Configuring Cisco Cloud APIC Components

About Configuring the Cisco Cloud APIC

You create the Cisco Cloud APIC components using either the Cisco Cloud APIC GUI or the REST API. This section explains how to create configuration, application management, operations, and administrative components.



Configuring the Cisco Cloud APIC Using the GUI

Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(2) and Earlier

This section explains how to create a tenant using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table then continue.

Table 1. Create Tenant Dialog Box Fields

Properties

Description

Name

Enter the name of the tenant.

Description

Enter a description of the tenant.

Settings

Add Security Domain

To add a security domain:

  1. Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane.

  2. Click to choose a security domain.

  3. Click Select to add the security domain to the tenant.

Trusted Tenant

Click to check (default) or uncheck the Enabled check box. Trusted Tenant is enabled when checked.

Cloud Account ID

Enter the cloud account ID.

Step 5

Click Save when finished.


Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(3) and Later

This section explains how to create a tenant using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table then continue.

Table 2. Create Tenant Dialog Box Fields

Properties

Description

Name

Enter the name of the tenant.

Description

Enter a description of the tenant.

Settings

Add Security Domain

To add a security domain:

  1. Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane.

  2. Click to choose a security domain.

  3. Click Select to add the security domain to the tenant.

AWS Account ID

Enter the cloud account ID.

Access Type

Click to enable the tenant type:

  • Untrusted

  • Trusted

  • Organization

Step 5

Click Save when finished.


Configure a Tenant AWS Provider For Release 4.2(2) and Earlier

Before you begin

  • AWS Provider is auto-configured for Infra tenant. You do not need to do anything to configure the AWS provider for the infra tenant.

  • For all non-infra tenants, the AWS provider is configured either as a trusted tenant or as an untrusted tenant. Our recommendation is to use trusted tenants because managing credentials is not easy. Also, each tenant must be in a separate AWS account. Sharing the same AWS account for multiple tenants is not allowed.

    For a trusted tenant, establish the trust relationship first with the account in which Cisco Cloud APIC is deployed (the account for the infra tenant). To establish the trust relation and give all the required permissions to the Cisco Cloud APIC for accessing the tenant account, run the tenant role cloud-formation template in the tenant account. This template is available as a tenant-cft.json object in the S3 bucket that is named capic-common-[capicAccountId]-data in the infra tenant’s AWS account. For security reasons, public access to this S3 bucket is not allowed, so the S3 bucket owner needs to download this file and use it in the tenant account.

  • Untrusted tenants use the account access and secret keys. The access and secret keys being used must be for an IAM user having these permissions at a minimum. The IAM role created must be named ApicTenantRole.


    Note

    Cloud APIC does not disturb AWS resources created by other applications or users. It only manages the AWS resources created by itself.


    {
        "Version": "2012-10-17",
        "Statement": [
           {
                "Action": [
                    "ec2:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "s3:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "events:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "logs:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "cloudtrail:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "cloudwatch:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "resource-groups:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "sqs:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": "elasticloadbalancing:*",
                "Resource": "*",
               "Effect": "Allow"
            }, {
                "Action": [
                    "config:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": "iam:PassRole",
                "Resource": "arn:aws:iam::<account-id>:role/ApicTenantRole",
                "Effect": "Allow"
            }
        ]
    }
  • Add trust relationship:

     {
        "Version": "2012-10-17",
        "Statement": [
           {
                "Effect": "Allow",
                "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com",
                    "AWS": "arn:aws:iam::<infra-account-id>:root"
                },
                "Action": "sts:AssumeRole"
           }
        ]
    }
  • Cloud APIC enforces ownership checks to prevent deployment of policies in the same tenant-region combination, whether done intentionally or by mistake. For example, assume that Cloud APIC is deployed in AWS account IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment, i.e. the account-region combination TA1-R2, is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in AWS account IA2 deployed in region R3), this will not be allowed because the current owner of the deployment TA1-R2 is IA1-R1. In other words, a given tenant account-region combination can be managed by only one Cloud APIC. The example below shows some valid and invalid deployment combinations.

    Capic1:
    IA1-R1: TA1-R1 - ok
            TA1-R2 - ok
     
    Capic2:
    IA1-R2: TA1-R1 - not allowed
            TA1-R3 - ok
     
    Capic3:
    IA2-R1: TA1-R1 - not allowed
            TA1-R4 - ok
            TA2-R4 - ok
  • Ownership enforcement is done using AWS Resource Groups. When a new tenant in account TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (e.g. CAPIC_123456789012_us-east-2) is created in the tenant account. This Resource Group has a resource tag AciOwnerTag with value IA1_R1_TA1_R2, assuming it was managed by Cloud APIC in account IA1 and deployed in region R1. If the AciOwnerTag mismatch happens, tenant-region management is aborted.

    Here is a summary of AciOwnerTag mismatch cases:

    • Initially Cloud APIC is installed in an account, and then taken down and Cloud APIC is installed in a different account. All existing tenant-region deployment will fail.

    • Another Cloud APIC is managing the same tenant-region.

    In ownership mismatch cases, retrying (to set up the tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, log on to the tenant's AWS account and manually remove the affected Resource Group (e.g. CAPIC_123456789012_us-east-2). Next, reload Cloud APIC or delete and add the tenant again.
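The ownership rule above (it is stated identically in the Release 4.2(3) and Later section) can be modelled as a small check. The following is an added example written for this page, not Cisco code: an in-memory dict stands in for the Resource Groups of each tenant AWS account, the AciOwnerTag is derived exactly as the text describes, and the Capic1/Capic2/Capic3 combinations from the text are replayed through it. Names such as manage_tenant_region, TenantAccountState and release_ownership are this example's own; a real pre-flight check would read the Resource Group tags through the AWS API instead of a dict.

```python
"""Model of the Cloud APIC tenant-region ownership check.

Added example (not Cisco code). A Resource Group CAPIC_<tenantAccount>_<region>
in the tenant account carries AciOwnerTag = <infraAccount>_<infraRegion>_<tenantAccount>_<region>;
a Cloud APIC may manage that tenant-region only if the tag matches its own identity.
"""
from dataclasses import dataclass, field


def resource_group_name(tenant_account: str, region: str) -> str:
    """Name of the ownership Resource Group, e.g. CAPIC_123456789012_us-east-2."""
    return f"CAPIC_{tenant_account}_{region}"


def owner_tag(infra_account: str, infra_region: str,
              tenant_account: str, region: str) -> str:
    """Value of AciOwnerTag, e.g. IA1_R1_TA1_R2."""
    return f"{infra_account}_{infra_region}_{tenant_account}_{region}"


@dataclass
class CloudApic:
    name: str
    infra_account: str   # AWS account the Cloud APIC (infra tenant) is deployed in
    infra_region: str    # region it is deployed in


@dataclass
class TenantAccountState:
    """Constructed stand-in for the Resource Groups in one tenant AWS account.

    Maps Resource Group name -> tags (assumption: a real check reads these via the API).
    """
    resource_groups: dict = field(default_factory=dict)


def manage_tenant_region(capic: CloudApic, tenant_account: str, region: str,
                         state: TenantAccountState) -> str:
    """Try to take ownership of a tenant-region; returns 'ok' or 'not allowed'.

    - No Resource Group yet: create it carrying our AciOwnerTag -> 'ok'.
    - Existing group whose AciOwnerTag equals ours (same Cloud APIC again) -> 'ok' (assumption).
    - Existing group owned by another Cloud APIC -> 'not allowed'; management is aborted.
    """
    group = resource_group_name(tenant_account, region)
    expected = owner_tag(capic.infra_account, capic.infra_region, tenant_account, region)
    tags = state.resource_groups.get(group)
    if tags is None:
        state.resource_groups[group] = {"AciOwnerTag": expected}
        return "ok"
    if tags.get("AciOwnerTag") == expected:
        return "ok"
    return "not allowed"


def release_ownership(state: TenantAccountState, tenant_account: str, region: str) -> None:
    """The documented workaround: remove the Resource Group by hand, then re-add the tenant."""
    state.resource_groups.pop(resource_group_name(tenant_account, region), None)


def replay_page_example() -> dict:
    """Replay the Capic1/Capic2/Capic3 combinations from the text, in order."""
    accounts = {"TA1": TenantAccountState(), "TA2": TenantAccountState()}
    capics = {
        "Capic1": CloudApic("Capic1", "IA1", "R1"),
        "Capic2": CloudApic("Capic2", "IA1", "R2"),
        "Capic3": CloudApic("Capic3", "IA2", "R1"),
    }
    attempts = [
        ("Capic1", "TA1", "R1"), ("Capic1", "TA1", "R2"),
        ("Capic2", "TA1", "R1"), ("Capic2", "TA1", "R3"),
        ("Capic3", "TA1", "R1"), ("Capic3", "TA1", "R4"), ("Capic3", "TA2", "R4"),
    ]
    results = {}
    for capic_name, tenant, region in attempts:
        results[(capic_name, tenant, region)] = manage_tenant_region(
            capics[capic_name], tenant, region, accounts[tenant])
    return results


if __name__ == "__main__":
    for (capic, tenant, region), verdict in replay_page_example().items():
        print(f"{capic}: {tenant}-{region} - {verdict}")
```

Running the block prints the same ok / not allowed verdicts as the table in the text; Capic2 and Capic3 are refused TA1-R1 because the existing tag IA1_R1_TA1_R1 names a different owner, and only after release_ownership (the manual Resource Group removal) does a second Cloud APIC get 'ok' for that tenant-region.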

Procedure


Step 1

In the Cloud APIC, configure the AWS Provider.

  1. On the Intent menu, choose Tenants > tenant_name from the drop-down.

  2. In the Intent pane, choose Application Management > tenant_name.

Step 2

Perform the following actions:

  1. Confirm there is a check in the Trusted Tenant checkbox.

    The AWS account must be a Trusted account for the user tenant using the cloud.

  2. In the Cloud Account ID field, provide the Cloud account ID.

  3. Run the tenant role cloud-formation template available at the URL https://capic-common-<infraAccountId>-data.s3.amazonaws.com/tenant-cft.json, which is in an S3 bucket in the infra tenant’s AWS account.

    Note 

    Alternatively, keep the trusted flag unchecked and provide the access and secret keys as done normally for any tenant.

Step 3

Click Save.


Configuring a Tenant AWS Provider For Release 4.2(3) and Later

Before you begin

  • AWS Provider is auto-configured for Infra tenant. You do not need to do anything to configure the AWS provider for the infra tenant.

  • For all non-infra tenants, the AWS provider is configured either as a trusted tenant, untrusted tenant, or organization tenant. Our recommendation is to use trusted tenants because managing credentials is not easy. Also, each tenant must be in a separate AWS account. Sharing the same AWS account for multiple tenants is not allowed.

    For a trusted tenant, establish the trust relationship first with the account in which Cisco Cloud APIC is deployed (the account for the infra tenant). To establish the trust relation and give all the required permissions to the Cisco Cloud APIC for accessing the tenant account, first create a tenant and assign the Trusted tag to that tenant as the Access Type. Then, bring up that new trusted tenant again by clicking on the tenant name in the Tenants page, and in the AWS Account area in the tenant window, click the Run the CloudFormation template link.

  • Organization tenants are for adding tenant accounts that are part of the organization. This requires deploying the Cisco Cloud APIC in the master account of the organization.

  • Untrusted tenants use the account access and secret keys. The access and secret keys being used must be for an IAM user having these permissions at a minimum. The IAM role created must be named ApicTenantRole.


    Note

    Cloud APIC does not disturb AWS resources created by other applications or users. It only manages the AWS resources created by itself.


    {
        "Version": "2012-10-17",
        "Statement": [
           {
                "Action": [
                    "ec2:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "s3:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "events:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "logs:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "cloudtrail:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "cloudwatch:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "resource-groups:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": [
                    "sqs:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": "elasticloadbalancing:*",
                "Resource": "*",
               "Effect": "Allow"
            }, {
                "Action": [
                    "config:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }, {
                "Action": "iam:PassRole",
                "Resource": "arn:aws:iam::<account-id>:role/ApicTenantRole",
                "Effect": "Allow"
            }
        ]
    }
  • Add trust relationship:

     {
        "Version": "2012-10-17",
        "Statement": [
           {
                "Effect": "Allow",
                "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com",
                    "AWS": "arn:aws:iam::<infra-account-id>:root"
                },
                "Action": "sts:AssumeRole"
           }
        ]
    }
  • The Cloud APIC uses the OrganizationAccountAccessRole IAM role to manage policies for AWS Organization tenants.

    • If you created an AWS account within the existing organization in the master account, the OrganizationAccountAccessRole IAM role is automatically assigned to that created AWS account. You do not have to manually configure the OrganizationAccountAccessRole IAM role in AWS in this case.

    • If the master account invited an existing AWS account to join the organization, then you must manually configure the OrganizationAccountAccessRole IAM role in AWS. Configure the OrganizationAccountAccessRole IAM role in AWS for the organization tenant and verify that it has Cloud APIC-related permissions available.

      The OrganizationAccountAccessRole IAM role, together with the SCP (Service Control Policy) used for the organization or the account, must have the minimum permissions that are required by the Cloud APIC to manage policies for the tenants. The access policy requirement is the same as the requirement for the trusted or untrusted tenants.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "ec2:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "s3:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "events:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "logs:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "cloudtrail:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "cloudwatch:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "resource-groups:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "sqs:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": "elasticloadbalancing:*",
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": [
                      "config:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }, {
                  "Action": "iam:PassRole",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

    To add a trust relationship for an Organization tenant:

     {
        "Version": "2012-10-17",
        "Statement": [
           {
                "Effect": "Allow",
                "Principal": {
                    "Service": "vpc-flow-logs.amazonaws.com",
                    "AWS": "arn:aws:iam::<infra-account-id>:root"
                },
                "Action": "sts:AssumeRole"
           }
        ]
    }
  • Cloud APIC enforces ownership checks to prevent deployment of policies in the same tenant-region combination, whether done intentionally or by mistake. For example, assume that Cloud APIC is deployed in AWS account IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment, i.e. the account-region combination TA1-R2, is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in AWS account IA2 deployed in region R3), this will not be allowed because the current owner of the deployment TA1-R2 is IA1-R1. In other words, a given tenant account-region combination can be managed by only one Cloud APIC. The example below shows some valid and invalid deployment combinations.

    Capic1:
    IA1-R1: TA1-R1 - ok
            TA1-R2 - ok
     
    Capic2:
    IA1-R2: TA1-R1 - not allowed
            TA1-R3 - ok
     
    Capic3:
    IA2-R1: TA1-R1 - not allowed
            TA1-R4 - ok
            TA2-R4 - ok
  • Ownership enforcement is done using AWS Resource Groups. When a new tenant in account TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (e.g. CAPIC_123456789012_us-east-2) is created in the tenant account. This Resource Group has a resource tag AciOwnerTag with value IA1_R1_TA1_R2, assuming it was managed by Cloud APIC in account IA1 and deployed in region R1. If the AciOwnerTag mismatch happens, tenant-region management is aborted.

    Here is a summary of AciOwnerTag mismatch cases:

    • Initially Cloud APIC is installed in an account, and then taken down and Cloud APIC is installed in a different account. All existing tenant-region deployment will fail.

    • Another Cloud APIC is managing the same tenant-region.

    In ownership mismatch cases, retrying (to set up the tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, log on to the tenant's AWS account and manually remove the affected Resource Group (e.g. CAPIC_123456789012_us-east-2). Next, reload Cloud APIC or delete and add the tenant again.
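The policy shown above for untrusted tenants (in both release sections) is a minimum, and the organization variant differs from it in one security-relevant detail: it grants iam:PassRole on "*" where the untrusted-tenant policy names only the ApicTenantRole ARN. Before onboarding a tenant it is worth checking the role's existing policy and trust document against these requirements. The following is an added example written for this page, not Cisco code: the required service prefixes are transcribed from the policy above, build_policy produces documents in the same shape as the page's JSON, and the account IDs 111122223333 (tenant) and 444455556666 (infra) are constructed placeholders. The function names check_tenant_policy and check_trust_policy are this example's own; the same functions can be applied to the documents returned by IAM's GetRolePolicy and GetRole calls.

```python
"""Check an ApicTenantRole policy and trust document against the minimum permissions.

Added example, not Cisco code. The service prefixes below are transcribed from the
policy on this page; account IDs in the sample documents are constructed.
"""
import json

# Services the minimum policy above grants as "<service>:*" (transcribed from the page).
REQUIRED_SERVICE_PREFIXES = [
    "ec2", "s3", "events", "logs", "cloudtrail", "cloudwatch",
    "resource-groups", "sqs", "elasticloadbalancing", "config",
]
TENANT_ROLE_NAME = "ApicTenantRole"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Yield (action, resource) pairs from every Allow statement that has an Action key.

    Deny statements, NotAction and Condition blocks are not modelled here.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                yield action, resource


def check_tenant_policy(policy, tenant_account_id):
    """Report missing service prefixes and how iam:PassRole is scoped."""
    covered = set()
    passrole_resources = []
    for action, resource in allowed_actions(policy):
        service, _, verb = action.partition(":")
        if action == "*":
            covered.update(REQUIRED_SERVICE_PREFIXES)
        elif verb == "*" and service in REQUIRED_SERVICE_PREFIXES:
            covered.add(service)
        if action in ("iam:PassRole", "iam:*", "*"):
            passrole_resources.append(resource)
    expected_arn = f"arn:aws:iam::{tenant_account_id}:role/{TENANT_ROLE_NAME}"
    return {
        "missing": [p for p in REQUIRED_SERVICE_PREFIXES if p not in covered],
        "passrole_resources": passrole_resources,
        # True only when PassRole is granted and every grant names the ApicTenantRole ARN.
        "passrole_scoped": bool(passrole_resources)
        and all(r == expected_arn for r in passrole_resources),
    }


def check_trust_policy(trust_policy, infra_account_id):
    """True if the role can be assumed by the infra account's root principal."""
    wanted = f"arn:aws:iam::{infra_account_id}:root"
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and wanted in _as_list(principal.get("AWS")):
            return True
    return False


def build_policy(prefixes, passrole_resource):
    """Build a policy document in the same shape as the ApicTenantRole policy above."""
    statements = [{"Action": [f"{p}:*"], "Resource": "*", "Effect": "Allow"} for p in prefixes]
    statements.append({"Action": "iam:PassRole", "Resource": passrole_resource, "Effect": "Allow"})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: the trust relationship from the page with a placeholder infra account.
TENANT_ACCOUNT = "111122223333"
INFRA_ACCOUNT = "444455556666"
TRUST_DOC = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "vpc-flow-logs.amazonaws.com",
                  "AWS": "arn:aws:iam::444455556666:root"},
    "Action": "sts:AssumeRole"
  }]
}
""")

if __name__ == "__main__":
    scoped = build_policy(REQUIRED_SERVICE_PREFIXES,
                          f"arn:aws:iam::{TENANT_ACCOUNT}:role/{TENANT_ROLE_NAME}")
    org = build_policy(REQUIRED_SERVICE_PREFIXES, "*")         # organization variant above
    short = build_policy(REQUIRED_SERVICE_PREFIXES[:-1], "*")  # config:* left out
    for label, doc in (("untrusted", scoped), ("organization", org), ("incomplete", short)):
        print(label, check_tenant_policy(doc, TENANT_ACCOUNT))
    print("trust ok:", check_trust_policy(TRUST_DOC, INFRA_ACCOUNT))
```

The "missing" list names any of the ten service prefixes the policy does not cover (so a tenant onboarded with, say, config:* omitted is caught before Cloud APIC fails part-way through), and "passrole_scoped" is False for the organization-style grant on "*", which is what you would expect to see when reviewing an OrganizationAccountAccessRole rather than a dedicated ApicTenantRole.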

Procedure


Step 1

In the Cloud APIC, configure the AWS Provider.

  1. On the Intent menu, choose Tenants > tenant_name from the drop-down.

  2. In the Intent pane, choose Application Management > tenant_name.

Step 2

Perform the following actions:

  1. In the AWS Account ID field, provide the cloud account ID.

  2. In the Access Type area, choose Trusted.

    The AWS account must be a Trusted account for the user tenant that is using the cloud.

  3. Click Save.

  4. Bring up the new trusted tenant again by clicking on the tenant name in the Tenants page.

    In the AWS Account area in the tenant Overview page, you will see the following message: "In order to deploy any configuration from this tenant, you must create a trusted role in the tenant AWS account which will establish trust with the AWS infra account. To do so, open the link below to run the CloudFormation template."

  5. Click the Run the CloudFormation template link.

    This returns you to the AWS sign-in page, which should be pre-populated with the AWS account information that you entered earlier in these procedures in the Cloud APIC GUI.

  6. Click Next in the AWS sign-in page after verifying that the sign-in information is correct.

  7. Run the tenant role cloud-formation template in the tenant account.

    Note 

    Alternatively, keep the trusted flag unchecked and provide the access and secret keys as done normally for any tenant.

Step 3

Click Save.


Creating an Application Profile Using the Cisco Cloud APIC GUI

This section explains how to create an application profile using the Cisco Cloud APIC GUI.

Before you begin

Create a tenant.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Application Profile. The Create Application Profile dialog box appears.

Step 4

Enter a name in the Name field.

Step 5

Choose a tenant:

  1. Click Select Tenant.

    The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select.

    You return to the Create Application Profile dialog box.

Step 6

Enter a description in the Description field.

Step 7

Click Save when finished.


Creating a VRF Using the Cisco Cloud APIC GUI

This section explains how to create a VRF using the Cisco Cloud APIC GUI.

Before you begin

Create a tenant.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create VRF. The Create VRF dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create VRF Dialog Box Fields table then continue.

Table 3. Create VRF Dialog Box Fields

Properties

Description

General

Name

Enter a name for the VRF in the Name field.

Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create VRF dialog box.

Description

Enter a description of the VRF.

Settings > IPv4 unicast address family BGP targets

Add Filter

  1. Click the Add Route Target option for the unicast address family BGP target you want to configure.

  2. Click to choose one of the following options for the Type field:

    • Export—The route target can be exported to other VRFs

    • Import—The route target is imported from other VRFs

  3. Enter the route target that can be exported from the current VRF or imported into the current VRF in the Route Target text box.

Step 5

When finished, click Save.


Creating an EPG Using the Cisco Cloud APIC GUI

This section explains how to create an EPG using the Cisco Cloud APIC GUI. Each service needs at least one consumer EPG and one provider EPG.

Before you begin

Create an application profile and a VRF.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create EPG. The Create EPG dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create EPG Dialog Box Fields table then continue.

Table 4. Create EPG Dialog Box Fields

Properties

Description

Name

Enter the name of the EPG.

Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create EPG dialog box.

Application Profile

To choose an application profile:

  1. Click Select Application Profile. The Select Application Profile dialog box appears.

  2. From the Select Application Profile dialog, click to choose an application profile in the left column then click Select. You return to the Create EPG dialog box.

Description

Enter a description of the EPG.

Settings

Type

Choose the EPG type:

  • Cloud - Click to create the EPG in the cloud.

  • External - Click to create an external EPG.

Route Reachability

(Visible when creating an external EPG) Click the Route Reachability drop-down list and choose:

  • On Premises

  • Internet

  • Unspecified

VRF

To choose a VRF:

  1. Click Select VRF. The Select VRF dialog box appears.

  2. From the Select VRF dialog, click to choose a VRF in the left column then click Select. You return to the Create EPG dialog box.

Endpoint Selectors

Note 

See Configuring Instances in AWS for instructions on configuring instances in AWS as part of the endpoint selector configuration process.

To add an endpoint selector:

  1. Click Add Endpoint Selector to open the Add Endpoint Selector dialog.

  2. In the Add Endpoint Selector dialog, enter a name in the Name field.

  3. Click Selector Expression. The Key, Operator, and Value fields are enabled.

  4. Click the Key drop-down list to choose a key. The options are:

    • Choose IP if you want to use an IP address or subnet for the endpoint selector.

    • Choose Zone if you want to use an availability zone for the endpoint selector.

    • Choose Region if you want to use the Amazon Web Services region for the endpoint selector.

    • Choose Custom if you want to create a custom key for the endpoint selector.

      Note 

      When choosing the Custom option, the drop-down list becomes a text box. You need to enter a name for the key in the spaces after custom: (for example, custom: Location).

  5. Click the Operator drop-down list to choose an operator. The options are:

    • equals: Used when you have a single value in the Value field.

    • not equals: Used when you have a single value in the Value field.

    • in: Used when you have multiple comma-separated values in the Value field.

    • not in: Used when you have multiple comma-separated values in the Value field.

    • has key: Used if the expression contains only a key.

    • does not have key: Used if the expression contains only a key.

  6. Enter a value in the Value field then click the check mark to validate the entries. The value you enter depends on the choices you made for the Key and Operator fields. For example, if the Key field is set to IP and the Operator field is set to equals, the Value field must be an IP address or subnet. However, if the Operator field is set to has key, the Value field is disabled.

  7. When finished, click the check mark to validate the selector expression.

  8. Determine if you want to create additional endpoint selector expressions to the endpoint selector. If you create more than one expression under a single endpoint selector, a logical AND exists between those expressions.

    For example, assume you created two sets of expressions under a single endpoint selector:

    • Endpoint selector 1, expression 1:

      • Key: Zone

      • Operator: equals

      • Value: us-west-1a

    • Endpoint selector 1, expression 2:

      • Key: IP

      • Operator: equals

      • Value: 192.0.2.1/24

    In this case, if both of these expressions are true (if the availability zone is us-west-1a AND if the IP address belongs to subnet 192.0.2.1/24), then that endpoint is assigned to the Cloud EPG.

  9. Click the check mark after every additional expression that you want to create under this endpoint selector then click Add when finished.

    If you create more than one endpoint selector under an EPG, a logical OR exists between those endpoint selectors. For example, assume you had created endpoint selector 1 as described in the previous step, and then you created a second endpoint selector as described below:

    • Endpoint selector 2, expression 1:

      • Key: Region

      • Operator: in

      • Value: us-east-1, us-east-2

    In this case:

    • If the availability zone is us-west-1a AND the IP address belongs to the 192.0.2.1/24 subnet (endpoint selector 1 expressions)

      OR

    • If the region is either us-east-1 or us-east-2 (endpoint selector 2 expression)

    Then that endpoint is assigned to the Cloud EPG.

Step 5

Click Save when finished.
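The AND-within-a-selector, OR-between-selectors rule in the Endpoint Selectors row of the table above is easy to get wrong once an EPG has several selectors, so here is an added example, written for this page and not Cisco code, that evaluates selector expressions against endpoint attributes. It uses the two endpoint selectors from the text and a handful of constructed endpoints. The attribute dict with the keys IP, Zone, Region and custom:<name> is this example's assumption about how an endpoint is described (Cloud APIC itself matches against AWS instance data and tags), and the IP key is compared with Python's ipaddress module so that a value such as 192.0.2.1/24 is treated as the subnet it denotes.

```python
"""Evaluate Cloud APIC endpoint selector expressions against endpoint attributes.

Added example, not Cisco code. Expressions inside one endpoint selector are ANDed;
separate endpoint selectors under an EPG are ORed. Endpoint attribute dicts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Expression:
    key: str          # IP, Zone, Region, or custom:<name>
    operator: str     # equals, not equals, in, not in, has key, does not have key
    value: str = ""   # disabled (empty) for has key / does not have key


def _split_values(value):
    """'equals' takes one value, 'in' takes comma-separated values; treat both as a list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _ip_matches(endpoint_ip, target):
    """IP key: value is an address or a subnet; strict=False accepts 192.0.2.1/24."""
    return ipaddress.ip_address(endpoint_ip) in ipaddress.ip_network(target, strict=False)


def expression_matches(expr, endpoint):
    """Evaluate one Key/Operator/Value expression against an endpoint's attributes."""
    present = expr.key in endpoint
    if expr.operator == "has key":
        return present
    if expr.operator == "does not have key":
        return not present
    if not present:
        return False  # assumption: a value operator never matches a missing key
    actual = endpoint[expr.key]
    if expr.key == "IP":
        hit = any(_ip_matches(actual, t) for t in _split_values(expr.value))
    else:
        hit = actual in _split_values(expr.value)
    if expr.operator in ("equals", "in"):
        return hit
    if expr.operator in ("not equals", "not in"):
        return not hit
    raise ValueError(f"unknown operator {expr.operator!r}")


def selector_matches(expressions, endpoint):
    """All expressions of one endpoint selector must hold (logical AND)."""
    return all(expression_matches(e, endpoint) for e in expressions)


def epg_matches(selectors, endpoint):
    """Any endpoint selector under the EPG may match (logical OR)."""
    return any(selector_matches(s, endpoint) for s in selectors)


# The two endpoint selectors from the text.
SELECTOR_1 = [Expression("Zone", "equals", "us-west-1a"),
              Expression("IP", "equals", "192.0.2.1/24")]
SELECTOR_2 = [Expression("Region", "in", "us-east-1, us-east-2")]
CLOUD_EPG_SELECTORS = [SELECTOR_1, SELECTOR_2]

# Constructed endpoints: attribute names mirror the Key drop-down.
ENDPOINTS = {
    "web-1": {"IP": "192.0.2.77", "Zone": "us-west-1a", "Region": "us-west-1"},
    "web-2": {"IP": "192.0.2.77", "Zone": "us-west-1b", "Region": "us-west-1"},
    "db-1": {"IP": "10.0.0.5", "Zone": "us-east-2a", "Region": "us-east-2"},
    "db-2": {"IP": "10.0.0.6", "Zone": "eu-west-1a", "Region": "eu-west-1",
             "custom:Location": "Dublin"},
}


def classify(endpoints=ENDPOINTS, selectors=CLOUD_EPG_SELECTORS):
    """Map endpoint name -> whether it lands in the Cloud EPG."""
    return {name: epg_matches(selectors, attrs) for name, attrs in endpoints.items()}


if __name__ == "__main__":
    for name, member in classify().items():
        print(f"{name}: {'in EPG' if member else 'not in EPG'}")
```

web-1 is selected by endpoint selector 1 (zone and subnet both match), db-1 by endpoint selector 2 (region), while web-2 fails selector 1 on the zone alone even though its IP is in the subnet, which is the AND rule at work; the custom key on db-2 is there to show the has key operator, which ignores the Value field.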


Creating a Contract Using the Cisco Cloud APIC GUI

This section explains how to create a contract using the Cisco Cloud APIC GUI.

Before you begin

Create filters.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Contract. The Create Contract dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Contract Dialog Box Fields table then continue.

Table 5. Create Contract Dialog Box Fields

Properties

Description

Name

Enter the name of the contract.

Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Contract dialog box.

Description

Enter a description of the contract.

Settings

Scope

The scope limits the contract to any endpoint groups within the same application profile, within the same VRF instance, throughout the fabric (globally), or within the same tenant.

Note 

Shared services enables communication between EPGs in different tenants and between EPGs in different VRFs.

To enable EPGs in one tenant to communicate with EPGs in another tenant, choose Global scope.

To enable an EPG in one VRF to communicate with another EPG in a different VRF, choose Global or Tenant scope.

For more information about shared services, see Shared Services.

Click the drop-down arrow to choose from the following scope options:

  • Application Profile

  • VRF

  • Global

  • Tenant

Apply Filter in Both Directions

Put a check in the box to apply the same filters to traffic from consumer-to-provider and provider-to-consumer. Do not put a check in the box if you want to apply different filters for each direction of traffic.

The check box is enabled by default.

Add Filter

To choose a filter:

  1. Click Add Filter. The filter row appears with a Select Filter option.

  2. Click Select Filter. The Select Filter dialog box appears.

  3. From the Select Filter dialog, click to choose a filter in the left column then click Select. You return to the Create Contract dialog box.

Step 5

Click Save when finished.
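The Scope options above decide which pairs of EPGs a contract can relate, and the Apply Filter in Both Directions check box decides how the filters expand into per-direction rules. The following added example, written for this page and not Cisco code, encodes both rules over constructed EPG and contract records: the EPG fields tenant, application profile and VRF mirror the Create EPG dialog, the filter names are arbitrary, and treating VRF and Application Profile scope as also requiring the same tenant is this example's assumption.

```python
"""Model of contract scope and filter direction for the Create Contract dialog.

Added example, not Cisco code. EPGs and contracts are constructed records; the
scope rule follows the description above and the filter names are arbitrary.
"""
from dataclasses import dataclass, field

SCOPES = ("Application Profile", "VRF", "Global", "Tenant")


@dataclass(frozen=True)
class Epg:
    name: str
    tenant: str
    app_profile: str
    vrf: str


@dataclass
class Contract:
    name: str
    scope: str
    apply_both_directions: bool = True
    # Filters entered under Add Filter. With "Apply Filter in Both Directions" checked,
    # consumer_to_provider applies to both directions and provider_to_consumer is
    # ignored (assumption about the dialog's behaviour).
    consumer_to_provider: list = field(default_factory=list)
    provider_to_consumer: list = field(default_factory=list)


def scope_permits(scope, consumer, provider):
    """Can these two EPGs be related by a contract of this scope?"""
    if scope == "Global":
        return True
    if scope == "Tenant":
        return consumer.tenant == provider.tenant
    if scope == "VRF":  # assumption: a VRF is tenant-scoped, so same tenant is implied
        return consumer.tenant == provider.tenant and consumer.vrf == provider.vrf
    if scope == "Application Profile":
        return (consumer.tenant == provider.tenant
                and consumer.app_profile == provider.app_profile)
    raise ValueError(f"unknown scope {scope!r}; expected one of {SCOPES}")


def effective_rules(contract, consumer, provider):
    """Expand a contract into (source EPG, destination EPG, filter) rules.

    Returns [] when the scope does not permit the pair, which is the practical
    symptom of choosing too narrow a scope for shared services.
    """
    if not scope_permits(contract.scope, consumer, provider):
        return []
    c2p = contract.consumer_to_provider
    p2c = c2p if contract.apply_both_directions else contract.provider_to_consumer
    return ([(consumer.name, provider.name, f) for f in c2p]
            + [(provider.name, consumer.name, f) for f in p2c])


# Constructed EPGs across two tenants, two VRFs and two application profiles.
WEB = Epg("web", tenant="shop", app_profile="storefront", vrf="vrf-prod")
APP = Epg("app", tenant="shop", app_profile="storefront", vrf="vrf-prod")
DB = Epg("db", tenant="shop", app_profile="data", vrf="vrf-data")
PARTNER = Epg("partner", tenant="partnerco", app_profile="feeds", vrf="vrf-partner")

WEB_TO_APP = Contract("web-to-app", "Application Profile", consumer_to_provider=["http"])
APP_TO_DB = Contract("app-to-db", "VRF", apply_both_directions=False,
                     consumer_to_provider=["sql"], provider_to_consumer=["sql-reply"])
APP_TO_DB_TENANT = Contract("app-to-db", "Tenant", apply_both_directions=False,
                            consumer_to_provider=["sql"], provider_to_consumer=["sql-reply"])
PARTNER_FEED = Contract("partner-feed", "Tenant", consumer_to_provider=["https"])
PARTNER_FEED_GLOBAL = Contract("partner-feed", "Global", consumer_to_provider=["https"])

if __name__ == "__main__":
    for contract, consumer, provider in [
        (WEB_TO_APP, WEB, APP), (APP_TO_DB, APP, DB), (APP_TO_DB_TENANT, APP, DB),
        (PARTNER_FEED, PARTNER, WEB), (PARTNER_FEED_GLOBAL, PARTNER, WEB),
    ]:
        print(contract.name, contract.scope, effective_rules(contract, consumer, provider))
```

The app-to-db pair spans two VRFs, so the VRF-scoped contract yields no rules and the Tenant-scoped one does, matching the note above that cross-VRF communication needs Tenant or Global scope; likewise the partner feed across tenants only produces rules at Global scope.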


Specifying Consumer and Provider EPGs Using the Cisco Cloud APIC

This section explains how to specify an EPG as a consumer or a provider.

Before you begin

  • You have configured a contract.

  • You have configured an EPG.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Configuration.

A list of Configuration options appears in the Intent menu.

Step 3

From the Configuration list in the Intent menu, click EPG Communication. The EPG Communication dialog box appears with the Consumer EPGs, Contract, and Provider EPGs information.

Step 4

To choose a contract:

  1. Click Select Contract. The Select Contract dialog appears.

  2. In the pane on the left side of the Select Contract dialog, click to choose a contract then click Select. The Select Contract dialog box closes.

Step 5

To add a consumer EPG:

  1. Click Add Consumer EPGs. The Select Consumer EPGs dialog appears.

  2. In the pane on the left side of the Select Consumer EPGs dialog, click to place a check in a check box to choose an EPG.

Step 6

To add a provider EPG:

  1. Click Add Provider EPGs. The Select Provider EPGs dialog appears.

  2. In the pane on the left side of the Select Provider EPGs dialog, click to place a check in a check box to choose a provider EPG.

  3. When finished, click Select. The Select Provider EPGs dialog box closes.


Creating a Filter Using the Cisco Cloud APIC GUI

This section explains how to create a filter using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Filter. The Create Filter dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Filter Dialog Box Fields table then continue.

Table 6. Create Filter Dialog Box Fields

Properties

Description

Name

Enter a name for the filter in the Name field.

Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Filter dialog box.

Description

Enter a description of the filter.

Add Filter

To add a filter:

  1. Click Add Filter Entry. The Create Filter Entry dialog box appears.

  2. Enter a name for the filter entry in the Name field.

  3. From the Select Filter dialog, click to choose a filter in the left column then click Select. You return to the Create Contract dialog box.

  4. Click the Ethernet Type drop-down list to choose an ethernet type. The options are:

    • IP

    • Unspecified

      Note 

      When Unspecified is chosen, the remaining fields are disabled.

  5. Click the IP Protocol drop-down menu to choose a protocol. The options are:

    • icmp

    • tcp

    • udp

    • Unspecified

      Note 

      The remaining fields are enabled only when tcp or udp is chosen.

  6. Enter the appropriate port information in the Origin Port from and to fields.

  7. Enter the appropriate port information in the Destination Port from and to fields.

  8. When finished entering filter entry information, click Add. You return to the Create Filter dialog box where you can repeat the steps to add another filter entry.
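The enabling rules in the Create Filter Entry dialog (Unspecified disables the remaining fields, port ranges are only meaningful for tcp or udp) are easy to get wrong when filters are built outside the GUI, and the effect of an entry is easier to see when it is matched against sample traffic. The following is an added example, not code from Cisco or from the Cloud APIC product: a small Python validator for a filter entry plus a matcher that tests constructed flows against it. The `FilterEntry` and `Flow` classes and their field names are assumptions made for the example; the field values mirror the dialog options.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values as they appear in the Create Filter Entry dialog, lower-cased for comparison.
ETHER_TYPES = {"ip", "unspecified"}
IP_PROTOCOLS = {"icmp", "tcp", "udp", "unspecified"}

PortRange = Tuple[int, int]  # (from, to) as entered in the "from" and "to" fields


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: Name, Ethernet Type, IP Protocol and the two port ranges (assumed shape)."""
    name: str
    ether_type: str = "unspecified"
    ip_protocol: str = "unspecified"
    origin_port: Optional[PortRange] = None
    destination_port: Optional[PortRange] = None


def validate_entry(entry: FilterEntry) -> List[str]:
    """Return the rule violations for an entry; an empty list means it is consistent with the
    dialog's enabling rules: Unspecified disables the remaining fields, ports need tcp or udp,
    and a port range must satisfy 1 <= from <= to <= 65535."""
    errors: List[str] = []
    if entry.ether_type not in ETHER_TYPES:
        errors.append(f"{entry.name}: unknown Ethernet Type {entry.ether_type!r}")
    if entry.ip_protocol not in IP_PROTOCOLS:
        errors.append(f"{entry.name}: unknown IP Protocol {entry.ip_protocol!r}")
    if errors:
        return errors

    has_ports = entry.origin_port is not None or entry.destination_port is not None
    if entry.ether_type == "unspecified":
        # Ethernet Type = Unspecified: the remaining fields are disabled in the dialog.
        if entry.ip_protocol != "unspecified" or has_ports:
            errors.append(f"{entry.name}: Ethernet Type Unspecified leaves no protocol or port fields to fill")
        return errors

    if entry.ip_protocol not in ("tcp", "udp"):
        # The port fields are enabled only when tcp or udp is chosen.
        if has_ports:
            errors.append(f"{entry.name}: port ranges require IP Protocol tcp or udp")
        return errors

    for label, rng in (("Origin Port", entry.origin_port),
                       ("Destination Port", entry.destination_port)):
        if rng is None:
            continue
        lo, hi = rng
        if not (1 <= lo <= hi <= 65535):
            errors.append(f"{entry.name}: {label} range {lo}-{hi} must satisfy 1 <= from <= to <= 65535")
    return errors


@dataclass(frozen=True)
class Flow:
    """Constructed description of one packet: protocol plus source and destination ports."""
    ip_protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def entry_matches(entry: FilterEntry, flow: Flow) -> bool:
    """True when the flow falls inside the entry. Every field left Unspecified, and every
    port range left empty, matches anything; that is what makes a loose entry wide open."""
    if entry.ether_type == "unspecified":
        return True
    if entry.ip_protocol != "unspecified" and entry.ip_protocol != flow.ip_protocol:
        return False
    for rng, port in ((entry.origin_port, flow.src_port),
                      (entry.destination_port, flow.dst_port)):
        if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
            return False
    return True


if __name__ == "__main__":
    https_only = FilterEntry("https", "ip", "tcp", destination_port=(443, 443))
    print(validate_entry(https_only))                          # []
    print(entry_matches(https_only, Flow("tcp", 51000, 443)))  # True
    print(entry_matches(https_only, Flow("tcp", 51000, 80)))   # False
```

Running `validate_entry` over a whole filter before saving it catches entries that the GUI would have greyed out, and `entry_matches` is a quick way to confirm that an entry intended for one service does not also admit traffic you did not mean to allow.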

Step 5

When finished, click Save.


Creating a Cloud Context Profile Using the Cisco Cloud APIC GUI

This section explains how to create a cloud context profile using the Cisco Cloud APIC GUI.

Before you begin

Create a VRF.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appears in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Cloud Context Profile. The Create Cloud Context Profile dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Cloud Context Profile Dialog Box Fields table then continue.

Table 7. Create Cloud Context Profile Dialog Box Fields

Properties

Description

Name

Enter the name of the cloud context profile.

Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

Description

Enter a description of the cloud context profile.

Settings

Select Region

To choose a region:

  1. Click Select Region. The Select Region dialog box appears.

  2. From the Select Region dialog, click to choose a region in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

Select VRF

To choose a VRF:

  1. Click Select VRF. The Select VRF dialog box appears.

  2. From the Select VRF dialog box, click to choose a VRF in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

VPN Gateway Router

Click to check (enabled) or uncheck (disabled) the VPN Gateway Router check box.

Add CIDR

Note 

The following subnets are reserved and should not be used in this Add CIDR field:

  • 169.254.0.0/16 (reserved for VPN tunnel to the transit gateway)

  • 192.168.100.0/24 (reserved by the CCR for the bridge domain interface)

To add a CIDR:

  1. Click Add CIDR. The Add CIDR dialog box appears.

  2. Enter the address in the Address field.

  3. Click Add Subnet and enter the subnet address in the Address field.

  4. To add availability zones:

    1. Click Select Availability Zone. The Select Availability Zone dialog box appears.

    2. From the Select Availability Zone dialog box, click to choose an availability zone in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

  5. Click to check (enabled) or uncheck (disabled) the Primary check box.

  6. When finished, click Add.
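The note above lists two reserved subnets, but the real hazard is overlap, not equality: a CIDR such as 192.168.0.0/16 contains 192.168.100.0/24 and is just as much a conflict. The following is an added example, not code from Cisco or from the Cloud APIC product: a Python pre-flight check that parses a proposed CIDR and its subnets with the standard `ipaddress` module, rejects overlap with the reserved ranges, and also confirms that each subnet lies inside the CIDR and that subnets do not overlap one another. The function name `check_cidr` and the sample addresses in the usage are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges the Add CIDR note reserves; a proposed CIDR must not overlap either of them.
RESERVED_SUBNETS = (
    ipaddress.ip_network("169.254.0.0/16"),    # VPN tunnel to the transit gateway
    ipaddress.ip_network("192.168.100.0/24"),  # CCR bridge domain interface
)


def _parse(text: str, label: str, problems: List[str]):
    """Parse a prefix strictly (host bits must be zero) and record failures instead of raising."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {text!r} is invalid: {exc}")
        return None


def check_cidr(cidr: str, subnets: Iterable[str] = ()) -> List[str]:
    """Pre-flight check for one Add CIDR entry and the subnets carved out of it.
    Returns a list of problems; an empty list means the entry is safe to save."""
    problems: List[str] = []
    net = _parse(cidr, "CIDR", problems)
    if net is None:
        return problems

    for reserved in RESERVED_SUBNETS:
        # Overlap, not equality: 169.0.0.0/8 or 192.168.0.0/16 would swallow a reserved range.
        if net.overlaps(reserved):
            problems.append(f"CIDR {net} overlaps reserved {reserved}")

    seen: List[Network] = []
    for text in subnets:
        sub = _parse(text, "subnet", problems)
        if sub is None:
            continue
        # subnet_of() raises on mixed IPv4/IPv6 input, so compare versions first.
        if sub.version != net.version or not sub.subnet_of(net):
            problems.append(f"subnet {sub} is not inside CIDR {net}")
        for other in seen:
            if sub.version == other.version and sub.overlaps(other):
                problems.append(f"subnet {sub} overlaps subnet {other}")
        seen.append(sub)
    return problems


if __name__ == "__main__":
    # Constructed sample: a clean entry, then one that collides with a reserved range.
    print(check_cidr("10.10.0.0/16", ["10.10.1.0/24", "10.10.2.0/24"]))  # []
    for problem in check_cidr("192.168.0.0/16", ["192.168.1.0/24"]):
        print(problem)
```

Strict parsing is deliberate: an address with host bits set (for example 10.10.1.5/24) is reported as a problem rather than silently rounded to its network, so a typo in the Address field is caught before it is pushed to the cloud account.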

Step 5

Click Save when finished.


Configuring Instances in AWS

When you configure endpoint selectors for Cisco Cloud APIC, you also need to configure the corresponding instances in AWS: the instances that the endpoint selectors you configure in Cisco Cloud APIC will match.

This topic provides the instructions for configuring the instances in AWS. You can use these procedures to configure the instances in AWS either before you configure the endpoint selectors for Cisco Cloud APIC or afterward. For example, you might go to your account in AWS and create a custom tag or label in AWS first, then create an endpoint selector using a custom tag or label in Cisco Cloud APIC afterward. Or you might create an endpoint selector using a custom tag or label in Cisco Cloud APIC first, then go to your account in AWS and create a custom tag or label in AWS afterward.

Procedure


Step 1

Review your cloud context profile configuration settings and determine which settings you will use with your AWS instance.

You must configure a cloud context profile as part of the AWS instance configuration process. When you configure a cloud context profile, the configurations, such as the VRF and region settings, are pushed out to AWS afterward.

  1. From the Navigation menu, choose the Application Management tab.

    When the Application Management tab expands, a list of subtab options appear.

  2. Choose the Cloud Context Profiles subtab option.

    A list of the cloud context profiles that you have created for your Cisco Cloud APIC are displayed.

  3. Select the cloud context profile that you will use as part of this AWS instance configuration process.

    Various configuration parameters are displayed for this cloud context profile, such as the region, VRF, IP address and subnets. Use the information displayed in this window when you configure the AWS instance.

Step 2

Log in to the Amazon Web Services account for the Cisco Cloud APIC user tenant, if you are not logged in already.

Step 3

Go to Services > EC2 > Instances > Launch Instance.

Step 4

In the Choose an Amazon Machine Image (AMI) page, select an Amazon Machine Image (AMI).

Step 5

In the Choose an Instance Type page, select an instance type, then click Configure Instance Details.

Step 6

In the Configure Instance Details page, enter the necessary information in the appropriate fields.

  • In the Network field, select your Cisco Cloud APIC VRF.

    This would be the VRF that is associated with the cloud context profile that you are using as part of this AWS instance configuration process.

  • In the Subnet field, select the subnet.

  • In the Auto-assign Public IP field, if you want to have a public IP, select Enable from the drop-down menu.

Step 7

When you have finished entering the necessary information into the Configure Instance Details page, click Add Storage.

Step 8

In the Add Storage page, accept the default values or configure the storage in this page, if necessary, and click Add Tags.

Step 9

In the Add Tags page, click Add Tag and enter the necessary information in the appropriate fields in this page.

Note 

If you will be using IP Address, Region or Zone for the type of endpoint selector later in these procedures, you do not have to enter any information in this page. In those situations, when you start the instance in AWS, the IP address, region or zone will be discovered by the Cisco Cloud APIC and the endpoint will be assigned to the EPG.

  • Key: Enter the key that you will use when you create a custom tag for the type of endpoint selector that you are adding later in these procedures.

  • Value: Enter the value that you will be using for this key.

  • Instances: Check the box for this field.

  • Volumes: Check the box for this field.

For example, if you are planning on creating a custom tag for a specific building for your endpoint selector later in these procedures (such as building6), you might enter the following values in these fields on this page:

  • Key: Location

  • Value: building6
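The tag entered in AWS and the endpoint selector configured in Cisco Cloud APIC only line up if key and value agree exactly. The following is an added example, not code from Cisco or from the Cloud APIC product, that shows how a custom-tag selector such as Location = building6, and the IP Address, Region and Zone selector types mentioned in the note above, pick instances out of a constructed inventory. The `Instance` and `Condition` classes, the rule that conditions inside one selector are ANDed while an EPG's selectors are ORed, and the sample instance data are all assumptions made for the example, not the Cloud APIC's own selector syntax.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class Instance:
    """Constructed view of an AWS instance as Cisco Cloud APIC would discover it."""
    instance_id: str
    private_ip: str
    region: str
    zone: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Condition:
    """One match condition. kind is 'ip' (a CIDR), 'region', 'zone' or 'tag'; key is the tag
    key and is used only for kind == 'tag'. Assumed shape for the example."""
    kind: str
    value: str
    key: Optional[str] = None


def condition_matches(cond: Condition, inst: Instance) -> bool:
    if cond.kind == "ip":
        return ipaddress.ip_address(inst.private_ip) in ipaddress.ip_network(cond.value, strict=False)
    if cond.kind == "region":
        return inst.region == cond.value
    if cond.kind == "zone":
        return inst.zone == cond.value
    if cond.kind == "tag":
        # AWS tag keys and values are case-sensitive: Location=building6 is not Location=Building6.
        return cond.key is not None and inst.tags.get(cond.key) == cond.value
    raise ValueError(f"unknown condition kind {cond.kind!r}")


def selector_matches(selector: Sequence[Condition], inst: Instance) -> bool:
    """A selector is a list of conditions that must all hold (AND); assumed semantics."""
    return all(condition_matches(c, inst) for c in selector)


def select_endpoints(selectors: Sequence[Sequence[Condition]],
                     instances: Sequence[Instance]) -> List[str]:
    """Instance IDs an EPG would own: any instance matching at least one of its selectors (OR)."""
    return [inst.instance_id for inst in instances
            if any(selector_matches(sel, inst) for sel in selectors)]


# Constructed sample inventory: two tagged instances and one with no tags at all.
SAMPLE_INSTANCES = [
    Instance("i-0a", "10.10.1.10", "us-east-1", "us-east-1a", {"Location": "building6"}),
    Instance("i-0b", "10.10.1.11", "us-east-1", "us-east-1b", {"Location": "building7"}),
    Instance("i-0c", "10.10.2.20", "us-east-1", "us-east-1a"),
]


if __name__ == "__main__":
    building6 = [[Condition("tag", "building6", key="Location")]]
    print(select_endpoints(building6, SAMPLE_INSTANCES))  # ['i-0a']
    print(select_endpoints([[Condition("ip", "10.10.2.0/24")]], SAMPLE_INSTANCES))  # ['i-0c']
```

Two points worth checking in your own account fall out of this: an instance with no tag (i-0c above) is never captured by a tag selector and needs an IP, region or zone selector instead, and a selector combining a zone with a tag narrows rather than widens the match.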

Step 10

Click Review and Launch.

The Select an existing key pair or create a new key pair page appears. Use the information in this page if you want to ssh to the instance later on.


Creating a Backup Configuration Using the Cisco Cloud APIC GUI

This section explains how to create a backup configuration.

Before you begin

Create a remote location and a scheduler, if needed.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appears in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Backup Configuration. The Create Backup Configuration dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Backup Configuration Dialog Box Fields table then continue.

Table 8. Create Backup Configuration Dialog Box Fields

Properties

Description

General

Name

Enter the name of the backup configuration.

Description

Enter a description of the backup configuration.

Settings

Backup Destination

Choose a backup destination.

  • Local

  • Remote

Backup Object

Choose the root hierarchical content to consider for the backup.

  • Policy Universe

  • Selector Object—When chosen, this option adds the Object Type drop-down list and Object DN field.

    1. From the Object Type drop-down list, choose from the following options:

      • Tenant—When chosen the Select Tenant option appears.

      • Application Profile—When chosen the Select Application Profile option appears.

      • EPG—When chosen the Select EPG option appears.

      • Contract—When chosen the Select Contract option appears.

      • Filter—When chosen the Select Filter option appears.

      • VRF—When chosen the Select VRF option appears.

      • Device—When chosen the Select fvcloudLBCtx option appears.

      • Service Graph—When chosen the Select Service Graph option appears.

      • Cloud Context Profile—When chosen the Select Cloud Context Profile option appears.

    2. Click the Select <object_name>. The Select <object_name> dialog appears.

    3. From the Select <object_name> dialog, click to choose from the options in the left column then click Select. You return to the Create Backup Configuration dialog box.

      Note 

      The Object DN field is automatically populated with the DN of the object that is used as the root of the object tree to back up.

  • Enter DN—When chosen, this option displays the Object DN field.

    1. In the Object DN field, enter the DN of the specific object to use as the root of the object tree to back up.

Scheduler

  1. Click Select Scheduler to open the Select Scheduler dialog and choose a scheduler from the left-side column.

  2. Click the Select button at the bottom-right corner when finished.

Trigger Backup After Creation

Choose one of the following:

  • Yes—(Default) Trigger a backup after creating the backup configuration.

  • No—Do not trigger a backup after creating the backup configuration.

Step 5

Click Save when finished.


Creating a Tech Support Policy Using the Cisco Cloud APIC GUI

This section explains how to create a tech support policy.

Before you begin

When creating a tech support policy for a remote location, you must first create the remote location.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appears in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Tech Support. The Create Tech Support dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tech Support Dialog Box Fields table then continue.

Table 9. Create Tech Support Dialog Box Fields

Properties

Description

General

Name

Enter the name of the tech support policy.

Description

Enter a description of the tech support.

Settings

Export Destination

Choose an export destination.

  • Controller

  • Remote Location—When chosen the Select Remote Location option appears.

    1. Click Select Remote Location. The Select Remote Location dialog box appears.

    2. From the Select Remote Location dialog, click to choose a remote location in the left column then click Select. You return to the Create Tech Support dialog box.

Include Pre-Upgrade Logs

Click to place a check in the Enabled check box if you want to include pre-upgrade logs in the tech support policy.

Trigger After Creation

Click to place a check in the Enabled (the default) check box if you want the tech support collection to be triggered as soon as the policy is created. To disable, click the check box to uncheck.

Step 5

Click Save when finished.


Creating a Trigger Scheduler Using the Cisco Cloud APIC GUI

This section explains how to create a trigger scheduler.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appears in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Scheduler. The Create Trigger Scheduler dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Trigger Scheduler Dialog Box Fields table then continue.

Table 10. Create Trigger Scheduler Dialog Box Fields

Properties

Description

General

Name

Enter the name of the trigger scheduler policy.

Description

Enter a description of the trigger scheduler.

Settings

Recurring Windows

Click Add Recurring Window. The Add Recurring Window dialog appears.

  1. From the Schedule drop-down list, choose from the following.

    • every-day

    • Monday

    • Tuesday

    • Wednesday

    • Thursday

    • Friday

    • Saturday

    • Sunday

    • odd-day

    • even-day

  2. From the Start Time field, enter a time.

  3. From the Maximum Concurrent Tasks field, enter a number or leave the field empty to specify unlimited.

  4. From the Maximum Running Time, click to choose Unlimited or Custom.

  5. Click Add when finished.

Add One Time Window

Click Add One Time Window. The Add One Time Window dialog appears.

  1. From the Start Time field, enter a date and time.

  2. From the Maximum Concurrent Tasks field, enter a number or leave the field blank to specify unlimited.

  3. From the Maximum Running Time, click to choose Unlimited or Custom.

  4. Click Add when finished.

Step 5

Click Save when finished.


Creating a Remote Location Using the Cisco Cloud APIC GUI

This section explains how to create a remote location using the Cisco Cloud APIC.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appears in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Remote Location. The Create Remote Location dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Remote Location Dialog Box Fields table then continue.

Table 11. Create Remote Location Dialog Box Fields

Properties

Description

General

Name

Enter the name of the remote location policy.

Description

Enter a description of the remote location policy.

Settings

Hostname/IP Address

Enter the hostname or IP address of the remote location.

Protocol

Choose a protocol:

  • FTP

  • SFTP

  • SCP

Path

Enter the path for the remote location.

Port

Enter the port for the remote location.

Username

Enter a username for the remote location.

Authentication Type

When using SFTP or SCP, choose the authentication type:

  • Password

  • SSH Key

SSH Key Content

Enter the SSH key content.

SSH Key Passphrase

Enter the SSH key passphrase.

Password

Enter a password for accessing the remote location.

Confirm Password

Reenter the password for accessing the remote location.

Management EPG

  1. Click Select Management EPG. The Select Management EPG dialog appears.

  2. From the column on the left, click to choose a management EPG.

  3. Click Select.

Step 5

Click Save when finished.


Creating a Login Domain Using the Cisco Cloud APIC GUI

This section explains how to create a login domain using the Cisco Cloud APIC GUI.

Before you begin

Create a provider before creating a non-local domain.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Login Domain. The Create Login Domain dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Login Domain Dialog Box Fields table then continue.

Table 12. Create Login Domain Dialog Box Fields

Properties

Description

Name

Enter the name of the login domain.

Description

Enter a description of the login domain.

Realm

Choose a realm:

  • Local

  • LDAP—Requires adding providers and choosing an authentication type.

  • RADIUS—Requires adding providers.

  • TACACS+—Requires adding providers.

  • SAML—Requires adding providers.

Providers

To add a provider:

  1. Click Add Providers. The Select Providers dialog appears with a list of providers in the left pane.

  2. Click to choose a provider.

  3. Click Select to add the provider.

Advanced Settings

Displays the Authentication Type and LDAP Group Map Rules fields.

Authentication Type

When LDAP is chosen for realm option, choose one of the following authentication types:

  • Cisco AV Pairs—(Default)

  • LDAP Group Map Rules—Requires adding LDAP group map rules.

LDAP Group Map Rules

To add an LDAP group map rule:

  1. Click Add LDAP Group Map Rule. The Add LDAP Group Map Rule dialog appears with a list of providers in the left pane.

  2. Enter a name for the rule in the Name field.

  3. Enter a description for the rule in the Description field.

  4. Enter a group DN for the rule in the Group DN field.

  5. Add security domains:

    1. Click Add Security Domain. The Add Security Domain dialog box appears.

    2. Click Select Security Domain. The Select Security Domain dialog box appears with a list of security domains in the left pane.

    3. Click to choose a security domain.

    4. Click Select to add the security domain. You return to the Add Security Domain dialog box.

    5. Add a user role:

      1. From the Add Security Domain dialog box, click Select Role. The Select Role dialog box appears with a list of roles in the left pane.

      2. Click to choose a role.

      3. Click Select to add the role. You return to the Add Security Domain dialog box.

      4. From the Add Security Domain dialog box, click the Privilege Type drop-down list and choose Read Privilege or Write Privilege.

      5. Click the check mark on the right side of the Privilege Type drop-down list to confirm.

      6. Click Add when finished. You return to the Add LDAP Group Map Rule dialog box where you can add another security domain.
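An LDAP group map rule ties a Group DN to one or more security domain, role and privilege triples, and a user who belongs to several mapped groups receives the union of those grants. The following is an added example, not code from Cisco or from the Cloud APIC product, that evaluates a constructed set of rules against a user's group memberships and collapses the result to one effective privilege per domain and role, with Write Privilege taking precedence over Read Privilege. The `GroupMapRule` and `DomainRole` classes, the DN normalization (case-insensitive, whitespace-insensitive, escaped commas respected), and the sample group, domain and role names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

PRIVILEGE_RANK = {"read": 1, "write": 2}  # Privilege Type: Read Privilege / Write Privilege


@dataclass(frozen=True)
class DomainRole:
    """One security domain / role / privilege triple added under a group map rule."""
    security_domain: str
    role: str
    privilege: str  # "read" or "write"


@dataclass(frozen=True)
class GroupMapRule:
    """Name, Group DN and the security-domain grants entered in the Add LDAP Group Map Rule dialog."""
    name: str
    group_dn: str
    grants: Tuple[DomainRole, ...]


_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Comparison form for a DN: split on unescaped commas, trim each RDN, lower-case.
    Simplification: real LDAP matching rules are per attribute type; this is adequate
    for the CN/OU/DC style DNs a directory usually returns in memberOf."""
    return ",".join(part.strip().lower() for part in _UNESCAPED_COMMA.split(dn))


def evaluate_rules(member_of: Iterable[str], rules: Iterable[GroupMapRule]) -> Set[DomainRole]:
    """Grants a user receives: the union over every rule whose Group DN is one of the user's groups."""
    groups = {normalize_dn(g) for g in member_of}
    granted: Set[DomainRole] = set()
    for rule in rules:
        if normalize_dn(rule.group_dn) in groups:
            granted.update(rule.grants)
    return granted


def effective_privileges(granted: Iterable[DomainRole]) -> Dict[Tuple[str, str], str]:
    """Collapse grants to one privilege per (domain, role); write wins when both are granted."""
    best: Dict[Tuple[str, str], str] = {}
    for g in granted:
        key = (g.security_domain, g.role)
        if PRIVILEGE_RANK[g.privilege] > PRIVILEGE_RANK.get(best.get(key, ""), 0):
            best[key] = g.privilege
    return best


# Constructed sample rules; group DNs, security domains and role names are illustrative.
SAMPLE_RULES = (
    GroupMapRule("netops-prod", "cn=netops,ou=groups,dc=example,dc=com",
                 (DomainRole("prod", "tenant-admin", "write"),)),
    GroupMapRule("auditors-all", "cn=auditors,ou=groups,dc=example,dc=com",
                 (DomainRole("prod", "tenant-admin", "read"),
                  DomainRole("dev", "read-all", "read"))),
)


if __name__ == "__main__":
    # Directory returned the DN with different case and spacing; it still matches.
    user_groups = ["CN=NetOps, OU=Groups, DC=example, DC=com"]
    print(effective_privileges(evaluate_rules(user_groups, SAMPLE_RULES)))
```

Running your real rule set through something like this before enabling the LDAP Group Map Rules authentication type shows, per user, which domains and roles end up writable, which is the least-privilege question that matters: a user in an auditors group that also happens to be in an operations group gets write access to the shared domain, not the read access the auditors rule alone would suggest.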

Step 5

Click Save when finished.


Creating a Provider Using the Cisco Cloud APIC GUI

This section explains how to create a provider using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Provider. The Create Provider dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Provider Dialog Box Fields table then continue.

Table 13. Create Provider Dialog Box Fields

Properties

Description

Hostname/IP Address

Enter the hostname or IP address of the provider.

Description

Enter a description of the provider.

Type

Click the Type drop-down list and choose one of the following types:

  • LDAP

  • RADIUS

  • TACACS+

  • SAML

Note 

A set of fields will appear based on the type that you choose.

[LDAP] Settings

Bind DN

Enter the LDAP bind DN.

Base DN

Enter the LDAP base DN.

Password

Enter a password for the LDAP settings.

Confirm Password

Reenter the password for the LDAP settings.

Port

Enter the port number for the provider type.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 30.

Retries

Enter the number of allowed retries. The default is 1.

SSL

To enable SSL, click to place a check in the SSL check box. To disable SSL, click to remove the check from the SSL check box. The default is enabled.

SSL Certificate Validation Level

Choose one of the following:

  • Permissive

  • Strict

Attribute

Enter an LDAP attribute in the Attribute text box.

Filter Type

Choose a filter type:

  • Default

  • Microsoft AD

  • Custom

Filter

Enter an LDAP filter in the text box. This option only appears when the Custom filter type is chosen.

Select Management EPG

To add a management EPG:

  1. Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.

  2. Click to choose an EPG.

  3. Click Select to add the management EPG to the LDAP.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[RADIUS] Settings

Key

Enter the RADIUS key.

Confirm Key

Reenter the RADIUS key.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Port

Enter the port number for the RADIUS settings. The default is 1812.

Authentication Protocol

Choose from the following:

  • PAP—(Default)

  • CHAP

  • MS-CHAP

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Select Management EPG

To add a management EPG:

  1. Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.

  2. Click to choose an EPG.

  3. Click Select to add the management EPG to the RADIUS.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[TACACS+] Settings

Key

Enter the TACACS+ key.

Confirm Key

Reenter the TACACS+ key.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Port

Enter the port number for the TACACS+ settings. The default is 1812.

Authentication Protocol

Choose from the following:

  • CHAP

  • MS-CHAP

  • PAP—(Default)

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Select Management EPG

To add a management EPG:

  1. Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.

  2. Click to choose an EPG.

  3. Click Select to add the management EPG to the TACACS+.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[SAML] Settings

Identity Provider

Choose from the following identity providers:

  • ADFS—(default)

  • OKTA

  • PING IDENTITY

Identity Provider Metadata URL

Enter the metadata URL provided by the identity provider.

Entity ID

Enter a unique ID as the SAML entity identifier.

HTTPS Proxy for Metadata URL

Enter the HTTPS proxy used to reach the identity provider's metadata URL.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

GUI Redirect Banner Message (URL)

Enter the GUI redirect banner message.

Certificate Authority

To choose a certificate authority:

  1. Click Select Certificate Authority. The Select Certificate Authority dialog appears with a list of certificates in the left pane.

  2. Click to choose a certificate.

  3. Click Select to add the certificate. You return to the Create Provider dialog box.

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Signature Algorithm Authentication User Requests*

Click the Signature Algorithm for Requests drop-down list and choose one of the following:

  • RSA SHA1

  • RSA SHA224

  • RSA SHA256—(Default)

  • RSA SHA384

  • RSA SHA512

Sign SAML Authentication Requests

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Sign SAML Response Message

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Sign Assertions in SAML Response

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Encrypt SAML Assertions

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Step 5

Click Save when finished.


Creating a Security Domain Using the Cisco Cloud APIC GUI

A security domain restricts the tenant to the security domains that you add. If you do not add a security domain, all security domains will have access to this tenant. This section explains how to create a security domain using the GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Security Domain. The Create Security Domain dialog box appears.

Step 4

In the Name field, enter the name of the security domain.

Step 5

In the Description field, enter a description of the security domain.

Step 6

Click Save when finished.


Creating a Role Using the Cisco Cloud APIC GUI

This section explains how to create a role using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Role. The Create Role dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Role Dialog Box Fields table then continue.

Table 14. Create Role Dialog Box Fields

Properties

Description

General

Name

Enter a name for the role in the Name field.

Description

Enter a description of the role.

Settings

Privilege

Click to place a check mark in the check boxes of the privileges you want to assign the user. The privileges are:

  • aaa—Used for configuring authentication, authorization, accounting and import/export policies.

  • access-connectivity-l1—Used for Layer 1 configuration under infra. Example: selectors and port Layer 1 policy configurations.

  • access-connectivity-l2—Used for Layer 2 configuration under infra. Example: Encap configurations on selectors, and attachable entity.

  • access-connectivity-l3—Used for Layer 3 configuration under infra and static route configurations under a tenant's L3Out.

  • access-connectivity-mgmt—Used for management infra policies.

  • access-connectivity-util—Used for tenant ERSPAN policies.

  • access-equipment—Used for access port configuration.

  • access-protocol-l1—Used for Layer 1 protocol configurations under infra.

  • access-protocol-l2—Used for Layer 2 protocol configurations under infra.

  • access-protocol-l3—Used for Layer 3 protocol configurations under infra.

  • access-protocol-mgmt—Used for fabric-wide policies for NTP, SNMP, DNS, and image management.

  • access-protocol-ops—Used for operations-related access policies such as cluster policy and firmware policies.

  • access-protocol-util—Used for tenant ERSPAN policies.

  • access-qos—Used for changing CoPP and QoS-related policies.

  • admin—Complete access to everything (combines all roles).

  • fabric-connectivity-l1—Used for Layer 1 configuration under the fabric. Example: selectors and port Layer 1 policy and vPC protection.

  • fabric-connectivity-l2—Used in firmware and deployment policies for raising warnings for estimating policy deployment impact.

  • fabric-connectivity-l3—Used for Layer 3 configuration under the fabric. Example: Fabric IPv4 and MAC protection groups.

  • fabric-connectivity-mgmt—Used for atomic counter and diagnostic policies on leaf switches and spine switches.

  • fabric-connectivity-util—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches.

  • fabric-equipment—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches.

  • fabric-protocol-l1—Used for Layer 1 protocol configurations under the fabric.

  • fabric-protocol-l2—Used for Layer 2 protocol configurations under the fabric.

  • fabric-protocol-l3—Used for Layer 3 protocol configurations under the fabric.

  • fabric-protocol-mgmt—Used for fabric-wide policies for NTP, SNMP, DNS, and image management.

  • fabric-protocol-ops—Used for ERSPAN and health score policies.

  • fabric-protocol-util—Used for firmware management traceroute and endpoint tracking policies.

  • none—No privilege.

  • nw-svc-device—Used for managing Layer 4 to Layer 7 service devices.

  • nw-svc-devshare—Used for managing shared Layer 4 to Layer 7 service devices.

  • nw-svc-params—Used for managing Layer 4 to Layer 7 service policies.

  • nw-svc-policy—Used for managing Layer 4 to Layer 7 network service orchestration.

  • ops—Used for operational policies including monitoring and troubleshooting policies such as atomic counter, SPAN, TSW, tech support, traceroute, analytics, and core policies.

  • tenant-connectivity-l1—Used for Layer 1 connectivity changes, including bridge domains and subnets.

  • tenant-connectivity-l2—Used for Layer 2 connectivity changes, including bridge domains and subnets.

  • tenant-connectivity-l3—Used for Layer 3 connectivity changes, including VRFs.

  • tenant-connectivity-mgmt—Used for tenant in-band and out-of-band management connectivity configurations and for debugging/monitoring policies such as atomic counters and health score.

  • tenant-connectivity-util—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches.

  • tenant-epg—Used for managing tenant configurations such as deleting/creating endpoint groups, VRFs, and bridge domains.

  • tenant-ext-connectivity-l2—Used for managing tenant L2Out configurations.

  • tenant-ext-connectivity-l3—Used for managing tenant L3Out configurations.

  • tenant-ext-connectivity-mgmt—Used as write access for firmware policies.

  • tenant-ext-connectivity-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk.

  • tenant-ext-protocol-l1—Used for managing tenant external Layer 1 protocols. Generally only used for write access for firmware policies.

  • tenant-ext-protocol-l2—Used for managing tenant external Layer 2 protocols. Generally only used for write access for firmware policies.

  • tenant-ext-protocol-l3—Used for managing tenant external Layer 3 protocols such as BGP, OSPF, PIM, and IGMP.

  • tenant-ext-protocol-mgmt—Used as write access for firmware policies.

  • tenant-ext-protocol-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk.

  • tenant-network-profile—Used for managing tenant configurations, such as deleting and creating network profiles, and deleting and creating endpoint groups.

  • tenant-protocol-l1—Used for managing configurations for Layer 1 protocols under a tenant.

  • tenant-protocol-l2—Used for managing configurations for Layer 2 protocols under a tenant.

  • tenant-protocol-l3—Used for managing configurations for Layer 3 protocols under a tenant.

  • tenant-protocol-mgmt—Only used as write access for firmware policies.

  • tenant-protocol-ops—Used for tenant traceroute policies.

  • tenant-protocol-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk.

  • tenant-qos—Only used as Write access for firmware policies.

  • tenant-security—Used for Contract related configurations for a tenant.

  • vmm-connectivity—Used to read all the objects in APIC's VMM inventory required for VM connectivity.

  • vmm-ep—Used to read VM and Hypervisor endpoints in the APIC's VMM inventory.

  • vmm-policy—Used for managing policies for VM networking.

  • vmm-protocol-ops—Not used by VMM policies.

  • vmm-security—Used for Contract related configurations for a tenant.

Step 5

Click Save when finished.


Creating an RBAC Rule Using the Cisco Cloud APIC GUI

This section explains how to create an RBAC rule using the GUI.

Before you begin

Create a security domain.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create RBAC Rule. The Create RBAC Rule dialog box appears.

Step 4

In the DN field, enter the DN for the rule.

Step 5

Choose a security domain:

  1. Click Select Security Domain. The Select Security Domain dialog box appears.

  2. From the Select Security Domain dialog box, click to choose a security domain from the column on the left then click Select. You return to the Create RBAC Rule dialog box.

Step 6

From the Allow Writes field, click Yes to allow writes or No to not allow writes.

Step 7

Click Save when finished.


Creating a Certificate Authority Using the Cisco Cloud APIC GUI

This section explains how to create a certificate authority using the GUI.

Before you begin

  • Have the certificate chain.

  • If the certificate authority is for a tenant, create the tenant.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Certificate Authority. The Create Certificate Authority dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Certificate Authority Dialog Box Fields table then continue.

Table 15. Create Certificate Authority Dialog Box Fields

Properties

Description

Name

Enter the name of the certificate authority.

Description

Enter a description of the certificate authority.

Used for

Choose from the following options:

  • Tenant—Choose if the certificate authority is for a specific tenant. When chosen, the Select Tenant option appears in the GUI.

  • System—Choose if the certificate authority is for the system.

Select Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Certificate Authority dialog box.

Certificate Chain

Enter the certificate chain in the Certificate Chain text box.

Note

Add the certificates for a chain in the following order:

  1. CA

  2. Sub-CA

  3. Subsub-CA

  4. Server

Step 5

Click Save when finished.
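The order rule in the Note above (CA, then Sub-CA, then Subsub-CA, then Server) is easy to get wrong when several PEM files are pasted together. The following added Python script, which is not part of the Cisco guide, checks a PEM bundle before it goes into the Certificate Chain text box: the first certificate must be a self-issued root, each later certificate must name the previous one as its issuer and verify under its key, and every certificate except the last must carry the CA basic constraint. It uses the third-party cryptography package; the three certificates it checks are generated inline with made-up names ("Example Root CA", "Example Sub-CA", "capic.example.test"), so nothing here comes from a real PKI.

```python
"""Check that a PEM certificate chain is ordered root CA -> Sub-CA -> ... -> Server.

Added example; requires the `cryptography` package.  Certificates are
constructed inline with hypothetical names, so the script runs offline.
"""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def load_chain(pem_bundle):
    """Split a PEM bundle into certificate objects, in the order they appear."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in _PEM_CERT.finditer(pem_bundle)]


def _is_ca(cert):
    """True when the certificate carries BasicConstraints CA=TRUE."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def chain_problem(pem_bundle):
    """Return None when the bundle is in CA -> Sub-CA -> ... -> Server order, else a message."""
    certs = load_chain(pem_bundle)
    if not certs:
        return "no certificates found in bundle"
    if certs[0].issuer != certs[0].subject:
        return "first certificate is not a self-issued root CA"
    for i, cert in enumerate(certs):
        if i > 0:
            signer = certs[i - 1]
            if cert.issuer != signer.subject:
                return f"certificate {i} was not issued by certificate {i - 1}"
            try:  # RSA PKCS#1 v1.5 signature check under the previous certificate's key
                signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                           padding.PKCS1v15(), cert.signature_hash_algorithm)
            except InvalidSignature:
                return f"certificate {i} signature does not verify under certificate {i - 1}"
        if i < len(certs) - 1 and not _is_ca(cert):
            return f"certificate {i} is not a CA but is followed by another certificate"
    return None


def chain_subjects(pem_bundle):
    """Common names in bundle order, for a quick visual check."""
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
            for c in load_chain(pem_bundle)]


def _make_cert(cn, issuer_cert, issuer_key, key, is_ca):
    """Constructed test certificate (hypothetical names, not from any real CA)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_sample_bundles():
    """Return (correct_order, reversed_order) PEM bundles for a constructed 3-level chain."""
    root_key, sub_key, srv_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _make_cert("Example Root CA", None, root_key, root_key, True)
    sub = _make_cert("Example Sub-CA", root, root_key, sub_key, True)
    srv = _make_cert("capic.example.test", sub, sub_key, srv_key, False)
    pem = [c.public_bytes(serialization.Encoding.PEM) for c in (root, sub, srv)]
    return b"".join(pem), b"".join(reversed(pem))


if __name__ == "__main__":
    good, wrong = build_sample_bundles()
    print(chain_subjects(good), chain_problem(good))
    print(chain_subjects(wrong), chain_problem(wrong))
```

To check a real bundle, read the file as bytes and pass it to chain_problem; a None result means the order matches what the dialog expects. The signature check is written for RSA keys, which is what the Key Ring dialog's Modulus options produce; an ECDSA-signed chain would need the corresponding verify call.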


Creating a Key Ring Using the Cisco Cloud APIC GUI

This section explains how to create a key ring using the Cisco Cloud APIC GUI.

Before you begin

  • Create a certificate authority.

  • Have a certificate.

  • If the key ring is for a specific tenant, create the tenant.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Key Ring. The Create Key Ring dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Key Ring Dialog Box Fields table then continue.

Table 16. Create Key Ring Dialog Box Fields

Properties

Description

Name

Enter the name of the key ring.

Description

Enter a description of the key ring.

Used for

  • System—The key ring is for the system.

  • Tenant—The key ring is for a specific tenant. Displays a Tenant field for specifying the tenant.

Select Tenant

To choose a tenant:

  1. Click Select Tenant. The Select Tenant dialog box appears.

  2. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Key Ring dialog box.

Settings

Certificate Authority

To choose a certificate authority:

  1. Click Select Certificate Authority. The Select Certificate Authority dialog appears.

  2. Click to choose a certificate authority in the column on the left.

  3. Click Select. You return to the Create Key Ring dialog box.

Private Key

Choose one of the following:

  • Generate New Key—Generates a new key.

  • Import Existing Key—Displays the Private Key text box and enables you to use an existing key.

Private Key

Enter an existing key in the Private Key text box (for the Import Existing Key option).

Modulus

Click the Modulus drop-down list to choose from the following:

  • MOD 512

  • MOD 1024

  • MOD 1536

  • MOD 2048—(Default)

Certificate

Enter the certificate information in the Certificate text box.

Step 5

Click Save when finished.


Creating a Local User Using the Cisco Cloud APIC GUI

This section explains how to create a local user using the Cisco Cloud APIC GUI.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Local User. The Create Local User dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields table then continue.

Table 17. Create Local User Dialog Box Fields

Properties

Description

Name

Enter the username of the local user.

Password

Enter the password for the local user.

Confirm Password

Reenter the password for the local user.

Description

Enter a description of the local user.

Settings

Account Status

To choose the account status:

  • Active—Activates the local user account.

  • Inactive—Deactivates the local user account.

First Name

Enter the first name of the local user.

Last Name

Enter the last name of the local user.

Email Address

Enter the email address of the local user.

Phone Number

Enter the phone number of the local user.

Security Domains

To add a security domain:

  1. Click Add Security Domain. The Add Security Domain dialog box appears.

  2. Click Select Security Domain. The Select Security Domain dialog box appears with a list of security domains in the left pane.

  3. Click to choose a security domain.

  4. Click Select to add the security domain. You return to the Add Security Domain dialog box.

  5. Add a user role:

    1. From the Add Security Domain dialog box, click Select Role. The Select Role dialog box appears with a list of roles in the left pane.

    2. Click to choose a role.

    3. Click Select to add the role. You return to the Add Security Domain dialog box.

    4. From the Add Security Domain dialog box, click the Privilege Type drop-down list and choose Read Privilege or Write Privilege.

    5. Click the check mark on the right side of the Privilege Type drop-down list to confirm.

    6. Click Add when finished. You return to the Create Local User dialog box where you can add another security domain.

Step 5

Click Advanced Settings and enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields: Advanced Settings table then continue.

Table 18. Create Local User Dialog Box Fields: Advanced Settings

Property

Description

Account Expires

If you choose Yes, the account is set to expire at the time that you choose.

Password Update Required

If you choose Yes, the user must change the password upon the next login.

OTP

Put a check in the box to enable the one-time password feature for the user.

User Certificates

To add a user certificate:

  1. Click Add X509 Certificate. The Add X509 Certificate dialog box appears.

  2. Enter a name in the Name field.

  3. Enter the X509 certificate in the User X509 Certificate text box.

  4. Click Add. The Add X509 Certificate dialog box closes. You return to the Local User dialog box.

SSH Keys

To add an SSH key:

  1. Click Add SSH Key. The Add SSH Key dialog box appears.

  2. Enter a name in the Name field.

  3. Enter the SSH key in the Key text box.

  4. Click Add. The Add SSH Key dialog box closes. You return to the Local User dialog box.

Step 6

Click Save when finished.


Managing Regions (Configuring a Cloud Template) Using the Cisco Cloud APIC GUI

Regions are configured during the first-time setup. When configured, you specify the regions that are managed by Cisco Cloud APIC and the region's inter-site and inter-region connectivity. This section explains how to manage regions with the cloud template using the Cisco Cloud APIC GUI after the initial installation.

For more information about cloud templates, see About the Cloud Template.

Procedure


Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Configuration.

A list of options appears in the Intent menu.

Step 3

From the Configuration list in the Intent menu, click Set Up cAPIC. The Set up - Overview dialog box appears with options for DNS Servers, Region Management, and Smart Licensing.

Step 4

For Region Management, click Edit Configuration. The Set Up - Region Management dialog box appears with a list of managed regions.

Step 5

To choose a region that you want to be managed by the Cisco Cloud APIC, click to place a check mark in check box of that region. The Cloud Routers and On-Premises Connectivity check boxes are enabled.

Step 6

To deploy cloud routers locally to this region, click to place a check mark in the Cloud Routers check box.

Step 7

To enable the cloud routers in the region to connect to on-premises ACI sites, click to place a check mark in the On-Premises Connectivity check box. The Cloud Routers check box is automatically checked.

Step 8

To configure the fabric infra connectivity for the cloud site, click Next.

Step 9

To specify the subnet, click Add Subnet for Cloud Router and enter the subnet in the text box.

Step 10

To choose the number of routers per region, click the Number of Routers Per Region drop-down list and click 2, 3, or 4.

Step 11

Enter a username in the Username text box.

Step 12

Enter a password in the Password and Confirm Password text boxes.

Step 13

To choose the throughput value, click the Throughput of the routers drop-down list.

Note 

Cloud routers should be undeployed from all regions before changing the throughput or login credentials.

Step 14

To specify the license token, enter the product instance registration token in the License Token text box.

Step 15

To configure inter-site connectivity, click Next.

Step 16

To enter a peer public IP in the text box, click Add Template for IPsec.

Step 17

Enter the OSPF area ID in the OSPF Area Id text box.

Step 18

To add an external subnet pool, click Add External Subnet Pool for Infra Network and enter a subnet pool in the text box.

Step 19

Click Save and Continue when finished.


Configuring Cisco Cloud APIC Using the REST API

Creating a Tenant Using the REST API

This section demonstrates how to create a tenant, with its cloud provider credentials, using the REST API.

Procedure


To create a tenant:


<polUni>
  <fvTenant name="infra">
    <cloudAwsProvider region="us-east-1" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin" status=""/>
  </fvTenant>
</polUni>
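The XML above is the body of a POST to the controller. The following Python script is an added example, not code from the Cisco guide: it logs in, then posts the tenant payload with the session cookie. It builds the XML with ElementTree so that attribute values are escaped, verifies the controller's TLS certificate, and reads every credential from environment variables instead of writing them into the payload as the literal "123" and "ABCDE" above do. Assumptions: the standard APIC login endpoint /api/aaaLogin.xml and its APIC-cookie token apply to the Cisco Cloud APIC, and the variable names CAPIC_URL, CAPIC_USER, CAPIC_PASS, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are this example's own.

```python
"""Post a <polUni> tenant payload to Cisco Cloud APIC over the REST API.

Added example, not from the Cisco guide.  Assumes the APIC-style login
(/api/aaaLogin.xml returning an APIC-cookie token) and reads credentials
from environment variables chosen for this example.
"""
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def login_payload(user, password):
    """<aaaUser name=... pwd=.../>; ElementTree escapes <, &, and quotes in the values."""
    return ET.tostring(ET.Element("aaaUser", name=user, pwd=password), encoding="unicode")


def tenant_payload(tenant, region, access_key_id, secret_access_key, provider_id="admin"):
    """Build the polUni/fvTenant/cloudAwsProvider document shown in the guide."""
    uni = ET.Element("polUni")
    tn = ET.SubElement(uni, "fvTenant", name=tenant)
    ET.SubElement(tn, "cloudAwsProvider", region=region, accessKeyId=access_key_id,
                  secretAccessKey=secret_access_key, providerId=provider_id)
    return ET.tostring(uni, encoding="unicode")


def parse_token(response_xml):
    """Extract the session token from an aaaLogin reply; raise on an <error> reply."""
    root = ET.fromstring(response_xml)
    err = root.find(".//error")
    if err is not None:
        raise RuntimeError(f"login failed: {err.get('text')}")
    node = root.find(".//aaaLogin")
    if node is None or not node.get("token"):
        raise RuntimeError("no token in login response")
    return node.get("token")


def _post(url, body, cookie=None):
    """POST an XML body; the default SSL context verifies the controller certificate."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/xml"})
    if cookie:
        req.add_header("Cookie", f"APIC-cookie={cookie}")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return resp.read().decode()


def login(base_url, user, password):
    return parse_token(_post(f"{base_url}/api/aaaLogin.xml", login_payload(user, password)))


def create_tenant(base_url, token, payload):
    return _post(f"{base_url}/api/node/mo/.xml", payload, cookie=token)


if __name__ == "__main__":
    base = os.environ["CAPIC_URL"]            # e.g. https://capic.example.test (hypothetical)
    token = login(base, os.environ["CAPIC_USER"], os.environ["CAPIC_PASS"])
    print(create_tenant(base, token, tenant_payload(
        "infra", "us-east-1",
        os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"])))
```

The same login and create_tenant functions post any of the payloads in the sections that follow; only the payload builder changes.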

Creating a Contract Using the REST API

This example demonstrates how to create a contract for the Cisco Cloud APIC using the REST API.

Before you begin

Create filters.

Procedure


To create a contract:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <vzFilter descr="" name="http-family-destination" ownerKey="" ownerTag="">
      <vzEntry name="http" prot="tcp" etherT="ip" dFromPort="http" dToPort="http"/>
      <vzEntry name="https" prot="tcp" etherT="ip" dFromPort="https" dToPort="https"/>
    </vzFilter>
    <vzBrCP name="httpFamily">
      <vzSubj name="default" revFltPorts="yes" targetDscp="unspecified">
        <vzRsSubjFiltAtt action="permit" directives="" tnVzFilterName="http-family-destination"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>

Creating a Cloud Context Profile Using the REST API

This section demonstrates how to create a cloud context profile.

Before you begin

Create a VRF.

Procedure


To create a cloud context profile:

Example:

<polUni>
  <fvTenant name="Corp1" status="">
    <cloudAwsProvider accessKeyId="" secretAccessKey="" providerId="aws" status="" accountId=""/>

    <fvCtx name="prod-1" status="">
      <bgpRtTargetP af="ipv4-ucast">
        <bgpRtTarget rt="route-target:as4-nn2:400:400" type="export"/>
        <bgpRtTarget rt="route-target:as4-nn2:400:400" type="import"/>
      </bgpRtTargetP>
    </fvCtx>

    <fvCtx name="prod-2" status="">
      <bgpRtTargetP af="ipv4-ucast">
        <bgpRtTarget rt="route-target:as4-nn2:500:500" type="export"/>
        <bgpRtTarget rt="route-target:as4-nn2:500:500" type="import"/>
      </bgpRtTargetP>
    </fvCtx>

    <cloudVpnGwPol name="VgwPol" status=""/>

    <cloudApp name="payment" status="">
      <cloudEPg name="web" status="">
        <cloudRsCloudEPgCtx tnFvCtxName="prod-1"/>
      </cloudEPg>
    </cloudApp>
    <cloudApp name="billing">
      <cloudEPg name="app">
        <cloudRsCloudEPgCtx tnFvCtxName="prod-2"/>
      </cloudEPg>
    </cloudApp>

    <cloudCtxProfile name="prod-web-east-1">
      <cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-aws/region-us-east-1"/>
      <cloudRsToCtx tnFvCtxName="prod-1"/>
      <cloudRouterP name="RouterP1" type="vpn-gw">
        <cloudRsToVpnGwPol tnCloudVpnGwPolName="VgwPol"/>
        <cloudIntNetworkP name="IntNetworkP1"/>
      </cloudRouterP>

      <cloudCidr addr="60.10.10.1/16" primary="true">
        <cloudSubnet ip="60.10.10.1/24">
          <cloudRsZoneAttach tDn="uni/clouddomp/provp-aws/region-us-east-1/zone-us-east-1a"/>
        </cloudSubnet>
      </cloudCidr>
    </cloudCtxProfile>

    <cloudCtxProfile name="prod-payment-east-1" status="">
      <cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-aws/region-us-east-1"/>
      <cloudRsToCtx tnFvCtxName="prod-2" status=""/>
      <cloudRouterP name="RouterP1" type="vpn-gw">
        <cloudRsToVpnGwPol tnCloudVpnGwPolName="VgwPol"/>
        <cloudIntNetworkP name="IntNetworkP1" status=""/>
      </cloudRouterP>

      <cloudCidr addr="70.10.10.1/16" primary="true" status="">
        <cloudSubnet ip="70.10.10.1/24" status="">
          <cloudRsZoneAttach tDn="uni/clouddomp/provp-aws/region-us-east-1/zone-us-east-1a"/>
        </cloudSubnet>
      </cloudCidr>
    </cloudCtxProfile>
  </fvTenant>
</polUni>

Managing a Cloud Region Using the REST API

This section demonstrates how to manage a cloud region using the REST API.

Procedure


To create a cloud region:


<polUni>
  <cloudDomP name="dom-us-east-2">
    <cloudBgpAsP asn="64513"/>
    <cloudProvP vendor="aws">
      <cloudRegion name="us-east-2" adminSt="managed">
        <cloudZone name="us-east-2a"/>
        <cloudZone name="us-east-2b"/>
      </cloudRegion>
    </cloudProvP>
  </cloudDomP>
</polUni>

Creating a Filter Using the REST API

This section demonstrates how to create a filter using the REST API.

Procedure


To create a filter:


https://<IP_Address>/api/node/mo/.xml
<polUni>
  <fvTenant name="intervpc">
    <fvCtx name="VRF1"/>
    <cloudApp name="CloudAP1">
      <cloudEPg name="CloudEPG1">
        <cloudRsCloudEPgCtx tnFvCtxName="VRF1"/>
        <fvRsProv tnVzBrCPName="Contract2"/>
        <cloudEPSelector name="sel1" matchExpression="custom:epgtag=='cloudepg1'"/>
      </cloudEPg>
    </cloudApp>

    <vzFilter name="http" annotation="orchestrator:msc">
      <vzEntry name="Entry3" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="80" dToPort="80"/>
    </vzFilter>

    <vzBrCP name="Contract2" scope="global">
      <vzSubj name="test-subj">
        <vzRsSubjFiltAtt action="permit" tnVzFilterName="http" directives="none"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>

Creating an Application Profile Using the REST API

This section demonstrates how to create an application profile using the REST API.

Before you begin

Create a tenant.

Procedure


To create an application profile:


https://<IP_Address>/api/node/mo/.xml
<polUni>
  <fvTenant name="intervpc">
    <fvCtx name="VRF1"/>
    <cloudApp name="CloudAP1">
      <cloudEPg name="CloudEPG1">
        <cloudRsCloudEPgCtx tnFvCtxName="VRF1"/>
        <fvRsProv tnVzBrCPName="Contract2"/>
        <cloudEPSelector name="sel1" matchExpression="custom:epgtag=='cloudepg1'"/>
      </cloudEPg>
    </cloudApp>

    <vzFilter name="http" annotation="orchestrator:msc">
      <vzEntry name="Entry3" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="80" dToPort="80"/>
    </vzFilter>

    <vzBrCP name="Contract2" scope="global">
      <vzSubj name="test-subj">
        <vzRsSubjFiltAtt action="permit" tnVzFilterName="http" directives="none"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>

Creating a Cloud EPG Using the REST API

This example demonstrates how to create a cloud EPG using the REST API.

Before you begin

Create an application profile and a VRF.

Procedure


To create a cloud EPG:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <!-- Tenant provide AWS credentials -->
    <cloudAwsProvider region="us-east-2" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin"/>
    <fvCtx name="v1" status=""/>
    <cloudApp name="ap">
      <cloudEPg name="provEPG" status="">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='provfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='provbaz'"/>
        <fvRsProv tnVzBrCPName="httpFamily"/>
      </cloudEPg>
      <cloudEPg name="consEPG">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='consfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='consbaz'"/>
        <fvRsCons tnVzBrCPName="httpFamily"/>
      </cloudEPg>
    </cloudApp>
  </fvTenant>
</polUni>

Creating an External Cloud EPG Using the REST API

This example demonstrates how to create an external cloud EPG using the REST API.

Before you begin

Create an application profile and a VRF.

Procedure


To create an external cloud EPG:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <!-- Tenant provide AWS credentials -->
    <cloudAwsProvider region="us-east-2" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin"/>
    <fvCtx name="v1" status=""/>
    <cloudApp name="ap">
      <cloudEPg name="provEPGInternet" status="">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='provfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='provbaz'"/>
        <fvRsProv tnVzBrCPName="httpFamily"/>
      </cloudEPg>
      <cloudExtEPg name="consInternetEPG">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudExtEPSelector name="1" subnet="0.0.0.0/0"/>
        <fvRsCons tnVzBrCPName="httpFamily"/>
      </cloudExtEPg>
    </cloudApp>
  </fvTenant>
</polUni>
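The contract, filter, cloud EPG and external cloud EPG examples above are linked only by name strings (tnVzBrCPName, tnVzFilterName), and the external EPG example opens its consumer side to 0.0.0.0/0. The following Python script is an added example, not Cisco tooling: it lints a polUni payload before it is posted, reporting relations that name a contract or filter the tenant never defines, a cloudAwsProvider element that carries a secretAccessKey (so the file itself must be handled as a secret), and any contract consumed by an external EPG whose selector is 0.0.0.0/0, together with the ports that contract permits, since the providing EPGs then accept those ports from any Internet source. The sample payload is constructed by merging the contract example and the external cloud EPG example into one tenant.

```python
"""Lint a <polUni> policy payload before posting it to /api/node/mo/.xml.

Added example, not part of the Cisco guide.  Findings are (kind, message) tuples.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "Creating a Contract" filter/contract and the
# "Creating an External Cloud EPG" EPGs merged into a single tenant t2.
SAMPLE = """<polUni>
  <fvTenant name="t2" status="">
    <cloudAwsProvider region="us-east-2" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin"/>
    <fvCtx name="v1" status=""/>
    <vzFilter name="http-family-destination">
      <vzEntry name="http" prot="tcp" etherT="ip" dFromPort="http" dToPort="http"/>
      <vzEntry name="https" prot="tcp" etherT="ip" dFromPort="https" dToPort="https"/>
    </vzFilter>
    <vzBrCP name="httpFamily">
      <vzSubj name="default" revFltPorts="yes">
        <vzRsSubjFiltAtt action="permit" tnVzFilterName="http-family-destination"/>
      </vzSubj>
    </vzBrCP>
    <cloudApp name="ap">
      <cloudEPg name="provEPGInternet">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='provfoo'"/>
        <fvRsProv tnVzBrCPName="httpFamily"/>
      </cloudEPg>
      <cloudExtEPg name="consInternetEPG">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudExtEPSelector name="1" subnet="0.0.0.0/0"/>
        <fvRsCons tnVzBrCPName="httpFamily"/>
      </cloudExtEPg>
    </cloudApp>
  </fvTenant>
</polUni>"""


def _contract_ports(tenant, contract_name):
    """Resolve contract -> subjects -> filters -> entries into 'proto/from-to' strings."""
    filters = {f.get("name"): f for f in tenant.iter("vzFilter")}
    ports = []
    for cp in tenant.iter("vzBrCP"):
        if cp.get("name") != contract_name:
            continue
        for att in cp.iter("vzRsSubjFiltAtt"):
            flt = filters.get(att.get("tnVzFilterName"))
            if flt is None:
                continue  # dangling filter; reported separately by lint_policy
            for e in flt.iter("vzEntry"):
                ports.append(f"{e.get('prot')}/{e.get('dFromPort')}-{e.get('dToPort')}")
    return ports


def lint_policy(xml_text):
    """Return a list of (kind, message) findings; an empty list means nothing to report."""
    findings = []
    root = ET.fromstring(xml_text)
    for tenant in root.iter("fvTenant"):
        tn = tenant.get("name")
        contracts = {c.get("name") for c in tenant.iter("vzBrCP")}
        filters = {f.get("name") for f in tenant.iter("vzFilter")}
        # 1. Name-only relations whose target is missing: the controller accepts
        #    the post and raises a missing-target fault instead of enforcing anything.
        for att in tenant.iter("vzRsSubjFiltAtt"):
            if att.get("tnVzFilterName") not in filters:
                findings.append(("dangling-filter",
                                 f"{tn}: subject references unknown filter {att.get('tnVzFilterName')!r}"))
        for tag in ("fvRsProv", "fvRsCons"):
            for rel in tenant.iter(tag):
                if rel.get("tnVzBrCPName") not in contracts:
                    findings.append(("dangling-contract",
                                     f"{tn}: {tag} references unknown contract {rel.get('tnVzBrCPName')!r}"))
        # 2. Cloud provider secret embedded in the payload.
        for prov in tenant.iter("cloudAwsProvider"):
            if prov.get("secretAccessKey"):
                findings.append(("secret-in-payload",
                                 f"{tn}: cloudAwsProvider carries a secretAccessKey; keep this payload out of logs and version control"))
        # 3. External EPG matching every address that consumes a contract.
        for ext in tenant.iter("cloudExtEPg"):
            if not any(s.get("subnet") == "0.0.0.0/0" for s in ext.iter("cloudExtEPSelector")):
                continue
            for rel in ext.iter("fvRsCons"):
                name = rel.get("tnVzBrCPName")
                ports = ", ".join(_contract_ports(tenant, name)) or "no resolvable ports"
                findings.append(("internet-exposure",
                                 f"{tn}: external EPG {ext.get('name')!r} (0.0.0.0/0) consumes {name!r}; "
                                 f"provider EPGs are reachable from any Internet source on {ports}"))
    return findings


if __name__ == "__main__":
    for kind, msg in lint_policy(SAMPLE):
        print(f"[{kind}] {msg}")
```

Run it against the file you are about to post; an internet-exposure finding is not necessarily wrong (provEPGInternet is meant to be public), but it should be a deliberate decision rather than a surprise, and a dangling reference is always a mistake.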

Creating a Cloud Template Using the REST API

This section demonstrates how to create a cloud template using the REST API. For more information about cloud templates, see About the Cloud Template.

Procedure


To create a cloud template:

<polUni>
  <fvTenant name="infra">
    <cloudtemplateInfraNetwork name="default" vrfName="overlay-1">
      <cloudtemplateProfile name="defaultxyz" routerUsername="SomeFirstName" routerPassword="SomePass"/>
      <cloudtemplateExtSubnetPool subnetpool="10.20.0.0/16"/>

      <cloudtemplateIntNetwork name="default">
        <cloudRegionName provider="aws" region="us-west-1"/>
        <cloudRegionName provider="aws" region="us-west-2"/>
      </cloudtemplateIntNetwork>

      <cloudtemplateExtNetwork name="default">
        <cloudRegionName provider="aws" region="us-west-2"/>

        <cloudtemplateVpnNetwork name="default">
          <cloudtemplateIpSecTunnel peeraddr="23.2.1.1/32"/>
          <cloudtemplateIpSecTunnel peeraddr="23.0.1.1/32"/>
          <cloudtemplateIpSecTunnel peeraddr="23.1.1.1/32"/>
          <cloudtemplateOspf area="0.0.0.1"/>
        </cloudtemplateVpnNetwork>

        <cloudtemplateBgpEvpn peeraddr="34.1.1.1/32" asn="63000" siteId="123" password="abcd1234"/>
      </cloudtemplateExtNetwork>
    </cloudtemplateInfraNetwork>
  </fvTenant>
</polUni>