Blog Primary Author – Cesar Obediente, CCIE No. 5620
Cesar is a Principal Systems Engineer for Cisco Global Enterprise Segment specializing in the Data Center area, where he helps customers design and build their next-generation data centers. He has been with Cisco Systems for over 17 years, and has co-authored “CCNA Data Center DCICN 200-150” and “Programmability and Automation with Cisco Open NX-OS”. He holds a CCIE in routing and switching and holds a degree in computer engineering from the University of South Florida.
Introduction: In a world buzzing with micro-services, containers and distributed cloud platforms, most organizations are faced with a daunting challenge: entering the promised land of shiny cloud-native apps and rapid application deployments at scale without compromising security and compliance. The good news is that there is an increasing number of technologies that can help in this regard; the bad news is that most of them apply only to new, cloud-native applications. Objectively speaking, micro-services remain the primary target of all major container solutions. Incidentally, this type of application is often a minority within the portfolios of established companies. The bulk of applications fueling the business today were created several years ago following the architectures that are not conducive to rapid cloud deployments. Migrating the business-critical legacy apps over to the new tech may take time or may prove to be not economically viable due to complexities of the business logic they contain. Some organizations may decide to keep them around a build a façade of new cloud native apps around the legacy components.
In these cases, the question becomes how to deploy, secure and monitor the two categories of applications in a consistent and efficient way. Using the traditional methods of network security for continuous application deployments is not a trivial undertaking. Solutions are typically manual, or based on custom and short-lived scripting, which renders them inherently inefficient and error-prone. The matter gets progressively worse when dealing with the mix of legacy and cloud-native components.
Solution: Cisco and Apprenda have been working together to address these challenges through an integration of Cisco ACI and Apprenda Container Management Platform. Application Centric Infrastructure (ACI) is Cisco’s next generation data center architecture designed to address the requirements of today’s traditional networks around network automation. . Recently ACI added native support to Kubernetes clusters, which now extends its flexible policy model to containers.
Apprenda is a maker of a versatile container platform for rapid deployments of both cloud-native and traditional application workloads. The Apprenda platform natively integrates with ACI and provides secure containerization and automated network isolation of applications at deployment time. This automation applies to different types of workloads: cloud-native, legacy and mixed.
Apprenda – ACI integration helps with two use cases. It simplifies the process of attaching and configuring ACI fabric to the Apprenda platform and Kubernetes clusters. It also reduces complexities of securing individual applications and their components during continuous deployment processes.
Use Case-1: Day One Scenario:
The process of enabling Apprenda on the ACI fabric is fully automated. A platform operator, typically an IT admin, can use the ACI initialization tool, built into the Apprenda Operator Portal. All the operator needs to do is provide connection information and credentials to the APIC. Once these sets of credentials are saved, the operator pushes the Initialize button. From there, the automated process takes over, sparing everyone from the need for lengthy meetings, delays and human errors. Within seconds the platform becomes a part of the ACI-fabric including the Kubernetes clusters managed by Apprenda. The Apprenda configuration in ACI is based on at least two tenants.
The first tenant has an ANP and at least one EPG that protects the core Apprenda platform, which comprises several Windows servers where .Net workloads are deployed. The other ACI tenant is for the Kubernetes cluster managed by Apprenda.
The automated setup process also creates several contracts for some shared services like ICMP, L3-out, DNS, etc., and contracts that govern the communication between the two tenants. One contract ensures that platform can manage deployments of applications to the Kubernetes cluster. There is a separate contract for the guest application deployed to the Kubernetes cluster to be able to communicate with the platform core services and vice versa.
Use-Case 2: Automated Secure Deployment Scenario:
The integrated solution also reduces complexities of securing individual applications and their components during continuous deployment processes.
Apprenda provides an abstraction layer for developers and product management to communicate business requirements and application SLAs to the infrastructure layers prior to making the application live. The platform takes these requirements and translates them into specific commands to, for example, trigger network segmentation and isolation. During the configuration phase, the developer has the opportunity to tell Apprenda how the app has to be protected at the network level by ACI. This can be accomplished with just one setting – Network Isolation Mode, which has the following options:
- Isolated – to make the app its own island, fully isolated from everything else on the platform.
- Custom – allows for the isolation of groups of apps based on various ad hoc criteria, associated with Apprenda deployment policies. For example, this mode can be used to establish secure communication for application with similar compliance requirements (PCI, HIPAA, etc.).
- Development team – is a form of custom isolation that allows all apps of a single development team (an Apprenda tenant) to communicate with each other, but remain isolated from other applications on the platform.
The selected value ultimately triggers the automation of ACI network policies while Apprenda containerizes the application. In addition, developers can specify the external services that their applications may need to rely on. By default, shared services like DNS, ICMP, external connectivity, etc. are available for all apps to consume.
This is where developers can also tell Apprenda that their Kubernetes components need to talk to a legacy guest app deployed to the platforms legacy network segment. In this example, all legacy apps are relegated to a single EPG. In reality, the segmentation can be much more granular. The ACI contracts between the deployed application and all the selected services are created automatically during the deployment time.
This way, both new and existing apps can be secured by a single tool in a consistent and frictionless way.
Follow this link for additional technical details and to view video demonstrations of the setup and usage of this integrated solution:
and for other ACI-Apprenda assets, www.cisco.com/go/dcecosystem