
Hybrid Cloud Automation

Višnja Radoš, [email protected]

Consulting Systems Engineer

Eastern Europe

Agenda

• Cisco Multi/Hybrid Cloud Strategy
• Multicloud Services Integration
• Infrastructure
• Security
• Analytics
• Management

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Customer Challenges with Multicloud

Fragmented, complex, and no data control: workloads and data are spread across many SaaS services, the large public clouds (AWS, Azure, GCP), other public clouds, and private clouds.

Customer Initiatives: Evolve, Add / Develop, Manage

• Automate Private & Hybrid Clouds
• Deploy Containers Infra
• Manage from Cloud
• Performance Visibility (App and Infra)
• Secure Extension to Public Clouds
• Consistent Security Policies
• Optimize Workloads (Cloud and DC)
• Leverage SaaS Solutions
• Build New Cloud Applications

Cloud Technologies and Applications Platforms: Choice?

(Figure: an on-premises private cloud built on CI/HCI infrastructure.)

Cloud Technologies and Applications Platforms: Bringing Choice at Private Cloud

Choice of private and hybrid cloud stacks, on premises or co-lo / hosted, next to the public cloud options. (Figure: infrastructure stacks built on VIM, CI/HCI, CVD and POD, a private cloud co-lo option, and a POD variant dated H1CY18.)

Cloud Technologies and Applications Platforms: Bringing Consistency and Services with Public Clouds

The same private cloud stacks (VIM, CI/HCI, CVD, POD; on premises or co-lo / hosted) and the public cloud options, with one common layer of networking, security, analytics and management spanning all of them.

Multicloud Requirements

Multicloud software (networking, security, analytics, management) to connect, protect, and consume cloud services across campus, branch, data centers, colocation, devices, Internet of Things, private clouds and public clouds: helping customers optimize their multicloud strategy.

Tactic Solution: Microsoft View with Azure and Cisco Integrated Solution for Azure Stack

• Develop in the cloud – deploy anywhere
• Access information and break down boundaries between public and private cloud
• Enforce network and security policy without losing agility
• Bridge existing investments with new capabilities

Cisco and Google Open Hybrid Cloud Solution: consistent and policy driven environment across clouds

• On Prem/Colo Data Center: existing services, apps and data on a private cloud infrastructure (container platform on hyperconverged infrastructure)
• Google Cloud: cloud apps on Google Cloud Platform and Google Kubernetes Engine
• Istio: hybrid cloud service management across both sides

A consistent environment for networking, security, private cloud infrastructure and consumption management, delivered with CSR 1000v, ACI, Stealthwatch Cloud, HyperFlex, Contiv, CloudCenter and AppDynamics.

Cisco and Google First Cover Three Major Hybrid Cloud Use Cases

• Cloud apps consuming on-prem services (ERP, CRM, …)
• On-premise applications leveraging GCP's services (BigQuery, Dataflow, Cloud Functions)
• Consistent CI/CD experience across environments

All three build on unified management and networking.

Agenda: Infrastructure

ACI Anywhere - Vision: Any Workload, Any Location, Any Cloud

Application Centric Infrastructure: Fabric and Policy Domain Evolution

• ACI 1.0 - Leaf/Spine single Pod fabric (ACI Single Pod Fabric, one APIC cluster)
• ACI 1.1 - Geographically stretch a single Pod across DC1 and DC2 (ACI Stretched Fabric, one APIC cluster)
• ISE 2.1 & ACI 1.2 - Federation of identity and interconnect of TrustSec and ACI using IP based EPG/SGT
• ACI 2.0 - Multiple networks (Pods) in a single Availability Zone (Fabric): ACI Multi-Pod Fabric, Pod 'A' to Pod 'n' joined by MP-BGP EVPN over the IPN, one APIC cluster
• ACI 3.0 - Multiple Availability Zones (Fabrics) in a single Region 'and' multi-region policy management: ACI Multi-Site, Fabric 'A' to Fabric 'n' joined by MP-BGP EVPN over IP
• ACI 3.1/3.2 - Remote Leaf and vPod extend an Availability Zone (Fabric) to remote locations

Why use Cloud Constructs? Policy Mapping - AWS

  ACI construct            AWS construct
  Tenant                   User Account
  VRF                      Virtual Private Network (VPC)
  BD Subnet                VPC subnet
  EPG                      Security Group
  EPG Contracts            Security Group Rules
    Provided contracts       Inbound rules
    Consumed contracts       Outbound rules
  (endpoint in the EPG)    EC2 Instance / Network Adapter

Security Group Rule fields: Source/Destination (Subnet or IP or Any or 'Internet'), Protocol, Port.

Why use Cloud Constructs? Policy Mapping - Azure

  ACI construct            Azure construct
  Tenant                   Resource Group
  VRF                      Virtual Network
  BD Subnet                Subnet
  EPG                      Application Security Group (ASG)
  EPG Contracts            Network Security Group (NSG) rules
    Provided contracts       Inbound rules
    Consumed contracts       Outbound rules
  (endpoint in the EPG)    Virtual Machine / Network Adapter

NSG rule fields: Source/Destination (ASG or Subnet or IP or Any or 'Internet'), Protocol, Port.
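The two policy-mapping tables above say what maps to what; the following added example (illustration code written for this page, not Cisco's Cloud APIC implementation) shows the translation actually being done for one three-tier application. An ACI-style contract between a consumer EPG and a provider EPG becomes, on AWS, an inbound rule on the provider's security group plus an outbound rule on the consumer's group (in the boto3 IpPermissions shape), and on Azure a pair of NSG rules between application security groups (ARM property names). The EPG names, security group IDs, ASG names and ports are constructed for the example; the extra deny rule in the Azure output is an assumption about how to get ACI-like default-deny on Azure, explained in the code comment.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Filter:
    protocol: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Epg:
    name: str
    aws_sg: str     # assumed AWS security group ID standing in for this EPG
    azure_asg: str  # assumed Azure application security group name for this EPG


@dataclass(frozen=True)
class Contract:
    provider: Epg   # EPG that provides the service (ACI "provided contract")
    consumer: Epg   # EPG that consumes it (ACI "consumed contract")
    filters: tuple  # Filter objects the contract permits


def aws_rules(contracts):
    """Provided contract -> inbound rule on the provider's security group; consumed contract ->
    outbound rule on the consumer's group. Peers are referenced by group ID (UserIdGroupPairs),
    not by address, so the rule follows the instance. Entries use the boto3 IpPermissions shape.
    Security groups are default-deny, so no closing deny rule is needed on AWS."""
    rules = []
    for c in contracts:
        for f in c.filters:
            perm = {"IpProtocol": f.protocol, "FromPort": f.port, "ToPort": f.port}
            rules.append({"GroupId": c.provider.aws_sg, "Direction": "ingress",
                          "IpPermissions": [dict(perm, UserIdGroupPairs=[{"GroupId": c.consumer.aws_sg}])]})
            rules.append({"GroupId": c.consumer.aws_sg, "Direction": "egress",
                          "IpPermissions": [dict(perm, UserIdGroupPairs=[{"GroupId": c.provider.aws_sg}])]})
    return rules


def azure_rules(contracts, deny_priority=4000):
    """Same contracts as NSG rules between application security groups (ARM property names).
    NSG priorities must be unique and lie in 100..4096. The closing Deny is an assumption about
    how to reproduce ACI's default-deny: Azure's built-in AllowVnetInBound rule (priority 65000)
    would otherwise admit every peer in the VNet regardless of the ASG whitelist."""
    prio = count(100)
    rules = []
    for c in contracts:
        for f in c.filters:
            base = {"access": "Allow", "protocol": f.protocol.capitalize(),
                    "sourcePortRange": "*", "destinationPortRange": str(f.port),
                    "sourceApplicationSecurityGroups": [c.consumer.azure_asg],
                    "destinationApplicationSecurityGroups": [c.provider.azure_asg]}
            tag = f"{c.consumer.name}-to-{c.provider.name}-{f.port}"
            rules.append(dict(base, name=f"allow-{tag}-in", direction="Inbound", priority=next(prio)))
            rules.append(dict(base, name=f"allow-{tag}-out", direction="Outbound", priority=next(prio)))
    rules.append({"name": "deny-all-in", "direction": "Inbound", "access": "Deny",
                  "priority": deny_priority, "protocol": "*", "sourcePortRange": "*",
                  "destinationPortRange": "*", "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*"})
    return rules


def azure_rules_valid(rules):
    """Check what Azure enforces on submit: priorities unique and within 100..4096."""
    prios = [r["priority"] for r in rules]
    return len(prios) == len(set(prios)) and all(100 <= p <= 4096 for p in prios)


# Constructed three-tier example: web consumes app on tcp/8080, app consumes db on tcp/5432.
WEB = Epg("web", "sg-web", "asg-web")
APP = Epg("app", "sg-app", "asg-app")
DB = Epg("db", "sg-db", "asg-db")
CONTRACTS = (
    Contract(provider=APP, consumer=WEB, filters=(Filter("tcp", 8080),)),
    Contract(provider=DB, consumer=APP, filters=(Filter("tcp", 5432),)),
)

if __name__ == "__main__":
    for r in aws_rules(CONTRACTS):
        print("AWS  ", r["Direction"], r["GroupId"], r["IpPermissions"])
    for r in azure_rules(CONTRACTS):
        print("Azure", r["priority"], r["direction"], r["access"], r["name"])
```

The point of referencing the peer security group or ASG instead of its addresses is the same one the ACI EPG model makes: the rule is bound to the workload's group membership, so it does not have to be rewritten when an instance is replaced or re-addressed.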

Typical Requirement: Creation of Two Independent Fabrics / Availability Zones (AZs)

Application workloads deployed across availability zones: Fabric 'A' is AZ 1, Fabric 'B' is AZ 2.

Typical Requirement: Creation of Two Independent Fabrics / Availability Zones (AZs), 'Classic' Active/Active

Each fabric is itself built from two pods (Pod '1.A' and Pod '2.A' in Fabric 'A' / AZ 1, Pod '1.B' and Pod '2.B' in Fabric 'B' / AZ 2), with application workloads deployed across the availability zones.

ACI Multi-Site: Overview

• Separate ACI fabrics with independent APIC clusters
• ACI Multi-Site pushes cross-fabric configuration to multiple APIC clusters, providing scoping of all configuration changes
• MP-BGP EVPN control plane between sites
• Data plane: VXLAN encapsulation across sites
• End-to-end policy definition and enforcement

(Figure: Availability Zone 'A', Availability Zone 'B' and Region 'C' connected over an IP network, MP-BGP EVPN control plane and VXLAN data plane, with Multi-Site driven through a REST API and GUI.)

ACI Extension Beyond On-Premise Data Center(s)

ACI policies from the on-premise data center are carried over an IP network to a Remote Virtual POD (vSpine + vLeaf, hypervisors running ACI Virtual Edge (AVE) or a plain vSwitch), so the same Web / App / DB tiers can run in co-lo / remote DCs, bare-metal clouds or brownfield deployments under the same policy.

Cisco Intersight

SaaS-delivered management: simplicity and actionable intelligence through an intuitive experience, enhanced support, proactive guidance, secure and extensible.

Cloud Connect - CSR 1000V?

• CSR is so far offered on Amazon AWS and Microsoft Azure. CSR1000v on GCP coming in 2018
• CSR1000V pricing based on technology package, throughput, license term PLUS platform cost (notice: actual cost will depend on negotiated terms and discounts)
• How do I choose the platform for CSR on AWS or Azure?

Agenda: Security

Cisco Multicloud Security

• Security when accessing the cloud: Secure Internet Gateway (SIG), Umbrella
• Security for SaaS apps: cloud access security broker (CASB) and email, Cloudlock & Email Security
• Security for public cloud: public cloud threat detection and visibility, Stealthwatch Cloud
• Cloud Security Assessment Services

Holistic Approach to Server Protection

A dynamic and heterogeneous environment needs traffic visibility, a server process baseline, analytics, and a policy that enables application segmentation:

• Segmentation
• Application control using whitelists
• Advanced behavior analysis
• Break organizational siloes

Cisco Tetration: Architecture overview (figure only)

Segmentation Policy: Express Policies in Human Language

"Development can't talk to production"

• Cisco Tetration knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change

How Does it Work? Cisco Tetration automatically converts your intent into blacklist and whitelist rules

  Intent                                                      Rules
  Block nonproduction applications from talking to            SOURCE 10.0.0.0/8  DEST 128.0.0.0/8
  production applications
  Allow HR applications to use the employee database          SOURCE 128.0.10.0/24  DEST 128.0.11.0/24
  Block all HTTP connections that are not destined for        SOURCE *  DEST 128.0.100.0/24  PORT = 80 (whitelist)
  web servers                                                 SOURCE *  DEST *  PORT = 80 (blacklist)

Mobility

Intent stays with the endpoint, no matter the infrastructure it resides on. Whether the endpoint sits behind VLANs and ACLs on Cisco Nexus 7000, 5000 and 2000 Series (Gen 1.0), behind subnets, interfaces and security rules, or behind cloud security groups, Cisco Tetration calculates all necessary rule changes and automatically applies them.
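The intent-to-rules and mobility slides above describe a compiler: label-based intent in, address-based rules out, recomputed whenever an endpoint moves. The block below is an added example written for this page, not Tetration's engine, showing the smallest version of that loop. Workload names, labels, addresses and the four intents are constructed; the policy model (ordered intents expanded to first-match CIDR rules with summarization, default deny, and a rule delta after a move) is an assumption about the approach, chosen to make the "intent stays with the endpoint" point checkable.

```python
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, or "*" for any source
    dst: str             # CIDR, or "*" for any destination
    port: Optional[int]  # None = any port


def _matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())


def _cidrs(inventory, selector):
    """Resolve a label selector to a minimal CIDR list; an empty selector means "any".
    A selector that matches no workload yields no rules (the intent is vacuous right now)."""
    if not selector:
        return ["*"]
    nets = [ip_network(w["ip"]) for w in inventory.values() if _matches(w["labels"], selector)]
    return [str(n) for n in collapse_addresses(nets)]


def compile_intent(intents, inventory):
    """Expand ordered, label-based intents into address-based first-match rules."""
    return [Rule(it["action"], s, d, it.get("port"))
            for it in intents
            for s in _cidrs(inventory, it["src"])
            for d in _cidrs(inventory, it["dst"])]


def _in(ip, cidr):
    return cidr == "*" or ip_address(ip) in ip_network(cidr)


def evaluate(rules, src_ip, dst_ip, port, default="deny"):
    """First matching rule wins; nothing matching falls to the whitelist default (deny)."""
    for r in rules:
        if _in(src_ip, r.src) and _in(dst_ip, r.dst) and r.port in (None, port):
            return r.action
    return default


def rule_delta(old, new):
    """Rules to add and to remove when the compiled set changes (e.g. after a workload moves)."""
    o, n = set(old), set(new)
    return sorted(n - o, key=str), sorted(o - n, key=str)


def move_endpoint(inventory, name, new_ip):
    """A workload re-addressed (other subnet, other cloud); its labels travel with it."""
    moved = dict(inventory)
    moved[name] = {"ip": new_ip, "labels": inventory[name]["labels"]}
    return moved


# Constructed inventory and intents (same shape as the slide's three examples).
INVENTORY = {
    "web-prod-1": {"ip": "10.1.0.10", "labels": {"env": "prod", "app": "web"}},
    "web-prod-2": {"ip": "10.1.0.11", "labels": {"env": "prod", "app": "web"}},
    "hr-app":     {"ip": "10.1.10.5", "labels": {"env": "prod", "app": "hr"}},
    "emp-db":     {"ip": "10.1.11.5", "labels": {"env": "prod", "app": "employee-db"}},
    "build-dev":  {"ip": "10.2.0.7",  "labels": {"env": "dev",  "app": "build"}},
}
INTENTS = [
    {"action": "deny",  "src": {"env": "dev"}, "dst": {"env": "prod"}},                   # dev can't talk to prod
    {"action": "allow", "src": {"app": "hr"},  "dst": {"app": "employee-db"}, "port": 5432},
    {"action": "allow", "src": {},             "dst": {"app": "web"},         "port": 80},
    {"action": "deny",  "src": {},             "dst": {},                     "port": 80},  # HTTP only to web servers
]


def demo():
    """Compile, move the dev box to another network, recompile, and report the rule changes."""
    rules = compile_intent(INTENTS, INVENTORY)
    new_rules = compile_intent(INTENTS, move_endpoint(INVENTORY, "build-dev", "10.3.5.9"))
    return rules, new_rules, rule_delta(rules, new_rules)


if __name__ == "__main__":
    rules, new_rules, (added, removed) = demo()
    for r in rules:
        print(r)
    print("after move: +%d rules, -%d rules" % (len(added), len(removed)))
```

Two details matter in practice. The two web hosts collapse to 10.1.0.10/31, so the rule count does not scale with the number of endpoints. And the stale, address-based rule set would let the moved dev box (now 10.3.5.9) reach a production web server on port 80, because the old deny rule named its old address; only recompiling from labels closes that gap, which is what the "intent stays with the endpoint" slide is about.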

Cisco Tetration: Deployment options

On-premises options:
• Cisco Tetration Platform (large form factor): suitable for deployments of more than 5,000 workloads; built-in redundancy; scales to up to 25,000 workloads. Includes 36 x Cisco UCS C220 servers and 3 x Cisco Nexus 9300 platform switches.
• Cisco Tetration-M (small form factor): suitable for deployments of less than 5,000 workloads. Includes 6 x Cisco UCS C220 servers and 2 x Cisco Nexus 9300 platform switches.

Public cloud:
• Cisco Tetration Cloud: software deployed in public cloud (Amazon Web Services or Microsoft Azure); suitable for deployments of less than 1000 workloads; cloud instance owned by customer.

Agenda: Analytics

What's AppDynamics? End-to-end visibility and actions for business transactions

• Tag: instrument every user transaction
• Learn: collect application and business data; baseline behavior and performance
• Trace: trace each transaction
• Follow: follow through complex systems

(Figure: business transaction "Book A Flight", response time 2.1s, traced through SearchFlight (32ms), GetCustLevel (12ms), GetPrice (56ms) and WPProcess (340ms), with technical context (Java heap usage 76%, CPU usage 36%, network errors 1.3%, database time 156ms, NoSQL) correlated with business context (LON to LAS, out Thursday 10th, business class, price $3,269, no special meals, platinum customer living in CA, USA, using Chrome, payment Mastercard via merchant WorldPay, confirmed).)

Cloud Migration: Confidence to migrate applications at speed

1| Application Mapping (figure: component map of Apache, Tomcat, Docker, Oracle, ESB/MQ and async components)

"When we first saw the graph of the architectural components of the application that came up, we had a much clearer understanding of how to maximize the application design as we moved to run on the AWS Cloud" – Roy Early, Production Support Manager, Allconnect

Cloud Migration: Confidence to migrate applications at speed

1| Application Mapping
2| Visualize User Journeys (figure: the same component map with CPU, memory and network metrics per tier)

"The ability to trace a transaction visually and intuitively through the interface was a major benefit. This visibility was especially valuable when Nasdaq was migrating a platform from its internal infrastructure to the AWS Cloud." – Heather Abbott, SVP Corporate Solutions Technology, Nasdaq

Cloud Migration: Confidence to migrate applications at speed

1| Application Mapping
2| Visualize User Journeys
3| Prove the business value (figure: Tomcat, Apache and network utilization used to rightsize instances)

"Using AppDynamics helps us to accurately rightsize which Amazon EC2 instances we need based on resource consumption in order to avoid overspend" – Eric Poon, Head of Global Technical Operations and IT Analytics, Nasdaq

Cloud Monitoring: Clarity of app and business performance in hybrid architectures

1| Unified Monitoring: instant, end-to-end monitoring of apps in any environment
2| Machine Learning: accurate and granular alerting based on real-time usage
3| Business context: correlate and analyze app performance with engagement and business outcomes

"With AppDynamics, we gain better visibility into how microservices interface with the rest of the components of our application, and the increased velocity to resolve issues faster than ever." – Nuno Pereira, CTO, iJET International
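"Baseline behavior and performance" (the Learn step) and "granular alerting based on real-time usage" (Cloud Monitoring 2) describe a dynamic baseline per business transaction. The block below is an added example for this page, not AppDynamics code: a running mean and variance per transaction (Welford's method), an alert when a sample exceeds the baseline by a configurable number of standard deviations, and a warm-up period before any verdict is given. The transaction names and response times are constructed; the warm-up length and three-sigma threshold are assumptions, not AppDynamics defaults.

```python
from collections import defaultdict
from math import sqrt


class Baseline:
    """Per-transaction running mean/variance (Welford) of response time, with an alert when a
    sample exceeds mean + sigmas * stddev. Nothing is judged before `warmup` samples exist,
    so a new transaction type cannot alert on its first, unrepresentative samples."""

    def __init__(self, warmup=20, sigmas=3.0):
        self.warmup, self.sigmas = warmup, sigmas
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)  # running sum of squared deviations

    def threshold(self, txn):
        """Alert threshold in ms for this transaction, or None while still warming up."""
        n = self.n[txn]
        if n < max(self.warmup, 2):
            return None
        return self.mean[txn] + self.sigmas * sqrt(self.m2[txn] / (n - 1))

    def observe(self, txn, ms):
        """Score one response-time sample against the baseline learned so far, then fold it in.
        Returns an alert dict or None. Samples are always folded in, so a sustained regression
        becomes the new normal after a while: the alert fires on the first bad samples, not on
        the trend, which is the trade-off of a usage-driven baseline."""
        limit = self.threshold(txn)
        alert = None
        if limit is not None and ms > limit:
            alert = {"transaction": txn, "observed_ms": ms,
                     "threshold_ms": round(limit, 1), "baseline_ms": round(self.mean[txn], 1)}
        self.n[txn] += 1
        delta = ms - self.mean[txn]
        self.mean[txn] += delta / self.n[txn]
        self.m2[txn] += delta * (ms - self.mean[txn])
        return alert


# Constructed samples: 25 normal "Book A Flight" timings around 2.0 s, one slow-but-normal
# 2150 ms sample, then a 6 s outlier; "Search Flight" never leaves warm-up.
SAMPLES = ([("Book A Flight", ms) for ms in [1900, 2050, 2100, 1980, 2020] * 5]
           + [("Book A Flight", 2150), ("Book A Flight", 6000)]
           + [("Search Flight", 30)] * 10 + [("Search Flight", 9999)])


def run(samples, **kw):
    """Replay samples through one Baseline and collect the alerts it raises."""
    b = Baseline(**kw)
    return [a for a in (b.observe(t, ms) for t, ms in samples) if a]


if __name__ == "__main__":
    for a in run(SAMPLES):
        print(a)
```

With the default warm-up the 9999 ms "Search Flight" sample raises nothing, because ten samples are not enough to say what normal is for that transaction; shortening the warm-up makes it fire. That is the knob to set deliberately: too short and every new endpoint pages someone, too long and a regression in a rarely used transaction is missed.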

Cloud Elasticity: Control to instantly increase scale when required

1| Cloud autoscaling based on technical or business metrics
2| Prebuilt extensions make scaling easy

(Figure: the same Apache / Tomcat / Docker / Oracle / ESB/MQ component map with CPU, memory and network metrics.)
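"Autoscaling based on technical or business metrics" is easy to state and easy to get wrong; the added example below (illustration code for this page, not an AppDynamics extension) shows the decision logic with the two things a production scaler needs around it: fleet bounds, and a cooldown so a noisy metric does not flap the fleet out and back in. The CPU target, the assumed transactions-per-instance figure, the cooldown and the sample metrics are all constructed.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class ScalePolicy:
    min_instances: int = 2
    max_instances: int = 10
    cpu_target: float = 60.0          # technical metric: % CPU per instance we want to sit at
    txn_per_instance: float = 500.0   # business metric: transactions/min one instance serves (assumed)
    cooldown_s: int = 300             # no second scaling action within this window
    last_action_at: float = float("-inf")

    def desired(self, instances, cpu_pct, txn_per_min):
        """Capacity implied by the technical metric and by the business metric; the larger
        wins, then clamp to the fleet bounds so neither metric can run the bill or the floor away."""
        by_cpu = ceil(instances * cpu_pct / self.cpu_target)
        by_txn = ceil(txn_per_min / self.txn_per_instance)
        return max(self.min_instances, min(self.max_instances, max(by_cpu, by_txn)))

    def decide(self, now, instances, cpu_pct, txn_per_min):
        """Return (new_instance_count, reason). The cooldown suppresses a second move while the
        previous one is still taking effect; without it, the metrics measured before the new
        instances are serving would trigger yet another scale-out."""
        want = self.desired(instances, cpu_pct, txn_per_min)
        if want == instances:
            return instances, "steady"
        if now - self.last_action_at < self.cooldown_s:
            return instances, "cooldown"
        self.last_action_at = now
        return want, "scale-out" if want > instances else "scale-in"


if __name__ == "__main__":
    p = ScalePolicy()
    # constructed metric samples: (time_s, instances, cpu_pct, transactions/min)
    for now, n, cpu, txn in [(0, 4, 90.0, 1000), (100, 6, 90.0, 1000), (400, 6, 30.0, 3500),
                              (800, 7, 10.0, 100), (1200, 2, 10.0, 100), (2000, 2, 99.0, 20000)]:
        print(now, p.decide(now, n, cpu, txn))
```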

Agenda: Management

Cisco CloudCenter: Model Once. Deploy and Manage Anywhere.

One integrated platform for lifecycle management of new and existing applications: MODEL, DEPLOY and MANAGE across data center, private cloud and public cloud.

Cisco CloudCenter: Hybrid Cloud Management, One Platform

A cloud-agnostic Manager holding the application profiles, and a cloud API-specific Orchestrator per target cloud. Extendable, multi-tenant, secure, scalable.

Cisco CloudCenter: API Extendable and Brokerage

• Model: MODEL, DEPLOY, MANAGE; multi-tenant, extendable, secure, scalable
• Tool integration: hooks, scripts, events; security (SSO, HSM); infrastructure (IPAM, DNS); Docker; Puppet, Chef
• Content integration: components, user content, vendor content
• Platform integration: ITSM, build automation (Jenkins)
• Cloud APIs: datacenter, private and public cloud

Relationship Between CloudCenter, VIM, Cisco Container Platform, and Intersight

• Cisco CloudCenter (cloud-hosted or on-premises): provisions applications on any infrastructure, including other private and public clouds
• Cisco Container Platform and other distributions: VMs and bare metal on UCS, non-UCS and HyperFlex (HX) hosts
• Cisco VIM: deployed and managed by Cisco Cloud Platform, over network (ACI, Nexus) and storage
• Cisco Intersight (cloud-hosted): manage HW, provision infrastructure SW

Layered responsibilities, bottom to top: manage HW, provision infrastructure SW, provision applications on any infrastructure.