Cloud Network Controller (previously cAPIC) Access Policies

Table of Contents:

  1. Introduction
  2. Access Policy Details
    2.a. Global Level Access Policies
    2.b. Account/Tenant Level Access Policies
    2.c. VPC Level Access Policies
    2.d. Subnet Level Access Policies
  3. References

Introduction

This writeup will explain the purpose of Access Policies, introduced in cAPIC release 25.0.4. If you recall, I had written an article previously on Cloud ACI 25.0.2 AWS Brownfield Integration to Cloud ACI Fabric on AWS.
At that time Brownfield Integration involved doing some manual configuration from the AWS console for the integration. The manual configurations needed were all on the brownfield side. That is because we treated the brownfield VPC as an unmanaged VPC from the viewpoint of cAPIC. The manual configurations needed were as follows:

  • create TGW attachments from brownfield vpc to Infra VPC TGW
  • add static routes on brownfield vpc for ACI managed VPC prefix destinations, with NH pointing to Infra TGW
  • Configure Proper Security Group Rules in AWS for brownfield VPCs

From release 25.0.4 onwards the entire brownfield configuration, including the items listed above, can be configured directly from cAPIC if desired. However, if you want to keep the brownfield VPCs in unmanaged mode, that is still an option.

To make the options possible a new concept of "Access Policies" has been implemented in cAPIC.

The options available for Access Policies are:

  • Routing & Security (the default policy)
  • Routing-only
  • Read-only (same as the previous unmanaged mode available before)

The Cisco CCO documentation, Importing Existing Brownfield AWS Cloud VPCs Into Cisco Cloud APIC, has the following section on When You Might Use Different Access Policies:
Following are several use cases where you might use different access policies:

  • Gradual migration of brownfield resources: Assume that you have an existing brownfield VPC with a number of subnets and you want to migrate one subnet, leaving the remaining subnets untouched. You could accomplish this task using access policies in the following manner:
    • Assign a Routing & Security access policy for the one subnet that you want to migrate.
    • Assign a Read Only access policy for the remaining subnets that you want to leave untouched.
  • Granular control over what the Cisco Cloud APIC does to the cloud resources: Using different access policies, you can have Cisco Cloud APIC-managed resources and brownfield resources co-existing in the same VPC.
    • For example, assigning a Routing Only access policy at any level means that you are entirely in control of the network at that level. Conversely, assigning a Routing & Security access policy at any level means that the Cisco Cloud APIC controls the Routing & Security at that level.
  • Having brownfield and greenfield VPCs co-exist in Cisco Cloud APIC fabric: When importing a brownfield VPC into Cisco Cloud APIC, that brownfield VPC is able to co-exist with Cisco Cloud APIC-created and managed VPCs by using different access policies.
  • Determining overall functionality of Cisco Cloud APIC: For example, you might want to use the Cisco Cloud APIC only for routing and have the security policy managed outside of Cisco Cloud APIC. In that case, you would assign a Routing Only access policy at the Cisco Cloud APIC level.

📙 All screenshots shown in this article will be using cAPIC release 25.0.5k. Incidentally, from release 25.0.5, cAPIC has been renamed to CNC (Cisco Network Controller).
Figure 1: Cisco Network Controller

Access Policy Details

The meanings of the access policies are as follows:

  • Routing & Security: Assigning a Routing & Security access policy to a cloud context profile means that it has full permissions, where it is able to control routing and security.
  • Routing-Only: Assigning a routing-only access policy to a cloud context profile means that it can control only the routing policy and the network connectivity.
  • Read-Only: Assigning a read-only access policy to a cloud context profile means that it does not have write permissions and can only read the inventory.

The access policies can be configured at various levels to enable more granularity. There are 4 different places where access policies can be configured.

  • Global Level
  • Account/Tenant Level
  • VPC Level
  • Subnet Level

Global Level Access Policies

  • Routing & Security: The default access policy. If you do not assign an access policy to the Cisco Cloud APIC, then the Cisco Cloud APIC has the Routing and Security access policy applied to it by default. Assigning a Routing and Security access policy to a Cisco Cloud APIC means that it has full permissions, where it is able to control routing and security.
  • Routing Only: Assigning a routing-only access policy to a Cisco Cloud APIC means that it can control only the routing policy and the network connectivity.
  • Read Only: Not available in Global Level Policy

To configure Global Level Policies, you need to go to CNC Initial setup and click on Cloud Network Controller setup as shown below.
Figure 2: CNC Initial Setup

Next, edit the configuration for Advanced Settings
Figure 3: Edit Advanced Settings

As you can see below, you can choose the Global configuration from two choices:

  • Routing & Security (the default policy)
  • Routing Only

Figure 4: Advanced Settings Global Policy Options

Account/Tenant Level Access Policies

  • Routing & Security: Assigning a Routing & Security access policy to an account/tenant means that it has full permissions, where it is able to control routing and security.
  • Routing Only: Assigning a routing-only access policy to an account/tenant means that it can control only the routing policy and the network connectivity.
  • Read Only: The existing access policy that was available prior to release 25.0(4). Assigning a read-only access policy to an account/tenant means that it does not have write permissions and can only read the inventory.

📙 Keep in mind that the access policies available to you at the account/tenant level are based on the access policy that was assigned at the parent level (in this case, at the global level). For example, if the access policy at the parent global level is set to Routing Only, then you will only see Routing Only and Read Only as options at the child account/tenant level, because the access policy at the child level cannot be less restrictive (cannot grant more permissions) than the access policy at the parent level.

Account/Tenant Level Policies can be configured from Advanced Settings of the Tenant as shown below.
Figure 5: Configuring Account/Tenant Level Policies

VPC Level Access Policies

VPC Level Policy is configured at the Cloud Context Profile.

  • Routing & Security: Assigning a Routing & Security access policy to a cloud context profile means that it has full permissions, where it is able to control routing and security.
  • Routing Only: Assigning a routing-only access policy to a cloud context profile means that it can control only the routing policy and the network connectivity.
  • Read Only: Assigning a read-only access policy to a cloud context profile means that it does not have write permissions and can only read the inventory.

📙 Keep in mind that the access policies available to you at the VPC (cloud context profile) level are based on the access policy that was assigned at the parent level (in this case, at the account/tenant level). For example, if the access policy at the parent account/tenant level is set to Read Only, then you will only see Read Only as an option at the child VPC (cloud context profile) level, because the access policy at the child level cannot be less restrictive (cannot grant more permissions) than the access policy at the parent level.
⚠️ Read Only Access Policy is only available for Brownfield imported VPCs

VPC Level Access Policy can be configured from the Cloud Context Profile of CNC as shown below.
Figure 6: VPC Level Access Policy Configuration

Subnet Level Access Policies

  • Access policies applied at the subnet level (the cloudSubnet level) apply to all resources under that subnet. All objects under the subnet automatically inherit the access policy applied at the subnet level.
  • Assigning an access policy at the subnet level affects the following resources under that subnet:
    • Association of the subnet to the given routing table
    • Association of the subnet to the NSG or the endpoints in that subnet that are associated with that security group

📙 The subnet associations of the brownfield route tables change when subnets with a Routing & Security or Routing Only access policy are imported into a Cloud APIC, where these subnets are then associated to the Cloud APIC-created route tables.

⚠️ Read Only Access Policy for subnet level is only available for subnets in Brownfield imported VPC

Subnet Level Access Policies can be configured at the subnet level of Cloud Context Profiles as shown below:
Figure 7: Subnet Level Access Policies
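As an added example (not from this article and not Cisco's software), the following Python models the inheritance rules described in the global, account/tenant, VPC and subnet sections above, so that an intended assignment can be checked before it is made in CNC: a child level cannot grant more permissions than its parent, Read Only is absent at the global level, and Read Only at the VPC/subnet level is offered only for brownfield-imported VPCs. The level names, the function names and the assumption that a level with no explicit policy inherits its parent's policy are my own modelling choices, not Cisco's.

```python
from enum import IntEnum


class AccessPolicy(IntEnum):
    """Ordered by the permissions each policy grants (higher = more)."""
    READ_ONLY = 0
    ROUTING_ONLY = 1
    ROUTING_AND_SECURITY = 2


# Parent-to-child order of the four configuration levels (names are mine).
LEVELS = ("global", "tenant", "vpc", "subnet")


def allowed_policies(level, parent, brownfield=True):
    """Return the policies selectable at `level` under a parent policy.

    Rules modelled from the article:
      - a child may not grant more permissions than its parent;
      - Read Only does not exist at the global level;
      - at VPC/subnet level Read Only is offered only for brownfield VPCs.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    if level == "global" and parent is not None:
        raise ValueError("the global level has no parent")
    ceiling = AccessPolicy.ROUTING_AND_SECURITY if parent is None else parent
    options = [p for p in AccessPolicy if p <= ceiling]
    if level == "global" or (level in ("vpc", "subnet") and not brownfield):
        options = [p for p in options if p != AccessPolicy.READ_ONLY]
    return options


def resolve_chain(chain, brownfield=True):
    """Validate a global->tenant->vpc->subnet assignment and return the
    effective policy per level. `chain` maps level name to the policy set
    explicitly there; an unset level inherits its parent (assumption), and
    the global level defaults to Routing & Security as the article states."""
    effective, parent = {}, None
    for level in LEVELS:
        chosen = chain.get(level)
        if chosen is None:
            chosen = AccessPolicy.ROUTING_AND_SECURITY if parent is None else parent
        if chosen not in allowed_policies(level, parent, brownfield):
            parent_name = "none" if parent is None else parent.name
            raise ValueError(f"{chosen.name} not allowed at {level} under {parent_name}")
        effective[level] = chosen
        parent = chosen  # this level becomes the ceiling for the next one
    return effective
```

The gradual-migration case from the use-case list corresponds to a Routing & Security subnet and a Read Only subnet resolved under the same brownfield VPC chain.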

References

Cisco Cloud Application Policy Infrastructure Controller
Cloud ACI 25.0.2 AWS Brownfield Integration to Cloud ACI Fabric on AWS.
