ACI and CITEIS Fortify the Cloud-Enabled Data Center
In July 2014, Cisco IT turned on the Application Centric Infrastructure (ACI) fabric for the first time in our San Jose engineering data center. Since then, we’ve been busy building out the ACI fabric in our U.S. production centers and beginning the process of migrating workloads. In phases, we’ll migrate our global infrastructure footprint to ACI within two years. Running on our internal cloud platform called Cisco IT Elastic Infrastructure Services (CITEIS), ACI provides flexibility and elasticity across the data center that wasn’t possible before. So far the results have been better than even we expected.
Compute and storage optimization. Our existing data center configuration is made up of physically separated pods, or zones, which result in compute and storage resources being physically locked when requested by application owners. We figure that 15 to 30 percent of our compute infrastructure alone isn’t being used. In addition to this “vertical lock-in,” VMs can’t tap into free compute capacity from other Cisco UCS clusters. On the other hand, the ACI fabric enables horizontal scaling, or a compute striping model, whereby applications can flexibly tap into any available compute or storage. Stripes (logical computing units) span horizontally across UCS clusters attached to different ACI leaf nodes. Workloads traverse multiple UCS domains because they can be placed on any UCS blade within the stripe. Any application can use any reserve or unused resources. No more stranded capacity.
Simplified consumption. Automation and software-defined networking capabilities, driven by the Cisco Application Policy Infrastructure Controller (APIC), have enabled us to implement a self-service consumption model where application owners are empowered to allocate and manage data center resources based on their specific needs. Via a centralized CITEIS interface, users create and provision their applications and services easily and quickly. For example, developers can choose the composition and grouping of applications and how applications are distributed across data centers for resiliency. They can define their own application lifecycles and follow a continuous integration model as they build and deploy application components.
End users create application profiles that consist of endpoint groups, which are sets of instances with similar policy requirements. Instead of using forwarding constructs such as addressing or VLANs to apply connectivity and policy, ACI endpoint groups act as a container for collections of applications or application components that can be used to apply forwarding and policy logic. Freed from forwarding constructs, endpoint groups allow for better mapping of applications to the network itself, and better mapping of the network to application owners and developers. Users also manage communication between endpoint groups. So, instead of application owners having to work with a networking team to create ACLs for communication between servers, they can request the right ACLs themselves via the CITEIS portal.
The endpoint groups contain policies that allow them to talk to applications and interact with each other in a secure, easily auditable way. Security is facilitated throughout the data center fabric versus having to secure individual components. As part of creating an application profile, users need to create connection points between endpoint groups using policy constructs known as contracts, which stipulate inbound and outbound permit, deny, access, and other rules and policies that define how an endpoint group communicates with other endpoint groups. In this whitelist environment, we’re basically putting application security in the hands of the people who own the data.
When it comes to audits in the ACI environment, if you set up the processes properly and partner with your auditing clients, you can eliminate a lot of human error and also drive down the cost and time it takes to complete an audit. You're auditing policies, not interviewing people or manually comparing hundreds of lines of configuration for weeks on end.
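To make the whitelist model in the two paragraphs above concrete, here is a small added example that is not part of the original post and not Cisco's APIC object model or API. It is a constructed, simplified model in which an application profile holds endpoint groups (EPGs) and contracts; a contract names the EPGs that provide a service, the EPGs that consume it, and the filter entries it permits. Traffic between different EPGs is dropped unless a matching contract exists, and the same data structure can be enumerated into the policy listing an auditor reviews instead of raw device configuration. The class and field names, and the three-tier sample profile, are assumptions chosen to mirror the prose.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed, simplified model of the whitelist policy described in the post.
# It is not Cisco's APIC object model or REST API; names are assumptions that
# mirror the prose (endpoint groups, contracts, filter entries).


@dataclass(frozen=True)
class FilterEntry:
    """One permitted service: L4 protocol and destination port."""
    protocol: str   # "tcp" or "udp"
    dst_port: int


@dataclass
class Contract:
    name: str
    entries: Set[FilterEntry]
    providers: Set[str] = field(default_factory=set)   # EPGs offering the service
    consumers: Set[str] = field(default_factory=set)   # EPGs allowed to initiate to it


@dataclass
class ApplicationProfile:
    name: str
    epgs: Set[str]
    contracts: Dict[str, Contract] = field(default_factory=dict)

    def add_contract(self, contract: Contract) -> None:
        # Reject contracts that reference EPGs outside this profile, so the
        # audit listing never contains dangling names.
        for epg in contract.providers | contract.consumers:
            if epg not in self.epgs:
                raise ValueError(f"unknown EPG {epg!r} in contract {contract.name!r}")
        self.contracts[contract.name] = contract

    def is_permitted(self, src_epg: str, dst_epg: str, protocol: str, dst_port: int) -> bool:
        """Whitelist semantics for the initiating direction of a flow.

        Inter-EPG traffic is denied unless some contract lists src_epg as a
        consumer, dst_epg as a provider, and carries a matching filter entry.
        Endpoints inside a single EPG are allowed to talk to each other.
        """
        if src_epg == dst_epg:
            return True
        wanted = FilterEntry(protocol, dst_port)
        return any(
            src_epg in c.consumers and dst_epg in c.providers and wanted in c.entries
            for c in self.contracts.values()
        )

    def audit_matrix(self) -> List[Tuple[str, str, str, int, str]]:
        """Enumerate every inter-EPG flow a contract permits, with the contract
        that grants it. Anything absent from this list is denied by default,
        which is what makes the policy, rather than the config, the audit artifact."""
        rows = []
        for c in sorted(self.contracts.values(), key=lambda c: c.name):
            for consumer in sorted(c.consumers):
                for provider in sorted(c.providers):
                    for e in sorted(c.entries, key=lambda e: (e.protocol, e.dst_port)):
                        rows.append((consumer, provider, e.protocol, e.dst_port, c.name))
        return rows


def build_sample_profile() -> ApplicationProfile:
    """Constructed three-tier sample: web -> app on TCP/8443, app -> db on TCP/5432.
    Note that no contract lets web reach db directly."""
    profile = ApplicationProfile("ordering-app", {"web", "app", "db"})
    profile.add_contract(Contract("web-to-app", {FilterEntry("tcp", 8443)},
                                  providers={"app"}, consumers={"web"}))
    profile.add_contract(Contract("app-to-db", {FilterEntry("tcp", 5432)},
                                  providers={"db"}, consumers={"app"}))
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    for row in p.audit_matrix():
        print("{} -> {} {}/{} via contract {}".format(*row))
    print("web -> db tcp/5432 permitted:", p.is_permitted("web", "db", "tcp", 5432))
```

Running the block prints the two permitted flows and shows that a web-tier endpoint cannot open a database connection, because no contract grants it. In the real fabric the same default-deny holds; an application owner who needs a new path adds a contract rather than asking a network team for an ACL, and the reviewer reads the contract list rather than the device configuration.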
Zero downtime maintenance. Not only are we using all the resources on the floor, but we can move workloads across the data center to do maintenance. And we can secure these workloads. We understand all of the dependencies associated with them because of endpoint grouping and contracts. Automated provisioning eliminates manual errors formerly introduced by client changes. Changes that resulted in a freeze before can now be done seamlessly and with high integrity without end users even knowing.
End-to-end automated provisioning. With the unified, programmable ACI fabric, we're doing holistic end-to-end automated provisioning. Before ACI, we made terrific strides reducing provisioning times of individual resources. We cut provisioning a VM from about 8 weeks to under 6 minutes. But with ACI, we're provisioning the complete data center environment end to end – storage, compute, network, security, dependency mapping, platform capabilities, etc. – with a few button clicks. From development to production, all the needed resources are delivered within minutes after end users order them. Done, secured, and auditable.
By the way, you can find out more here about the products and services that make CITEIS such a powerful part of our cloud strategy.