Most companies have plans to run or move a certain percentage of new and existing applications to the cloud in the next few years. While the cloud offers many compelling benefits, consuming cloud resources is often not as easy as IT departments might expect. The complex list of challenges to be considered when moving to the cloud is enumerated in the cloud adoption frameworks published by the cloud providers.

One of the major challenges to be surmounted is combining different network policy definitions across on-prem and cloud environments and between different cloud vendors. Adopting only a single cloud provider’s strategy limits an organization’s ability to move workloads to another cloud when another vendor would be a better fit from a technical or business perspective. For many organizations, a multicloud vendor strategy that spreads the risk of outages and supports disaster recovery scenarios may be the best choice.

These different strategies require a more flexible way to provision native cloud resources for any and all cloud vendors. That way is Cisco Cloud Application Centric Infrastructure (ACI) for multicloud environments. Cloud ACI lets IT interconnect workloads across different public clouds or between public clouds and on-premises deployments with a single API.

Automation to Handle Complexity and Scale

Cisco Cloud ACI uses a high degree of automation to provide:

  • Secure connectivity across clouds and on-premises
  • Provisioning and enforcement of network policies for tag- or IP-based workloads across clouds and on premises
  • Provisioning of cloud-native objects, including Azure Virtual Network (VNET) and AWS Transit Gateway (TGW) and their route tables, to enable intra-region, inter-region, and inter-site communication
  • Provisioning and configurations of cloud-native load balancers

With Cisco Cloud ACI, APIs from different cloud providers are abstracted into a single API while using each cloud provider’s specific tools, so there’s no need to create an overlay in the cloud.

A single pane of glass enables administrators to monitor, configure, and troubleshoot connectivity across regions, sites, applications, and cloud objects. Using Cisco Cloud Application Policy Infrastructure Controller (APIC), a key component of Cisco Cloud ACI, IT can define its intent to orchestrate an application’s data path within the cloud and between different cloud and on-premises sites. A single-pane-of-glass dashboard, Cisco Nexus Dashboard Orchestrator, enables IT to define application templates and apply them to multiple clouds and on-premises sites.

For Day 2 ops, Cisco Network Insights (NI) and Cisco Network Assurance Engine (NAE) tools will in the future support both inter-cloud and on-premises traffic with automated troubleshooting, proactive monitoring, resource utilization, capacity planning, and continuous and proactive network verification and assurance.

It is important to stress that the Cisco Cloud ACI solution will only act as an object translator, abstracting the cloud-specific API into a common Cloud ACI language. It enables the cloud admin to automate the provisioning of consistent network resources across different clouds by utilizing this common ACI language.

Figure 1 highlights the main ACI objects that map to Azure and AWS network objects. The network admin only needs to interact with Cisco ACI APIs while the Cisco Cloud APIC takes care of provisioning the specific cloud network policy objects.

Figure 1. Cloud ACI-to-Cloud Object Mapping

There is no overlay or VM agent required in a Cisco Cloud ACI design. All that is needed for setup is to find and deploy the Cloud APIC from the cloud vendor marketplace and register Cloud APIC with Cisco Nexus Dashboard Orchestrator if inter-site connectivity is needed. In less than an hour, a company can be managing on-premises and multi-cloud deployments.

Figure 2 shows an example of an AWS-to-Azure network extension architecture. An AWS infra virtual private cloud (VPC) and an Azure infra virtual network (VNET) are automatically provisioned in AWS and Azure respectively. The infra VPC and infra VNET host Cisco Cloud APIC and Cisco CSR1000v virtual routers. The routers are fully operated by the Cisco Cloud APIC and route application data across clouds, cloud regions, and on-premises sites through encrypted tunnels.

Figure 2. Extension of Applications Across AWS to Azure

Many enterprise IT professionals today provision cloud resources with Infrastructure as Code (IaC) tools like Ansible and Terraform. However, none of those tools by themselves reduce the complexity of orchestrating different cloud providers and maintaining consistent routes and network policies across clouds and on-prem.

Cisco Nexus Dashboard Orchestrator offers a REST API to fully support automated provisioning of network resources. A Terraform provider and Ansible Galaxy modules are available for Cisco Nexus Dashboard Orchestrator and can dramatically reduce the complexity of provisioning multicloud network policies in a consistent manner across multiple clouds and on-premises sites.

The following simple demo shows how easy it is to provision a multi-tier application where the frontend is deployed in AWS and the database is a virtual machine deployed in Azure, as shown in the topology in Figure 3. Based on the custom tag applied to the virtual machines, Cloud ACI automatically configures the right network policies, allowing, in this case, the frontend to expose HTTP service to the Internet and to connect to the database for MySQL service.

Figure 3. Topology of the Demo

In the demo shown in Figure 3, an Ansible Playbook deploys the network application templates to Cisco Nexus Dashboard Orchestrator. Virtual machines that will serve the application will then be deployed through a Terraform plan. Based on the tags configured on the virtual machines, Cloud ACI will attach Azure Application Security Groups and AWS Security Groups to allow only the selected inbound and outbound traffic. If necessary, cloud application load balancers or other network services can be controlled through Cisco Nexus Dashboard Orchestrator and Cisco Cloud APIC.
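The "object translator" role described above, in which a single tag-based policy is rendered into each cloud's native constructs (the mapping sketched in Figure 1, and the Security Group and Application Security Group attachment in the demo), is illustrated by the following added example. It is hypothetical code written for this post, not Cisco Cloud APIC or Nexus Dashboard Orchestrator code: the `Epg`/`Contract` data model, the `demo_policy()` two-tier topology, and the rule dictionaries it emits are all constructed here, and the AWS and Azure rule shapes are simplified stand-ins for the real provider APIs.

```python
"""Vendor-neutral, tag-based network policy translated into AWS Security
Group rules and Azure NSG/ASG rules. Hypothetical data model, not Cisco's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Epg:
    """An endpoint group: either workloads matched by a tag, or an external CIDR."""
    name: str
    tag: Optional[Tuple[str, str]] = None  # (key, value) selector for VMs
    cidr: Optional[str] = None             # external EPG such as the Internet


@dataclass(frozen=True)
class Contract:
    """The consumer EPG may open protocol/port towards the provider EPG."""
    consumer: str
    provider: str
    protocol: str
    port: int


Policy = Dict[str, list]


def demo_policy() -> Policy:
    """Constructed two-tier policy: Internet -> frontend:80, frontend -> db:3306."""
    return {
        "epgs": [
            Epg("internet", cidr="0.0.0.0/0"),
            Epg("frontend", tag=("app", "frontend")),
            Epg("db", tag=("app", "db")),
        ],
        "contracts": [
            Contract("internet", "frontend", "tcp", 80),
            Contract("frontend", "db", "tcp", 3306),
        ],
    }


def validate(policy: Policy) -> bool:
    """Reject contracts that name an EPG the policy never defines."""
    names = {e.name for e in policy["epgs"]}
    for c in policy["contracts"]:
        for side in (c.consumer, c.provider):
            if side not in names:
                raise ValueError(f"contract references unknown EPG {side!r}")
    return True


def select_epg(policy: Policy, vm_tags: Dict[str, str]) -> Optional[str]:
    """Classify a workload by its tags; None means no group and thus no access."""
    for e in policy["epgs"]:
        if e.tag and vm_tags.get(e.tag[0]) == e.tag[1]:
            return e.name
    return None


def _peer(epg: Epg, ref_prefix: str) -> str:
    # External EPGs become CIDR peers; tagged EPGs become group references.
    return epg.cidr if epg.cidr else f"{ref_prefix}:{epg.name}"


def to_aws(policy: Policy) -> Dict[str, Dict[str, List[dict]]]:
    """One Security Group per tagged EPG; only contract traffic is permitted."""
    validate(policy)
    epgs = {e.name: e for e in policy["epgs"]}
    sgs = {e.name: {"ingress": [], "egress": []} for e in policy["epgs"] if e.tag}
    for c in policy["contracts"]:
        cons, prov = epgs[c.consumer], epgs[c.provider]
        rule = {"proto": c.protocol, "port": c.port}
        if prov.tag:   # provider accepts connections from the consumer
            sgs[prov.name]["ingress"].append({**rule, "peer": _peer(cons, "sg")})
        if cons.tag:   # consumer may initiate towards the provider
            sgs[cons.name]["egress"].append({**rule, "peer": _peer(prov, "sg")})
    return sgs


def to_azure(policy: Policy) -> List[dict]:
    """NSG rules keyed on Application Security Groups, with explicit default deny."""
    validate(policy)
    epgs = {e.name: e for e in policy["epgs"]}
    rules, prio = [], 100
    for c in policy["contracts"]:
        cons, prov = epgs[c.consumer], epgs[c.provider]
        base = {"access": "Allow", "proto": c.protocol, "port": c.port}
        if prov.tag:
            rules.append({**base, "name": f"in-{c.consumer}-to-{c.provider}",
                          "direction": "Inbound", "priority": prio,
                          "source": _peer(cons, "asg"), "destination": f"asg:{prov.name}"})
            prio += 10
        if cons.tag:
            rules.append({**base, "name": f"out-{c.consumer}-to-{c.provider}",
                          "direction": "Outbound", "priority": prio,
                          "source": f"asg:{cons.name}", "destination": _peer(prov, "asg")})
            prio += 10
    # Azure's built-in rules allow intra-VNet and outbound Internet traffic, so
    # explicit low-priority denies keep only the contract traffic open.
    for direction in ("Inbound", "Outbound"):
        rules.append({"name": f"deny-all-{direction.lower()}", "direction": direction,
                      "priority": 4000, "access": "Deny", "proto": "*", "port": "*",
                      "source": "*", "destination": "*"})
    return rules
```

Two behaviours are worth noting. A VM whose tags match no EPG gets `None` from `select_epg`, so it is attached to no group and inherits the default deny rather than an accidental allow; and `validate` refuses a contract that points at an undefined EPG before anything is rendered, which is the kind of check a controller should make before it touches cloud APIs.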

Demo video: Link to Demo Video (Nexus Dashboard Orchestrator / MSO)

Enterprises using Cisco Cloud ACI today report that it’s exactly what they need to help them create consistent network policies in a multicloud environment.

For more information, visit the Cisco Cloud ACI web page.


Domenico Dastoli

Technical Leader

Intent Based Networking Group (IBNG)