Cisco ISE Hybrid Deployment Design (On-premise and Azure)

kyawkyawnaing
Level 1

Dear Community Members,

I'm seeking your valuable input regarding Cisco ISE's recommended design for a Hybrid Cloud environment. The scenario involves approximately 100 users, and the plan is to deploy 2 x Cisco ISE nodes to ensure High Availability (HA) with essential features like 802.1X, profiling, and posture functionalities.

It's feasible to have the Cisco ISE Primary node located on-premises while the secondary node is hosted on Azure. Does this approach make sense, and is it possible to implement? If you have experience or insights related to the Cisco ISE "Hybrid Deployment," I would greatly appreciate it if you could share the prerequisites for a hybrid design and the related documentation and best practices for a successful setup. I understood that database sync might have some concerns, and I would like to know more about the network requirements for on-premises and Azure nodes to sync the ISE database.

I thank you in advance for your assistance.

Accepted Solution

thomas
Cisco Employee

These exact topics have been covered by @Charlie Moreton in our recent ISE Webinars which get archived to our ISE YouTube Channel:

▷ Cloud Load Balancing with ISE 2023/06/15, GitHub: ISE_in_MultiCloud_Webinar
▷ ISE in a Hybrid Cloud Environment 2022/12/06, GitHub: Cloud_Based_Load_Balancers


There is also a document for Deploy Cisco ISE Natively on Cloud Platforms which includes Cisco ISE on Azure Cloud Services as you requested.

People regularly ask for an "ISE in the Cloud CVD". 90% of the architecture decisions have nothing to do with ISE and are all about the same old routing, redundancy, high availability, and security practices for any applications or services in any datacenter. The Cloud is just another set of datacenters for ISE nodes. You may mix and match your ISE nodes to be deployed in any on-premises datacenter or cloud provider as long as you use the supported appliances, VM hypervisors, or cloud instances.

  • Regions: Yes, for redundancy! How many? Which ones? Depends on the geography and scale of your organization
  • Availability Zones: Always a cloud best practice. How many? Which ones? See Regions above.
  • VPNs: Yes! RADIUS and TACACS are 30-year-old protocols and do not have encryption, therefore it is critical to use a VPN to secure all traffic. Which one depends on the customer's preferences, needs, and of course budget:
    • static VPN gateway per VPC to one or more locations
    • Cisco vASA in the cloud and/or on premises
    • Meraki vMX with auto VPN in the cloud and/or on premises
    • other physical or virtual VPN(s) in the cloud and/or on premises
  • Load Balancing:
    • this is probably a given for large scale deployments
    • But even for small, 2-node ISE deployments in the cloud, it enables Blue/Green deployments during upgrade and allows the load balancer VIPs to remain unchanged on all of your network devices. Unless you want to change the RADIUS configuration on all network devices with every ISE upgrade or tediously manage taking one PSN down and starting another with the same IP. 8-)
    • Which network load balancer (brand, model, size, physical or virtual, etc.) is a customer choice and independent of ISE
  • Security Groups: Yes, but the exact rules depend on your network architecture decided above and which ISE services you run on which nodes. See the Cisco ISE Ports Reference for a complete list.

The official Cisco ISE on AWS Reference Deployment and ISE on AWS QuickStart Deployment Guide give you the template architecture that you should be able to apply with any cloud provider.

All ISE cloud instances have a Bring Your Own License (BYOL) model which is the same for any on-premises deployment. All licensing is done via the ISE PAN nodes whether on-premises or based in a cloud environment.

For the hourly cost of the various VM instances in the cloud environments, you may estimate it based on the suggested instance sizes in Cisco ISE on Azure Cloud Services. Additional costs may be billed by your cloud provider(s) for data traffic and other related services (VPN, load balancing, DNS, etc.).
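As an added example that is not part of the original thread (and not Cisco's or the answer author's tooling), the script below ties together two of the points in the answer above: RADIUS and TACACS+ carry no encryption, so they must only reach a cloud-hosted PSN through the VPN, and the security-group rules on that PSN should be checked against that requirement. It audits an Azure-NSG-style inbound rule list and flags any Allow rule that opens an AAA port to a source that is not wholly inside the trusted on-premises/VPN ranges. The rule names, CIDRs and the trusted range are constructed for the example; the port map holds only the well-known RADIUS and TACACS+ ports and is meant to be extended from the Cisco ISE Ports Reference for node-to-node and other services.

```python
# Added example for this thread (not Cisco's or the answer author's code): audit an
# Azure-NSG-style inbound rule list for a cloud-hosted ISE PSN and flag any rule that
# exposes the unencrypted AAA protocols (RADIUS, TACACS+) to sources outside the
# VPN/on-premises ranges. Rule names, CIDRs and the trusted ranges are constructed.
import ipaddress
from dataclasses import dataclass

# Well-known ports of the protocols the answer says must ride inside a VPN.
# Extend this map with entries from the Cisco ISE Ports Reference as needed.
AAA_PORTS = {
    ("udp", 1812): "RADIUS authentication",
    ("udp", 1813): "RADIUS accounting",
    ("tcp", 49): "TACACS+",
}


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp", "udp" or "*" (any)
    dest_port: str  # "49", "1812-1813" or "*" (any)
    source: str     # CIDR, or "*" / "Internet" / "0.0.0.0/0" for any source
    access: str     # "Allow" or "Deny"
    priority: int   # lower number is evaluated first, as in Azure NSGs


def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside a port spec such as "49", "1812-1813" or "*"."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def source_is_trusted(source: str, trusted) -> bool:
    """True only if the rule's source prefix is wholly contained in a trusted range."""
    if source in ("*", "Internet", "0.0.0.0/0", "::/0"):
        return False
    src = ipaddress.ip_network(source, strict=False)
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_aaa_exposure(rules, trusted_cidrs, aaa_ports=AAA_PORTS):
    """Return one finding per (rule, AAA port) that an Allow rule opens to an untrusted source."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.access.lower() != "allow":
            continue
        for (proto, port), label in aaa_ports.items():
            if rule.protocol.lower() not in (proto, "*"):
                continue
            if not port_in_range(port, rule.dest_port):
                continue
            if not source_is_trusted(rule.source, trusted):
                findings.append({
                    "rule": rule.name,
                    "service": label,
                    "port": f"{proto}/{port}",
                    "source": rule.source,
                    "reason": "AAA port reachable from outside the VPN/on-prem ranges",
                })
    return findings


# Constructed sample: 10.10.0.0/16 stands in for the on-premises ranges that reach the
# cloud PSN through the VPN tunnel; everything else is untrusted for AAA traffic.
TRUSTED_CIDRS = ["10.10.0.0/16"]

SAMPLE_RULES = [
    Rule("allow-radius-from-vpn", "udp", "1812-1813", "10.10.0.0/16", "Allow", 100),
    Rule("allow-tacacs-any", "tcp", "49", "*", "Allow", 110),
    Rule("allow-https-mgmt", "tcp", "443", "10.10.0.0/16", "Allow", 120),
    Rule("allow-radius-partner", "udp", "1812", "172.16.5.0/24", "Allow", 130),
    Rule("deny-all-inbound", "*", "*", "*", "Deny", 4096),
]

if __name__ == "__main__":
    for f in audit_aaa_exposure(SAMPLE_RULES, TRUSTED_CIDRS):
        print(f"{f['rule']}: {f['service']} ({f['port']}) open to {f['source']}")
```

On the constructed sample this reports two findings: TACACS+ open to any source, and RADIUS authentication open to a partner range that is not part of the trusted VPN prefixes. The audit is deliberately flat: it does not model a higher-priority Deny shadowing a lower-priority Allow, so treat its output as a list of rules to review rather than a proof of reachability, and add the node-to-node ports from the Ports Reference before using it for PAN/MnT replication traffic between the on-premises and Azure nodes.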

