© 2019 NIL, Security Tag: PUBLIC


Page 2

Application design with the Cisco ACI Application Centric approach and deployment automation

Anže Marinčič, IT architect

Page 3

Before we begin

Diagram: the toolchain used in the demo. NetCreator (application modelling), GitLab, vRO, AWX, IPAM, vSphere + AVE, RH Virtualization, APIC, CSM, R80, ACI Fabric, ASA, CP, F5, the Administrator and the resulting VMs. The numbered steps 1 to 9 start with application modelling (1), publishing the app. definition (2), running the automation (3) and reading the app. definition (4), then start provisioning and continue through step 9. Steps are marked Manual or Automated; step X is a manual step by the Administrator.

Page 4

Network Centric Approach

▪ Relatively rigid designs and implementations

▪ Slower application deployments

▪ Various independent systems (compute, network, storage, service devices)

▪ Each system is configured separately

▪ Manual configuration

Diagram: a Web App on a Virtual Switch, with the usual questions when something does not work: VLAN mismatch between hypervisor and switch? Firewall/Load Balancer/SSL misconfiguration? VLAN allocation? VLAN missing? Trunk not configured properly?

Page 5

Application Centric Approach (Automation)

• Relatively flexible designs and implementations

• Faster application deployments

• Various independent systems (compute, network, storage, service devices)

• Integrated configuration

• Automated and manual configuration

SDN – Software Defined Networking

SDDC – Software Defined Data Center

Diagram: the Web App's Virtual Switch attaches to the ACI Fabric; network automation creates EPG Web and EPG App with a Contract between them and a Service Graph, while device automation configures the service devices.

Page 6

What is automation?

▪ Software Defined Data Center (SDDC) is an enabler for automation

▪ Application Programming Interface (API) != salvation

▪ Automation != Graphical User Interface (GUI) rewrite

▪ Automation = logic and automatic infrastructure configuration based on a predefined design

▪ Automation changes things on many levels

  ▪ People

  ▪ Processes

  ▪ Communication

  ▪ Team boundaries (compute, network, storage, application developers, business owners, etc.)

Page 7

How to tackle automation?

▪ You will have challenges with automation

▪ Don't believe everything you read and hear → get your hands dirty

Page 8

How to tackle automation?

▪ Establish processes and good communication between different teams

Diagram: Automation in the centre, linked to Business requirements, Compute, Network, Storage and Application Developers.

Page 9

How to tackle automation?

▪ Get intimate with your environment and application requirements

▪ Prepare standardized design(s) that are the basis for automation

(3) With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.

Source: https://tools.ietf.org/html/rfc1925

Page 10

How to tackle automation?

▪ Start embracing Development & Operations (DevOps) and agile

Diagram: the DevOps loop – Plan, Code, Build, Test, Release, Deploy, Operate, Monitor

▪ Find a partner that can support you on your automation journey

  ▪ If you do not have in-house resources

(4) Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.

Source: https://tools.ietf.org/html/rfc1925

Page 11

Getting an application on the network (*story based on my experience)

▪ Multiple meetings between different teams

▪ Discuss basic application requirements in order to define the initial design

▪ Follow-up steps and additional meetings

▪ Information is exchanged in different XLS templates, emails, phone calls, ticketing systems, etc.

▪ Efficiency is not brilliant … Can we do something about this?

Page 12

NetCreator – Initial Requirements

▪ Infrastructure as Code (IaC)

▪ (Generic) application definition (requirements) in a human-readable format (JSON)

▪ Standardized language for application definition

▪ Application definition is infrastructure/orchestrator independent

Page 13

NetCreator – Initial Requirements

▪ Integration with external systems

  ▪ Orchestrators

  ▪ IP Address Management (IPAM)

  ▪ Configuration Management Database (CMDB)

▪ Role Based Access Control (RBAC)

  ▪ Limited Application Access (application owner and maintainer)

  ▪ Application Designer

  ▪ Infrastructure Administrator

Page 14

NetCreator – Initial Requirements

▪ Application definition

  ▪ Graphical User Interface (GUI) for application modelling

  ▪ Application building blocks

  ▪ Relations between building blocks

  ▪ Application definition versioning

  ▪ Create, Read, Edit, Delete (CRUD)

▪ Application inventory

Page 15

NetCreator – DEMO: Overview

Page 16

NetCreator – DEMO: Relations between applications

Relation to an existing application

Page 17

NetCreator – DEMO: Relations between applications

Relation to an existing application

Page 18

NetCreator – DEMO: Relations between applications

Page 19

NetCreator – DEMO: Relations between applications

▪ Changes on the infrastructure (based on the lab setup)

  ▪ Firewall - Add Access Lists

  ▪ ACI - Add Contracts with Service Insertion
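The JSON application definition asked for on page 12 and the infrastructure changes listed above (firewall access lists, ACI contracts with service insertion), as an added example that is not NetCreator's own code: a constructed three-tier definition, loosely modelled on the lab topology drawn on the later "Blast from the past" slides, is validated and then rendered into ACI contracts, an ASA-style access list and load balancer virtual servers. The JSON schema, the field and object names, the naming patterns and the SERVICE_PORTS table are all assumptions made for the example.

```python
import ipaddress
import json

# Service name -> TCP port, shared by the ACI filters and the firewall ACL.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "mysql": 3306}

# Constructed sample definition (schema and field names are assumptions),
# loosely modelled on the lab topology on the "Blast from the past" slides.
APP_DEFINITION = json.dumps({
    "name": "shop", "version": 3,
    "externals": {"Client": {"subnets": ["172.80.0.0/24", "172.70.10.0/24"]}},
    "tiers": {
        "WEB": {"subnet": "172.200.0.0/24", "gateway": "172.200.0.1", "bridge_domain": "Web-BD",
                "vip": "172.100.0.10", "lb_services": ["http"]},  # http goes through the LB
        "APP": {"subnet": "172.200.1.0/24", "gateway": "172.200.1.1", "bridge_domain": "Web-BD"},
        "DB": {"subnet": "172.200.2.0/24", "gateway": "172.200.2.1", "bridge_domain": "Web-BD"},
    },
    "relations": [
        {"from": "L3out:Client", "to": "WEB", "services": ["ssh", "http"]},
        {"from": "WEB", "to": "APP", "services": ["ssh", "http"]},
        {"from": "APP", "to": "DB", "services": ["ssh", "mysql"]},
    ],
})


def load_definition(text):
    """Parse and validate: every relation endpoint must be a declared tier or
    external (L3out:<name>), every service needs a known port, a tier may not
    relate to itself, a load-balanced tier needs a VIP. Failing here stops a
    typo from becoming a permit for an EPG that is never created."""
    defn = json.loads(text)
    tiers, externals = defn["tiers"], defn.get("externals", {})

    def declared(endpoint):
        if endpoint.startswith("L3out:"):
            return endpoint[len("L3out:"):] in externals
        return endpoint in tiers

    for rel in defn["relations"]:
        if not (declared(rel["from"]) and declared(rel["to"])):
            raise ValueError(f"{rel['from']} -> {rel['to']}: undefined endpoint")
        if rel["from"] == rel["to"]:
            raise ValueError(f"{rel['from']}: relation to itself")
        unknown = [s for s in rel["services"] if s not in SERVICE_PORTS]
        if unknown:
            raise ValueError(f"unknown services {unknown}")
    for name, tier in tiers.items():
        ipaddress.ip_network(tier["subnet"])  # raises on a malformed subnet
        if tier.get("lb_services") and "vip" not in tier:
            raise ValueError(f"tier {name} is load balanced but has no VIP")
    return defn


def render_aci(defn):
    """One contract per relation, named ctr-<from>-to-<to> as on the slides,
    one filter entry per service; the destination provides, the source
    consumes. A service graph is attached when the destination load balances
    one of the services, so the fabric steers that traffic through the LB."""
    contracts = []
    for rel in defn["relations"]:
        lb = defn["tiers"].get(rel["to"], {}).get("lb_services", [])
        contract = {
            "name": f"ctr-{rel['from'].replace(':', '-')}-to-{rel['to'].replace(':', '-')}",
            "consumer": rel["from"], "provider": rel["to"],
            "filters": [{"service": s, "protocol": "tcp", "dport": SERVICE_PORTS[s]}
                        for s in rel["services"]],
        }
        if set(rel["services"]) & set(lb):
            contract["service_graph"] = f"sg-{defn['name']}-{rel['to']}-lb"
        contracts.append(contract)
    return contracts


def _net(cidr):
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"  # ASA "network mask" notation


def _nets(defn, endpoint):
    if endpoint.startswith("L3out:"):
        return defn["externals"][endpoint[len("L3out:"):]]["subnets"]
    return [defn["tiers"][endpoint]["subnet"]]


def _dests(defn, endpoint, service):
    """Clients of a load-balanced service reach the VIP, not the pool subnet,
    so the ACL permits that single host and nothing wider."""
    tier = defn["tiers"].get(endpoint)
    if tier and service in tier.get("lb_services", []):
        return [f"host {tier['vip']}"]
    return [_net(c) for c in _nets(defn, endpoint)]


def render_firewall_acl(defn):
    """ASA-style extended ACL: one permit per (source network, service),
    closed with an explicit logged deny so dropped traffic is visible."""
    acl, lines = f"acl-{defn['name']}", []
    for rel in defn["relations"]:
        for src in _nets(defn, rel["from"]):
            for svc in rel["services"]:
                for dst in _dests(defn, rel["to"], svc):
                    lines.append(f"access-list {acl} extended permit tcp "
                                 f"{_net(src)} {dst} eq {SERVICE_PORTS[svc]}")
    lines.append(f"access-list {acl} extended deny ip any any log")
    return lines


def render_load_balancer(defn):
    """One virtual server per load-balanced (tier, service); the pool is
    named now and filled once the VMs exist (step 7 on the workflow slide)."""
    return [{"name": f"vs-{defn['name']}-{tier}-{svc}", "vip": t["vip"],
             "port": SERVICE_PORTS[svc], "pool": f"pool-{defn['name']}-{tier}"}
            for tier, t in defn["tiers"].items() for svc in t.get("lb_services", [])]
```

Calling `load_definition(APP_DEFINITION)` and passing the result to the three `render_*` functions yields three contracts (the inbound one carrying a service graph), nine ACL lines and one virtual server. The validation step is where the "relations between building blocks" requirement earns its keep: a relation to a tier that does not exist is rejected before anything reaches the firewall or the APIC.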

Page 20

NetCreator – DEMO: Automation Complexity

Delete Application Tier

Page 21

NetCreator – DEMO: Automation Complexity

Delete Application Tier

Page 22

NetCreator – DEMO: Automation Complexity

Page 23

NetCreator – DEMO: Automation Complexity

▪ Changes on the infrastructure (based on the lab setup)

  ▪ Load Balancer - delete virtual server, pool, nodes, health monitors, etc.

  ▪ Firewall - delete access lists, create access lists, etc.

  ▪ ACI - delete contracts, delete end point group, create new contracts, etc.

  ▪ Virtual Infrastructure - delete virtual machines, delete network (RHV), etc.

What happens if one of the steps fails?

Should we allow this action only during a maintenance window?
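The deletion sequence above and its two questions, as an added example that is not NetCreator's own code: a teardown plan over constructed in-memory stand-ins for the load balancer, firewall, APIC and virtualization layer, executed by a journalled runner that stops at the first failure and resumes on rerun, plus a maintenance-window check. The object names, step names and the fault-injection mechanism are assumptions made for the example; a real run would call the F5, ASA/CP, APIC and vSphere/RHV APIs instead of mutating dictionaries.

```python
from dataclasses import dataclass
from typing import Callable


def lab_state():
    """Constructed in-memory stand-ins for the systems a tier touches."""
    return {
        "lb": {"virtual_servers": {"vs-shop-WEB-http"}, "pools": {"pool-shop-WEB"},
               "nodes": {"node-shop-WEB-1", "node-shop-WEB-2"}, "monitors": {"mon-shop-WEB"}},
        "fw": {"acls": {"acl-shop-WEB", "acl-shop-APP"}},
        "aci": {"contracts": {"ctr-L3out-Client-to-WEB", "ctr-WEB-to-APP", "ctr-APP-to-DB"},
                "epgs": {"WEB", "APP", "DB"}},
        "virt": {"vms": {"vm-shop-WEB-1", "vm-shop-WEB-2", "vm-shop-APP-1"},
                 "networks": {"net-shop-WEB", "net-shop-APP"}},
        "faults": {},  # step name -> how many more times that step should fail
    }


def _maybe_fault(state, step):
    """Simulate a transient failure (device unreachable, API error) on a step."""
    if state["faults"].get(step, 0) > 0:
        state["faults"][step] -= 1
        raise RuntimeError(f"{step}: device did not respond")


def _discard(bucket, hits):
    """Idempotent delete: removing what is already gone is a no-op, so a step
    can be rerun after a partial failure without special cases."""
    for name in [n for n in bucket if hits(n)]:
        bucket.discard(name)


@dataclass
class Step:
    name: str
    run: Callable[[dict], None]


def teardown_plan(tier):
    """Steps in the order the slide lists them: stop traffic at the load
    balancer, remove firewall and contract policy, remove the EPG, then the
    VMs and finally their network. Steps with a precondition check it
    themselves rather than assuming the earlier steps ran."""
    def hits(name):
        return name == tier or f"-{tier}" in name

    def lb(state):
        _maybe_fault(state, "lb")
        for bucket in state["lb"].values():
            _discard(bucket, hits)

    def fw(state):
        _maybe_fault(state, "fw")
        _discard(state["fw"]["acls"], hits)

    def contracts(state):
        _maybe_fault(state, "aci-contracts")
        _discard(state["aci"]["contracts"], hits)

    def epg(state):
        _maybe_fault(state, "aci-epg")
        if any(hits(c) for c in state["aci"]["contracts"]):
            raise RuntimeError("EPG still referenced by a contract")
        _discard(state["aci"]["epgs"], hits)

    def vms(state):
        _maybe_fault(state, "virt-vms")
        _discard(state["virt"]["vms"], hits)

    def network(state):
        _maybe_fault(state, "virt-network")
        if any(hits(v) for v in state["virt"]["vms"]):
            raise RuntimeError("network still has attached VMs")
        _discard(state["virt"]["networks"], hits)

    return [Step("lb", lb), Step("fw", fw), Step("aci-contracts", contracts),
            Step("aci-epg", epg), Step("virt-vms", vms), Step("virt-network", network)]


def run_plan(plan, state, journal=None):
    """Run the steps in order, recording each completed one in the journal.
    On the first failure stop and return instead of pressing on with steps
    that assume the failed one succeeded; a rerun with the same journal
    skips the completed steps and resumes at the one that failed."""
    if journal is None:
        journal = {"done": [], "failed": None}
    for step in plan:
        if step.name in journal["done"]:
            continue
        try:
            step.run(state)
        except RuntimeError as exc:
            journal["failed"] = {"step": step.name, "error": str(exc)}
            return journal
        journal["done"].append(step.name)
    journal["failed"] = None
    return journal


def in_maintenance_window(hour, start=22, end=4):
    """True when hour (0-23) lies in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end
```

With `state["faults"]["fw"] = 1` the first `run_plan(teardown_plan("WEB"), state)` removes the load balancer objects, fails at the firewall and leaves the ACL, contracts, EPG and VMs untouched; passing the returned journal to a second `run_plan` call after the firewall is reachable again finishes the remaining five steps. Stopping at the first failure is the safer answer to the slide's question: continuing would, for instance, delete the network while VMs are still attached or leave an EPG behind with no policy in front of it. The window check is the gate a caller would consult before starting the plan at all.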

Page 24

NetCreator – DEMO: Blast from the past

Page 25

NetCreator – DEMO: Blast from the past

Diagram (lab topology as labelled on the slide):

EPG WEB – hosts 172.200.0.x, gateway 172.200.0.1, bridge domain Web-BD

EPG DB – hosts 172.200.1.x, gateway 172.200.1.1

EPG APP – hosts 172.200.1.x, gateway 172.200.1.1, bridge domain Web-BD

Contracts:

ctr-L3out-to-WEB – permit ssh, permit http (from the Client L3out to EPG WEB)

ctr-WEB-to-APP – permit ssh, permit http

ctr-APP-to-DB – permit ssh, permit mysql

Outside the fabric, behind the Client L3out (in the order drawn): Core with host 172.80.0.10 (gateway 172.80.0.1, 0.0.0.0/0 via 172.80.0.1) and host 172.100.0.10 (gateway 172.100.0.1, VIP 172.100.0.x, 0.0.0.0/0 via 172.100.0.1); Cloud with host 172.70.10.10 (gateway 172.70.10.1, 0.0.0.0/0 via 172.70.10.1).

Page 26

NetCreator – DEMO: Blast from the past

Diagram: the same toolchain as on page 3 (NetCreator, GitLab, vRO, AWX, IPAM, vSphere + AVE, RH Virtualization, APIC, CSM, R80, ACI Fabric, ASA, CP, F5, Administrator, VMs) with the workflow steps:

1. Application modelling (manual, Administrator)

2. Publish app. description

3. Run automation

4. Read app. description

5. Assign IP addresses

6. Network configuration: LB VIP, FW ACL, ACI Contracts, ACI Service Graph, vSphere/RHV networking, etc.

7. Create Virtual Machines

8. Update app. description

9. Read updated app. description

X. Configure Virtual Machines (manual, Administrator)

Steps are marked Manual or Automated on the slide; only steps 1 and X are manual.

Page 27

NetCreator – DEMO: Blast from the past – step X

Page 28

NetCreator – DEMO: Service Insertion

Dynamically insert a Load Balancer

Page 29

NetCreator – DEMO: Service Insertion

Diagram (the page 25 topology after the load balancer is inserted, as labelled on the slide):

EPG WEB – hosts 172.200.0.x, gateway 172.200.0.1, bridge domain Web-BD

EPG DB – hosts 172.200.1.x, gateway 172.200.1.1

EPG APP – hosts 172.200.1.x, gateway 172.200.1.1, bridge domain Web-BD

Contracts:

ctr-L3out-to-WEB – permit ssh, permit http (from the Client L3out to EPG WEB)

ctr-WEB-to-APP – permit ssh, permit http

ctr-APP-to-DB – permit ssh, permit mysql

Outside the fabric, behind the Client L3out: Core/Cloud with a new segment 172.50.0.x (gateway 172.50.0.1, host 172.50.0.10, VIP 172.50.0.x, 0.0.0.0/0 via 172.50.0.1), which is the element added compared with page 25; host 172.80.0.10 (gateway 172.80.0.1, 0.0.0.0/0 via 172.80.0.1); host 172.100.0.10 (gateway 172.100.0.1, VIP 172.100.0.x, 0.0.0.0/0 via 172.100.0.1); host 172.70.10.10 (gateway 172.70.10.1, 0.0.0.0/0 via 172.70.10.1).

Page 30

Key takeaway

▪ Understand your environment and requirements

▪ Adjust your current processes

▪ Establish good communication between different teams

▪ Automation is not easy

▪ Find a partner that can support you (if you do not have in-house resources)

▪ Automation does bring business benefits even though it is not simple

Page 31

nil.com – ENABLING IT FOR BUSINESS