Chapter 15
Virtual Application Containers

The following Understanding Cisco Cloud Administration CLDADM (210-455) Exam Objectives are covered in this chapter:

✓ 1.3 Deploy virtual app containers

  • 1.3.a Provide basic support and troubleshoot app container with firewall, networking, and load balancer

Understanding and Deploying Virtual Application Containers

In this chapter, you will be introduced to Virtual Application Container Segmentation (VACS) services and learn how to create and manage them using the Cisco UCS Director application. A virtual application container (VAC) is defined as a logical construct composed of one or more network tiers that contain either virtualized or physical compute resources in a secured private network in a cloud data center that can be ordered, managed, and removed as a single entity.

Each application container is a group of virtual machines or bare-metal servers that contains a private internal network that is controlled by you and not the cloud service provider. The container is protected by security services that you define and manage. UCS Director allows you to create and manage container templates that can be stored, replicated, and offered in a catalog as a preconfigured option. UCS Director allows you to quickly deploy a complete container in the cloud and automatically configures all devices in the VACS service.

A good analogy to help you understand virtual application containers is to think of each VAC as the city or town you live in. The application container would be your city, with each IP subnet being a postal code. Routes can be thought of as roads, and if there are gates on the roads, those are like network access control lists. Servers and services in the container are like buildings, and security groups are much like a security guard in each building.

When migrating to a public, community, or hybrid cloud, security is always a primary concern. The hesitation to run your operations in the “wild west” is certainly understandable, and cloud service providers have taken many steps to make the transition safe, secure, reliable, and easy to manage. One common approach is to emulate your own personal data center inside the public, hybrid, and community cloud models.

What if you could cut out a section of the cloud that is exclusively for your own internal use? You would then have total control over the configuration, security, and management of this personal public cloud. This is what virtual application container services provide customers. VACS provides a secure environment in the cloud that is completely isolated from other users and services. You configure how all the devices in the container interact with each other and also with the outside world. Traffic entering and exiting the container is under your complete control. You define all virtual machines, storage options, and network services such as load balancing, DNS, subnetting, and firewall security rules in the container that you obtain from the cloud service provider. There is an almost endless array of services and options offered by the leading public cloud providers today that allow you to design and implement advanced containers quickly and at a reasonable cost.

Before going too far into the world of virtual application containers, you should know that the term container has multiple, and completely different, definitions in the cloud computing industry. You see, container is also a popular term for virtual compute resources that are isolated at the application level instead of at the server level with the traditional hypervisor model. In this context, a single operating system runs many applications that are isolated from each other even though they run on the same operating system instance. Another way of saying this is that containers are an alternative to the standard virtual machine deployments that run multiple virtualized isolated applications at the server operating system level. Examples and frameworks of containers on the market include Kubernetes, Docker, Lambda, and LXC. So, when you hear the term container, you will need to determine which definition is applicable.

There are also several different names given to creating a virtual private cloud. Cisco uses VACS, as covered in this chapter. The cloud offerings from Google and Amazon prefer to use the term virtual private cloud, or VPC for short. If you hear VPC, know that it is the same as VACS.

What Are Virtual Application Container Segmentation Services?

Cisco Virtual Application Container Segmentation services provide cloud segmentation services.

A VACS container provides a secure microsegmentation architecture that allows you to create a “private cloud inside of a public cloud.” You can provision VACS to have limited secure ingress and egress points, and then inside you can configure multiple zones and subnets for your deployed applications. Special services such as load balancing, firewalls, and applications such as databases can also be placed in your container.

The Cisco VACS framework consists of the following applications:

  • Automated provisioning and orchestration with the UCS Director
  • Load balancing with HA Proxy
  • Routing and edge firewall services with Cisco CSR 1000 V and Cisco ASAv
  • Zone-based firewalls with Cisco Virtual Security Gateway
  • Virtual fabric services with the Cisco Nexus 1000v platform for distributed firewalls

VACS features include unified licensing support and life-cycle management. The data throughput into and out of a VACS is up to 10 Gbps with full layer 3 routing supported.

Provisioning a complete compute block from the ground up can take a considerable amount of time, effort, and money in the enterprise. With VACS, configuration wizards are provided to assist with the creation of your application environment. Wizards help create your virtual networks and all of the security requirements between the segments. When the design template is completed, it can be published in the Cisco Prime Services Catalog for user and customer consumption. Containers ordered off of the Prime catalog menu allow for complete application-specific computing systems to be predesigned, standardized, and ready for repeated deployments. With cloud orchestration services, deployments can be live in just a few minutes as compared to many months when using the traditional enterprise data center business model.

The requirements to deploy VACS include the following:

  • Virtual Switch Update Manager (VSUM) application
  • Nexus 1000 V virtual switch module
  • Cisco Prime Network Services Controller
  • UCS Director application with support for VACS

VACS creates a logical data center that allows you to deploy all of your cloud-based assets into a private container where all services inside can be interconnected. This logically isolated section of the cloud is for your exclusive use where you can launch applications in a network that you define. Containers are easily customized for network and security configurations to meet your own needs and requirements.

VACS allows you to create a public-facing subnet for your web servers that have access to the Internet, and then you place your backend systems such as databases or application servers in a private subnet with no Internet access. Granular user access control policies, access control lists, and firewall policies can be created at interconnection points and services in the container.

You can leverage multiple layers of security, including zone-based firewall support, to help control access to the container and services in each subnet. The router allows for standard Cisco access control lists to be defined for network-based security. The VACS design allows for much better security over your cloud resources than the traditional cloud offerings of the past.
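The two-tier layout described above (public-facing web subnet, backend subnet with no Internet access, ACLs at the interconnection points), shown as an added CSR 1000v configuration example that is not from the book; the subnets, interface names and ports are constructed placeholders:

```cisco
! Constructed example: 10.10.1.0/24 = web tier, 10.10.2.0/24 = backend tier,
! 203.0.113.0/24 = container edge. Names and addresses are placeholders.
!
! Inbound from the Internet at the container edge: only HTTP/HTTPS to the
! web tier, plus replies to connections the web tier opened outbound.
! The backend subnet is never a permitted destination from outside.
ip access-list extended OUTSIDE-IN
 permit tcp any 10.10.1.0 0.0.0.255 eq 80
 permit tcp any 10.10.1.0 0.0.0.255 eq 443
 permit tcp any 10.10.1.0 0.0.0.255 established
 deny   ip any any log
!
! Traffic sourced by the web tier: the application port to the backend
! only, everything else toward the backend is dropped and logged, and the
! web tier keeps its Internet access for updates and DNS.
ip access-list extended WEB-TIER-IN
 permit tcp 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 eq 3306
 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log
 permit ip 10.10.1.0 0.0.0.255 any
 deny   ip any any log
!
! Traffic sourced by the backend tier: replies to the web tier's database
! sessions only. No rule permits the backend to reach the Internet.
ip access-list extended BACKEND-IN
 permit tcp 10.10.2.0 0.0.0.255 eq 3306 10.10.1.0 0.0.0.255 established
 deny   ip any any log
!
interface GigabitEthernet1
 description Container ingress/egress point
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet2
 description Public-facing web tier
 ip address 10.10.1.1 255.255.255.0
 ip access-group WEB-TIER-IN in
!
interface GigabitEthernet3
 description Private backend tier (no Internet access)
 ip address 10.10.2.1 255.255.255.0
 ip access-group BACKEND-IN in
!
! Troubleshooting check: the "log" entries and per-line hit counters show
! which rule is dropping a flow when a tier cannot reach another.
! show access-lists
! show ip interface GigabitEthernet3 | include access list
```

The explicit `deny ... log` lines at the end of each list are what make the container's isolation observable: a hit counter climbing on one of them is the first thing to check when a tier reports it cannot reach a service.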

Using Virtual Application Containers

VLAN access control lists (VACLs) offer the advantage of a reference design that can be quickly deployed in the cloud.

VACL services are often prepackaged based on approved designs. Each application model can be engineered by your organization to meet all corporate governance requirements, governmental compliance laws, performance, security, storage, and network access requirements. All of these requirements can be included in a reference design that is then offered as a supported service to your end users. This allows for ongoing support to be more streamlined since all designs are approved designs that have been prepackaged.

Application container templates are created to allow for easy replication of VACS containers. These templates can serve as a reference design and can also be cloned and modified to create containers with different requirements.

The following elements are created and defined when working with templates:

  • Virtual account (cloud)
  • Network configuration information
  • Virtual machine configuration details
  • Security information for the container
  • Gateway router policy (This is optional.)
  • Any options for services and end-user needs

Deploying Containers

The Cisco UCS Director application introduced in Chapter 13 is your primary management application to create and deploy virtual application containers in the intercloud. The VACS management area in UCS Director allows users to create, deploy, and manage groups of cloud services, such as virtual machines that are grouped into a single logical management entity. Each container can be designed for multiple tiers of applications as is commonly found in public cloud designs. UCS Director allows you to create a virtual data center that you have complete control over. Even though you are using the shared resources of a cloud data center, containers allow you to isolate your operations from the other cloud consumers.

There are different container types offered based on different use cases. UCS Director offers the following container types:

  • Application Centric Infrastructure Controller (APIC), used for Cisco ACI APIC deployments
  • Fabric, used in Dynamic Fabric Automation (DFA) networks
  • Fenced virtual containers, for use with virtual machines and the most common of the container types
  • Virtual application container service, specific to UCS Director VACS application subsystem deployments with the VACS modules installed in UCS Director

After a virtual application container has been deployed, the UCS Director application allows for the addition and deletion of objects inside the container. As such, container configurations are not static and can evolve based on user requirements, allowing you to make modifications to containers even after they have been deployed and are live.

Supporting and Troubleshooting Virtual App Containers

The container administrator has management control over the containers to perform different operations such as the ability to add virtual machines as required. Templates can be deleted, cloned, and modified to allow new containers to be defined based on newly created templates.

Firewalls

There are a range of firewall options to choose from when creating a container, such as the virtualized Cisco Application Security Appliance (ASAv). After the container has been deployed, you can add and modify firewall policies as required to support your ongoing operations through the UCS Director management portal.

Networking

VACS support includes all of the advanced capabilities of the Cisco CSR 1000v router, which has the same software features as the hardware-based CSR series. Full layer 3 routing support is a requirement to route traffic inside the container and to and from it. Network-based access control lists can also be implemented in the CSR 1000v.

The management portal supports ERSPAN, which is a method of tapping into a data flow and attaching network test equipment such as analyzers to the VACS for troubleshooting.

Load Balancers

UCS Director implements the load balancer offering from F5 Systems in the fenced virtual application container. F5 is a leading server load balancing vendor that offers virtualized versions of its hardware-based products. Server load balancing allows for the distribution of traffic across multiple virtual servers and allows for high availability, resiliency, scalability, and the efficient utilization of server resources.

UCS Director defines the load balancing algorithm policies such as sending incoming connection requests to a pool of servers via round robin, least connections, fastest response, or weighted preferences.

UCS Director allows you to create and manage all F5 operations in the container including the following:

  • Allocation of resources
  • Network provisioning
  • VM provisioning
  • Resync container
  • Container gateway configuration
  • F5 load balancer–specific configurations

Once the F5 load balancer has been deployed in a container, the network administrator can use all the management tools provided by F5 to manage it. The topics of configuration, management, and support of F5 load balancers are beyond the scope of the CCNA Cloud exam and this book.

Power Management

Power management in the VACS can be controlled by the administrator as well. When a container is powered off, all configuration information and interconnections are maintained and restored when the container power is restored.

Monitoring

Each container creates its own set of log files and can provide custom reports for maintenance, benchmark analysis, billing, and many other uses. The UCSD management portal can be used to monitor your deployed VACS.

Summary

In this chapter, you learned about VACS and that the services are used to create a virtual private cloud in a public or shared computing environment.

Containers have two definitions in the industry; for virtual application containers, containers are the complete set of application, compute, storage, networking, and security services in one isolated package that you have administrative control over. You learned that the Cisco UCS Director management application is used to create the containers.

VACS templates can be created that allow for a standardized offering to be published in the Prime Services Catalog for customers to order and deploy. Templates of containers are created for ease of use and replications; a template can be created, cloned, and modified to offer new container designs.

The primary container types in UCS Director are Application Policy Infrastructure Controller (APIC) that is used for Cisco Application Centric Infrastructure ACI APIC deployments, Fabric used in Dynamic Fabric Automation (DFA) networks, fenced virtual containers that are the most common in that they support virtual machines types, and also VACS services that are specific to UCS Director.

When VACS templates are defined, there are many elements that are created and defined, including a virtual cloud account, network configuration information, VM configuration details, security information for the container, gateway router policies, and other options for services and end-user needs.

To create and deploy a VACS service, the following modules are required: the virtual switch update manager application, the Nexus 1000 V Virtual Switch Module, the Cisco Prime Network Services Controller, and the UCS Director application with support for VACS.

Finally, you learned about supporting and troubleshooting options for containers that included firewalls, networking, load balancers, power management, and monitoring.

Exam Essentials

Know that the most common container type is the fenced container that allows VMs to be defined in them. The other UCS Director container types are APIC, Dynamic Fabric Automation (DFA), and standard VACS services created with the UCSD VACS software plug-in module.

Be able to list the applications that are used to create a virtual application container. The Cisco applications that are used in the VACS framework are the UCS Director, load balancing VMs, the CSR 1000V virtual router, zone-based firewalls such as the ASAv and the Cisco Virtual Security Gateway, and the virtual fabric services provided by the Nexus 1000v platform.

Understand the defined elements needed when creating a container. The configuration elements needed when creating a VACS service include a virtual account, the network configuration information, the virtual machine configuration details, the security information, the router gateway policy, and any additional options for services and end-user needs.

Written Lab

Fill in the blanks for the questions provided in the written lab. You can find the answers to the written labs in Appendix B.

  1. The virtualized load balancer in a fenced VACS is developed by _______.

  2. A _______ container includes virtual machines.

  3. Preconfigured containers that are approved for reuse are published in the _______ _______ _______ for end-user access and deployment.

  4. A _______ container can be created for ACI deployments.

  5. VACS emulates a _______ cloud in the public cloud.

  6. _______ _______ are the VACS container type that supports DFA networks.

  7. The UCS Director _______ _______ feature allows VMs to be cycled without losing the current configuration.

  8. The UCS Director _______ feature allows the creation of log files, benchmarking analysis, maintenance reporting, billing features, and many other options.

  9. It is a common VACS design to configure web servers to be _______ _______ with public IP addresses and be referenced by the DNS system.

  10. What UCS Director container type supports Cisco automating networking operations?

Review Questions

The following questions are designed to test your understanding of this chapter’s material. You can find the answers to the questions in Appendix A. For more information on how to obtain additional questions, please see this book’s Introduction.

  1. VACS eliminates the need for transparent isolation between cloud consumers.

    1. True
    2. False
  2. Containers are designed to be accessible by all users of a public cloud.

    1. True
    2. False
  3. VACS prepackaged designs are offered using which application feature?

    1. UCSD
    2. APIC
    3. Templates
    4. Playbooks
  4. What is Cisco’s cloud offering that allows for a logical construct for private deployments in a public cloud?

    1. VPC
    2. VACS
    3. APIC
    4. UCSD
  5. VACS emulates what type of cloud offering?

    1. Hybrid
    2. Public
    3. Private
    4. Community
  6. VACS layer 2 switching services are provided by which Cisco product?

    1. UCSD
    2. APIC
    3. VSM 1000v
    4. CSR 1000v
  7. What are elements that are configured when creating a VACS template? (Choose three.)

    1. VM configurations
    2. Security configurations
    3. User confederations
    4. Network configuration
    5. Schema tables and columns
  8. VACS lifecycle management support is included within which Cisco intercloud management application?

    1. VSUM
    2. CUCM
    3. APIC
    4. UCSD
  9. Unified licensing support is provided by which Cisco product?

    1. CULM plug-in
    2. APIC
    3. UCSD
    4. F5 ULAM
  10. Approved containers are published for public use and deployment using which Cisco service?

    1. UCS storefront
    2. HEAT
    3. Prime Services Catalog
    4. Cisco user portal
  11. What is the status of virtual machines when a container is powered off?

    1. All service configurations are deleted.
    2. VMs are removed from the container.
    3. Storage volumes connected to the root of VMs are flushed.
    4. All configurations are maintained, and the VMs can be powered up at a later time.
  12. What Cisco products are required when creating a container? (Choose three.)

    1. APIC
    2. Intercloud Director
    3. UCS Manager
    4. Nexus 1000v VSM
    5. Prime services catalog controller
    6. VSUM
  13. The fenced virtual application controller includes a load balancer from which vendor?

    1. Citrix
    2. Cisco
    3. Juniper
    4. F5
  14. What Cisco firewall product is available for VACS?

    1. NetScaler
    2. Local Director
    3. ASAv
    4. Alteon
    5. Arrowpoint
  15. UCS Director supports which fenced firewall solution? (Choose three.)

    1. Linux
    2. Palo Alto
    3. F5
    4. ASAv
    5. Virtual Security Gateway
  16. UCS Director supports the addition and deletion of VMs after the container has been deployed.

    1. True
    2. False
  17. UCS Director supports the following container types? (Choose five.)

    1. APIC
    2. Lambda
    3. Kubernetes
    4. LXE
    5. Fabric
    6. VACS
    7. Fenced virtual
    8. Virtual security
  18. A container cannot be modified after deployment without first disabling all components.

    1. True
    2. False
  19. Virtual application containers eliminate the microsegmentation requirements.

    1. True
    2. False
  20. ACLs can be applied to interfaces on which product?

    1. UCSD
    2. APIC
    3. CSR 1000v
    4. VACS