
CloudCenter Integration Fundamentals - ACI Deployment: New EPG



CloudCenter offers three fundamental deployment models pertaining to an ACI-enabled cloud: Existing EPG, New EPG and Bridge Domain Template. This series of articles will describe the different models and explain the resultant artifacts on the fabric.

CloudCenter and Cisco ACI are application-centric platforms and therefore take a top-down approach to application delivery. Because CloudCenter is tightly and natively integrated with the APIC, the requirements of the application are satisfied during the design phase, and the network and security requirements are likewise satisfied during the execution phase. When an application is deployed by CloudCenter into an ACI fabric, the conventional APIC objects and policies are dynamically created and applied to the respective virtual machines.

Items to note:

The environment used for this documentation is a dCloud reserved lab, so the APIC is a simulated version of the platform.

The CloudCenter version referenced for this document is v4.7.3, which includes many enhancements to the ACI integration.

Primary Guiding Assumptions

  • The typical ACI constructs for the tenant (Bridge Domain, DHCP Policy/Relay Label, VRF, External Routed Network - whether tenant specific or shared from the common tenant) are pre-configured and operationally healthy
  • CloudCenter will create a new ACI Application Profile, new EPGs - one per tier of the application, new filters and contracts and apply them to the new EPGs according to the design of the CloudCenter application profile
  • The ACI objects created by CloudCenter will be named after the original deployment name so that they can be quickly and easily traced to the CloudCenter deployment
  • If the CloudCenter components (CCM, CCO, AMQP) are contained in a different and separate tenant than the existing EPG(s) into which the application nodes will be deployed, policies and corresponding contracts should exist and be applied so as to allow the nodes to reach the requisite CloudCenter services
  • CloudCenter does not currently support uEPG(s)

ACI and CC Environment Details

A previous article exists that itemizes the specific details of the environment. To avoid repetition, please review the following headings in that article:

  • ACI Configuration
  • CC Application Profile
  • CC Environment

CC Deployment Submission

  • Much of the user's experience during the deployment submission can be predefined in the Default Settings of the Deployment Environment
  • Deployment Requirements
    • Use ACI Extension in On position
    • APIC Extension
      • dCloud_APIC
        • Once the extension is selected, CC will auto-discover the objects relevant to the privileges of the user whose credentials were used to configure the ACI Extension
    • Virtual Machine Manager
      • My-vCenter
        • This is specified by the APIC
    • APIC Tenant
      • CliQr
        • This is specified by the APIC and configured according to the description in the above section
    • L3 Out
      • L3_Out
        • This routed network is configured at the common tenant; if there are multiple networks configured for this tenant they would be displayed
    • Network Type
      • ACI
    • End Point Group
      • New EPG
    • Bridge Domain
      • BD_Common
        • This Bridge Domain is configured at the common tenant
    • Contracts
      • common/External_Outbound
        • This contract is already applied on the L3_Out EPG at the common tenant as a Provider contract


    • NOTE: The deployment requirements described above apply to both the Apache tier and the DB tier

ACI policies

  • Expected outcomes from the deployment (Existing EPG model)
    • CloudCenter creates the ACI AP, EPGs, and policies for the new application deployment and connects the CliQr tenant objects to the common tenant objects by applying the contracts to the respective objects


    • The virtual machines provisioned by vCenter will be connected to the newly created EPG (vDS port group) respective to their tier assignment and can be observed in the Operational tab of the EPG, and the contracts created for the application appear in the Contracts view of the EPG
    • Application Profile
      • NewEPGTEST_391 - the name of this object corresponds to the name of the CloudCenter deployment as specified by the user; the CloudCenter job ID is also included after the underscore
      • Apache EPG
        • The common/External_Outbound contract selected during the deployment submission is applied to the EPG as a Consumed contract; this allows the EPG members to reach external networks via the L3_Out EPG in the common tenant
        • One of the new contracts, whose naming convention follows the same logic as that of the Application Profile, is created and applied as a Provided contract and reflects the firewall rule of the CloudCenter service to allow access to HTTP (port 80) to - this contract is also applied to the L3_Out EPG at the common tenant
        • The other new contract is created and applied as a Consumed contract; it reflects the firewall rule of the MySQL service in the CloudCenter application profile to specifically allow members of the Apache EPG to access members of the MySQL EPG via TCP port 3306


      • MySQL EPG
        • Similar to the Apache EPG, the common/External_Outbound contract is applied to handle egress flows to external networks
        • The other new contract is created and applied as a Provided contract; it reflects the firewall rule of the MySQL service in the CloudCenter application profile to specifically allow members of the Apache EPG to access members of the MySQL EPG via TCP port 3306


      • L3_Out EPG
        • Since this EPG was pre-configured and the requisite Provided contracts applied, CloudCenter does not modify the existing contracts or add any new contracts as Provided ones - this implies that for the deployment to be delivered end-to-end, the Provided contract for egress flow must be valid and must pre-exist the user's request; also, the user must select the correct Provided contract during the deployment submission
        • The newly created contracts from the CliQr tenant will be applied to the L3_Out EPG
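
As an added example (not part of the original article and not CloudCenter or APIC code), the Python check below compares the contract relations of the deployed application profile against the provided/consumed roles listed in the Apache EPG and MySQL EPG bullets, and reports any drift. The data mirrors the APIC object classes fvAp, fvAEPg, fvRsProv and fvRsCons; the EPG names and the HTTP_CONTRACT and MYSQL_CONTRACT names are constructed placeholders, since the article does not give the generated names.

```python
# Constructed sample data in the shape of an APIC JSON subtree
# (fvAp > fvAEPg > fvRsProv / fvRsCons). NewEPGTEST_391 and External_Outbound
# come from the article; EPG and per-tier contract names are placeholders.
def epg_node(name, provided, consumed):
    rels = [("fvRsProv", c) for c in provided] + [("fvRsCons", c) for c in consumed]
    return {"fvAEPg": {"attributes": {"name": name}, "children": [
        {cls: {"attributes": {"tnVzBrCPName": c}}} for cls, c in rels]}}

SAMPLE_AP = {"fvAp": {"attributes": {"name": "NewEPGTEST_391"}, "children": [
    epg_node("Apache_EPG", ["HTTP_CONTRACT"], ["External_Outbound", "MYSQL_CONTRACT"]),
    epg_node("MySQL_EPG", ["MYSQL_CONTRACT"], ["External_Outbound"]),
]}}
# Intended state, taken from the Apache EPG and MySQL EPG bullets above.
EXPECTED = {
    "Apache_EPG": {"provided": {"HTTP_CONTRACT"}, "consumed": {"External_Outbound", "MYSQL_CONTRACT"}},
    "MySQL_EPG": {"provided": {"MYSQL_CONTRACT"}, "consumed": {"External_Outbound"}},
}
ROLE_BY_CLASS = {"fvRsProv": "provided", "fvRsCons": "consumed"}

def contract_roles(ap):
    """Map each EPG name to the sets of contracts it provides and consumes."""
    roles = {}
    for child in ap["fvAp"].get("children", []):
        epg = child.get("fvAEPg")
        if epg is None:
            continue  # skip non-EPG children of the application profile
        entry = roles.setdefault(epg["attributes"]["name"],
                                 {"provided": set(), "consumed": set()})
        for rel in epg.get("children", []):
            for cls, body in rel.items():
                if cls in ROLE_BY_CLASS:
                    entry[ROLE_BY_CLASS[cls]].add(body["attributes"]["tnVzBrCPName"])
    return roles

def audit(ap, expected):
    """Return sorted (epg, role, contract, status) tuples for each deviation."""
    actual, findings = contract_roles(ap), []
    for epg in set(actual) | set(expected):
        for role in ("provided", "consumed"):
            have = actual.get(epg, {}).get(role, set())
            want = expected.get(epg, {}).get(role, set())
            findings += [(epg, role, c, "unexpected") for c in have - want]
            findings += [(epg, role, c, "missing") for c in want - have]
    return sorted(findings)

if __name__ == "__main__":
    extra = epg_node("Other_EPG", [], ["MYSQL_CONTRACT"])  # constructed drift
    SAMPLE_AP["fvAp"]["children"].append(extra)
    print(audit(SAMPLE_AP, EXPECTED))
```

An empty result means the fabric matches the intended tier-to-tier policy; an "unexpected" consumer of the database contract is the finding to investigate first, because it widens access to TCP port 3306 beyond the Apache tier.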
