Cisco Connect Greater Bay Area: ACI Anywhere Update (slide transcript)
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Connect Greater Bay Area
Hong Kong • 30 May 2019
Qianhai & Macau • 31 May 2019
Javed Asghar
Principal Engineer, ACI Team
May 2019
ACI Product Team
ACI Anywhere Update
ACI Anywhere: Any Workload. Any Location. Any Cloud.
Automation with Consistent Policy across ACI On-Premises, Virtual ACI (Edge / Remote DC) and Cloud ACI (Public or Private Cloud), connected over the WAN to a Regional/Central Location
• Security Everywhere
• Policy Everywhere
• Analytics Everywhere
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Multisite (Shipping)
Multisite Orchestrator managing Site A, Site B, Site C and Site D
• Policy Consistency: consistent policy across sites
• Single Point of Orchestration
• Availability: fault isolation
• Scale
ACI: Physical Remote Leaf: Extend ACI to Satellite Data Centers (Shipping)
On-Prem DC connected to Remote Locations over an IP Network (WAN Core: IPv4, MPLS, SR, etc.)
• Zero Touch Auto Discovery of Remote Leaf
• Two Remote Leaf vPC Pair, Up To 64 Remote Locations
• Multi-site Support: Stretch Tenant, EPG, etc.
• All benefits of ACI visibility: Health Scores, Stats
Virtual ACI: Virtual Pod: Extend ACI to Bare Metal Clouds and Remote Data Centers (Shipping)
Policy extension from the on-premises ACI Data Center over an IP Network to a hypervisor-hosted virtual pod at the remote location
• Bare Metal Clouds (IBM, OVH, etc.)
• Remote Data Centers
• Co-location Facilities (Equinix, CoreSite etc.)
• Brownfield Deployments
ACI Multi-Cloud Extensions: Deep Dive
Challenges in building a Multi Cloud environment
• Maintain consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• Building an automated and secure interconnect between on-premises and cloud datacenters with ease of provisioning and monitoring at scale
• Requires a single pane of glass to manage policies across on-premises and cloud locations
ACI Extensions To Multi-Cloud: ACI Multi-Site Appliance
Single orchestration point across ACI On Prem (Site A) and cloud Region(s) (Site B, Site C, Site D)
• Consistent Network and Policy across clouds
• Seamless Workload Migration
• Single Point of Orchestration
• Secure Automated Connectivity
ACI Extensions to AWS (ACI 4.1)
On-Premise DC: EPG Web, EPG APP and EPG DB joined by Contracts. AWS Region (Public Cloud): SG Web, SG APP and SG DB joined by SG Rules. The two sites are connected by Multi-Site over an IP Network.
• Automated Inter-connect provisioning
• Simplified Operations with end-to-end visibility
• Consistent Policy Enforcement on-Premise & Public Cloud
Policy Mapping – AWS to ACI (1/2)
For your info & reference

AWS construct                                                          ACI construct
User Account                                                           Tenant
Virtual Private Cloud                                                  VRF
VPC subnet                                                             BD Subnet
Security Group                                                         EPG
Security Group Rule (Source/Destination: Subnet or IP or Any or        Contracts, Filters
  'Internet'; Protocol; Port)
Inbound rule                                                           Provided contracts
Outbound rule                                                          Consumed contracts
Tag / Label                                                            EP to EPG Mapping
EC2 Instance / Network Adapter                                         End Point (fvCEp)
Network Access List                                                    Taboo
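The mapping on this slide, worked through as an added example (my code, not Cisco's and not what Cloud APIC actually runs): a small Python model that renders ACI tenant, VRF, EPG and contract objects as the AWS constructs listed opposite them. Provided contracts become inbound security-group rules whose source is the consumer's security group, consumed contracts become the matching outbound rules, and an instance's tag decides which security group (EPG) it joins. It also flags contracts that have no provider or no consumer, because those translate to no rule at all, and instances whose tag matches no EPG, which end up in no security group. The security-group naming scheme, the `epg` tag key, the rule-dictionary shape and the sample EPGs, contracts and instance ids are assumptions made for this example.

```python
# Added example, not Cisco's code: a toy model of the AWS-to-ACI policy
# mapping on this slide. ACI objects are rendered as the AWS constructs listed
# opposite them. The SG naming ("<tenant>-<vrf>-<epg>"), the "epg" tag key and
# the rule-dict shape are assumptions of this example, not Cloud APIC's format.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """ACI filter entry -> protocol/port of an AWS security group rule."""
    protocol: str  # "tcp", "udp" or "icmp"
    port: int      # destination port


@dataclass
class Contract:
    """ACI contract -> the security group rules derived from it."""
    name: str
    filters: Tuple[FilterEntry, ...]


@dataclass
class Epg:
    """ACI EPG -> AWS security group; provided/consumed -> inbound/outbound."""
    name: str
    provides: Tuple[str, ...] = ()
    consumes: Tuple[str, ...] = ()


def sg_name(tenant: str, vrf: str, epg: str) -> str:
    # Tenant (AWS account) and VRF (VPC) are folded into the SG name here.
    return f"{tenant}-{vrf}-{epg}"


def translate(tenant: str, vrf: str, epgs: List[Epg], contracts: Dict[str, Contract]):
    """Return ({sg_name: {"inbound": [...], "outbound": [...]}}, dangling) where
    dangling lists contracts with no provider or no consumer (they yield no rules)."""
    sgs = {sg_name(tenant, vrf, e.name): {"inbound": [], "outbound": []} for e in epgs}
    providers = {c: [e for e in epgs if c in e.provides] for c in contracts}
    consumers = {c: [e for e in epgs if c in e.consumes] for c in contracts}
    dangling = []
    for cname, contract in contracts.items():
        if not providers[cname] or not consumers[cname]:
            dangling.append(cname)
            continue
        for prov in providers[cname]:
            for cons in consumers[cname]:
                for f in contract.filters:
                    # Provided contract -> inbound rule on the provider's SG. The
                    # source is the consumer's SG, not a CIDR, so membership
                    # follows the tag (EP-to-EPG mapping) rather than an address.
                    sgs[sg_name(tenant, vrf, prov.name)]["inbound"].append(
                        {"protocol": f.protocol, "port": f.port,
                         "source_sg": sg_name(tenant, vrf, cons.name)})
                    # Consumed contract -> outbound rule on the consumer's SG.
                    sgs[sg_name(tenant, vrf, cons.name)]["outbound"].append(
                        {"protocol": f.protocol, "port": f.port,
                         "dest_sg": sg_name(tenant, vrf, prov.name)})
    return sgs, dangling


def place_instances(tenant: str, vrf: str, epgs: List[Epg], instances: Dict[str, Dict[str, str]]):
    """Tag/Label -> EP-to-EPG mapping: an instance joins the SG of the EPG named
    by its 'epg' tag; an untagged or unknown-tag instance gets no SG (None)."""
    known = {e.name for e in epgs}
    placement = {}
    for inst_id, tags in instances.items():
        epg = tags.get("epg")
        placement[inst_id] = sg_name(tenant, vrf, epg) if epg in known else None
    return placement


# Constructed sample: the Web -> App -> DB chain drawn on the AWS slide.
EPGS = [
    Epg("Web", provides=("web-in",), consumes=("web-app",)),
    Epg("App", provides=("web-app",), consumes=("app-db",)),
    Epg("DB", provides=("app-db",)),
]
CONTRACTS = {
    "web-app": Contract("web-app", (FilterEntry("tcp", 443),)),   # https
    "app-db": Contract("app-db", (FilterEntry("tcp", 6379),)),    # redis
    "web-in": Contract("web-in", (FilterEntry("tcp", 443),)),     # no consumer: dangling
}
INSTANCES = {  # constructed EC2 instance ids and tags
    "i-web01": {"epg": "Web"},
    "i-app01": {"epg": "App"},
    "i-orphan": {"Name": "untagged"},
}

if __name__ == "__main__":
    import json
    sgs, dangling = translate("t1", "vrf1", EPGS, CONTRACTS)
    print(json.dumps(sgs, indent=2))
    print("contracts producing no rules:", dangling)
    print("instance placement:", place_instances("t1", "vrf1", EPGS, INSTANCES))
```

The point of the two checks is what a defender wants from a policy translation: a contract nobody consumes silently produces no security-group rule, and an instance without a recognised tag is outside every EPG, so both conditions are reported rather than ignored.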
Policy Mapping – AWS to ACI (2/2)
For your info & reference

AWS construct                                                          ACI construct
Region                                                                 Pod
Availability Zone (AZ)                                                 Path/Node Attachment
Identity and Access Management (IAM)                                   AAA Users, Security Domains
Infra VPC                                                              Overlay-1 VRF (ACI Infra)
Internet Gateway, VPN Gateway, Direct Connect, CSR1000V                Border Leaf, Spine (Internal and External connectivity)
VPC Peering                                                            Shared Services / Common
Inter Region VPC Peering, Direct Connect Gateway                       Inter POD Connectivity
Cloud Deployment Use Cases
Use case #1: Hybrid-Cloud Deployment (ACI 4.1)
ACI Multi-Site Orchestrator spanning ACI On Premise (Site A) and AWS Region(s) (Site B, Site C)
Hybrid Cloud supported with AWS in Q2-CY19 and Azure in Q3-CY19
Use case #2: Cloud First with Multiple Regions (Target ACI 4.2)
One ACI Policy Domain with Multiple AWS Regions: a single site (Site1) spanning us-east-1, sa-east-1, eu-west-3 and ap-northeast-1
Use case #3: Multi-Cloud (Cloud Only) (Target ACI 4.2)
Multi-Cloud with AWS and Azure Cloud Sites supported in 2H-CY19
ACI Multi-Site Orchestrator spanning Site 1 (Region: us-east-1), Site 2 (Region: UK South) and Site 3 (Region: ap-northeast-1)
Network Connectivity Use Cases
Use case #1: IPSec VPN (Supported ACI 4.1)
Topology: On-Premise Site A (ACI fabric behind a Customer Premise Router) reaches Public Cloud Site B (AWS Region) over the Internet. The Infra VPC hosts the CSR1000V behind the AWS Internet Gateway; User VPC-1 and User VPC-2 hold the AWS Instances and attach via VGW. The Multisite Orchestrator manages both sites.
• IPSec VPN Tunnel (Underlay): IPSec VPN connection between the Customer Premise Router in front of the ACI fabric and the CSR1kv
• BGP-EVPN Session (Control Plane): routing reachability between the ACI fabric and the Cloud Site
• VXLAN Tunnel (Data Plane): connects the ACI fabric and the Cloud site
Use case #2: Direct Connect (DX) (Targeted ACI 4.x)
Topology: On-Premise Site A (ACI Border Leaf) connects through Direct Connect to the Amazon DGW/VGW of Public Cloud Site B (AWS Region). The Infra VPC hosts the CSR1000V; User VPC-1 and User VPC-2 hold the AWS Instances and attach via VGW. Multi-Site manages both sites.
• Direct Connect (DX) / BGP Underlay between Infra-VPC and ACI Border Leaf
• BGP-EVPN and VXLAN over Direct Connect from the ACI fabric to the CSR 1000v
Segmentation Use Cases
Use case #1: Application Stretch (Supported ACI 4.1)
Topology: one Tenant/VRF managed by the Multi-Site Orchestrator across APIC (On-Premises: BD1/Subnet1 with Web-EPG1, BD3/Subnet3 with App-EPG1) and Cloud APIC (Public Cloud: CIDR 2 with Web-EPG2, CIDR 4 with App-EPG2), with https contracts between the Web and App tiers
• Stretch tenant/VRF across on-premises and cloud sites
• During peak times easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across on-premises and cloud sites
• Application stack failover between sites (active/disaster recovery)
Use case #2: Stretched EPG with Consistent Segmentation (Supported ACI 4.1)
Topology: one Tenant/VRF managed by the Multi-Site Orchestrator; EPG - Web and EPG - App each span APIC (On-Premises: BD/Subnet1, BD3/Subnet3) and Cloud APIC (Public Cloud: CIDR 2, CIDR 4), with an https, redis contract between them
• Web Tier and App Tier are stretched and securely segmented across on-premise and public cloud sites
• Consistent segmentation policy and enforcement for endpoints of the Web/App Tier are independent of location
Use case #3: Shared Services for Hybrid-Cloud (Supported ACI 4.1)
Topology: Multi-Site Orchestrator across APIC (On-Premises) and Cloud APIC (Public Cloud). Tenant 1 / VRF1 hosts DNS-EPG on BD/Subnet1. Web-EPG and App-EPG pairs (CIDR 2 / CIDR 3 in Tenant 2 / VRF2, CIDR 4 / CIDR 5 in Tenant 3 / VRF3) use https and redis contracts between the tiers; a dns contract to DNS-EPG drives Route Leaking between the VRFs.
• Provides a capability to deploy shared service across hybrid cloud
• Shared Service deployed in 1 Site can be consumed by endpoints across other sites
• Contract will leak subnet between VRFs for reachability
Use case #4: Cloud and On-Prem L3outs (Supported ACI 4.1)
Topology: Multi-Site Orchestrator (MSO) across On-Premise Site A (EPG-1 with its own L3out) and Public Cloud Site B (AWS Region 1: Infra VPC with CSRs in AZ-1 and AZ-2, IPSec Tunnels to the VGWs of User VPC - 1 and User VPC - 2; EPG-1/SG-1, EPG-2/SG-2 and EPG-3/SG-3 holding Instance 01 to Instance 04; L3out via IGW per VPC)
• Cloud local L3out via IGW
• On-Prem local L3out
• On-Prem site endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *
* Depends on QA Validation Completion by FCS
Services Use Cases
Use case #1: AWS Application Load Balancer (Supported ACI 4.1)
Topology: On-Premise Site A (Customer Premise Router, Multisite Orchestrator) connects to Public Cloud Site B (AWS Region). The Infra VPC hosts the CSR1000v behind the AWS Internet Gateway; User VPC-1 attaches via VGW and holds an Application Load Balancer in front of EC2 Instances in AZ-1 and AZ-2, exposed through an L3 Out (0.0.0.0/0).
Use case #2: On-Prem FW for AWS VPCs (Supported ACI 4.1)
Topology: Public Cloud AWS Region-1 (Infra VPC with CSR1000V behind the Amazon IGW/VGW) connects to the On-Premise Datacenter (Customer Premise Router) with a BGP EVPN Control Plane and a VXLAN Tunnel; VPC traffic flows through the on-premises Firewall to the on-premises L3out.
• VPCs don't have external connectivity in AWS
• All VPC traffic is tunneled to the on-prem FW and then uses the on-prem L3out
Use case #3: AWS Cloud Native Services (Future)
Topology: Multi-Site Orchestrator (MSO) across On-Premise Site A and Public Cloud Site B (AWS Region 1: Infra VPC with CSRs in AZ-1 and AZ-2, IPSec Tunnel to the VGW of User VPC - 1). Instance-1 in EPG-1 / SG-1 reaches the S3 bucket through a VPC endpoint that appears as a Service-EPG (SG-2).
• EC2 instances access Cloud Native Service (eg. S3 bucket) via VPC endpoint
• All AWS services are supported in phase 2
ACI Anywhere Public Cloud Extensions Roadmap

ACI 4.1 Release
• ACI-AWS Launch
• cAPIC Policy Translation
• CSR Interconnect Automation
• MSO Public Cloud Operations
• AWS ALB support
• 4 Cloud Sites and 4 Physical Sites

ACI 4.2 Release *
• Azure
• Cloud Native Services
• Connectivity via DMZ with FW
• L4-L7 FW and NAT Services
• AWS Direct-Connect from cAPIC
• AWS Transit Gateway
• Multi-Cloud (AWS, Azure)
• MSO Cloud Packaging
• Day 2 Operations
• Policy Offload to CSR for High Policy Scale
• Cloud Center Integration
• 6 Cloud Sites and 18 Physical Sites

Future
• Clouds: GCP, IBM, Ali
• Azure ExpressRoute
• Azure & AWS Parity
• SD-WAN Interconnect
• Ecosystem Partners
• Higher Scale

* Targeted for Q3-CY19, subject to change without notice