MSO Dashboard overview

In this walkthrough, we highlight how simply Cisco ACI, and more specifically the Multi-site Orchestrator (MSO) with its Azure integration, enables customers to manage an infrastructure of multiple sites, including on-premises data centers and Azure sites. We will create a schema in the Multi-site Orchestrator and then deploy that set of policies across the various sites in just a few clicks, which highlights simplified operations, automated network connectivity, consistent policy management, and visibility for multiple on-premises data centers and the Microsoft Azure cloud.

List view of the three sites in MSO

View the schemas

Application profile with two EPGs

A schema is nothing but a collection of templates, which are used for defining policies. In this example we have created a schema for our hybrid application: hybrid-app-template-9. This schema consists of two tiers, or EPGs, as seen under the Application Profile "hybrid-ap-9".

EPG details

An intuitive GUI displays more information on any of the constructs within the tenant; in this case the web EPG as seen. In the next step, we will take a look at the details of the contract between the web and the database EPG.

Contract details

The policies between the web and database EPGs are maintained in the web-to-db contract, as seen here. In the next step, we will also see the simplicity of maintaining the same contract with an external EPG (aka the web EPG), which in turn highlights the simplicity of managing a hybrid infrastructure.

External EPG contract details

As discussed in the previous step, here we can see the details of the web-to-internet contract, which happens to be the external EPG.

VMM domain

The database EPG is connected to a VMM domain, as seen. A VMM domain profile is a policy that defines a VMM domain. VMM domains contain VM controllers such as Microsoft SCVMM Manager and the credential(s) required for the ACI API to interact with the VM controller.

VMM domain details

Azure site local properties

Continue to see the site local properties.

Site local properties (cont.)

Continue to view the site local properties.

Web endpoint selector

Click to save the web endpoint selector, which is nothing but an IP subnet for that endpoint in the Azure site.

Cloud EPG site local properties

Endpoint selector IP

Here we specify the IP address from which you want your web server to be reachable on the internet. We specify 0.0.0.0/0, which means the source can be any IP address.

Deploy to sites

We will now continue to deploy the schema to the sites.

Pushing configurations to Azure

As seen here, we will push the configurations from the earlier steps to the Azure site (as indicated with the green checks).

Deployment successful

The configurations have been successfully pushed on to the Azure site.

Verifying policy update on the on-premises APIC

Verifying policy update on the on-premises APIC (cont.)

As we can see here, the VMM domain has been associated with the Database EPG on the Hybrid-ap-9 application profile under the CL-student-9 tenant. This was created on the MSO controller in the earlier steps. This step validates the intent as specified in the MSO.

Verifying policy update on the Cloud APIC

For demo purposes, we will continue to validate the correctness of the MSO controller by checking that the appropriate policy was also pushed to the Cloud APIC.

Verifying policy update on the Cloud APIC (cont.)

Navigate to the tenants tab.

Verifying policy update on the Cloud APIC (cont.)

Notice the CL-student-9 tab. This was pushed from the MSO controller.

Verifying policy update on the Cloud APIC (cont.)

Verify the application profile as seen here which was successfully pushed from the MSO.

Verifying policy update on the Cloud APIC (cont.)

Verify the EPGs as seen here which were successfully pushed from the MSO.

Verifying policy update on the Cloud APIC (cont.)

Verify the web endpoint selector IP address, which was successfully pushed from the MSO.

Verifying policy update on Microsoft Azure

Navigate to the resource group to check if the policies were correctly pushed down from the MSO.

Verifying policy update on Microsoft Azure (cont.)

Continue by selecting the desired resource group.

Verifying policy update on Microsoft Azure (cont.)

Choose the desired VM and then proceed to the next steps to check the correctness of the rules (contracts).

Verifying policy update on Microsoft Azure (cont.)

Verifying policy update on Microsoft Azure (cont.)

As we can see here, all the security policies defined in the MSO controller schemas were successfully translated into port rules.
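
A scripted version of this last check, as an added example that is not part of the original walkthrough or of Cisco's tooling: it reads network security group rules in the JSON shape returned by `az network nsg rule list -o json` and reports any port that is reachable from any source (as with the 0.0.0.0/0 selector above) but was not meant to be opened by the contract. The sample rules, their names, the subnet and the intended ports 80/443 are constructed assumptions.

```python
import json

# Source prefixes that an Azure NSG rule treats as "any source" or the whole Internet.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample in the shape of `az network nsg rule list -o json`;
# rule names, subnet and ports are assumptions, not values from the walkthrough.
SAMPLE_RULES = json.loads("""[
 {"name": "web-from-any", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "80"},
 {"name": "db-from-web", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "10.9.1.0/24", "destinationPortRange": "3306"},
 {"name": "db-from-any", "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3306-3307"]},
 {"name": "out-any", "direction": "Outbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

def port_set(rule):
    """Expand destinationPortRange(s) into a set of ints; '*' means every port."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(65536))
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def sources(rule):
    found = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        found.add(rule["sourceAddressPrefix"])
    return found

def internet_exposure(rules, intended_ports):
    """Map rule name -> ports open to any source that the contract did not intend.
    Rule priority and Deny precedence are not evaluated; every Allow is reported."""
    findings = {}
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if sources(rule) & ANY_SOURCE:
            extra = port_set(rule) - set(intended_ports)
            if extra:
                findings[rule["name"]] = sorted(extra)
    return findings
```

Calling `internet_exposure(SAMPLE_RULES, {80, 443})` on the constructed sample reports only the database rule that is open to any source; an empty result means every any-source rule stays within the intended web ports.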