topic Re: cisco ISE Azure Application in Network Access Control

cisco ISE Azure Application

iran — Sat, 01 Apr 2023 23:21:55 GMT

I have seen here Deploy Cisco Identity Services Engine Natively on Cloud Platforms - Cisco ISE on Azure Cloud Services [Cisco Identity Services Engine] - Cisco

That Cisco ISE has two variants in Azure.
1. Azure Application
2. Virtual Machine variant

In the first option is it possible to add or assign an IP address to a second interface after the deployment?

I did not find any documentation about it

Re: cisco ISE Azure Application

hslai — Sun, 02 Apr 2023 19:13:03 GMT

@iran

Both options create and initialize an ISE VM with one and only one network interface. We may add additional interfaces afterwards.

The doc you cited above has the info there. Deploy Cisco Identity Services Engine Natively on Cloud Platforms / Chapter: Cisco ISE on Azure Cloud Services / Known Limitations of Cisco ISE in Microsoft Azure Cloud Services says,

...

To add a secondary NIC to any VM in Microsoft Azure, you must first power off the VM.

...

Then, follow Azure doc on Microsoft Learn / Azure Networking / Virtual Network / Add network interfaces to or remove network interfaces from virtual machines to add another interface.

Finally, power on the ISE VM and use ISE admin CLI to configure the private IP address for the new interfaces.

Re: cisco ISE Azure Application

iran — Sun, 02 Apr 2023 22:58:18 GMT

Thank you for your quick reply.

One more question.
I am a little bit confused between the difference from Azure Application and Virtual Machine variant.

In Azure Application variant, it is a virtual machine like any other virtual machines in which we can access the console, edit/add interfaces... ?
Still not very clear to me, the difference between the two variants and the advantages of each one.

Thank you

Re: cisco ISE Azure Application

Greg Gibbs — Tue, 04 Apr 2023 00:01:35 GMT

@iran , both methods deploy the same resulting ISE virtual instance in Azure with the same features and capabilities. The only difference is how the node is deployed.
With the Azure Application method, you are presented with a template and prompted to enter each value that will be used to configure the ISE application (hostname, DNS name, etc). Azure uses this to build an ARM template that is then used to build the node.
With the VM variant, you must provide those details in the User Data field. This option is typically easier to use if you are deploying ISE nodes using your own orchestration tools like Ansible/Terraform.

Re: cisco ISE Azure Application

Tony-Nguyen — Fri, 19 Jul 2024 06:27:56 GMT

Hi @Greg Gibbs, we plan to migrate ISEs to Azure cloud and upgrade to 02 dedicated PAN/MNT and 02 dedicated PSN nodes.

Could you pls advise what are best network/security practice for implementation such

put them on the same Azure Group Resource, Region, Virtual network, Subnet ... or on the different resources and how?

Thank you

Tony

Re: cisco ISE Azure Application

Greg Gibbs — Sun, 21 Jul 2024 22:07:52 GMT

Please open a new conversation for questions that are not specifically related to the same topic.

Your question is also more of a general Azure architecture best practice and depends greatly on your Azure environment, so you should discuss this with your Azure architects. At a minimum, you would at least want high-availability across two AZs, if not two Regions.