Cisco ISE in public cloud

jmcgourt@cisco.com
Cisco Employee

Hi, can you please advise if it is possible to deploy vISE in any public cloud services such as AWS? If not, is this something that will be available in future?

Accepted Solutions

kthiruve
Cisco Employee

This is a product roadmap question. Please reach out to your Cisco Sales and PMs for this. This is not the forum for that.

-Krishnan

6 Replies

Damien Miller
VIP Alumni

There is only one workable solution for this. VMware Cloud is offered in AWS, where you get bare metal servers with ESXi on them. ISE will run in these just as it would if you had on-prem VMware.

There is no traditional cloud-based ISE or ISE as a service offering today.

Azure is not an option. You can do nested Hyper-V, but the networking component won't work for services. It's meant for dev sandboxing.

Arne Bier
VIP

What is the use case for this? I don't expect there is any need to perform network authentication inside of a cloud (no switches/WLCs etc.) - so that leads me to believe that perhaps having the PAN in the public cloud would be interesting. But MnT is the SYSLOG target for all nodes - so that would consume a lot of bandwidth and IOPS (i.e. require a large VM spec). And the PSNs? You can talk IPSec to the NAD - that means you want to be sure that every NAD supports IPSec (or DTLS).

The whole expense of lifting and shifting a monolith like ISE to the cloud seems nonsensical to me - it's expensive enough on premise even if you own your own hardware. I would like to see someone prove that the ROI of shifting a deployment to public cloud is beneficial.

Cisco should produce a smaller version of ISE (stripped down version) or even better, make a cloud native app. Some kind of serverless solution where you pay for the transaction time for processing your RADIUS/TACACS requests. That reminds me - is there even a secure version of the TACACS protocol?

Perhaps it's not about cost. Perhaps it's about hype - that everything is moving to public cloud and we'd all better get on the bandwagon.

sureshot
Cisco Employee

With ISE 3.0, you can now deploy an ISE node in an ESX infrastructure running on AWS.

Installation is similar to an on-prem VM deployment using ESXi.
For your reference: Release Notes ISE 3.0 and Installation Guide ISE 3.0.

Hi @sureshot

I would be keen to see some cost calculations for running up a 'small' ISE VM in AWS. I am sure there must be some cost modelling for this, and perhaps some options to the customer - e.g. using a specific machine spec that meets the Cisco spec - what is the list price in USD for 365 days of operation. And then compare it with a reserved instance of the same spec.

The other cost factor is perhaps the cost of the networking traffic - possibly won't run into the petabytes ... but if I recall correctly, there may be some implications about the cost of AWS egress data (ingress is free, but egress is not free). Perhaps that's all a thing of the past.

My perception of all of this is that running ISE 3.0 in the public cloud could get very expensive. I might also be completely wrong - I'd like to know some facts from people who have looked into the numbers.

If this was a SaaS service then perhaps customers would only pay per RADIUS/TACACS authentication? That would be interesting.

Hi Arne,

Understood your concerns on ISE running as a VM instance with VMware Cloud on AWS.

ISE as IaaS with AMI (Amazon Machine Image) on AWS is the expectation with the upcoming major release of ISE 3.x, which can offer much better services!
Let's wait for the release to know more details on this.