CliQr CloudCenter™
with Cisco ACI Common Use Cases
Table of Contents
1 Executive Summary
2 Introduction
3 Use Case 1: Securely deploy N-tier application
4 Use Case 2: Stretched Application Deployment
5 Use Case 3: Migrate Application to ACI Environment
6 Conclusion
1 Executive Summary
CliQr CloudCenter™ is an application-centric hybrid cloud management platform that securely provisions infrastructure resources and deploys application components to more than 19 datacenter, private cloud, and public cloud environments. CloudCenter’s application-centric hybrid cloud management is an ideal fit with Cisco Application Centric Infrastructure (ACI) and policy-based network management.
IT organizations pursuing a Hybrid IT strategy need flexibility in how and where applications are deployed in datacenter, private, and public cloud environments. CloudCenter users can self-service, on-demand deploy applications to any environment. But when they choose to deploy an entire application or just a single tier to an environment with ACI managed network, they get public cloud agility with greater network security, and more cost effective deployment options than public cloud alone.
CloudCenter and Cisco ACI together provide a single solution that gives IT organizations ultimate flexibility to choose the best deployment option for a wide variety of enterprise IT workloads. CloudCenter with Cisco ACI provisions infrastructure and securely deploys applications based on the desired end state and needs of the application. CloudCenter automates the entire application deployment process and communicates directly with Cisco ACI’s APIs to automate creation of ACI policy objects including Application Network Profiles, End Point Groups, Contracts, Filters and any other objects required for micro-segmented secure communications.
IT gets optimal network security and operational efficiency without having to manually create and maintain policies, and without having to learn new programming languages. Users get self-service on demand flexibility, without needing any network skills or knowledge of cloud environment details. Scaling and end-of-life actions are automated as well, resulting in updates and termination of network policies.
This paper summarizes three powerful use cases enabled by CloudCenter and Cisco ACI deployments.
2 Introduction
Cisco Application Centric Infrastructure (ACI) increases network security, automates communication policies based on business-relevant application requirements, and decreases developer wait time to accelerate application deployment in the next-generation Data Center.
At the core, ACI application policies are whitelists within a zero-trust model ensuring that no communication is allowed between application tiers, unless a policy specifies that an object can be on the network, which other objects it can talk to, and what it can talk about. Cisco ACI translates and applies the logical business driven policy definitions into concrete infrastructure configuration.
CloudCenter™ is an application-centric hybrid cloud management platform that provisions infrastructure resources and securely deploys application components to more than 19 datacenter, private cloud, and public cloud environments. Users can easily model, self-service deploy, and then manage both new and existing applications without detailed knowledge of the underlying environment, cloud services, or APIs.
Users work in CloudCenter’s drag-and-drop modeler as seen in Figure 1 to create cloud agnostic and portable application profiles that can be deployed to any environment. Users can choose from a flexible mix of easily customized OS images, application or cloud services, containers, or configuration management tools, to model new or existing, simple or complex applications.
Figure 1. Application profile topology modeler
Each application profile combines infrastructure automation and application automation layers into a single deployable blueprint. With a CloudCenter application profile, one CloudCenter platform can be used to deploy and manage any modeled application in any datacenter or cloud environment in a consistent and predictable way.
CloudCenter’s cloud-agnostic application profile, coupled with a cloud-specific Orchestrator, abstracts the application from the cloud by interpreting the needs of the application and translating those needs into cloud specific API calls. As a result, CloudCenter eliminates cloud-specific scripting and cloud lock-in that often reduce both developer and IT operations efficiency.
Working with Cisco ACI
CloudCenter works seamlessly with Cisco ACI. If a user chooses to deploy the application profile to an environment managed by Cisco ACI, nothing additional is required by the user or network administrator. CloudCenter interprets the needs of the application and calls the Cisco ACI northbound API to automate network policy objects that deliver the full power of a software defined network.
CloudCenter and ACI are often deployed in an environment that has VMware or OpenStack APIs as seen in Figure 2.
Figure 2. CloudCenter with Cisco ACI and VMware vCenter
CloudCenter and ACI work together without installing plugins, without creating environment specific scripting, or modifying any application code. Network administrators don’t need to learn programming languages to get the most out of the ACI programmatic interface.
The flow of orchestration managed by CloudCenter includes:
1. Model Application Profile — A service manager can use the CloudCenter graphical UI to create a cloud agnostic application profile and then share with specific users or publish to a marketplace.
2. Self-Service Deploy — role and user-based access controls, paired with tag-based governance, help users choose appropriate deployment environment that optionally includes ACI.
3. Create and Deploy APIC Policy Objects — If a user chooses an environment that is part of an ACI fabric, CloudCenter automates creation of the appropriate policy objects and calls APIC northbound REST API to create networks specifically for the application.
4. Provision Infrastructure — CloudCenter calls infrastructure APIs (for example, OpenStack, vCenter) to provision compute, memory, and storage in the appropriate network segment.
5. Deploy Application Tiers – CloudCenter deploys and orchestrates all application components based on the topology and dependencies modeled in the application profile.
6. Ongoing management – Both user and admins can review the deployment progress and take action to ensure proper configuration.
7. Block East-West Traffic — if a tier is manually or auto-scaled, CloudCenter updates ACI policies to block east-west traffic and confine breaches to a single machine if compromised.
8. End-of-life – Infrastructure and network policy objects are automatically deleted, preserving the integrity of the network as well as conserving infrastructure resources.
With CloudCenter and Cisco ACI, IT gets a powerful solution that improves security, streamlines application deployment, and increases Dev, Ops and network admin efficiency.
The remainder of this paper outlines three primary use cases for CloudCenter with Cisco ACI.
3 Use Case 1: Securely deploy N-tier application
CloudCenter simplifies and expedites the deployment of an application by programming governance rules, which dictate policies such as infrastructure placement and security profiles. These help to obscure the complexity of increasingly diverse infrastructure environments.
Users get the flexibility of self-service on demand deployment, while network admins are able to control port settings and other security configuration parameters. Security and network directives are included in each CloudCenter application profile that is published or shared with users.
Figure 3. CloudCenter application profile determine ACI application network profile objects
When a user initiates deployment via the CloudCenter Manager as displayed in Figure 3, CloudCenter Orchestrator uses topology and network setting information in the CloudCenter application profile to automate creation of policy objects for Cisco ACI. CloudCenter Orchestrator calls the local APIC API to instantiate the ACI Application Network Profile (AP), the Endpoint Groups (EPGs) and the Consumer and Provider Contracts based on the topology and security requirements of the CloudCenter application profile. Each application tier is placed in a unique and isolated application tier network. The connectivity between the application tier networks is automatically driven by the application topology.
Figure 4 shows the ACI user interface for a deployed three-tier application, compared to the CloudCenter interface that shows the same application deployment. The side-by-side diagrams highlight three EPGs as well as contracts that manage network traffic between them.
Figure 4. CloudCenter Orchestration and ACI segmentation
CloudCenter automatically generates Contracts and Filters that restrict the protocol and port access on application tier network based on application stack service requirements contained in the CloudCenter application profile.
Combining CloudCenter and Cisco ACI couples the application topology, the application stack services, the network configurations, and the end-to-end network isolation for both application deployment and individual application tiers. The combined solution provides an intuitive interface to allow both users and admins to review the progress of the deployment. It also ensures that naming conventions are consistent across both platforms.
Once the application is terminated, the auto-provisioned infrastructure objects that are associated with the application are deleted, thereby preserving the integrity of the app lifecycle and minimizing remnant policies that can pose a security threat and consume valuable memory resources.
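A simplified model of the derivation described in this use case, added here as an illustration and not CloudCenter or APIC code: one EPG per tier, one consumer/provider contract per dependency, a default-deny check between tiers, and an audit for contracts left behind after termination. The profile layout, tier names, ports and object names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed three-tier profile; the dict layout, tier names and ports are
# assumptions for illustration, not CloudCenter's application profile format.
PROFILE = {
    "name": "shop",
    "tiers": {
        "web": {"listens": ("tcp", 443), "depends_on": ["app"]},
        "app": {"listens": ("tcp", 8080), "depends_on": ["db"]},
        "db": {"listens": ("tcp", 3306), "depends_on": []},
    },
}


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str  # EPG allowed to initiate the connection
    provider: str  # EPG offering the service
    proto: str
    port: int


def build_policy(profile):
    """One EPG per tier; one contract per dependency edge, filtered to the provider's port."""
    app = profile["name"]
    epgs = {tier: f"{app}-{tier}-epg" for tier in profile["tiers"]}
    contracts = []
    for tier, spec in profile["tiers"].items():
        for dep in spec["depends_on"]:
            proto, port = profile["tiers"][dep]["listens"]
            contracts.append(
                Contract(f"{app}-{tier}-to-{dep}", epgs[tier], epgs[dep], proto, port)
            )
    return {"app_profile": app, "epgs": epgs, "contracts": contracts}


def is_allowed(policy, src_epg, dst_epg, proto, port):
    """Whitelist semantics between EPGs: deny unless a contract matches exactly.
    Only the consumer-initiated direction is modeled; return traffic is not."""
    return any(
        (c.consumer, c.provider, c.proto, c.port) == (src_epg, dst_epg, proto, port)
        for c in policy["contracts"]
    )


def remnant_contracts(contracts, live_epgs):
    """Names of contracts whose consumer or provider EPG no longer exists."""
    live = set(live_epgs)
    return [c.name for c in contracts if c.consumer not in live or c.provider not in live]


if __name__ == "__main__":
    policy = build_policy(PROFILE)
    for c in policy["contracts"]:
        print(c)
    # web may reach app on its service port, but has no path to the database tier
    print(is_allowed(policy, "shop-web-epg", "shop-app-epg", "tcp", 8080))
    print(is_allowed(policy, "shop-web-epg", "shop-db-epg", "tcp", 3306))
```

Running `remnant_contracts` against the EPGs that still exist after a teardown gives a quick check that no contract outlived the tier it was created for.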
4 Use Case 2: Stretched Application Deployment
CloudCenter supports deploying applications with different tiers deployed in different environments. When users deploy, they normally choose a single deployment target datacenter, private or public cloud location that is available to them based on role, governance rules, and other controls. But they also have the option to choose a stretched deployment, and that provides users the ability to select specific target sites for each tier within the application.
Several reasons justify a stretched application deployment:
Reason 1 – Cost. Cloud pay-per-use and scalability is ideal for transitory workloads. But renting infrastructure may not be the best option for long running workloads. As a result, the UI tier of web application or mobile applications may be a great fit for a pay per use environment like a public cloud. But more stable and long running tiers such as application server or database server may be more cost effectively deployed back in ACI managed network in private cloud or datacenter.
Reason 2 – Security and compliance. Even if the application server or load balancer tiers can be deployed in various other environments, the database tier is a good fit for an ACI managed network environment in the private cloud or datacenter in order to address security and compliance requirements.
Reason 3 – HA/DR master slave configuration. Users can model an application profile that contains both master and slave components that get deployed in different cloud availability zones, or different datacenter and cloud. If users can one-click deploy full application stack with HA/DR setup in different availability zones or even different datacenter and cloud, they can easily and cost effectively test various failover scenarios and delete the whole setup when done. And, get the same fully-tested configuration automatically deployed for production workloads as well.
With CloudCenter, deploying a stretched application topology is easy when multiple deployment environments are available. At deployment time, the user just selects Hybrid as the target cloud as displayed in Figure 4, and then the UI exposes a separate cloud deployment dropdown for each tier modeled in the application profile.
Figure 5. User selects Hybrid to activate the stretched application deployment feature
Placement decisions for the entire stack or individual tiers can be guided by CloudCenter tagging and rules engine. For example, a HIPAA compliant application can be tagged so users can only choose an ACI managed datacenter for the database tier, regardless of where other tiers are deployed.
CloudCenter with Cisco ACI enables three stretched application deployment topologies. In each case, the user can select the appropriate deployment environment for each application tier, without being required to change the application’s architecture or attributes, or have any domain knowledge about ACI or software defined networking. There are no environment specific scripts or workflows that lock any tier into any environment.
Multi-Pod
CloudCenter can deploy N-Tiered applications to a datacenter with multiple Cisco ACI pods. In this scenario, the application can be distributed across different pods in a single datacenter. Different tiers of an enterprise web application can be placed in different networks with different VLANs. ACI’s unique label-based, dynamic directional routing ensures that only the consumer VMs connect to the provider VMs with matching labels. This provides a truly isolated network for each tier in the application.
Stretched Fabric
CloudCenter can deploy N-Tiered applications to a Cisco ACI fabric that is stretched across geographically dispersed sites and over long distances. In this scenario, the application can be distributed to different pods in separate datacenters while taking advantage of the network services provided by the single stretched network fabric. For example, the load balancer and the application server can be in Datacenter A and the database can be in Datacenter B. The stretched fabric topology extends the capabilities of Cisco ACI’s integration with L4-L7 services.
Multi-Cloud
CloudCenter can deploy N-Tiered applications across a Cisco ACI pod and a public cloud. Part of the application can be deployed to a datacenter or private cloud with ACI managed network, and part of the application can be deployed to public cloud. This scenario works for web applications that have edge caching in multiple distributed cloud locations, or mobile apps that have the application tier or database tier back in a secure datacenter.
CloudCenter and ACI together offer a truly unique and flexible solution to address the cost, security, and agility requirements for increasingly complex enterprise workloads. The “Profile once, deploy anywhere” capabilities of CloudCenter extend to stretched deployment topologies.
In all these stretched application deployment topologies, the CloudCenter application profile doesn’t need to be changed, no environment or topology specific scripting needs to be written and maintained, and the application remains portable.
5 Use Case 3: Migrate Application to ACI Environment
Users can take applications that were previously deployed to non-ACI datacenter and public cloud environments and migrate to a more secure ACI managed datacenter. The joint solution fully automates migration as well as creation of relevant ACI policy objects.
Application workloads that are deployed and managed by CloudCenter are made portable across different clouds via the “Migrate” feature. CloudCenter application profiles are cloud agnostic and portable, not hardwired to a single environment. As a result, CloudCenter and ACI support a Hybrid IT strategy that allows users to optimize workload placement based on business need, and easily choose to migrate to, or from, or between different datacenter, private and public clouds based on use, governance rules, cost and performance requirements, or application lifecycle phase.
Three primary migration scenarios:
1 – Back from Cloud
Many IT organizations have deployed applications as part of a cloud strategy, and are now having some sticker shock as monthly public cloud costs are added up. Or they have concerns about whether public cloud meets security and compliance requirements. With CloudCenter, users can choose to migrate an application from public cloud back to datacenter or private cloud with ACI managed network.
As seen in Figure 6, users can select an existing deployment, and choose a range of management actions including migrate. If an ACI environment is selected as migration target, CloudCenter automates creation of policy objects and instantiates network configuration via APIC API.
Figure 6. User selects migrate for existing deployment.
2 – Cross-cloud SDLC
Using public cloud for Dev/Test activities, and production back in datacenter or private cloud, is the most common hybrid cloud use case. CloudCenter supports that scenario with a powerful and integrated CI/CD Project Board feature that manages the end-to-end Software Development Life Cycle (SDLC).
Managers create projects in CloudCenter that mirror their software development lifecycle. They can allocate resources or budget for the overall project or specific phases. User access controls and policies define who can promote code along stages of the lifecycle as well as which cloud is suitable for each phase.
Figure 7 shows the CI/CD project board with different stages that each have different owners as well as project budget allocation.
Figure 7. CI/CD project board – with ACI environment for production
For a DevOps scenario that includes a non-ACI environment for Dev/Test and an ACI environment for production, the CI/CD project board can be set up with a cross environment workflow that gives developers some choices in pre-production environments, but limits choices in the more secure ACI managed network environment for the final production phase.
CloudCenter also includes a powerful tagging and governance engine that can modify security settings based on phase. So a deployment in a Dev phase might be set up to leave open certain ports. But when migrated to the Prod phase, it would not only benefit from microsegmentation applied based on ACI policy, but could also automatically close those ports. Conversely, a promotion to Prod might open certain ports for network or security monitoring agents in production.
CliQr Technologies 1732 North First St., Suite 100, San Jose, CA 95112 888.837.2739 • [email protected] • www.cliqr.com
©2016 CliQr Technologies. All rights reserved. CliQr, the CliQr logo, and CliQr CloudCenter are trademarks of CliQr Technologies in the United States. All other trademarks and company names are the property of their respective owners.
WP-ACI-UC-0416
CloudCenter and ACI together provide unprecedented flexibility and security control not possible with deployments in public cloud environments.
3 – Datacenter Migration
Many IT organizations continue to modify their datacenter footprint as they evolve their Hybrid IT strategy, pursue mergers and acquisitions, and for a host of other business reasons. CloudCenter can streamline the process, and bring workloads into an ACI environment to gain the benefit of software defined networking.
In a migration scenario, IT organizations typically scope the move, then bring existing workloads into ACI environment in phases via a rolling upgrade. By profiling each application, CloudCenter can help convert VLAN ports to ACI managed ports, and get the ACI benefits of traffic monitoring, visibility into packet loss, latency and network loops.
6 Conclusion
CloudCenter is an application-centric hybrid cloud management platform that makes it easy to deploy and manage applications in datacenter, private cloud, and public cloud environments. However, CloudCenter and Cisco ACI together provide a single solution that gives IT organizations ultimate flexibility to choose the best deployment option for a wide variety of enterprise IT workloads, and delivers agility, security and efficiency that is unmatched by public cloud alone.
CloudCenter and ACI offer the unmatched ability to securely provision multi-tier applications, automate stretched application deployments without modifying applications, blueprints, or deployment scripts, and efficiently migrate applications to ACI environments.