Configuration Drift Notifications and Faults
When you deploy Cisco ACI in a public cloud, you will perform most of the fabric configuration from the Cloud APIC. However, there may be cases where you or another cloud administrator changes the deployed configuration directly in the cloud provider's GUI using the tools provided by AWS or Azure. In these cases, the intended configuration you deployed from the Cloud APIC and the actual configuration in the cloud site may become out of sync, we call this a configuration drift.
Starting with Release 5.0(2), Cloud APIC provides visibility into any security policy (contracts) configuration discrepancy between what you deploy from the Cloud APIC and what is actually configured in the cloud site. Future releases will provide the configuration drift visibility into the other Cloud APIC objects as well as information about extraneous configurations deployed in the cloud but not defined in the Cloud APIC.
There are two aspects to analyzing configuration drift:
Have all the fabric elements configured in the Cloud APIC and intended to be deployed in the cloud fabric been properly deployed?
This scenario can occur due to user configuration errors in Cloud APIC that could not be deployed in the cloud, connection or API issues on the cloud provider end, or if a cloud administrator manually deletes or modifies security rules directly in the cloud provider's UI. Any intended but missing configurations may present an issue for the Cloud APIC fabric.
Are there any additional configurations that exist in the cloud but were not intended to be deployed from the Cloud APIC?
Similarly to the previous scenario, this can occur if there are connection or API issues or if a cloud administrator manually creates additional security rules directly in the cloud provider's UI. Any existing but not intended configuration may present issues.