Configuration Drift Notifications and Faults
When you deploy Cisco ACI in a public cloud, you will perform most of the fabric configuration from the Cloud APIC. However, there may be cases where you or another cloud administrator changes the deployed configuration directly in the cloud provider's GUI using the tools provided by AWS or Azure. In these cases, the intended configuration you deployed from the Cloud APIC and the actual configuration in the cloud site may become out of sync; this is called a configuration drift.
Starting with release 5.0(2), Cloud APIC provides visibility into any security policy (contracts) configuration discrepancy between what you deploy from the Cloud APIC and what is actually configured in the cloud site.
Note: See Updates in Release 25.0(4) for more information.
There are two aspects to analyzing configuration drift:
- Have all the fabric elements configured in the Cloud APIC and intended to be deployed in the cloud fabric been properly deployed?
  This scenario can occur due to user configuration errors in Cloud APIC that could not be deployed in the cloud, connection or API issues on the cloud provider end, or if a cloud administrator manually deletes or modifies security rules directly in the cloud provider's UI. Any intended but missing configurations may present an issue for the Cloud APIC fabric.
- Are there any additional configurations that exist in the cloud but were not intended to be deployed from the Cloud APIC?
  Similarly to the previous scenario, this can occur if there are connection or API issues or if a cloud administrator manually creates additional security rules directly in the cloud provider's UI. Any existing but not intended configuration may present issues.
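The two drift classes above (intended-but-missing and present-but-unintended security rules) as an added example, not Cisco's or the Cloud APIC's own code: a small Python check that canonicalises a constructed set of intended rules and the rules read back from a cloud site, then reports both differences. The rule tuple shape, the sample rules and the `risky_unexpected` helper are assumptions for illustration, not the Cloud APIC data model.

```python
from ipaddress import ip_network

# Constructed rule shape (an assumption, not the Cloud APIC data model):
# (direction, protocol, from_port, to_port, cidr)
INTENDED_RULES = [          # constructed: what the controller deployed
    ("ingress", "tcp", 443, 443, "10.10.0.0/16"),
    ("ingress", "tcp", 8443, 8443, "10.10.0.0/16"),
    ("egress", "all", 0, 65535, "0.0.0.0/0"),
]
ACTUAL_RULES = [            # constructed: what the cloud site reports
    ("ingress", "TCP", 443, 443, "10.10.0.1/16"),   # same rule, noisy form
    ("egress", "all", 0, 65535, "0.0.0.0/0"),
    ("ingress", "tcp", 22, 22, "0.0.0.0/0"),          # created out-of-band
]

def normalize(rule):
    """Canonicalise a rule so cosmetic differences are not reported as drift."""
    direction, proto, p_from, p_to, cidr = rule
    net = ip_network(cidr, strict=False)   # 10.10.0.1/16 -> 10.10.0.0/16
    proto = proto.lower()
    if proto in ("all", "-1"):             # ports are meaningless for "all"
        p_from, p_to = 0, 65535
    return (direction.lower(), proto, int(p_from), int(p_to), str(net))

def detect_drift(intended, actual):
    """Return the two drift classes the text describes."""
    want = {normalize(r) for r in intended}
    have = {normalize(r) for r in actual}
    return {
        "missing": sorted(want - have),      # intended but not deployed
        "unexpected": sorted(have - want),   # deployed but not intended
    }

def risky_unexpected(drift):
    """Flag unintended ingress rules that are open to any source address."""
    return [r for r in drift["unexpected"]
            if r[0] == "ingress" and r[4] == "0.0.0.0/0"]

if __name__ == "__main__":
    drift = detect_drift(INTENDED_RULES, ACTUAL_RULES)
    for kind, rules in drift.items():
        print(f"{kind}: {len(rules)}")
        for r in rules:
            print("   ", r)
    print("needs attention:", risky_unexpected(drift))
```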
Updates in Release 25.0(4)
Beginning with release 25.0(1), configuration drift information is available for EPGs and VRFs, in addition to contracts.
Beginning with release 25.0(4), the following changes have been made for configuration drift:
- Configuration drift is now enabled by default.
- Prior to release 25.0(4), configuration drift information was not available for contracts that had Layer 4 to Layer 7 service graphs attached. Beginning with release 25.0(4), contract drift information is now available for contracts with or without Layer 4 to Layer 7 service graphs attached. See Deploying Layer 4 to Layer 7 Services for more information.
- Configuration drift information is now consolidated under a single page, located at . See Accessing the Main Configuration Drift Page for more information.