Automate Security Policy Management for Cisco ACI for Accelerated App Deployment With Ansible & Tufin

Last updated February 15th, 2023 by Roi Alon

The ACI Fabric aims to provide a flexible and robust application-centric architecture to help you deploy apps faster and more frequently. As the number of new apps deployed continues to grow, so does the sheer number of access change requests, and the overwhelming number of variables to provision traffic flow access within and through the data center. Implementing the right contracts and relevant firewall rule changes to enable secure access to apps in a timely manner is challenging.

It’s not only about creating new contracts between EPGs from the same or different tenants. More often than not, the process also involves modifying the corresponding existing service firewall rules to enable access to non-ACI assets (e.g. an on-premise database). For users, this means locating the relevant rules in all the multi-vendor firewalls on the required communication paths, pinpointing the necessary changes to the rule or rules, and deploying the changes manually without introducing additional risk or network outages. This process becomes complex and laborious, and it often takes hours or even days to implement the change.

To help users deal with this common problem and save valuable time in the business app deployment process, while eliminating the risk of manual configuration errors, we’re now extending our capabilities to enable our customers to automate policy changes in Cisco ACI and across the rest of the IT environment.

Simplify security policy change management and accelerate app deployment

Tufin Policy Change Automation app for Cisco ACI, the newest app available on the Tufin Marketplace, leverages Ansible, the tool of choice for many organizations for orchestrating ACI Fabric configuration changes, to automate changes to ACI contracts. The app then utilizes Tufin’s unparalleled visibility and automation capabilities to automatically make the necessary modifications to related firewall rules to enable the right access for business apps deployed in the ACI Fabric, and across the hybrid environment.

One year ago we introduced our enhanced support for Cisco ACI to enable our customers to centrally manage their ACI and non-ACI environments as one, directly from Tufin. With Tufin Orchestration Suite, users gain full visibility and path analysis for Cisco ACI, and control traffic traversing the Fabric, for accurate and fast anomaly detection, remediation, and network change planning.

Now, with Tufin Policy Change Automation app for Cisco ACI, we’ve enhanced our capabilities and provide the option to automate changes to ACI contracts and firewall rules across the hybrid environment, to enable the required access quickly and efficiently for apps deployed in the ACI Fabric.

Auto-Change Workflow – Where Security is Key

Based on an integration between Tufin and both Ansible Tower and Ansible AWX, the Tufin Policy Change Automation app for Cisco ACI provides a standardized process to automate the entire change process, from submission to implementation, validation, and reporting, using a multi-step, visualized, and customizable workflow. Here’s how the workflow runs:

[Image: SecureChange ticket]

Alongside the app’s various built-in security controls, such as proactive risk assessment and implementation verification, we have designed the change workflow to be as transparent as possible. This means that you gain full visibility of the progression of changes made to ACI resources, multi-vendor firewalls, switches, and routers, plus the ability to configure specific conditions for the change, such as enabling approvals to be defined within the Tufin app prior to executing an Ansible job. The Tufin app also documents all rule and contract changes for simplified audit and compliance preparation.

Integrate the Tufin Policy Change Automation app for Cisco ACI with your ITSM solution

The Tufin Policy Change Automation app for Cisco ACI can be integrated into your ITSM workflows to trigger a change within and across your ACI Fabric. Subject to how you design your ITSM process, the Tufin app can trigger a full implementation notification sent directly from the Tufin app to the ITSM. 

Leveraging other Ansible Playbooks

You can also integrate additional customizable Ansible playbooks to simplify ACI Fabric management. For example, you can enable access between additional ACI fabrics and automate further attributes, including scope, direction, and more.

At Tufin, we’re consistently working alongside our customers to seamlessly fit Cisco ACI into their current hybrid networks, without the challenges of configuring and managing contracts and rules manually.  

Free 30-day Trial

Tufin Policy Change Automation app for Cisco ACI is available to Tufin customers for a free 30-day trial, and can be downloaded from the Tufin Marketplace, which offers apps that help users enhance protection, enable faster detection, and deliver intelligent responses across a wide range of security and IT domains. 

If you want to learn more and see Tufin Policy Change Automation app for Cisco ACI in action, join us for this webinar. To download the Tufin Policy Change Automation app for a free 30-day trial, click here.
