/Cisco Cloud ACI on Oracle Cloud Infrastructure

Cisco Cloud ACI on Oracle Cloud Infrastructure

There are some good whitepapers about Cisco Cloud Application Centric Infrastructure (Cisco Cloud ACI), but there’s no information about Oracle Cloud Infrastructure (OCI). This post will try to cover the fundamentals that can help you integrate ACI on OCI.

When it comes down to hybrid cloud environments, one of the priorities is to extend your existing policies and operational processes to the cloud. It becomes a challenge to maintain and keep those policies in multiple disperse sites centralized, and even worse, it’s hard to navigate through security approvals when there is no integration between your on-prem management tools and the cloud.

Cisco saw the need to seamlessly interconnect Cisco ACI-powered datacenters with the different cloud providers like AWS or Azure . Doing that would remove the need of managing multiple security building blocks and decrease any potential learning curve when adopting new technologies/platforms. Cisco introduced the Cisco ACI Multi-Site Orchestrator (MSO), a software solution that extends Cisco ACI constructs and policies across sites, enabling a single pane of glass for your policies across multiple geographically dispersed sites. Whatever policies you configure on MSO, could be pushed to different on-prem sites and cloud environments. However, with Cisco MSO 3.2, you have to deploy the Cisco Multi-Site Orchestrator (MSO) as an application in Cisco Nexus Dashboard Orchestrator (NDO). This is the new management platform that interconnects Cisco ACI, Cisco Cloud ACI and Cisco Nexus Dashboard Fabric Controller sites. Figure 1 shows the Cisco Nexus Dashboard Orchestrator overview:

Cisco Cloud APIC

Cisco Cloud APIC manages the network policies for the cloud it’s running on. It uses the Cisco ACI network policy model mapped to the cloud-native policy construct. You can automate the configuration of the end-to-end connectivity between your on-prem datacenter and OCI. This connectivity can take place using IPSec VPN or OCI FastConnect.

Cisco Cloud APIC deploys a pair of Cisco CSR1000V routers (which are now being replaced by Catalyst 8000v) on your Virtual Cloud Network (VCN) and builds the the IPSec tunnel that connects to the endpoint available on-prem. Once the interconnect is up and running, MSO will configure the overlay between your on-prem ACI spines and the Cisco CSR/Cat8000v devices deployed on OCI.

Both Cisco ACI and OCI use group-based network and security policy models. What differs is the constructs. While Cisco uses tenants, Bridge Domains (BDs), BD subnets, Endpoint Groups (EPGs) and contracts, OCI uses compartments, Virtual Cloud Network (VCN), Network security groups (NSGs), and security lists (among others).

From a security policy perspective Oracle OCI uses 3 constructs: Security Lists (SL), Network Security Groups (NSG), Security Rules (SR – which are simple lines with source, destination, port, and direction) while Cisco ACI uses EPG (a grouping of servers), Contracts (a grouping of security rules) and Filters (a subcomponent of Contracts that have TCP/UDP/ICMP ports).

Cisco ACI policies are deployed at the network ports and will deploy on OCI in the form of ipTables on the host where the VM is running.


The overall mapping of the security policy models between Cisco APIC and OCI is shown in the following figure:

Deployment Options

There are few options to deploy Cisco APIC on OCI. It will depend on your needs and business requirements. Following are couple of high-level overview diagrams where you can deploy a pair of CSR/Cat8000V devices in a multi-region deployment or in a hub and spoke architecture.e

Multi-region deployment

  • Each region can have its own infra VCN with a pair of Cisco CSR 1000V/ Catalyst 8000V Series devices for networking.
  • Full inter-region connectivity using OCI backbone (MACsec encryption) and Infra_VCN as transit gateway.
Hub and Spoke

  • Transit routing with a DRG hub and a pair of Cisco CSR/Cat8000V virtual appliance in an attached VCN.
  • The transit gateway is configured using Terraform files.
  • For inter-region OCI connectivity will use DRG and OCI backbone network.

We will dig further in each architecture in the next blogs and provide the Terraform files for an easy deployment.

Something to note is the cloud instance requirements to deploy the virtual appliances. As of writing, Cisco only supports Intel-based instances. It is recommended the following configuration:

From OCI instance catalog we will select the following instance that provides a balance of compute, memory and networking resources:

  • VM.Standard3.Flex w/ 4 oCPU
  • X9-based standard compute. Processor: Intel Xeon Platinum 8358. Base frequency 2.6 GHz, max turbo frequency 3.4 GHz.

If you are curios about the cost of running a pair of virtual appliances, it will cost 311.5 EUROS /month (3.7k/year).

Migrating Cisco APIC to OCI native security policies

Alternatively you could just translate Cisco APIC policies to OCI security policy model and operate and manage your environment using cloud tools. This requires to export your configuration from the APIC and run the scripts that will programmatically translate the specific Cisco data structure to another data structure suitable for OCI, and deployed it in minutes.

There is already an interesting project that provides the python scripts to migrate the policies: https://github.com/aegiacometti/cloud-automation


Cisco Cloud ACI lets you simplify the overall management and maintenance of your security policies. Even though it is NOT officially supported by Cisco, you can run virtual appliances on OCI and extend the overlay between your on-prem and cloud environments, treating your cloud environment as just another site in your NDO.

In addition, you can directly translate Cisco ACI policies and run them natively in the cloud. It might require some tunning of the terraform and python scripts provided above to adapt it to your business needs.