CloudCenter offers three fundamental deployment models pertaining to an ACI-enabled cloud: Existing EPG, New EPG and Bridge Domain Template. This series of articles will describe the different models and explain the resultant artifacts on the fabric.
CloudCenter and Cisco ACI are application-centric platforms, and as a result both take a top-down approach to application delivery. Because CloudCenter is tightly and natively integrated with the APIC, not only are the requirements of the application satisfied during the design phase, but the network and security requirements are also satisfied during the execution phase. When an application is deployed by CloudCenter into an ACI fabric, the conventional APIC objects and policies are dynamically created and applied to the respective virtual machines.
Items to note:
The environment used for this documentation is a dCloud reserved lab, so the APIC is a simulated version of the platform.
The CloudCenter version referenced for this document is v4.7.3, which includes many enhancements to the ACI integration.
Primary Guiding Assumptions
The typical ACI constructs for the tenant (Bridge Domain, DHCP Policy/Relay Label, VRF, External Routed Network - whether tenant specific or shared from the common tenant) are pre-configured and operationally healthy
CloudCenter will create a new ACI Application Profile, new EPGs (one per tier of the application), and new filters and contracts, and will apply them to the new EPGs according to the design of the CloudCenter application profile
The ACI objects created by CloudCenter will be named after the original deployment name so that they can be quickly and easily traced to the CloudCenter deployment
If the CloudCenter components (CCM, CCO, AMQP) are contained in a different and separate tenant than the existing EPG(s) into which the application nodes will be deployed, policies and corresponding contracts should exist and be applied so as to allow the nodes to reach the requisite CloudCenter services
CloudCenter does not currently support uEPG(s)
ACI and CC Environment Details
A previous article exists that itemizes the specific details of the environment. To avoid repetition, please review the following headings in that article:
CC Application Profile
CC Deployment Submission
Much of the user's experience during the deployment submission can be predefined in the Default Settings of the Deployment Environment
Use ACI Extension set to the On position
Once the extension is selected, CC will auto-discover the objects relevant to the privileges of the user whose credentials were used to configure the ACI Extension
Virtual Machine Manager
This is specified by the APIC
This is specified by the APIC and configured according to the description in the above section
This routed network is configured at the common tenant; if there are multiple networks configured for this tenant they would be displayed
End Point Group
This Bridge Domain is configured at the common tenant
This contract is already applied on the L3_Out EPG at the common tenant as a Provider contract
NOTE: The deployment requirements described above apply to both the Apache tier and the DB tier
Expected outcomes from the deployment (Existing EPG model)
CloudCenter creates the ACI AP, EPGs, and policies for the new application deployment and connects the CliQr tenant objects to the common tenant objects by applying the contracts to the respective objects
The virtual machines provisioned by vCenter will be connected to the newly created EPG (vDS port group) corresponding to their tier assignment and can be observed in the Operational tab of the EPG; the contracts created for the application appear in the Contracts view of the EPG
NewEPGTEST_391 - the name of this object corresponds to the name of the CloudCenter deployment as specified by the user; the CloudCenter job ID is also included after the underscore
The common/External_Outbound contract selected during the deployment submission is applied to the EPG as a Consumed contract; this allows the EPG members to reach external networks via the L3_Out EPG in the common tenant
One of the new contracts, whose naming convention follows the same logic as that of the Application Profile, is created and applied as a Provided contract and reflects the firewall rule of the CloudCenter service that allows HTTP (port 80) access for 0.0.0.0/0; this contract is also applied to the L3_Out EPG at the common tenant
The other new contract is created and applied as a Consumed contract; it reflects the firewall rule of the MySQL service in the CloudCenter application profile to specifically allow members of the Apache EPG to access members of the MySQL EPG via TCP port 3306
Similar to the Apache EPG, the common/External_Outbound contract is applied to handle egress flows to external networks
The other new contract is created and applied as a Provided contract; it reflects the firewall rule of the MySQL service in the CloudCenter application profile to specifically allow members of the Apache EPG to access members of the MySQL EPG via TCP port 3306
Since this EPG was pre-configured and the requisite Provided contracts applied, CloudCenter does not modify the existing contracts or add any new contracts as Provided ones. This implies that for the deployment to be delivered end-to-end, the Provided contract for egress flow must be valid and must pre-exist the user's request; the user must also select the correct Provided contract during the deployment submission
The newly created contracts from the CliQr tenant will be applied to the L3_Out EPG
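As an added check that is not part of the original article, of CloudCenter or of Cisco, the Python script below reads an APIC-style JSON subtree for the deployment's Application Profile and verifies that each tier's EPG provides and consumes exactly the contracts described above, and that the filters behind the new contracts pin a single port (80 for the Apache tier, 3306 for MySQL) rather than a range or an unspecified port. The embedded response is constructed, and the object names (Apache_NewEPGTEST_391, MySQL_NewEPGTEST_391 and the http_/mysql_ filter names) are assumptions modelled on the naming convention the article describes, not values read from an APIC; the query path in the docstring is the kind of subtree query you would run against a live fabric after logging in.

```python
"""Check the ACI objects CloudCenter created for a deployment against the design.

Added example, not code from the article, CloudCenter or Cisco.  APIC_RESPONSE
is a constructed, trimmed imitation of the JSON the APIC returns for a subtree
query on the deployment's Application Profile (for example
GET /api/node/mo/uni/tn-CliQr/ap-NewEPGTEST_391.json?query-target=subtree);
it is embedded so the check runs offline.  EPG, contract and filter names are
assumptions modelled on the page's naming convention, not values from an APIC.
"""


def apic_mo(cls, name, children=(), **attrs):
    """One managed object in APIC JSON shape: {cls: {attributes, children}}."""
    return {cls: {"attributes": {"name": name, **attrs}, "children": list(children)}}


def apic_rel(cls, attr, target):
    """A relation object (fvRsProv, fvRsCons, vzRsSubjFiltAtt) pointing at target."""
    return {cls: {"attributes": {attr: target}}}


# Constructed sample: one EPG per tier with its provided/consumed contract
# relations, the two contracts CloudCenter created, and their filters.
APIC_RESPONSE = {"totalCount": "6", "imdata": [
    apic_mo("fvAEPg", "Apache_NewEPGTEST_391", [
        apic_rel("fvRsCons", "tnVzBrCPName", "External_Outbound"),      # egress via common L3_Out
        apic_rel("fvRsProv", "tnVzBrCPName", "Apache_NewEPGTEST_391"),  # HTTP for 0.0.0.0/0
        apic_rel("fvRsCons", "tnVzBrCPName", "MySQL_NewEPGTEST_391")]), # reach the DB tier
    apic_mo("fvAEPg", "MySQL_NewEPGTEST_391", [
        apic_rel("fvRsCons", "tnVzBrCPName", "External_Outbound"),
        apic_rel("fvRsProv", "tnVzBrCPName", "MySQL_NewEPGTEST_391")]),
    apic_mo("vzBrCP", "Apache_NewEPGTEST_391", [apic_mo("vzSubj", "http", [
        apic_rel("vzRsSubjFiltAtt", "tnVzFilterName", "http_NewEPGTEST_391")])]),
    apic_mo("vzBrCP", "MySQL_NewEPGTEST_391", [apic_mo("vzSubj", "mysql", [
        apic_rel("vzRsSubjFiltAtt", "tnVzFilterName", "mysql_NewEPGTEST_391")])]),
    apic_mo("vzFilter", "http_NewEPGTEST_391",
            [apic_mo("vzEntry", "tcp80", etherT="ip", prot="tcp", dFromPort="80", dToPort="80")]),
    apic_mo("vzFilter", "mysql_NewEPGTEST_391",
            [apic_mo("vzEntry", "tcp3306", etherT="ip", prot="tcp", dFromPort="3306", dToPort="3306")]),
]}

# Contract relations the article describes for the two tiers.
EXPECTED = {
    "Apache_NewEPGTEST_391": {"provided": {"Apache_NewEPGTEST_391"},
                              "consumed": {"External_Outbound", "MySQL_NewEPGTEST_391"}},
    "MySQL_NewEPGTEST_391": {"provided": {"MySQL_NewEPGTEST_391"},
                             "consumed": {"External_Outbound"}},
}


def _objects(imdata, cls):
    """Yield (attributes, children) for every top-level object of class cls."""
    for mo in imdata:
        if cls in mo:
            yield mo[cls]["attributes"], mo[cls].get("children", [])


def epg_contracts(imdata):
    """Map each EPG name to the sets of contracts it provides and consumes."""
    result = {}
    for attrs, children in _objects(imdata, "fvAEPg"):
        rel = {"provided": set(), "consumed": set()}
        for child in children:
            if "fvRsProv" in child:
                rel["provided"].add(child["fvRsProv"]["attributes"]["tnVzBrCPName"])
            elif "fvRsCons" in child:
                rel["consumed"].add(child["fvRsCons"]["attributes"]["tnVzBrCPName"])
        result[attrs["name"]] = rel
    return result


def contract_ports(imdata):
    """Map each contract to the (protocol, from-port, to-port) tuples its filters
    permit, following vzBrCP -> vzSubj -> vzRsSubjFiltAtt -> vzFilter -> vzEntry."""
    filters = {}
    for attrs, entries in _objects(imdata, "vzFilter"):
        filters[attrs["name"]] = {tuple(e["vzEntry"]["attributes"][k] for k in
                                        ("prot", "dFromPort", "dToPort"))
                                  for e in entries if "vzEntry" in e}
    ports = {}
    for attrs, subjects in _objects(imdata, "vzBrCP"):
        ports[attrs["name"]] = set()
        for subj in subjects:
            for att in subj.get("vzSubj", {}).get("children", []):
                if "vzRsSubjFiltAtt" in att:
                    flt = att["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                    ports[attrs["name"]] |= filters.get(flt, set())
    return ports


def check_deployment(imdata, expected):
    """Return the list of discrepancies between fabric and design (empty = match)."""
    observed = epg_contracts(imdata)
    problems = []
    for epg, want in expected.items():
        have = observed.get(epg)
        if have is None:
            problems.append(f"EPG {epg} missing from fabric")
            continue
        for side in ("provided", "consumed"):
            for c in sorted(want[side] - have[side]):
                problems.append(f"{epg}: {side} contract {c} missing")
            for c in sorted(have[side] - want[side]):
                problems.append(f"{epg}: unexpected {side} contract {c}")
    # A port range or an unspecified port is wider than the single-port CloudCenter rule.
    for contract, entries in contract_ports(imdata).items():
        for prot, lo, hi in sorted(entries):
            if lo != hi or lo == "unspecified":
                problems.append(f"{contract}: broad filter entry {prot} {lo}-{hi}")
    return problems
```

Against a live fabric, replace APIC_RESPONSE with the parsed response of the subtree query (the list under "imdata" is what the functions consume); a non-empty result from check_deployment is the list of relations to reconcile before the deployment is handed over. Only fvAEPg objects are inspected, which matches the article's note that uEPGs are not supported by CloudCenter, and the contract consumed by the common tenant's L3_Out EPG lives outside this subtree, so it has to be checked with a second query on the common tenant.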