Create a CloudEOS IP Fabric in a Cloud Provider Using Terraform and CloudVision as-a-Service


Objective

The goal of this document is to guide you through the setup of CloudEOS in AWS and/or Azure using CloudVision as-a-Service and the Terraform CloudEOS examples in the Arista GitHub repository.

Obtain a CloudVision as-a-Service Account

Work with an Arista account team member to procure a CloudVision as-a-Service account.

Download and Install Terraform

From www.terraform.io, download Terraform 13 or above.  It is best to place the terraform binary file in the PATH of your workstation for ease of use.

Download and Install Cloud Provider CLI

For AWS Cloud Deployment

For an AWS demonstration environment, download and install AWS CLI v2 (https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) and ensure you can login to AWS through the command line on your workstation.

  • If you are using a personal or trial AWS account, follow the AWS installation and connectivity instructions to enable communications to AWS.
  • If you are using a corporate AWS account, it may be necessary to work with your IT department to install the AWS CLI and understand how to enable CLI communications to AWS.

For Azure Cloud deployment

For an Azure demonstration environment, download Azure CLI (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) and ensure you can login to Azure through the command line on your workstation.

  • If you are using a personal or trial Azure account, follow the Azure installation and connectivity instructions to enable communications to Azure.
  • If you are using a corporate Azure account, it may be necessary to work with your IT department to install the Azure CLI and understand how to enable CLI communications to Azure.

Cloud Provider Portal Actions

For AWS Cloud Deployment

  • Accept terms and conditions for using CloudEOS through the AWS Marketplace. 
    1. Log into the AWS portal and search for “marketplace”.
    2. From the AWS Marketplace, search for Arista.
    3. Choose the “Arista CloudEOS Router (PAYG)” selection and accept any subscriptions available.

For Azure Cloud Deployment

  • Accept terms and conditions for using CloudEOS through the Azure Marketplace. 
    1. Log into the Azure portal and click on “marketplace”.
    2. From the Azure Marketplace, search for Arista.
    3. Choose the “Arista CloudEOS Router (PAYG)” selection and accept any subscriptions available.

Download CloudEOS Example Repository

Download the CloudEOS Example repository, which contains sample topologies that are already built and ready for deployment.

The repository is available at https://github.com/aristanetworks/CloudEOS

On the site, click the green Code button to either download a zip file or clone the repository.

CloudVision as-a-Service Items to Complete

Create a Container

When CloudEOS is deployed using Terraform, a CloudVision container name needs to be specified as a Terraform input. This CloudVision container should have a username/password attached to it through CloudVision configlets. This configuration will be merged with the configuration that CloudVision generates and will be pushed to the CloudEOS devices. The user must first create a CloudVision container before deploying CloudEOS from Terraform. To create the container and configuration:

  1. Create a new container directly under the ‘Tenant’ container. To do this:
    1. Right-click the ‘Tenant’ container.
    2. Select Add->Container.
    3. Enter the name you would like to use.
    4. Click ‘OK’.
  2. Click ‘Save’ (without clicking “Save” the container will be created but not active).

Configure instances’ username/password 

Create Configlet

Create a Configlet that will be used for logging into your CloudEOS instances. The configlet simply contains a username/password.

  1. To create a Configlet, go to Provisioning->Configlets.
  2. In the upper right corner of the Configlets table, click the ‘+’ drop-down and select Configlets.
  3. Provide a name for the configlet and add the username configuration command with the network-admin role and a secret password. For the username test1234, an example is:
    username test1234 privilege 15 role network-admin secret arista

    You may wish to use an encrypted password taken from another Arista instance or physical device. Simply copy the username command from that configuration and paste it into the Configlet as seen below.

    Click Save at the bottom to save the configlet.

Attach the Configlet to the Container Created

  1. From the ‘Network Provisioning’ tab, select the container you created and attach the configlet.  To do this, right click on the container, and go to ‘Manage->Configlet’
  2. Search for the configlet that you created, select this configlet, and click ‘update’
  3. Click on ‘Save’ to save the configlet-to-container attachment.

Generate the CloudVision as-a-Service Token for CloudEOS Onboarding

A CloudVision as-a-Service Service Account token is required for Terraform to authenticate with CloudVision as-a-Service and will be configured in the input_vars.tfvars file discussed in the section below. The following are the steps to generate the Service Account token from the CloudVision as-a-Service GUI.

  1. Go to the Settings page by clicking on the gear in the upper right corner of the CloudVision as-a-Service GUI. Under the “Access Control” tab that will appear on the left, select “Service Accounts”.
  2. Click on “Add Service Account” and fill in the details. Choose Roles as “cloud-deploy” to get the right permissions to deploy CloudEOS resources. Click on “Save”.
  3. You can view the Service Account you just created under the list of Service accounts.
  4. To generate a token for the service account, select your service account name, and click on “Add Token To Service Account”.
  5. Under the “Generate Service Account Token” section, fill in the Description and desired validity of the token and click on “Generate”.
  6. Copy the generated token and set it as the service_token attribute in CloudVision as-a-Service configuration in the CloudEOS/examples/*/input_vars.tfvars file.
  7. You can view the generated token information as below. You may choose to remove the token before validity expires by clicking on “Remove Token” option.


Edit input_vars.tfvars File

CloudEOS Repository Structure

Before editing any files in the CloudEOS repository, it will be helpful to understand the directory structure.  The directory structure for the example topologies is shown below:

Each example topology contains multiple Terraform files that describe how the topology will be instantiated.  In the top level directory for each example, there is a master variable file called input_vars.tfvars.  This contains all the variables for the setup of the topology, and several of the variables need to be modified.  Use Notepad++ or an equivalent text editor to edit the text file.

For AWS Cloud Deployment

For the AWS cloud deployment, open the input_vars.tfvars file, and edit the following parameters:

  1. Edit the topology variable to name your topology.
  2. Edit the CloudVision as-a-Service section and populate the following variables:
    1. server – this should be the name of the server given for you to access CloudVision as-a-Service
    2. service_token – the service token was created in the steps above and should be placed in this location between the quotes (“”)
  3. Edit the keypair_name variable and add the keypair you created in each region between the quotes (“”)
  4. Edit the clos_cv_container and wan_cv_container, and choose the name that was used for the container created in CloudVision as-a-Service where the configlet was applied.
  5. For topologies with high availability enabled, there will be an aws_iam_instance_profile variable present which needs a value. This is an IAM profile that is pre-configured in AWS. To configure the IAM profile, refer to “AWS Specific Cloud IAM Role Configuration” in the CloudEOS documentation guide here: https://www.arista.com/en/cg-veos-router/veos-router-cloud-high-availability#concept_40224A6DE8914404AB12024F60E8C77E

Your input_vars.tfvars file may contain items such as the following after updating the variables mentioned above.

topology = "AWS-demo"

cvaas = {
  domain : "apiserver.arista.io",
  server : "www.customer.arista.io",
  service_token : "jZSBBY2NvdW50IiwiZHN..." #mandatory
}

keypair_name = {
  us-west-1 : "demo-keypair", #mandatory
  us-east-1 : "demo-keypair", #mandatory
  us-east-2 : "demo-keypair", #mandatory
}

clos_cv_container = "AWS-demo"
wan_cv_container = "AWS-demo"


For Azure Cloud Deployment

For the Azure cloud deployment, open the input_vars.tfvars file, and edit the following parameters:

  1. Edit the topology variable to name your topology. NOTE: Azure and multi-cloud deployments should not have a topology name that is more than 5 characters long, as a character limit will be exceeded in Azure and the build will fail.
  2. Edit the CloudVision as-a-Service section and populate the following variables:
    1. server – this should be the name of the server given for you to access CloudVision as-a-Service
    2. service_token – the service token was created in the steps above and should be placed in this location between the quotes (“”)
  3. Edit the clos_cv_container and wan_cv_container, and choose the name that was used for the container created in CloudVision as-a-Service where the configlet was applied.

Your input_vars.tfvars file may contain items such as the following after updating the variables mentioned above.

topology = "Azure-demo"

cvaas = {
  domain : "apiserver.arista.io",
  server : "www.customer.arista.io",
  service_token : "jZSBBY2NvdW50IiwiZHN..." #mandatory
}

clos_cv_container = "Azure-demo"
wan_cv_container = "Azure-demo"

azure_regions = {
  region1 : "westus2"
}

Deploy Resources

To run a specific topology, enter the appropriate directory.  For this example, we are going to be in the aws_tworegion_cloudha directory.  In the repository, the directory path is:

CloudEOS/terraform/examples/aws_tworegion_cloudha/

While deploying VPCs it is necessary to maintain a specific topology. For this reason, and to allow for modularity, there are three different types of directories possible in each topology. The “topology” directory consists of the topology’s Route Reflector(s), the “edge” directory contains the definition of the Edge VPC/VNET and CloudEOS Edge devices, and the “leaf” directory contains the Leaf VPC/VNET definition and the CloudEOS Leaf devices.

To launch the topology, log in to the cloud provider, go into each directory starting with topology, and issue the commands in the order shown below:

(Note: some examples do not have a topology folder; in that case start by deploying the edge.)

  1. Log in to the cloud provider through the CLI.
  2. Enter the topology directory and execute the following commands
    1. terraform init
    2. terraform plan -var-file=../input_vars.tfvars
    3. terraform apply -var-file=../input_vars.tfvars --auto-approve
  3. Enter the edge/ directory and execute the following commands
    1. cd ../edge/
    2. terraform init
    3. terraform plan -var-file=../input_vars.tfvars
    4. terraform apply -var-file=../input_vars.tfvars --auto-approve

      NOTE (Azure only): The Terraform apply prompts for a username/password which will be used to log in to the CloudEOS instance. Password requirements: at least 8 characters long, containing at least 1 upper case character, 1 numeric character, and lower case characters. The link below contains more information on the password if needed: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm

  4. Enter the leaf/ directory and execute the following commands
    1. cd ../leaf
    2. terraform init
    3. terraform plan -var-file=../input_vars.tfvars
    4. terraform apply -var-file=../input_vars.tfvars --auto-approve

Explore the Topology

Explore CloudVision as-a-Service

Multi-Cloud Dashboard

The Multi-Cloud Dashboard found in CloudVision as-a-Service provides a view of the health of the topology that was deployed.  To get to the Multi-Cloud Dashboard, click on Devices and then “Multi-Cloud Dashboard” on the bottom left of the window.
From here, you can view the resources in the cloud. AWS is the default view, but if you deployed in Azure, you can select Azure. As highlighted in the view below, it is possible to see all the VPCs deployed for the topology. For the AWS Two Region HA topology, a Route Reflector is deployed in its own VPC, two Edge VPCs are created (one for each region), and four Leaf VPCs are created (one for each pair of Leafs).

Note also that the Multi-Cloud Dashboard indicates in what region the VPC was deployed, and the VPC name maps to the AWS console as seen below.

Next, by clicking on one of the VPCs, it is possible to see the status of the devices in that VPC.  Clicking on one of the Edge regions shows the health of the edge device and whether or not the configuration of the devices was successfully deployed.

By clicking on the device listed, you will be taken to the devices view and can see any of the telemetry metrics you would normally see for an instance.  Check out the configuration to see what configuration was deployed to the instance.

Going back to the VPC view under the Multi-Cloud Dashboard, it is possible to look at the connections between the regions as well as the connections between the Edge and the Leafs in that region.  First, by clicking on the “WAN Connectivity” tab, it is possible to see the health of the connections between regions as well as the Uptime, Latency, Jitter, Packet Loss, and Bandwidth of each connection.  This may be helpful in troubleshooting problematic flows or checking on the general health of the deployment.  By default, the topology will load balance across all equal paths, and a balanced bandwidth should be seen for any traffic because of this.

Now click on the “Regional Connectivity” tab.  This provides the same type of information as the WAN Connectivity tab but for connections from the Leafs to the Edges for each Region.  It is possible to see the same Uptime, Latency, Jitter, Packet Loss, and Bandwidth for traffic flows between the Leaf and the Edge devices.

Topology View and Cloud Segments

One of the powerful aspects of CloudVision and CloudEOS is the ability for CloudVision to understand the topology of the CloudEOS devices by looking at a number of items that are streamed from the CloudEOS routers.  Below is a portion of the view of the AWS Two Region HA topology as seen by CloudVision.  It is showing the actual connections between devices, and, by clicking on a device, the dotted lines between the routers will be highlighted and represent the overlay connections as seen in the WAN and Regional Connectivity.

From this view, it is possible to also see a number of overlay items of interest, and one to highlight is the segmentation view.  By selecting this view from the Overlay dropdown menu on the left of the page, it is possible to see the segments in the topology.  After selecting segments from the dropdown, for the AWS Two Region HA topology, the default, dev, and prod segments are indicated by different colors surrounding the devices. As an example, the dev segments are shown below for Region 3.

Login to Instances

Once the topology is deployed, explore the network that has been created by connecting to one of the edge devices first.  The public IP address of the edge devices can be obtained several ways, two of which are discussed below:

  1. Change the directory back into the edge directory and issue the command “terraform output” at the prompt. This will provide the IP address for the edge devices in your topology.
  2. Login to the cloud provider portal and navigate to one of the Edge CloudEOS instances, and obtain the public IP address of that instance.

Now that you have the public IP address, ssh to the edge device using the username/password that you placed into the CloudVision as-a-Service Configlet earlier.  

Once in the environment, if you did not modify the IP addressing used in the input_vars.tfvars file, use the diagrams in the repository to move from edge to leaf to host using the IP addresses shown in the diagrams. 

For example, in the Azure One Region Multiple Leaf topology, once connected to the edge, ssh to Leaf1 CloudEOS1 by issuing the command “ssh -l <username> 16.0.0.101”, where username is the username you used in the configlet you created.

Once in the leaf, you can also ssh to the host as well. NOTE: For an Azure environment, the host username/password will be what you provided when prompted by the Terraform build.  For an AWS environment, the username/password for the host is “cloudeos/cloudeos1234!”.

Destroy Resources

The last thing you will want to do when finished is delete the topology.  Do not forget to destroy the topologies at the end of your test or you will continue to incur public cloud costs. 

Enter every directory in the opposite order to delete the resources:

  1. Enter the leaf/ directory and execute the following commands
    1. cd ../leaf
    2. terraform destroy -var-file=../input_vars.tfvars --auto-approve
  2. Enter the edge/ directory and execute the following commands
    1. cd ../edge
    2. terraform destroy -var-file=../input_vars.tfvars --auto-approve
  3. Enter the topology/ directory and execute the following commands
    1. cd ../topology
    2. terraform destroy -var-file=../input_vars.tfvars --auto-approve
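
As an added example (my own script, not code from the CloudEOS repository), the following POSIX shell functions run the deploy sequence above (topology, edge, leaf) and the destroy sequence in reverse, skip a topology/ directory an example does not have, and pre-check input_vars.tfvars for the Azure 5-character topology limit and an empty service_token before anything is created. The function names are assumptions; the directory layout is the one shown in the Deploy Resources section.

```shell
#!/bin/sh
# Added example, not from the CloudEOS repository: run the per-directory
# terraform sequence in the guide's order (topology, edge, leaf for apply;
# the reverse for destroy), skipping a topology/ directory the example lacks.
# Assumes the layout CloudEOS/terraform/examples/<name>/{topology,edge,leaf}
# with input_vars.tfvars one level above the three directories.
set -eu

TERRAFORM="${TERRAFORM:-terraform}"   # set to "true" for a dry run without terraform

# Print the directories to visit, in order, for "apply" or "destroy".
cloudeos_dirs() {
    example_dir=$1; action=$2
    case "$action" in
        apply)   order="topology edge leaf" ;;
        destroy) order="leaf edge topology" ;;
        *) echo "usage: cloudeos_dirs <example_dir> apply|destroy" >&2; return 2 ;;
    esac
    for d in $order; do
        if [ -d "$example_dir/$d" ]; then echo "$d"; fi
    done
}

# Pre-flight checks on input_vars.tfvars before anything is created: Azure and
# multi-cloud topology names longer than 5 characters fail the build, and an
# empty service_token cannot onboard the routers to CloudVision as-a-Service.
cloudeos_preflight() {
    tfvars=$1; cloud=$2   # cloud is "aws" or "azure" (use azure for multi-cloud)
    topo=$(sed -n 's/^topology *= *"\([^"]*\)".*/\1/p' "$tfvars")
    [ -n "$topo" ] || { echo "topology is not set in $tfvars" >&2; return 1; }
    if [ "$cloud" = azure ] && [ "${#topo}" -gt 5 ]; then
        echo "topology '$topo' is ${#topo} characters; Azure allows 5" >&2; return 1
    fi
    grep -q 'service_token *[:=] *"[^"][^"]*"' "$tfvars" ||
        { echo "service_token is empty or missing in $tfvars" >&2; return 1; }
}

# init, plan (apply only) and apply/destroy in each directory, in order.
cloudeos_run() {
    example_dir=$1; action=$2; cloud=$3
    cloudeos_preflight "$example_dir/input_vars.tfvars" "$cloud"
    for d in $(cloudeos_dirs "$example_dir" "$action"); do
        echo "== terraform $action in $example_dir/$d"
        ( cd "$example_dir/$d" &&
          "$TERRAFORM" init &&
          { [ "$action" != apply ] || "$TERRAFORM" plan -var-file=../input_vars.tfvars; } &&
          "$TERRAFORM" "$action" -var-file=../input_vars.tfvars --auto-approve )
    done
}
```

Run it as `cloudeos_run CloudEOS/terraform/examples/aws_tworegion_cloudha apply aws` after logging in to the cloud CLI, and with `destroy` in place of `apply` when you are done.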