Cloud ACI 5.2: Azure Brownfield Integration with ACI Fabric

If you already have resources deployed in Azure, you can now connect your brownfield vNETS to the Azure cAPIC vNETs using vNET Peering.  This means your connectivity from ACI Fabric vNETS to the brownfield vNETS can go over Azure’s backbone directly.  Security Policies can be attached for this connectivity based on requirements.

You can follow this guide and which will guide you step by step on the steps involved to Integrate ACI Brownfield on Azure to the ACI Fabric Tenant.  For this Proof Of Concept lab, please use a Azure subscription where you have cAPIC 5.2 already installed.  If you need to install cAPIC 5.2 ACI fabric, please see the previous article Cloud ACI 5.2: Interconnecting ACI Fabrics Over Cloud Provider’s Backbone at High Speed for both AWS and Azure

For this lab, we will first spin up a simple brownfield environment in the same Azure subscription that has your Azure ACI Fabric.  Instead of doing this by hand, we will use Terraform to quickly spin up a brownfield environment in Azure.
Note:  The terraform script that you will download and install was written by me for a bootcamp I conducted for Cloud ACI.  This will create Azure Resource Group, vNets, spin up a Ubuntu VM, install docker and spin up a Radius container.   In this lab we will not use the Radius Server, but rather just double up on the brownfield environment.

Figure 1: Lets spin up the brownfield environment

If you already have Terraform installed and the environment setup, you can just download the Terraform script and start from there.  If not, the below will guide you through doing this quickly (few minutes).

The first thing you will need to do is create the proper environment parameters so Terraform can authenticate to your Azure subscription.  For this you will need to create a Service Principal with contributor role to the azure subscription.   Let’s do this quickly using azure cli on your local MAC or Ubuntu machine.

If you don't have Azure CLI installed, you can do this with the commands shown below:
mac: brew update && brew install azure-cli
ubuntu: curl -sL | sudo bash
  • Now login to your azure account using Azure CLI:
    az login

Your default web browser will open up and you can authenticate from the browser

Figure 2: Logging into Azure subscription using azure cli
  • Now, choose the correct subscription where your cAPIC is installed:
    az account set -s <subscription_ID>  #Make sure to choose one of the subscriptions where you installed cAPIC 5.2
  • Verify that you have selected the correct subscription:
    az account show
Figure 3: from azure cli, choose correct subscription and verify
  • Now create your Azure Service Principal and give it Contributor role to the subscription:
    az ad sp create-for-rbac --name terraformSP --role Contributor
Figure 4: Creating the Azure Service Principal
  • Use the output of the Service Principal creation command to populate the fields below.  I suggest copying the below to a text file and filling in the parameters:

cat > sourceMeTF << EOF
#  Please populate and then source this file
export ARM_CLIENT_ID=<The AppId you got>
export ARM_CLIENT_SECRET=<password you got>
export ARM_TENANT_ID=<Your Tenant Id>
export ARM_SUBSCRIPTION_ID=<Your Subscription ID>  # az account show to get this

As an example, my modified text file looks like below which I copied and pasted to my local terminal:

Figure 5: example in my case on modifying text file and pasting to my local terminal
  • Source the file to set the Terraform environments:
    source ./sourceMeTF
Figure 6: Sourcing the environment file
Figure 7: Copying the link to terraform code
  • On your local MAC or Ubuntu,  create a temporary directory and use curl or wget to get the code using the copied link:
    curl -O <the copied link>
Figure 8: using curl or wget to download the code
  • Unzip the zipped code and then move it to /usr/local/bin:
    sudo mv terraform /usr/local/bin
Figure 9: Unzipping and moving to /usr/local/bin
  • Now verify the terraform version:
    terraform --version
Figure 10: Verifying the terraform version

Now you are done with installing Terraform and creating the correct environment for the Azure Subscription.  All you have to do now is download the script from my git repo and run it to create the brownfield environment in that Azure subscription.  First create a directory where you will download and run the script from:
cd .. ; mkdir myTF && cd myTF

Figure 11: Creating a working directory to run the Terraform script

Now, clone the terraform script and run the script:

Figure 12: Running the Terraform script to spin up brownfield in Azure

Note:  When you are all done with the lab, you can delete the brownfield with the “terraform destroy” command.

ssh into the Ubuntu Instance spun up on your Azure environment to verify that it’s up and running:
ssh -i sshPrivKeyName azureuser@<VM_PUBLIC_IP>

Figure 13: ssh to the Ubuntu VM spun up

Your brownfield environment is now spun up and a VM is running on it.  Follow the below diagram from Azure UI to take a look at the evironment

Figure 14: Looking at the Azure brownfield environment from Azure UI

There are a few Items that you need to keep in mind:

  • These are the set of the things which cAPIC won’t do on these Unmanaged Resource Groups. It is the responsibility of the Unmanaged vNet owner to create all these policies and apply them.
  • cAPIC will not create the Route Tables with the UDRs pointing to the Infra NLB based on the contracts with Greenfield EPGs.
  • cAPIC will not create any NSGs and ASGs in these Unmanaged Resource Groups.
  • There is no Endpoint discovery done for the endpoints in these Unmanaged Resource Groups
  • In 5.2 release, tag-based EP selector is not supported for EPGs in these Unmanaged Resource Groups
  • Unmanaged vNet can present anywhere, i.e in the same subscription or different subscription in the same AD or different AD all together. User should also have a service principal associated to this unmanaged subscription which has the read permissions on various resources.
  • If an unmanaged vNet is present in a different subscription, then a new tenant has to be created.
  • This new account created under the unmanaged tenant will also have a relation to read-only policy which will not trigger the creation of Event Collection/Stat Collection Resources on these subscriptions. Only the inventory pull will be done for these subscriptions.
  • Once this is done, user need to create the Cloud Context Profile corresponding to the brownfield VNET.

Now that we understand the basics, let’s review the steps that are needed to complete the integration:

Summary of Steps at a Glance:

1) Create a ACI Tenant “myACITenant”  in your fabric, create vNet ”myvNet1” with vNet Peering and an EPG  “myEPG1”
   don’t bother about IGW (Internet Connectivity),  we’ll use the Azure Serial Console to jump to the VM spun up in the EPG
2) Spin up a ubuntu VM “myUbuntu1” on your “myEPG1”
3) From cAPIC create a VRF  “aciBootcampVRF” and Import existing brownfield Vnet “aciBootcampVnet” and CIDR, turn vNET Peering on.  This will create vNet Peering from overlay-1 to Brownfield vNet
4) From Azure CLI, manually create the reverse side of vNet Peering – Brownfield vNET to overlay-1 vNET
5) Create EPG “BrownFieldEPG” in the brownfield VRF “aciBootcampVRF”.  EPG selector has to be Subnet Based
6) Create Contract between ACI EPG “myEPG1” and Brownfield EPG “BrownFieldEPG”
7) Create UDRs (static routes) in the Brownfield environment
            UDR in the ACI environment is created by cAPIC automatically
8) Create NSG (Security Policy) in the brownfield Environment
          NSG in the ACI environment is created by cAPIC automatically

Figure 14a: Let’s start implementing Step 1 & 2
Figure 15: Implementing Step 1 and 2
Figure 16: Create the ACI Tenant and Cloud Context Profile
Figure 17: Details of CIDR
Figure 18: Creating the Application Profile
Figure 19: Creating the EPG
Fibure 20: Spin up the VM from Azure UI and verify that the Endpoint is visible from cAPIC
Figure 21: From Azure UI console into the VM you spun up in ACI environment
Figure 22: Verifying vpc Peerig from Azure UI and cAPIC
Figure 23: Let’s Start Implementing: Step 3
Figure 24: Create VRF in ACI environment for brownfield
Figure 25: Importing the brownfield vNET ionto ACI VRF you created
Fibure 26: Importing the brown vNET continued…
Figure 27: Selecting the CIDR to import from brownfield vNET
Figure 28: Checking the CTX you just created
Figure 29: Observig the details of the brownfield CTX from cAPIC
Figure 30: Observing the details of the VRF from cAPIC
Figure 31: Observing the vNET Peering from overlay-1 vNET (from Azure UI)
Figure 32: Observing the VRF that got created in CSR routers
Figure 33: Let’s Start Implementing Step 4
Figure 34: Step 4, manually creating vNET Peering from brownfield vNET to overlay-1 cAPIC vNET
Figure 35: manually create revers vNET Peering contiued…
Figure 36: Verifying the completed vNET Peering from Azure UI (from both vNETs)
Figure 37: The state of the implementation now
Figure 38: Let’s Start Implementing Step 5
Figure 39: Creating the brownfield EPG and IP based selector
Figure 40: Let’s Start Implementing, Step 6
Figure 41: Using the common/default filter for the contract in this example
Figure 42: Associatig the contract between the browfield EPG and ACI Native EPG
Figure 43: Observing the routes for brownfield subnet in CSRs
Figure 44: making sense of how the brownfild bgp prefixes are learnt on CSR
Figure 45: Let’s start implementing Step 7
Figure 46: Observing the automatically created UDRs in ACI Tenant for Brownfild vNET
Figure 47: Verifying that the next hop of the UDR is the front end of the Infra Load Balancer
Figure 48: Manually creating the UDR in the brownfield vNET
Figure 49: Associating the UDR to the subnet of the Brownfield vNET
Figure 50: Let’s Start Implementing, Step 8
Figure 51: Verifying the automatically created NSG inbound rules in ACI environment
Figure 52: Verifying the automatically created NSG outbound rules in ACI environment
Figure 53: Creating NSG inbound rule in brownfield environment
Figure 54: Creating NSG outbound rule in brownfield environment
Figure 55: Verifying the created rules for the NSG
Figure 56: ping test from ACI VM to brownfield VM (private IP)
Figure 57: Note: Brownfield Endpoints don’t show up in cAPIC as endpoints

Conclusion:    This writeup gives a demonstration on how to integrate an existing Azure brownfield environment to ACI / Azure Fabric Tenant

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.