Workload VPN intent deployment

Deploying a workload VPN intent creates a functioning instance of the workload VPN intent as an overlay to your fabric.

Before you can deploy your workload VPN intent, you must have saved the workload VPN intent and generated its configuration.

Deploying the workload VPN intent involves the following procedures:

The system also supports the auto-deployment of workload intents. For example, you can use the Fabric Services System REST API to create workload intents that are automatically deployed, without having to add them to the deployment pipeline and then deploying them from the pipeline queue.

System checks before workload intent deployment

The following circumstances can prevent you from deploying a workload VPN intent:

If any of the nodes within the associated fabric intent are unavailable (that is, not in a Ready state), you cannot deploy the workload VPN intent.
In such a case, you must correct the node state. When all nodes are back in a Ready state, you can proceed with the deployment of your workload VPN intent.
If any of the nodes that belong to a workload VPN intent are already under deployment by another workload VPN intent, you must wait until the deployment of the previous workload VPN intent has completed.
During the deployment of a workload intent, although the system checks whether the referenced interfaces are in the underlay intent, ensure that you do not remove interfaces that are being used in a workload intent from the underlay interfaces.

Automatic deployment of global profiles referenced in a workload intent

For workload VPN intents that reference a global profile (ACL or QoS profile), after you generate the workload intent configuration and deploy the workload intent, the system:

checks if a new version of the workload intent is required and, if needed, creates one
adds the global profile associated with the workload intent to the deployment pipeline and deploys it
adds the workload intent to the deployment pipeline

Adding a workload VPN intent to the deployment pipeline

You must have saved the workload VPN intent and generated its configuration.

Click to open the main menu and select Workload VPN Intents.
Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
Find the workload VPN intent that you want to deploy from the displayed list and click at the end of its row.
Select Open from the drop-down list.
Click to deploy.
Click ADD TO PIPELINE.
The system adds the workload VPN intent to the deployment queue for the region and updates the status of the workload VPN intent to Queued for deployment.

Deploying a workload VPN intent from the deployment pipeline

After you add a workload VPN intent to the deployment pipeline, it remains there until you tell the system to proceed with the deployment.

Click to open the main menu and select Workload VPN Intents.
Use the Region Selector at the top of the page to select the region containing a workload VPN intent.
Find the workload VPN intent that you want to deploy, then click at the end of its row.
Select Deployment Pipeline from the actions list.
Find the workload VPN intent in the deployment pipeline list and click at the end of its row.
From the resulting actions list, select Deploy.
You can view the progress of the software update deployment from the Deployment Pipeline page.
If deployment fails, the failure is reported as follows:
- queue status: reports Error with detailed status reason
- fabric intent: reports Deployed and shows a new entry in the Event log showing that the Workload deployment failed
- workload VPN intent: reports Failed
  
  In the workload VPN intent Design view, the system also highlights deployment issues in the status bar by adding a red circle to the fabrics affected by the deployment error and with entries in the events log.