AWS CloudFormation for NFV


Are you thinking of deploying virtual network appliances in Amazon EC2? If so, eventually you'll realize that launching instances in AWS from the wizard can become a bit cumbersome. Thinking long term you'll likely need a more automated, repeatable approach. Enter: CloudFormation.

This entry will serve mostly as an introduction to 'infrastructure as code', especially for us dense, behind the times network types but perhaps not for those already well-versed in this arena.

Below is a CloudFormation stack which I created for quickly deploying the Cisco CSR1000V into AWS. I created it because I needed a way to quickly and repeatedly launch instances properly. I'm going to roll with this use case for demo purposes here, however the function could realistically be modified to reference any AMI in the marketplace. The template:

https://github.com/bucklander/CF_Templates/blob/master/CSRstack.json

(3/27/2017) Update - Bonus VyOS and ASAv Deployment Templates:
https://github.com/bucklander/CF_Templates/blob/master/VyOSstack.json
https://github.com/bucklander/CF_Templates/blob/master/ASAvstack.json

A nice thing about Amazon's CloudFormation is that it will allow you to completely automate not just the instance deployment, but also all of the components that the instance requires. Launching this stack should seamlessly handle the deployment of the following:
  • Right-size the EC2 instance, based on your bandwidth requirements
  • Give choice of either bundled or BYOL Cisco licensed AMIs from the marketplace
  • Give choice to EC2 tenancy type & termination protection
  • Bootstrap the image with an existing SSH key pair
  • Bootstrap the CSR configuration with whatever you want
  • Allocate and assign an Elastic IP address to the instance
  • Create / assign an IAM instance policy (since they can't be assigned post-launch)
  • Create / assign a security-group (initially only permitting port 22/TCP inbound)
  • Disable the 'src/dst' check on the instance
  • Specify the existing VPC and public subnet to launch the instance
  • Enable instance status check alarm with auto restore if failure
Quite the list, right? Now imagine performing all of these by hand - bad!

To use the template to deploy a CSR instance in one of your existing AWS VPCs, follow the directions below.

1. Navigate to AWS CloudFormation and click 'Create Stack'.


2. Download the CloudFormation template mentioned above (it's just a JSON file) and specify it as the template file for upload


3. CF will parse the template file and translate it to request user input. This allows the deployment to be created based on your specific requirements. Simply read through and fill those out. (If you don't know, leave the default values where possible.)



4. Optionally add tags, or click through


5. Show time! The stack should now build, and you can view the progress of it from the CF console. This part could take a few minutes while AWS launches all of the necessary resources.


6. Once the instance is provisioned by the stack, you should now see it from your regular EC2 console view.


You'll notice from the console that the instance already has a public elastic IP address assigned, so can be accessed via the associated private key that you selected in the stack. As mentioned previously, other important items were created and assigned as well - security group, IAM role, status check alarm, etc.

By simply copying the elastic IP address I'm able to login to the instance via SSH from my local computer:

At this point, you should now be able to login to the instance and configure it however you need your virtual router to behave, just don't forget to open the relevant ports on the security group!

Cheers!

Popular posts from this blog

Configuring Cisco ASA for Route-Based VPN

Up and Rawring with TRex: Cisco's Open Traffic Generator

Running ASA on Firepower 2100: An End-to-End Guide