 (Instance-2, Epg-2, SG-2), each with its VGW and route table]

Instances in a VPC and on-Premises

• For traffic from instances in a VPC to on-premise, traffic reaches the CSR in the Infra VPC and goes over the VXLAN tunnel to the ACI Spines on-premise
• Spine forwards the traffic to the corresponding leaf on which the EP is located

[Diagram: Multi-Site Orchestrator over On-Premise Site A and Public Cloud Site B (Region 1). VXLAN Tunnel (data plane) and BGP EVPN control plane between the ACI spines and the CSR1000v pair in the Infra VPC (AZ-1, AZ-2); IPSec tunnels from CSR to the VGWs of User VPC-1 and User VPC-2; EPG-1, EPG-2, EPG-3 with SG-1, SG-2, SG-3 on Instance 01 to Instance 04. Legend: Security Group (SG), Availability Zone (AZ), CSR-1000V, AWS Internet Gateway (IGW), AWS Virtual Private Gateway (VGW), Cloud APIC]

Packet Walk
Instances in AWS to On-premise

• Instance-1 & Instance-2 are part of two EPGs in two VRFs
• EPGs are translated to Security Groups and attached to network interfaces
• Instance-1 sends a packet to Instance-2
• Based on the contract between EPG-1 & EPG-2, the rules are programmed on the security groups
• The route table shows that the destination is reachable via VGW
• VGW sends the packet to the CSR via the tunnel
• CSR sends the packet via tunnel to the on-Premises Leaf
• Traffic is permitted based on the contract to EPG1's EP at the destination leaf
• Traffic reaches the destination end point (EPG-1)

[Diagram: Public Cloud AWS Region with Infra VPC (two CSR1000V) and User VPC-1 (Instance-1 in Epg-1 / SG-1 behind VGW, route table); IPSec VPN Tunnel (Underlay) to On-Premise Site B where the VM is in EPG-1; Multi-Site Orchestrator above both]

Network Connectivity

1 Virtual Private Network (VPN)
Supported, ACI 4.1

• VXLAN data-plane connects ACI fabric and Cloud site
• BGP-EVPN routing reachability between ACI fabric and Cloud Site
• IPSec VPN connection between the customer Premise Router in front of the ACI fabric and the CSR1kv

[Diagram: On-Premise Site A (Customer Premise Router, VMs) to Public Cloud Site B over the Internet: IPSec VPN Tunnel (Underlay), BGP-EVPN Session (Control Plane) and VXLAN Tunnel (Data Plane) terminating on the CSR1000V in the Infra VPC behind the Internet Gateway; User VPC-1 and User VPC-2 with AWS Instances behind VGWs in the AWS Region]

2 Direct Connect (DX)
Targeted, ACI 4.x

• Direct Connect and BGP underlay between Infra-VPC and ACI Border Leaf
• BGP-EVPN and VXLAN over Direct Connect from ACI fabric to CSR 1000v

[Diagram: On-Premise Site A ACI Border Leaf connected over Direct Connect (DX) / BGP Underlay to the Amazon DGW/VGW of the Infra VPC; VXLAN and BGP-EVPN from the fabric to the CSR1000V; User VPC-1 and User VPC-2 with AWS Instances behind VGWs; Multisite Orchestrator above both sites]

3 DMZ with Firewall
Targeted, ACI 4.x

• ACI Mini Fabric in Co-location DMZ terminates AWS Direct Connect
• DMZ firewall provides perimeter security
• L1/L2/L3 PBR can be used to steer traffic into the Firewall

[Diagram: On-Premises ACI DC connected over an IP Network to a Co-location DMZ with ACI Mini and DMZ Firewall; Direct Connect (DX) from the DMZ to the Amazon VGW of the Infra VPC, with a User VPC hosting the Customer App in the Region; Multisite Orchestrator above]

4 Transit Gateway (TGW)
Targeted, ACI 4.x

• Transit Gateway connects User VPC to other User VPC
• Infra VPC will be used for connectivity to on-premise
• Provides higher Inter-VPC throughput

[Diagram: On-Premise Site A to Public Cloud Site B, Region 1: Infra VPC with CSRs (ENI in AZ-1 and AZ-2); User VPC-1 and User VPC-2 with ENIs in AZ-1 and AZ-2 connected through the Transit Gateway]

Segmentation

1 Application Stretch
Supported, ACI 4.1

• Stretch tenant/vrf across on-premises and cloud sites
• During peak times easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across on-premises and cloud sites
• Application stack failover between sites (active/disaster recovery)

[Diagram: Multi-Site Orchestrator over APIC (On-Premises) and Cloud APIC (Public Cloud). One Tenant / VRF stretched: BD1/Subnet1 Web-EPG1 and BD3/Subnet3 App-EPG1 on-premises; CIDR 2 Web-EPG2 and CIDR 4 App-EPG2 in the cloud; https contracts between the Web and App tiers]

2 Stretched EPG with Consistent Segmentation
Supported, ACI 4.1

• Web Tier and App Tier are stretched and securely segmented across on-premise and public cloud sites
• Consistent segmentation policy and enforcement for endpoints of Web/App Tier are independent of location

[Diagram: Multi-Site Orchestrator over APIC (On-Premises) and Cloud APIC (Public Cloud). Tenant / VRF with EPG-Web (BD/Subnet1 on-premises, CIDR 2 in the cloud) and EPG-App (BD3/Subnet3 on-premises, CIDR 4 in the cloud); https, redis contract between Web and App]

Demo
How to consume it!

3 Shared Services for Hybrid-Cloud
Supported, ACI 4.1

• Provides a capability to deploy shared service across hybrid cloud
• Shared Service deployed in 1 Site can be consumed by endpoints across other sites
• Contract will leak subnet between VRFs for reachability

[Diagram: Multi-Site Orchestrator over APIC (On-Premises) and Cloud APIC (Public Cloud). Tenant 1 / VRF1 with DNS-EPG (BD/Subnet1) on-premises; Tenant 2 / VRF2 (CIDR 2 Web-EPG, CIDR 3 App-EPG) and Tenant 3 / VRF3 (CIDR 4 Web-EPG, CIDR 5 App-EPG) in the cloud; dns contract from the Web-EPGs to DNS-EPG with Route Leaking; https and https, redis contracts between Web and App]

4 Cloud and On-Prem L3outs
Supported, ACI 4.1

• Cloud local L3out via IGW
• On-Prem local L3out
• On-Prem site endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *

* Depends on QA Validation Completion by FCS

[Diagram: Multi-Site Orchestrator (MSO) over On-Premise Site A (with L3out) and Public Cloud Site B, Region 1: Infra VPC with CSRs in AZ-1 / AZ-2; IPSec Tunnels to the VGWs of User VPC-1 (EPG-1, EPG-2; SG-1, SG-2; Instance 01 to 03) and User VPC-2 (EPG-3, SG-3, Instance 04), each with an IGW L3out]

Future
5 Cloud First
• Cloud APIC only without on-premises ACI or MSO
• Abstract AWS networking constructs from a user that is familiar with ACI, delivering ACI-consistent policy and operational model
• Deploy EPG and contracts on top of AWS public cloud

Services

1 AWS Application Load Balancer
Supported, ACI 4.1

2 Packet Flows:
1. Packet arrives from IGW L3out and is sent to ALB
2. Packet from user VPC is sent to ALB

3 ALB Scenarios:
1. Intra-VPC – ACI 4.1
2. Inter-VPC – Future
3. Inter VPC and On-Premise – Future

[Diagram: AWS Region with Infra VPC (CSR1000v) and User VPC-1: VGW, Internet Gateway with L3 Out (0.0.0.0/0), Application Load Balancer in front of EC2 Instances in AZ-1 and AZ-2]

Intra-VPC Application Load Balancer
Supported, ACI 4.1

• Instance-1 is part of EPG-1 & Instance-2 and Instance-3 are part of EPG-2 in the same VRF
• EPGs are translated to Security Groups and attached to network interfaces
• Contract exists between EPG-1 and EPG-2
• Service Graph is attached to the contract
• ALB EPG is created. This EPG is translated to a security group and attached to the ALB
• Rules are re-programmed between [EPG-1, ALB EPG] and [ALB EPG, EPG-2] as per the contract
• Instance-1 sends the traffic to the ALB
• Route table shall show the destination is local
• Traffic reaches the load balancer
• ALB distributes the traffic to the various instances in EPG-2

[Diagram: User VPC-1 with EPG-1 (SG-1, EC2 Instances in AZ-1) and EPG-2 (SG-2, EC2 Instances in AZ-2) joined by a Contract with a Service Graph through the Application Load Balancer (ALB EPG)]

2 AWS Cloud Native Services
Future

• EC2 instances access Cloud Native Service (eg. S3 bucket) via VPC endpoint
• All AWS services are supported in phase 2

[Diagram: Multi-Site Orchestrator (MSO) over On-Premise Site A and Public Cloud Site B, AWS Region 1: Infra VPC with CSRs in AZ-1 / AZ-2, IPSec Tunnel to the VGW of User VPC-1; Instance-1 in EPG-1 / SG-1 reaches the S3 bucket through a VPC endpoint placed in Service-EPG / SG-2]

Demo
Bring it up!
Cloud APIC Infra steps
• Deploy Cloud APIC using Cloud Formation Template
• Cloud APIC setup wizard (automated)
• AWS regions managed by Cloud APIC
• CSR1000v bring up and connectivity
• IPSec tunnel creation
• Inter-site connectivity to on-premises
• Inter-region

Cloud APIC – Bring Up
• Cloud APIC AMI will be available from AWS marketplace
• Cloud Formation Template does:
• Launch Cloud APIC EC2 Instance
• Create management and Infra Interface with IP address from Infra VPC pool
• Assign elastic IP to the management interface to enable communication with the Internet
• Create Internet Gateway on the Infra VPC and set up the route table to point to the Internet Gateway
• Program security group rules on the management interface to allow https / ssh access from configured external networks

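The last bullet is the one worth re-checking after bring-up: the management interface has an elastic IP, so its security group should allow https and ssh from the configured external networks and nothing else. The following added Python example (not Cisco's template or code) audits a security group record in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API against that intent and also builds the expected rule set in the same shape. The allowed networks, the group id and the sample permissions (which deliberately contain one world-open ssh range and one extra port) are constructed for illustration.

```python
"""Audit the Cloud APIC management-interface security group.

Added example, not Cisco's template or code. Checks a security group's
IpPermissions (the shape returned by the EC2 DescribeSecurityGroups API)
against the bring-up slide's intent: tcp/443 and tcp/22 from configured
external networks only. The allowed networks and the sample group are
constructed for illustration.
"""
from ipaddress import ip_network

ALLOWED_MGMT_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]   # constructed
EXPECTED_PORTS = {443, 22}                                       # https and ssh

# Constructed DescribeSecurityGroups-style record with two deviations:
# ssh additionally open to 0.0.0.0/0, and an extra tcp/8443 rule.
MGMT_SG = {
    "GroupId": "sg-0mgmt-example",   # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def _within_allowed(cidr, allowed):
    """True when cidr is contained in one of the configured external networks."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(ip_network(a)) for a in allowed)


def audit_mgmt_sg(sg, allowed_networks, expected_ports=EXPECTED_PORTS):
    """Return a list of findings; an empty list means the group matches intent."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None:          # "all traffic" rule
            findings.append(f"{gid}: all-traffic rule present")
            continue
        ports = set(range(lo, hi + 1))
        if proto != "tcp" or not ports <= expected_ports:
            findings.append(f"{gid}: unexpected {proto} {lo}-{hi}")
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if not _within_allowed(cidr, allowed_networks):
                findings.append(f"{gid}: {proto}/{lo} open to {cidr}")
        if perm.get("UserIdGroupPairs"):
            findings.append(f"{gid}: {proto}/{lo} references other security groups")
    return findings


def expected_permissions(allowed_networks, ports=EXPECTED_PORTS):
    """The ingress set the slide describes, in the same IpPermissions shape."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": c} for c in allowed_networks]}
            for p in sorted(ports)]


if __name__ == "__main__":
    for finding in audit_mgmt_sg(MGMT_SG, ALLOWED_MGMT_NETWORKS):
        print(finding)
```

Run against a live account, the IpPermissions list would come from describe_security_groups for the group attached to the management interface; the audit is deliberately strict about anything that is not tcp/443 or tcp/22 from the configured networks, including rules that reference other security groups.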
Deployment Steps
• Multisite Orchestrator
• Site registration
• Configure Infra – BGP EVPN Session is up
• Create Tenant
• Create Schema
• Add Sites to Schema
• Site local properties
• Deploy the Schema

Operations

Operations
• We have covered multiple aspects of the operation lifecycle:
• Visore object browser
• Firmware Management
• Tech Support
• Statistics
• Event Analytics
• Active Sessions
• Backup & Restore
• Remote Locations

Visore – Web Base MO Query and Browser Tool
https://<IP address>/visore.html

APIC Management Information Model Reference
https://<IP address>/doc/html

Policy based upgrade
• Similar steps as APIC
• Under Firmware Management select the image location
• Schedule a time to upgrade
• Once done, it will show that the upgrade completed

Tech Support
• We will collect the following:
• CSR1kv
• Logs
• Cloud APIC
• Configuration
• Logs
• Core Files

Statistics
• We will show multiple statistics:
• Inter-site
• Inter-region
• Inter-VPC
• Cloud EPG
• Cloud Routers

Topology Health

• Network connectivity and Health

Best Practices
• One account per Tenant
• AWS ALB is within a single VPC
• Shared service provider on-premise and consumer in one or more clouds is supported
• All the child objects must be deleted before the parent
• Example: cannot delete a VRF without deleting all VPC context profiles deployed
• In order to use Cloud statistics, the CloudWatch service should be subscribed first
• Direct connect is planned for ACI 4.2

References
• Cisco ACI
https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/index.html#~stickynav=1

• Cloud ACI
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-741802.pdf

• AWS
https://aws.amazon.com/console/

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKACI-2690

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you
