
Cisco Cloud ACI (Azure) : External Connectivity to Internet

In our earlier article we covered the basics of Cisco Cloud ACI, MSO and the APICs. In this article we look at how an L3Out works when there are two APICs, one on-premises and one in the cloud.

For workloads deployed on Microsoft Azure, a cloud-local Internet connection (called an L3Out in Cisco ACI) is available.



L3out from Cloud itself (Azure)

Step 1: For the cloud site in Microsoft Azure, an external EPG is configured in NDO (Nexus Dashboard Orchestrator).

Step 2: When an EPG enters a contract with that cloud external EPG, NDO creates the corresponding security rules in the Azure Network Security Group so that the workloads in the EPG can reach the external network.

Step 3: Azure programs the appropriate routes into the VNet internally.
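To make Step 2 concrete, here is an added example (not code from the article or from Cisco NDO) that models how one contract between a cloud EPG and an external EPG of 0.0.0.0/0 is expressed as Azure NSG rules, and then evaluates those rules the way Azure does: lowest priority number first, first match wins, built-in default rules last. The EPG subnet, the rule names, the priority numbers and the explicit deny rule are this model's assumptions; the field names are Azure's securityRules schema. The point worth seeing is that Azure's default AllowInternetOutBound rule permits everything, so an allow-list contract is only an allow-list if an explicit deny is programmed below it.

```python
"""Model of a Cisco ACI contract (cloud EPG -> external EPG) rendered as Azure
NSG rules, plus an evaluator that applies them the way Azure does. Constructed
example; subnets, names and priorities are assumptions."""
import ipaddress

# Azure's built-in outbound default rules. They exist in every NSG and are
# evaluated after all custom rules (custom priorities run 100-4096).
AZURE_DEFAULT_OUTBOUND = [
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def _prefix_matches(prefix, ip, vnet_cidr):
    """Match an NSG address prefix (a CIDR or one of the two service tags this
    model supports) against one IP. 'Internet' is approximated as 'not inside
    the VNet'; the real tag also excludes other Azure-owned ranges."""
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    vnet = ipaddress.ip_network(vnet_cidr)
    if prefix == "VirtualNetwork":
        return addr in vnet
    if prefix == "Internet":
        return addr not in vnet
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    """Azure port ranges are '*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_matches(rule_proto, proto):
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def nsg_rules_for_contract(epg_subnet, ext_epg_subnet, filter_entries, base_priority=100):
    """Render outbound NSG rules for 'EPG consumes the contract provided by the
    external EPG': one Allow per filter entry (protocol, port), then a Deny for
    any other Internet-bound traffic so the contract keeps its allow-list
    meaning against Azure's permissive default. Naming/priorities are assumed."""
    rules = []
    for i, (proto, port) in enumerate(filter_entries):
        rules.append({
            "name": f"contract-allow-{proto.lower()}-{port}",
            "priority": base_priority + i,
            "direction": "Outbound", "access": "Allow", "protocol": proto,
            "sourceAddressPrefix": epg_subnet, "sourcePortRange": "*",
            "destinationAddressPrefix": ext_epg_subnet,
            "destinationPortRange": str(port),
        })
    rules.append({
        "name": "contract-deny-other-internet",
        "priority": 4000,  # below any allow, above the 65000+ defaults
        "direction": "Outbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": epg_subnet, "sourcePortRange": "*",
        "destinationAddressPrefix": "Internet", "destinationPortRange": "*",
    })
    return rules


def outbound_allowed(custom_rules, src_ip, dst_ip, proto, port, vnet_cidr):
    """Evaluate an outbound flow as Azure does: sort by priority, first matching
    rule decides, built-in defaults last. NSGs are stateful, so the return
    traffic needs no inbound rule."""
    ordered = sorted(list(custom_rules) + AZURE_DEFAULT_OUTBOUND, key=lambda r: r["priority"])
    for r in ordered:
        if (r.get("direction", "Outbound") == "Outbound"
                and _prefix_matches(r.get("sourceAddressPrefix", "*"), src_ip, vnet_cidr)
                and _prefix_matches(r["destinationAddressPrefix"], dst_ip, vnet_cidr)
                and _proto_matches(r["protocol"], proto)
                and _port_matches(r["destinationPortRange"], port)):
            return r["access"] == "Allow"
    return False  # not reachable: DenyAllOutBound matches everything


if __name__ == "__main__":
    vnet = "10.10.0.0/16"                          # assumed VNet prefix
    rules = nsg_rules_for_contract("10.10.1.0/24", "0.0.0.0/0", [("Tcp", 443), ("Tcp", 80)])
    for r in rules:
        print(r["priority"], r["access"], r["protocol"], r["destinationPortRange"], r["name"])
    print("web :", outbound_allowed(rules, "10.10.1.5", "93.184.216.34", "Tcp", 443, vnet))
    print("ssh :", outbound_allowed(rules, "10.10.1.5", "93.184.216.34", "Tcp", 22, vnet))
    print("ssh, no contract rules:", outbound_allowed([], "10.10.1.5", "93.184.216.34", "Tcp", 22, vnet))
```

The last line of the demo is the caveat: with no contract rules at all, Azure's defaults still allow SSH out to the Internet. On a real deployment, compare what NDO programmed against this expectation with `az network nic list-effective-nsg` on the workload's NIC.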

In other environments, traffic must transit to an on-premises site and be inspected by a firewall/IDS/IPS before it can exit to, or enter from, the Internet.

L3out from on-Prem

An on-premises L3Out can be defined as the traffic exit and associated with the cloud endpoints via an EPG; in other words, a contract can associate cloud endpoints with an on-premises L3Out as their Internet exit.

When the administrator configures a cloud-local L3Out in the Microsoft Azure environment, the Azure Virtual Machines in the VNet communicate directly with the Internet, subject to the policy settings.

Alternatively, the administrator can define a Cisco ACI L3Out on-premises and force the cloud instances to use it. Traffic from the Azure Virtual Machines is then routed through VPN tunnels to the Cisco CSR 1000V Series router and carried on-premises over a VXLAN tunnel encrypted with IPsec.

In that design the on-premises Cisco ACI L3Out is the exit for traffic instead of direct Internet access from the VNet.

Once it reaches the on-premises site, the traffic can be subjected to whatever inspection Cisco ACI policy requires, and only after inspection does it exit to the Internet.
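The difference between the two designs shows up in the VNet's route table, and that is also where the design quietly breaks. The following added example (not from the article or from Cisco) models the cloud-local and on-premises egress designs as Azure route-table entries, resolves a destination the way Azure does (longest prefix wins, a user-defined route beats the system route on an equal prefix) and audits a table that is supposed to force all egress through the on-premises L3Out. The VNet prefix, the CSR address and the test destinations are assumptions.

```python
"""Model of the two Internet-egress designs as Azure route-table entries, with an
audit for the 'forced on-premises L3Out' design. Constructed example; the VNet
prefix and the CSR address are assumptions, not values from the page."""
import ipaddress

VNET_CIDR = "10.10.0.0/16"
CSR_INSIDE_IP = "10.200.0.4"   # assumed inside address of the CSR 1000V that tunnels on-prem

# Azure installs this system route in every subnet: any destination without a
# more specific route leaves directly to the Internet.
SYSTEM_DEFAULT_ROUTE = {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}

# Cloud-local L3Out: nothing overrides the system default, VMs exit directly.
CLOUD_LOCAL_L3OUT = [
    {"addressPrefix": VNET_CIDR, "nextHopType": "VnetLocal"},
]

# On-prem L3Out: a user-defined route steers the default into the CSR, which
# carries the traffic to the on-premises site over the IPsec-protected tunnel.
ONPREM_L3OUT = [
    {"addressPrefix": VNET_CIDR, "nextHopType": "VnetLocal"},
    {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": CSR_INSIDE_IP},
]


def effective_next_hop(user_routes, dst_ip):
    """Longest-prefix match over user-defined routes plus the system default.
    On an equal prefix a user-defined route beats the system route, which is
    why the system default is appended last and ties keep the first hit."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in list(user_routes) + [SYSTEM_DEFAULT_ROUTE]:
        net = ipaddress.ip_network(route["addressPrefix"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def audit_forced_onprem_egress(user_routes):
    """Findings for a route table meant to force all Internet egress through the
    on-premises L3Out. Two things go wrong in practice: the default route was
    never overridden, or a more specific route points at 'Internet' and wins
    longest-prefix match, so that traffic skips the firewall/IDS/IPS."""
    findings = []
    if not any(r["addressPrefix"] == "0.0.0.0/0" and r["nextHopType"] == "VirtualAppliance"
               for r in user_routes):
        findings.append("0.0.0.0/0 is not steered to a VirtualAppliance; "
                        "the system route sends egress straight to the Internet")
    for r in user_routes:
        if r["nextHopType"] == "Internet":
            findings.append(f"{r['addressPrefix']} -> Internet bypasses the on-prem inspection path")
    return findings


if __name__ == "__main__":
    probe = "93.184.216.34"   # arbitrary public destination for the demo
    for label, table in (("cloud-local", CLOUD_LOCAL_L3OUT), ("on-prem", ONPREM_L3OUT)):
        hop = effective_next_hop(table, probe)
        print(f"{label:12} {probe} -> {hop['nextHopType']} {hop.get('nextHopIpAddress', '')}")
        print(f"{label:12} audit: {audit_forced_onprem_egress(table) or 'clean'}")
    # A more specific route added later (by hand or by another tool) wins over
    # the default and silently exempts that prefix from inspection.
    leaky = ONPREM_L3OUT + [{"addressPrefix": "93.184.216.0/24", "nextHopType": "Internet"}]
    print("leaky       ", effective_next_hop(leaky, probe)["nextHopType"], audit_forced_onprem_egress(leaky))
```

To run the same audit against a live VM instead of the constructed tables, pull the NIC's effective routes with `az network nic show-effective-route-table` and feed the entries to `audit_forced_onprem_egress`; any `Internet` next hop in that output is a path that never sees the on-premises firewall.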