Configuring Cisco Cloud APIC Components

About Configuring the Cisco Cloud APIC

You create the Cisco Cloud APIC components using either the Cisco Cloud APIC GUI or the REST API. This section explains how to create configuration, application management, operations, and administrative components.

Note

For information about configuring a load balancer and service graph, see Deploying Layer 4 to Layer 7 Services.
For information about the GUI, such as navigation and a list of configurable components, see About the Cisco Cloud APIC GUI.

Configuring the Cisco Cloud APIC Using the GUI

Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(2) and Earlier

This section explains how to create a tenant using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table then continue.

Table 1. Create Tenant Dialog Box Fields
Properties	Description
Name	Enter the name of the tenant.
Description	Enter a description of the tenant.
Settings
Add Security Domain	To add a security domain: Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane. Click to choose a security domain. Click Select to add the security domain to the tenant.
Trusted Tenant	Click to check (default) or uncheck the Enabled check box. Trusted Tenant is enabled when checked.
Cloud Account ID	Enter the cloud account ID.

Step 5

Click Save when finished.

Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(3) and Later

This section explains how to create a tenant using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Tenant. The Create Tenant dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tenant Dialog Box Fields table then continue.

Table 2. Create Tenant Dialog Box Fields
Properties	Description
Name	Enter the name of the tenant.
Description	Enter a description of the tenant.
Settings
Add Security Domain	To add a security domain: Click Add Security Domain. The Select Security Domains dialog appears with a list of security domains in the left pane. Click to choose a security domain. Click Select to add the security domain to the tenant.
AWS Account ID	Enter the cloud account ID.
Access Type	Click to enable the tenant type: Untrusted Trusted Organization

Step 5

Click Save when finished.

Configure a Tenant AWS Provider For Release 4.2(2) and Earlier

Before you begin

AWS Provider is auto-configured for Infra tenant. You do not need to do anything to configure the AWS provider for the infra tenant.
For all non-infra tenants, the AWS provider is configured either as a trusted tenant or as untrusted tenant. Our recommendation is to use trusted tenants because managing credentials is not easy. Also, each tenant must be in a separate AWS account. Sharing the same AWS account for multiple tenants is not allowed.

For a trusted tenant, establish the trust relationship first with the account in which Cisco Cloud APIC is deployed (the account for the infra tenant). To establish the trust relation and give all the required permissions to the Cisco Cloud APIC for accessing the tenant account, run the tenant role cloud-formation template in the tenant account. This template is available as a tenant-cft.json object in the S3 bucket that is named capic-common-[capicAccountId]-data in the infra tenant’s AWS account. For security reasons, public access to this S3 bucket is not allowed, so the S3 bucket owner needs to download this file and use it in the tenant account.

Untrusted tenants - use the account access and secret keys. The access and secret keys being used must be for an IAM user having these permissions at a minimum. The IAM role created must be named ApicTenantRole.

Note

Cloud APIC does not disturb AWS resources created by other applications or users. It only manages the AWS resources created by itself.

{
    "Version": "2012-10-17",
    "Statement": [
       {
            "Action": [
                "ec2:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "events:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "logs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudtrail:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "resource-groups:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "sqs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": "elasticloadbalancing:*",
            "Resource": "*",
           "Effect": "Allow"
        }, {
            "Action": [
                "config:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<account-id>:role/ApicTenantRole",
            "Effect": "Allow"
        }
    ]
}

Add trust relationship:

 {
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com",
                "AWS": "arn:aws:iam::<account-d>:root"
            },
            "Action": "sts:AssumeRole"
       }
    ]
}

Cloud APIC enforces ownership checks to prevent deployment of policies in the same tenant-region combination done either intentionally or by mistake. For example, assume that Cloud APIC is deployed in AWS account IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment i.e. account-region combination TA1-R2 is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in AWS account IA2 deployed in region R3), this will not be allowed because the current owner for the deployment TA1-R2 is IA1-R1. In other words, only one account in one region can be managed by one Cloud APIC. Example below shows some valid and wrong deployment combinations.
```
Capic1:
IA1-R1: TA1-R1 - ok
        TA1-R2 - ok
 
Capic2:
IA1-R2: TA1-R1 - not allowed
        TA1-R3 - ok
 
Capic3:
IA2-R1: TA1-R1 - not allowed
        TA1-R4 - ok
        TA2-R4 - ok
```
Ownership enforcement is done using AWS Resource Groups. When a new tenant in account TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (e.g. CAPIC_123456789012_us-east-2) is created in the tenant account. This Resource Group has a resource tag AciOwnerTag with value IA1_R1_TA1_R2, assuming it was managed by Cloud APIC in account IA1 and deployed in region R1. If the AciOwnerTag mismatch happens, tenant-region management is aborted.

Here is a summary of AciOwnerTag mismatch cases:
- Initially Cloud APIC is installed in an account, and then taken down and Cloud APIC is installed in a different account. All existing tenant-region deployment will fail.
- Another Cloud APIC is managing the same tenant-region.
In ownership mismatch cases, retry (to setup tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, logon to the tenant's AWS account and manually remove the affected Resource Group (e.g. CAPIC_123456789012_us-east-2). Next, reload Cloud APIC or delete and add the tenant again.

Procedure

Step 1

In the Cloud APIC, configure the AWS Provider.

On the Intent menu, choose Tenants > tenant_name from the drop-down.
In the Intent pane, choose Application Management > tenant_name .

Step 2

Perform the following actions:

Confirm there is a check in the Trusted Tenant checkbox.

The AWS account must be a Trusted account for the user tenant using the cloud.
In the Cloud Account ID field, provide the Cloud account ID.

Run the tenant role cloud-formation template available at the URL https://capic-common-<infraAccountId>-data.s3.amazonaws.com/tenant-cft.json which is in a s3 bucket in the infra tenant’s AWS account.

Note

Alternatively, keep the trusted flag unchecked and provide the access and secret keys as done normally for any tenant.

Step 3

Click Save.

Configuring a Tenant AWS Provider For Release 4.2(3) and Later

Before you begin

AWS Provider is auto-configured for Infra tenant. You do not need to do anything to configure the AWS provider for the infra tenant.
For all non-infra tenants, the AWS provider is configured either as a trusted tenant, untrusted tenant, or organization tenant. Our recommendation is to use trusted tenants because managing credentials is not easy. Also, each tenant must be in a separate AWS account. Sharing the same AWS account for multiple tenants is not allowed.

For a trusted tenant, establish the trust relationship first with the account in which Cisco Cloud APIC is deployed (the account for the infra tenant). To establish the trust relation and give all the required permissions to the Cisco Cloud APIC for accessing the tenant account, first create a tenant and assign the Trusted tag to that tenant as the Access Type. Then, bring up that new trusted tenant again by clicking on the tenant name in the Tenants page, and in the AWS Account area in the tenant window, click the Run the CloudFormation template link.
Organization tenants are for adding tenant accounts that are part of the organization. This requires deploying the Cisco Cloud APIC in the master account of the organization.

Untrusted tenants use the account access and secret keys. The access and secret keys being used must be for an IAM user having these permissions at a minimum. The IAM role created must be named ApicTenantRole.

Note

Cloud APIC does not disturb AWS resources created by other applications or users. It only manages the AWS resources created by itself.

{
    "Version": "2012-10-17",
    "Statement": [
       {
            "Action": [
                "ec2:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "events:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "logs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudtrail:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "resource-groups:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "sqs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": "elasticloadbalancing:*",
            "Resource": "*",
           "Effect": "Allow"
        }, {
            "Action": [
                "config:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<account-id>:role/ApicTenantRole",
            "Effect": "Allow"
        }
    ]
}

Add trust relationship:

 {
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com",
                "AWS": "arn:aws:iam::<infra-account-id>:root"
            },
            "Action": "sts:AssumeRole"
       }
    ]
}

The Cloud APIC uses the OrganizationAccountAccessRole IAM role to manage policies for AWS Organization tenants.

If you created an AWS account within the existing organization in the master account, the OrganizationAccountAccessRole IAM role is automatically assigned to that created AWS account. You do not have to manually configure the OrganizationAccountAccessRole IAM role in AWS in this case.

If the master account invited an existing AWS account to join the organization, then you must manually configure the OrganizationAccountAccessRole IAM role in AWS. Configure the OrganizationAccountAccessRole IAM role in AWS for the organization tenant and verify that it has Cloud APIC-related permissions available.

The OrganizationAccountAccessRole IAM role, together with the SCP (Service Control Policy) used for the organization or the account, must have the minimum permissions that are required by the Cloud APIC to manage policies for the tenants. The access policy requirement is the same as the requirement for the trusted or untrusted tenants.

{
    "Version": "2012-10-17",
    "Statement": [
       {
            "Action": [
                "ec2:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "events:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "logs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudtrail:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "resource-groups:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": [
                "sqs:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
            "Action": "elasticloadbalancing:*",
            "Resource": "*",
           "Effect": "Allow"
        }, {
            "Action": [
                "config:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }, {
           "Action": "iam:PassRole",
           "Resource": "*",
           "Effect": "Allow"
          }

    ]
}

To add a trust relationship for an Organization tenant:

 {
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com",
                "AWS": "arn:aws:iam::<infra-account-id>:root"
            },
            "Action": "sts:AssumeRole"
       }
    ]
}

Cloud APIC enforces ownership checks to prevent deployment of policies in the same tenant-region combination done either intentionally or by mistake. For example, assume that Cloud APIC is deployed in AWS account IA1 in region R1. Now you want to deploy a tenant TA1 in region R2. This tenant deployment i.e. account-region combination TA1-R2 is now owned by IA1-R1. If another Cloud APIC attempts to manage the same tenant-region combination later (say Capic2 in AWS account IA2 deployed in region R3), this will not be allowed because the current owner for the deployment TA1-R2 is IA1-R1. In other words, only one account in one region can be managed by one Cloud APIC. Example below shows some valid and wrong deployment combinations.
```
Capic1:
IA1-R1: TA1-R1 - ok
        TA1-R2 - ok
 
Capic2:
IA1-R2: TA1-R1 - not allowed
        TA1-R3 - ok
 
Capic3:
IA2-R1: TA1-R1 - not allowed
        TA1-R4 - ok
        TA2-R4 - ok
```
Ownership enforcement is done using AWS Resource Groups. When a new tenant in account TA1 in region R2 is managed by Cloud APIC, a Resource Group CAPIC_TA1_R2 (e.g. CAPIC_123456789012_us-east-2) is created in the tenant account. This Resource Group has a resource tag AciOwnerTag with value IA1_R1_TA1_R2, assuming it was managed by Cloud APIC in account IA1 and deployed in region R1. If the AciOwnerTag mismatch happens, tenant-region management is aborted.

Here is a summary of AciOwnerTag mismatch cases:
- Initially Cloud APIC is installed in an account, and then taken down and Cloud APIC is installed in a different account. All existing tenant-region deployment will fail.
- Another Cloud APIC is managing the same tenant-region.
In ownership mismatch cases, retry (to setup tenant-region again) is not currently supported. As a workaround, if you are certain that no other Cloud APIC is managing the same tenant-region combination, logon to the tenant's AWS account and manually remove the affected Resource Group (e.g. CAPIC_123456789012_us-east-2). Next, reload Cloud APIC or delete and add the tenant again.

Procedure

Step 1

In the Cloud APIC, configure the AWS Provider.

On the Intent menu, choose Tenants > tenant_name from the drop-down.
In the Intent pane, choose Application Management > tenant_name .

Step 2

Perform the following actions:

In the AWS Account ID field, provide the cloud account ID.
In the Access Type area, choose Trusted.

The AWS account must be a Trusted account for the user tenant that is using the cloud.
Click Save.
Bring up the new trusted tenant again by clicking on the tenant name in the Tenants page.

In the AWS Account area in the tenant Overview page, you will see the following message: "In order to deploy any configuration from this tenant, you must create a trusted role in the tenant AWS account which will establish trust with the AWS infra account. To do so, open the link below to run the CloudFormation template."
Click the Run the CloudFormation template link.

This returns you to the AWS sign in page, which should be pre-populated with the necessary AWS account information that you entered earlier in these procedures in the Cloud APIC GUI.
Click Next in the AWS sign in page after verifying that the sign-in information is correct.

Run the tenant role cloud-formation template in the tenant account.

Note

Alternatively, keep the trusted flag unchecked and provide the access and secret keys as done normally for any tenant.

Step 3

Click Save.

Creating an Application Profile Using the Cisco Cloud APIC GUI

This section explains how to create an application profile using the Cisco Cloud APIC GUI.

Before you begin

Create a tenant.

Procedure

Step 1	Click the Intent icon. The Intent menu appears.
Step 2	Click the drop-down arrow below the Intent search box and choose Application Management. A list of Application Management options appear in the Intent menu.
Step 3	From the Application Management list in the Intent menu, click Create Application Profile. The Create Application Profile dialog box appears.
Step 4	Enter a name in the Name field.
Step 5	Choose a tenant: Click Select Tenant. The Select Tenant dialog box appears. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Application Profile dialog box.
Step 6	Enter a description in the Description field.
Step 7	Click Save when finished.

Creating a VRF Using the Cisco Cloud APIC GUI

This section explains how to create a VRF using the Cisco Cloud APIC GUI.

Before you begin

Create a tenant.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create VRF. The Create VRF dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create VRF Dialog Box Fields table then continue.

Table 3. Create VRF Dialog Box Fields
Properties	Description
General
Name	Enter a name for the VRF in the Name field. All VRFs are assigned a vrfEncoded value. If the Tenant and VRF name combination has more than 32 characters, then, a VRF name (which also contains the tenant name) is identified in the cloud router using the vrfEncoded value. To see the vrfEncoded value, navigate to Application Management > VRFs subtab. Click a VRF on the right hand pane and look for Encoded VRF Name in Cloud Router.
Tenant	To choose a tenant: Click Select Tenant. The Select Tenant dialog box appears. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create VRF dialog box.
Description	Enter a description of the VRF.
Settings > IPv4 unicast address family BGP targets
Add Filter	Click the Add Route Target option for the unicast address family BGP target you want to configure. Click to choose the following options for the Type field: Export—The route target can be exported to other VRFs Import—The route target is imported from other VRFs Enter the route target that can be exported from the current VRF or imported into the current VRF in the Route Target text box.

Step 5

When finished, click Save.

Creating an EPG Using the Cisco Cloud APIC GUI

This section explains how to create an EPG using the Cisco Cloud APIC GUI. Each service needs at least one consumer EPG and one provider EPG.

Before you begin

Create an application profile and a VRF.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create EPG. The Create EPG dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create EPG Dialog Box Fields table then continue.

Table 4. Create EPG Dialog Box Fields

Properties

Description

Name

Enter the name of the EPG.

Tenant

To choose a tenant:

Click Select Tenant. The Select Tenant dialog box appears.
From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create EPG dialog box.

Application Profile

To choose an application profile:

Click Select Application Profile. The Select Application Profile dialog box appears.
From the Select Application Profile dialog, click to choose an application profile in the left column then click Select. You return to the Create EPG dialog box.

Description

Enter a description of the EPG.

Settings

Type

Choose the EPG type:

Cloud - Click to create the EPG in the cloud.
External - Click to create an external EPG.

Route Reachability

(Visible when creating an external EPG) Click the Route Reachability drop-down list and choose:

On Premises
Internet
Unspecified

VRF

To choose a VRF:

Click Select VRF. The Select VRF dialog box appears.
From the Select VRF dialog, click to choose a VRF in the left column then click Select. You return to the Create EPG dialog box.

Endpoint Selectors

Note

See Configuring Instances in AWS for instructions on configuring instances in AWS as part of the endpoint selector configuration process.

To add an endpoint selector:

Click Add Endpoint Selector to open the Add Endpoint Selector dialog.
In the Add Endpoint Selector dialog, enter a name in the Name field.
Click Selector Expression. The Key, Operator, and Value fields are enabled.

Click the Key drop-down list to choose a key. The options are:

Choose IP if you want to use an IP address or subnet for the endpoint selector.
Choose Zone if you want to use an availability zone for the endpoint selector.
Choose Region if you want to use the Amazon Web Services region for the endpoint selector.

Choose Custom if you want to create a custom key for the endpoint selector.

Note

When choosing the Custom option, the drop-down list becomes a text box. You need to enter a name for the key in the spaces after custom: (for example, custom: Location).

Click the Operator drop-down list to choose an operator. The options are:
- equals: Used when you have a single value in the Value field.
- not equals: Used when you have a single value in the Value field.
- in: Used when you have multiple comma-separated values in the Value field.
- not in: Used when you have multiple comma-separated values in the Value field.
- has key: Used if the expression contains only a key.
- does not have key: Used if the expression contains only a key.
Enter a value in the Value field then click the check mark to validate the entries. The value you enter depends on the choices you made for the Key and Operator fields. For example, if the Key field is set to IP and the Operator field is set to equals, the Value field must be an IP address or subnet. However, if the Operator field is set to has key, the Value field is disabled.
When finished, click the check mark to validate the selector expression.
Determine if you want to create additional endpoint selector expressions to the endpoint selector. If you create more than one expression under a single endpoint selector, a logical AND exists between those expressions.

For example, assume you created two sets of expressions under a single endpoint selector:
- Endpoint selector 1, expression 1:
  - Key: Zone
  - Operator: equals
  - Value: us-west-1a
- Endpoint selector 1, expression 2:
  - Key: IP
  - Operator: equals
  - Value: 192.0.2.1/24
In this case, if both of these expressions are true (if the availability zone is us-west-1a AND if the IP address belongs to subnet 192.0.2.1/24), then that endpoint is assigned to the Cloud EPG.
Click the check mark after every additional expression that you want to create under this endpoint selector then click Add when finished.

If you create more than one endpoint selector under an EPG, a logical OR exists between those endpoint selectors. For example, assume you had created endpoint selector 1 as described in the previous step, and then you created a second endpoint selector as described below:
- Endpoint selector 2, expression 1:
  - Key: Region
  - Operator: in
  - Value: us-east-1, us-east-2
In this case:
- If the availability zone is us-west-1a AND the IP address belongs to the 192.0.2.1/24 subnet (endpoint selector 1 expressions)
  
  OR
- If the region is either us-east-1 or us-east-2 (endpoint selector 2 expression)
Then that end point is assigned to the Cloud EPG.

Step 5

Click Save when finished.

Creating a Contract Using the Cisco Cloud APIC GUI

This section explains how to create a contract using the Cisco Cloud APIC GUI.

Before you begin

Create filters.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Contract. The Create Contract dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Contract Dialog Box Fields table then continue.

Table 5. Create Contract Dialog Box Fields

Properties

Description

Name

Enter the name of the contract.

Tenant

To choose a tenant:

Click Select Tenant. The Select Tenant dialog box appears.
From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Contract dialog box.

Description

Enter a description of the contract.

Settings

Scope

The scope limits the contract to any endpoint groups within the same application profile, within the same VRF instance, throughout the fabric (globally), or within the same tenant.

Note

Shared services enables communication between EPGs in different tenants and between EPGs in different VRFs.

To enable EPGs in one tenant to communicate with EPGs in another tenant, choose Global scope.

To enable an EPG in one VRF to communicate with another EPG in a different VRF, choose Global or Tenant scope.

For more information about shared services, see Shared Services

Click the drop-down arrow to choose from the following scope options:

Application Profile
VRF
Global
Tenant

Apply Filter in Both Directions

Put a check in the box to apply the same filters to traffic from consumer-to-provider and provider-to-consumer. Do not put a check in the box if you want to apply different filters for each direction of traffic.

The check box is enabled by default.

Add Filter

To choose a filter:

Click Add Filter. The filter row appears with a Select Filter option.
Click Select Filter. The Select Filter dialog box appears.
From the Select Filter dialog, click to choose a filter in the left column then click Select. You return to the Create Contract dialog box.

Step 5

Click Save when finished.

Specifying Consumer and Provider EPGs Using the Cisco Cloud APIC

This section explains how to specify an EPG as a consumer or a provider.

Before you begin

You have configured a contract.
You have configured an EPG.

Procedure

Step 1	Click the Intent icon. The Intent menu appears.
Step 2	Click the drop-down arrow below the Intent search box and choose Configuration. A list of Configuration options appears in the Intent menu.
Step 3	From the Configuration list in the Intent menu, click EPG Communication. The EPG Communication dialog box appears with the Consumer EPGs, Contract, and Provider EPGs information.
Step 4	To choose a contract: Click Select Contract. The Select Contract dialog appears. In the pane on the left side of the Select Contract dialog, click to choose a contract then click Select. The Select Contract dialog box closes.
Step 5	To add a consumer EPG: Click Add Consumer EPGs. The Select Consumer EPGs dialog appears. In the pane on the left side of the Select Consumer EPGs dialog, click to place a check in a check box to choose an EPG.
Step 6	To add a provider EPG: Click Add Provider EPGs. The Select Provider EPGs dialog appears. In the pane on the left side of the Select Provider EPGs dialog, click to place a check in a check box to choose a provider EPG. When finished, click Select. The Select Provider EPGs dialog box closes.

Creating a Filter Using the Cisco Cloud APIC GUI

This section explains how to create a filter using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Filter. The Create Filter dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Filter Dialog Box Fields table then continue.

Table 6. Create Filter Dialog Box Fields

Properties

Description

Name

Enter a name for the filter in the Name field.

Tenant

To choose a tenant:

Click Select Tenant. The Select Tenant dialog box appears.
From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Filter dialog box.

Description

Enter a description of the filter.

Add Filter

To add a filter:

Click Add Filter Entry. The Create Filter Entry dialog box appears.
Enter a name for the filter entry in the Name field.
From the Select Filter dialog, click to choose a filter in the left column then click Select. You return to the Create Contract dialog box.

Click the Ethernet Type drop-down list to choose an ethernet type. The options are:

Unspecified

Note

When Unspecified is chosen, the remaining fields are disabled.

Click the IP Protocol drop-down menu to choose a protocol. The options are:

icmp
tcp
udp

Unspecified

Note

The remaining fields are enabled only when tcp or udp is chosen.

Enter the appropriate port information in the Origin Port from and to fields.
Enter the appropriate port information in the Destination Port from and to fields.
When finished entering filter entry information, click Add. You return to the Create Filter dialog box where you can repeat the steps to add another filter entry.

Step 5

When finished, click Save.

Creating a Cloud Context Profile Using the Cisco Cloud APIC GUI

This section explains how to create a cloud context profile using the Cisco Cloud APIC GUI.

Before you begin

Create a VRF.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Cloud Context Profile. The Create Cloud Context Profile dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Cloud Context Profile Dialog Box Fields table then continue.

Table 7. Create Cloud Context Profile Dialog Box Fields

Properties

Description

Name

Enter the name of the cloud context profile.

Tenant

To choose a tenant:

Click Select Tenant. The Select Tenant dialog box appears.
From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

Description

Enter a description of the cloud context profile.

Settings

Select Region

To choose a region:

Click Select Region. The Select Region dialog box appears.
From the Select Region dialog, click to choose a region in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

Select VRF

To choose a VRF:

Click Select VRF. The Select VRF dialog box appears.
From the Select VRF dialog box, click to choose a VRF in the left column then click Select. You return to the Create Cloud Context Profile dialog box.

VPN Gateway Router

Click to check (enabled) or uncheck (disabled) in the VPN Gateway Router check box.

Add CIDR

Note

The following subnets are reserved and should not be used in this Add CIDR field:

169.254.0.0/16 (reserved for VPN tunnel to the transit gateway)
192.168.100.0/24 (reserved by the CCR for the bridge domain interface)

To add a CIDR:

Click Add CIDR. The Add CIDR dialog box appears.
Enter the address in the Address field.
Click Add Subnet and enter the subnet address in the Address field.
To add availability zones:
1. Click Select Availability Zone. The Select Availability Zone dialog box appears.
2. From the Select Availability Zone dialog box, click to choose an availability zone in the left column then click Select. You return to the Create Cloud Context Profile dialog box.
Click to check (enabled) or uncheck (disabled) the Primary check box.
When finished, click Add.

Step 5

Click Save when finished.

Configuring Instances in AWS

When you configure endpoint selectors for Cisco Cloud APIC, you will also need to configure the instances that you will need in AWS that will correspond with the endpoint selectors that you configure for Cisco Cloud APIC.

This topic provides the instructions for configuring the instances in AWS. You can use these procedures to configure the instances in AWS either before you configure the endpoint selectors for Cisco Cloud APIC or afterward. For example, you might go to your account in AWS and create a custom tag or label in AWS first, then create an endpoint selector using a custom tag or label in Cisco Cloud APIC afterward. Or you might create an endpoint selector using a custom tag or label in Cisco Cloud APIC first, then go to your account in AWS and create a custom tag or label in AWS afterward.

Procedure

Step 1

Review your cloud context profile configuration settings and determine which settings you will use with your AWS instance.

You must configure a cloud context profile as part of the AWS instance configuration process. When you configure a cloud context profile, the configurations, such as the VRF and region settings, are pushed out to AWS afterward.

From the Navigation menu, choose the Application Management tab.

When the Application Management tab expands, a list of subtab options appear.
Choose the Cloud Context Profiles subtab option.

A list of the cloud context profiles that you have created for your Cisco Cloud APIC are displayed.
Select the cloud context profile that you will use as part of this AWS instance configuration process.

Various configuration parameters are displayed for this cloud context profile, such as the region, VRF, IP address and subnets. Use the information displayed in this window when you configure the AWS instance.

Step 2

Step 3

Go to Services > EC2 > Instances > Launch Instance.

Step 4

In the Choose an Amazon Machine Image (AMI) page, select an Amazon Machine Image (AMI).

Step 5

In the Choose an Instance Type page, select an instance type, then click Configure Instance Details.

Step 6

In the Configure Instance Details page, enter the necessary information in the appropriate fields.

In the Network field, select your Cisco Cloud APIC VRF.

This would be the VRF that is associated with the cloud context profile that you are using as part of this AWS instance configuration process.
In the Subnet field, select the subnet.
In the Auto-assign Public IP field, if you want to have a public IP, select Enable from the scroll-down menu.

Step 7

When you have finished entering the necessary information into the Configure Instance Details page, click Add Storage.

Step 8

In the Add Storage page, accept the default values or configure the storage in this page, if necessary, and click Add Tags.

Step 9

In the Add Tags page, click Add Tag and enter the necessary information in the appropriate fields in this page.

Note

If you will be using IP Address, Region or Zone for the type of endpoint selector later in these procedures, you do not have to enter any information in this page. In those situations, when you start the instance in AWS, the IP address, region or zone will be discovered by the Cisco Cloud APIC and the endpoint will be assigned to the EPG.

Key: Enter the key that you will use when you create a custom tag for the type of endpoint selector that you are adding later in these procedures.
Value: Enter the value that you will be using for this key.
Instances: Check the box for this field.
Volumes: Check the box for this field.

For example, if you are planning on creating a custom tag for a specific building for your endpoint selector later in these procedures (such as building6), you might enter the following values in these fields on this page:

Key: Location
Value: building6

Step 10

Click Review and Launch.

The Select an existing key pair or create a new key pair page appears. Use the information in this page if you want to ssh to the instance later on.

Creating a Backup Configuration Using the Cisco Cloud APIC GUI

This section explains how to create a backup configuration.

Before you begin

Create a remote location and a scheduler, if needed.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appear in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Backup Configuration. The Create Backup Configuration dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Backup Configuration Dialog Box Fields table then continue.

Table 8. Create Backup Configuration Dialog Box Fields

Properties

Description

General

Name

Enter the name of the backup configuration.

Description

Enter a description of the backup configuration.

Settings

Backup Destination

Choose a backup destination.

Local
Remote

Backup Object

Choose the root hierarchical content to consider for the backup

Policy Universe

Selector Object—When chosen, this option adds the Object Type drop-down list and Object DN field.

From the Object Type drop-down list, choose from the following options:
- Tenant—When chosen the Select Tenant option appears.
- Application Profile—When chosen the Select Application Profile option appears.
- EPG—When chosen the Select EPG option appears.
- Contract—When chosen the Select Contract option appears.
- Filter—When chosen the Select Filter option appears.
- VRF—When chosen the Select VRFoption appears.
- Device—When chosen the Select fvcloudLBCtxoption appears.
- Service Graph—When chosen the Select Service Graph option appears.
- Cloud Context Profile—When chosen the Select Cloud Context Profile option appears.
Click the Select <object_name>. The Select <object_name> dialog appears.

From the Select <object_name> dialog, click to choose from the options in the left column then click Select. You return to the Create Backup Configuration dialog box.

Note

The Object DN field is automatically populated with the DN of the object it will use as root of the object tree to backup

Enter DN—When chosen, this option displays the Object DN field.
1. From the Object DN field, enter the DN of a specific object to use as the root of the object tree to backup.

Scheduler

Click Select Scheduler to open the Select Scheduler dialog and choose a scheduler from the left-side column.
Click the Select button at the bottom-right corner when finished.

Trigger Backup After Creation

Choose one of the following:

Yes—(Default) Trigger a backup after creating the backup configuration.
No—Do not trigger a backup after creating the backup configuration.

Step 5

Click Save when finished.

Creating a Tech Support Policy Using the Cisco Cloud APIC GUI

This section explains how to create a tech support policy.

Before you begin

When creating a tech support policy for a remote location, you must first create the remote location.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appear in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Tech Support. The Create Tech Support dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Tech Support Dialog Box Fields table then continue.

Table 9. Create Tech Support Dialog Box Fields
Properties	Description
General
Name	Enter the name of the tech support policy.
Description	Enter a description of the tech support.
Settings
Export Destination	Choose an export destination. Controller Remote Location—When chosen the Select Remote Location option appears. Click Select Remote Location. The Select Remote Location dialog box appears. From the Select Remote Location dialog, click to choose a remote location in the left column then click Select. You return to the Create Tech Suport dialog box.
Include Pre-Upgrade Logs	Click to place a check in the Enabled check box if you want to include pre-upgrade logs in the tech support policy.
Trigger After Creation	Click to place a check in the Enabled (the default) check box if you want to create the tech support policy after the policy creation. To disable, click the check box to uncheck.

Step 5

Click Save when finished.

Creating a Trigger Scheduler Using the Cisco Cloud APIC GUI

This section explains how to create a trigger scheduler.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appear in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Scheduler. The Create Trigger Scheduler dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Trigger Scheduler Dialog Box Fields table then continue.

Table 10. Create Trigger Scheduler Dialog Box Fields
Properties	Description
General
Name	Enter the name of the trigger scheduler policy.
Description	Enter a description of the trigger scheduler.
Settings
Recurring Windows	Click Add Recurring Window. The Add Recurring Window dialog appears. From the Schedule drop-down list, choose from the following. every-day Monday Tuesday Wednesday Thursday Friday Saturday Sunday odd-day even-day From the Start Time field, enter a time. From the Maximum Concurrent Tasks field, enter a number or leave the field empty to specify unlimited. From the Maximum Running Time, click to choose Unlimited or Custom. Click Add when finished.
Add One Time Window	Click Add One Time Window. The Add One Time Window dialog appears. From the Start Time field, enter a date and time. From the Maximum Concurrent Tasks field, enter a number or leave the field blank to specify unlimited. From the Maximum Running Time, click to choose Unlimited or Custom. Click Add when finished.

Step 5

Click Save when finished.

Creating a Remote Location Using the Cisco Cloud APIC GUI

This section explains how to create a remote location using the Cisco Cloud APIC.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Operations.

A list of Operations options appear in the Intent menu.

Step 3

From the Operations list in the Intent menu, click Create Remote Location. The Create Remote Location dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Remote Location Dialog Box Fields table then continue.

Table 11. Create Remote Location Dialog Box Fields
Properties	Description
General
Name	Enter the name of the remote location policy.
Description	Enter a description of the remote location policy.
Settings
Hostname/IP Address	Enter the hostname or IP address of the remote location
Protocol	Choose a protocol: FTP SFTP SCP
Path	Enter the path for the remote location.
Port	Enter the port for the remote location.
Username	Enter a username for the remote location.
Authentication Type	When using SFTP or SCP, choose the authentication type: Password SSH Key
SSH Key Content	Enter the SSH key content.
SSH Key Passphrase	SSH key passphrase.
Password	Enter a password for accessing the remote location.
Confirm Password	Reenter the password for accessing the remote location.
Management EPG	Click Select Management EPG. The Select Management EPG dialog appears. From the column on the left, click to choose a management EPG. Click Select.

Step 5

Click Save when finished.

Creating a Login Domain Using the Cisco Cloud APIC GUI

This section explains how to create a login domain using the Cisco Cloud APIC GUI.

Before you begin

Create a provider before creating a non-local domain.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appear in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Login Domain. The Create Login Domain dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Login Domain Dialog Box Fields table then continue.

Table 12. Create Login Domain Dialog Box Fields
Properties	Description
Name	Enter the name of the login domain.
Description	Enter a description of the login domain.
Realm	Choose a realm: Local LDAP—Requires adding providers and choosing an authenication type. RADIUS—Requires adding providers. TACACS+—Requires adding providers. SAML—Requires adding providers.
Providers	To add a provider: Click Add Providers. The Select Providers dialog appears with a list of providers in the left pane. Click to choose a provider. Click Select to add the provider.
Advanced Settings	Displays the Authentication Type and LDAP Group Map Rules fields.
Authentication Type	When LDAP is chosen for realm option, choose one of the following authentication types: Cisco AV Pairs—(Default) LDAP Group Map Rules—Requires adding LDAP group map rules.
LDAP Group Map Rules	To add an LDAP group map rule: Click Add LDAP Group Map Rule. The Add LDAP Group Map Rule dialog appears with a list of providers in the left pane. Enter a name for the rule in the Name field. Enter a description for the rule in the Description field. Enter a group DN for the rule in the Group DN field. Add security domains: Click Add Security Domain. The Add Security Domain dialog box appears. Click Select Security Domain. The Select Security Domain dialog box appears with a list of security domains in the left pane. Click to choose a security domain. Click Select to add the security domain. You return to the Add Security Domain dialog box. Add a user role: From the Add Security Domain dialog box, click Select Role. The Select Role dialog box appears with a list of roles in the left pane. Click to choose a role. Click Select to add the role. You retun to the Add Security Domain dialog box. From the Add Security Domain dialog box, click the Privilege Type drop-down list and choose Read Privilege or Write Privilege. Click the check mark on the right side of the Privilege Type drop-down list to confirm. Click Add when finished. You return to the Add LDAP Group Map Rule dialog box where you can add another security domain.

Step 5

Click Save when finished.

Creating a Provider Using the Cisco Cloud APIC GUI

This section explains how to create a provider using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appear in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Provider. The Create Provider dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Provider Dialog Box Fields table then continue.

Table 13. Create Provider Dialog Box Fields

Properties

Description

Hostname/IP Address

Enter the hostname or IP address of the provider.

Description

Enter a description of the provider.

Type

Click the Type drop-down list and choose one of the following types:

LDAP
RADIUS
TACACS+
SAML

Note

A set of fields will appear based on the type that you choose.

[LDAP] Settings

Bind DN

Enter the LDAP bind DN.

Base DN

Enter the LDAP base DN.

Password

Enter a password for the LDAP settings.

Confirm Password

Reenter the password for the LDAP settings.

Port

Enter the port number for the provider type.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 30.

Retries

Enter the number of allowed retries. The default is 1.

SSL

To enable SSL, click to place a check in the SSL check box. To disable SSL, click to remove the check from the SSL check box. The default is enabled.

SSL Certificate Validation Level

Choose one of the following:

Permissive
Strict

Attribute

Enter an LDAP attribute in the Attribute text box.

Filter Type

Choose a filter type:

Default
Microsoft AD
Custom

Filter

Enter an LDAP filter in the text box. This option only appears when the Custom filter type is chosen.

Select Management EPG

To add a management EPG:

Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.
Click to choose an EPG.
Click Select to add the management EPG to the LDAP.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[RADIUS] Settings

Key

Enter the RADIUS key.

Confirm Key

Reenter the RADIUS key.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Port

Enter the port number for the RADIUS settings. The default is 1812.

Authentication Protocol

Choose from the following:

PAP—(Default)
CHAP
MS-CHAP

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Select Management EPG

To add a management EPG:

Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.
Click to choose an EPG.
Click Select to add the management EPG to the RADIUS.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[TACACS+] Settings

Key

Enter the TACACS+ key.

Confirm Key

Reenter the TACACS+ key.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

Port

Enter the port number for the TACACS+ settings. The default is 1812.

Authentication Protocol

Choose from the following:

CHAP
MS-CHAP
PAP—(Default)

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Select Management EPG

To add a management EPG:

Click Select Management EPG. The Select Management EPG dialog appears with a list of EPGs in the left pane.
Click to choose an EPG.
Click Select to add the management EPG to the TACACS+.

Server Monitoring

To enable server monitoring, click to place a check in the Enabled check box. To disable server monitoring, click to remove the check from the Enabled check box. The default is disabled.

[SAML] Settings

Identity Provider

Choose from the following identity providers:

ADFS—(default)
OKTA
PING IDENTITY

Identity Provider Metadata URL

Enter the metatdata URL provided by the identity provider.

Entity ID

Enter a unique ID as the SAML entity identifier.

HTTPS Proxy for Metadata URL

Enter the HTTPS proxy used to reach the identity provider's metadata URL.

Advanced Settings

Displays additional fields in the Settings section of the provider dialog box.

GUI Redirect Banner Message (URL)

Enter the GUI redirect banner message.

Certificate Authority

To choose a certificate authority:

Click Select Certificate Authoriy. The Select Certificate Authoriy dialog appears with a list of certificates in the left pane.
Click to choose a certificate.
Click Select to add the certificate. You return to the Create Provider dialog box.

Timeout (sec)

Enter the number of seconds allowed before a timeout occurs. The default is 5.

Retries

Enter the number of allowed retries. The default is 1.

Signature Algorithm Authentication User Requests*

Click the Signature Algorithm for Requests drop-down list and choose one of the following:

RSA SHA1
RSA SHA224
RSA SHA256
(Default)
RSA SHA384
RSA SHA512

Sign SAML Authentication Requests

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Sign SAML Response Message

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Sign Assertions in SAML Response

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Encrypt SAML Assertions

To enable, click to place a check in the check box. To disable, click to remove the check from the check box. The default is enabled.

Step 5

Click Save when finished.

Creating a Security Domain Using the Cisco Cloud APIC GUI

A security domain restricts the tenant to the security domains that you add. If you do not add a security domain, all security domains will have access to this tenant. This section explains how to create a security domain using the GUI.

Procedure

Step 1	Click the Intent icon. The Intent menu appears.
Step 2	Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appear in the Intent menu.
Step 3	From the Administrative list in the Intent menu, click Create Security Domain. The Create Security Domain dialog box appears.
Step 4	In the Name field, enter the name of the security domain.
Step 5	In the Description field, enter a description of the security domain.
Step 6	Click Save when finished.

Creating a Role Using the Cisco Cloud APIC GUI

This section explains how to create a role using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appear in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Role. The Create Role dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Role Dialog Box Fields table then continue.

Table 14. Create Role Dialog Box Fields
Properties	Description
General
Name	Enter a name for the role in the Name field.
Description	Enter a description of the role.
Settings
Privilege	Click to place a check mark in the check boxes of the privileges you want to assign the user. The privileges are: aaa—Used for configuring authentication, authorization, accouting and import/export policies. access-connectivity-l1Used for Layer 1 configuration under infra. Example: selectors and port Layer 1 policy configurations. access-connectivity-l2—Used for Layer 2 configuration under infra. Example: Encap configurations on selectors, and attachable entity. access-connectivity-l3—Used for Layer 3 configuration under infra and static route configurations under a tenant's L3Out. access-connectivity-mgmt—Used for management infra policies. access-connectivity-util—Used for tenant ERSPAN policies. access-equipment—Used for access port configuration. access-protocol-l1—Used for Layer 1 protocol configurations under infra. access-protocol-l2—Used for Layer 2 protocol configurations under infra. access-protocol-l3—Used for Layer 3 protocol configurations under infra. access-protocol-mgmt—Used for fabric-wide policies for NTP, SNMP, DNS, and image management. access-protocol-ops—Used for operations-related access policies such as cluster policy and firmware policies. access-protocol-util—Used for tenant ERSPAN policies. access-qos—Used for changing CoPP and QoS-related policies. admin—Complete access to everything (combine ALL roles) fabric-connectivity-l1—Used for Layer 1 configuration under the fabric. Example: selectors and port Layer 1 policy and vPC protection. fabric-connectivity-l2—Used in firmware and deployment policies for raising warnings for estimating policy deployment impact. fabric-connectivity-l3—Used for Layer 3 configuration under the fabric. Example: Fabric IPv4 and MAC protection groups. fabric-connectivity-mgmt—Used for atomic counter and diagnostic policies on leaf switches and spine switches. fabric-connectivity-util—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches. fabric-equipment—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches. fabric-protocol-l1—Used for Layer 1 protocol configurations under the fabric. fabric-protocol-l2—Used for Layer 2 protocol configurations under the fabric. fabric-protocol-l3—Used for Layer 3 protocol configurations under the fabric. fabric-protocol-mgmt—Used for fabric-wide policies for NTP, SNMP, DNS, and image management. fabric-protocol-ops—Used for ERSPAN and health score policies. fabric-protocol-util—Used for firmware management traceroute and endpoint tracking policies. none—No privilege. nw-svc-device—Used for managing Layer 4 to Layer 7 service devices. nw-svc-devshare—Used for managing shared Layer 4 to Layer 7 service devices. nw-svc-params—Used for managing Layer 4 to Layer 7 service policies. nw-svc-policy—Used for managing Layer 4 to Layer 7 network service orchestration. ops—Used for operational policies including monitoring and troubleshooting policies such as atomic counter, SPAN, TSW, tech support, traceroute, analytics, and core policies. tenant-connectivity-l1—Used for Layer 1 connectivity changes, including bridge domains and subnets. tenant-connectivity-l2—Used for Layer 2 connectivity changes, including bridge domains and subnets. tenant-connectivity-l3—Used for Layer 3 connectivity changes, including VRFs. tenant-connectivity-mgmt—Used for tenant in-band and out-of-band management connectivity configurations and for debugging/monitoring policies such as atomic counters and health score. tenant-connectivity-util—Used for atomic counter, diagnostic, and image management policies on leaf switches and spine switches. tenant-epg—Used for managing tenant configurations such as deleting/creating endpoint groups, VRFs, and bridge domains. tenant-ext-connectivity-l2—Used for managing tenant L2Out configurations. tenant-ext-connectivity-l3—Used for managing tenant L3Out configurations. tenant-ext-connectivity-mgmt—Used as write access for firmware policies. tenant-ext-connectivity-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk. tenant-ext-protocol-l1—Used for managing tenant external Layer 1 protocols. Generally only used for write access for firmware policies. tenant-ext-protocol-l2—Used for managing tenant external Layer 2 protocols. Generally only used for write access for firmware policies. tenant-ext-protocol-l3—Used for managing tenant external Layer 3 protocols such as BGP, OSPF, PIM, and IGMP. tenant-ext-protocol-mgmt—Used as write access for firmware policies. tenant-ext-protocol-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk. tenant-network-profile—Used for managing tenant configurations, such as deleting and creating network profiles, and deleting and creating endpoint groups. tenant-protocol-l1—Used for managing configurations for Layer 1 protocols under a tenant. tenant-protocol-l2—Used for managing configurations for Layer 2 protocols under a tenant. tenant-protocol-l3—Used for managing configurations for Layer 3 protocols under a tenant. tenant-protocol-mgmt—Only used as write access for firmware policies. tenant-protocol-ops—Used for tenant traceroute policies. tenant-protocol-util—Used for debugging/monitoring/observer policies such as traceroute, ping, oam, and eptrk. tenant-qos—Only used as Write access for firmware policies. tenant-security—Used for Contract related configurations for a tenant. vmm-connectivity—Used to read all the objects in APIC's VMM inventory required for VM connectivity. vmm-ep—Used to read VM and Hypervisor endpoints in the APIC's VMM inventory. vmm-policy—Used for managing policies for VM networking. vmm-protocol-ops—Not used by VMM policies. vmm-security—Used for Contract related configurations for a tenant.

Step 5

Click Save when finished.

Creating an RBAC Rule Using the Cisco Cloud APIC GUI

This section explains how to create an RBAC rule using the GUI.

Before you begin

Create a security domain.

Procedure

Step 1	Click the Intent icon. The Intent menu appears.
Step 2	Click the drop-down arrow below the Intent search box and choose Administrative. A list of Administrative options appears in the Intent menu.
Step 3	From the Administrative list in the Intent menu, click Create RBAC Rule. The Create RBAC Rule dialog box appears.
Step 4	In the DN field, enter the DN for the rule.
Step 5	Choose a security domain: Click Select Security Domain. The Select Security Domain dialog box appears. From the Select Security Domain dialog box, click to choose a security domain from the column on the left then click Select. You return to the Create RBAC Rule dialog box.
Step 6	From the Allow Writes field, click Yes to allow writes or No to not allow writes.
Step 7	Click Save when finished.

Creating a Certificate Authority Using the Cisco Cloud APIC GUI

This section explains how to create a certificate authority using the GUI.

Before you begin

Have the certificate chain.
If the certificate authority is for a tenant, create the tenant.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appears in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Certificate Authority. The Create Certificate Authority dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Certificate Authority Dialog Box Fields table then continue.

Table 15. Create Certificate Authority Dialog Box Fields

Properties

Description

Name

Enter the name of the certificate authority.

Description

Enter a description of the certificate authority.

Used for

Choose from the following options:

Tenant—Choose if the certificate authority is for a specific tenant. When chosen, the Select Tenant option appears in the GUI.
System—Choose if the certificate authority is for the system.

Select Tenant

To choose a tenant:

Click Select Tenant. The Select Tenant dialog box appears.
From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Certificate Authority dialog box.

Certificate Chain

Enter the certificate chain in the Certificate Chain text box.

Note

Add the certificates for a chain in the following order:

CA
Sub-CA
Subsub-CA
Server

Step 5

Click Save when finished.

Creating a Key Ring Using the Cisco Cloud APIC GUI

This section explains how to create a key ring using the Cisco Cloud APIC GUI.

Before you begin

Create a certificate authority.
Have a certificate.
If the key ring is for a specific tenant, create the tenant.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appear in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Key Ring. The Create Key Ring dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Key Ring Dialog Box Fields table then continue.

Table 16. Create Key Ring Dialog Box Fields
Properties	Description
Name	Enter the name of the key ring.
Description	Enter a description of the key ring.
Used for	System—The key ring is for the system. Tenant—The key ring is for a specific tenant. Displays a Tenant field for specifying the tenant.
Select Tenant	To choose a tenant: Click Select Tenant. The Select Tenant dialog box appears. From the Select Tenant dialog, click to choose a tenant in the left column then click Select. You return to the Create Key Ring dialog box.
Settings
Certificate Authority	To choose a certificate authority: Click Select Certificate Authority. The Select Certificate Authority dialog appears. Click to choose a certificate authority in the column on the left. Click Select. You return to the Create Key Ring dialog box.
Private Key	Choose one of the following: Generate New Key—Generates a new key. Import Existing Key—Displays the Private Key text box and enables you to use an existing key.
Private Key	Enter an existing key in the Private Key text box (for the Import Existing Key option).
Modulus	Click the Modulus drop-down list to choose from the following: MOD 512 MOD 1024 MOD 1536 MOD 2048—(Default)
Certificate	Enter the certificate information in the Certificate text box.

Step 5

Click Save when finished.

Creating a Local User Using the Cisco Cloud APIC GUI

This section explains how to create a local user using the Cisco Cloud APIC GUI.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Administrative.

A list of Administrative options appear in the Intent menu.

Step 3

From the Administrative list in the Intent menu, click Create Local User. The Create Local User dialog box appears.

Step 4

Enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields table then continue.

Table 17. Create Local User Dialog Box Fields
Properties	Description
Name	Enter the username of the local user.
Password	Enter the password for the local user.
Confirm Password	Reenter the password for the local user.
Description	Enter a description of the local user.
Settings
Account Status	To choose the account status: Active—Activates the local user account. Inactive—Deactivates the local user account.
First Name	Enter the first name of the local user.
Last Name	Enter the last name of the local user.
Email Address	Enter the email address of the local user.
Phone Number	Enter the phone number of the local user.
Security Domains	To add a security domain: Click Add Security Domain. The Add Security Domain dialog box appears. Click Select Security Domain. The Select Security Domain dialog box appears with a list of security domains in the left pane. Click to choose a security domain. Click Select to add the security domain. You return to the Add Security Domain dialog box. Add a user role: From the Add Security Domain dialog box, click Select Role. The Select Role dialog box appears with a list of roles in the left pane. Click to choose a role. Click Select to add the the role. You retun to the Add Security Domain dialog box. From the Add Security Domain dialog box, click the Privilege Type drop-down list and choose Read Privilege or Write Privilege. Click the check mark on the right side of the Privilege Type drop-down list to confirm. Click Add when finished. You return to the Create Local User dialog box where you can add another security domain.

Step 5

Click Advanced Settings and enter the appropriate values in each field as listed in the following Create Local User Dialog Box Fields: Advanced Settings table then continue.

Table 18. Create Local User Dialog Box Fields: Advanced Settings
Property	Description
Account Expires	If you choose Yes, the account is set to expire at the time that you choose.
Password Update Required	If you choose Yes, the user must change the password upon the next login.
OTP	Put a check in the box to enable the one-time password feature for the user.
User Certificates	To add a user certificate: Click Add X509 Certificate. The Add X509 Certificate dialog box appears. Enter a name in the Name field. Enter the X509 certificate in the User X509 Certificate text box. Click Add. The X509 certificate in the User X509 Certificate dialog box closes. You return to the Local User dialog box.
SSH Keys	To add a an SSH key: Click Add SSH Key. The Add SSH Key dialog box appears. Enter a name in the Name field. Enter the SSH key in the Key text box. Click Add. The Add SSH Key dialog box closes. You return to the Local User dialog box.

Step 6

Click Save when finished.

Managing Regions (Configuring a Cloud Template) Using the Cisco Cloud APIC GUI

Regions are configured during the first-time setup. When configured, you specify the regions that are managed by Cisco Cloud APIC and the region's inter-site and inter-region connectivity. This section explains how to manage regions with the cloud template using the Cisco Cloud APIC GUI after the initial installation.

For more information about cloud templates, see About the Cloud Template.

Procedure

Step 1

Click the Intent icon. The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Configuration.

A list of options appear in the Intent menu.

Step 3

From the Configuration list in the Intent menu, click cAPIC Setup.

The Set up - Overview dialog box appears with options for DNS and NTP Servers, Region Management, and Smart Licensing.

Step 4

For Region Management, click Edit Configuration.

The Setup - Region Management dialog box appears. and the first step in the Setup - Region Management series of steps appears, Regions to Manage, with a list of managed regions.

Step 5

If you want inter-site connectivity, click to place a check mark in the Enabled box in the Inter-Site Connectivity area.

The Inter-Site Connectivity step is added in the Setup - Region Management steps at the top of the page.

Step 6

To choose a region that you want to be managed by the Cisco Cloud APIC, click to place a check mark in check box of that region.

Step 7

To deploy cloud routers locally to this region, click to place a check mark in the Cloud Routers check box for that region.

Step 8

To configure the fabric infra connectivity for the cloud site, click Next.

The next step in the Setup - Region Management series of steps appears, General Connectivity

Step 9

To add a subnet pool for the CSRs, click Add Subnet Pool for Cloud Router and enter the subnet in the text box.

Note

The /24 subnet provided during the Cloud APIC deployment would be sufficient for up to two cloud sites. If you need to manage more than two cloud sites, you need to add more subnets.

Step 10

Enter a value in the BGP Autonomous System Number for CSRs field.

The BGP ASN can be in the range of 1 - 65534.

Step 11

In the Assign Public IP to CSR Interface field, determine if you want to have a public or a private IP address assigned to the CSR interface.

To have a public IP address assigned to the CSR interface, leave the check in the Enabled check box. By default, the Enabled check box is checked.
To have public IP disabled to the CSR interfaces, uncheck the Enabled check box. A private IP address is used for connectivity in this case.

Note

Disabling or enabling a public IP address is a disruptive operation and can result in traffic loss.

Beginning with release 5.2(1), both the public and private IP addresses assigned to a CSR are displayed with the other details of the router in the Cloud Resources area. If a public IP is not assigned to a CSR, only the private IP is displayed.

Step 12

To chose the number of routers per region, click the Number of Routers Per Region drop-down list and click 2, 3, or 4.

Step 13

Enter a username in the Username text box.

Step 14

Enter a password in the Password and Confirm Password text boxes.

Step 15

To choose the throughput value, click the Throughput of the routers drop-down list.

Note

Cloud routers should be undeployed from all regions before changing the throughput or login credentials.

Step 16

(Optional) To specify the license token, enter the product instance registration token in the License Token text box.

Note

If no token is entered, the CSR will be in EVAL mode.

Note

If the public IP addresses are disabled to the CSRs in Step 11, the only supported option is AWS Direct Connect or Azure Express Route to Cisco Smart Software Manager (CSSM) when registering smart licensing for CSRs with private IP addresses (available by navigating to Administrative > Smart Licensing). You must provide reachability to the CSSM through AWS Direct Connect or Azure Express Route in this case. When the public IP addresses are disabled, public internet cannot be used because private IP addresses are being used. The connectivity should therefore use Private Connection, which is AWS Direct Connect or Azure Express Route.

Step 17

Click Next.

If you placed a check mark in the Enabled box in the Inter-Site Connectivity area earlier in these procedures, Inter-Site Connectivity appears as the next step in the Setup - Region Management series of steps. Go to Step 18.
If you did not place a check mark in the Enabled box in the Inter-Site Connectivity area earlier in these procedures, go to Step 22.

Step 18

To enter a peer public IP address of the IPsec Tunnel peer on-premises in the text box, click Add Public IP of IPSec Tunnel Peer.

Step 19

Enter the OSPF area ID in the OSPF Area Id text box.

Step 20

To add an external subnet pool, click Add External Subnet and enter a subnet pool in the text box.

Step 21

When you have configured all the connectivity options, click Next at the bottom of the page.

Step 22

Click Save and Continue when finished.

Configuring Cisco Cloud APIC Using the REST API

Creating a Tenant Using the REST API

This section demonstrates how to create a tenant and assigns using the REST API.

Procedure

To create a tenant:


<polUni>
  <fvTenant name="infra">
    <cloudAwsProvider region="us-east-1" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin" status=""/>
  </fvTenant>
</polUni>

Creating a Contract Using the REST API

This example demonstrates how to create a contract for the Cisco Cloud APIC using the REST API.

Before you begin

Create filters.

Procedure

To create a contract:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <vzFilter descr="" name="http-family-destination" ownerKey="" ownerTag="">
      <vzEntry name="http" prot="tcp" etherT="ip" dFromPort="http" dToPort="http"/>
      <vzEntry name="https" prot="tcp" etherT="ip" dFromPort="https" dToPort="https"/>
    </vzFilter>
    <vzBrCP name="httpFamily">
      <vzSubj name="default" revFltPorts="yes" targetDscp="unspecified">
        <vzRsSubjFiltAtt action="permit" directives="" tnVzFilterName="http-family-destination"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>

Creating a Cloud Context Profile Using the REST API

This section demonstrates how to create a cloud context profile.

Before you begin

Create a VRF.

Procedure

To create a cloud context profile:

Example:

<polUni>
<fvTenant name="Corp1" status="">
	<cloudAwsProvider accessKeyId="" secretAccessKey="" providerId="aws" status="" accountId=""/>

   <fvCtx name="prod-1" status="">
    <bgpRtTargetP af="ipv4-ucast">
      <bgpRtTarget rt="route-target:as4-nn2:400:400" type="export"/>
      <bgpRtTarget rt="route-target:as4-nn2:400:400" type="import"/>
    </bgpRtTargetP>
  </fvCtx>

   <fvCtx name="prod-2" status="">
    <bgpRtTargetP af="ipv4-ucast">
      <bgpRtTarget rt="route-target:as4-nn2:500:500" type="export"/>
      <bgpRtTarget rt="route-target:as4-nn2:500:500" type="import"/>
    </bgpRtTargetP>
  </fvCtx>
  
  <cloudVpnGwPol name="VgwPol" status=""/>

  <cloudApp name="payment" status="">
    <cloudEPg  name="web" status="">
      <cloudRsCloudEPgCtx tnFvCtxName="prod-1" />
    </cloudEPg>
  </cloudApp>
  <cloudApp name="billing">
    <cloudEPg  name="app">
      <cloudRsCloudEPgCtx tnFvCtxName="prod-2" />
    </cloudEPg>
  </cloudApp>

  <cloudCtxProfile name="prod-web-east-1">
    <cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-aws/region-us-east-1"/>
    <cloudRsToCtx tnFvCtxName="prod-1"/>
    <cloudRouterP name="RouterP1" type="vpn-gw">
     <cloudRsToVpnGwPol tnCloudVpnGwPolName="VgwPol"/>
       <cloudIntNetworkP name="IntNetworkP1"/>
    </cloudRouterP>

    <cloudCidr addr="60.10.10.1/16" primary="true">
        <cloudSubnet ip="60.10.10.1/24">
            <cloudRsZoneAttach tDn="uni/clouddomp/provp-aws/region-us-east-1/zone-us-east-1a"/>
        </cloudSubnet>
    </cloudCidr>
  </cloudCtxProfile>

  <cloudCtxProfile name="prod-payment-east-1" status="">
    <cloudRsCtxProfileToRegion tDn="uni/clouddomp/provp-aws/region-us-east-1"/>
    <cloudRsToCtx tnFvCtxName="prod-2" status=""/>
    <cloudRouterP name="RouterP1" type="vpn-gw">
     <cloudRsToVpnGwPol tnCloudVpnGwPolName="VgwPol"/>
       <cloudIntNetworkP name="IntNetworkP1" status=""/>
    </cloudRouterP>

    <cloudCidr addr="70.10.10.1/16" primary="true" status="">
       <cloudSubnet ip="70.10.10.1/24" status="">
           <cloudRsZoneAttach tDn="uni/clouddomp/provp-aws/region-us-east-1/zone-us-east-1a"/>
       </cloudSubnet>
    </cloudCidr>
  </cloudCtxProfile>

</fvTenant>
</polUni>

Managing a Cloud Region Using the REST API

This section demonstrates how to manage a cloud region using the REST API.

Procedure

To create a cloud region:


<polUni>
  <cloudDomP name="dom-us-east-2">
    <cloudBgpAsP asn="64513"/>
    <cloudProvP vendor="aws">
      <cloudRegion name="us-east-2" adminSt="managed">
        <cloudZone name="us-east-2a"/>
        <cloudZone name="us-east-2b"/>
      </cloudRegion>
    </cloudProvP>
  </cloudDomP>
</polUni>

Creating a Filter Using the REST API

This section demonstrates how to create a filter using the REST API.

Procedure

To create a filter:


https://<IP_Address>/api/node/mo/.xml
<polUni>
<fvTenant name="intervpc" >
<fvCtx name="VRF1"/> 
    <cloudApp name="CloudAP1" >
    <cloudEPg name="CloudEPG1" >
        <cloudRsCloudEPgCtx tnFvCtxName="VRF1"/>
        <fvRsProv tnVzBrCPName="Contract2” > </fvRsProv>
        <cloudEPSelector name="sel1" matchExpression="custom:epgtag=='cloudepg1'" />
      </cloudEPg>
     </cloudApp>

      <vzFilter name="http" annotation="orchestrator:msc" >
      <vzEntry name="Entry3" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="80" dToPort="80" > </vzEntry>
    </vzFilter>

   <vzBrCP name="Contract2" scope="global">
      <vzSubj name="test-subj" >
       
        
        <vzRsSubjFiltAtt action="permit" tnVzFilterName="http" directives="none" /> 
        
        
      </vzSubj>
    </vzBrCP>
   </fvTenant>
</polUni>

Creating an Application Profile Using the REST API

This section demonstrates how to create an application profile using the REST API.

Before you begin

Create a tenant.

Procedure

To create an application profile:


https://<IP_Address>/api/node/mo/.xml
<polUni>
<fvTenant name="intervpc" >
<fvCtx name="VRF1"/> 
    <cloudApp name="CloudAP1" >

    <cloudEPg name="CloudEPG1" >
        <cloudRsCloudEPgCtx tnFvCtxName="VRF1"/>
        <fvRsProv tnVzBrCPName="Contract2” > </fvRsProv>
        <cloudEPSelector name="sel1" matchExpression="custom:epgtag=='cloudepg1'" />
      </cloudEPg>

     </cloudApp>

      <vzFilter name="http" annotation="orchestrator:msc" >
      <vzEntry name="Entry3" prot="tcp" etherT="ipv4" arpOpc="unspecified" stateful="no" applyToFrag="no" sFromPort="unspecified" sToPort="unspecified" dFromPort="80" dToPort="80" > </vzEntry>
    </vzFilter>
   <vzBrCP name="Contract2" scope="global">
      <vzSubj name="test-subj" >
        <vzRsSubjFiltAtt action="permit" tnVzFilterName="http" directives="none" /> 
        </vzSubj>
    </vzBrCP>
   </fvTenant>
</polUni>

Creating a Cloud EPG Using the REST API

This example demonstrates how to create a cloud EPG using the REST API.

Before you begin

Create an application profile and a VRF.

Procedure

To create a cloud EPG:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <!-- Tenant provide AWS credentials -->
    <cloudAwsProvider region="us-east-2" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin"/>
    <fvCtx name="v1" status=""/>
    <cloudApp name="ap">
      <cloudEPg name="provEPG" status="">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='provfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='provbaz'"/>
        <fvRsProv tnVzBrCPName="httpFamily"/>
      </cloudEPg>
      <cloudEPg name="consEPG">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='consfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='consbaz'"/>
        <fvRsCons tnVzBrCPName="httpFamily"/>
      </cloudEPg>
    </cloudApp>
  </fvTenant>
</polUni>

Creating an External Cloud EPG Using the REST API

This example demonstrates how to create an external cloud EPG using the REST API.

Before you begin

Create an application profile and a VRF.

Procedure

To create an external cloud EPG:

Example:


<polUni>
  <fvTenant name="t2" status="">
    <!-- Tenant provide AWS credentials -->
    <cloudAwsProvider region="us-east-2" accessKeyId="123" secretAccessKey="ABCDE" providerId="admin"/>
    <fvCtx name="v1" status=""/>
    <cloudApp name="ap">
      <cloudEPg name="provEPGInternet" status="">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudEPSelector name="1" matchExpression="custom:tag=='provfoo'"/>
        <cloudEPSelector name="2" matchExpression="custom:tag=='provbaz'"/>
        <fvRsProv tnVzBrCPName="httpFamily"/>
      </cloudEPg>
      <cloudExtEPg name="consInternetEPG">
        <cloudRsCloudEPgCtx tnFvCtxName="v1"/>
        <cloudExtEPSelector name="1" subnet="0.0.0.0/0"/>
        <fvRsCons tnVzBrCPName="httpFamily"/>
      </cloudExtEPg>
    </cloudApp>
  </fvTenant>
</polUni>

Creating a Cloud Template Using the REST API

This section demonstrates how to create a cloud template using the REST API. For more information about cloud templates, see About the Cloud Template.

Procedure

To create a cloud template:

<polUni>
  <fvTenant name="infra">
    <cloudtemplateInfraNetwork name="default" vrfName="overlay-1">
         <cloudtemplateProfile name="defaultxyz" routerUsername="SomeFirstName" routerPassword="SomePass" >
              </cloudtemplateProfile>
      <cloudtemplateExtSubnetPool subnetpool="10.20.0.0/16"/>

      <cloudtemplateIntNetwork name="default">
        <cloudRegionName provider="aws" region="us-west-1"/>
        <cloudRegionName provider="aws" region="us-west-2"/>
      </cloudtemplateIntNetwork>

      <cloudtemplateExtNetwork name="default">
        <cloudRegionName provider="aws" region="us-west-2"/>

        <cloudtemplateVpnNetwork name="default">

          <cloudtemplateIpSecTunnel peeraddr="23.2.1.1/32" />
          <cloudtemplateIpSecTunnel peeraddr="23.0.1.1/32" />
          <cloudtemplateIpSecTunnel peeraddr="23.1.1.1/32" />

          <cloudtemplateOspf area="0.0.0.1"/>

        </cloudtemplateVpnNetwork>

        <cloudtemplateBgpEvpn peeraddr="34.1.1.1/32" asn="63000" siteId="123" password="abcd1234" />

      </cloudtemplateExtNetwork>
</cloudtemplateInfraNetwork>
  </fvTenant>
</polUni>

Cisco Cloud APIC for AWS User Guide, Release 5.2(x)

Bias-Free Language

Results

Chapter: Configuring Cisco Cloud APIC Components

Configuring Cisco Cloud APIC Components

About Configuring the Cisco Cloud APIC

Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(2) and Earlier

Procedure

Creating a Tenant Using the Cisco Cloud APIC GUI For Release 4.2(3) and Later

Procedure

Configure a Tenant AWS Provider For Release 4.2(2) and Earlier

Before you begin

Procedure

Configuring a Tenant AWS Provider For Release 4.2(3) and Later

Before you begin

Procedure

Creating an Application Profile Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a VRF Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating an EPG Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Contract Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Specifying Consumer and Provider EPGs Using the Cisco Cloud APIC

Before you begin

Procedure

Creating a Filter Using the Cisco Cloud APIC GUI

Procedure

Creating a Cloud Context Profile Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Configuring Instances in AWS

Procedure

Creating a Backup Configuration Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Tech Support Policy Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Trigger Scheduler Using the Cisco Cloud APIC GUI

Procedure

Creating a Remote Location Using the Cisco Cloud APIC GUI

Procedure

Creating a Login Domain Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Provider Using the Cisco Cloud APIC GUI

Procedure

Creating a Security Domain Using the Cisco Cloud APIC GUI

Procedure

Creating a Role Using the Cisco Cloud APIC GUI

Procedure

Creating an RBAC Rule Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Certificate Authority Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Key Ring Using the Cisco Cloud APIC GUI

Before you begin

Procedure

Creating a Local User Using the Cisco Cloud APIC GUI

Procedure

Managing Regions (Configuring a Cloud Template) Using the Cisco Cloud APIC GUI

Procedure

Creating a Tenant Using the REST API

Procedure

Creating a Contract Using the REST API

Before you begin

Procedure

Example:

Creating a Cloud Context Profile Using the REST API

Before you begin

Procedure

Example: