Part 1 of this blog series demonstrated how Cisco CNC can automate cloud networking inside GCP independently of security policies. Part 2 goes over additional capabilities pertaining to contract-based routing and firewall rules automation by extending the same policy model.
One of the reasons for decoupling routing and security is to give customers more flexibility. Often, organizations have different teams responsible for cloud networking and for security policy definitions in the cloud. However, for those use cases where policy consistency is a top priority, followed by more governance of cloud resources, a common policy model is a must.
Policy Model Translation
Below is a high-level one-to-one mapping of the Cisco CNC policy model to native GCP cloud constructs.
Essentially, a tenant maps to a project and is the top-level logical container holding all the other policies. For cloud networking, Cisco CNC translates the combination of VRF and Cloud Context Profile into global VPC networks and regional subnets. In the scenario below, Cisco CNC will also translate security policies by combining cloud EPGs (Endpoint Groups) with contracts and filters into firewall rules and network tags in GCP.
By definition, a cloud EPG is a collection of endpoints sharing the same security policy; it can have endpoints in multiple subnets and is tied to a VRF.
Scenario
This scenario has two VRFs: network-a and network-b. Additionally, cloud EPGs Web & App will be created and associated with contracts whose specific security policies are defined by filters. A Cloud External EPG will also be created as Internet EPG to allow internet access on network-a.
On GCP, these policies are translated into the corresponding VPC networks, subnets, routing tables, peering, firewall rules, and network tags. Note that for this scenario, VPCs and subnets were already pre-provisioned.
Contract-based Routing
In Part 1 of this blog series, a route leak policy was created to allow inter-VRF routing between network-a and network-b. For this scenario, only contract-based routing will be enabled, which means contracts will drive routing where needed. Therefore, the route leak policy created previously was removed and the peering between the VPCs disconnected.
Contract-based Routing is a global mode configuration available in the Cloud Network Controller Setup. Note that when contract-based routing is enabled, the routes between a pair of internal VRFs can be leaked using contracts only in the absence of a route leak policy.
Note: a brief overview of the Cisco CNC GUI was provided in Part 1.
Firewall Rules Automation
The configuration below illustrates the creation of Web and Internet EPGs tied to network-a, along with their associated endpoint selectors. Endpoint selectors are used to assign endpoints to a Cloud EPG and can be based on IP address, Subnet, Region, or Custom tags (using a combination of key value pairs and match expressions).
For the Web EPG, a key value pair is used with specific tags to be matched (custom: epg equals web). For the Internet EPG, a subnet selector is used allowing all traffic. Furthermore, the Internet EPG must be of type External, as internet access will be allowed on network-a.
The Cloud EPG App configuration isn't depicted for brevity but is similar to that of cloud EPG Web. However, it is tied to network-b and set with its own endpoint selector (custom: epg equals app).
On GCP, these policies get translated to dedicated ingress firewall rules and network tags for Web and App, as highlighted, using the following format: capic-<app-profile-name>-<epg-name>.
Note: the rebranding from Cloud APIC to Cloud Network Controller is covered in Part 1.
In the example below, cloud endpoints instantiated in GCP with labels matching the endpoint selectors are assigned to the network tags and firewall rules automated by Cisco CNC.
Associating Contracts to EPGs
Now, let's associate the web-to-app contract between the Web and App EPGs using the concept of consumer and provider to define the direction of the rules.
Upon associating the contract, additional ingress and egress firewall rules are programmed depending on the consumer and provider relationship specified. Specifically, these firewall rules are updated based on the security policies defined via contracts and filters. For brevity, all traffic is allowed, but granular filters can be added per requirements. On another note, these rules are only programmed once cloud endpoints matching the rules are instantiated.
Wait, what about peering between these VPCs? Since contract-based routing is enabled, the contract also drives routing by enabling the peering and auto-generating routes to each other accordingly.
Lastly, let's allow internet access to the web services residing on network-a by adding the internet-access contract between the Internet and Web EPGs.
As soon as the contract is associated, Cisco CNC adds an ingress firewall rule targeting the network tags that represent the Web EPG, which allows internet access to the endpoints behind it.
From this point on, internet access to web-server is allowed, as well as connectivity from the web-server to the app-server.
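To make the translation described above concrete, here is an added example (not Cisco CNC code) that models a CNC-style policy in Python: endpoint selectors assign network tags, and contracts become GCP-style firewall rules, with rules only produced once matching endpoints exist and VPC peering derived for cross-VRF contracts. The tag name follows the capic-<app-profile-name>-<epg-name> format from the post; everything else is an assumption: the application profile name app1, the rule name suffixes, the 0.0.0.0/0 subnet for the External EPG, and the layout of one ingress rule on the provider's tag plus one egress rule on the consumer's tag (egress rules in GCP can only name destination IP ranges, not tags, so the provider endpoints' addresses are used).

```python
"""Simplified model of translating EPGs, endpoint selectors and contracts
into GCP network tags, firewall rules and VPC peerings.
Added illustration, not Cisco CNC code; rule layout and names are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    ip: str
    labels: dict


@dataclass
class Epg:
    name: str
    vrf: str
    app_profile: str
    external: bool = False
    tag_match: dict = field(default_factory=dict)  # custom key/value selector
    subnet: str = ""                               # subnet selector (CIDR)

    @property
    def network_tag(self) -> str:
        # naming format stated in the post: capic-<app-profile-name>-<epg-name>
        return f"capic-{self.app_profile}-{self.name}"

    def matches(self, ep: Endpoint) -> bool:
        if self.subnet:
            return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(self.subnet)
        return bool(self.tag_match) and all(
            ep.labels.get(k) == v for k, v in self.tag_match.items())


@dataclass
class Contract:
    name: str
    consumer: str  # EPG name
    provider: str  # EPG name
    allowed: list  # filters, e.g. ["tcp:80"]; ["all"] allows all traffic


def assign_tags(epgs, endpoints):
    """Network tags each endpoint receives: one per internal EPG it matches."""
    return {ep.name: [e.network_tag for e in epgs.values()
                      if not e.external and e.matches(ep)] for ep in endpoints}


def translate(epgs, contracts, endpoints):
    """Return (firewall_rules, vpc_peerings) derived from the policy."""
    tags = assign_tags(epgs, endpoints)
    members = {e.name: [ep for ep in endpoints if e.network_tag in tags[ep.name]]
               for e in epgs.values()}
    rules, peerings = [], set()
    for c in contracts:
        cons, prov = epgs[c.consumer], epgs[c.provider]
        # rules are only programmed once endpoints matching both sides exist
        if (not cons.external and not members[cons.name]) or \
           (not prov.external and not members[prov.name]):
            continue
        # consumer -> provider direction: ingress rule on the provider's tag
        ingress = {"name": f"{c.name}-ingress", "direction": "INGRESS",
                   "network": prov.vrf, "targetTags": [prov.network_tag],
                   "allowed": c.allowed}
        if cons.external:
            ingress["sourceRanges"] = [cons.subnet]
        else:
            ingress["sourceTags"] = [cons.network_tag]
            # GCP egress rules take destination ranges, not tags (assumption: /32 per endpoint)
            rules.append({"name": f"{c.name}-egress", "direction": "EGRESS",
                          "network": cons.vrf, "targetTags": [cons.network_tag],
                          "destinationRanges": [f"{ep.ip}/32" for ep in members[prov.name]],
                          "allowed": c.allowed})
            if cons.vrf != prov.vrf:  # contract-based routing: peer the two VPCs
                peerings.add(tuple(sorted((cons.vrf, prov.vrf))))
        rules.append(ingress)
    return rules, sorted(peerings)


# constructed sample policy mirroring the post's scenario (app profile name assumed)
EPGS = {
    "web": Epg("web", "network-a", "app1", tag_match={"epg": "web"}),
    "app": Epg("app", "network-b", "app1", tag_match={"epg": "app"}),
    "internet": Epg("internet", "network-a", "app1", external=True, subnet="0.0.0.0/0"),
}
CONTRACTS = [
    Contract("web-to-app", consumer="web", provider="app", allowed=["all"]),
    Contract("internet-access", consumer="internet", provider="web", allowed=["tcp:80"]),
]
ENDPOINTS = [
    Endpoint("web-server", "172.16.1.2", {"epg": "web"}),
    Endpoint("app-server", "172.16.128.2", {"epg": "app"}),
]

if __name__ == "__main__":
    fw, peer = translate(EPGS, CONTRACTS, ENDPOINTS)
    for rule in fw:
        print(rule)
    print("peerings:", peer)
```

Running `translate` with only the web-server endpoint present yields just the internet-access ingress rule, which is the behaviour the post describes: the web-to-app rules (and the peering) appear only once an endpoint matching the App EPG is instantiated.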
root@web-server:/home/marinfer# ifconfig ens4
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
        inet 172.16.1.2  netmask 255.255.255.255  broadcast 172.16.1.2
        inet6 fe80::4001:acff:fe10:102  prefixlen 64  scopeid 0x20<link>
        ether 42:01:ac:10:01:02  txqueuelen 1000  (Ethernet)
        RX packets 19988  bytes 3583929 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17707  bytes 1721956 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@web-server:/home/marinfer# ping 172.16.128.2
PING 172.16.128.2 (172.16.128.2) 56(84) bytes of data.
64 bytes from 172.16.128.2: icmp_seq=1 ttl=64 time=58.3 ms
64 bytes from 172.16.128.2: icmp_seq=2 ttl=64 time=56.0 ms
64 bytes from 172.16.128.2: icmp_seq=3 ttl=64 time=56.0 ms
64 bytes from 172.16.128.2: icmp_seq=4 ttl=64 time=56.0 ms
Cloud Resources Visibility
Using a cloud-like policy model, Cisco CNC provides a topology and hierarchical view of cloud resources on a per-tenant basis with drill-down options. Moreover, application profile containers group together cloud EPGs and their associated contracts for easy visibility of policies and dependencies.
More granular visibility is provided all the way down to cloud endpoints. Firewall rules are also visible via the Cisco CNC GUI under Ingress and Egress Rules.
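Visibility in the controller shows the rules CNC intends; a complementary check on the GCP side is to confirm that nothing was changed out of band. The following added example (not Cisco CNC code) audits a firewall rule export in the shape produced by gcloud compute firewall-rules list --format=json and flags rules that target CNC-managed tags but were not created by CNC, or that open 0.0.0.0/0 ingress to a tag that has no External EPG contract. It assumes that CNC-created rules and tags both carry the capic- prefix stated in the post; the sample export, the tag names and the set of internet-facing tags are constructed.

```python
"""Drift check over exported GCP firewall rules touching CNC-managed tags.
Added illustration, not Cisco CNC code; sample export below is constructed."""
import json

CNC_PREFIX = "capic-"  # naming prefix stated in the post (assumed for rules and tags)


def audit(rules, internet_facing_tags):
    """Return (rule_name, finding) pairs for rules on CNC-managed network tags.

    internet_facing_tags: tags that legitimately receive 0.0.0.0/0 ingress,
    i.e. the provider of a contract with an External EPG (the Web EPG here)."""
    findings = []
    for r in rules:
        if r.get("disabled"):
            continue
        managed = {t for t in r.get("targetTags", []) if t.startswith(CNC_PREFIX)}
        if not managed:
            continue  # not one of the automated tags; out of scope
        # a rule on a CNC tag that does not carry the CNC name was added out of band
        if not r["name"].startswith(CNC_PREFIX):
            findings.append((r["name"], "rule on CNC-managed tag not created by CNC"))
        wide_open = "0.0.0.0/0" in r.get("sourceRanges", [])
        if r["direction"] == "INGRESS" and wide_open and not managed <= internet_facing_tags:
            findings.append((r["name"], "0.0.0.0/0 ingress to tag without internet contract"))
        # an internet-facing rule should still carry a filter, not all protocols
        if wide_open and any(a.get("IPProtocol") == "all" for a in r.get("allowed", [])):
            findings.append((r["name"], "all protocols allowed from 0.0.0.0/0"))
    return findings


# constructed sample export; first two rules are the expected automated ones
SAMPLE_EXPORT = json.loads("""[
  {"name": "capic-app1-web-internet", "direction": "INGRESS", "network": "network-a",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["capic-app1-web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
  {"name": "capic-app1-app-ingress", "direction": "INGRESS", "network": "network-b",
   "sourceTags": ["capic-app1-web"], "targetTags": ["capic-app1-app"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-ssh-everyone", "direction": "INGRESS", "network": "network-b",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["capic-app1-app"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "capic-app1-web-anyall", "direction": "INGRESS", "network": "network-a",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["capic-app1-web"],
   "allowed": [{"IPProtocol": "all"}]}
]""")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT, {"capic-app1-web"}):
        print(f"{name}: {finding}")
```

Only the first two rules match the policy described in this post; the third is a manually added rule on an automated tag, and the fourth exposes the Web tag to all protocols from the internet, which the contract's filters would normally narrow.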
Summary
Defining and managing security policies can be challenging, which may result in increased operational overhead and policy inconsistency. Besides automating and giving more visibility into firewall rules in GCP, Cisco CNC also provides an additional layer of governance from a centralized management plane.
Part 3 completes this blog series by showing how Cisco Cloud Network Controller builds and automates external cloud connectivity from and to GCP.
Resources
Cisco Cloud Network Controller for Google Cloud Installation Guides
Cisco Cloud Network Controller for Google Cloud User Guides
Blog Series: Introducing Cisco Cloud Network Controller on Google Cloud Platform
Part 1: Native Cloud Networking Automation
Part 3: External Cloud Connectivity Automation – Coming Soon