Transcript of: Cisco Connect Greater Bay Area, ACI Anywhere Update

Page 1: Cisco Connect Greater Bay Area

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Hong Kong, 30 May 2019
Qianhai & Macau, 31 May 2019

Page 2: ACI Anywhere Update

Javed Asghar, Principal Engineer, ACI Team
ACI Product Team
May 2019

Page 3: ACI Anywhere. Any Workload. Any Location. Any Cloud.

Automation with Consistent Policy: Security Everywhere, Policy Everywhere, Analytics Everywhere

Diagram labels: ACI On-Premises (Regional/Central Location); Virtual ACI (Edge / Remote DC); Cloud ACI (Public or Private Cloud); all interconnected over the WAN

Page 4: ACI Multisite (Shipping)

Diagram: Multisite Orchestrator managing Site A, Site B, Site C and Site D, each hosting VM workloads

• Policy Consistency: consistent policy across sites
• Single Point of Orchestration
• Availability: fault isolation
• Scale

Page 5: ACI: Physical Remote Leaf. Extend ACI to Satellite Data Centers (Shipping)

Diagram: On-Prem DC connected to Remote Locations over an IP Network (WAN Core: IPv4, MPLS, SR, etc.)

• Zero touch auto discovery of remote leaf
• Two remote leaf vPC pair; up to 64 remote locations
• Multi-site support: stretch tenant, EPG, etc.
• All benefits of ACI visibility: health scores, stats

Page 6: Virtual ACI: Virtual Pod. Extend ACI to Bare Metal Clouds and Remote Data Centers (Shipping)

Diagram: on-premises ACI data center extending policy over an IP Network to a remote location running a hypervisor

• Bare Metal Clouds (IBM, OVH, etc.)
• Remote Data Centers
• Co-location Facilities (Equinix, CoreSite, etc.)
• Brownfield Deployments
• Policy extension from on-premise DC

Page 7: ACI Multi-Cloud Extensions: Deep Dive

Page 8: Challenges in building a Multi Cloud environment

• Maintain consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• Building an automated and secure interconnect between on-premises and cloud datacenters with ease of provisioning and monitoring at scale
• Requires a single pane of glass to manage policies across on-premise and cloud locations

Page 9: ACI Extensions To Multi-Cloud: ACI Multi-Site Appliance

Diagram: ACI Multi-Site appliance orchestrating Site A, Site B, Site C and Site D, spanning on-prem ACI and cloud Region(s), each hosting VM workloads

• Consistent Network and Policy across clouds
• Seamless Workload Migration
• Single Point of Orchestration
• Secure Automated Connectivity

Page 10: ACI Extensions to AWS (ACI 4.1)

Diagram: On-Premise DC connected over an IP Network to an AWS Region (Public Cloud), managed by Multi-Site. The on-prem policy (EPG Web, EPG APP and EPG DB joined by Contracts) maps to AWS Security Groups (SG Web, SG APP and SG DB joined by SG Rules).

• Automated inter-connect provisioning
• Simplified operations with end-to-end visibility
• Consistent policy enforcement on-premise & public cloud

Page 11: Policy Mapping – AWS to ACI (1/2)

AWS construct | ACI construct
User Account | Tenant
Virtual Private Cloud | VRF
VPC subnet | BD Subnet
Security Group | EPG
Security Group Rule (Source/Destination: Subnet or IP or Any or ‘Internet’; Protocol; Port) | Contracts, Filters
Outbound rule | Consumed contracts
Inbound rule | Provided contracts
Tag / Label | EP to EPG Mapping
EC2 Instance, Network Adapter | End Point (fvCEp)
Network Access List | Taboo

For your info & reference
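The EPG-to-Security-Group and contract-to-SG-rule mapping on pages 10 and 11, worked through as an added example (this is not Cisco's code and not how cAPIC is implemented): it expands a contract into the provider's inbound and the consumer's outbound rules, and compares the intended rule set with what is actually deployed. The Filter/Contract/SgRule classes, the "sg-<epg>" naming and the sample ports are this example's own assumptions.

```python
# Added example (not Cisco code): the deck's AWS-to-ACI mapping as code: EPG -> SG,
# contract/filter -> SG rule, provided -> inbound rule, consumed -> outbound rule.
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    protocol: str   # "tcp", "udp", or "-1" (AWS wildcard for any protocol)
    from_port: int
    to_port: int

@dataclass(frozen=True)
class Contract:
    name: str
    provider_epg: str           # EPG providing the service
    consumer_epg: str           # EPG consuming it
    filters: tuple[Filter, ...]

@dataclass(frozen=True)
class SgRule:
    security_group: str   # SG carrying the rule; one SG per EPG, named "sg-<epg>"
    direction: str        # "ingress" or "egress"
    protocol: str
    from_port: int
    to_port: int
    peer_sg: str          # peer referenced by SG, not by IP, so the rule follows membership

def sg_name(epg: str) -> str:
    return f"sg-{epg.lower()}"

def contract_to_sg_rules(contract: Contract) -> list[SgRule]:
    """Provided side -> inbound on the provider SG; consumed side -> outbound on the consumer SG."""
    prov, cons = sg_name(contract.provider_epg), sg_name(contract.consumer_epg)
    rules = []
    for f in contract.filters:
        rules.append(SgRule(prov, "ingress", f.protocol, f.from_port, f.to_port, cons))
        rules.append(SgRule(cons, "egress", f.protocol, f.from_port, f.to_port, prov))
    return rules

def rules_for_policy(contracts: list[Contract]) -> dict[str, set[SgRule]]:
    """Intended rules grouped per SG; sets collapse duplicates from overlapping contracts."""
    per_sg: dict[str, set[SgRule]] = {}
    for c in contracts:
        for r in contract_to_sg_rules(c):
            per_sg.setdefault(r.security_group, set()).add(r)
    return per_sg

def drift(intended: dict[str, set[SgRule]], deployed: set[SgRule]) -> tuple[set[SgRule], set[SgRule]]:
    """(missing, unexpected): rules the policy wants but the cloud lacks, and rules nobody declared."""
    wanted = set().union(*intended.values())
    return wanted - deployed, deployed - wanted

# Constructed sample: the deck's Web/App/DB tiers; https + redis between Web and App.
SAMPLE_POLICY = [
    Contract("web-to-app", "App", "Web", (Filter("tcp", 443, 443), Filter("tcp", 6379, 6379))),
    Contract("app-to-db", "DB", "App", (Filter("tcp", 3306, 3306),)),
]
```

drift() is where the defensive value lies: feed it the rules read back from the cloud account and any rule in the "unexpected" set was created outside the policy domain.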

Page 12: Policy Mapping – AWS to ACI (2/2)

AWS construct | ACI construct
Region | Pod
Identity and Access Management (IAM) | AAA Users, Security Domains
Availability Zone (AZ) | Path/Node Attachment
Infra VPC | Overlay-1 VRF (ACI Infra)
Internet Gateway, VPN Gateway, Direct Connect, CSR1000V | Border Leaf, Spine (Internal and External connectivity)
VPC Peering | Shared Services / Common
Inter Region VPC Peering, Direct Connect Gateway | Inter POD Connectivity

For your info & reference

Page 13: Cloud Deployments Usecases

Page 14: Usecase #1: Hybrid-Cloud Deployment

Diagram: ACI Multi-Site Orchestrator managing on-premise ACI sites (Site A, Site B, Site C) and AWS Region(s) with VM workloads (AWS support in ACI 4.1)

Hybrid Cloud supported with AWS in Q2-CY19 and Azure in Q3-CY19

Page 15: Usecase #2: Cloud First with Multiple Regions (Target ACI 4.2)

One ACI Policy Domain with Multiple AWS Regions

Diagram: a single site (Site1) spanning AWS regions us-east-1, sa-east-1, eu-west-3 and ap-northeast-1, each with VM workloads

Page 16: Usecase #3: Multi-Cloud (Cloud Only) (Target ACI 4.2)

Multi-Cloud with AWS and Azure Cloud Sites supported in 2H-CY19

Diagram: ACI Multi-Site Orchestrator managing Site 1 (Region: us-east-1), Site 2 (Region: UK South) and Site 3 (Region: ap-northeast-1), each with VM workloads

Page 17: Network Connectivity Usecases

Page 18: Usecase #1: IPSec VPN (Supported ACI 4.1)

Diagram: On-Premise Site A (Customer Premise Router in front of the ACI fabric) connected over the Internet to Public Cloud Site B in an AWS Region (AWS Internet Gateway, CSR1000V in the Infra VPC, VGW into User VPC-1 and User VPC-2 hosting AWS Instances); the Multisite Orchestrator manages both sites
Legend: IPSec VPN Tunnel (Underlay); VXLAN Tunnel (Data Plane); BGP-EVPN Session (Control Plane)

• VXLAN data-plane connects ACI fabric and Cloud site
• BGP-EVPN routing reachability between ACI fabric and Cloud Site
• IPSec VPN connection between customer Premise Router before ACI fabric and CSR1kv

Page 19: Usecase #2: Direct Connect (DX) (Targeted ACI 4.x)

Diagram: On-Premise Site A (ACI Border Leaf) connected via Amazon Direct Connect (DGW/VGW) to Public Cloud Site B in an AWS Region (CSR1000V in the Infra VPC, VGW into User VPC-1 and User VPC-2 hosting AWS Instances), under Multi-Site
Legend: Direct Connect (DX) / BGP Underlay; BGP-EVPN; VXLAN

• Direct Connect and BGP underlay between Infra-VPC and ACI Border Leaf
• BGP-EVPN and VXLAN over Direct Connect from the ACI fabric to CSR 1000v

Page 20: Segmentation Usecases

Page 21: Usecase #1: Application Stretch (Supported ACI 4.1)

Diagram: Multi-Site Orchestrator managing APIC (On-Premises) and Cloud APIC (Public Cloud). One Tenant/VRF spans both: on-premises BD1/Subnet1 with Web-EPG1 and BD3/Subnet3 with App-EPG1; cloud CIDR 2 with Web-EPG2 and CIDR 4 with App-EPG2; Web and App tiers communicate over https

• Stretch tenant/VRF across on-premises and cloud sites
• During peak times easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across on-premises and cloud sites
• Application stack failover between sites (active/disaster recovery)

Page 22: Usecase #2: Stretched EPG with Consistent Segmentation (Supported ACI 4.1)

• Web Tier and App Tier are stretched and securely segmented across on-premise and public cloud sites
• Consistent segmentation policy and enforcement for endpoints of Web/App Tier are independent of location

Diagram: Multi-Site Orchestrator managing APIC (On-Premises) and Cloud APIC (Public Cloud). One Tenant/VRF with BD/Subnet1 and BD3/Subnet3 on-premises and CIDR 2 and CIDR 4 in the cloud; EPG - Web and EPG - App stretch across both, with a contract allowing https, redis

Page 23: Usecase #3: Shared Services for Hybrid-Cloud (Supported ACI 4.1)

• Provides a capability to deploy shared service across hybrid cloud
• Shared Service deployed in one site can be consumed by endpoints across other sites
• Contract will leak subnet between VRFs for reachability

Diagram: Multi-Site Orchestrator managing APIC (On-Premises) and Cloud APIC (Public Cloud). Tenant 1 / VRF1 holds DNS-EPG in BD/Subnet1; Tenant 2 / VRF2 holds Web-EPG (CIDR 2) and App-EPG (CIDR 3); Tenant 3 / VRF3 holds Web-EPG (CIDR 4) and App-EPG (CIDR 5). Contracts: https (Web to App), https, redis (Web to App) and dns (to DNS-EPG), with Route Leaking between the VRFs

Page 24: Usecase #4: Cloud and On-Prem L3outs (Supported ACI 4.1)

Diagram: Multi-Site Orchestrator (MSO) managing On-Premise Site A (with its own L3out) and Public Cloud Site B in Region 1 (Infra VPC with a CSR pair across AZ-1 and AZ-2; IPSec Tunnels to the VGW of User VPC - 1 and User VPC -2). The user VPCs hold EPG-1/SG-1, EPG-2/SG-2 and EPG-3/SG-3 with Instance 01 to Instance 04, and each VPC has an IGW L3out

• Cloud local L3out via IGW
• On-Prem local L3out
• On-Prem site endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *

* Depends on QA Validation Completion by FCS

Page 25: Services Usecases

Page 26: Usecase #1: AWS Application Load Balancer (Supported ACI 4.1)

Diagram: On-Premise Site A (Customer Premise Router, VM workloads) connected through the AWS Internet Gateway to Public Cloud Site B in an AWS Region; the Multisite Orchestrator manages both. CSR1000v in the Infra VPC, VGW into User VPC-1, where an Application Load Balancer fronts EC2 Instances in AZ-1 and AZ-2; L3 Out (0.0.0.0/0)

Page 27: Usecase 2: On-Prem FW for AWS VPCs (Supported ACI 4.1)

Diagram: Public Cloud AWS Region-1 (Infra VPC with CSR1000V, Amazon IGW/VGW, VPCs) connected to the On-Premise Datacenter (Customer Premise Router, Firewall, L3out) over a VXLAN Tunnel with a BGP EVPN Control Plane; FW Flow from the VPCs through the on-prem firewall

• VPCs don't have external connectivity in AWS
• All VPC traffic is tunneled to the on-prem FW and then uses the on-prem L3out

Page 28: Usecase #3: AWS Cloud Native Services (Future)

Diagram: Multi-Site Orchestrator (MSO) managing On-Premise Site A and Public Cloud Site B in AWS Region 1 (Infra VPC with a CSR pair across AZ-1 and AZ-2; IPSec Tunnel to the VGW of User VPC - 1). In User VPC - 1, Instance-1 in EPG-1 (SG-1) reaches an S3 bucket through a VPC endpoint represented as a Service-EPG (SG-2)

• EC2 instances access Cloud Native Service (e.g. S3 bucket) via VPC endpoint
• All AWS services are supported in phase 2

Page 29: ACI Anywhere Public Cloud Extensions Roadmap

ACI 4.1 Release
• ACI-AWS Launch
• cAPIC Policy Translation
• CSR Interconnect Automation
• MSO Public Cloud Operations
• AWS ALB support
• 4 Cloud Sites and 4 Physical Sites

ACI 4.2 Release *
• Azure
• Cloud Native Services
• Connectivity via DMZ with FW
• L4-L7 FW and NAT Services
• AWS Direct-Connect from cAPIC
• AWS Transit Gateway
• Multi-Cloud (AWS, Azure)
• MSO Cloud Packaging
• Day 2 Operations
• Policy Offload to CSR for High Policy Scale
• Cloud Center Integration
• 6 Cloud Sites and 18 Physical Sites

Future
• Clouds: GCP, IBM, Ali
• Azure ExpressRoute
• Azure & AWS Parity
• SD-WAN Interconnect
• Ecosystem Partners
• Higher Scale

* Targeted for Q3-CY19, subject to change without notice
