Requirements for Extending the Cisco ACI Fabric to the Public Cloud
Before you can extend the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud, you must meet the requirements for both the Cisco ACI on-premises data center and the Amazon Web Services (AWS) deployment.
Requirements for the On-Premises Data Center
This section lists the on-premises data center requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
- Ensure that the Cisco ACI fabric is installed with the following components:
  - At least two Cisco Nexus EX or FX spine switches, or Nexus 9332C and 9364C spine switches, running Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
  - At least two Cisco Nexus pre-EX, EX, or FX leaf switches running Cisco Nexus 9000 Series ACI Mode switch software release 14.1 or later.
  - At least one Cisco Application Policy Infrastructure Controller (APIC) running release 4.1 or later and Cisco ACI Multi-Site Orchestrator (MSO) Release 2.2(x) or later.
- Cisco ACI Multi-Site Orchestrator 2.2(x) deployed with basic configuration.
- A router capable of terminating Internet Protocol Security (IPsec).
- Enough bandwidth for tenant traffic between the on-premises and cloud sites.
- A Cisco Smart Licensing account and a Cisco ACI Leaf Advantage license. All leaf switches on the on-premises site or sites must have Cisco ACI leaf licenses.
- Workloads that are connected to the Cisco ACI fabric.
- An intersite network (ISN) configured between the Cisco ACI fabric (spine) and the IPsec termination device. For information about creating an ISN, see the "Multipod" chapter of the Cisco APIC Layer 3 Networking Configuration Guide.
- Certain firewall ports must be permitted if you deploy firewalls between your on-premises and AWS deployments: HTTPS access to the Cisco Cloud APIC, the IPsec ports for each AWS CSR, and SSH for remote management of the AWS CSRs. These firewall ports are described in more detail in Cloud APIC Communication Ports in this guide.
Requirements for the AWS Public Cloud
This section lists the Amazon Web Services (AWS) requirements for extending the Cisco Application Centric Infrastructure (ACI) fabric to the public cloud.
AWS Accounts
You need one AWS account for the Infra tenant, and you need one AWS account for each user tenant.
For example, if you want to create two user tenants, you need three AWS accounts. You must have one account for each user tenant and one account for the infra tenant. The user tenant can be trusted or untrusted. For details, see the section Setting Up the AWS Account for the User Tenant in this guide.
AWS Resources
You need the following resources as part of the AWS deployment:
- Access to the Cisco APIC 4.1 Amazon Machine Image (AMI). Note: to have access to the AMI, you must subscribe to the Cisco Cloud APIC in the Amazon Marketplace.
- Two Elastic Compute Cloud (EC2) instances, which function as virtual machines (VMs) for applications running in the cloud.
- Virtual Private Clouds (VPCs), subnets, a virtual private gateway (VGW), an Internet gateway (IGW), security groups, and any further resources required by the tasks you plan to perform.
Cisco Cloud Services Router (CSR)
Subscribe to the Cisco Cloud Services Router (CSR) 1000V - Bring Your Own License (BYOL) for Maximum Performance. To subscribe through the AWS Marketplace, type Cisco Cloud Services Router (CSR) 1000V - BYOL for Maximum Performance into the AWS Marketplace search text field.
Deploy the CSRs in the appropriate size, depending on the bandwidth requirement defined during the Cisco Cloud APIC setup.
The value for the throughput of the routers determines the size of the CSR instance that you deploy; a higher value for the throughput results in the deployment of a larger VM. CSR licensing is based on the throughput configuration that you set as part of the Cisco Cloud APIC setup process. You need the equivalent or higher license in your Smart account and the AX feature set for compliance.
The following table lists the AWS EC2 instance type used for each router throughput setting:

CSR Throughput | AWS EC2 Instance
---|---
10 MB | c4.large
50 MB | c4.large
100 MB | c4.large
250 MB | c4.large
500 MB | c4.large
1 GB | c4.2xlarge
2.5 GB | c4.4xlarge
5 GB | c4.8xlarge
10 GB | c4.8xlarge
Make sure that your AWS account limit allows you to deploy these instances. You can check your account instance limits in the AWS Management Console.
Elastic IP Addresses
Make sure that you have at least nine elastic IP addresses in the region where the infra VPC is deployed.
You need one elastic IP address for Cisco Cloud APIC and four for each CSR. Make sure that your account in the region of deployment is allowed nine or more elastic IP addresses. If it is not, raise an AWS case to increase the number of elastic IP addresses. We recommend ten or more.
Note: Elastic IP addresses that are allocated but disassociated still count against the limit, so you need capacity for nine new elastic IP addresses. If you have unused elastic IP addresses, you can release them.
Cisco Cloud APIC
Cisco Cloud APIC is deployed as an m4.2xlarge instance.
Make sure that your account limits allow you to deploy this instance. You can check the limits in the AWS Management Console. You can also see how many elastic IP addresses are in use in the AWS Management Console.
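The limit checks above (CSR instance size, elastic IP headroom, and the note that disassociated addresses still consume quota) can be scripted before the Cisco Cloud APIC setup is started. The following script is an added example, not part of the Cisco guide; it assumes the AWS CLI is installed and configured with credentials for the infra-tenant account, and takes its constants (one elastic IP for Cloud APIC, four per CSR, the c4 instance table) from the requirements text above. The function names, the `RUN_LIVE_CHECK`, `AWS_REGION` and `NUM_CSR` environment variables are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-flight checks for the AWS
# limits the requirements text calls out. Assumes a configured AWS CLI with
# credentials for the infra-tenant account.

# csr_instance_for_throughput <throughput>: EC2 instance type from the
# guide's table, keyed by the labels as written there ("100 MB", "1 GB", ...).
csr_instance_for_throughput() {
    case "$1" in
        "10 MB"|"50 MB"|"100 MB"|"250 MB"|"500 MB") echo c4.large ;;
        "1 GB")          echo c4.2xlarge ;;
        "2.5 GB")        echo c4.4xlarge ;;
        "5 GB"|"10 GB")  echo c4.8xlarge ;;
        *) echo "unknown throughput: $1" >&2; return 1 ;;
    esac
}

# required_eips <num_csr>: one address for Cloud APIC plus four per CSR
# (nine for the usual two-CSR deployment).
required_eips() {
    echo $((1 + 4 * $1))
}

# eip_shortfall <region_limit> <allocated> <num_csr>: how many more addresses
# the region limit would have to allow (0 when there is enough headroom).
# <allocated> must count every allocated address, associated or not: a
# disassociated elastic IP still consumes quota, so only releasing it frees
# capacity.
eip_shortfall() {
    limit=$1; allocated=$2; need=$(required_eips "$3")
    free=$((limit - allocated))
    if [ "$free" -ge "$need" ]; then echo 0; else echo $((need - free)); fi
}

# live_eip_check <region> <num_csr>: pulls the real figures with the AWS CLI.
# describe-account-attributes reports the VPC elastic IP limit;
# describe-addresses lists every allocated address, associated or not,
# which is the number that counts against that limit.
live_eip_check() {
    region=$1; num_csr=$2
    limit=$(aws ec2 describe-account-attributes --region "$region" \
        --attribute-names vpc-max-elastic-ips \
        --query 'AccountAttributes[0].AttributeValues[0].AttributeValue' \
        --output text)
    allocated=$(aws ec2 describe-addresses --region "$region" \
        --query 'length(Addresses)' --output text)
    short=$(eip_shortfall "$limit" "$allocated" "$num_csr")
    if [ "$short" -eq 0 ]; then
        echo "OK: $region limit $limit, $allocated allocated, $(required_eips "$num_csr") needed"
    else
        echo "SHORT by $short: raise the elastic IP limit in $region or release unused addresses" >&2
        return 1
    fi
}

# Run the live check only when explicitly requested, so the functions can be
# sourced and exercised offline.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    live_eip_check "${AWS_REGION:-us-east-1}" "${NUM_CSR:-2}"
fi
```

Run it as `RUN_LIVE_CHECK=1 AWS_REGION=eu-west-1 NUM_CSR=2 sh check-aws-limits.sh` against the infra-tenant account; a non-zero exit with the "SHORT by" message means an AWS limit-increase case or a release of unused addresses is needed before the Cloud APIC deployment will succeed. The shortfall calculation deliberately uses the count of all allocated addresses rather than only associated ones, which is the distinction the note above draws.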