CliQr CloudCenter™ with Cisco ACI Common Use Cases


Table of Contents

1 Executive Summary

2 Introduction

3 Use Case 1: Securely deploy N-tier application

4 Use Case 2: Stretched Application Deployment

5 Use Case 3: Migrate Application to ACI Environment

6 Conclusion

1 Executive Summary

CliQr CloudCenter™ is an application-centric hybrid cloud management platform that securely provisions infrastructure resources and deploys application components to more than 19 data center, private cloud, and public cloud environments. CloudCenter’s application-centric hybrid cloud management is an ideal fit with Cisco Application Centric Infrastructure (ACI) and policy-based network management.

IT organizations pursuing a Hybrid IT strategy need flexibility in how and where applications are deployed in data center, private, and public cloud environments. CloudCenter users can self-service, on-demand deploy applications to any environment. But when they choose to deploy an entire application or just a single tier to an environment with ACI managed network, they get public cloud agility with greater network security, and more cost effective deployment options than public cloud alone.

CloudCenter and Cisco ACI together provide a single solution that gives IT organizations ultimate flexibility to choose the best deployment option for a wide variety of enterprise IT workloads. CloudCenter with Cisco ACI provisions infrastructure and securely deploys applications based on the desired end state and needs of the application. CloudCenter automates the entire application deployment process and communicates directly with Cisco ACI’s APIs to automate creation of ACI policy objects including Application Network Profiles, End Point Groups, Contracts, Filters and any other objects required for micro-segmented secure communications.


IT gets optimal network security and operational efficiency without having to manually create and maintain policies, and without having to learn new programming languages. Users get self-service on demand flexibility, without needing any network skills or knowledge of cloud environment details. Scaling and end-of-life actions are automated as well, resulting in updates and termination of network policies.

This paper summarizes three powerful use cases enabled by CloudCenter and Cisco ACI deployments.

2 Introduction

Cisco Application Centric Infrastructure (ACI) increases network security, automates communication policies based on business-relevant application requirements, and decreases developer wait time to accelerate application deployment in the next-generation Data Center.

At the core, ACI application policies are whitelists within a zero-trust model ensuring that no communication is allowed between application tiers, unless a policy specifies that an object can be on the network, which other objects it can talk to, and what it can talk about. Cisco ACI translates and applies the logical business driven policy definitions into concrete infrastructure configuration.

CloudCenter™ is an application-centric hybrid cloud management platform that provisions infrastructure resources and securely deploys application components to more than 19 data center, private cloud, and public cloud environments. Users can easily model, self-service deploy, and then manage both new and existing applications without detailed knowledge of the underlying environment, cloud services, or APIs.

Users work in CloudCenter’s drag-and-drop modeler as seen in Figure 1 to create cloud agnostic and portable application profiles that can be deployed to any environment. Users can choose from a flexible mix of easily customized OS images, application or cloud services, containers, or configuration management tools, to model new or existing, simple or complex applications.


Figure 1. Application profile topology modeler

Each application profile combines infrastructure automation and application automation layers into a single deployable blueprint. With CloudCenter application profile, one CloudCenter platform can be used to deploy and manage any modeled application in any data center or cloud environment in a consistent and predictable way.

CloudCenter’s cloud-agnostic application profile coupled with cloud-specific Orchestrator, abstracts the application from the cloud, by interpreting the needs of the application and translating those needs into cloud specific API calls. As a result, CloudCenter eliminates cloud-specific scripting and cloud lock-in that often reduce both developer and IT operations efficiency.


Working with Cisco ACI

CloudCenter works seamlessly with Cisco ACI. If a user chooses to deploy the application profile to an environment managed by Cisco ACI, nothing additional is required by the user or network administrator. CloudCenter interprets the needs of the application, calls Cisco ACI northbound API to automate network policy objects that deliver the full power of a software defined network.

CloudCenter and ACI are often deployed in an environment that has VMware or OpenStack APIs as seen in Figure 2.

Figure 2. CloudCenter with Cisco ACI and VMware vCenter

CloudCenter and ACI work together without installing plugins, without creating environment specific scripting, or modifying any application code. Network administrators don’t need to learn programming languages to get the most out of the ACI programmatic interface.

The flow of orchestration managed by CloudCenter includes:

1. Model Application Profile – A service manager can use the CloudCenter graphical UI to create a cloud agnostic application profile and then share it with specific users or publish it to a marketplace.

2. Self-Service Deploy – Role and user-based access controls, paired with tag-based governance, help users choose an appropriate deployment environment that optionally includes ACI.

3. Create and Deploy APIC Policy Objects – If a user chooses an environment that is part of an ACI fabric, CloudCenter automates creation of the appropriate policy objects and calls the APIC northbound REST API to create networks specifically for the application.

4. Provision Infrastructure – CloudCenter calls infrastructure APIs (for example, OpenStack, vCenter) to provision compute, memory, and storage in the appropriate network segment.

5. Deploy Application Tiers – CloudCenter deploys and orchestrates all application components based on the topology and dependencies modeled in the application profile.

6. Ongoing management – Both users and admins can review the deployment progress and take action to ensure proper configuration.

7. Block East-West Traffic – If a tier is manually or auto-scaled, CloudCenter updates ACI policies to block east-west traffic and confine breaches to a single machine if compromised.

8. End-of-life – Infrastructure and network policy objects are automatically deleted, preserving the integrity of the network as well as conserving infrastructure resources.

With CloudCenter and Cisco ACI, IT gets a powerful solution that improves security, streamlines application deployment, and increases Dev, Ops and network admin efficiency.

The remainder of this paper outlines three primary use cases for CloudCenter with Cisco ACI.

3 Use Case 1: Securely deploy N-tier application

CloudCenter simplifies and expedites the deployment of an application by programming governance rules, which dictate policies such as infrastructure placement and security profiles. These help to obscure the complexity of increasingly diverse infrastructure environments.

Users get the flexibility of self-service on demand deployment, while network admins are able to control port settings and other security configuration parameters. Security and network directives are included in each CloudCenter application profile that is published or shared with users.


Figure 3. CloudCenter application profile determines ACI application network profile objects

When a user initiates deployment via the CloudCenter Manager as displayed in Figure 3, CloudCenter Orchestrator uses topology and network setting information in the CloudCenter application profile to automate creation of policy objects for Cisco ACI. CloudCenter Orchestrator calls the local APIC API to instantiate the ACI Application Network Profile (AP), the Endpoint Groups (EPGs) and the Consumer and Provider Contracts based on the topology and security requirements of the CloudCenter application profile. Each application tier is placed in a unique and isolated application tier network. The connectivity between the application tier networks is automatically driven by the application topology.

Figure 4 shows the ACI user interface with a deployed three-tier application, compared to the CloudCenter interface that shows the same application deployment. The side-by-side diagrams highlight three EPGs as well as contracts that manage network traffic between them.

Figure 4. CloudCenter Orchestration and ACI segmentation


CloudCenter automatically generates Contracts and Filters that restrict the protocol and port access on application tier network based on application stack service requirements contained in the CloudCenter application profile.
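The derivation described above, reduced to a small model (an added example, not CloudCenter or APIC code; the profile layout, tier names, ports and the `external` EPG name are assumptions): one EPG per tier, one consumer/provider contract per dependency edge, and default deny for everything else.

```python
from dataclasses import dataclass

EXTERNAL = "external"  # hypothetical EPG name for clients outside the application

# Constructed three-tier profile: the service each tier exposes and the tiers it calls.
PROFILE = {
    "web": {"service": ("tcp", 443), "consumes": ["app"], "public": True},
    "app": {"service": ("tcp", 8080), "consumes": ["db"], "public": False},
    "db": {"service": ("tcp", 3306), "consumes": [], "public": False},
}


@dataclass(frozen=True)
class Contract:
    consumer: str  # EPG allowed to initiate the connection
    provider: str  # EPG exposing the service
    protocol: str  # filter entry: protocol ...
    port: int      # ... and destination port


def derive_contracts(profile):
    """One EPG per tier; one contract per dependency edge, filtered to the provider's port."""
    contracts = set()
    for tier, spec in profile.items():
        for provider in spec["consumes"]:
            if provider not in profile:
                raise ValueError(f"{tier} depends on unknown tier {provider!r}")
            proto, port = profile[provider]["service"]
            contracts.add(Contract(tier, provider, proto, port))
        if spec["public"]:
            proto, port = spec["service"]
            contracts.add(Contract(EXTERNAL, tier, proto, port))
    return contracts


def is_permitted(contracts, src_epg, dst_epg, protocol, port):
    """Whitelist evaluation of a connection attempt: deny unless a contract matches.

    Assumes intra-EPG isolation is on, so two members of the same tier cannot
    talk to each other (the east-west blocking applied when a tier scales out).
    Return traffic of an allowed connection is not modelled.
    """
    if src_epg == dst_epg:
        return False
    return Contract(src_epg, dst_epg, protocol, port) in contracts


def remnant_contracts(deployed, profile):
    """Contracts found on the fabric that the current profile no longer justifies."""
    return set(deployed) - derive_contracts(profile)
```

Running `remnant_contracts` against an inventory of what is actually deployed gives a quick audit for leftover policy after a tier is removed or an application is terminated.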

Combining CloudCenter and Cisco ACI couples the application topology, the application stack services, the network configurations, and the end-to-end network isolation for both application deployment and individual application tiers. The combined solution provides an intuitive interface to allow both users and admins to review the progress of the deployment. It also ensures that naming conventions are consistent across both platforms.

Once the application is terminated, the auto-provisioned infrastructure objects that are associated with the application are deleted, thereby preserving the integrity of the app lifecycle and minimizing remnant policies that can cause security threats and utilize valuable memory resources.

4 Use Case 2: Stretched Application Deployment

CloudCenter supports deploying applications with different tiers deployed in different environments. When users deploy, they normally choose a single deployment target data center, private or public cloud location that is available to them based on role, governance rules, and other controls. But they also have the option to choose a stretched deployment, which provides users the ability to select specific target sites for each tier within the application.

Several reasons justify a stretched application deployment:

Reason 1 – Cost. Cloud pay-per-use and scalability is ideal for transitory workloads. But renting infrastructure may not be the best option for long running workloads. As a result, the UI tier of web applications or mobile applications may be a great fit for a pay per use environment like a public cloud. But more stable and long running tiers such as application server or database server may be more cost effectively deployed back in an ACI managed network in private cloud or data center.

Reason 2 – Security and compliance. Even if the application server or load balancer tiers can be deployed in various other environments, the database tier is a good fit for an ACI managed network environment in the private cloud or data center in order to address security and compliance requirements.

Reason 3 – HA/DR master slave configuration. Users can model an application profile that contains both master and slave components that get deployed in different cloud availability zones, or different data center and cloud. If users can one-click deploy a full application stack with HA/DR setup in different availability zones or even different data center and cloud, they can easily and cost effectively test various failover scenarios and delete the whole setup when done. They also get the same fully-tested configuration automatically deployed for production workloads.

With CloudCenter, deploying a stretched application topology is easy when multiple deployment environments are available. At deployment time, the user just selects Hybrid as the target cloud as displayed in Figure 4, and then the UI exposes a separate cloud deployment dropdown for each tier modeled in the application profile.

Figure 5. User selects Hybrid to activate the stretched application deployment feature


Placement decisions for the entire stack or individual tiers can be guided by CloudCenter tagging and rules engine. For example, a HIPAA compliant application can be tagged so users can only choose an ACI managed data center for the database tier, regardless of where other tiers are deployed.

CloudCenter with Cisco ACI enables three stretched application deployment topologies. In each case, the user can select the appropriate deployment environment for each application tier, without being required to change the application’s architecture or attributes, or have any domain knowledge about ACI or software defined networking. There are no environment specific scripts or workflows that lock any tier into any environment.


Multi-Pod

CloudCenter can deploy N-Tiered applications to a data center with multiple Cisco ACI pods. In this scenario, the application can be distributed across different pods in a single data center. Different tiers of an enterprise web application can be placed in different networks with different VLANs. ACI’s unique label-based, dynamic directional routing ensures that only the consumer VMs connect to the provider VMs with matching labels. This provides a truly isolated network for each tier in the application.

Stretched Fabric

CloudCenter can deploy N-Tiered applications to a Cisco ACI fabric that is stretched across geographically dispersed sites and over long distances. In this scenario, the application can be distributed to different pods in separate data centers while taking advantage of the network services provided by the single stretched network fabric. For example, the load balancer and the application server can be in Datacenter A and the database can be in Datacenter B. The stretched fabric topology extends the capabilities of Cisco ACI’s integration with L4-L7 services.

Multi-Cloud

CloudCenter can deploy N-Tiered applications across a Cisco ACI pod and a public cloud. Part of the application can be deployed to a data center or private cloud with ACI managed network, and part of the application can be deployed to public cloud. This scenario works for web applications that have edge caching in multiple distributed cloud locations, or mobile apps that have the application tier or database tier back in a secure data center.

CloudCenter and ACI together offer a truly unique and flexible solution to address the cost, security, and agility requirements for increasingly complex enterprise workloads. The “Profile once, deploy anywhere” capabilities of CloudCenter extend to stretched deployment topologies.

In all these stretched application deployment topologies, the CloudCenter application profile doesn’t need to be changed, no environment or topology specific scripting needs to be written and maintained, and the application remains portable.

5 Use Case 3: Migrate Application to ACI Environment

Users can take applications that were previously deployed to non-ACI data center and public cloud environments and migrate them to a more secure ACI managed data center. The joint solution fully automates migration as well as creation of relevant ACI policy objects.


Application workloads that are deployed and managed by CloudCenter are made portable across different clouds via the “Migrate” feature. CloudCenter application profiles are cloud agnostic and portable, not hardwired to a single environment. As a result, CloudCenter and ACI support a Hybrid IT strategy that allows users to optimize workload placement based on business need, and to easily choose to migrate to, or from, or between different data center, private, and public clouds based on use, governance rules, cost and performance requirements, or application lifecycle phase.

Three primary migration scenarios:

1 – Back from Cloud

Many IT organizations have deployed applications as part of a cloud strategy, and are now having some sticker shock as monthly public cloud costs are added up. Or they have concerns about whether public cloud meets security and compliance requirements. With CloudCenter, users can choose to migrate an application from public cloud back to a data center or private cloud with ACI managed network.

As seen in Figure 6, users can select an existing deployment, and choose a range of management actions including migrate. If an ACI environment is selected as migration target, CloudCenter automates creation of policy objects and instantiates network configuration via APIC API.

Figure 6. User selects migrate for existing deployment.

2 – Cross-cloud SDLC


Using public cloud for Dev/Test activities, and production back in data center or private cloud, is the most common hybrid cloud use case. CloudCenter supports that scenario with a powerful and integrated CI/CD Project Board feature that manages the end-to-end Software Development Life Cycle (SDLC).

Managers create projects in CloudCenter that mirror their software development lifecycle. They can allocate resources or budget for the overall project or specific phases. User access controls and policies define who can promote code along stages of the lifecycle as well as which cloud is suitable for each phase.

Figure 7 shows a CI/CD project board with different stages that each have different owners as well as project budget allocation.

Figure 7. CI/CD project board – with ACI environment for production

For a DevOps scenario that includes a non-ACI environment for Dev/Test and an ACI environment for production, the CI/CD project board can be set up with a cross-environment workflow that gives developers some choices in pre-production environments, but limits choices in the more secure ACI managed network environment for the final production phase.

CloudCenter also includes a powerful tagging and governance engine that can modify security settings based on phase. So a deployment in a Dev phase might be set up to leave certain ports open. But when migrated to the Prod phase, it would not only benefit from microsegmentation applied based on ACI policy, but could also automatically close those ports. Conversely, a promotion to Prod might open certain ports for network or security monitoring agents in production.

CliQr Technologies, 1732 North First St., Suite 100, San Jose, CA 95112 • 888.837.2739 • info@cliqr.com • www.cliqr.com

©2016 CliQr Technologies. All rights reserved. CliQr, the CliQr logo, and CliQr CloudCenter are trademarks of CliQr Technologies in the United States. All other trademarks and company names are the property of their respective owners.


WP-ACI-UC-0416

CloudCenter and ACI together provide unprecedented flexibility and security control not possible with deployments in public cloud environments.

3 – Datacenter Migration

Many IT organizations continue to modify their data center footprint as they evolve their Hybrid IT strategy, pursue mergers and acquisitions, and for a host of other business reasons. CloudCenter can streamline the process, and bring workloads into an ACI environment to gain the benefit of software defined networking.

In a migration scenario, IT organizations typically scope the move, then bring existing workloads into the ACI environment in phases via a rolling upgrade. By profiling each application, CloudCenter can help convert VLAN ports to ACI managed ports, and get the ACI benefits of traffic monitoring, visibility into packet loss, latency and network loops.

6 Conclusion

CloudCenter is an application-centric hybrid cloud management platform that makes it easy to deploy and manage applications in data center, private cloud, and public cloud environments. However, CloudCenter and Cisco ACI together provide a single solution that gives IT organizations ultimate flexibility to choose the best deployment option for a wide variety of enterprise IT workloads, and delivers agility, security and efficiency that is unmatched by public cloud alone.

CloudCenter and ACI offer the unmatched ability to securely provision multi-tier applications, automate stretched application deployments without modifying application, blueprints, or deployment scripts, and efficiently migrate applications to ACI environments.
