The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You create the Cisco Cloud APIC components using either the Cisco Cloud APIC GUI or the REST API. This section explains how to create configuration, application management, operations, and administrative components.
 Note |
|
Configuring the Cisco Cloud APIC Using the GUI
This section explains how to create a tenant using the Cisco Cloud APIC GUI.
You can create a tenant that is managed by the Cisco Cloud APIC or a tenant that is unmanaged. To establish a managed tenant, you must first obtain the Azure subscription ID from the Azure portal. You enter the subscription ID in the appropriate field of the Cisco Cloud APIC when creating the tenant. Before you can use the managed tenant, you must explicitly grant the Cisco Cloud APIC permission to manage the subscription. The steps for doing so are displayed in the Cisco Cloud APIC GUI during tenant creation. The steps for the infra tenant, however, are displayed in the infra tenant details view:
Click the Navigation menu > Application Management subtab.
Double-click the infra tenant.
Click View Azure Role Assignment Command. The steps for granting the Cisco Cloud APIC permission to manage the subscription are displayed.
Note |
For information about obtaining the Azure subscription ID, see the Microsoft Azure documentation. |
Creating an unmanaged tenant requires obtaining a directory (Azure Tenant) ID, an Azure enterprise application ID, and a client secret from the enterprise application. For more information, see the Microsoft Azure documentation.
Note |
Cloud APIC does not disturb Azure resources created by other applications or users. It only manages the Azure resources created by itself. |
The required steps to explicitly grant the Cisco Cloud APIC permission to manage a given subscription are located in the Cisco Cloud APIC GUI. When creating a tenant, the steps are displayed after entering the client secret.
Cloud APIC enforces ownership checks to prevent deployment of policies in the same tenant-region combination done either intentionally or by mistake. For example, assume that Cloud APIC is deployed in Azure subscription IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment i.e. account-region combination TA1-R2 is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in Azure subscription IA2 deployed in region R3), this will not be allowed because the current owner for the deployment TA1-R2 is IA1-R1. In other words, only one account in one region can be managed by one Cloud APIC. Example below shows some valid and wrong deployment combinations.
Capic1:
IA1-R1: TA1-R1 - ok
TA1-R2 - ok
Capic2:
IA1-R2: TA1-R1 - not allowed
TA1-R3 - ok
Capic3:
IA2-R1: TA1-R1 - not allowed
TA1-R4 - ok
TA2-R4 - okOwnership enforcement is done using Azure Resource Groups. When a new tenant in subscription TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (e.g. CAPIC_123456789012__eastus2) is created in the subscription. This Resource Group has a resource tag AciOwnerTag with value IA1_R1_TA1_R2, assuming it was managed by Cloud APIC in subscription IA1 and deployed in region R1. If the AciOwnerTag mismatch happens, tenant-region management is aborted.
Here is a summary of AciOwnerTag mismatch cases:
Initially Cloud APIC is installed in a subscription, and then taken down and Cloud APIC is installed in a different subscription. All existing tenant-region deployment will fail.
Another Cloud APIC is managing the same tenant-region.
In ownership mismatch cases, retry (to setup tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, logon to the tenant's Azure subscription and manually remove the affected Resource Group (for example: CAPIC_123456789012__eastus2). Next, reload Cloud APIC or delete and add the tenant again.
Prior to release 5.2(1), support varied for the method that could be used to access Azure resources, depending on the type of tenant:
Infra tenants: Prior to release 5.2(1), support is only available for managed identity when dealing with authorization or credentials.
User tenants: Support is available for both managed identity and unmanaged identity/service principal when dealing with authorization or credentials.
Beginning with release 5.2(1), for both the infra tenants and the user tenants, support is now available for both managed identity and unmanaged identity/service principal when dealing with authorization or credentials.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||||||||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears. |
||||||||||||||||||||||||||||||||||||||||
| Step 4 |
Choose the appropriate options and enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table then continue.
|
||||||||||||||||||||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||||||||||||||||||||
This section explains how to create an application profile using the Cisco Cloud APIC GUI.
Create a tenant.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
| Step 3 |
From the Application Management list in the Intent menu, click Create Application Profile. The Create Application Profile dialog box appears. |
| Step 4 |
Enter a name in the Name field. |
| Step 5 |
Choose a tenant: |
| Step 6 |
Enter a description in the Description field. |
| Step 7 |
Click Save when finished. |
This section explains how to create a VRF using the Cisco Cloud APIC GUI.
Create a tenant.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create VRF. The Create VRF dialog box appears. |
||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create VRF Dialog Box Fields table then continue.
|
||||||||||
| Step 5 |
When finished, click Save. |
||||||||||
Use the procedures in this section to create an application EPG, an external EPG, or a service EPG. The available configuration options vary, depending on which type of EPG you are creating.
This section explains how to create an application EPG using the Cisco Cloud APIC GUI. Each service needs at least one consumer EPG and one provider EPG.
Note |
Beginning with Release 5.0(2), Cisco Cloud APIC creates the overlay-2 VRF in the infra tenant by default during the bring up, along with the overlay-1 VRF. In addition, beginning with Release 5.0(2), you can create cloud EPGs and cloud external EPGs in the infra tenant, where all the cloud EPGs and cloud external EPGs will be associated with the overlay-2 VRF in the infra tenant. A cloud EPG in the overlay-2 VRF can communicate with other cloud EPGs and cloud external EPGs in the overlay-2 VRF, and can also communicate with cloud EPGS in other user tenant VRFs. We recommend that you do not use existing "cloud-infra" application profiles, and instead create a new application profile in the infra tenant and associate that new application profile to the cloud EPGs and cloud external EPGs in the overlay-2 VRF. |
Create an application profile and a VRF.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create EPG. The Create EPG dialog box appears. |
||||||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create EPG Dialog Box Fields table then continue.
|
||||||||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||||||||
This section explains how to create an external EPG using the Cisco Cloud APIC GUI. Each service needs at least one consumer EPG and one provider EPG.
Note |
Beginning with Release 5.0(2), Cisco Cloud APIC creates the overlay-2 VRF in the infra tenant by default during the bring up, along with the overlay-1 VRF. In addition, beginning with Release 5.0(2), you can create cloud EPGs and cloud external EPGs in the infra tenant, where all the cloud EPGs and cloud external EPGs will be associated with the overlay-2 VRF in the infra tenant. A cloud EPG in the overlay-2 VRF can communicate with other cloud EPGs and cloud external EPGs in the overlay-2 VRF, and can also communicate with cloud EPGS in other user tenant VRFs. We recommend that you do not use existing "cloud-infra" application profiles, and instead create a new application profile in the infra tenant and associate that new application profile to the cloud EPGs and cloud external EPGs in the overlay-2 VRF. |
Create an application profile and a VRF.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create EPG. The Create EPG dialog box appears. |
||||||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create EPG Dialog Box Fields table then continue.
|
||||||||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||||||||
Use the procedures in the following sections to create a service EPG.
Before you can configure a service EPG, there are certain tasks that you might have to perform beforehand. If you are using subnets or private link labels with your service EPG, you must first configure the subnets and/or private link label outside of the service EPG.
| Step 1 |
Create a VRF, if necessary. |
||||||||||||||||||||||
| Step 2 |
Configure a cloud context profile. |
||||||||||||||||||||||
| Step 3 |
Enter the appropriate values in each field as listed in the following Cloud Context Profile Dialog Box Fields table then continue.
|
||||||||||||||||||||||
| Step 4 |
Click Save. |
||||||||||||||||||||||
This section explains how to create a service EPG using the Cisco Cloud APIC GUI. Each service needs at least one consumer EPG and one provider EPG.
Review the information in Cloud Service Endpoint Groups.
Verify that you have the NSG-per-subnet configuration enabled.
You must have the NSG-per-subnet configuration enabled if you are configuring cloud service EPGs. See Security Groups for more information.
Create an application profile and a VRF.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create EPG. The Create EPG dialog box appears. |
||||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create EPG Dialog Box Fields table then continue.
|
||||||||||||||||||||||||||
| Step 5 |
Enter the necessary information in the Endpoint Selector area, depending on the selection you made in the Deployment Type field:
|
||||||||||||||||||||||||||
Use the procedures in this section to configure Cloud Native as the deployment type for the service EPG.
Review the information provided in Cloud Native to understand tasks that you might have to perform prior to using these instructions.
| Step 1 |
Verify that you have completed the steps in Creating a Service EPG Using the Cisco Cloud APIC GUI before beginning these procedures. These procedures are a continuation of the procedures provided in Creating a Service EPG Using the Cisco Cloud APIC GUI, where you would have set a service type, such as |
| Step 2 |
If you selected Private as the access type, the Select Private Link Label option becomes available. A private link label is used to associate the subnets to the service EPGs. |
| Step 3 |
Click Select Private Link Label. The Select Private Link Label window appears. |
| Step 4 |
Search for the appropriate private link label. Search for the private link label that you created using the procedures provided in Tasks To Perform Prior to Configuring Service EPGs. |
| Step 5 |
In the Select Private Link Label window, select the appropriate private link label. You are returned to the Create EPG window. Next, add an endpoint selector in the Endpoint Selectors field. |
| Step 6 |
Click Add Endpoint Selector. The Add Endpoint Selector window appears. |
| Step 7 |
In the Add Endpoint Selector window, enter a name in the Name field. |
| Step 8 |
Click the Key drop-down list to choose a key. The options are:
|
| Step 9 |
Click the Operator drop-down list to choose an operator. The options are:
|
| Step 10 |
Enter a value in the Value field then click the check mark to validate the entries. The value you enter depends on the choices you made for the Key and Operator fields. For example, if the Key field is set to IP and the Operator field is set to equals, the Value field must be an IP address or subnet. However, if the Operator field is set to has key, the Value field is disabled. |
| Step 11 |
When finished, click the check mark to validate the selector expression. |
| Step 12 |
Determine if you want to create additional endpoint selector expressions for the endpoint selector. If you create more than one expression under a single endpoint selector, a logical AND exists between those expressions. For example, assume you created two sets of expressions under a single endpoint selector:
In this case, if both of these expressions are true (if the region is |
| Step 13 |
Click the check mark after every additional expression that you want to create under this endpoint selector, then click Add when finished. You are returned to the Create EPG screen, with the new endpoint selector and the configured expressions shown. |
| Step 14 |
If you want to create additional endpoint selectors, click Add Endpoint Selector again and repeat these steps to create additional endpoint selectors. If you create more than one endpoint selector under an EPG, a logical OR exists between those endpoint selectors. For example, assume you had created endpoint selector 1 as described in the previous step, and then you created a second endpoint selector as described below:
In this case:
Then that end point is assigned to the service EPG. |
| Step 15 |
Click Save when finished. |
Use the procedures in this section to configure Cloud Native Managed as the deployment type for the service EPG.
Review the information provided in Cloud Native Managed to understand tasks that you might have to perform prior to using these instructions.
| Step 1 |
Verify that you have completed the steps in Creating a Service EPG Using the Cisco Cloud APIC GUI before beginning these procedures. These procedures are a continuation of the procedures provided in Creating a Service EPG Using the Cisco Cloud APIC GUI, where you would have set a service type, such as |
||
| Step 2 |
Click Add Endpoint Selector. The Add Endpoint Selector window appears. |
||
| Step 3 |
In the Add Endpoint Selector window, enter a name in the Name field. |
||
| Step 4 |
Click the Key drop-down list to choose a key. At this time, IP is the only option available as a key for this access type.
|
||
| Step 5 |
Click the Operator drop-down list to choose an operator. The options are:
|
||
| Step 6 |
Enter the appropriate IP address or a subnet in the Value field then click the check mark to validate the entries. Enter the IP address or subnet that you created using the procedures provided in Tasks To Perform Prior to Configuring Service EPGs. |
||
| Step 7 |
When finished, click the check mark to validate the selector expression. |
||
| Step 8 |
Determine if you want to create additional endpoint selector expressions to the endpoint selector. If you create more than one expression under a single endpoint selector, a logical AND exists between those expressions. For example, assume you created two sets of expressions under a single endpoint selector:
In this case, if both of these expressions are true (if the IP address belongs to subnet 192.1.1.1/24 AND the IP address is not 192.1.1.2), then that endpoint is assigned to the service EPG. |
||
| Step 9 |
Click the check mark after every additional expression that you want to create under this endpoint selector, then click Add when finished. You are returned to the Create EPG screen, with the new endpoint selector and the configured expressions shown. |
||
| Step 10 |
If you want to create additional endpoint selectors, click Add Endpoint Selector again and repeat these steps to create additional endpoint selectors. If you create more than one endpoint selector under an EPG, a logical OR exists between those endpoint selectors. For example, assume you had created endpoint selector 1 as described in the previous step, and then you created a second endpoint selector as described below:
In this case:
Then that end point is assigned to the service EPG. |
||
| Step 11 |
Click Save when finished. |
Use the procedures in this section to configure Third-Party as the deployment type for the service EPG.
Note |
You must choose Custom as the Service Type if you choose Third-Party as the Deployment Type. |
| Step 1 |
Verify that you have completed the steps in Creating a Service EPG Using the Cisco Cloud APIC GUI before beginning these procedures. These procedures are a continuation of the procedures provided in Creating a Service EPG Using the Cisco Cloud APIC GUI, where you would have set the service type as |
| Step 2 |
Make the necessary selections for the access type for the Third-Party deployment type. Private is the only option available to you as an access type. This means that you will use only private endpoints to the service, if the service offers it. The Select Private Link Label option becomes available with this access type. A private link label is used to associate the subnets to the service EPGs. |
| Step 3 |
Search for the appropriate private link label. Search for the private link label that you created using the procedures provided in Tasks To Perform Prior to Configuring Service EPGs. |
| Step 4 |
In the Select Private Link Label window, select the appropriate private link label. You are returned to the Create EPG window. Next, add an endpoint selector in the Endpoint Selectors field. |
| Step 5 |
Click Add Endpoint Selector. The Add Endpoint Selector window appears. |
| Step 6 |
In the Add Endpoint Selector window, enter a name in the Name field. |
| Step 7 |
Click the Key drop-down list to choose a key. At this time, URL is the only option available as a key for this access type, where you will use the alias or fully qualified domain name (FQDN) that identifies the service for the endpoint selector. |
| Step 8 |
Click the Operator drop-down list to choose an operator. The options are:
|
| Step 9 |
Enter a valid URL in the Value field then click the check mark to validate the entries. |
| Step 10 |
When finished, click the check mark to validate the selector expression, then click Add. You are returned to the Create EPG screen, with the new endpoint selector and the configured expression shown. |
| Step 11 |
If you want to create additional endpoint selectors, click Add Endpoint Selector again and repeat these steps to create additional endpoint selectors. If you create more than one endpoint selector under an EPG, a logical OR exists between those endpoint selectors. For example, assume you created two endpoint selectors as described below:
In this case:
Then that end point is assigned to the service EPG. |
| Step 12 |
Click Save when finished. |
This section explains how to create a filter using the Cisco Cloud APIC GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create Filter. The Create Filter dialog box appears. |
||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Filter Dialog Box Fields table then continue.
|
||||||||||||||
| Step 5 |
When finished, click Save. |
This section explains how to create a contract using the Cisco Cloud APIC GUI.
Create filters.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create Contract. The Create Contract dialog box appears. |
||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Contract Dialog Box Fields table then continue.
|
||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||
This section explains how to create an inter-tenant contract using the Cisco Cloud APIC GUI. See Shared Services for more information on situations where you might want to create an inter-tenant contract.
Create filters.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create Contract. The Create Contract dialog box appears. |
||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Contract Dialog Box Fields table then continue.
|
||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||
| Step 6 |
Export the contract that you just created to another tenant. For example, assume the following:
|
||||||||||||||||
| Step 7 |
Configure the first tenant's EPG as the provider EPG, with the original contract, as the first part of the EPG communication configuration. |
||||||||||||||||
| Step 8 |
Configure the second tenant's EPG as the consumer EPG, with the exported contract, as the second part of the EPG communication configuration. |
||||||||||||||||
As described in Security Groups, the way the network security groups are configured differ, depending on the release:
For releases prior to Release 5.1(2), there is a one-to-one mapping between NSGs in Azure and EPGs on Cisco Cloud APIC (these configurations are also referred to as NSG-per-EPG configurations throughout this document).
Beginning with Release 5.1(2), in addition to the existing NSG-per-EPG configurations available previously, NSGs in Azure can also have a one-to-one mapping with subnets rather than EPGs on Cisco Cloud APIC (these configurations are also referred to as NSG-per-subnet configurations throughout this document).
Note |
You can have either the newer NSG-per-subnet configuration or the older NSG-per-EPG configuration in your Cisco Cloud APIC. You cannot have both configurations in the same Cisco Cloud APIC system. |
These procedures describe how to select either the newer NSG-per-subnet configuration or the older NSG-per-EPG configuration for your Cisco Cloud APIC for Release 5.1(2) or later.
Review the information provided in Security Groups to better understand how security groups are configured, depending on the release, and to understand the guidelines and limitations for security groups.
| Step 1 |
Log in to the Cloud APIC, if you are not logged in already. |
|||||||||||||
| Step 2 |
In the left navigation bar, navigate to . The General tab is displayed by default. |
|||||||||||||
| Step 3 |
In the General area in the System Configuration window, locate the Network Security Group at Subnet Level field. 
|
|||||||||||||
| Step 4 |
Determine the current setting for the Network Security Group at Subnet Level field.
|
|||||||||||||
| Step 5 |
Determine if you want to change the setting for the Network Security Group at Subnet Level field or leave it as-is.
|
|||||||||||||
| Step 6 |
If you have to change the setting in the Network Security Group at Subnet Level field, click the pencil icon in the upper right corner of the field. The Settings window for Network Security Group at Subnet Level appears. 
|
|||||||||||||
| Step 7 |
Make the necessary changes in this window.
|
|||||||||||||
| Step 8 |
Click Save after you have made the necessary changes in the Network Security Group at Subnet Level window. The General area in the System Configuration window appears again, and the setting in the Network Security Group at Subnet Level field reflects the change that you made in the previous step. |
| Step 1 |
Log into your Cisco Cloud APIC GUI, if you aren't logged in already. |
| Step 2 |
Navigate to . The Security Groups window appears. |
| Step 3 |
Click on the Network Security Groups (NSG) tab or the Application Security Groups ASG tab, depending on which type of security group that you want to get details on. The following information is provided in each tab:
|
| Step 4 |
Click on the value in any of the columns to get more detailed information. For example, clicking on a value in the Name column in the Network Security Groups tab will being up more detailed information about that particular network security group. In this window, clicking on the Details icon ( |
This section explains how to specify an EPG as a consumer or a provider.
You have configured a contract.
You have configured an EPG.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Configuration. A list of Configuration options appears in the Intent menu. |
| Step 3 |
From the Configuration list in the Intent menu, click EPG Communication. The EPG Communication dialog box appears with the Consumer EPGs, Contract, and Provider EPGs information. |
| Step 4 |
To choose a contract:
|
| Step 5 |
To add a consumer EPG: |
| Step 6 |
To add a provider EPG: |
This section explains how to create a cloud context profile using the Cisco Cloud APIC GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu. |
||||||||||||||||||||||||
| Step 3 |
From the Application Management list in the Intent menu, click Create Cloud Context Profile. The Create Cloud Context Profile dialog box appears. |
||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Cloud Context Profile Dialog Box Fields table then continue.
|
||||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||||
When you configure endpoint selectors for Cisco Cloud APIC, you will also need to configure the virtual machines that you will need in Azure that will correspond with the endpoint selectors that you configure for Cisco Cloud APIC.
This topic provides the requirements for configuring the virtual machines in Azure. You can use these requirements to configure the virtual machines in Azure either before you configure the endpoint selectors for Cisco Cloud APIC or afterward. For example, you might go to your account in Azure and create a custom tag or label in Azure first, then create an endpoint selector using a custom tag or label in Cisco Cloud APIC afterward. Or you might create an endpoint selector using a custom tag or label in Cisco Cloud APIC first, then go to your account in Azure and create a custom tag or label in Azure afterward.
You must configure a cloud context profile as part of the Azure virtual machine configuration process. When you configure a cloud context profile, the configurations, such as the VRF and region settings, are pushed out to Azure afterward.
| Step 1 |
Review your cloud context profile configuration to get the following information:
To obtain the cloud context profile configuration information: |
||
| Step 2 |
Log in to the Azure portal account for the Cisco Cloud APIC user tenant and begin creating an Azure VM using the information you gathered from the cloud context profile configuration.
|
This section explains how to create a backup configuration.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Operations. A list of Operations options appear in the Intent menu. |
||||||||||||||||||||
| Step 3 |
From the Operations list in the Intent menu, click Create Backup Configuration. The Create Backup Configuration dialog box appears. |
||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Backup Configuration Dialog Box Fields table then continue.
|
||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||
This section explains how to create a tech support policy.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Operations. A list of Operations options appear in the Intent menu. |
||||||||||||||||
| Step 3 |
From the Operations list in the Intent menu, click Create Tech Support. The Create Tech Support dialog box appears. |
||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Tech Support Dialog Box Fields table then continue.
|
||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||
This section explains how to create a scheduler, which would be in User Laptop Browser local time and will be converted to the Cisco Cloud APIC default UTC time.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Operations. A list of Operations options appear in the Intent menu. |
||||||||||||||
| Step 3 |
From the Operations list in the Intent menu, click Create Scheduler. The Create Scheduler dialog box appears. |
||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Scheduler Dialog Box Fields table then continue.
|
||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||
This section explains how to create a remote location using the Cisco Cloud APIC.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Operations. A list of Operations options appear in the Intent menu. |
||||||||||||||||||||||||||||||
| Step 3 |
From the Operations list in the Intent menu, click Create Remote Location. The Create Remote Location dialog box appears. |
||||||||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Remote Location Dialog Box Fields table then continue.
|
||||||||||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||||||||||
This section explains how to create a login domain using the Cisco Cloud APIC GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu. |
||||||||||||||||
| Step 3 |
From the Administrative list in the Intent menu, click Create Login Domain. The Create Login Domain dialog box appears. |
||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Login Domain Dialog Box Fields table then continue.
|
||||||||||||||||
| Step 5 |
Click Save when finished. |
A security domain restricts the tenant to the security domains that you add. If you do not add a security domain, all security domains will have access to this tenant. This section explains how to create a security domain using the GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu. |
| Step 3 |
From the Administrative list in the Intent menu, click Security > Security Domains > Create Security Domain. The Create Security Domain dialog box appears. |
| Step 4 |
In the Name field, enter the name of the security domain. |
| Step 5 |
In the Description field, enter a description of the security domain. |
| Step 6 |
Set the Restricted Domain control to Yes or No. If the security domain is configured as a restricted domain (Yes), users who are assigned to this domain will not be able to see policies, profiles, or users configured in other security domains. |
| Step 7 |
Click Save when finished. |
This section explains how to create a role using the Cisco Cloud APIC GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu. |
||||||||||||
| Step 3 |
From the Administrative list in the Intent menu, click Create Role. The Create Role dialog box appears. |
||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Role Dialog Box Fields table then continue.
|
||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||
This section explains how to create a certificate authority using the GUI.
Have the certificate chain.
If the certificate authority is for a tenant, create the tenant.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appears in the Intent menu. |
||||||||||||||
| Step 3 |
From the Administrative list in the Intent menu, click Create Certificate Authority. The Create Certificate Authority dialog box appears. |
||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Certificate Authority Dialog Box Fields table then continue.
|
||||||||||||||
| Step 5 |
Click Save when finished. |
This section explains how to create a key ring using the Cisco Cloud APIC GUI.
Create a certificate authority.
Have a certificate.
If the key ring is for a specific tenant, create the tenant.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu. |
||||||||||||||||||||||
| Step 3 |
From the Administrative list in the Intent menu, click Create Key Ring. The Create Key Ring dialog box appears. |
||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Key Ring Dialog Box Fields table then continue.
|
||||||||||||||||||||||
| Step 5 |
Click Save when finished. |
||||||||||||||||||||||
This section explains how to create a local user using the Cisco Cloud APIC GUI.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||||||||||||||||||||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu. |
||||||||||||||||||||||||
| Step 3 |
From the Administrative list in the Intent menu, click Create Local User. The Create Local User dialog box appears. |
||||||||||||||||||||||||
| Step 4 |
Enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields table then continue.
|
||||||||||||||||||||||||
| Step 5 |
Click Advanced Settings and enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields: Advanced Settings table then continue.
|
||||||||||||||||||||||||
| Step 6 |
Click Save when finished. |
||||||||||||||||||||||||
Regions are configured during the first-time setup. When configured, you specify the regions that are managed by Cisco Cloud APIC and the region's inter-site and inter-region connectivity. This section explains how to manage regions with the cloud template using the Cisco Cloud APIC GUI after the initial installation.
For more information about cloud templates, see About the Cloud Template.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Configuration. A list of options appear in the Intent menu. |
||||
| Step 3 |
From the Configuration list in the Intent menu, click cAPIC Setup. |
||||
| Step 4 |
For Region Management, click Edit Configuration. |
||||
| Step 5 |
If you want inter-site connectivity, click to place a check mark in the Enabled box in the Inter-Site Connectivity area. |
||||
| Step 6 |
To choose a region that you want to be managed by the Cisco Cloud APIC, click to place a check mark in check box of that region. |
||||
| Step 7 |
To deploy cloud routers locally to this region, click to place a check mark in the Cloud Routers check box for that region. |
||||
| Step 8 |
To configure the fabric infra connectivity for the cloud site, click Next. |
||||
| Step 9 |
To add a subnet pool for the CSRs, click Add Subnet Pool for Cloud Router and enter the subnet in the text box.
|
||||
| Step 10 |
Enter a value in the BGP Autonomous System Number for CSRs field. The BGP ASN can be in the range of 1 - 65534. |
||||
| Step 11 |
In the Assign Public IP to CSR Interface field, determine if you want to have a public or a private IP address assigned to the CSR interface. Note that CSRs require a public IP address for intersite communication.
Beginning with release 5.1(2), both the public and private IP addresses assigned to a CSR are displayed with the other details of the router in the Cloud Resources area. If a public IP is not assigned to a CSR, only the private IP is displayed. |
||||
| Step 12 |
To chose the number of routers per region, click the Number of Routers Per Region drop-down list and click 2, 3, 4, 6, or 8. |
||||
| Step 13 |
Enter a username in the Username text box.
|
||||
| Step 14 |
Enter a password in the Password and Confirm Password text boxes. |
||||
| Step 15 |
To choose the throughput value, click the Throughput of the routers drop-down list. Currently, the maximum supported CSR throughput speed available for Cisco Cloud APIC is 5GB. Even though 7.5GB and 10GB options are available in the Throughput of the routers field, those throughput speeds are not supported at this time, so do not select the 7.5GB and 10GB options in the Throughput of the routers field.
|
||||
| Step 16 |
Enter the necessary information in the TCP MSS field, if applicable. Beginning with Release 4.2(4q), the TCP MSS option is available to configure the TCP maximum segment size (MSS). This value will be applied to all cloud router tunnel interfaces, including VPN tunnels towards the cloud and external tunnels towards the on-premises site or other cloud sites. For VPN tunnels towards the cloud, if the cloud provider's MSS value is less than the value that you enter in this field, then the lower value is used; otherwise, the value that you enter in this field is used. The MSS value affects only TCP traffic, and has no impact on other types of traffic, such as ping traffic. |
||||
| Step 17 |
(Optional) To specify the license token, enter the product instance registration token in the License Token text box.
|
||||
| Step 18 |
Click Next.
|
||||
| Step 19 |
To enter a peer public IP address of the IPsec Tunnel peer on-premises in the text box, click Add Public IP of IPSec Tunnel Peer. |
||||
| Step 20 |
Enter the OSPF area ID in the OSPF Area Id text box. |
||||
| Step 21 |
To add an external subnet pool, click Add External Subnet and enter a subnet pool in the text box. |
||||
| Step 22 |
When you have configured all the connectivity options, click Next at the bottom of the page. The Cloud Resource Naming Rules page appears. |
||||
| Step 23 |
In the Cloud Resource Naming Rules page, configure the cloud resource naming rules, if necessary. The cloud resource naming rules are described in detail in the Cloud Resources Naming section. If you don't need to make any changes to the naming rules, you can skip this page. |
||||
| Step 24 |
Click Save and Continue when finished. |
This task demonstrates how to set up smart licensing in the Cisco Cloud APIC.
You need the product instance registration token.
| Step 1 |
Click the Intent icon. The Intent menu appears. |
||
| Step 2 |
Click the drop-down arrow below the Intent search box and choose Configuration. A list of options appear in the Intent menu. |
||
| Step 3 |
From the Configuration list in the Intent menu, click Set Up cAPIC. The Set up - Overview dialog box appears with options for DNS Servers, Region Management, and Smart Licensing. |
||
| Step 4 |
To register the Cloud APIC to Cisco's unified license management system: From Smart Licensing, click Register. The Smart Licensing dialog appears. |
||
| Step 5 |
Choose a transport setting:
|
||
| Step 6 |
Enter the product instance registration token in the provided text box. |
||
| Step 7 |
Click Register when finished. |
Prior to Cloud APIC Release 5.0(2), the cloud resources created by the Cloud APIC in Azure were assigned names that were derived from the names of the ACI objects:
Resource groups were created based on the Tenant, VRF, and region. For example, CAPIC_<tenant>_<vrf>_<region>.
VNET names matched the name of the Cloud APIC VRF.
Subnet names were derived from the CIDR address space. For example, subnet-10.10.10.0_24 for the 10.10.10.0/24 cloud subnet.
The cloud application name was derived from the EPG name and the application profile name. For example, <epg-name>_cloudapp_<app-profile-name>
This approach is not ideal for deployments with strict cloud resource naming conventions and it does not follow the Azure best practices for naming and tagging of cloud resources.
Starting with Cloud APIC Release 5.0(2), you can create a global naming policy on the Cloud APIC, which allows you to define a custom cloud resources naming convention for all objects deployed from the Cloud APIC into the Azure cloud. You can define custom naming rules for all cloud resources during the first time setup wizard of the Cloud APIC, with the exception of the Resource group name used for the Cloud APIC ARM template deployment. The resource group name for the template is defined when you first deploy it and cannot be changed after. In addition to the global policy, you can also explicitly define the names of the cloud resources created from each Cloud APIC object using the REST API.
Starting with Cloud APIC Release 5.1(2), for Layer 4 to Layer 7 service deployments, you can provide custom names to cloud resources, such as, Network Load Balancers, Application Load Balancers and Device Application Security Groups.
Note |
Keep in mind that even with custom naming policy, once a cloud resource is created, you will not be able to modify the name. If you want to change the name of an existing cloud resource, you would need to delete all configured cloud resources and recreate them. Cloud resources to be deleted include overlay-2 CIDR and subnets, Cisco Cloud Services Router 1000Vs deployed by Cloud APIC and therefore IPSec tunnels from the CSRs to every remote site. |
When creating your cloud resources naming policy, you can use the following variables to dynamically define the name of the cloud resource based on the Cisco Cloud APIC objects:
${tenant} – the resource will include the name of the Tenant
${ctx} – the resource will include the name of the VRF
${ctxprofile} – the resources will include the cloud context profile, which is a VRF deployed in a given cloud region
${subnet} – the resource will include the string subnet followed by the subnet IP address
${app} – the resource will include the name of the application profile.
${epg} – the resource will include the name of the EPG.
${contract} – the resource will include the name of the contract
${region} – the resource will include the name of the cloud region
${priority} – the resource will include the name of the network security group (NSG) rule priority. This number is allocated automatically
to ensure that each NSG rule name is unique
${serviceType} – the resource will include an abbreviation of the service Type (only valid for private endpoint resources)
${resourceName} – the resource will include the name of the target resource (only valid for private endpoint resources)
${device} – the resource will include the name of the Layer 4 to Layer 7 device.
${interface} – the resource will include the name of the Layer 4 to Layer 7 device interface.
${deviceInterfaceDn} – the resource will include the DN of the Layer to Layer 7 device interface.
For private endpoints, the combination of the ${app}-${svcepg}-${subnet}-${serviceType}-${resourceName} makes the private endpoint name unique. Removing any of these variables might form a name of a private endpoint that already
exists. This would result in a fault raised by the Cisco Cloud APIC. Also, the max length requirements vary from Azure service to service.
When you define a global naming policy using one or more of the above variables, Cisco Cloud APIC validates the string to ensure that all mandatory variables are present and no invalid string is specified.
There is a maximum name length limit in Azure. If the length of the name exceeds the length supported by the cloud provider, it rejects the config and Cisco Cloud APIC raises a fault that the resource creation failed. You can then check the fault for details and correct the naming rules. The maximum length limits at the time of Cisco Cloud APIC, Release 5.0(2) are listed below, for the latest up-to-date information and any changes to the length limit, consult the Azure documentation.
The following table provides a summary of which cloud resources support each of the naming variables above. Cells denoted
with an asterisk (*) indicate variables that are mandatory for that type of cloud resource. Cells denoted with a plus sign (+) indicate that at least one of these variables is mandatory for that type of cloud resource; for example, for VNET resources
you can provide ${ctx}, or ${ctxprofile}, or both.
|
Azure Resource |
${tenant} |
${ctx} |
${ctxprofile} |
${subnet} |
${app} |
${epg} |
${contract} |
${region} |
${priority} |
|---|---|---|---|---|---|---|---|---|---|
|
Resource Group Max Length: 90 |
Yes* |
Yes* |
Yes* |
||||||
|
Virtual Network (VNET) Max Length: 64 |
Yes |
Yes+ |
Yes+ |
Yes |
|||||
|
Subnet Max Length: 80 |
Yes |
Yes |
Yes |
Yes* |
Yes |
||||
|
Application Security Group (ASG) Max Length: 80 |
Yes |
Yes* |
Yes* |
Yes |
|||||
|
Network Security Group (NSG) Max Length: 80 |
Yes |
Yes* |
Yes* |
Yes |
|||||
|
Network Security Group Rule Max Length: 80 |
Yes |
Yes |
Yes* (auto) |
|
Azure Resource |
${tenant} |
${region} |
${ctxprofile} |
${device} |
${interface} |
${deviceInterfaceDN} |
|---|---|---|---|---|---|---|
|
Internal Network Load Balancer Max Length: 80 |
Yes |
Yes |
Yes |
Yes* |
||
|
Internet-facing Network Load Balancer Max Length: 80 |
Yes |
Yes |
Yes |
Yes* |
||
|
Internal Application Load Balancer Max Length: 80 |
Yes |
Yes |
Yes |
Yes* |
||
|
Internet-facing Application Load Balancer Max Length: 80 |
Yes |
Yes |
Yes |
Yes* |
||
|
Device ASG Max Length: 80 |
Yes |
Yes |
Yes* |
Yes* |
Yes* |
When configuring custom rules for naming cloud resources, the following restrictions apply:
You define global naming policy during the Cloud APIC's first time setup using two sets of naming rules:
Hub Resource Naming Rules define names for the Hub Resource Group, Hub VNET, Overlay-1 CIDR, Overlay-2 CIDR subnet in the Infra Tenant, as well as the subnet prefixes for subnets that are created automatically by the system in the Infra tenant.
Cloud Resource Naming Rules define the names of the Network Security Group (NSG), Application Security Group (ASG), Network Load Balancer, Application Load Balancer, Device Application Security Group, and subnets you create in the Infra Tenant, as well as the names of all resources (Resource Groups, Virtual Networks, Subnets, NSG, ASG, Network Load Balancer, Application Load Balancer) in user Tenants.
After you define the naming rules, you will be required to review and confirm them. Keep in mind that you must confirm the naming rules before any cloud resources are deployed.
Once a cloud resource is created, its name cannot be changed and the naming policy cannot be updated in the GUI. If you upgrade your Cloud APIC to Release 5.0(2) with some resources already deployed in Azure, you will also not be able to change the global custom naming rules.
If you want to change the names of the existing cloud resources or the policy, you would need to delete the deployed resources before being able to update the global naming policy in the GUI.
In these cases you can use the REST API to explicitly assign custom names to any new resources you create.
When updating cloud resources naming via REST API, we recommend you do not import configuration at the same time.
We recommend you define any naming rules first. Then any tenant configuration.
We recommend that you do not change the naming policy after the tenant configuration is deployed.
You initially define the cloud resource naming rules in the Region Management part of the first time setup wizard when you deploy your Cloud APIC, which is described in the Cisco Cloud APIC Installation Guide. After the initial setup, you can view the rules you configured in the System Configuration screen of your Cloud APIC GUI as described in this section.
Note that the information in this screen is presented in read-only view and if you want to change the rules any time after the original deployment, you will need to re-run the first time setup wizard .
| Step 1 |
Log in to your Cloud APIC GUI. |
| Step 2 |
Navigate to the Cloud Resource Naming Rules screen.  |
Configuring Cisco Cloud APIC Using the REST API
There are two types of subscriptions: own and shared. Each subscription type has a primary tenant. You choose the own subscription when creating a new managed or unmanaged tenant. You choose the shared subscription when creating a tenant that inherits the managed or unmanaged settings of an existing primary tenant. This section demonstrates how to create a managed and unmanaged tenant with the own type of subscription and how to create a shared subscription.
This section demonstrates how to create a tenant using the REST API using sample POST requests from the body of Postman.
| Step 1 |
Create an own subscription. |
| Step 2 |
Create a shared subscription: |
This example demonstrates how to create a contract for the Cisco Cloud APIC using the REST API.
Create filters.
|
To create a contract: Example: |
This section demonstrates how to create a cloud context profile.
| Step 1 |
To create a basic cloud context profile: Example: |
| Step 2 |
To create a cloud context profile where you are adding a secondary VRF, CIDR, and subnet for a VNet: Example: |
This section demonstrates how to manage a cloud region using the REST API.
|
To create a cloud region: |
This section demonstrates how to create a filter using the REST API.
|
To create a filter: |
This section demonstrates how to create an application profile using the REST API.
Create a tenant.
|
To create an application profile: |
This example demonstrates how set the newer NSG-per-subnet configuration for your Cisco Cloud APIC using the REST API.
Review the information provided in Security Groups.
|
To set the NSG-per-subnet configuration for your Cisco Cloud APIC: Example: |
Use the procedures in this section to create an application EPG, an external EPG, or a service EPG using the REST API.
This example demonstrates how to create a cloud EPG using the REST API.
Create an application profile and a VRF.
|
To create a cloud EPG: Example: |
This example demonstrates how to create an external cloud EPG using the REST API.
Create an application profile and a VRF.
| Step 1 |
To create an external cloud EPG: Example: |
| Step 2 |
To create an external cloud EPG with type site-external: Example: |
This example demonstrates how to create a service EPG using the REST API.
Review the information in Cloud Service Endpoint Groups.
Create an application profile and a VRF.
| Step 1 |
To create a service EPG with a deployment type of Cloud Native: Example: |
| Step 2 |
To create a service EPG with a deployment type of Cloud Native Managed: Example: |
| Step 3 |
To create a service EPG with a deployment type of Third-Party: Example: |
This section demonstrates how to create a cloud template using the REST API. For more information about cloud templates, see About the Cloud Template.
|
To create a cloud template: |
This section provides an example REST API POST you can use to configure a global policy for naming your cloud resources or override a specific cloud resource's name.
Note |
To ensure that any custom naming conventions can be supported, cloud resource names can be defined on a per-object basis. These explicit name overrides are not available in the Cloud APIC GUI and can be done using REST API only. We recommend using the global cloud resource naming policy to define the names. Explicit name overrides shouldf be used only when naming requirements cannot be met using the global naming policy. |
| Step 1 |
To create Hub Resource Naming Rules: |
| Step 2 |
To create Cloud Resource Naming Rules: |
| Step 3 |
To override an Azure cloud resource name corresponding to a specific Cloud APIC object: You can use the same variables (for example, |
| Step 4 |
To override a Layer 4 to Layer 7 Azure cloud resource name corresponding to a specific Cloud APIC object: You can use the same variables (for example, Override policy for load balancer: Override policy for device ASG: |
).
Feedback