Application Security with Cisco ACI and Apprenda

By Atos Apprenda Support

Blog co-authored by Cesar Obediente, Principal Systems Engineer, Cisco


In a world buzzing with microservices, containers and distributed cloud platforms, most organizations are faced with a daunting challenge: entering the promised land of shiny cloud-native apps and rapid application deployments at scale without compromising security and compliance. The good news is that there is an increasing number of technologies that can help in this regard; the bad news is that most of them apply only to new, cloud-native applications, which remain the primary target of prevalent container solutions.

Incidentally, this type of application is an absolute minority within the portfolios of established companies. The bulk of applications fueling the business today were created several years ago and, oftentimes, in a way that is not conducive to rapid cloud deployments. Many of these apps won’t even “fit” within common container segmentations. With the exception of brand new start-ups, who have the inherent luxury of starting fresh, most technologists exist in a schizophrenic world encompassing both tomorrow and today.

  • Tomorrow – an increasing, yet small, footprint of modern and portable apps upon which everyone wants to work but that may not yet bring in any money.
  • Today, i.e. the legacy of the past – proven production apps that are not as pretty and sexy but nonetheless remain the revenue machines.

Everyone realizes that this schizophrenic state cannot be overcome in short order; porting the business-critical apps over to the new tech will take time. The question is how to deploy, secure and monitor the two categories of applications in a consistent and efficient way.

Cisco and Apprenda have been working together to address this challenge: technology organizations having to deal with the demands of today and tomorrow at the same time.

Application Centric Infrastructure (ACI) is Cisco’s next generation data center architecture, designed to address the network automation requirements of today’s traditional networks as well as the emerging demands of new applications being deployed on the network. Cisco ACI brings innovation around application-centric policy models in which connectivity is defined by consolidating endpoints (physical devices, virtual machines and containers) into endpoint groups (EPGs), and communication between EPGs is allowed only as the application requirements dictate.

Apprenda is a maker of a versatile container platform for massive rapid deployments of both cloud-native and traditional application workloads. This includes Windows applications, Linux services and legacy Java components.

The Apprenda platform natively integrates with ACI and provides rapid containerization of applications including both those of today and tomorrow, along with automation of network isolation. There is also a third type of applications that benefit from the automation offered by the ACI-Apprenda integration. Some business-logic-heavy older services may be deemed not worth the effort of refactoring into cloud-native patterns. They are left as is, or turned into services which the emerging cloud-native components can consume. This type of workload is also accounted for by ACI and Apprenda.

Using the traditional methods of network security for continuous application deployments (and mixed-era apps, especially) is not a trivial undertaking. It requires lengthy meetings between network admins, IT admins and developers (people who generally do not speak the same language). Solutions are typically manual, or based on custom and short-lived scripting, which renders them inherently inefficient and error-prone.

Apprenda uses the Contiv container networking layer to dynamically create policies and contracts between workloads and propagate them to the APIC.

The Apprenda-ACI integration addresses the following two major use cases.

Day 1 scenario: It simplifies the process of attaching and configuring the ACI fabric to the Apprenda platform and Kubernetes clusters.

The process of enabling Apprenda on the ACI fabric is fully automated. A platform operator (typically an IT admin) can use the ACI initialization tool, built into the Apprenda Operator Portal.

All the operator needs to do is provide connection information and credentials for the Contiv API server and the APIC. Once these credentials are saved, the operator pushes the Initialize button. From there, the automated process requires only seconds to complete, sparing everyone the lengthy meetings, delays and human errors. Within seconds the platform becomes a part of the ACI-Contiv fabric. The Apprenda configuration in ACI is based on two tenants.

The ACP-VMW tenant holds the EPGs and contracts that protect the core Apprenda platform. The other tenant, Default, is for the Kubernetes cluster.

The automated setup process also creates a bridge between the two tenants and an external contract. This external contract will be attached to all workloads that are subsequently deployed to the platform so that they can communicate with the platform core services and vice versa.

Automated Secure Deployment: The integrated solution also reduces the complexity of securing individual applications and their components during continuous deployment processes.

Apprenda provides an abstraction layer through which developers and product management communicate business requirements and application SLAs to the infrastructure layers before the application goes live. The platform takes these requirements and translates them into specific commands to, for example, trigger network segmentation and isolation. During the configuration phase, the developer tells Apprenda how the app has to be protected at the network level by ACI and Contiv. Only one value needs to be set, Network Isolation Mode, and this value triggers the automation of network policies. There are three values to pick from:

  • Isolated – to make the app its own island, fully isolated from everything else on the platform.
  • Development team – allows all apps of a single development team (an Apprenda tenant) to communicate with each other, but remain isolated from other applications on the platform.
  • Custom – allows for the isolation of groups of apps based on various ad hoc criteria. For example, this mode can be used to establish secure communication paths between the cloud-native and legacy components.
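The following is an added, illustrative model of the three Network Isolation Modes and the external contract to the platform core services described above; it is not Apprenda or Contiv code. It assumes a `group` label for Custom mode, a "both sides must permit the peer" rule for apps in different modes, and a single `platform-core` endpoint standing in for the ACP-VMW core services.

```python
"""Illustrative model (not Apprenda's implementation) of how the Network
Isolation Mode on each deployed app could be turned into the set of
contracts a platform would push to the fabric."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

ISOLATED, DEV_TEAM, CUSTOM = "isolated", "development_team", "custom"
PLATFORM_CORE = "platform-core"  # stands in for the ACP-VMW core services (assumed name)


@dataclass(frozen=True)
class App:
    name: str
    tenant: str                   # Apprenda tenant == development team
    mode: str                     # one of the three Network Isolation Modes
    group: Optional[str] = None   # assumed label used only by Custom mode


def permits(app: App, peer: App) -> bool:
    """Does `app`'s own isolation mode allow traffic with `peer`?"""
    if app.mode == ISOLATED:                 # own island: nothing gets in or out
        return False
    if app.mode == DEV_TEAM:                 # same Apprenda tenant only
        return app.tenant == peer.tenant
    if app.mode == CUSTOM:                   # same ad hoc group, may span tenants
        return app.group is not None and app.group == peer.group
    raise ValueError(f"unknown Network Isolation Mode: {app.mode!r}")


def flow_allowed(a: App, b: App) -> bool:
    """Assumed rule for mixed modes: a contract exists only if both sides permit it."""
    return a.name == b.name or (permits(a, b) and permits(b, a))


def derive_contracts(apps: Iterable[App]) -> Set[Tuple[str, str]]:
    """Unordered app-to-app contracts plus the external contract each
    workload gets to the platform core services (and vice versa)."""
    apps = list(apps)
    contracts = {(a.name, PLATFORM_CORE) for a in apps}   # external contract
    for a in apps:
        for b in apps:
            if a.name < b.name and flow_allowed(a, b):
                contracts.add((a.name, b.name))
    return contracts


if __name__ == "__main__":
    # Constructed sample: a legacy ERP linked to a new UI via a Custom group
    demo = [App("legacy-erp", "finance", CUSTOM, "erp"), App("erp-ui", "web", CUSTOM, "erp"),
            App("payroll", "finance", DEV_TEAM), App("ledger", "finance", DEV_TEAM),
            App("vault", "security", ISOLATED)]
    for c in sorted(derive_contracts(demo)):
        print(c)
```

Note that the payroll app (Development team mode, tenant finance) gets no contract to legacy-erp even though they share a tenant, because the Custom-mode app only consents to its `erp` group.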

In addition to truly securing applications (both existing and cloud-native), this solution also provides comprehensive performance monitoring of deployed applications. The Apprenda container platform integrates with AppDynamics to automatically include containerized applications in the org-wide performance monitoring solution. At deployment time, based on configurable rules, the platform injects necessary configurations into various types of guest applications to register them with AppDynamics.

As a result, both new and existing apps can also be monitored by a single tool in a consistent and frictionless way.

Watch the video below for a demonstration of the integrated solution!
