An Application Network Profile (ANP) is the logical foundation of ACI. Application profiles describe the network segments themselves and define the interaction policies between them. An ANP lets you abstract away from the physical layer and design the communication between segments from the application's point of view rather than from the switch port's.
An application profile consists of Endpoint Groups (EPGs). An EPG is a logical group of hosts (virtual machines, physical servers, containers, etc.) that belong to the same security segment: the grouping is by security policy, not by IP network. Which endpoints belong to a particular EPG can be determined by many criteria. The following are commonly used:
Physical port
Logical port (port group on the virtual switch)
VLAN ID or VXLAN VNID
IP address or IP subnet
Server attributes (name, location, OS version, etc.)
Communication between EPGs is governed by an entity called a contract. A contract defines the relationship between EPGs; in other words, it specifies which service one EPG provides to another. For example, we create a contract that permits HTTPS traffic. We then attach this contract to EPG Web (the group of web servers) as the consumer and to EPG App (the group of application servers) as the provider, after which these two endpoint groups can exchange traffic over HTTPS and nothing else.
The figure below shows an example of several EPGs communicating through contracts within a single ANP.
There can be any number of application profiles within an ACI fabric. Contracts are not tied to a specific application profile; they can (and should) be reused to connect EPGs that live in different ANPs.
In practice, every application that needs the network in one form or another is described by its own profile. For example, the diagram above shows the standard architecture of a three-tier application, consisting of some number of externally reachable web servers (Web), application servers (App) and database servers (DB), together with the rules for interaction between them. In a traditional network infrastructure this would be a set of rules spread across many devices (switch ACLs, firewall policies, router ACLs). In the ACI architecture we describe these rules within a single application profile, which greatly simplifies creating and maintaining a large number of settings on many devices by grouping them into one object.
The figure below shows a more realistic example: a Microsoft Exchange application profile built from several EPGs and contracts.
Centralized management, automation and monitoring are among the key benefits of ACI. The ACI fabric relieves administrators of the routine of creating large numbers of rules on individual switches, routers and firewalls (the classic per-device manual configuration is still available and can be used). Settings for application profiles and other ACI objects are applied automatically throughout the fabric. Even when servers are physically moved to other ports of the fabric switches, there is no need to copy the settings from the old switches to the new ones and clean up rules that are no longer needed: based on the criteria that map the host to its EPG, the fabric programs the required rules on the new leaf automatically and withdraws the rules that are no longer used on the old one.
The security policies built into ACI follow the whitelist principle: whatever is not explicitly permitted by a contract is denied by default. Together with automatic updating of the switch configuration (removal of "forgotten" unused rules and permissions), this approach significantly raises the overall level of network security and narrows the potential attack surface. Two caveats a practitioner should keep in mind: the default deny applies between EPGs, while traffic within a single EPG is permitted unless intra-EPG isolation is configured; and broad constructs such as vzAny or the preferred group deliberately widen access and should be reviewed as carefully as any firewall "any/any" rule.
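To make the contract and whitelist semantics from the previous paragraphs concrete, here is an added example (not code from the original post, and not Cisco's own tooling) that models the three-tier Web/App/DB profile in Python. It does two things: it evaluates flows against the consumer/provider contract relationships with default-deny semantics, and it renders the same profile as the nested JSON object tree that an APIC accepts on its REST API (class names such as fvTenant, fvAp, fvAEPg, vzBrCP, vzFilter and vzEntry follow the public APIC schema; the tenant name "demo", the bridge domain "bd1" and the database port 1433 are assumptions). The policy check is a simplified model: it covers only the initiating direction from consumer to provider and ignores vzAny, preferred groups, contract scope and intra-EPG isolation.

```python
"""Added example: a three-tier ACI application profile with contracts,
a default-deny flow check, and rendering as an APIC-style JSON tree."""
import json
from dataclasses import dataclass, field


@dataclass
class Filter:
    name: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port matched by the filter entry


@dataclass
class Contract:
    name: str
    filters: list  # list[Filter]


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)  # contract names this EPG provides
    consumes: set = field(default_factory=set)  # contract names this EPG consumes


@dataclass
class AppProfile:
    name: str
    epgs: dict       # name -> EPG
    contracts: dict  # name -> Contract


def three_tier_profile():
    """Web consumes HTTPS from App; App consumes SQL from DB (port 1433 assumed)."""
    https = Contract("web-to-app", [Filter("https", "tcp", 443)])
    sql = Contract("app-to-db", [Filter("mssql", "tcp", 1433)])
    web = EPG("Web", consumes={"web-to-app"})
    app = EPG("App", provides={"web-to-app"}, consumes={"app-to-db"})
    db = EPG("DB", provides={"app-to-db"})
    return AppProfile("three-tier",
                      {e.name: e for e in (web, app, db)},
                      {c.name: c for c in (https, sql)})


def is_allowed(ap, src, dst, proto, dport):
    """Whitelist check: a flow from src EPG to dst EPG is permitted only if dst
    provides a contract that src consumes and one of its filters matches.
    Everything else is denied; no explicit deny rule is ever needed.
    Intra-EPG traffic is allowed here (isolation is not modelled)."""
    if src == dst:
        return True
    s, d = ap.epgs[src], ap.epgs[dst]
    for cname in s.consumes & d.provides:
        for f in ap.contracts[cname].filters:
            if f.proto == proto and f.dport == dport:
                return True
    return False


def to_apic_json(ap, tenant="demo", bd="bd1"):
    """Render the profile as an APIC object tree: fvTenant > (vzFilter, vzBrCP,
    fvAp > fvAEPg). Tenant and bridge-domain names are assumptions."""
    filters, contracts = {}, []
    for c in ap.contracts.values():
        for f in c.filters:  # one vzFilter per distinct filter name
            filters[f.name] = {"vzFilter": {"attributes": {"name": f.name}, "children": [
                {"vzEntry": {"attributes": {
                    "name": f"{f.proto}-{f.dport}", "etherT": "ip", "prot": f.proto,
                    "dFromPort": str(f.dport), "dToPort": str(f.dport)}}}]}}
        contracts.append({"vzBrCP": {"attributes": {"name": c.name}, "children": [
            {"vzSubj": {"attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f.name}}}
                for f in c.filters]}}]}})
    epgs = []
    for e in ap.epgs.values():
        children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
        children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": n}}} for n in sorted(e.provides)]
        children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": n}}} for n in sorted(e.consumes)]
        epgs.append({"fvAEPg": {"attributes": {"name": e.name}, "children": children}})
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": list(filters.values()) + contracts
                         + [{"fvAp": {"attributes": {"name": ap.name}, "children": epgs}}]}}


if __name__ == "__main__":
    ap = three_tier_profile()
    for flow in [("Web", "App", "tcp", 443), ("Web", "App", "tcp", 80),
                 ("Web", "DB", "tcp", 1433), ("App", "DB", "tcp", 1433)]:
        print(flow, "ALLOW" if is_allowed(ap, *flow) else "DENY (default)")
    print(json.dumps(to_apic_json(ap), indent=1))
```

The flow table printed by the block is the point of the whitelist model: Web to App on 443 is the only thing the first contract permits, so Web to App on 80 and Web directly to DB are dropped without anyone writing a deny rule. The JSON tree is what you would POST to /api/mo/uni.json on an APIC to create the tenant, filters, contracts and profile in one call.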
ACI lets you build connectivity not only between virtual machines and containers, but also between physical servers, hardware firewalls and third-party network equipment, which makes it a distinctive solution at the moment.
Cisco's approach to building a data network around application logic is not only about automation, security and centralized management. It also delivers a horizontally scalable fabric suited to the requirements of a modern business.
Implementing an ACI-based network infrastructure lets all departments of the enterprise speak the same language. The administrator works only with the logic of the application, which describes the required rules and communications, and that same application logic is what the application's owners and developers, the information security team, finance and the business owners reason about.