CloudOps Overview

Cisco offers a cloud-hosting subscription for Cisco SD-WAN controllers such as Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller that simplifies and accelerates Cisco SD-WAN deployment, while reducing the cost of running these controllers yourself. The cloud deployment model also includes monitoring services for the instances and advanced analytics.

About This Guide

This guide describes the Cisco-managed, cloud-hosted Cisco SD-WAN controller, as well as its capabilities and services. This guide details the cloud infrastructure hosting processes, responsibilities, and recommendations.

Audience

The audience for this document includes network design engineers and network operators who want to purchase or deploy the cloud-based subscription options for Cisco SD-WAN.

Solution Design

About This Solution

When you choose a cloud-based subscription for your Cisco SD-WAN controllers, Cisco deploys the Cisco SD-WAN controllers, specifically Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller, on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller are deployed in the primary cloud region and an additional Cisco vBond Orchestrator and Cisco vSmart Controller are deployed in the secondary or backup region.

Figure 1. Solution Architecture

Supported Clouds and Cloud Regions

The following are the supported Clouds and Cloud regions for Cisco SD-WAN Controller deployments:

  • Amazon Web Services

    • US East (Northern Virginia) Region

    • US West (Northern California) Region

    • US West (Oregon) Region

    • US West (Washington) Region

    • Canada (Central) Region

    • EU—Ireland, Frankfurt, London

    • Australia—Sydney

    • West India—Mumbai

    • South East Asia—Singapore

    • Japan East—Tokyo

    • Japan West—Seoul

    • Brazil South—Sao Paulo State

  • Microsoft Azure

    • East US—Virginia

    • West US—California, Washington

    • North Europe—Ireland

    • West Europe—Netherlands

    • UK South—London

    • France Central—Paris

    • Australia—Sydney

    • Australia—Melbourne

    • South East Asia—Singapore

    • West India—Mumbai

    • Japan East—Tokyo

    • Brazil South—Sao Paulo State

Order Cloud-Hosted Controllers

Role of Cisco Plug and Play

Cisco Plug and Play replaces the legacy process of Cisco SD-WAN Salesforce (SFDC).

Refer to the following guide for information about Cisco SD-WAN Plug and Play:

Getting Access to the Cisco SD-WAN Cloud-Hosted Controllers for Sales Orders

Cisco SD-WAN Cloud Infra team creates the Cisco SD-WAN Cloud-hosted controllers for a Sales Order. The following conditions must be met:

  1. The Sales Order includes the cloud subscription licenses.

  2. Cisco SD-WAN items in the sales order are marked as Shipped.

  3. The Sales Order is assigned to an active Smart Account and a Virtual Account within that Smart Account.

EA Ordering

To request overlay for Cisco SD-WAN Enterprise Agreements (EA) customers:

  1. Log in to the EA Workspace and select the Cisco DNA for Routing Suite.

  2. For Cloud (Overlay Spin up), select Advantage/Premier Cloud.

    The Request Provisioning for Advantage Cloud window displays.

  3. Fill out the subsequent fields marked with “*” and complete the remaining Renew screens.

Once the request is placed, the Cloud Ops team is informed and the request is processed.

AAA Server Integration for Cloud Controllers

There are certain cases where the enterprise may not want to access the controllers over the internet for management or other access, even though the edge site nodes create their tunnels over the internet. In such cases, the requirement may involve making the management IP addresses of the controllers available from within the Cisco SD-WAN fabric, for example, to set up AAA/TACACS login to the controllers from within the enterprise. In such cases, you need to share a /26 prefix for each of the two regions in which the controllers are deployed. These IP prefixes are used to create the controllers, and the subnets can then be configured to be reachable within the Cisco SD-WAN fabric.

Whitelist IP Addresses

Cisco-managed cloud-hosted controllers are closed for management access by default. To allow an enterprise to connect to the controllers, you need to provide your enterprise public IP address space to be whitelisted. You may also request that the whitelisting be limited to only the HTTPS or SSH ports. By default, Cisco whitelists the given IP prefixes for all ports and protocols.

The whitelist is applied to all the network interfaces of all the controllers that have public IPs. To update or view the whitelist applied to your cloud-hosted controller set, open a case with Cisco TAC.

To add, delete, or modify the cloud security group whitelist using CloudOps, provide the following information:

  • Overlay/VA name

  • Cisco vManage IP/FQDN

  • Prefixes/Rules (for vManage GUI access) that need to be added, deleted, or modified in the whitelist

  • IP address

  • Whether to whitelist the IP address for all traffic or for selected traffic only (for example, HTTPS, SSH, and so on). By default, IP addresses are whitelisted for all traffic.
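Before a prefix list goes into a TAC case, it is worth checking it locally: the AAA section above asks for one /26 per region, and the whitelist section opens the given prefixes for all ports and protocols unless you ask for HTTPS or SSH only. The following is an added example (not Cisco's tooling or code from this guide) that validates both kinds of request using only the Python standard library. The RFC 1918 check, the "too broad" threshold, and the mapping of the page's "https" and "ssh" to ports 443 and 22 are assumptions made for the example.

```python
import ipaddress

# Ports behind the page's "https or ssh" wording (assumption for this example).
SERVICE_PORTS = {"https": 443, "ssh": 22}

# RFC 1918 space; used instead of ipaddress.is_private so the result does not
# depend on the Python version's notion of "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_rfc1918(net):
    return any(net.overlaps(p) for p in RFC1918)


def validate_management_prefixes(prefixes):
    """Check the per-region prefixes shared for AAA/TACACS reachability.

    The page asks for a /26 per region for two regions. Requiring the prefixes
    to be RFC 1918 and non-overlapping is an assumption about a sensible
    request, not a rule stated by the page. Returns a list of problems.
    """
    problems, nets = [], []
    for p in prefixes:
        try:
            net = ipaddress.ip_network(p, strict=True)
        except ValueError as exc:
            problems.append(f"{p}: not a valid network ({exc})")
            continue
        if net.prefixlen != 26:
            problems.append(f"{p}: expected a /26, got /{net.prefixlen}")
        if not _in_rfc1918(net):
            problems.append(f"{p}: management prefix should be private (RFC 1918) space")
        nets.append(net)
    if len(nets) != 2:
        problems.append(f"expected exactly 2 prefixes (one per region), got {len(nets)}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def validate_whitelist_request(entries, max_hosts=65536):
    """Normalize a whitelist request.

    entries: list of (prefix, services); services is None for the page's
    default of "all traffic", or a list such as ["https", "ssh"].
    Returns (rules, problems) where rules is a list of (prefix, ports) and
    ports is "all" or a sorted list of TCP ports.
    """
    rules, problems = [], []
    for prefix, services in entries:
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError as exc:
            problems.append(f"{prefix}: not a valid network ({exc})")
            continue
        if _in_rfc1918(net):
            # The controllers' public interfaces cannot be reached from private space.
            problems.append(f"{prefix}: private (RFC 1918) prefix; whitelist needs your public space")
        if net.num_addresses > max_hosts:
            problems.append(f"{prefix}: too broad ({net.num_addresses} addresses)")
        if services is None:
            ports = "all"  # the page's default: every port and protocol
        else:
            unknown = [s for s in services if s.lower() not in SERVICE_PORTS]
            if unknown:
                problems.append(f"{prefix}: unknown service(s) {unknown}")
                continue
            ports = sorted(SERVICE_PORTS[s.lower()] for s in services)
        rules.append((str(net), ports))
    return rules, problems


if __name__ == "__main__":
    # Constructed sample request using documentation prefixes (RFC 5737).
    print(validate_management_prefixes(["10.10.0.0/26", "10.10.0.64/26"]))
    print(validate_whitelist_request([("203.0.113.0/24", None),
                                      ("198.51.100.10/32", ["https", "ssh"])]))
```

Run it against the prefixes you intend to submit; an empty problem list for the management prefixes and an empty problem list plus the expected port sets for the whitelist means the request matches what the page describes.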

Web Server Certificates

Cisco does not issue web server certificates for Cisco vManage. It is recommended that you generate a CSR for your DNS name and have it signed by your own CA.

The controller certificates issued by Cisco are for the controllers to use internally. You cannot use these certificates to issue web server certificates.

For more information, see Web Server Certificates section in the Getting Started Guide.

Cisco Cloud Hosted Controller Snapshots

The Cisco Cloud Infra team takes regular backup snapshots of the cloud-hosted Cisco vManage disks because Cisco vManage is a stateful machine. The frequency and retention of the Cisco vManage disk snapshots must be set per overlay, for all production overlays. The snapshot frequency is between one and four days. Ten snapshots can be stored at any given point.


Note

Since Cisco vBond Orchestrator and Cisco vSmart Controller are stateless, snapshots of them are not captured. Use Cisco vManage templates to configure and save the Cisco vBond Orchestrator and Cisco vSmart Controller settings.



Note

Be aware of the implications of changing the configs on cloud-hosted controllers before you make the change. Changing Static IP or IP route may result in network connectivity loss. You may have to revert to a previous snapshot to reconnect.


You cannot download the snapshots. However, you can freely download the configuration-db backup file from Cisco vManage. Using the command request nms configuration-db, you can save the configuration but not the statistics.

Monitor the Cisco SD-WAN Cloud-Hosted Controllers

The cloud-hosted controller monitoring feature monitors the health of the Cisco SD-WAN controllers in the following two ways:

  • Infrastructure monitoring of the following:

    • High CPU, memory, or disk utilization.

    • Loss of connectivity to network interfaces.

    • Failure to reach instances.

  • Service monitoring of the following:

    • Expiration of controller SSL certificates.

    • Availability of the Cisco vManage web server.

    • Loss of connectivity to the controllers.


Note

The cloud monitoring is performed as part of the Cisco SD-WAN cloud-hosting services to ensure the availability of the Cisco SD-WAN controllers. By default, Cisco vManage is configured with a user called viptelatac that has operator privileges. Cisco uses this user to monitor the health of Cisco SD-WAN. As a result, the Cisco vManage audit log displays periodic logins from the monitoring system using the viptelatac user. This user allows the monitoring service to access Cisco vManage; the monitoring service uses REST APIs to collect health information from Cisco vManage.


To disable the cloud monitoring system, you can open a Cisco TAC case to request that the cloud infrastructure team disable it. Once the monitoring is disabled, you can disable the viptelatac user.
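Because the viptelatac logins are expected, the useful audit-log check is not "did viptelatac log in" but "did viptelatac log in in a way the page does not describe": from a source that is not the monitoring system, interactively rather than through the REST API, unsuccessfully, or at all after you have had monitoring disabled and should have disabled the account. The following is an added example, not Cisco code and not the real Cisco vManage audit-log format: the log line layout, the sample lines, and the monitoring source prefix 203.0.113.0/24 are all constructed placeholders that you would replace with the format and source addresses you actually observe.

```python
import ipaddress
import re

MONITOR_USER = "viptelatac"
# Placeholder for the monitoring system's source prefixes; not a value from the page.
MONITOR_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed key=value log layout for this example; the real audit log differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<via>\S+) result=(?P<result>\S+)$"
)

# Constructed sample audit log: two normal API polls, then three anomalies
# and one unrelated admin login.
SAMPLE_LOG = """\
2024-03-01T00:00:00Z user=viptelatac src=203.0.113.7 via=api result=success
2024-03-01T00:05:00Z user=viptelatac src=203.0.113.7 via=api result=success
2024-03-01T00:07:12Z user=viptelatac src=198.51.100.9 via=api result=success
2024-03-01T00:09:30Z user=viptelatac src=203.0.113.7 via=ssh result=success
2024-03-01T00:10:00Z user=admin src=192.0.2.10 via=gui result=success
2024-03-01T00:11:00Z user=viptelatac src=203.0.113.7 via=api result=failure
"""


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_monitor_logins(log_text, monitoring_enabled=True):
    """Flag viptelatac logins that deviate from the behaviour the page describes.

    Returns a list of (timestamp, source, via, reasons). With monitoring_enabled
    False, every viptelatac login is flagged, since the account should have been
    disabled once Cisco stopped using it.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] != MONITOR_USER:
            continue
        src = ipaddress.ip_address(ev["src"])
        reasons = []
        if not monitoring_enabled:
            reasons.append("monitoring disabled; viptelatac account should be disabled")
        if not any(src in net for net in MONITOR_SOURCES):
            reasons.append("source outside monitoring prefixes")
        if ev["via"] != "api":
            reasons.append("interactive login; monitoring uses REST APIs only")
        if ev["result"] != "success":
            reasons.append("failed login")
        if reasons:
            findings.append((ev["ts"], str(src), ev["via"], reasons))
    return findings


if __name__ == "__main__":
    for f in review_monitor_logins(SAMPLE_LOG):
        print(f)
```

Run over the sample, the two routine API polls produce nothing, while the login from 198.51.100.9, the SSH login, and the failed API login are each reported with their reason; with `monitoring_enabled=False` all five viptelatac lines are reported.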

Renew Cisco SD-WAN SSL Certificates for Controllers

Signed certificates are used to authenticate devices in the overlay network. Once authenticated, devices can establish secure sessions between each other. You can generate the certificates using Cisco vManage and install them on the controller devices—Cisco vManage, Cisco vBond Orchestrator, and Cisco vSmart Controller. You can use certificates signed by Symantec/CISCO PKI (for Cisco SD-WAN Releases 19.1, 19.2, and 19.3), or you can use enterprise root certificates.

The controller certificate authorization settings configure the certificate generation process for all controller devices.


Note

Select the certificate-generation method only once. The method you select is automatically applied each time you add a device to the overlay network.


vAnalytics

To enable vAnalytics for a customer overlay:

Please open a support case with the following information:

  • Customer Name:

  • Org-Name (Mandatory, as configured in vManage):

  • Cisco SD-WAN Sales Account Manager contact:

  • Subscription/ License Type:

  • Approved by (Customer contact):

  • Customer Email:

  • Approved on (Date):

Pen Test

You can conduct pen tests (penetration testing) for the Cisco SD-WAN solution by following the process at https://aws.amazon.com/security/penetration-testing/.


Note

Pen testing is not allowed for Cisco vSmart Controllers that run in a container. If you want to conduct a pen test in that case, you can have the container-based vSmart replaced with a dedicated vSmart instance instead.


Move overlays

To move an overlay from one Smart Account (SA) or Virtual Account (VA) to another SA/VA:

  • Provide source SA/VA and destination SA/VA details to the TAC.

  • The overlay owner/SE must open a TAC case for the migration.

  • There is no expected downtime for the migration.

You can move the devices to the new SA/VA or you can get assistance from PNP team at cdap-support@cisco.com.

The functionality of the overlay and the following details do not change as a result of the migration:

  1. Organization name

  2. vBond/vManage/vSmart DNS name

  3. All current public IPs assigned to all controllers

  4. Whole vManage configuration including certificates

  5. Current whitelisted IPs

Post migration, you must update the Smart account credentials configured on the Cisco vManage.

Open a Support Case

To open a Support Case:

  1. Go to support case.

  2. Open New Case > Products & Services > Open Case.

  3. Enter appropriate entitlement information and the serial number of the WAN Edge device.

  4. Select Next and enter case details.

  5. Manually select Technology > Search for appropriate Sub Tech keyword. For example,

    • Technology: Software Defined Wide Area Networking (SDWAN)

    • SubTechnology: SDWAN Cloud Infra