Understanding the Cisco Cloud APIC GUI

Navigating the Cisco Cloud APIC GUI

After you install Cisco Cloud APIC, you can use it for extending Cisco Application Centric Infrastructure (ACI) policy to the Amazon Web Services (AWS) or Microsoft Azure public cloud. You do so through the Cisco Cloud APIC GUI.

In the Cisco Cloud APIC GUI, you can create a tenant, configure application profiles, endpoint groups (EPGs), contracts, filters, and VRFs. You can also view Cisco Cloud APIC topology, configurations, and resources.

You perform configuration steps with the Intent feature. For instructions on using the Intent feature, see the section Configuring Cisco Cloud APIC Components. Also see the section "Understanding the Cisco Cloud APIC GUI Icons" in the Cisco Cloud APIC User Guide.

The steps for performing basic tasks in Cisco Cloud APIC differ from the steps in regular Cisco APIC. However, the functions of the tenant, application profile, and other elements of Cisco APIC are the same. For more information, see the Cisco Application Centric Infrastructure Fundamentals Guide on Cisco.com.

You view configurations and other information with the left navigation pane. You can choose Dashboard (the default view), Topology, Application Management, Cloud Resources, Operations, Infrastructure, and Administrative.

For information about the icons, see the section "Understanding the Cisco Cloud APIC GUI Icons" in the Cisco Cloud APIC User Guide on Cisco.com.

Creating a Tenant Using the Cisco Cloud APIC GUI

This section explains how to create a tenant using the Cisco Cloud APIC GUI.

Before you begin

  • You can create a tenant that is managed by the Cisco Cloud APIC or a tenant that is unmanaged. To establish a managed tenant, you must first obtain the Azure subscription ID from the Azure portal. You enter the subscription ID in the appropriate field of the Cisco Cloud APIC when creating the tenant. Before you can use the managed tenant, you must explicitly grant the Cisco Cloud APIC permission to manage the subscription. The steps for doing so are displayed in the Cisco Cloud APIC GUI during tenant creation. The steps for the infra tenant, however, are displayed in the infra tenant details view:

    1. Click the Navigation menu > Application Management subtab.

    2. Double-click the infra tenant.

    3. Click edit > View Azure Role Assignment Command. The steps for granting the Cisco Cloud APIC permission to manage the subscription are displayed.


    Note

    For information about obtaining the Azure subscription ID, see the Microsoft Azure documentation.


  • Creating an unmanaged tenant requires obtaining a directory (Azure Tenant) ID, an Azure enterprise application ID, and a client secret from the enterprise application. For more information, see the Microsoft Azure documentation.


    Note

    Cloud APIC does not disturb Azure resources created by other applications or users. It only manages the Azure resources created by itself.


  • The required steps to explicitly grant the Cisco Cloud APIC permission to manage a given subscription are located in the Cisco Cloud APIC GUI. When creating a tenant, the steps are displayed after entering the client secret. For the infra tenant:

  • Cloud APIC enforces ownership checks to prevent duplicate deployment of policies in the same tenant-region combination, whether done intentionally or by mistake. For example, assume that Cloud APIC is deployed in Azure subscription IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment (that is, the account-region combination TA1-R2) is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in Azure subscription IA2 deployed in region R3), this will not be allowed because the current owner for the deployment TA1-R2 is IA1-R1. In other words, only one account in one region can be managed by one Cloud APIC. The example below shows some valid and invalid deployment combinations.

    Capic1:
    IA1-R1: TA1-R1 - ok
            TA1-R2 - ok
     
    Capic2:
    IA1-R2: TA1-R1 - not allowed
            TA1-R3 - ok
     
    Capic3:
    IA2-R1: TA1-R1 - not allowed
            TA1-R4 - ok
            TA2-R4 - ok
  • Ownership enforcement is done using Azure Resource Groups. When a new tenant in subscription TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (for example, CAPIC_123456789012__eastus2) is created in the subscription. This Resource Group has a resource tag AciOwnerTag with the value IA1_R1_TA1_R2, assuming it is managed by the Cloud APIC in subscription IA1 deployed in region R1. If an AciOwnerTag mismatch occurs, tenant-region management is aborted.

    Here is a summary of AciOwnerTag mismatch cases:

    • Cloud APIC is initially installed in one subscription, then taken down and installed in a different subscription. All existing tenant-region deployments will fail.

    • Another Cloud APIC is managing the same tenant-region.

    In ownership mismatch cases, retrying (setting up the tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, log on to the tenant's Azure subscription and manually remove the affected Resource Group (for example: CAPIC_123456789012__eastus2). Next, reload Cloud APIC or delete and add the tenant again.
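The ownership rule described above, as an added example that is not Cisco's code: a small in-memory model that replays the Capic1/Capic2/Capic3 listing and the manual Resource Group removal. The dictionary standing in for Azure and all function names are assumptions made for illustration; Resource Group names follow the page's symbolic form CAPIC_TA1_R2.

```python
# Added illustration (not Cisco code): in-memory model of the AciOwnerTag rule.
# `azure` maps tenant subscription -> {resource group name -> tags}; it stands
# in for real Azure Resource Groups and makes no Azure API calls.

def resource_group(tenant_sub, tenant_region):
    # Symbolic form from the page: CAPIC_TA1_R2
    return f"CAPIC_{tenant_sub}_{tenant_region}"

def owner_tag(infra, tenant):
    # Page form IA1_R1_TA1_R2: owning Cloud APIC first, then the tenant-region
    return "_".join(infra + tenant)

def manage(azure, infra, tenant):
    """Cloud APIC at infra=(sub, region) tries to manage tenant=(sub, region)."""
    groups = azure.setdefault(tenant[0], {})
    name = resource_group(*tenant)
    wanted = owner_tag(infra, tenant)
    if name not in groups:                      # first claim creates the group
        groups[name] = {"AciOwnerTag": wanted}
        return "ok"
    if groups[name].get("AciOwnerTag") == wanted:
        return "ok"                             # same owner coming back
    return "not allowed"                        # mismatch: management aborted

def remove_resource_group(azure, tenant):
    """Models the manual workaround: delete the affected Resource Group."""
    azure.get(tenant[0], {}).pop(resource_group(*tenant), None)

# The attempts from the page's Capic1/Capic2/Capic3 listing, in order.
PAGE_ATTEMPTS = [
    (("IA1", "R1"), ("TA1", "R1")), (("IA1", "R1"), ("TA1", "R2")),  # Capic1
    (("IA1", "R2"), ("TA1", "R1")), (("IA1", "R2"), ("TA1", "R3")),  # Capic2
    (("IA2", "R1"), ("TA1", "R1")), (("IA2", "R1"), ("TA1", "R4")),  # Capic3
    (("IA2", "R1"), ("TA2", "R4")),
]

def run_page_matrix():
    azure = {}
    results = [manage(azure, infra, tenant) for infra, tenant in PAGE_ATTEMPTS]
    return results, azure

if __name__ == "__main__":
    results, _ = run_page_matrix()
    for (infra, tenant), verdict in zip(PAGE_ATTEMPTS, results):
        print("-".join(infra), "->", "-".join(tenant), ":", verdict)
```

In this model, removing the Resource Group hands ownership to whichever Cloud APIC claims the tenant-region next, which is why the workaround requires certainty that no other Cloud APIC is managing it.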

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears.

Step 4

Choose the appropriate options and enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table, then continue.

Table 1. Create Tenant Dialog Box Fields

| Properties | Description |
|---|---|
| Name | Enter the name of the tenant. |
| Description | Enter a description of the tenant. |
| Settings | |
| Add Security Domain | To add a security domain for the tenant: 1. Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane. 2. Click to choose a security domain. 3. Click Select to add the security domain to the tenant. |
| Azure Subscription | |
| Mode | Choose an account type: Create Own: Choose this option to create a new tenant. Select Shared: Choose this option to inherit the managed or unmanaged settings from an existing tenant. |
| Azure Subscription ID | Enter the Azure subscription ID. |
| Access Type | Choose an access type: Unmanaged Identity: Choose this option if the tenant subscription is not managed by the Cisco Cloud APIC. Managed Identity: Choose this option if the tenant subscription is managed by the Cisco Cloud APIC. For more information, see Configuring a Tenant Azure Provider. |
| Application ID | Note: This field is only valid for the Unmanaged Identity access type. Enter the application ID. Note: For information about obtaining the application ID, see the Azure documentation or support. |
| Client Secret | Note: This field is only valid for the Unmanaged Identity access type. Enter the client secret. Note: For information about creating a client secret, see the Azure documentation or support. You must explicitly grant Cloud APIC permission to manage a given subscription. Go to the Azure portal and follow these steps: 1. Open the Cloud Shell. 2. Choose 'Bash'. 3. Copy and paste the command displayed in the Cisco Cloud APIC GUI. |
| Active Directory ID | Note: This field is only valid for the Unmanaged Identity access type. Enter the active directory ID. Note: For information about obtaining the active directory ID, see the Azure documentation or support. |
| Add Security Domain | To add a security domain for the account: 1. Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane. 2. Click to choose a security domain. 3. Click Select to add the security domain to the tenant. |

Step 5

Click Save when finished.


Configuring Cisco Cloud APIC Components

This section provides an overview of performing key tasks in Cisco Cloud APIC, including creating a tenant, application profile, and endpoint group (EPG).

Before you begin

You must have installed Cisco Cloud APIC. See the previous installation sections in this guide.

Procedure


Step 1

Log in to Cisco Cloud APIC.

Step 2

At the upper right of the Dashboard pane, click the icon with an arrow pointing to a bull's-eye.

This icon might be referred to as the Intent icon or feature.

Step 3

In the What do you want to do? window, type a term in the search window to bring up a list of options.

For example, if you want to configure a tenant, type the word tenant in the search window. The search returns a list of tasks that are related to creating and configuring tenants.

Step 4

Click a task and perform the configuration steps in the windows that open.


What to do next

You can view the configuration in the left navigation pane. Expand the pane by clicking the hamburger icon at the upper left of the Dashboard pane. Expand the appropriate heading to view the configurations.

For example, if you've configured a tenant, expand Application Management and click Tenants. Information about tenants appears in the central work pane.