Requirements for Extending the Cisco ACI Fabric to the Public Cloud
Before you can extend the Cisco Application Centric Infrastructure (ACI) to the public cloud, you must meet requirements for the Cisco ACI on-premises datacenter and the Amazon Web Services (AWS) deployment.
Requirements for the On-Premises Data Center
This section lists the on-premises data center requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
-
Ensure that the Cisco ACI fabric is installed with the following components:
-
At least two Cisco Nexus EX or FX spine switches, or Nexus 9332C and 9364C spine switches, running Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
-
At least two Cisco Nexus pre-EX, EX, or FX leaf switches running the Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
Note
Even though Cisco Nexus pre-EX leaf switches are supported, we recommend using later-generation leaf switches, such as EX or FX leaf switches, due to the End-of-Life announcement for these older pre-EX leaf switches as described in End-of-Sale and End-of-Life Announcement for the Cisco Nexus 9372PX and 9372TX Switches.
-
At least one on-premises Cisco Application Policy Infrastructure Controller (APIC) running release 4.1 or later and Cisco Nexus Dashboard Orchestrator (NDO) Release 2.2(x) or later.
-
-
Cisco Nexus Dashboard Orchestrator 2.2(x) deployed with basic configuration.
-
A router capable of terminating Internet Protocol Security (IPsec).
-
You need to make sure that you have enough bandwidth for tenant traffic between on-premises and cloud sites.
-
Verify that all leaf switches on the on-premises sites have the appropriate Cisco ACI license:
-
If the Cisco ACI on-premises site is a single site, then use the Essentials license tier (or higher) for the on-premises leaf switches
-
If the Cisco ACI on-premises site is a multi-site, then use the Advantage license tier (or higher) for the on-premises leaf switches
Note
These licensing requirements for the on-premises data center are independent of the number of Cisco Cloud Network Controllers deployed on public clouds. For Cisco Cloud Network Controller licensing requirements, see Cisco Cloud Network Controller and On-Premises ACI Licensing Summary.
-
-
Workloads that are connected to the Cisco ACI fabric.
-
An intersite network (ISN) that is configured between the Cisco ACI fabric (spine) and the IP Security (IPsec) termination device.
For information about creating an ISN, see the "Multipod" chapter of the Cisco APIC Layer 3 Networking Configuration Guide.
-
Certain firewall ports must be permitted if you are deploying firewalls between your on-premises and AWS deployments. These include HTTPS access for the Cisco Cloud Network Controller, IPsec ports for each AWS CCR, and SSH connectivity for AWS CCR remote management.
These firewall ports are described in more detail in Cisco Cloud Network Controller Communication Ports in this guide.
Requirements for the AWS Public Cloud
This section lists the Amazon Web Services (AWS) requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
AWS Accounts
You need one AWS account for the infra tenant, and you need atleast one AWS account for each user tenant.
Note |
You can run only one Cloud Network Controller in the infra account. Running multiple Cloud Network Controllers in the same infra account is not supported. |
For example, if you want to create two user tenants, you need at least three AWS accounts. You must have one account for each user tenant and one account for the infra tenant. The user tenant can be trusted or untrusted. For details, see the section Setting Up the AWS Account for the User Tenant in this guide.
Note |
Beginning with 26.0(2), support is now available for having multiple cloud accounts under a single tenant. For more information, see Tenants. |
AWS Resources
You need the following resources as part of the AWS deployment:
-
Access to the Cisco APIC 5.0 Amazon Machine Image (AMI).
Note
To have access to the AMI, you must subscribe to the Cisco Cloud Network Controller in the Amazon Marketplace.
-
Two instances of Elastic Cloud Computer (EC2), which function as virtual machines (VM) for applications running in the cloud.
-
Virtual Private Clouds (VPCs), subnets, a virtual private gateway (VGW), an Internet gateway (IGW), security groups, and resources that are based on tasks you plan to perform.
CCR
There are two types of licensing models available:
-
BYOL (Bring Your Own License)
-
PAYG (Pay as You Go)
BYOL
Subscribe to the CCR Bring Your Own License (BYOL) through the AWS Marketplace. See Cisco Cloud Network Controller Licensing for more information.
Deploy the CCRs in the appropriate size, depending on the bandwidth requirement defined during the Cisco Cloud Network Controller setup.
The value for the throughput of the routers determines the size of the CCR instance that you deploy; a higher value for the throughput results in the deployment of a larger VM. CCR licensing is based on the throughput configuration that you set as part of the Cisco Cloud Network Controller setup process. You need the equivalent or higher license in your Smart account and the AX feature set for compliance.
Make sure that your AWS account has an allowed limit to deploy the instances. You can check your account instance limits in the AWS Management Console: .
The Cisco Catalyst 8000V supports tier-based (T0/T1/T2/T3) throughput options. The following table lists what AWS EC2 instance is used for different router throughput settings for the Cisco Catalyst 8000V:
|
CCR Throughput |
AWS EC2 Instance |
|---|---|
|
T0 (up to 15M throughput) |
c5.xlarge |
|
T1 (up to 100M throughput) |
c5.xlarge |
|
T2 (up to 1G throughput) |
c5.xlarge |
|
T3 (up to 10G throughput) |
c5.9xlarge |
Tier2 (T2) is the default throughput supported by Cisco Cloud Network Controller.
PAYG
Cisco Cloud Network Controller will support a range of AWS EC2 instances for cloud networking needs powered by Cisco’s Catalyst 8000V virtual router. The table below shows the cloud instance type supported by Cisco Cloud Network Controller on AWS.
|
AWS EC2 Instance |
CCR Throughput |
vCPUs |
Memory |
|---|---|---|---|
|
c5.xlarge |
up to 5 Gigabit throughput |
4 |
8 GiB |
|
c5.2xlarge |
up to 10 Gigabit throughput |
8 |
16 GiB |
|
c5.4xlarge |
up to 10 Gigabit throughput |
16 |
32 GiB |
|
c5.9xlarge |
up to 10 Gigabit throughput |
36 |
72 GiB |
|
c5n.xlarge |
up to 25 Gigabit throughput |
4 |
10.5 GiB |
|
c5n.2xlarge |
up to 25Gigabit throughput |
8 |
21 GiB |
|
c5n.4xlarge |
up to 25 Gigabit throughput |
16 |
42 GiB |
|
c5n.9xlarge |
up to 50 Gigabit throughput |
36 |
96 GiB |
Changing the value in the VM Type field in the First Time Setup changes the other factors of the CCR as listed in the table above. Choosing a higher value for the VM size results in higher throughput.
Elastic IP Addresses
Make sure that you have at least nine elastic IP addresses in the region where the infra VPC is deployed.
You need one elastic IP address for Cisco Cloud Network Controller and four for each CCR. Make sure that your account in the region of deployment is allowed nine or more elastic IP addresses. If it is not, raise an AWS case to increase the number of elastic IP addresses. We recommend ten or more.
Note |
The addresses must not be disassociated elastic IP address. You need enough resources for nine new elastic IP addresses. If you have unused elastic IP addresses, you can release them. |
Cisco Cloud Network Controller
Cisco Cloud Network Controller is deployed using the m5.2xlarge AWS instance.
Make sure that your account has limits that are allowed to deploy this instance. You can check the limits in the AWS Management Console: .
You can also see how many elastic IP addresses that are used in the AWS Management Console: .
Feedback