Extending On-Premises Cisco Cloud ACI Network Security Segmentation to AWS
By Muffadal Quettawala, Solutions Architect at AWS
By Srinivas Kotamraju, Product Manager at Cisco
Businesses need a network that lets the data center move workloads to the cloud. In most data centers, visibility is fragmented across environments and troubleshooting data is not correlated between them, which leads to complex operational models.
There are multiple panes of glass needed to configure, manage, monitor, and operate these instances. More importantly, there are inconsistent segmentation capabilities across hybrid instances posing security, compliance, and governance challenges.
Cisco Cloud Application Centric Infrastructure (ACI) automates the management of end-to-end connectivity as well as the enforcement of consistent security policies for applications running in on-premises data centers and on Amazon Web Services (AWS). Cisco Systems is an AWS Partner Network (APN) Advanced Technology Partner.
AWS Network Connectivity Services
AWS provides customers with multiple network connectivity options for connecting remote networks with the Amazon Virtual Private Cloud (Amazon VPC) environment.
These connectivity options include leveraging either the internet or an AWS Direct Connect connection as the network backbone, and then terminating the connection into either AWS or user-managed network endpoints.
Additionally, with AWS, you can choose how network routing is delivered between Amazon VPC and your networks, leveraging AWS or user-managed network equipment and routes.
Amazon VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Within a VPC, you have control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
Furthermore, you can leverage multiple layers of security, including security groups and network access control lists, to enable inbound and outbound filtering. This enables you to control access to Amazon Elastic Compute Cloud (Amazon EC2) instances in each subnet.
Cisco Cloud ACI
Cisco Cloud ACI is a comprehensive solution that leverages AWS network connectivity options to provide customers with simplified operations, consistent network policy, and visibility across multiple on-premises data centers and the AWS Cloud. With this solution, customers can extend their Cisco Cloud ACI network policies to AWS.
In an on-premises Cisco Cloud ACI data center, Cisco Application Policy Infrastructure Controller (APIC) is the single point of policy configuration and management of the Cisco Cloud ACI fabric deployed in the data center. Cisco Cloud ACI Multi-Site Orchestrator (MSO) seamlessly interconnects and extends ACI constructs to multiple Cisco Cloud ACI-powered data centers.
The Cisco ACI Cloud APIC is software that runs on AWS and translates the on-premises network policies into AWS networking constructs such as VPCs, security groups and rules, and IPSec VPN tunnels that cloud workloads can run on top of. Thereby, Cisco ACI Cloud APIC provides a single point of policy orchestration, operational consistency, and visibility across hybrid environments.
With Cisco Cloud ACI Release 4.1, MSO can manage policies across multiple on-premises Cisco Cloud ACI data centers and AWS Cloud environments. The policies configured from MSO can be pushed to different on-premises Cisco ACI sites as well as AWS.
Cisco Cloud ACI provides a common policy abstraction and consumes AWS public APIs to deliver consistency and segmentation. As such, Cisco Cloud ACI is not confined to bare metal instances on AWS and does not require deployment of agents in cloud workloads to achieve segmentation.
With Cisco Cloud ACI, customers can carry all of their network and security policies across data centers, co-locations, and cloud environments. Cisco Cloud ACI automates cross-domain service chaining of application traffic across physical and virtual L4-L7 devices to scale, and seamlessly integrates bare metal servers, virtual machines (VMs), and containers under a single policy framework.
Cisco Cloud ACI also has a strong tech-partner ecosystem and integrates with a variety of solutions ranging from Cisco AppDynamics and CloudCenter to F5, ServiceNow, Splunk, SevOne, and Datadog. Customers can leverage widely-adopted tools such as Terraform and Ansible to achieve end-to-end workflow-based automation.
Under the Hood
The Cisco Cloud ACI on AWS delivers the following key capabilities:
- Automate and secure hybrid connectivity through unified management: Through a single pane of glass (MSO), users can configure inter-site connectivity, define policies, and monitor health of network infrastructure across hybrid environments.
Inter-site connectivity has two components: (i) an underlay network that provides IP reachability, either as an IPsec VPN over the internet or through AWS Direct Connect, and (ii) an overlay network between the on-premises and cloud sites that runs BGP EVPN as its control plane and uses VXLAN encapsulation and tunneling as its data plane.
- Enable consistent security posture, governance, and compliance through universal policy model: Cisco Cloud ACI leverages group-based network and security policy models, offering common policy abstraction and translating ACI policies into AWS networking constructs.
The logical network constructs of Cisco Cloud ACI (tenants, bridge domains, endpoint groups, contracts) translate into AWS constructs, including user accounts, VPCs, security groups and rules, and network access control lists (ACLs). This enables consistent application segmentation, access control, and isolation across hybrid deployments.
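To make the group-based translation concrete, the following is an added illustrative model (not Cisco Cloud APIC's own translation code) of how endpoint groups and contracts map onto AWS security group rules. It assumes one security group per EPG, with each contract producing an ingress rule on the provider side that references the consumer's group and an egress rule on the consumer side that references the provider's group; the group ids are placeholders, and the rule dictionaries use the `IpPermissions` shape that the EC2 API accepts. The `is_allowed` check shows the deny-by-default property that results: traffic between two EPGs with no contract has no matching rule on either side.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Filter:
    """One ACI filter entry: protocol plus a destination port range (constructed model)."""
    protocol: str      # "tcp" or "udp"
    from_port: int
    to_port: int


@dataclass(frozen=True)
class Contract:
    """The consumer EPG may initiate traffic to the provider EPG on the listed filters."""
    name: str
    consumer: str
    provider: str
    filters: Tuple[Filter, ...]


def translate_policy(epgs: List[str], contracts: List[Contract]) -> Dict[str, dict]:
    """Map each EPG to one security group and each contract to a pair of rules.

    Provider side: an ingress rule that references the consumer's security group.
    Consumer side: an egress rule that references the provider's security group.
    Group ids are placeholders; real ids are only known once the groups exist in AWS.
    This assumes the default allow-all egress rule of a new security group is removed,
    so that egress is whitelisted as well.
    """
    group_id = {epg: f"sg-PLACEHOLDER-{epg}" for epg in epgs}
    groups = {epg: {"GroupId": group_id[epg], "Ingress": [], "Egress": []} for epg in epgs}
    for c in contracts:
        for f in c.filters:
            # EC2 IpPermissions shape: IpProtocol / FromPort / ToPort / UserIdGroupPairs
            perm = {"IpProtocol": f.protocol, "FromPort": f.from_port, "ToPort": f.to_port}
            groups[c.provider]["Ingress"].append(
                {**perm, "UserIdGroupPairs": [{"GroupId": group_id[c.consumer]}]})
            groups[c.consumer]["Egress"].append(
                {**perm, "UserIdGroupPairs": [{"GroupId": group_id[c.provider]}]})
    return groups


def _matches(rule: dict, peer_group_id: str, protocol: str, port: int) -> bool:
    """True if a single rule admits this protocol/port from or to the given peer group."""
    return (rule["IpProtocol"] == protocol
            and rule["FromPort"] <= port <= rule["ToPort"]
            and any(p["GroupId"] == peer_group_id for p in rule["UserIdGroupPairs"]))


def is_allowed(groups: Dict[str, dict], src_epg: str, dst_epg: str,
               protocol: str, port: int) -> bool:
    """Deny-by-default evaluation: a new flow from src to dst is allowed only if the
    source's egress rules and the destination's ingress rules both match it."""
    src, dst = groups[src_epg], groups[dst_epg]
    egress_ok = any(_matches(r, dst["GroupId"], protocol, port) for r in src["Egress"])
    ingress_ok = any(_matches(r, src["GroupId"], protocol, port) for r in dst["Ingress"])
    return egress_ok and ingress_ok


def three_tier_example() -> Dict[str, dict]:
    """Constructed three-tier policy: web may reach app on 8080, app may reach db on 3306."""
    epgs = ["web", "app", "db"]
    contracts = [
        Contract("web-to-app", consumer="web", provider="app",
                 filters=(Filter("tcp", 8080, 8080),)),
        Contract("app-to-db", consumer="app", provider="db",
                 filters=(Filter("tcp", 3306, 3306),)),
    ]
    return translate_policy(epgs, contracts)


if __name__ == "__main__":
    g = three_tier_example()
    for src, dst, port in [("web", "app", 8080), ("app", "db", 3306),
                           ("web", "db", 3306), ("app", "web", 8080)]:
        print(f"{src} -> {dst}:{port}  allowed={is_allowed(g, src, dst, 'tcp', port)}")
```

Two points the model makes visible: the contract is directional (the `app` to `web` check on port 8080 fails because only `web` consumed the contract), and `web` to `db` fails even though each of those EPGs has a contract with `app`, since no rule references the other's group. Return traffic is not modelled because security groups are stateful, which matches how ACI contracts permit replies for an established flow.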
Figure 1 – Underlay network between on-premises and AWS.
Figure 2 – Overlay network between on-premises and AWS Cloud sites.
AWS Services Used to Implement Cisco Cloud ACI on AWS
There were several AWS services used to implement Cisco Cloud ACI on AWS. Here are the most relevant:
- Amazon VPC, Classless Inter-Domain Routing (CIDR), Subnets, and route tables to deploy Amazon EC2 instances.
- Virtual Private Gateway (VGW) on VPCs to act as a secure gateway for the VPN connection on the AWS side between the source VPC and on-premises.
- Internet Gateway (IGW) for internet access to Amazon EC2 instances in the VPC.
- Security Groups to control inbound and outbound traffic for the Amazon EC2 instances.
- AWS Site-to-Site VPN connection for redundant tunnels between the VGW and Cloud Services Routers (CSRs) to set up IPv4 BGP and L3 routing. Cisco's CSRs perform VXLAN packet encapsulation to deliver packets to the on-premises spine switches.
- Amazon Simple Notification Service (SNS) and Amazon Simple Queue Service (SQS) to capture events from AWS CloudTrail.
- VPC Flow Logs to capture network interface traffic for statistics and monitoring.
- Amazon Elastic Block Store (EBS) to provide persistent block storage for Cisco ACI Cloud APIC instances on Amazon EC2.
- Amazon Simple Storage Service (Amazon S3) to save logs.
- AWS CloudFormation to automate deployment of Cisco ACI Cloud APIC on AWS.
Steps to Deploy Cisco ACI Cloud APIC on AWS
Deploying Cisco Cloud APIC on AWS includes the following steps:
- On-premises: fulfill the following prerequisites to deploy an ACI fabric on-premises:
  - ACI fabric with at least one (though two are recommended) -EX or -FX spine switch for the inter-site connectivity.
  - Deploy MSO and register the on-premises ACI fabric as a site.
  - Configure an IPsec device for the inter-site IPsec tunnels.
- In the AWS environment, set up your AWS accounts: one for the infra tenant and one or more for user tenants. Then, subscribe to CSR1kv BYOL and Cisco Cloud APIC BYOL on AWS Marketplace.
- Deploy Cisco Cloud APIC through the AWS CloudFormation template.
- Complete the initial ACI cloud site configuration using the Setup Wizard on the Cisco Cloud APIC user interface.
- Register the ACI cloud site to the MSO, which automatically configures the inter-site overlay control plane.
- Deploy application network policy into the ACI cloud site from the MSO, or locally on the Cisco Cloud APIC.
Figure 3 – Configuring an AWS site from Cisco MSO.
In this post, we introduced the Cisco Cloud ACI solution that is available in AWS Marketplace. We learned that customers can use Cisco Cloud ACI to automate the management of end-to-end connectivity as well as the enforcement of consistent security policies for applications running in on-premises data centers and on AWS.
Under a single policy framework, Cisco Cloud ACI can configure policy for traffic across physical and virtual L4-L7 devices at scale, including bare metal servers, virtual machines, and containers. The solution uses native AWS services and best-in-class cloud capabilities rather than common-denominator abstractions.
With the Cisco Cloud ACI architecture, customers and analysts see the benefit of seamless layer-in policy consistency, operational simplicity, and the flexibility to leverage services offered on AWS.
To learn more, read the Cisco Cloud ACI on AWS Whitepaper.
Cisco Systems – APN Partner Spotlight
Cisco Systems is an APN Advanced Technology Partner. It provides a range of products for transporting data, voice, and video within buildings, across campuses, and around the world.