One of the ‘Holy Grails’ of on-premises (or private cloud) and public cloud delivery is allowing these disparate environments to function in the same management and networking domains. Done manually, the process is labyrinthine: it involves many individual components and policies that cannot be managed centrally, which makes deployment and ongoing support a daunting prospect.
ACI (Application Centric Infrastructure) Anywhere is a logical multi-cloud SDN extension of the ACI Multi-Site Orchestrator (MSO). MSO is the software component used to deploy Multi-Site ACI, and it is responsible for ensuring that the ACI fabric in each data centre has the same policies and objects created. Think of MSO as the glue that takes two entirely independent fabrics (each with its own failure domain) and makes them function as a single entity, whether on-premises to cloud or cloud to cloud, including seamless region-to-region operation inside the same cloud provider.
With ACI Anywhere the same MSO performs this function across multiple cloud IaaS providers, ensuring that functions such as security enforcement policies and workload analytics are applied automatically and remain visible, while the underlying network acts as a secure cloud interconnect that is managed as a single entity.
MSO uses APIs to communicate with the ACI fabric APICs (Application Policy Infrastructure Controllers) and with the fabrics of the various cloud providers, so MSO provides a single pane of glass for managing not only the private cloud (ACI) but the public cloud as well.
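Since MSO's job is to keep the same policy objects on every fabric, a practitioner will want an independent check that this is actually true. The following added example (not Cisco's or MSO's code) pulls the contract objects (class vzBrCP) from two APICs via the standard APIC REST API (aaaLogin and class queries are real endpoints) and reports any contract that exists on only one site; the two sample responses embedded below are constructed, and the site URLs and credentials are placeholders.

```python
"""Policy-parity audit across two ACI fabrics (added example, not Cisco's code).

Uses the real APIC REST endpoints /api/aaaLogin.json and /api/class/<cls>.json.
The SITE_A / SITE_B responses below are constructed samples; the URLs and
credentials in __main__ are placeholders.
"""
import json
import ssl
import urllib.request


def apic_login(base_url, user, pwd):
    """POST /api/aaaLogin.json and return the session token."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(base_url + "/api/aaaLogin.json", data=body, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_class_query(base_url, token, cls):
    """GET /api/class/<cls>.json and return the imdata list of objects."""
    req = urllib.request.Request(base_url + f"/api/class/{cls}.json",
                                 headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["imdata"]


def contract_dns(imdata):
    """Distinguished names of the contracts (vzBrCP) in one class-query result."""
    return {obj["vzBrCP"]["attributes"]["dn"] for obj in imdata if "vzBrCP" in obj}


def policy_drift(site_a, site_b):
    """Contracts present on one site but not the other; two empty lists means parity."""
    a, b = contract_dns(site_a), contract_dns(site_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


# Constructed sample responses, shaped like /api/class/vzBrCP.json output (trimmed).
# Site B carries an extra "mgmt-any" contract: exactly the kind of drift that breaks
# the "identical policy enforcement" guarantee and deserves an alert.
SITE_A = [{"vzBrCP": {"attributes": {"dn": "uni/tn-prod/brc-web-to-db", "name": "web-to-db"}}},
          {"vzBrCP": {"attributes": {"dn": "uni/tn-prod/brc-app-to-db", "name": "app-to-db"}}}]
SITE_B = [{"vzBrCP": {"attributes": {"dn": "uni/tn-prod/brc-web-to-db", "name": "web-to-db"}}},
          {"vzBrCP": {"attributes": {"dn": "uni/tn-prod/brc-mgmt-any", "name": "mgmt-any"}}}]

if __name__ == "__main__":
    # Live use (placeholder URLs/credentials): replace the sample lists with class queries.
    # tok = apic_login("https://apic-site-a.example", "admin", "***")
    # SITE_A = apic_class_query("https://apic-site-a.example", tok, "vzBrCP")
    print(json.dumps(policy_drift(SITE_A, SITE_B), indent=2))
```

The same comparison can be extended to other policy classes (EPGs, filters, bridge domains) by changing the class name and the key used in contract_dns.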
ACI Anywhere can quickly deploy a cloud fabric, including networking and security components that are indistinguishable from those in the private cloud. This removes one of the blockers that stops organisations from fully leveraging a truly seamless hybrid cloud: the operational, configurational and management complexity. With ACI Anywhere, seamless fabrics can be automated and stood up on demand from a single intuitive GUI.
APIC has a cloud-hosted version, imaginatively titled Cloud APIC, available from the marketplace of each cloud provider. The Cloud APIC is usually deployed automatically by the MSO and configured through RESTful northbound APIs. At least one Cloud APIC is required per cloud provider. The Cloud APIC is responsible for translating ACI policy into the cloud provider's fabric.
The Cloud APIC does not strictly need the private cloud element (on-premises ACI) to function; using it to provide seamless multi-cloud across cloud provider IaaS alone is a perfectly valid use case. That said, a hybrid cloud architecture is recommended to truly realise the power of ACI Anywhere and the cost savings it provides.
As the network layer underpinning this process, ACI Anywhere leverages the popular CSR 1000v (a staple of many cloud deployments) as the fabric underlay. With support for IPsec (DMVPN), VXLAN, MP-BGP EVPN and anycast gateway, the CSR 1000v provides seamless IP mobility options for virtualised environments. The CSR 1000vs are usually deployed automatically by the MSO and configured using NETCONF.
To stitch the private and public clouds together seamlessly, the following technologies are used as overlays, all configured by the Cloud APIC, which abstracts the complexity involved:
The flexibility of the networking stack makes true cloud-based VM mobility possible: VMs can be hosted and addressed in the same way whether they sit physically (from a hypervisor point of view) in the private cloud or the public cloud. I’d strongly recommend that SD-WAN be used as an underlay for all multi-cloud connections. With SD-WAN, ACI Anywhere can leverage many additional benefits such as policy-based best path selection and seamless fabric integration with the major cloud providers, including SaaS providers (O365, Salesforce, ServiceNow, etc.) and IaaS providers.
Thanks to the flexibility of ACI Anywhere, applications can be deployed seamlessly across multiple cloud vendors while maintaining identical policy enforcement and networking stacks.