Monday, November 28, 2022

Introducing Cisco Cloud Network Controller on Google Cloud Platform – Part 2

Part 1 of this blog series demonstrated how Cisco CNC can automate cloud networking within GCP independently of security policies. Part 2 goes over additional capabilities pertaining to contract-based routing and firewall rules automation, by extending the same policy model.

One of the reasons for decoupling routing and security is to give customers more flexibility. Often, organizations have different teams responsible for cloud networking and for security policy definitions in the cloud. However, for those use cases where policy consistency is a top priority, followed by additional governance of cloud resources, a common policy model is a must.

Policy Model Translation

Below is a high-level one-to-one mapping of the Cisco CNC policy model to native GCP cloud constructs.

Policy Model Translation

In essence, a tenant maps to a project and is the top-level logical container holding all the other policies. For cloud networking, Cisco CNC translates the combination of VRF and Cloud Context Profile into global VPC networks and regional subnets. In the scenario below, Cisco CNC will also translate security policies by combining cloud EPGs (Endpoint Groups) with contracts and filters into firewall rules and network tags in GCP.

By definition, a cloud EPG is a collection of endpoints sharing the same security policy; it can have endpoints in multiple subnets and is tied to a VRF.


This scenario has two VRFs: network-a and network-b. Additionally, cloud EPGs Web & App will be created and associated with contracts whose specific security policies are defined by filters. A Cloud External EPG will also be created as the Internet EPG to allow internet access on network-a.


On GCP, these policies are translated into the corresponding VPC networks, subnets, routing tables, peering, firewall rules, and network tags. Note that for this scenario, VPCs and subnets were already pre-provisioned.

High Level Architecture

Contract-based Routing

In Part 1 of this blog series, a route leak policy was created to allow inter-VRF routing between network-a and network-b. For this scenario, only contract-based routing will be enabled, which means contracts will drive routing where needed. Therefore, the route leak policy created previously was removed and the peering between the VPCs disconnected.

Contract-based Routing is a global mode configuration available in the Cloud Network Controller Setup. Note that when contract-based routing is enabled, the routes between a pair of internal VRFs can be leaked using contracts only in the absence of a route leak policy.

Contract-based Routing

Note: a brief overview of the Cisco CNC GUI was provided in Part 1.

Firewall Rules Automation

The configuration below illustrates the creation of the Web and Internet EPGs tied to network-a, along with their associated endpoint selectors. Selectors are used to assign endpoints to a Cloud EPG, and can be based on IP address, Subnet, Region, or Custom tags (using a combination of key value pairs and match expressions).

For the Web EPG, a key value pair is used with specific tags to be matched (custom: epg equals web). For the Internet EPG, a subnet selector is used allowing all traffic. Additionally, the Internet EPG needs to be of type External, as internet access will be allowed on network-a.

Create EPG
Create EPG

The Cloud EPG App configuration is not depicted for brevity but is similar to that of cloud EPG Web. However, it is tied to network-b and set with its own unique endpoint selector (custom: epg equals app).

On GCP, these policies get translated to dedicated ingress firewall rules and network tags for Web and App, as highlighted, using the following naming format: capic-<app-profile-name>-<epg-name>.

GCP Console

Note: the rebranding from Cloud APIC to Cloud Network Controller is covered in Part 1.

In the example below, cloud endpoints instantiated in GCP with labels matching the endpoint selectors are assigned the network tags and firewall rules automated by Cisco CNC.

GCP Console
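The selector evaluation described above, as an added example that is not part of the original post or of Cisco CNC: it matches endpoint selectors of the four kinds named in the text (IP, subnet, region, custom key/value with a match expression) against constructed GCP instance records and derives the capic-<app-profile>-<epg> network tag. The app profile name app1, the instance names, addresses and labels are assumptions; treating selectors within one EPG as OR-ed, and not tagging instances for an External EPG, are this example's choices.

```python
# Added example (not Cisco CNC code): evaluate Cloud EPG endpoint selectors
# against GCP instance metadata and derive the network tag CNC would apply.
# The selector kinds (IP, subnet, region, custom key/value with a match
# expression) and the tag format capic-<app-profile>-<epg> come from the
# blog text; the app profile name "app1", the instance names, IPs and labels
# below are constructed for the example.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """A cloud endpoint as discovered in GCP (constructed sample data)."""
    name: str
    ip: str
    region: str
    labels: dict = field(default_factory=dict)


@dataclass
class Selector:
    """One endpoint selector. kind is 'ip', 'subnet', 'region' or 'custom'."""
    kind: str
    value: str = ""          # address, prefix, region or label value
    key: str = ""            # label key for 'custom'
    op: str = "equals"       # 'equals' or 'in' for 'custom'
    values: tuple = ()       # candidate label values for op == 'in'

    def matches(self, ep: Endpoint) -> bool:
        if self.kind == "ip":
            return ipaddress.ip_address(ep.ip) == ipaddress.ip_address(self.value)
        if self.kind == "subnet":
            return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(self.value)
        if self.kind == "region":
            return ep.region == self.value
        if self.kind == "custom":
            label = ep.labels.get(self.key)
            if self.op == "equals":
                return label == self.value
            if self.op == "in":
                return label in self.values
        raise ValueError(f"unsupported selector {self.kind}/{self.op}")


@dataclass
class CloudEPG:
    name: str
    app_profile: str
    vrf: str
    selectors: list
    external: bool = False   # External EPGs describe prefixes, not instances

    @property
    def network_tag(self) -> str:
        return f"capic-{self.app_profile}-{self.name}"


def members(epg: CloudEPG, endpoints: list) -> list:
    """Names of endpoints matched by any of the EPG's selectors (assumed OR)."""
    return sorted(ep.name for ep in endpoints
                  if any(s.matches(ep) for s in epg.selectors))


def assign_tags(epgs: list, endpoints: list) -> dict:
    """Map endpoint name -> network tags of the internal EPGs it belongs to.
    External EPGs are skipped: they select remote prefixes, not VM instances
    (an assumption of this example)."""
    tags = {}
    for epg in epgs:
        if epg.external:
            continue
        for name in members(epg, endpoints):
            tags.setdefault(name, []).append(epg.network_tag)
    return {name: sorted(t) for name, t in tags.items()}


# Constructed sample data mirroring the blog scenario.
ENDPOINTS = [
    Endpoint("web-server", "10.10.1.2", "us-west1", {"epg": "web"}),
    Endpoint("app-server", "10.20.1.2", "us-west1", {"epg": "app"}),
    Endpoint("db-server", "10.20.1.3", "us-east1", {"epg": "db"}),
]
WEB_EPG = CloudEPG("web", "app1", "network-a",
                   [Selector("custom", key="epg", value="web")])
APP_EPG = CloudEPG("app", "app1", "network-b",
                   [Selector("custom", key="epg", value="app")])
INTERNET_EPG = CloudEPG("internet", "app1", "network-a",
                        [Selector("subnet", "0.0.0.0/0")], external=True)
EPGS = [WEB_EPG, APP_EPG, INTERNET_EPG]

if __name__ == "__main__":
    for name, tags in assign_tags(EPGS, ENDPOINTS).items():
        print(f"{name}: {' '.join(tags)}")
```

The point worth checking against a real deployment is the last instance: db-server carries a label no selector matches, so it receives no capic tag and therefore none of the automated rules apply to it. Any VM you expect to be covered by a contract must match a selector, and a typo in a label silently leaves it out.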

Associating Contracts to EPGs

Now, let's associate the web-to-app contract between the Web and App EPGs, using the concept of consumer and provider to define the direction of the rules.

Associating Contracts to EPGs

Upon associating the contract, additional ingress and egress firewall rules are programmed depending on the consumer and provider relationship specified. Specifically, these firewall rules are updated based on the security policies defined by contracts and filters. For brevity, all traffic is allowed here, but granular filters can be added per requirements; in anything beyond a demo the filter should list only the protocols and ports the application needs, since the contract is what ends up enforced by the VPC firewall. On another note, these rules are only programmed once cloud endpoints matching the rules are instantiated.

GCP VPC Firewall rules

Wait, what about peering between these VPCs? Since contract-based routing is enabled, the contract also drives routing by enabling peering and auto-generating the routes between the two VPCs accordingly.

GCP VPC network peering

Finally, let's allow internet access to the web services residing on network-a by adding the internet-access contract between the Internet and Web EPGs.

EPG Communication

As soon as the contract is associated, Cisco CNC adds an ingress firewall rule with the network tag representing the Web EPG, which allows internet access to the endpoints behind it.

GCP VPC firewall rules
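The contract translation described in the last two sections (the web-to-app contract producing ingress and egress rules plus a VPC peering, and the internet-access contract producing a single ingress rule), as an added example that is not part of the original post or of Cisco CNC. The rule layout it uses, an ingress rule on the provider's network keyed on its network tag and the consumer's addresses, an egress rule on the consumer's network, and nothing programmed until endpoints exist, is this example's reading of the blog text rather than Cisco's algorithm. Rule names, the app profile app1 and all addresses are assumptions, and the internet-access filter is narrowed to tcp/80,443 to show a granular filter where the post allows all traffic.

```python
# Added example (not Cisco CNC code): a model of how a contract between a
# consumer and a provider cloud EPG becomes GCP VPC firewall rules, and of
# which VPC peerings contract-based routing has to create. The rule layout
# (an ingress rule on the provider's network keyed on its network tag and the
# consumer's addresses, an egress rule on the consumer's network, nothing
# programmed until endpoints exist) is this example's reading of the blog
# text, not Cisco's algorithm. Rule names, the "app1" app profile and all
# addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class EPG:
    name: str
    app_profile: str
    vrf: str                  # a VRF maps to a global VPC network in GCP
    endpoints: list = field(default_factory=list)  # discovered endpoint IPs
    external: bool = False
    subnets: list = field(default_factory=list)    # prefixes of an External EPG

    @property
    def tag(self) -> str:
        return f"capic-{self.app_profile}-{self.name}"


@dataclass
class Filter:
    protocol: str             # 'tcp', 'udp', 'icmp' or 'all'
    ports: list = field(default_factory=list)


@dataclass
class Contract:
    name: str
    consumer: EPG             # side that initiates connections
    provider: EPG             # side that accepts them
    filters: list


def _allowed(filters: list) -> list:
    """Filters in the 'allowed' shape of a GCP compute firewall resource."""
    out = []
    for f in filters:
        entry = {"IPProtocol": f.protocol}
        if f.ports:
            entry["ports"] = list(f.ports)
        out.append(entry)
    return out


def _hosts(ips: list) -> list:
    return [f"{ip}/32" for ip in ips]


def firewall_rules(contract: Contract) -> list:
    """GCP firewall rules for one contract, or [] until both sides have
    endpoints (an external consumer contributes its prefixes instead)."""
    c, p = contract.consumer, contract.provider
    sources = c.subnets if c.external else _hosts(c.endpoints)
    if not sources or not p.endpoints:
        return []
    rules = [{
        "name": f"{contract.name}-ingress",
        "network": p.vrf,
        "direction": "INGRESS",
        "targetTags": [p.tag],
        "sourceRanges": sources,
        "allowed": _allowed(contract.filters),
    }]
    if not c.external:   # an internet EPG has no VMs to attach an egress rule to
        rules.append({
            "name": f"{contract.name}-egress",
            "network": c.vrf,
            "direction": "EGRESS",
            "targetTags": [c.tag],
            "destinationRanges": _hosts(p.endpoints),
            "allowed": _allowed(contract.filters),
        })
    return rules


def required_peerings(contracts: list) -> list:
    """VPC pairs that contract-based routing must peer: one per contract whose
    consumer and provider are internal EPGs in different VRFs."""
    pairs = set()
    for ct in contracts:
        a, b = ct.consumer, ct.provider
        if a.external or b.external or a.vrf == b.vrf:
            continue
        pairs.add(tuple(sorted((a.vrf, b.vrf))))
    return sorted(pairs)


# Constructed scenario: Web on network-a, App on network-b, Internet external.
WEB = EPG("web", "app1", "network-a", endpoints=["10.10.1.2"])
APP = EPG("app", "app1", "network-b", endpoints=["10.20.1.2"])
INTERNET = EPG("internet", "app1", "network-a", external=True, subnets=["0.0.0.0/0"])
WEB_TO_APP = Contract("web-to-app", WEB, APP, [Filter("all")])
INTERNET_ACCESS = Contract("internet-access", INTERNET, WEB,
                           [Filter("tcp", ["80", "443"])])

if __name__ == "__main__":
    import json
    for ct in (WEB_TO_APP, INTERNET_ACCESS):
        print(json.dumps(firewall_rules(ct), indent=2))
    print(required_peerings([WEB_TO_APP, INTERNET_ACCESS]))
```

Two things the model makes visible: the web-to-app rules only appear once both web-server and app-server have been discovered, which matches the note above that rules are programmed when matching endpoints are instantiated, and the internet-access rule opens the provider to 0.0.0.0/0 on whatever the filter says, so that filter is the one worth keeping narrow.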

From this point on, internet access to web-server is allowed, as is connectivity from the web-server to the app-server.

root@web-server:/home/marinfer# ifconfig ens4
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
        inet  netmask  broadcast
        inet6 fe80::4001:acff:fe10:102  prefixlen 64  scopeid 0x20<link>
        ether 42:01:ac:10:01:02  txqueuelen 1000  (Ethernet)
        RX packets 19988  bytes 3583929 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17707  bytes 1721956 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@web-server:/home/marinfer# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=58.3 ms
64 bytes from icmp_seq=2 ttl=64 time=56.0 ms
64 bytes from icmp_seq=3 ttl=64 time=56.0 ms
64 bytes from icmp_seq=4 ttl=64 time=56.0 ms

Cloud Resources Visibility

Using a cloud-like policy model, Cisco CNC provides a topology and hierarchical view of cloud resources on a per-tenant basis, with drill-down options. Moreover, application profile containers group together cloud EPGs and their associated contracts for easy visibility of policies and dependencies.

Cloud Resources Visibility

More granular visibility is provided all the way down to cloud endpoints. Firewall rules are also visible in the Cisco CNC GUI under Ingress and Egress Rules.

Cloud Endpoint Visibility


Defining and managing security policies can be challenging, which may result in increased operational overhead and policy inconsistency. Besides automating firewall rules in GCP and giving more visibility into them, Cisco CNC also provides an additional layer of governance from a centralized management plane.

Part 3 completes this blog series by showing how Cisco Cloud Network Controller builds and automates external cloud connectivity from and to GCP.



Cisco Cloud Network Controller for Google Cloud Installation Guides

Cisco Cloud Network Controller for Google Cloud User Guides

Blog Series: Introducing Cisco Cloud Network Controller on Google Cloud Platform

Part 1: Native Cloud Networking Automation

Part 3: External Cloud Connectivity Automation – Coming Soon





