TRANSCRIPT
© 2019 NIL, Security Tag: PUBLIC
Anže Marinčič, IT Architect
Application design with the Cisco ACI Application Centric approach and deployment automation
Before we begin

[Diagram: NetCreator automation workflow. Components: NetCreator, vRO, vSphere + AVE, GitLab, APIC, CSM R80, ASA, CP, RH Virtualization, F5, AWX, IPAM, VMs, ACI Fabric. Numbered steps 1 to 9 plus a manual step X: the administrator does the application modelling and publishes the application definition (manual), the automation reads the definition and starts provisioning (automated).]
Network Centric Approach
▪ Relatively rigid designs and implementations
▪ Slower application deployments
▪ Various independent systems (compute, network, storage, service devices)
▪ Each system is configured separately
▪ Manual configuration

[Diagram: Web App connected through a Virtual Switch, with the typical questions: VLAN mismatch between hypervisor and switch? Firewall/Load Balancer/SSL misconfiguration? VLAN allocation? VLAN missing? Trunk not configured properly?]
Application Centric Approach (Automation)
▪ Relatively flexible designs and implementations
▪ Faster application deployments
▪ Various independent systems (compute, network, storage, service devices)
▪ Integrated configuration
▪ Automated and manual configuration

SDN – Software Defined Networking; SDDC – Software Defined Data Center

[Diagram: Web App on a Virtual Switch attached to the ACI Fabric; network automation and device automation configure EPG Web, EPG App, the Contract between them and a Service Graph.]
What is automation?
▪ Software Defined Data Center (SDDC) is an enabler for automation
▪ Application Programming Interface (API) != salvation
▪ Automation != Graphical User Interface (GUI) rewrite
▪ Automation = logic and automatic infrastructure configuration based on a predefined design
▪ Automation changes things on many levels
  ▪ People
  ▪ Processes
  ▪ Communication
  ▪ Team boundaries (compute, network, storage, application developers, business owners, etc.)
How to tackle automation?
▪ You will have challenges with automation
▪ Don’t believe everything you read and hear → get your hands dirty
How to tackle automation?
▪ Establish processes and good communication between different teams

[Diagram: Automation in the centre, linked to Business requirements, Compute, Network, Storage and Application Developers.]
How to tackle automation?
▪ Get intimate with your environment and application requirements
▪ Prepare standardized design(s) that serve as the basis for automation

(3) With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.
Source: https://tools.ietf.org/html/rfc1925
How to tackle automation?
▪ Start embracing Development & Operations (DevOps) and agile *
▪ Find a partner that can support you on your automation journey
  ▪ If you do not have in-house resources

[Diagram: DevOps loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor]

(4) Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.
Source: https://tools.ietf.org/html/rfc1925
Getting an application on the network (*story based on my experience)
▪ Multiple meetings between different teams
▪ Discuss basic application requirements in order to define the initial design
▪ Follow-up steps and additional meetings
▪ Information is exchanged in different XLS templates, emails, phone calls, ticketing systems, etc.
▪ Efficiency is not brilliant … Can we do something about this?
NetCreator – Initial Requirements
▪ Infrastructure as Code (IaC)
▪ (Generic) application definition (requirements) in a human-readable format (JSON)
▪ Standardized language for application definition
▪ Application definition is infrastructure/orchestrator independent
NetCreator – Initial Requirements
▪ Integration with external systems
  ▪ Orchestrators
  ▪ IP Address Management (IPAM)
  ▪ Configuration Management Database (CMDB)
▪ Role Based Access Control (RBAC)
  ▪ Limited Application Access (application owner and maintainer)
  ▪ Application Designer
  ▪ Infrastructure Administrator
NetCreator – Initial Requirements
▪ Application definition
  ▪ Graphical User Interface (GUI) for application modelling
  ▪ Application building blocks
  ▪ Relations between building blocks
  ▪ Application definition versioning
  ▪ Create, Read, Edit, Delete (CRUD)
  ▪ Application inventory
NetCreator – DEMO: Overview

NetCreator – DEMO: Relations between applications
Relation to existing application
NetCreator – DEMO: Relations between applications
▪ Changes on the infrastructure (based on lab setup)
  ▪ Firewall - Add Access Lists
  ▪ ACI - Add Contracts with Service Insertion
NetCreator – DEMO: Automation Complexity
Delete Application Tier
NetCreator – DEMO: Automation Complexity
▪ Changes on the infrastructure (based on lab setup)
  ▪ Load Balancer - delete virtual server, pool, nodes, health monitors, etc.
  ▪ Firewall - delete access lists, create access lists, etc.
  ▪ ACI - delete contracts, delete end point group, create new contracts, etc.
  ▪ Virtual Infrastructure - delete virtual machines, delete network (RHV), etc.
What happens if one of the steps fails?
Should we allow this action only during a maintenance window?
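As an added example, not NetCreator's code (its real application schema and orchestrator integrations are not on these slides), the following Python sketches the ideas from the initial requirements (an infrastructure-independent JSON application definition), the demo (firewall access lists and ACI contracts derived from it) and the question above about a failing step: a constructed application definition, the contract and ACL lines rendered from it, and a step runner that reverts already-applied steps when a later one fails. The JSON schema, the service-to-port table and the (name, do, undo) step interface are assumptions.

```python
import json
# Constructed application definition (assumed schema, not NetCreator's): the lab's
# three tiers and the flows that must be permitted between them.
APP_JSON = """{
  "tiers": {"WEB": {"subnet": "172.200.0.0/24"},
            "APP": {"subnet": "172.200.1.0/24"},
            "DB":  {"subnet": "172.200.1.0/24"}},
  "relations": [
    {"from": "L3out", "to": "WEB", "permit": ["ssh", "http"]},
    {"from": "WEB",   "to": "APP", "permit": ["ssh", "http"]},
    {"from": "APP",   "to": "DB",  "permit": ["ssh", "mysql"]}
  ]
}"""
APP = json.loads(APP_JSON)
PORTS = {"ssh": 22, "http": 80, "mysql": 3306}  # assumed service-to-port table

def render_contracts(app):
    """Derive ACI contract names and filters from the relations (ctr-<src>-to-<dst>)."""
    return [{"name": f"ctr-{r['from']}-to-{r['to']}", "consumer": r["from"],
             "provider": r["to"], "filters": list(r["permit"])}
            for r in app["relations"]]

def render_firewall_acl(app):
    """One firewall ACL line per permitted service; a source not in the definition (the L3out) is 'any'."""
    lines = []
    for r in app["relations"]:
        src = app["tiers"].get(r["from"], {}).get("subnet", "any")
        dst = app["tiers"][r["to"]]["subnet"]
        for svc in r["permit"]:
            lines.append(f"permit tcp {src} {dst} eq {PORTS[svc]}")
    return lines

def failing_step(reason):
    """Stand-in for a device call that fails (for example, APIC unreachable)."""
    raise RuntimeError(reason)

def run_with_rollback(steps):
    """Apply (name, do, undo) steps in order; when one fails, undo the completed ones
    in reverse so nothing is left half-configured. Returns (ok, log) for the operator."""
    done, log = [], []
    for name, do, undo in steps:
        try:
            do(); log.append(f"applied {name}"); done.append((name, undo))
        except Exception as exc:
            log.append(f"failed {name}: {exc}")
            for dname, dundo in reversed(done):
                dundo(); log.append(f"reverted {dname}")
            return False, log
    return True, log
```

The log returned by run_with_rollback is what you would hand to the ticketing or CMDB integration, so a partial run is visible instead of silently leaving an ACL without its contract.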
NetCreator – DEMO: Blast from the past

[Diagram: lab topology. EPGs WEB, APP and DB in bridge domain Web-BD, using subnets 172.200.0.x (gateway 172.200.0.1) and 172.200.1.x (gateway 172.200.1.1). Contracts: ctr-L3out-to-WEB (permit ssh, permit http), ctr-WEB-to-APP (permit ssh, permit http), ctr-APP-to-DB (permit ssh, permit mysql). External segments: Client via L3out (172.80.0.10, default route via 172.80.0.1), Core (172.100.0.10, VIP 172.100.0.x, default route via 172.100.0.1), Cloud (172.70.10.10, default route via 172.70.10.1).]
NetCreator – DEMO: Blast from the past

[Diagram: NetCreator automation workflow. Components: NetCreator, vRO, vSphere + AVE, GitLab, APIC, CSM R80, ASA, CP, RH Virtualization, F5, AWX, IPAM, VMs, ACI Fabric.]
Steps (1 and 2 manual by the administrator, 3 to 9 automated, X manual):
1. Application modelling
2. Publish app. description
3. Run automation
4. Read app. description
5. Assign IP addresses
6. Network configuration (LB VIP, FW ACL, ACI Contracts, ACI Service Graph, vSphere/RHV networking, etc.)
7. Create Virtual Machines
8. Update app. description
9. Read updated app. description
X. Configure Virtual Machines
NetCreator – DEMO: Blast from the past – step X

NetCreator – DEMO: Service Insertion
Dynamically insert Load Balancer
NetCreator – DEMO: Service Insertion

[Diagram: the same lab topology with a load balancer dynamically inserted. EPGs WEB, APP and DB in bridge domain Web-BD (subnets 172.200.0.x via 172.200.0.1 and 172.200.1.x via 172.200.1.1); contracts ctr-L3out-to-WEB (permit ssh, permit http), ctr-WEB-to-APP (permit ssh, permit http), ctr-APP-to-DB (permit ssh, permit mysql). External segments: Client via L3out (172.80.0.10, default route via 172.80.0.1), a new load-balancer segment 172.50.0.x (172.50.0.10, VIP 172.50.0.x, default route via 172.50.0.1), Core (172.100.0.10, VIP 172.100.0.x, default route via 172.100.0.1), Cloud (172.70.10.10, default route via 172.70.10.1).]
Key takeaway
▪ Understand your environment and requirements
▪ Adjust your current processes
▪ Establish good communication between different teams
▪ Automation is not easy
▪ Find a partner that can support you (if you do not have in-house resources)
▪ Automation does bring business benefits even though it is not simple
ENABLING IT FOR BUSINESS