Deploying the Cloud APIC in AWS
Before you begin
Verify that you have met the requirements that are outlined in Requirements for Extending the Cisco ACI Fabric to the Public Cloud before proceeding with the tasks in this section. For example, verify that you have the correct number of elastic IP addresses and that you have checked the limits allowed to deploy the instances.
Verify that you have the full Administrator Access on AWS, because specific AWS IAM roles and permissions are required for the installation and operation of the Cisco Cloud APIC.
When installing Cloud APIC using the CloudFormation template (CFT), we recommend installation by a user who has the full Administrator Access on AWS (for example, by a user who has the permission policy ARN arn:aws:iam::aws:policy/AdministratorAccess attached to it, either directly, by using a role policy, or with a user group). However, if there is no one with AWS Administrator Access available, the person installing Cloud APIC must have a minimum set of permissions. See AWS IAM Roles and Permissions for more information on these AWS IAM roles and permissions.
If you are using AWS Organizations to control access policies and permissions for various accounts and you want to use Cloud APIC to manage these accounts, verify that the AWS account where you are deploying the Cloud APIC in these procedures (the Cloud APIC infra tenant) is the master account for that AWS organization. When the Cloud APIC is deployed in the master account for an AWS organization, you can add any AWS accounts that are part of the organization as tenants through the Cloud APIC GUI. See Support for AWS Organizations and Organization User Tenant and Configuring a Shared Tenant for more information.
If you are deploying Cloud APIC on AWS GovCloud, review the information provided in the section "AWS GovCloud Support" in Extending the Cisco ACI Fabric to the Public Cloud for information specific to those deployments.
Log into your Amazon Web Services account for the Cloud APIC infra tenant and go to the AWS Management Console, if you are not there already:
In the upper right corner of the AWS Management Console screen, locate the area that shows a region, and choose the region in AWS that you want to have managed by Cloud APIC (where the Cloud APIC AMI image will be brought up).
Create an Amazon EC2 SSH key pair:
Go to the Cloud APIC page on the AWS Marketplace:
Review and accept the End User License Agreement (EULA) by clicking the Accept Terms button.
After a minute, you should see the message Subscription should be processed. Click the Continue to Configuration button.
The Configure this software page appears.
Select the following parameters:
Click the Continue to Launch button.
The Launch this software page appears, which shows a summary of your configuration and lets you launch the cloud formation template.
Click Launch to go directly to the CloudFormation service in the correct region, with the correct Amazon S3 template URL already populated.
Click Next at the bottom of the screen.
The Specify Details page appears within the Create stack page.
Enter the following information on the Specify Details page.
Click Next at the bottom of the screen.
The Options page appears within the Create stack page.
Accept all the default values in the Options screen.
There is a Permissions: IAM Role area on this page. An IAM role is an IAM entity that defines a set of permissions for making Amazon Web Services service requests. You can use roles to delegate access to users, applications, or services that don't normally have access to your Amazon Web Services resources.
There is no need for IAM role information with regards to the Cloud APIC, but if you want to assign an IAM role for another reason, choose the appropriate role in the IAM Role field.
Click Next at the bottom of the Options screen.
The Review page appears within the Create stack page.
Verify that all the information on the Review page is correct.
If you see any errors on the Review page, click the Previous button to go back to the page with the incorrect information.
When you have verified that all the information on the Review page is correct, check the box next to the I acknowledge that AWS CloudFormation might create IAM resources with custom names area.
Click the Create button at the bottom of the page.
The CloudFormation page reappears, and the Cloud APIC template that you created is displayed with the text CREATE_IN_PROGRESS displayed in the Status column.
The system now uses the information that you provided in the template to create the Cisco Cloud APIC instance. This process takes 5-10 minutes to complete. You can monitor the progress of the creation process by checking the box next to the name of your Cisco Cloud APIC template, then clicking on the Events tab. The text CREATE_IN_PROGRESS is displayed in the Status column under the Events tab.
When the CREATE_COMPLETE message is shown, verify that the instance is ready before proceeding.
What to do next
Go to Setting Up the AWS Account for the User Tenant to set up the AWS account for the user tenant.