As companies grow and cloud models change and develop, most organizations find that they do not use a single cloud provider, whether AWS or Azure, and stick with it. They use clouds from multiple providers, creating a hybrid cloud environment with multiple data centers. When you mix public clouds into this strategy, whether it be AWS, Azure, or Google, it is important to realize that every time a cloud connection is made there is usually connectivity back to your sites as well. You have that increased traffic flow and you have to consider how you're connecting, managing, and securing it.
If an organization moves to Azure, they may add a Cisco ASR to route up to that cloud, creating that permanent tunnel to AWS because that level of availability locally is needed to meet policy requirements. If you want to handle that traffic locally, it is important to consider that, as things diversify, there is a lot of gear involved.
There is also a lot of decision making around what your network is doing. It is static in the sense that if a Google Cloud connection is added then organizations have to consider what they’re doing on that network. They will have to ask questions, such as:
- Is the ASR I'm using for Azure also going to be able to work for this?
- Am I going to need something else with more bandwidth, for example, since there's an agility to what clouds can do, but there isn't really an agility to set up clouds?
Cisco is trying to solve these challenges and provide solutions to answer these questions. This is why Cisco Secure Agile Exchange (SAE) was introduced. At a technical level, Cisco SAE centers on network functions virtualization (NFV). This blog will introduce Cisco SAE, discuss four major benefits of it, and explore some package options and use cases.
What is Cisco Secure Agile Exchange (SAE)?
From a network perspective, no one's really dynamic today with shifting workloads across multiple places. People don't necessarily think about connecting multiple data centers around the world to several different clouds, so now the Secure Agile Exchange is more like a hub for making all those connections happen, and that happens through network function virtualization. This means teams can virtualize multiple connectivity options in one system. Whether you're doing something with an ASA or ASR, for example, you can use Cisco SAE to dynamically make those connections to clouds. This makes organizations much more agile when it comes to understanding and managing network connections that already exist, as well as with connecting future applications, such as a company-wide implementation of Microsoft Office 365.
The Next Level in Cloud Connectivity
If you want to add another cloud or if you want to get rid of it and come back later because it’s bursting, you can. SAE is really the next level in cloud connectivity and I think a lot of companies are ending up there now with cloud. Organizations look back at their connectivity models and they're trying to optimize the traffic flows and understand where the connectivity is going out. You may have one data center with connectivity while another data center doesn't, so it may optimize traffic at that data center first and then flow that ASR to AWS. Pushing to the cloud was one thing and people were very excited to consume it, but now it's normalizing and I think people are going back and saying, "Why did I make these decisions? Why did I make my infrastructure decisions the way I did? How can I avoid cloud lock-in and how can I be prepared to shift if I need to?"
When it comes to implementing a cloud strategy, AWS (in the majority of cases) should not be the only answer. Same goes for Azure. To be able to make business decisions without more hardware investments, companies need a level of agility between on-prem and/or to other clouds to avoid a cloud lock-in scenario. If your applications can move from cloud to cloud and you don't want to be locked into AWS, you don’t have to be. If your contract goes up or is going to go up in the next two months, you now have the ability to virtualize, create another tunnel to another cloud, and start that process much more quickly than the traditional method of hardware procurement.
Cisco SAE Benefits
Automation solutions require a deep understanding of current workflows and business requirements. To provide accurate and time-saving processes, there is a large investment of time required at the onset of implementation to map the required connectivity and processes to be built out in SAE. The benefit to this upfront time commitment is clear though. It allows teams to build complex connectivity models once in a workflow, deploy many times, as needed, with agility. There are also many other associated benefits of Cisco SAE, including:
SAE provides a whitelist security model, ensuring users can only access what they need, as well as providing telemetry and analytics on the access that is provided. SAE also enables a much simpler service lifecycle, ensuring that access to decommissioned services and applications is revoked in a timely and compliant manner. Access rights are tracked in a database, and new user creation or access change requests can be automated and templatized to ensure standards and least-privileged access models are in place.
- Ease of Integration
This solution is easy to integrate for companies that:
- Have dynamic workload requirements
- Find themselves constantly adapting and connecting to new carriers and clouds
- Require agility when optimizing their business processes, or when responding to compliance or security demands
- Experience “cloud sprawl” as a business requirement
- Are struggling to keep up with the hardware and configuration requirements of the business
- Enables Hybrid Cloud
SAE enables automation of virtual network edge devices. An edge router for AWS could be spun up via a workflow policy in minutes, and just as easily decommissioned and replaced with an Azure edge router. It enables you to connect your local resources to cloud resources in a dynamic, agile way with no additional network hardware investment. Cisco SAE and hybrid cloud align very well.
- High Flexibility, Low Cost
Enterprises should want Cisco SAE because it provides more flexibility with a lower cost, requiring fewer circuits that are now cloud and carrier neutral. It requires less physical hardware to implement and it allows companies to scale out virtually infinitely as needed in an automated way, similar to OpenStack or a custom implementation. SAE allows this with less complexity. It allows the network edge to react to business and compliance demands without manual management or additional hardware requirements.
Cisco SAE Use Cases
The versatility of SAE can be seen with companies experiencing high traffic times such as during the holiday season. If you need to push workloads to three different clouds instead of one, you can automate this process with SAE. This means you accomplish a seemingly complicated task without buying new gear or reinventing the wheel. It does all this while adding the agility to set up an infrastructure that supports a cloud. It's much faster as well, creating an instance that feels like cloud connectivity as a service. In this instance, Cisco SAE is similar to VMware vSphere.
SAE can be used for cloud optimization and portability to move services from cloud to cloud in an effort to reduce Op-Ex costs. It can be used to enable a quick turnaround time to deploy new users in multi-cloud, multi-permission environments based on their requirements (due to its agility). Cisco SAE can also reduce the amount of hardware required, while enabling additional flexibility with the hardware you already have, which tones down configuration sprawl through virtualization technology.
What Options Are Available?
The SAE solution is based around the Cisco Cloud Services Platform 2100, which is available as a single node or as a two node/HA cluster. It is composed of Cisco UCS C series servers (C220 and C240, depending on how many PCIe slots are required) and generally connects to a Nexus 9300 switching infrastructure in the data center.
Once the system is purchased, you can host a multitude of Cisco Virtual Network Appliances based on your requirements, which are priced out individually based on their existing cost models (per user, per VM, etc.):
- Cisco Cloud Services Router (CSR) 1000V virtual router
- Cisco IOS® XRv 9000 Router
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower™ NGFW Virtual
- Cisco Prime® Virtual Network Analysis Module (vNAM)
- Cisco Virtual Wide Area Application Services (vWAAS)
- Cisco Web Security Virtual Appliance (WSAv)
- Cisco Virtual Security Gateway (VSG) for Cisco Nexus® 1000V Series Switch deployments
- Cisco Virtual Supervisor Module (VSM) for Cisco Nexus 1000V Series Switch deployments
- Cisco Data Center Network Manager (DCNM)
Cisco SAE was introduced as a way to answer all the network function virtualization questions facing enterprises. It provides the next level of cloud connectivity and a heightened degree of clarity in doing so. SAE brings many benefits to the enterprise, allowing a new way to increase business efficiencies while also cutting costs. It even has a significant degree of customization, with numerous appliances available to create the best fit for your enterprise.
WEI has deep experience with Cisco solutions and has developed numerous customized networking and security solutions for our customers using Cisco platforms and products. If you're a Cisco shop and have questions about how to evolve your data center, contact us today.
Next Steps: Learn more about WEI's experience with Cisco in the case study, “Data Center Relocation and Policy-Based Networking.”