Cisco CloudCenter Solution: Architecture Overview


White Paper | Cisco Public
© 2016 Cisco and/or its affiliates. All rights reserved.

Contents

Executive Summary
Introduction
Cisco CloudCenter Manager
Application Profile
Application Profile Creation and Sharing
Cisco CloudCenter Orchestrator
Orchestrator Agent
Artifact Repositories
Enterprise-Class Solution
Conclusion
For More Information

Executive Summary

The Cisco CloudCenter hybrid cloud management platform has a simple architecture, with two primary software components that support a wide range of use cases:

- Cisco CloudCenter Manager: The interface in which users model, deploy, and manage applications on and between a data center and a cloud infrastructure, and in which administrators control clouds, users, and governance rules.
- Cisco CloudCenter Orchestrator: Resident in every data center or cloud region; automates application deployment along with infrastructure (computing, storage, and networking) provisioning and configuration based on the application's requirements.

The Cisco CloudCenter solution includes a number of additional architectural features, such as cloud-independent application profiles, that improve speed and flexibility while offering comprehensive administrator visibility and control that spans the boundaries of applications, clouds, and users.

This document summarizes the main architectural features that make the Cisco CloudCenter solution a unique and powerful choice for any IT organization or service provider seeking to deploy and manage applications in a mix of data center and cloud environments.

Introduction

The Cisco CloudCenter solution is a hybrid cloud management platform that securely provisions infrastructure resources and deploys application components and data in more than 19 data center and private and public cloud environments.

The solution supports a wide range of uses in enterprise IT organizations, including application migration, DevOps automation across various cloud environments, and dynamic capacity augmentation within or between clouds. It also can serve as the foundation for a comprehensive hybrid IT-as-a-service (ITaaS) delivery strategy.

With its simple two-part architecture, the Cisco CloudCenter solution delivers fast time-to-value, and deployment does not require a major professional services project.

This enterprise-class solution offers a secure, scalable, extensible, and multitenant platform that meets the needs of the most demanding IT organizations and cloud service providers. Department-level deployments, alternatively, make it easy for IT and users to deploy and manage applications in any data center or cloud environment.

Figure 1 shows the primary software components of the solution: Cisco CloudCenter Manager and Cisco CloudCenter Orchestrator. The solution also offers various other architectural features, such as the application profile, that give Cisco CloudCenter customers a significant advantage when implementing their cloud strategies.

Figure 1. Cisco CloudCenter Software Components and Main Architectural Features
[Figure: Cisco CloudCenter Manager and Cisco CloudCenter Orchestrator, with the application profile and API; the platform is secure, scalable, extensible, and multitenant.]

This document provides an introduction to the Cisco CloudCenter software components and main architectural features.

Cisco CloudCenter Manager

Cisco CloudCenter Manager serves as the primary interface for users and administrators. Only one manager is required for each Cisco CloudCenter installation, and the manager can be used with multiple fully or partially isolated tenants as needed. A manager is linked to one or many orchestrators and can simultaneously support thousands of applications. Additional managers can be added to meet disaster-recovery or high-availability requirements.

For a traditional on-premises configuration, the manager is delivered as a preinstalled virtual appliance. The multitenant SaaS version of the manager can be linked to customer-installed orchestrators.

The manager includes user functions for modeling, deploying, and managing applications, and administrator functions that deliver visibility and control that spans the boundaries of applications, users, and clouds.

Cisco CloudCenter users and administrators access the manager through a web browser user interface, a command-line interface (CLI), or a representational state transfer (REST) API.

- Browser-based user interface: The manager coordinates application deployment, lifecycle management, administration, and governance activities for each data center or cloud environment. Cisco CloudCenter supports Security Assertion Markup Language 2.0 (SAML 2.0)-based integration with an existing user directory (such as Lightweight Directory Access Protocol [LDAP] or Microsoft Active Directory). The solution supports indirect Active Directory authentication using single sign-on (SSO) between Cisco CloudCenter, acting as the SAML service provider, and the customer's identity provider (IdP), such as Active Directory Federation Services (ADFS). See the product documentation for a quick user interface tour.
- Command-line interface: Experienced administrators can perform a wide range of common functions from the Cisco CloudCenter CLI. This interface is based on the Rerun Bash framework, a modular shell automation framework, and consists of Cisco CloudCenter scripts that call the REST API. See the product documentation for common CLI use cases.
- REST API: Cisco CloudCenter has a mature and well-documented API. Solution users and administrators can use the REST API to run most Cisco CloudCenter functions. The login credentials presented with each call determine which APIs can be run. See the product documentation for more information about the Cisco CloudCenter REST API.

Application Profile

The application profile, a critical feature of the Cisco CloudCenter hybrid cloud management solution, is a cloud-independent and portable model that defines each application's deployment and management requirements. Each application profile combines infrastructure automation and application automation layers in a single deployable blueprint. With an application profile, one Cisco CloudCenter platform can be used to deploy and manage any modeled application in any data center or cloud environment.

The solution's cloud-independent application profile, coupled with its cloud-specific orchestrator, abstracts the application from the cloud, interprets the needs of the application, and translates those needs into cloud-specific services and API calls. It thus eliminates the need for cloud-specific scripting and avoids cloud lock-in.

Each application profile is an XML and JavaScript Object Notation (JSON) metadata description that includes:

- Descriptions of application topology and dependencies
- Infrastructure resource and cloud service requirements
- Descriptions of deployment artifacts, including packages, binaries, scripts, and, optionally, data
- Orchestration procedures needed to deploy, configure, and secure all application components
- Run-time policies that guide ongoing lifecycle management

Each application profile can also provide details such as upgrade information and backup and restore information that is needed when migrating an application from cloud to cloud.

Most important, an application profile does not require a user to provide any environment-specific scripts that would otherwise hard-wire the profile to a single cloud infrastructure.

Behind the scenes, each application profile is created, stored, shared, or accessed through Cisco CloudCenter Manager. It is then interpreted by the orchestrator to provision infrastructure resources and deploy application components according to the unique API and best practices of each runtime environment.

An end user sees the application profile as a button or catalog item that, with one click, can be deployed to any supported environment. A developer or application owner sees it as a simple topology, modeled with visual drag-and-drop components, that incorporates security, compliance, and other configuration settings approved by various teams as part of the service lifecycle before the application is released for use. To the orchestrator, the application profile is a JSON file whose contents are interpreted when the application is deployed.

Application Profile Creation and Sharing

Several main architectural features help simplify the modeling of each application profile:

- Templates: Cisco CloudCenter provides more than 12 ready-to-use, reusable templates that serve as starting points for modeling each application profile. The topology modeled in the profile directs deployment-time orchestration and eliminates the need to write workflows. Templates are available for common application types, including batch and parallel processing, endpoint services, and clusters, as well as for single virtual machine, multitier, and loosely coupled containerized topologies. Templates are also available for many popular application technologies, including Java, .NET, LAMP, Ruby on Rails, and Hadoop. See the product documentation for more information about templates.
- Topology Modeler: Users open templates and model each application profile in the Topology Modeler. Figure 2 shows the visual drag-and-drop environment used to model a simple three-tier application.
- Service library: Cisco CloudCenter provides common OS images and application services that customers can use to quickly model an application profile. The solution includes more than 30 of the most popular operating systems, databases, middleware, load balancers, message buses, application servers, and front-end caches. Customers can also easily customize and extend the service library by adding other OS images, adding their own services, or importing applications from other widely used formats such as Amazon Web Services (AWS) CloudFormation, OpenStack Heat templates, and OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA). See the product documentation for more information about the ready-to-use supported base OS images and application services, as well as for more information about how to create new services and how to manage services.
- Containers: Cisco CloudCenter supports containers, such as Docker, that can be easily modeled as part of any application profile and then deployed and managed in any data center or cloud environment. Users can drag and drop the Docker service into an application profile that contains single or multiple Docker containers. Cisco CloudCenter supports composite application topologies using containers mixed with other application and cloud services. The solution adds management and governance to container deployments. See the product documentation for more information about Docker and for a blog about how Cisco CloudCenter uses Weave to manage multiple-host and cross-host topologies.
- Marketplace: Users can share application profiles in several ways. Users can share application profiles directly with other users, or they can publish profiles to either public or private Cisco CloudCenter marketplaces. Application profiles also can be added to third-party service catalogs for broad availability. Access to profiles is based on user credentials and on governance rules related to such factors as intended use, geographic location, security levels, and compliance requirements. See the product documentation for more information about marketplaces.

Figure 2. Topology Modeler Showing Service Library, Three-Tier Application, and Properties

Cisco CloudCenter Orchestrator

Cisco CloudCenter Orchestrator is a patented technology that decouples applications from underlying infrastructure and hides the complexity of underlying cloud resources.

One orchestrator is deployed locally in each data center, private cloud, and public cloud region and orchestrates the initial deployment of the application profile and all ongoing management requests that come from Cisco CloudCenter Manager.

The orchestrator receives information and instructions from the manager, including application profiles, runtime policies, and application lifecycle management commands such as deploy, start, stop, and remove. The orchestrator runs those commands and sends a status update back to the manager.

- Secure connection to the manager: The orchestrator uses a REST API to connect with Cisco CloudCenter Manager. The manager does not communicate directly with the cloud infrastructure management endpoint. The orchestrator abstracts the unique API and services offered by each cloud, and it uses the same communication mechanism back to the manager regardless of the cloud on which the orchestrator is installed. The distributed architecture makes a clear separation between security boundaries: the manager and the orchestrator use only a single port to communicate securely over HTTPS with mutual certificate-based authentication.
- Functions during deployment: When deploying an application profile, the orchestrator first rules out clouds that may be inappropriate options based on the needs of the application. The orchestrator then interprets the deployment and management requirements of the application profile and sends cloud-specific API commands to the underlying cloud to install the infrastructure required to meet the needs of the application. The orchestrator then performs additional actions needed to fill in gaps where functions are not directly supported by the underlying cloud infrastructure. For example, microsegmentation or elastic load balancing may not be available in the cloud infrastructure directly.
- Functions during management: Every cloud behaves in a different way. Cisco CloudCenter helps ensure that a request from the manager is interpreted so that it has the same outcome across all clouds, regardless of the capabilities of the underlying cloud. For example, the suspend command in one cloud may be called the power off command in another. The orchestrator determines the correct command mapping for each cloud so that users don't need expertise in the underlying cloud environment's commands.

Importantly, the orchestrator does not lie in the application's execution path. Instead, it sits to the side and orchestrates the provisioning and application deployment. The orchestrator does not add any performance overhead and can provide better application performance through optimal placement and instance configuration choices.

Orchestrator Agent

Cisco CloudCenter manages each provisioned application tier with an orchestrator agent that is installed in each virtual machine. The agent receives commands from the orchestrator to complete application deployment or enforce ongoing management actions and automation policies. The agent sends back monitoring information collected from underlying cloud APIs.

The agent is included in Cisco CloudCenter preconfigured shared virtual machine images. For customer-provided custom virtual machine images, Cisco CloudCenter detects whether the agent is present, and if it is missing, the solution automatically installs the agent in each virtual machine after it is deployed.

Applications can be run without an agent, and they can have the agent removed at any time, without affecting the running application. However, if you run without an agent, some capabilities, such as autoscaling, are not available for those applications.

The orchestrator communicates with the orchestrator agent through RabbitMQ queueing services that run on provisioned virtual machines, as shown in Figure 3.

Figure 3. Agent in Each Virtual Machine Communicates with the Orchestrator

The constant exchange of messages between these two components guides the orchestration and ongoing management of worker virtual machines in a cloud environment. Advanced Message Queuing Protocol (AMQP)-based communication is used between the orchestrator and the agent. The Cisco CloudCenter solution uses RabbitMQ as the open source message broker to implement AMQP.
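The orchestrator's job described above (read the profile's topology and dependencies, decide what to provision first, fetch the declared artifacts, and translate a cloud-neutral lifecycle command into the cloud's own operation) can be shown compactly. The Python below is an added example and is not Cisco CloudCenter code: the JSON layout, the repository name and endpoint URL, the cloud names, and the command table are all assumptions. It also performs the repository-relative path resolution that the Artifact Repositories section describes, with the check a practitioner would want there: a path taken from a profile must stay inside the registered endpoint, so absolute URLs, scheme-relative hosts, and `..` traversal are rejected.

```python
"""Interpreting a cloud-independent application profile (added example).

The JSON layout is a constructed, hypothetical schema, not CloudCenter's
format: a profile lists tiers with dependencies, artifacts as
repository-relative paths, and relies on a per-cloud command map.
"""
import json
import posixpath
from collections import deque
from urllib.parse import urlsplit

# Constructed sample profile (hypothetical schema).
SAMPLE_PROFILE = json.dumps({
    "name": "three-tier-web",
    "tiers": {
        "db":  {"depends_on": [],      "artifacts": [{"repo": "corp", "path": "db/schema.sql"}]},
        "app": {"depends_on": ["db"],  "artifacts": [{"repo": "corp", "path": "app/app.war"}]},
        "web": {"depends_on": ["app"], "artifacts": [{"repo": "corp", "path": "web/site.tgz"}]},
    },
})

# Repository endpoints as an administrator would register them (assumed values).
REPOSITORIES = {"corp": "https://artifacts.example.internal/releases/"}

# Cloud-neutral lifecycle command -> the cloud's own operation (assumed names).
COMMAND_MAP = {
    "cloud-a": {"suspend": "suspend",   "stop": "stop"},
    "cloud-b": {"suspend": "power-off", "stop": "shutdown"},
}


def load_profile(text):
    """Parse and validate a profile; raise ValueError on structural faults."""
    profile = json.loads(text)
    tiers = profile.get("tiers")
    if not isinstance(tiers, dict) or not tiers:
        raise ValueError("profile has no tiers")
    for name, tier in tiers.items():
        for dep in tier.get("depends_on", []):
            if dep not in tiers:
                raise ValueError(f"tier {name!r} depends on unknown tier {dep!r}")
        for art in tier.get("artifacts", []):
            if art.get("repo") not in REPOSITORIES:
                raise ValueError(f"tier {name!r} uses unknown repository {art.get('repo')!r}")
    return profile


def deploy_order(profile):
    """Kahn's algorithm over depends_on; a cycle can never deploy, so fail fast."""
    tiers = profile["tiers"]
    indegree = {t: len(tiers[t].get("depends_on", [])) for t in tiers}
    dependents = {t: [] for t in tiers}
    for t in tiers:
        for dep in tiers[t].get("depends_on", []):
            dependents[dep].append(t)
    ready = deque(sorted(t for t, d in indegree.items() if d == 0))
    order = []
    while ready:
        t = ready.popleft()
        order.append(t)
        for nxt in sorted(dependents[t]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(tiers):
        raise ValueError("dependency cycle in profile topology")
    return order


def resolve_artifact(repo, relpath):
    """Join a registered endpoint with a profile-supplied relative path.

    Absolute URLs, '/abs' and '//host' forms and '..' traversal are rejected
    so that a profile cannot redirect a fetch to a host or directory the
    administrator did not register.
    """
    endpoint = REPOSITORIES[repo]
    if urlsplit(relpath).scheme or relpath.startswith("/"):
        raise ValueError(f"artifact path must be relative: {relpath!r}")
    norm = posixpath.normpath(relpath)
    if norm.startswith("..") or norm == ".":
        raise ValueError(f"artifact path escapes repository: {relpath!r}")
    return endpoint + norm


def resolve_all(profile):
    """Map tier -> artifact URLs, keyed in deployment order."""
    return {t: [resolve_artifact(a["repo"], a["path"])
                for a in profile["tiers"][t].get("artifacts", [])]
            for t in deploy_order(profile)}


def cloud_command(cloud, neutral):
    """Translate a manager request into the cloud's own operation name."""
    try:
        return COMMAND_MAP[cloud][neutral]
    except KeyError:
        raise ValueError(f"{neutral!r} not supported on {cloud!r}") from None


if __name__ == "__main__":
    p = load_profile(SAMPLE_PROFILE)
    print(deploy_order(p))                       # ['db', 'app', 'web']
    print(resolve_all(p)["app"])                 # [...releases/app/app.war]
    print(cloud_command("cloud-b", "suspend"))   # power-off
```

The command map stands in for the orchestrator's per-cloud adapters; the point is that the manager only ever sends the neutral verb, and nothing in the profile names a cloud.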

The orchestrator sends requests to the agent, including requests to:

- Perform certain tasks, such as running configuration scripts during deployment
- Perform actions that may be required to enforce policies, such as reconfiguring middleware services during autoscaling
- Collect system metrics based on policy enforcement requirements
- Run custom cleanup scripts during deprovisioning or shutdown

The agent sends the following information to the orchestrator:

- Monitoring data, such as system metrics
- Status information
- Heartbeat information to indicate that the system is alive

Artifact Repositories

Typically, enterprises maintain application packages, data, and scripts in multiple repositories of their choice. Use the artifact repository to link to an existing repository to store and access files and to point to application binaries, scripts, and shared files. Use the preconfigured Cisco CloudCenter Network File System (NFS) options to mount storage with multiple disks and encryption.

Administrators can make the artifact repository (or multiple artifact repositories) specific to a user, a tenant, or a cloud, or any combination of these resources, based on deployment requirements. Cisco CloudCenter provides a Repositories tab in the manager user interface for this purpose. Administrators can enforce access permissions for each repository. Tenant users can view repositories that are specific to their tenant.

Cisco CloudCenter supports HTTP, HTTPS, and FTP repositories, including Amazon Simple Storage Service (S3), Chef, Puppet, and Artifactory. For an external repository, such as S3 for Amazon storage, enter the host name with the endpoint URL of the repository. See the product documentation for more information about supported artifact repositories.

When modeling an application or application profile, users select the relevant repository and provide the relative path to the application packages, scripts, or files. The list of available repositories is displayed for user selection. Figure 4 shows an example.

When users select a repository, the repository's endpoint URL is automatically combined with the user-provided name of the folder in which the packages, scripts, or files are located.

Figure 4. Selecting the Artifact Repository for a Cleanup Script

Enterprise-Class Solution

The Cisco CloudCenter enterprise-class solution offers a secure, scalable, and extensible multitenant solution. It can start simple and scale to meet the needs of the most demanding IT organizations and cloud service providers.

Secure

The Cisco CloudCenter solution is designed with security at its core to span the boundaries of applications, clouds, and users. It encrypts data at rest and in motion and offers a range of critical management, authentication, and authorization features that secure not just the Cisco CloudCenter solution, but also the clouds to which it connects.

- Identity management and authentication
  -- Support for SAML 2.0-based SSO with optional multifactor authentication
  -- LDAP and Active Directory support through a SAML 2.0 SSO IdP such as Ping Identity, ADFS, or Shibboleth
  -- SHA-256-based password hash with random salt to protect against reverse engineering
  -- Randomly generated REST API keys

  -- Virtual machine and cloud storage access through a user-specific, unique RSA-2048 public key infrastructure (PKI)-based Secure Shell (SSH) key pair
  -- Detailed role-based access control (RBAC) for global permissions at the user and user-group levels
  -- Object-level permissions shared within tenants to control access to a wide range of features, such as the application profiles, deployment environment, and service library
- Key management
  -- Compliant with the FIPS Java Cryptography Architecture (JCA)
  -- Encrypts key pairs using AES-256
  -- Allows users to specify a public or private key at deployment time, which helps ensure that Cisco has no possession of user keys
  -- Transparent browser-based SSH and secure VNC with key management, so if a key pair is managed by Cisco CloudCenter, you don't need to specify keys for an authorized user
  -- Secure database vault fully encrypted using a key stored in a different security domain, such as a hardware security module (HSM)
  -- Support for AWS CloudHSM
- Network security
  -- Communication over a two-way trusted HTTPS connection by all Cisco CloudCenter components
  -- Microsegmented application communication through Cisco Application Centric Infrastructure (Cisco ACI) or VMware NSX
- Data security and protection
  -- Block-level AES-256 encryption of Cisco CloudCenter deployed storage
  -- Consolidated audit logs for all user activity

Scalable

Cisco CloudCenter uses an architecture that is simple enough for a single application in a single cloud, but that can scale to meet the needs of the world's largest cloud service providers, which have many isolated tenants, each with multiple applications deployed.

- One manager: Only one manager is required for each Cisco CloudCenter installation. The manager can be used with multiple fully or partially isolated tenants and can support thousands of applications. The manager is linked to one or many orchestrators. Additional managers can be added to meet disaster-recovery or high-availability requirements. Most virtual machine status information, messages, and policies are managed at the orchestrator and do not require communication with the manager. With this architecture, the manager is not a bottleneck, and the manager and the orchestrator can scale independently.
- Multiple orchestrators: A single multitenant orchestrator is deployed in each public cloud region, data center, or private cloud. Each orchestrator can support a single tenant or multiple tenants. In either scenario, one orchestrator can manage up to 10,000 virtual machines. The orchestrator also can be deployed as a cluster to provide additional scalability and avoid creation of a single point of failure.
- Orchestrator agent communication: Orchestrator scalability is enhanced by AMQP-based communication between the agent and orchestrator. Cisco CloudCenter uses RabbitMQ as the open-source message broker to implement AMQP, and it requires the RabbitMQ AMQP server to be co-located with each orchestrator server. Message exchange is performed over one network port on RabbitMQ: both the orchestrator and the agent must be able to connect to RabbitMQ's port 5671.

Extensible

As an enterprise-class hybrid cloud management platform, Cisco CloudCenter is built to integrate with and extend a wide range of other data center and cloud management platforms and tools that are found in the typical IT enterprise (Figure 5). See the product documentation and search for "integrations".
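The authorization model sketched in the Secure list (global RBAC at the user and group level, object-level permissions shared only within a tenant) and the fully or partially isolated tenants that one manager serves can be reduced to a single decision function. The Python below is an added example, not Cisco CloudCenter code: the role names, the rule that shared objects are read/deploy only, and the parent-to-child publishing flag are assumptions chosen to make the isolation cases explicit, and every tenant, user, and object in the scenario is constructed.

```python
"""Tenant-scoped object permissions (added example, not CloudCenter code).

One function, can(user, action, obj), combines a global RBAC check with an
object-level check: peer tenants never see each other's objects, sharing
inside a tenant is explicit, and a parent tenant can publish an object
(for example a mandated artifact repository) down to child tenants without
the children being able to change it. Names and roles are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tenant:
    name: str
    parent: "Tenant | None" = None


@dataclass(frozen=True)
class User:
    name: str
    tenant: Tenant
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class Obj:
    """A profile, deployment environment, repository, ... owned by one tenant."""
    name: str
    tenant: Tenant
    owner: User
    shared_with_users: set = field(default_factory=set)
    shared_with_groups: set = field(default_factory=set)
    published_to_children: bool = False   # parent -> child tenant visibility


# Global RBAC: which roles may perform which action (assumed role names).
ROLE_ACTIONS = {
    "tenant-admin": {"view", "deploy", "edit", "share"},
    "user":         {"view", "deploy"},
}


def ancestors(tenant):
    """Yield the tenant's parent, grandparent, ... up to the root."""
    t = tenant.parent
    while t is not None:
        yield t
        t = t.parent


def can(user, action, obj):
    """Both the role check and the object-scope check must pass."""
    # 1. Global RBAC: some role held by the user must permit the action.
    if not any(action in ROLE_ACTIONS.get(r, ()) for r in user.roles):
        return False
    # 2. Object scope. The owner may do whatever the role allows.
    if obj.owner == user:
        return True
    if obj.tenant == user.tenant:
        # Same tenant: tenant admins see everything inside their tenant;
        # everyone else needs an explicit user or group share, read/deploy only.
        if "tenant-admin" in user.roles:
            return True
        if user.name in obj.shared_with_users or user.groups & obj.shared_with_groups:
            return action in {"view", "deploy"}
        return False
    # 3. Partial isolation: an object published by an ancestor tenant is
    #    read/deploy for child tenants, never editable from below, and never
    #    visible to peer tenants or to a parent looking into a child.
    if obj.published_to_children and obj.tenant in ancestors(user.tenant):
        return action in {"view", "deploy"}
    return False


# --- constructed scenario --------------------------------------------------
central_it = Tenant("central-it")
finance    = Tenant("finance", parent=central_it)
hr         = Tenant("hr", parent=central_it)
it_admin   = User("it-admin", central_it, roles=frozenset({"tenant-admin"}))
fin_admin  = User("fin-admin", finance, roles=frozenset({"tenant-admin"}))
fin_dev    = User("fin-dev", finance, roles=frozenset({"user"}), groups=frozenset({"payroll-team"}))
hr_dev     = User("hr-dev", hr, roles=frozenset({"user"}))

std_repo   = Obj("approved-repo", central_it, it_admin, published_to_children=True)
payroll    = Obj("payroll-profile", finance, fin_admin, shared_with_groups={"payroll-team"})
secret_env = Obj("finance-prod-env", finance, fin_admin)


def scenario():
    """The decisions a practitioner would pin down in a test."""
    return {
        "peer tenant cannot see profile":     can(hr_dev, "view", payroll),
        "group share grants deploy":          can(fin_dev, "deploy", payroll),
        "group share does not grant edit":    can(fin_dev, "edit", payroll),
        "unshared object hidden in tenant":   can(fin_dev, "view", secret_env),
        "child sees parent-published repo":   can(fin_dev, "view", std_repo),
        "child cannot edit parent-published": can(fin_admin, "edit", std_repo),
        "parent does not see child object":   can(it_admin, "view", payroll),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:38s} {allowed}")
```

The order of the checks matters: the role check runs first so that a share can never widen what a role permits, and the tenant comparison runs before any sharing data is consulted so that peer-tenant objects are invisible regardless of how they were shared.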

Figure 5. North, South, East, and West Extensibility
[Figure: content integration (user content, vendor content, Docker, Puppet and Chef components); platform integration (model, deploy, manage; scripts, events, hooks); tool integration (security with SSO and HSM, administration and governance, infrastructure with IPAM and DNS); cloud integration (data center, private and public cloud).]

- Content integration: A wide range of content sources can be tapped when modeling application profiles. Application profiles contain images, application and cloud services, and containers. Users can import images, share completed application profiles directly with other users, and import or export application profiles to the Cisco CloudCenter private or public application marketplace. Application profiles can be modeled using configuration management tools like Chef, Puppet, and SaltStack to deploy individual tiers. Users can modify preconfigured services or add their own custom services. Vendors can add content to the Cisco CloudCenter service library that customers can use to model application profiles. Unique platform-as-a-service (PaaS) offerings such as AWS Relational Database Service (RDS) are treated as services (content), not integration points.
- Platform integration: Northbound REST APIs expose Cisco CloudCenter actions to other platforms. Each application profile has a unique ID and can be deployed through the API. For example, you can integrate Cisco CloudCenter with Jenkins, ServiceNow, your own front end, or other solutions to automate application stack deployment and management. See the product documentation for more information about the API.
- Tool integration: See the product documentation for the growing list of preconfigured integration capabilities for Cisco ACI, ServiceNow, Docker, Jenkins, Infoblox, and more. Also see the product documentation for information about callout scripts.
- Cloud integration: Cisco CloudCenter offers preconfigured integrations that support more than 19 data center, private, and public cloud environments. Southbound integration is provided by orchestrators that work in all supported environments. There is no further integration beyond setup and configuration; Cisco CloudCenter does not expose the southbound integration interface. If needed, customers and partners can request support for additional clouds. See the product documentation for information about supported data center and private clouds and public clouds.

Multitenant

Cisco CloudCenter offers various multitenant models to support typical enterprise IT hybrid-cloud use cases, as shown in Figure 6. These models give IT architects and administrators a range of options, from simple to complex, for configuring and controlling isolation and sharing within or between groups of users.

Figure 6. Multitenant Isolation, Partial Isolation, and Sharing
[Figure: peer tenants in full isolation; users and groups sharing within a tenant; parent and child tenants in partial isolation.]

- Full isolation: With Cisco CloudCenter, each tenant can be fully isolated from other peer tenants. In this way, two completely independent business units can use a single Cisco CloudCenter instance while strictly separating tenants.
- Flexible sharing: Cisco CloudCenter facilitates sharing within each tenant. Powerful features for sharing application profiles, application services, deployment environments, and more multiply the speed and agility benefits of an application-defined management solution.
- Partial isolation: Cisco CloudCenter offers an option for partial isolation between parent and child tenants. In some cases, a central IT organization may offer shared services, delivered either on the premises or through a cloud service provider, that are consumed by various business units that are otherwise independent. For otherwise independent IT departments, the central IT organization may want to enforce OS image standards, require use of specific artifact repositories, or require a common rules-based governance framework.

Conclusion

The Cisco CloudCenter solution employs a two-part architecture that simplifies deployment, enables fast time-to-value, and allows users to start small and scale as needed. The solution works for one application in one cloud, as well as for a full multitenant cloud service provider at scale and everything in between.

The unique Cisco CloudCenter architecture delivers management capabilities that span the boundaries of applications, clouds, and users. It is designed to abstract applications from the cloud, and it reduces the need for users to understand the details of the underlying cloud-specific APIs and services. It also includes a wide range of architectural features that enable comprehensive application and cloud management within enterprise IT ecosystems.

The Cisco CloudCenter solution offers compelling benefits for modern IT organizations, whether they are just starting with user self-service in a data center, migrating their first application to the cloud, or running the second or third iteration of a hybrid IT strategy that includes a portfolio of data center and private and public cloud processing services.

For More Information

www.cisco.com/go/cloudcenter

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C11-737224-00 05/16
