cliqr cloudcenter™ with cisco aci common use cases

CliQr CloudCenter™

with Cisco ACI Common Use Cases

CliQr CloudCenter™ with Cisco ACI Common Use Cases

Table of Contents

1 ExecutiveSummary ..................................................................................................................................2

2 Introduction ................................................................................................................................................3

3 UseCase1:SecurelydeployN-tierapplication .................................................................................6

4 UseCase2:StretchedApplicationDeployment ................................................................................8

5 UseCase3:MigrateApplicationtoACIEnvironment ................................................................... 10

6 Conclusion ............................................................................................................................................... 13

1 ExecutiveSummary

CliQrCloudCenter™isanapplication-centrichybridcloudmanagementplatformthatsecurelyprovisionsinfrastructureresourcesanddeploysapplicationcomponentstomorethan19datacenter,privatecloud,andpubliccloudenvironments.CloudCenter’sapplication-centrichybridcloudmanagementisanidealfitwithCiscoApplicationCentricInfrastructure(ACI)andpolicy-basednetworkmanagement.

ITorganizationspursuingaHybridITstrategyneedflexibilityinhowandwhereapplicationsaredeployedindatacenter,private,andpubliccloudenvironments.CloudCenteruserscanself-service,on-demanddeployapplicationstoanyenvironment.ButwhentheychoosetodeployanentireapplicationorjustasingletiertoanenvironmentwithACImanagednetwork,theygetpubliccloudagilitywithgreaternetworksecurity,andmorecosteffectivedeploymentoptionsthanpubliccloudalone.

CloudCenterandCiscoACItogetherprovideasinglesolutionthatgivesITorganizationsultimateflexibilitytochoosethebestdeploymentoptionforawidevarietyofenterpriseITworkloads.CloudCenterwithCiscoACIprovisionsinfrastructureandsecurelydeploysapplicationsbasedonthedesiredendstateandneedsoftheapplication.CloudCenterautomatestheentireapplicationdeploymentprocessandcommunicatesdirectlywithCiscoACI’sAPIstoautomatecreationofACIpolicyobjectsincludingApplicationNetworkProfiles,EndPointGroups,Contracts,Filtersandanyotherobjectsrequiredformicro-segmentedsecurecommunications.


ITgetsoptimalnetworksecurityandoperationalefficiencywithouthavingtomanuallycreateandmaintainpolicies,andwithouthavingtolearnnewprogramminglanguages.Usersgetself-serviceondemandflexibility,withoutneedinganynetworkskillsorknowledgeofcloudenvironmentdetails.Scalingandend-oflifeactionsareautomatedaswell,resultinginupdatesandterminationofnetworkpolicies.

ThispapersummarizesthreepowerfulusescasesenabledbyCloudCenterandCiscoACIdeployments.

2 Introduction

CiscoApplicationCentricInfrastructure(ACI)increasesnetworksecurity,automatescommunicationpoliciesbasedonbusiness-relevantapplicationrequirements,anddecreasesdeveloperwaittimetoaccelerateapplicationdeploymentinthenext-generationDataCenter.

Atthecore,ACIapplicationpoliciesarewhitelistswithinazero-trustmodelensuringthatnocommunicationisallowedbetweenapplicationtiers,unlessapolicyspecifiesthatanobjectcanbeonthenetwork,whichotherobjectsitcantalkto,andwhatitcantalkabout.CiscoACItranslatesandappliesthelogicalbusinessdrivenpolicydefinitionsintoconcreteinfrastructureconfiguration.

CloudCenter™isanapplication-centrichybridcloudmanagementplatformthatprovisionsinfrastructureresourcesandsecurelydeploysapplicationcomponentstomorethan19datacenter,privatecloud,andpubliccloudenvironments.Userscaneasilymodel,self-servicedeploy,andthenmanagebothnewandexistingapplicationswithoutdetailedknowledgeoftheunderlyingenvironment,cloudservices,orAPIs.

UsersworkinCloudCenter’sdrag-and-dropmodelerasseeninFigure1tocreateacloudagnosticandportableapplicationprofilesthatcanbedeployedtoanyenvironment.UserscanchoosefromaflexiblemixofeasilycustomizedOSimages,applicationorcloudservices,containers,orconfigurationmanagementtools,tomodelneworexisting,simpleorcomplexapplications.


Figure 1. Application profile topology modeler

Eachapplicationprofilecombinesinfrastructureautomationandapplicationautomationlayersintoasingledeployableblueprint.WithCloudCenterapplicationprofile,oneCloudCenterplatformcanbeusedtodeployandmanageanymodeledapplicationinanydatacenterorcloudenvironmentinaconsistentandpredictableway.

CloudCenter’scloud-agnosticapplicationprofilecoupledwithcloud-specificOrchestrator,abstractstheapplicationfromthecloud,byinterpretingtheneedsoftheapplicationandtranslatingthoseneedsintocloudspecificAPIcalls.Asaresult,CloudCentereliminatescloud-specificscriptingandcloudlock-inthatoftenreducebothdeveloperandIToperationsefficiency.


WorkingwithCiscoACICloudCenterworksseamlesslywithCiscoACI.IfauserchoosestodeploytheapplicationprofiletoanenvironmentmanagedbyCiscoACI,nothingadditionalisrequiredbytheuserornetworkadministrator.CloudCenterinterpretstheneedsoftheapplication,callsCiscoACInorthboundAPItoautomatenetworkpolicyobjectsthatdeliverthefullpowerofasoftwaredefinednetwork.

CloudCenterandACIareoftendeployedinanenvironmentthathasVMwareorOpenStackAPIsasseeninFigure2.

Figure 2. CloudCenter with Cisco ACI and VMware vCenter

CloudCenterandACIworktogetherwithoutinstallingplugins,withoutcreatingenvironmentspecificscripting,ormodifyinganyapplicationcode.Networkadministratorsdon’tneedtolearnprogramminglanguagestogetthemostoutoftheACIprogrammaticinterface.

TheflowoforchestrationmanagedbyCloudCenterincludes:

1. Model Application Profile—AservicemanagercanusetheCloudCentergraphicalUItocreateacloudagnosticapplicationprofileandthensharewithspecificusersorpublishtoamarketplace.

2. Self-ServiceDeploy—roleanduser-basedaccesscontrols,pairedwithtag-based


governance,helpuserschooseappropriatedeploymentenvironmentthatoptionallyincludesACI.

3. CreateandDeployAPICPolicyObjects—IfauserchoosesanenvironmentthatispartofanACIfabric,CloudCenterautomatescreationoftheappropriatepolicyobjectsandcallsAPICnorthboundRESTAPItocreatenetworksspecificallyfortheapplication.

4. ProvisionInfrastructure—CloudCentercallsinfrastructureAPIs(forexample,OpenStack,vCenter)toprovisioncompute,memory,andstorageintheappropriatenetworksegment.

5. DeployApplicationTiers–CloudCenterdeploysandorchestratesallapplicationcomponentsbasedonthetopologyanddependenciesmodeledintheapplicationprofile.

6. Ongoingmanagement–Bothuserandadminscanreviewthedeploymentprogressandtakeactiontoensureproperconfiguration.

7. BlockEast-WestTraffic—ifatierismanuallyorauto-scaled,CloudCenterupdatesACIpoliciestoblockeast-westtrafficandconfinebreachestoasinglemachineifcompromised.

8. End-of-life-Infrastructureandnetworkpolicyobjectsareautomaticallydeleted,preservingtheintegrityofthenetworkaswellasconservinginfrastructureresources.

WithCloudCenterandCiscoACI,ITgetsapowerfulsolutionthatimprovessecurity,streamlinesapplicationdeployment,andincreasesDev,Opsandnetworkadminefficiency.

TheremainderofthispaperoutlinesthreeprimaryusecasesforCloudCenterwithCiscoACI.

3 UseCase1:SecurelydeployN-tierapplication

CloudCentersimplifiesandexpeditesthedeploymentofanapplicationbyprogramminggovernancerules,whichdictatepoliciessuchasinfrastructureplacementandsecurityprofiles.Thesehelptoobscurethecomplexityofincreasinglydiverseinfrastructureenvironments.

Usersgettheflexibilityofself-serviceondemanddeployment,whilenetworkadminsareabletocontrolportsettingsandothersecurityconfigurationparameters.SecurityandnetworkdirectivesareincludedineachCloudCenterapplicationprofilethatispublishedorsharedwithusers.


Figure 3. CloudCenter application profile determine ACI application network profile objects

WhenauserinitiatesdeploymentviatheCloudCenterManagerasdisplayedinFigure3,CloudCenterOrchestratorusestopologyandnetworksettinginformationintheCloudCenterapplicationprofile,toautomatecreationofpolicyobjectsforCiscoACI.CloudCenterOrchestratorcallsthelocalAPICAPItoinstantiatetheACIApplicationNetworkProfile(AP),theEndpointGroups(EPGs)andtheConsumerandProviderContractsbasedonthetopologyandsecurityrequirementsoftheCloudCenterapplicationprofile.Eachapplicationtierisplacedinauniqueandisolatedapplicationtiernetwork.Theconnectivitybetweentheapplicationtiernetworksisautomaticallydrivenbytheapplicationtopology.

AsseeninFigure4,theACIuserinterfacethatshowsadeployedthree-tierapplication,comparedtotheCloudCenterinterfacethatshowsthesameapplicationdeployment.Theside-by-sidediagramshighlightthreeEPGsaswellascontractsthatmangenetworktrafficbetweenthem.

Figure 4. CloudCenter Orchestration and ACI segmentation


CloudCenterautomaticallygeneratesContractsandFiltersthatrestricttheprotocolandportaccessonapplicationtiernetworkbasedonapplicationstackservicerequirementscontainedintheCloudCenterapplicationprofile.

CombiningCloudCenterandCiscoACIcouplestheapplicationtopology,theapplicationstackservices,thenetworkconfigurations,andtheend-to-endnetworkisolationforbothapplicationdeploymentandindividualapplicationtiers.Thecombinedsolutionprovidesanintuitiveinterfacetoallowbothusersandadminstoreviewtheprogressofthedeployment.Italsoensuresthatnamingconventionsareconsistentacrossbothplatforms.

Oncetheapplicationisterminated,theauto-provisionedinfrastructureobjectsthatareassociatedwiththeapplicationaredeleted,therebypreservingtheintegrityoftheapplifecycle,minimizingremnantpoliciesthatcancausesecuritythreat,andutilizevaluablememoryresources.

4 UseCase2:StretchedApplicationDeployment

CloudCentersupportsdeployingapplicationswithdifferenttiersdeployedindifferentenvironments.Whenusersdeploy,theynormallychooseasingledeploymenttargetdatacenter,privateorpubliccloudlocationthatisavailabletothembasedonrole,governancerules,andothercontrols.Buttheyalsohavetheoptiontochooseastretcheddeployment,andthatprovidesuserstheabilitytoselectspecifictargetsitesforeachtierwithintheapplication.

Severalreasonsjustifyastretchedapplicationdeployment:

Reason 1 –Cost.Cloudpay-per-useandscalabilityisidealfortransitoryworkloads.Butrentinginfrastructuremaynotbethebestoptionforlongrunningworkloads.Asaresult,theUItierofwebapplicationormobileapplicationsmaybeagreatfitforapayperuseenvironmentlikeapubliccloud.ButmorestableandlongrunningtierssuchasapplicationserverordatabaseservermaybemorecosteffectivelydeployedbackinACImanagednetworkinprivatecloudordatacenter.

Reason 2–Securityandcompliance.Eveniftheapplicationserverorloadbalancertierscanbedeployedinvariousotherenvironments,thedatabasetierisagoodfitforanACImanagednetworkenvironmentintheprivatecloudordatacenterinordertoaddresssecurityandcompliancerequirements..

Reason 3–HA/DRmasterslaveconfiguration.Userscanmodelanapplicationprofilethatcontainsbothmasterandslavecomponentsthatgetdeployedindifferentcloudavailability


zones,ordifferentdatacenterandcloud.Ifuserscanone-clickdeployfullapplicationstackwithHA/DRsetupindifferentavailabilityzonesorevendifferentdatacenterandcloud,theycaneasilyandcosteffectivelytestvariousfailoverscenariosanddeletethewholesetupwhendone.And,getthesamefully-testedconfigurationautomaticallydeployedforproductionworkloadsaswell.

WithCloudCenter,deployingastretchedapplicationtopologyiseasywhenmultipledeploymentenvironmentsareavailable.Atdeploymenttime,theuserjustselectsHybridasthetargetcloudasdisplayedinFigure4,andthentheUIexposesaseparateclouddeploymentdropdownforeachtiermodeledintheapplicationprofile.

Figure 5. User selects Hybrid to activate the stretched application deployment feature

.

PlacementdecisionsfortheentirestackorindividualtierscanbeguidedbyCloudCentertaggingandrulesengine.Forexample,aHIPPAcompliantapplicationcanbetaggedsouserscanonlychooseanACImanageddatacenterforthedatabasetier,regardlessofwhereothertiersaredeployed.

CloudCenterwithCiscoACIenablesthreestretchedapplicationdeploymenttopologies.Ineachcase,theusercanselecttheappropriatedeploymentenvironmentforeachapplicationtier,withoutbeingrequiredtochangetheapplication’sarchitectureorattributes,orhaveanydomainknowledgeaboutACIorsoftwaredefinednetworking.Therearenoenvironmentspecificscriptsorworkflowsthatlockanytierintoanyenvironment.


Multi-PodCloudCentercandeployN-TieredapplicationstoadatacenterwithmultipleCiscoACIpods.Ithisscenario,theapplicationcanbedistributedacrossdifferentpodsinasingledatacenter.DifferenttiersofanenterprisewebapplicationcanbeplacedindifferentnetworkswithdifferentVLANs.ACI’suniquelabel-based,dynamicdirectionalroutingensuresthattheonlytheconsumerVMsconnecttotheproviderVMswithmatchinglabels.Thisprovidesatrulyisolatednetworkforeachtierintheapplication.

StretchedFabricCloudCentercandeployN-TieredapplicationstoaCiscoACIfabricthatisstretchedacrossgeographicallydispersedsitesandoverlongdistances.Inthisscenario,theapplicationcanbedistributedtodifferentpodsinseparatedatacenterswhiletakingadvantageofthenetworkservicesprovidedbythesinglestretchednetworkfabric.ForexampletheloadbalancerandtheapplicationservercanbeinDatacenterAandthedatabasecanbeinDatacenterB.ThestretchedfabrictopologyextendsthecapabilitiesofCiscoACI’sintegrationwithL4-L7services.

Multi-CloudCloudCentercandeployN-TieredapplicationsacrossaCiscoACIpodandapubliccloud.PartoftheapplicationcanbedeployedadatacenterorprivatecloudwithACImanagednetwork,andpartoftheapplicationcanbedeployedtopubliccloud.Thisscenarioworksforwebapplicationsthathaveedgecachinginmultipledistributedcloudlocations,ormobileapsthathavetheapplicationtierordatabasetierbackinsecuredatacenter.

CloudCenterandACItogetherofferatrulyuniqueandflexiblesolutiontoaddressthecost,security,andagilityrequirementsforincreasinglycomplexenterpriseworkloads.The“Profileonce,deployanywhere”capabilitiesofCloudCenterextendtostretcheddeploymenttopologies.

Inallthesestretchedapplicationdeploymenttopologies,theCloudCenterapplicationprofiledoesn’tneedtobechanged,noenvironmentortopologyspecificscriptingneedstobewrittenandmaintained,andtheapplicationremainsportable.

5 UseCase3:MigrateApplicationtoACIEnvironment

Userscantakeapplicationsthatwerepreviouslydeployedtonon-ACIdatacenterandpubliccloudenvironmentsandmigratetoamoresecureACImanageddatacenter.ThejointsolutionfullyautomatesmigrationaswellascreationofrelevantACIpolicyobjects.


ApplicationworkloadsthataredeployedmanagedbyCloudCenteraremadeportableacrossdifferentcloudsviathe“Migrate”feature.CloudCenterapplicationprofilesarecloudagnosticandportable,nothardwiredtoasingleenvironment.Asaresult,CloudCenterandACIsupportaHybridITstrategythatallowsuserstooptimizeworkloadplacementbasedonbusinessneed.Andeasilychoosetomigrateto,orfrom,orbetweendifferentdatacetnerprivateandpubliccloudsbasedonuse,governancerules,costandperformancerequirements,orapplicationlifecyclephase.

Threeprimarymigrationscenarios:

1–BackfromCloudManyITorganziatiosnhavedeplyedappliationsaspartofacloudstrategy,andarenowhavingsomestickershockasmonthlypubliccloudcostsareaddedup.Ortheyhaveconcernsaboutpubliccloudmeetssecurityandcompliancerequirements.WithCloudCenter,userscanchosetomigrateanapplicationfrompubliccloudbacktodatacenterorprivatecloudwithACImanagednetwork.

Asseeninfigure6,userscanselectandexistingdeployment,andchoosearangeofmanagementactionsincludingmigrate.IfanACIenvironmentisselectedasmigrationtarget,CloudCenterautomatescreationofpolicyobjectsandinstantiatesnetworkconfigurationviaAPICAPI.

Figure 6. User selects migrate for existing deployment. 2 – Cross-cloud SDLC


UsingpubliccloudforDev/Testactivities,andproductionbackindatacenterorprivatecloud,isthemostcommonhybridcloudusecase.CloudCentersupportsthatscenariowithapowerfulandintegratedCI/CDProjectBoardfeaturethatmanagestheend-to-endSoftwareDevelopmentLifeCycle(SDLC).

ManagerscreateprojectsinCloudCenterthatmirrortheirsoftwaredevelopmentlifecycle.Theycanallocateresourcesorbudgetfortheoverallprojectorspecificphases.Useraccesscontrolsandpoliciesdefinewhocanpromotecodealongstagesofthelifecycleaswellaswhichcloudissuitableforeachphase.

Figure7.showsCI/CDprojectboardwithdifferentstagesthateachhavedifferentownersaswellasprojectbudgetallocation

Figure 7. CI/CD project board – with ACI environment for production

ForaDevOpsscenariothatincludesanonACIenvironmentforDev/TestandanACIenvironmentforproduction,theCI/CDprojectboardcanbesetupwithacrossenvironmentworkflow,thatgivesdeveloperssomechoicesinpre-productionenvironments,butlimitschoicesinmoresecureACImanagednetworkenvironmentforthefinalproductionphase.

CloudCenteralsoincludespowerfultaggingandgovernanceenginethatcanmodifysecuritysettingsbasedonphase.SodeploymentinaDevphasemightbesetuptoleaveopencertainports.ButwhenmigratedtotheProdphase,wouldnotonlybenefitfrommicrosegmentationappliedbasedonACIpolicy,butcloudalsoautomaticallyclosethoseports.Conversely,apromotiontoProdmightopencertainportsfornetworkorsecuritymonitoringagentsinproduction.

CliQr Technologies 1732NorthFirstSt.,Suite100,SanJose,CA95112888.837.2739•[email protected]•www.cliqr.com

©2016 CliQr Technologies. All rights reserved. CliQr, the CliQr logo, and CliQr CloudCenter are trademarks of CliQr Technologies in the United States. All other trademarks and company names are the property of their respective owners.


WP-ACI-UC-0416

CloudCenterandACItogetherprovideunprecedentedflexibilityandsecuritycontrolnotpossiblewithdeploymentsinpubliccloudenvironments.

3-DatacenterMigrationManyITorganizationscontinuetomodifytheirdatacenterfootprintastheyevolvetheirHybridITstrategy,pursuemergersandacquisitions,andforahostofotherbusinessreasons.CloudCentercanstreamlinetheprocess,andbringworkloadsintoanACIenvironmenttogainthebenefitofsoftwaredefinednetworking.

Inamigrationscenario,ITorganizationstypicallyscopethemove,thenbringexistingworkloadsintoACIenvironmentinphasesviaarollingupgrade.Byprofilingeachapplication,CloudCentercanhelpconvertVLANportstoACImanagedports,andgettheACIbenefitsoftrafficmonitoring,visibilityintopacketloss,latencyandnetworkloops.

6 Conclusion

CloudCenterisanapplication-centrichybridcloudmanagementplatformthatmakesiteasytodeployandmanageapplicationdatacenter,privatecloud,andpubliccloudenvironments.However,CloudCenterandCiscoACItogetherprovideasinglesolutionthatgivesITorganizationsultimateflexibilitytochoosethebestdeploymentoptionforawidevarietyofenterpriseITworkloads.And,deliversagility,securityandefficiencythatisunmatchedbypubliccloudalone.

CloudCenterandACIoffertheunmatchedabilitytosecurityprovisionmulti-tierapplications,automatestretchedapplicationdeploymentswithoutmodifyingapplication,blueprints,ordeploymentscripts,andefficientlymigrateapplicationstoACIenvironments.

cliqr cloudcenter™ with cisco aci common use cases

Documents