DevOps tools became very popular with the adoption of public cloud, but Operational teams now realize that their benefits can be extended to enterprise data centers. In reality, cloud native tools can help bridge public clouds and private data centers by enabling a common framework to manage applications and their underlying infrastructure components. In this session you’ll learn about the latest Cisco ACI integrations with Hashicorp Terraform and Consul to deliver a powerful solution for end-to-end on-prem and cloud infrastructure deployments.

1. Nicolas Vermandé
Technical Marketing Engineer, Cisco IBNG
July 21st 2020
Mind the gap, bridging cloud and
on-prem infrastructures with
Hashicorp and Cisco

2. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
The new Datacenter stack
The cloud native operational
model
Cisco ACI: the reference network
API framework for Terraform
The modern app magnifying glass
with Cisco ACI and Consul

3. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
The new Datacenter Stack

4. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Kubernetes
Groundhog Day
Docker
Containers
decoupling code (the
app) from image and
infrastructure
resources
Virtualization
consolidating and
abstracting compute
resources
SDN
Abstracting Networking
resources and
consolidate services
Kubernetes
abstracts the
Datacenter
Docker
Type 1 Hypervisor
SDN
Solving problems by adding abstraction

5. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Microservice
Single Purpose
Stateless
Independently Scalable
Automated
Service
Autonomous
Loosely-coupled
Function
Single Action
Event Sourced
Ephemeral
f()
New Application Architectures

6. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
The infrastructure hasn’t
changed that much

7. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

8. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
Modern Datacenter blends
resources into a common
software stack

9. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
A New Model For Cloud Native Operations
Kubernetes
Database
Custom Controller
Custom
Resource
Definition
ExtensionofexistingKubernetesAPI
apiVersion: aci.snat/v1
kind: SnatPolicy
metadata:
name: my-snat-name
spec:
selector:
namespace: testns
labels:
my-snat-label: backend-apps
snatIp: - 10.20.30.40
watchesreconciles
ReplicaSet
ConfigMap
Service
Pods
…
manages
Knowledge
REST API

10. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
Kubernetes also introduces
a new model for Networking

11. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Service A
Service B
Kube-proxy

12. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
The cloud native operational
model

13. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
More Services, Less Code

14. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
• GitOps model for change control
• IaC for workload deployments and auto-scaling
• CI/CD for application lifecycle management with declarative steps
• automation
• artifact creation
• deployment
Automate all the things
Cloud solution comes with battery included (and the toolbox)

15. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
How can we build a
common framework for
Hybrid Cloud?
ACI
Fabric

16. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
What is Cisco ACI
Site 2Site 1
VMVMVM
Site 4
VMVMVM
Cisco Multi-Site
Orchestrator
VMVMVM
Site 3
VMVMVM
Google Cloud Platform*
*Roadmap
Consistent Network
and Policy
Secure Automated
Connectivity
Single Point of
Orchestration
Secure Automated
Connectivity
Cloud only
(Multi-Cloud)
*

17. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
ACI provides the same
insight for every workload,
regardless of the form factor
and the location

18. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
First Class Citizens
RHEV 4.1+
ACI Multi-Site
Orchestrator
OpenShift Openstack
Remote Datacenter
Primary Datacenter

19. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
• ACI has a modeled representation of everything APIC knows
• ACI object model is a distributed MIT (Management Information Tree) structure, fully accessible
through REST API
• Every node is a managed object (MO) with class, attributes and a distinguished name (Dn)
Infrastructure as Code with ACI
Root
Policy
Universe
Tenants
Applications
VLANs Virtual
Network
Fabric
Nodes
Hypervisors
Tenant
VRF
BD 10.10.0.1/24
EPG
VLAN 1001
EPG
VLAN 1002
API

20. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Managing on-prem infra with Terraform and ACI
Tenant
VRF
BD
Subnet
ANP
EPG
vSphere VM

21. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
How about Public Cloud?
Tenant
Cloud Context Profile
VRF Cloud CIDR
Cloud App
Cloud EPG
AWS EC2
Instance
Cloud Subnet
Cloud EP Selector

22. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Demo 1
Hybrid-cloud workload
deployment with Terraform
and ACI

23. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Provisioning

24. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
How about applications?

25. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Visibility and Policy mapping with Consul and ACI
DevOpsNetOps
Allow the application teams to stay
informed of any network changes and
what is traversing through the switching
fabric
Lower the risk of network faults,
changes, or capacity issues affecting
application services by informing
decisions of contextual impacts
ResultProblem
Lack of contextual insight into the
underlying networking infrastructure
on application service communication
Lack real-time visibility into dynamic
application services and service health
on network configuration and
performance
Solution
ACI topology, fault, stats and health
aware service registry in Consul
Overlay ACI Policy on Consul intentions
to determine Service-to-Service network
reachability
Automated correlation of Consul
application services to ACI fabric and
logical constructs
Contextual overlay of Consul services
health checks and telemetry on ACI
fabric and logical constructs

26. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Problem
Error prone and static Network security
policy resulting from the lack of service
based policy definition
Minimal understanding of impact network
performance issues on service performance
Inconsistent network services across private
and public cloud, virtualization, or container
platform
Extend Application Security and Operations to the Network
Reduce MTTR by immediately detecting
and automatically highlighting service
performance issues, allowing the
appropriate team to see the information
within their tools
Network security policy is based on
dynamic service definition, always up to
date and remove the possibility of human
error
Result
No need to compromise on network
requirements based on using one platform
at the expense of another, letting you
implement best-of-class solutions within
your cloud, virtual, physical, or container
environment
Solution
Augment Consul Connect based Service
Mesh topology on ACI fabric, contracts and
logical constructs
Automated ACI policy creation based on
Consul Connect Intentions of expected
service communication
Context aware cross launch from Consul
Service Graph to ACI Operational report
generation
Integration support for Consul OSS and
Consul Enterprise with on-prem APIC and
cloud APIC
NetOpsDevOpsNetOps
DevOps

27. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Cisco ACI: Consul integration
Service visibility and Network Infrastructure Automation
Service visibility and faster MTTR
• Real-time visibility into dynamic services, service health
and service-to-service communication correlated to the
network
• Faster identification of issue based on service and
network data correlation
Network Middleware Automation
• Dynamic Service Mesh driven policy for the network
• Enable faster Service Mesh deployment for DevOps
teams
• Consistent service driven network automation for virtual
and container workloads across private and public
cloud
App
on APIC
based Service Mesh
REST APIs
Beta/Phase 1
Phase 2

28. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Demo 2
Cloud Native visibility with
Consul and ACI

29. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
• We’ve talked about datacenter automation frameworks, highlighting that your
favorite cloud tools are being used for on-prem too
• This is usually challenging because APIs are not the same on-prem vs in the
cloud
• Terraform and ACI provides the right level of abstraction to accommodate
many hybrid-cloud use cases by providing a declarative language
• Consul and ACI enable a powerful solution for end-to-end application
monitoring and policy discovery and management
To sum it up