Cisco Connect Greater Bay Area… · Public Cloud AWS Region 1 Site B Infra VPC EPG-1 AZ-1 AZ-2...
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Connect Greater Bay Area
Hong Kong • 30 May 2019
Qianhai & Macau • 31 May 2019
Javed Asghar
Principal Engineer, ACI Team
May 2019
ACI Product Team
ACI Anywhere Update
Automation with Consistent Policy
Virtual ACI
Cloud ACI
ACI Anywhere
Any Workload. Any Location. Any Cloud.
WAN
WAN
Edge / Remote DC
Public or Private Cloud
Regional/Central Location
Security Everywhere
Policy Everywhere
Analytics Everywhere
ACI On-Premises
ACI Multisite
Shipping
Site A
Site B
Site C
Site D
Multisite Orchestrator
Policy Consistency
Single Point Of Orchestration
Availability Fault Isolation
Scale
Consistent Policy across sites
Single Point of Orchestration
Fault Isolation
Scale
IP Network
(WAN Core – IPv4, MPLS, SR, etc …)
ACI: Physical Remote Leaf
Extend ACI to Satellite Data Centers
On-Prem DC
Remote Locations
Zero Touch Auto Discovery of Remote Leaf
Two Remote Leaf vPC Pair
Up To 64 Remote Locations
Multi-site Support: Stretch Tenant, EPG, etc.
All benefits of ACI visibility: Health Scores, Stats
Shipping
Virtual ACI: Virtual Pod
Extend ACI to Bare Metal Clouds and Remote Data Centers
Shipping
IP Network
Bare Metal Clouds (IBM, OVH, etc.)
Remote Data Centers
Co-location Facilities
(Equinix, CoreSite etc.)
Brownfield Deployments
Remote location On-premises ACI Data Center
Hypervisor
Policy extension from On-premise DC
ACI Multi-Cloud Extensions Deep Dive
Challenges in building a Multi Cloud environment
• Maintain consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• Building an automated and secure interconnect between on-premises and cloud datacenters with ease of provisioning and monitoring at scale
• Requires a single pane of glass to manage policies across on-premise and cloud locations
Site A
Site B
Site C
Site D
ACI Extensions To Multi-Cloud
ACI Multi-Site
Appliance
Consistent Network and Policy across clouds
Seamless Workload Migration
Single Point of Orchestration
Secure Automated Connectivity
ACI – On Prem
Region(s)
Region(s)
EPG Web / Contract / EPG APP / Contract / EPG DB
SG Web / SG Rule / SG APP / SG Rule / SG DB
ACI Extensions to AWS
IP Network
AWS Region
On-Premise DC
Public Cloud
Multi-Site
Automated Inter-connect provisioning
Simplified Operations with end-to-end visibility
Consistent Policy Enforcement on-Premise & Public Cloud
ACI 4.1
Security Group
Virtual Private Cloud
Security Group Rule
Outbound rule
Inbound rule
User Account
Source/Destination: Subnet or IP or Any or ‘Internet’
Protocol
Port
Network Adapter
Tenant
VRF
BD Subnet
EP to EPG Mapping
Contracts, Filters
Consumed contracts
Provided contracts
EC2 Instance
VPC subnet
EPG
Tag / Label
End Point (fvCEp)
Network Access List Taboo
Policy Mapping – AWS to ACI (1/2)
For your info & reference
Policy Mapping – AWS to ACI (2/2)
Region
Identity and Access Management (IAM)
AAA Users, Security Domains
Pod
Path/Node Attachment
Overlay-1 VRF (ACI Infra)
Border Leaf, Spine (Internal and External connectivity)
Shared Services / Common
Availability Zone (AZ)
Infra VPC
VPC Peering
Internet Gateway, VPN Gateway, Direct Connect, CSR1000V
Inter Region VPC Peering
Direct Connect Gateway
Inter POD Connectivity
For your info & reference
Cloud Deployments Usecases
Site A
Site B
Site C
Usecase #1: Hybrid-Cloud Deployment
ACI Multi-Site Orchestrator
ACI – On Premise
AWS ACI 4.1
Region(s)
Region(s)
Hybrid Cloud supported with AWS in Q2-CY19 and Azure in Q3-CY19
Usecase #2: Cloud First with Multiple Regions
Target ACI 4.2
One ACI Policy Domain with Multiple AWS Regions
Site1
Region: us-east-1
Site1
Region: sa-east-1
Site1
Region: eu-west-3
Site1
Region: ap-northeast-1
Usecase #3: Multi-Cloud (Cloud Only)
Multi-Cloud with AWS and Azure Cloud Sites supported in 2H-CY19
Target ACI 4.2
Site 2
Region: UK South
Site 1
Region: us-east-1
Site 3
Region: ap-northeast-1
ACI Multi-Site Orchestrator
Network Connectivity Usecases
Usecase #1: IPSec VPN
AWS Region
On-Premise
Public Cloud Site B
AWS Instances
AWS Instances
CSR1000V
Customer Premise Router
Site A
AWS Internet Gateway
VGW
VGW
Infra VPC
User VPC-1
User VPC-2
Multisite Orchestrator
Supported ACI 4.1
IPSec VPN Tunnel (Underlay)
VXLAN Tunnel (Data Plane)
Internet
BGP-EVPN Session (Control Plane)
• VXLAN data plane connects the ACI fabric and the Cloud site
• BGP-EVPN routing reachability between the ACI fabric and the Cloud site
• IPSec VPN connection between the customer premise router (in front of the ACI fabric) and the CSR1kv
Usecase #2: Direct Connect (DX)
AWS Region
On-Premise
Public Cloud
Site A
Site B
Multi-Site
CSR1000V
Amazon DGW/VGW
AWS Instances
VGW
AWS Instances
VGW
Infra VPC
User VPC-1
User VPC-2
Targeted ACI 4.x
Direct Connect (DX) / BGP Underlay
BGP-EVPN
VXLAN
• Direct Connect and BGP underlay between Infra-VPC and ACI Border Leaf
• BGP-EVPN and VXLAN over Direct Connect, from the ACI fabric to the CSR 1000v
ACI Border Leaf
Segmentation Usecases
APIC Cloud APIC
Tenant
VRF
BD1/Subnet1
Web-EPG1
BD3/Subnet3
App-EPG1
CIDR 2
Web-EPG2
CIDR 4
App-EPG2
Usecase #1: Application Stretch
On-Premises Public Cloud
Multi-Site Orchestrator
• Stretch tenant/VRF across on-premises and cloud sites
• During peak times easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across on-premises and cloud sites
• Application stack failover between sites (active/disaster recovery)
Supported ACI 4.1
https https
Usecase #2: Stretched EPG with Consistent Segmentation
• Web Tier and App Tier are stretched and securely segmented across on-premise and public cloud sites
• Consistent segmentation policy and enforcement for endpoints of Web/App Tier are independent of location
APIC Cloud APIC
Tenant
VRF
BD/Subnet1
BD3/Subnet3
CIDR 2
CIDR 4
On-Premises Public Cloud
Multi-Site Orchestrator
EPG - Web
EPG - App
https, redis
Supported ACI 4.1
Usecase #3: Shared Services for Hybrid-Cloud
• Provides the capability to deploy a shared service across hybrid cloud
• A shared service deployed in 1 site can be consumed by endpoints across other sites
• The contract leaks the subnet between VRFs for reachability
APIC Cloud APIC
Tenant 1
VRF1
BD/Subnet1
DNS-EPG
On-Premises Public Cloud
Multi-Site Orchestrator
CIDR 3
App-EPG
CIDR 2
Web-EPG
https
Tenant 2
VRF2
dns
Route Leaking
Supported ACI 4.1
CIDR 5
App-EPG
CIDR 4
Web-EPG
Tenant 3
VRF3
https, redis
Usecase #4: Cloud and On-Prem L3outs
On-Premise
Multi-Site Orchestrator (MSO)
Public Cloud
Site B
Infra VPC
AZ-1 AZ-2
Region 1
CSR CSR
Site A
User VPC -2
VGW
User VPC - 1
VGW
IPSec Tunnel
IPSec Tunnel
EPG-1 EPG-3 EPG-2 EPG-1
SG-1 SG-1 SG-3 SG-2
Instance 01 Instance 02 Instance 03 Instance 04
IGW
IGW
L3out
L3out
L3out
• Cloud local L3out via IGW
• On-Prem local L3out
• On-Prem site endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *
Supported ACI 4.1
* Depends on QA Validation Completion by FCS
Services Usecases
Usecase #1: AWS Application Load Balancer
Supported ACI 4.1
On-Premise Site A
Multisite Orchestrator
Customer Premise Router
AWS Region
Public Cloud Site B
AZ-1
CSR1000v
AWS Internet Gateway
VGW
Infra VPC
User VPC-1
Application Load Balancer
AZ-2
EC2 Instances
EC2 Instances
L3 Out (0.0.0.0/0)
Usecase #2: On-Prem FW for AWS VPCs
AWS Region-1
On-Premise Datacenter
Public Cloud
Infra VPC
CSR1000V
Amazon IGW/VGW
Customer Premise Router
BGP EVPN Control Plane
VXLAN Tunnel
Firewall
L3out
VPCs
FW Flow
• VPCs don’t have external connectivity in AWS
• All VPC traffic is tunneled to on-prem FW and then uses on-prem L3out
Supported ACI 4.1
Service-EPG
On-Premise
Site A
Multi-Site Orchestrator (MSO)
Public Cloud
AWS Region 1
Site B
Infra VPC
EPG-1
AZ-1 AZ-2
User VPC - 1
SG-1 SG-2
VGW
CSR CSR
Instance-1 VPC endpoint
IPSec Tunnel
S3 bucket
Endpoint
Usecase #3: AWS Cloud Native Services
• EC2 instances access Cloud Native Service (e.g. S3 bucket) via VPC endpoint
• All AWS services are supported in phase 2
Future
ACI Anywhere Public Cloud Extensions Roadmap
ACI 4.2 Release *
Azure
Cloud Native Services
Connectivity via DMZ with FW
L4-L7 FW and NAT Services
AWS Direct-Connect from cAPIC
AWS Transit Gateway
ACI 4.1 Release
ACI-AWS Launch
cAPIC Policy Translation
CSR Interconnect Automation
MSO Public Cloud Operations
AWS ALB support
4 Cloud Sites and 4 Physical Sites
Multi-Cloud (AWS, Azure)
MSO Cloud Packaging
Day 2 Operations
Policy Offload to CSR for High Policy Scale
Cloud Center Integration
6 Cloud Sites and 18 Physical Sites
Future
Clouds: GCP, IBM, Ali
Azure ExpressRoute
Azure & AWS Parity
SD-WAN Interconnect
Ecosystem Partners
Higher Scale
* Targeted for Q3-CY19, subject to change without notice