Requirements for Extending the Cisco ACI Fabric to the Public Cloud
Before you can extend the Cisco Application Centric Infrastructure (ACI) to the public cloud, you must meet requirements for the Cisco ACI on-premises datacenter and the Microsoft Azure deployment.
Requirements for the On-Premises Data Center
This section lists the on-premises data center requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
-
Ensure that the Cisco ACI fabric is installed with the following components:
-
At least two Cisco Nexus EX or FX spine switches, or Nexus 9332C and 9364C spine switches, running Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
-
At least two Cisco Nexus pre-EX, EX, or FX leaf switches running the Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
Note
Even though Cisco Nexus pre-EX leaf switches are supported, we recommend using later-generation leaf switches, such as EX or FX leaf switches, due to the End-of-Life announcement for these older pre-EX leaf switches as described in End-of-Sale and End-of-Life Announcement for the Cisco Nexus 9372PX and 9372TX Switches.
-
At least one on-premises Cisco Application Policy Infrastructure Controller (APIC) running release 4.1 or later and Cisco Nexus Dashboard Orchestrator (NDO) Release 2.2(x) or later.
-
-
Cisco Nexus Dashboard Orchestrator 2.2(x) deployed with basic configuration.
-
A network device capable of terminating Internet Protocol Security (IPsec).
-
Verify that you have enough bandwidth for tenant traffic between on-premises and cloud sites.
-
Verify that all leaf switches on the on-premises sites have the appropriate Cisco ACI license:
-
If the Cisco ACI on-premises site is a single site, then use the Essentials license tier (or higher) for the on-premises leaf switches
-
If the Cisco ACI on-premises site is a multi-site, then use the Advantage license tier (or higher) for the on-premises leaf switches
Note
These licensing requirements for the on-premises data center are independent of the number of Cloud APICs deployed on public clouds. For Cloud APIC licensing requirements, see Cisco Cloud APIC and On-Premises ACI Licensing Summary.
-
-
Workloads that are connected to the Cisco ACI fabric.
-
An intersite network (ISN) that is configured between the Cisco ACI fabric (spine) and the IP Security (IPsec) termination device.
For information about creating an ISN, see the "Multipod" chapter of the Cisco APIC Layer 3 Networking Configuration Guide.
-
Certain firewall ports must be permitted if you are deploying firewalls between your on-premises and Azure deployments. These include HTTPS access for the Cisco Cloud APIC, IPsec ports for each Azure CCR, and SSH connectivity for Azure CCR remote management.
These firewall ports are described in more detail in Cloud APIC Communication Ports in this guide.
Requirements for the Azure Public Cloud
This section lists the Microsoft Azure requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
Azure Accounts
You must have at least one Azure account. You will then create a subscription in your Azure account, where you can choose to deploy multiple tenants within the same subscription or you can create multiple subscriptions for the tenants.
Azure Quota Limits
Verify that you have the appropriate Azure quota limits:
-
Navigate to Subscriptions > Settings: Usage + quotas.
-
In the Select a provider field, select:
-
Microsoft.Compute
-
Microsoft.Network
-
-
In the Select a location field, select your region (for example, West US).
-
In the last field, change Show only items with usage to Show all.
Output similar to the following appears. Use this output to verify that you have the appropriate Azure quota limits.
Azure Resources
You need the following resources as part of the Azure deployment:
-
Access to the Azure Marketplace offer. Locate the Cisco Cloud APIC offer on the Azure Marketplace and follow the steps in that page:
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco-aci-cloud-apic
-
The following cloud resource requirements (assumes one tenant, one VRF):
Resource Name
Resource Type
Minimum Requirement
Virtual Networks
Network
2
Static Public IP Addresses
Network
9
Network Security Groups
Network
5
Application Security Groups
Network
5
Application Gateways
Network
1
Virtual Machines
Compute
3
Standard DSv2 Family vCPUs
Compute
16
Standard DSv3 Family vCPUs
Compute
8
Premium Storage Managed Disks
Compute
4
Azure Resource Providers
For every subscription that you use with the Cloud APIC, including for tenants that have subscriptions that you might add later, you must register the following resource providers:
-
microsoft.insights
-
Microsoft.EventHub
-
Microsoft.Logic
-
Microsoft.ServiceBus
For more information, see Registering the Necessary Resource Providers.
CCR
Deploy the CCRs in the appropriate size, depending on the bandwidth requirement defined during the Cisco Cloud APIC setup.
The value for the throughput of the routers determines the size of the CCR instance that you deploy; a higher value for the throughput results in the deployment of a larger VM. CCR licensing is based on the throughput configuration that you set as part of the Cisco Cloud APIC setup process. You need the equivalent or higher license in your Smart account and the AX feature set for compliance.
Cisco Cloud Services Router 1000v
The following table lists what Azure VM sizes are needed for different router throughput settings for the Cisco Cloud Services Router 1000v:
CSR Throughput |
Azure VM Size |
Premium Storage |
Accelerated Networking |
---|---|---|---|
Up to 1 GB |
DS3_v2 |
Yes |
On |
1 GB - 5 GB |
DS4_v2 |
Yes |
On |
Beginning with Release 5.1(2), up to 40G throughput is supported by version 17.3 CSRs for the Cisco Cloud Services Router 1000v. The maximum throughput a CSR supports depends on the instance type. For achieving 40G throughput, a minimum of eight CSRs are required.
The following table lists the number of CSRs required and the instance type to achieve 40G throughput (per region):
Throughput per CSR |
CSR Instance Type |
Number of CSRs |
---|---|---|
5 Gbps |
F16s_v2 |
8 |
Cisco Catalyst 8000V
The Cisco Catalyst 8000V supports tier-based (T0/T1/T2/T3) throughput options. The following table lists what Azure VM sizes are needed for different router throughput settings for the Cisco Catalyst 8000V:
CCR Throughput |
Azure VM Size |
---|---|
T0 (up to 15M throughput) |
DS3_v2 |
T1 (up to 100M throughput) |
DS3_v2 |
T2 (up to 1G throughput) |
DS3_v2 |
T3 (up to 10G throughput) |
F16s_v2 |
Tier2 (T2) is the default throughput supported by Cisco Cloud APIC.
Cisco Cloud APIC
Cisco Cloud APIC is deployed using Standard_D8s_v3.