Fully Managed AWS Brownfield Integration to Cloud ACI

Table of Contents:

  1. Introduction
  2. What we will show in this writeup
  3. Demo Topology
  4. Implementation Steps
    4.b. Importing the Brownfield VPC into the ACI Fabric
    4.c. Importing the VRF from CNC to NDO
    4.d. Observe in AWS
  5. References


Previously, I had written an article on how to integrate an AWS brownfield VPC into the Cloud ACI fabric. At the time of that writeup, we were using Cloud APIC 25.0.2 to integrate the brownfield AWS VPC into the Cisco ACI fabric, and some manual work was still needed on the brownfield side for the integration to be fully functional: creating the TGW attachment and manipulating the security group and route tables by hand.

With the release of CNC 25.0.4 (Cloud APIC has been renamed Cloud Network Controller), brownfield infrastructure in AWS can be imported into the ACI fabric with no manual configuration at all. This makes the integration fast and simple.

⚠️ The brownfield import has to be done from CNC; currently this feature has not made its way to NDO. For a hybrid/multi-cloud deployment you will still need NDO, so after importing on CNC you import the resulting objects from CNC into NDO.

What we will show in this writeup

In this writeup, I will show you, with a very simple topology, how to implement this fully. Following this, you can adapt it to what you need in your production setup.

For this demo, I will be using the following:

  • CNC 25.0.5k
  • NDO 4.0.2

Demo Topology

I am going to keep the demo topology really simple to get the point across. We will use just one AWS account for the tenant. In that account I will spin up a simple greenfield environment consisting of one VPC with a VM attached to it.

Note that I have a separate /28 subnet in the VPC (in the same availability zone, us-east-1a) for the TGW attachment. This subnet is generally called the gateway subnet.

In the same AWS account, in a different region (us-west-2, Oregon), I will spin up a simple brownfield topology with a VPC, an IGW and a VM attached to it. During integration into the ACI fabric a TGW attachment will be built automatically from that VPC. For the attachment I will create a separate /28 subnet in the same AZ (us-west-2a).

This initial Topology that was built from NDO is shown below.
Figure 1: Initial Topology for ACI Tenant and AWS Brownfield

Once the implementation is completed, the topology will change as shown below:
Figure 2: Topology after Brownfield Integration is completed

If you observe closely you will see the following changes, all of which happen automatically:

  • On the Infra account, a TGW will be pushed to the brownfield region
  • TGW peering between the regions will be implemented
  • The brownfield TGW in the Infra account will be shared with the tenant account in the same region (us-west-2)
  • A TGW attachment will be made from the brownfield VPC to the shared TGW in the brownfield region (us-west-2)

⚠️ Currently, during import of the brownfield VPC, the routes and subnets of the main route table do not show up for import. I have opened a bug for that. For that reason, create a custom route table and associate it with the brownfield subnets as shown below.

Figure 3: Custom Route Table attached to Brownfield Subnets.

⚠️ On vm2 (the brownfield VM), don't forget to add the tag tag=vm2. This is used to pull the VM into the correct EPG (a security group in AWS) automatically once the integration is done.
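Both prerequisites above (a custom route table on every brownfield subnet, and the selector tag on the VM) can be checked from the AWS API before you start the import. The following is an added example written for this edit, not code from the original writeup or from Cisco: a Python script that reads the JSON output of `aws ec2 describe-route-tables` and `aws ec2 describe-instances` (embedded here as a constructed sample with placeholder IDs and an assumed brownfield VPC CIDR of 10.20.0.0/16) and flags any brownfield subnet that still falls back to the VPC's main route table, plus any VM in the VPC that lacks the selector tag. It reads "tag=vm2" as tag key `tag` with value `vm2`; change the `tag_key`/`tag_value` parameters if your selector uses a different key.

```python
"""Pre-import checks for the brownfield VPC, run over the JSON returned by
`aws ec2 describe-route-tables` and `aws ec2 describe-instances`.

It catches the two things that must be in place before the CNC import:
every brownfield subnet is explicitly associated with a custom route table
(a subnet that silently falls back to the VPC main table is not offered
for import), and the brownfield VM carries tag=vm2 for the EPG selector
that NDO will apply later."""
import json

# Constructed sample API output (placeholder IDs, not real account data).
# subnet-vm00 has a custom table; the /28 gateway subnet subnet-gw00 does not.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main0000", "VpcId": "vpc-brown0000",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main0000"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-brown0000", "State": "active"}]},
  {"RouteTableId": "rtb-custom00", "VpcId": "vpc-brown0000",
   "Associations": [{"Main": false, "RouteTableId": "rtb-custom00", "SubnetId": "subnet-vm00"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-brown0000", "State": "active"}]}
]}""")

INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-vm2000000", "VpcId": "vpc-brown0000", "SubnetId": "subnet-vm00",
   "PrivateIpAddress": "10.20.1.10",
   "Tags": [{"Key": "Name", "Value": "vm2"}, {"Key": "tag", "Value": "vm2"}]}
]}]}""")


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """Return (route_table_id, uses_main) for the table that actually routes
    the subnet: its explicit association if one exists, else the VPC main
    table, which is how the VPC itself resolves it."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt["RouteTableId"], False
            if assoc.get("Main"):
                main = rt["RouteTableId"]
    return main, True


def instance_tags(instance):
    """Flatten the AWS tag list into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def preflight(route_tables, instances, vpc_id, subnet_ids, tag_key="tag", tag_value="vm2"):
    """Return a list of problems; an empty list means the VPC is ready to import."""
    problems = []
    for subnet_id in subnet_ids:
        rtb, uses_main = route_table_for_subnet(route_tables, vpc_id, subnet_id)
        if rtb is None:
            problems.append(f"{subnet_id}: no route table found in {vpc_id}")
        elif uses_main:
            problems.append(f"{subnet_id}: falls back to main route table {rtb}; "
                            "associate a custom route table before importing")
    for res in instances["Reservations"]:
        for vm in res["Instances"]:
            if vm["VpcId"] == vpc_id and instance_tags(vm).get(tag_key) != tag_value:
                problems.append(f"{vm['InstanceId']}: missing {tag_key}={tag_value} "
                                "needed by the EPG selector")
    return problems


if __name__ == "__main__":
    # The constructed sample yields one warning, for the gateway subnet.
    for p in preflight(ROUTE_TABLES, INSTANCES, "vpc-brown0000", ["subnet-vm00", "subnet-gw00"]):
        print("WARN", p)
```

Against a real account, feed it the output of `aws ec2 describe-route-tables --region us-west-2 --filters Name=vpc-id,Values=<vpc-id>` and `aws ec2 describe-instances --region us-west-2 --filters Name=vpc-id,Values=<vpc-id>` instead of the embedded samples. The point of `route_table_for_subnet` is that it resolves the subnet the way the VPC does: an "Associations" list that never names the subnet means the main table is in use, which is exactly the case that does not show up in the import form.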

Implementation Steps


Since my brownfield VPC is in the us-west-2 region, I first need to ensure that my AWS Infra exists in us-west-2, because a TGW will need to be pushed in that region and TGW peering will be formed with the home region. I don't really need to spin up C8KVs in the brownfield region (unless I want traffic from that region to egress directly, as in a hybrid/multi-cloud topology). For this, go to the CNC initial setup and add that region if it is not already there.

Figure 4: Add in the brownfield region in Initial Setup if needed.

Also, make sure that the Access Policy is set to Routing & Security at the global level, as shown below.

Figure 7: Global Policy in CNC set to Routing & Security

📙 If you want to understand Access Policies, I had previously done a writeup on that.

Importing the Brownfield VPC into the ACI Fabric

As mentioned earlier, you have to do this step from CNC because NDO does not yet expose this feature. Once done, you can import the brownfield VPC from CNC into NDO.

This step is really simple. You will need to do the following:

  • From CNC, create a VRF
  • From CNC, import the brownfield VPC into that VRF

The figure below shows the creation of a new VRF from CNC.
Figure 8: Creating a new VRF from CNC.

Now import the brownfield VPC into the newly created VRF. For this, go to the CNC Intent icon and click on the "Import Brownfield VPC" box as shown below.

Figure 9: Clicking on Import Brownfield VPC

Next a form will open up. Follow the figure below, which is marked with what you need to do.
Figure 10: Filling in the required parameters during Brownfield VPC Import
The import of the brownfield VPC into the ACI fabric is now complete.

Importing the VRF from CNC to NDO

At this point, import the VRF created in CNC into NDO. For this, go to NDO and import the VRF as shown in the figure below. Make sure to hit the "Deploy to Sites" button once done.
Figure 11: Importing the CNC created VRF into NDO

Now from NDO do the following (refer to the topology diagram shown at the beginning if you need to):

  1. Create epg2
  2. Tie epg2 to vrf-brownF (the VRF that you created from CNC in the previous step)
  3. Create an EPG selector with tag=vm2
  4. Add a tenant-scope contract between epg1 and epg2
  5. Deploy to sites

The figure below shows the epg2 creation in my setup.
Figure 12: Create epg for brownfield from NDO

Connectivity from greenfield to brownfield is now established. You can do a ping test from the greenfield VM1 to the brownfield VM2 (using its private IP) to verify.
Figure 13: Ping Test

Observe in AWS

You will notice that the brownfield EC2 instance has a new security group attached, with the appropriate rules.
Figure 14: Appropriate Security Group got attached to Brownfield EC2

You will also notice that the appropriate routes have been added for the connectivity. The original route table of the brownfield subnets has been copied to a new route table, which now also carries the added routes.
These are shown in the figures below.

Figure 15: New Route Table of Brownfield Subnets

Figure 16: Route Table of Greenfield subnet modified to be able to reach brownfield
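The three observations above (new security group on the brownfield VM, copied brownfield route table, modified greenfield route table) can be verified from the AWS API rather than by eye. The following is an added example written for this edit, not code from the original writeup or from Cisco: it reads the JSON of `aws ec2 describe-instances`, `describe-security-groups` and `describe-route-tables` in the brownfield region and `describe-route-tables` in the greenfield region (embedded here as a constructed sample with placeholder IDs and assumed VPC CIDRs of 10.10.0.0/16 for greenfield and 10.20.0.0/16 for brownfield) and confirms that the brownfield VM has an attached group admitting ICMP from the greenfield CIDR, that the route table actually associated with its subnet sends the greenfield CIDR to a transit gateway, and that the greenfield subnet's table routes back the same way. Only CIDR-based inbound rules are evaluated; rules that reference other security groups or prefix lists are not.

```python
"""Post-import verification over the JSON returned by `aws ec2 describe-instances`,
`describe-security-groups` and `describe-route-tables` in the brownfield region,
plus `describe-route-tables` in the greenfield region. It checks the three
things Figures 14-16 show: the brownfield VM has a security group admitting
the greenfield CIDR, its subnet's route table sends the greenfield CIDR to a
transit gateway, and the greenfield subnet's table routes back the same way."""
import ipaddress
import json

GREENFIELD_CIDR = "10.10.0.0/16"   # assumed greenfield VPC CIDR (us-east-1)
BROWNFIELD_CIDR = "10.20.0.0/16"   # assumed brownfield VPC CIDR (us-west-2)

# Constructed sample API output; every ID is a placeholder. The VM keeps its
# original group (sg-orig0000) and gained the CNC-managed one (sg-epg20000);
# its subnet moved from rtb-custom00 to the copied table rtb-cnc00000.
BROWN_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-vm2000000", "VpcId": "vpc-brown0000", "SubnetId": "subnet-vm00",
   "SecurityGroups": [{"GroupId": "sg-orig0000", "GroupName": "launch-wizard-1"},
                      {"GroupId": "sg-epg20000", "GroupName": "epg2"}]}]}]}""")
BROWN_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-orig0000", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
  {"GroupId": "sg-epg20000", "IpPermissions": [{"IpProtocol": "-1",
                                                "IpRanges": [{"CidrIp": "10.10.0.0/16"}]}]}]}""")
BROWN_RTS = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-custom00", "VpcId": "vpc-brown0000", "Associations": [],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-brown0000", "State": "active"}]},
  {"RouteTableId": "rtb-cnc00000", "VpcId": "vpc-brown0000",
   "Associations": [{"Main": false, "SubnetId": "subnet-vm00"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-brown0000", "State": "active"},
              {"DestinationCidrBlock": "10.10.0.0/16", "TransitGatewayId": "tgw-west0000", "State": "active"}]}]}""")
GREEN_RTS = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-green000", "VpcId": "vpc-green0000",
   "Associations": [{"Main": false, "SubnetId": "subnet-vm10"}],
   "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "10.20.0.0/16", "TransitGatewayId": "tgw-east0000", "State": "active"}]}]}""")


def table_for_subnet(route_tables, vpc_id, subnet_id):
    """Route table serving the subnet: explicit association, else the VPC main table."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def tgw_route(route_table, dst_cidr):
    """Longest-prefix active route covering dst_cidr, but only if it points at a TGW."""
    dst = ipaddress.ip_network(dst_cidr)
    best, best_len = None, -1
    for r in route_table["Routes"]:
        if "DestinationCidrBlock" not in r or r.get("State") != "active":
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dst.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best if best and "TransitGatewayId" in best else None


def sg_admits(sg, src_cidr, proto="icmp"):
    """True if an inbound rule for proto (or all traffic) comes from a CIDR covering src_cidr."""
    src = ipaddress.ip_network(src_cidr)
    for perm in sg.get("IpPermissions", []):
        if perm["IpProtocol"] in ("-1", proto):
            if any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
                return True
    return False


def verify(instance_id, instances, sgs, brown_rts, green_vpc, green_subnet, green_rts):
    """Return findings; an empty list means the post-import state is as expected."""
    findings = []
    vm = next(i for r in instances["Reservations"] for i in r["Instances"] if i["InstanceId"] == instance_id)
    by_id = {g["GroupId"]: g for g in sgs["SecurityGroups"]}
    attached = [by_id[g["GroupId"]] for g in vm["SecurityGroups"] if g["GroupId"] in by_id]
    if not any(sg_admits(sg, GREENFIELD_CIDR) for sg in attached):
        findings.append(f"{instance_id}: no attached security group admits ICMP from {GREENFIELD_CIDR}")
    brt = table_for_subnet(brown_rts, vm["VpcId"], vm["SubnetId"])
    if brt is None or tgw_route(brt, GREENFIELD_CIDR) is None:
        findings.append(f"{vm['SubnetId']}: no active TGW route to {GREENFIELD_CIDR}")
    grt = table_for_subnet(green_rts, green_vpc, green_subnet)
    if grt is None or tgw_route(grt, BROWNFIELD_CIDR) is None:
        findings.append(f"{green_subnet}: no active TGW route to {BROWNFIELD_CIDR}")
    return findings


if __name__ == "__main__":
    found = verify("i-vm2000000", BROWN_INSTANCES, BROWN_SGS, BROWN_RTS, "vpc-green0000", "subnet-vm10", GREEN_RTS)
    print("\n".join(found) if found else "OK: greenfield <-> brownfield path is in place")
```

Two things in this check are worth keeping in mind. First, `table_for_subnet` resolves the table by association, not by name: after the import the subnet is bound to the copied table, so inspecting the old custom table (which has no TGW route) would produce a false failure. Second, AWS evaluates all security groups attached to an instance as a union, so the brownfield VM's original group keeps every inbound rule it had (in the sample, SSH from a /24); the check only confirms that the contract-derived rule is present, and what the VM still exposes from before the import deserves its own review.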


References

  • Importing Existing Brownfield AWS Cloud VPCs Into Cisco Cloud APIC

