NetDevOps Concepts – Infrastructure as Code

Blog Detail

Welcome to the third in our series of posts about NetDevOps concepts! We have previously done an introductory post, as well as one on the concept of Minimum Viable Product, so be sure to check those out if you haven’t already!

In this post we’re going to dive into the concept of Infrastructure as Code or IaC, and how it can be applied to your network.

Infrastructure as Code is a commonly used DevOps term for managing or provisioning equipment in your infrastructure via an automated and repeatable process. This means that your infrastructure is always maintained in a known and pre-defined state, which allows you to utilize and enforce best practices across your entire infrastructure with ease.

In addition, adhering to Infrastructure as Code principles ensures that your infrastructure is less prone to unexpected or unplanned changes. Even if someone did change the infrastructure manually, and cause a negative impact, you are able easily and immediately re-apply the known/good state to restore service.

Your security team will thank you as well, because being able to uniformly ensure that good, secure, configurations are in place on your equipment makes their jobs tremendously easier.

The Pillars of Infrastructure as Code

In order to build an Infrastructure as Code based NetDevOps solution in your own network, it is essential to understand the key underlying components, or pillars, of Infrastructure as Code. A firm grasp on the pillars, how they interact, and which tools belong in which pillar, will allow you to craft a powerful and robust IaC solution in your environment.

Infrastructure as Code is usually built upon four key pillars.

  1. Source of Truth (SoT) – SoT is often a combination of the following components:
  2. CI/CD – CI/CD stands for Continuous Integration and Continuous Deployment or Delivery and describes systems used to manage and execute the changes to, or deployment of, your infrastructure.
  3. Tests – Tests allow you to go forward with the faith that changes executed by this process will be successful and not cause unwanted or unintended changes to your infrastructure.
  4. Deployment and Configuration Tools – These tools are varied and can take many forms depending on the IaC system being built. For NetDevOps these will frequently be tools or systems that can talk to the management plane of the network (via SSH or HTTPS) to implement changes.

If we were building the Infrastructure as Code “house”, consider Source of Truth to be the blueprints. The CI/CD system is the Foreman or General Contractor overseeing construction, and Tests are the Building Inspector. Your Deployment and Configuration Tools are the Electrician, Plumber, and Carpenter who build the house!

There are many potential combinations of Source of Truth, CI/CD, Testing and Deployment tools, so don’t worry if the possibilities initially seem overwhelming. For example, Source of Truth and CI/CD will have entire dedicated articles in this series. To assist with becoming more familiar with the tools available to you, at the end of this post we have collected an Appendix called “Lay of the Land” with tools in each of these pillars and links for further research.

An Example of the Pillars in Action

If we think about the IaC pillars, we can construct an example scenario using them to illustrate each pillar’s purpose in an overall Infrastructure as Code deployment.

A system built on these pillars often utilizes configuration and metadata files, kept in a Source Control system such as Git, to generate device configurations based on facts kept in a System of Record/DCIM such as NetBox. Together these elements form the Source of Truth for a portion of the infrastructure. Engineers would make changes to a file or files in Git to describe the desired changes to the state of the infrastructure. Prior to these changes being implemented on the infrastructure, they would require a peer review, and for any tests run by the CI/CD system to pass.

When these proposed changes are made to the relevant area of your Source of Truth, a CI/CD tool such as Jenkins will detect or be notified of the changes. The CI/CD tool will then execute a series of steps (often called a “pipeline”) to properly test these proposed changes to the infrastructure.

Inside the pipeline, tests are executed before any infrastructure changes are made, to validate their potential for success and any impact they may cause. Simple tests are commonly used to validate (or “lint”) that the changed files themselves are syntactically and logically valid. In addition, in a Network IaC pipeline, tests are often run with a tool such as Batfish which can analyze and understand network device configuration. These advanced tests allow you to validate potential changes will not affect an unexpected element of your network. They allow you to, in advance of touching the network itself, be confident that these changes will not cause adverse impact or unintended security policy changes. Pass or fail, the status of these tests are reported back to Git for display, or can be passed to a chat platform such as Slack.

If the tests are successful, and in this example the changes are approved and merged in Git, the changes are then able to implemented via a Deployment Tool, such as Terraform or Ansible (or both), or even plain Python. This step does not have to happen immediately, and the pipeline in your CI/CD tool can easily be made to wait until a pre-determined change window to execute the pending changes. Once the pipeline is ready to deploy the changes or infrastructure itself, the Deployment Tool will deploy or configure elements of your infrastructure based upon the changes recorded, approved, and tested, from the Source of Truth.

And finally, tests are executed once again to determine the success of the deployment actions. If these tests fail, they can either rollback the executed changes, or alert an engineer that some sort of intervention is needed via a message in Slack.

Network Infrastructure as Code

When speaking specifically about bringing Infrastructure as Code into the NetDevOps world, there are two common types of use cases.

The first type is utilizing IaC to deploy virtual network infrastructure itself. This would include for example, automatically provisioning an AWS VPC to terminate VPNs for your organization or spinning up a virtual firewall appliance in ESX.

The second type is utilizing IaC to deploy configurations to your existing network infrastructure (including physical equipment). This could be keeping the list of your BGP peers in a file in Source Control, and then applying the appropriate configuration to the routers in your network when changes are made to this file.

Determining which of these two areas you wish to work on first will be up to you, although most commonly in enterprise networks we see the later pursued (configuration of physical equipment) as it is the largest opportunity to have an impact on day-to-day operations. Removing the need to manually configure VLANs, and simply making a change to a file under Source Control with a CI/CD tool doing the rest, is extremely attractive to many organizations.

Infrastructure as Code and You

If you are feeling a little dazed and confused by all the ways that you can potentially bring Infrastructure as Code principles into your network, you’re not alone. There are many websites, blogs, or YouTube videos that can take you through the next steps on your NetDevOps journey. Or, you could always drop an email to us here at Network to Code as this is our bread and butter, and we’d be more than happy to help you take the next steps.

-Brett


Appendix: Lay of the Land

This is a listing (in no specific order) of commonly used tools in each of pillar to help you begin to organize them in your mind. It is worth noting two things about the below list. First, this is by no means exhaustive and intended simply to help you orient yourself among the plethora of tools that exist in each pillar. Wikipedia has long lists of common Source Control softwareopen-source configuration management tools, and other Infrastructure as Code Tools if you wish to dive deeper.

Secondly, some tools (such as Github or GitLab) appear in multiple pillars below as they provide multiple areas of functionality. This has happened more often in the past few years as, for example, closer integrations of Source Control and CI/CD have become standard features. Nothing is written in stone that says simply because you utilize GitHub for Source Control, you also have to utilize it for CI/CD. Evaluate each tool based on its strengths as well as you and your organization’s experience/familiarity with it.

Source of Truth

Given that a Source of Truth in practice is usually aggregated from several places, I’ve broken it out below into sections for Source Control and for Systems of Record. The relevant Systems of Record in an enterprise environment are often CMDB/DCIM (Configuration Management Database/Data Center Infrastructure Management) tools, so those are covered below.

Source Control

While Git is, by far, the most commonly used Source Control system (with many different services and implementations as shown below), it is good to understand some of the other Source Control tools available as well.

System of Record

Frequently in the System of Record category, there will be multiple of these inside a large organization. Not all elements of the network infrastructure are represented in each system, and some may be syncing data between themselves. In addition, while a CMDB or a DCIM serve different purposes in an environment, there is overlap in the data they may have, and thus can fill some of the same role in an Infrastructure as Code deployment. Some large enterprises have even built their own DCIM or CMDB tools in house, and integration with those tools will vary widely.

CI/CD

There is no clear winner in the CI/CD pillar, so we would recommend learning if one of the below is in existing use inside your organization and attempt to leverage it for your purposes.

Deployment and Configuration Tools

This pillar is very diverse, as the Deployment and Configuration tool you choose largely depends upon your use cases. It can be driven by what type of infrastructure you’re wishing to deploy/configure, how you wish to configure it, or even existing familiarity with a given tool.

It is worth calling out that there are a series of Python tools/libraries that are commonly utilized (frequently in combination) for building custom configuration tools for network equipment as well:

Testing Tools and Frameworks

Testing can take on many varieties and flavors, but for Network Infrastructure as Code the tools you use largely fall into three camps.

First are tools that lint/validate the configuration or code files themselves statically. That means tools which examine the contents of each file and insure, for example that the file claiming to be YAML formatted, really is valid YAML.

Second are tools that spin up infrastructure to allow you to test a simulacrum of your network. These tools, commonly used for training and educational opportunities, were traditionally the main way network changes were validated before the third category appeared.

Third, and the most exciting, are tools that validate the logic of the configuration changes you are attempting to make. These tools will actually analyze the change you are making and it’s potential impact to other elements of your infrastructure.



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!

NetDevOps Concepts – Minimum Viable Product

Blog Detail

Welcome to the second in our series of posts about NetDevOps concepts! Don’t forget to go back and check out the introductory post if you haven’t already. This post is all about minimum viable product or MVP. MVP is a product management and software development concept that has made its way over into the NetDevOps world. It involves producing a product or solution that meets the minimum goals and milestones for success, then allowing for user/operator feedback to direct and inform future development. Only after delivering something focused and successful as the MVP do you build iteratively upon your previous work, guided by the received feedback, to add features or enhancements. The key to remember with this concept is that it is not just “minimum product,” it is minimum viable product.

What is Viability?

If we are going to talk about a minimum viable product to achieve your NetDevOps goals, we need to talk about the concept of viability in a software project. Specifically for our use cases in NetDevOps, viability means a product or solution that can deliver the requested outcome consistently and in an automated fashion. For example, say that your initial goal is to programmatically manage VLAN reservation and deployment on switches in your data centers. A viable solution to this problem would not just reserve the VLAN, it would also need to deploy the configuration to the switches themselves. The solution would not be considered viable if only half of this goal is completed, perhaps just assignment of the VLAN but not the configuration.

As another example, say that your goal was to generate a report that listed all network devices with non-compliant AAA configurations. If you built a solution which generated the report, but also automatically remediated the non-compliant configurations, you have created a viable solution. However, it is not the minimum viable solution. While remediating the non-compliant devices may be the logical next step after identifying and reporting on them, it is not in the original goal. And as a result, you’ve performed work that was not scoped or planned for this stage of the project, and potentially misdirected time and effort that could be better spent elsewhere.

Many projects undertaken by engineers venturing into network automation and NetDevOps rapidly veer into the second example and attempt to “boil the ocean.” I have been guilty of this in the past, and given the chance to do some of my earliest automation projects again, I would dramatically reduce the scope and focus on delivering a concise and successful outcome for one use case. Then, once I had laid the groundwork for my MVP, I could build on that success to scale up rapidly to tackle additional use cases or workflows.

Defining the Minimum Viable Product

Accepting that building an MVP and iterating on it is a successful strategy to build your NetDevOps platform and tooling, one commonly asked question is “How do you scope the minimum viable product?” While every network is different in some ways, here are some simple ideas to help you determine what the minimum viable product might be for applying NetDevOps methodologies to your network infrastructure. If you are already well along with implementing NetDevOps concepts in your network, perhaps each time you look at including an additional workflow into your processes, consider the below and plan accordingly. While this is by no means an authoritative blueprint, it is meant to present the some ideas and concepts to keep in mind when thinking about minimum viable product on your NetDevOps journey.

Start Small

Perhaps your network only has 50 devices in it, or maybe your network has 50,000. Either way, you must always start small. Chose a handful of network devices that you can manipulate at will. When scoping what your minimum viable product will solve for a given problem, consider what portion of the network you could live without. If the answer to the question, “What would happen if I took these devices down?” makes you sweat, probably do not start on those devices.

If your goal is, for example, to enforce a known/golden configuration on all user facing switch ports in your office environment, choose whatever qualifies as small for your environment (maybe a single office building or floor or even closet), and begin with those.

Small Isn’t The Same As Simple

Evaluate the pieces of technology you’ll need to execute this plan, and start to build them out. Remember that just because we are “starting small” and building a minimum viable product, doesn’t mean there isn’t the potential for a considerable level of effort.

Perhaps you might need to:

  • Acquire Linux VMs for jump hosts, development environments, and application servers.
  • Build/configure a CI/CD tool such as Jenkins.
  • Set up a local Git server to hold your code, configurations, and any other data needing source control.
  • Establish a device inventory or Source of Truth such as NetBox.
  • Set up an Ansible AWX server to execute your built playbooks.

These are not necessarily trivial steps, depending on your organization and the skills present there. Targeting a small group of devices in your MVP, and clearly scoping the requirements, will allow you to focus on acquiring any newly needed skills along the way as you build this infrastructure.

Scale Fast

When you have built the tooling to successfully control the switch ports on your initial batch of devices, you can begin to expand your scope to include additional closets/floors/buildings in ever increasing batches. I have found that starting with a group of 10 to 15 devices and roughly doubling that total each time you feel comfortable to automate against more devices, can quickly bring even the largest fleets under management of your NetDevOps tooling.

Working in this iterative fashion helps build up confidence in your tooling and infrastructure, not just from yourself or your team, but from the business at large. Everyone has heard some horror story about network automation run amok and bringing down a business, and that organization swearing never to try automation again. By starting small and building a highly tested and trustworthy MVP, you can begin to build trust among even the crustiest of CIOs.

MVP Include Tests

Say that you have configured tooling to automatically apply the known “golden” configuration to your users’ switch ports; however, a new version of the network device operating system utilizes a slightly different syntax. How do you know this is a problem prior to breaking network access for thousands of users? Testing, testing, testing!

Even if you are building something simple and small, you must include tests at both the code level (unit tests) as well as at the network level (integration testing). Having a well thought out, automated, and fully implemented test plan is absolutely crucial to being able to trust your NetDevOps infrastructure, processes, and workflows. Without testing in place, you are simply hoping that nothing will ever change on your network, and we all know that is simply wishful thinking.

Minimum Viable Product

Setting out from the beginning to build a solution as described above may be beyond your current skill set. Even if it is something you have skills or experience with, it may be more than you have time for all at once. Breaking it into deliberate, functional pieces and working towards a minimum viable product will allow you to deliver functionality quickly, and rapidly build your skill set along the way. In practice, sometimes it may not be that clean-cut, and you certainly may need to adjust your goals or targets and increase the scope of the project.

Bear in mind, even if you have to moderately increase the scope of your project outside the originally planned MVP, that you will still be delivering a focused and successful outcome with measurable value to your business. Once you have proved your NetDevOps chops to your business at large via a minimum viable product, they will be more inclined to trust you to automate larger and more impactful portions of the network environment.


Conclusion

If this all sounds wonderful but outside the realm of the possible, remember that everything I talked about above is completely possible. These are the kinds of problems that we at Network To Code help our customers and partners tackle every day.

-Brett



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!

NetDevOps Concepts – An Introduction

Blog Detail

As the networking industry moves to embrace NetDevOps, there are often many terms used that network practitioners are unfamiliar with. This can lead to many people feeling unsure about what role a new technology could play in their organization, or even being afraid to ask for clarity about a discussed concept. In fact, there are a few questions we see asked time and time again.

“What is CI/CD, why would it have a pipeline, and what does that have to do with my network?”

“What does IaC or SoT mean?”

Or even, “What is NetDevOps anyway and why should I care?”

In this series of blog posts, we will delve into NetDevOps in a way that ensures you have familiarity and a basic understanding of what NetDevOps is, as well as some of the key components. We will also talk briefly about how, and why, you might apply a some of these concepts to operating your network.

What is NetDevOps?

Many fantastic blog posts and presentations discussing what NetDevOps is as a philosophy exist, and I won’t revisit all of their points here. Suffice to say that NetDevOps brings key concepts from the DevOps movement, which we’ll talk about deeply in subsequent blog posts, and applies them to operating and building networks.

With the proper application of NetDevOps concepts, you no longer have to think about your network as static, rigid, and fragile. Instead, you can start to treat it as something flexible and responsive to your desires or business needs. Some examples of these concepts include:

  • Continuous Integration/Continuous Deployment (CI/CD)
  • Infrastructure as Code (IaC)
  • Source of Truth (SoT)
  • Minimum Viable Product (MVP)
  • ChatOps

As for seeing these concepts in action, let us say that you need to deploy a new site to your corporate VPN. Without a NetDevOps approach to managing your network, you could spend a week fighting by hand to build the proper IKE/ISAKMP settings for the tunnel and documenting the site in your systems, applying changes, and then testing to ensure everything is functional.

However, if you are using a few key NetDevOps concepts to manage your network, your process could look more like this:

  • Message new vpn site to @my_netdevops_bot in your chat application (Slack/MS Teams/Webex Teams)
  • Fill in the site name, equipment type, and other metadata as prompted by the bot.
  • @my_netdevops_bot uses that information to:
    • Create the site in your Source of Truth (SoT)
    • Merge a Jinja template with the relevant data from your SoT
    • Present you with the rendered configuration in chat application
  • Upon approval of the change, @my_netdevops_bot will connect to the devices, and deploy these configuration changes
  • @my_netdevops_bot then queries the network (or other systems such as monitoring systems) to determine if the change was successful and present you with confirmation in chat.
    • If the change failed for some reason, @my_netdevops_bot can then start to troubleshoot some basic things on your behalf and present that information to you as well.

This is not a far-fetched or cutting edge example, this is just one of the many ways in which we see the application of NetDevOps concepts on a daily basis across all types of organizations.

“But…”

Usually, about this point in the conversation, there is a “But…” lurking off in the wings. Some greatest hits include, “But my network is too old” or “But my network is too unique.” My personal favorites are, “But my network is too large/too small!” as if there was a mythical Goldilocks zone where these concepts apply. The list goes on, but for almost every exception raised, there is an answer. Most of these can be addressed by two main responses.

First, no one is suggesting that you go directly from zero to the scenario described above. Embracing a NetDevOps mentality and approach to your network operations is an iterative process. Applying just a few of these concepts (and not all of them) to a single small element of your network is the best way to begin your NetDevOps journey. Even small, simple steps can pay large dividends. If you are manually generating device configurations, start to look at building a templating system for your device configurations and keeping it as code in a Git repository. This first step of only generating the configurations, leaving the engineer to actually qualify and apply them, can pave the way for many other steps in the future. Even in and of itself, simple configuration generation from a template can provide time savings and operational wins by removing human error and ensuring there is a single standard configuration.

Secondly, no network is too special to take advantage of these concepts. Is your network very large and complicated? Is literally every single component unique? Pick a single place in your network to start implementing a Source of Truth (such as NetBox). Having the data in an easily accessible API and/or GUI, and in a known standard format, will show value immediately for any other concepts you wish to apply. Does your network lack coherent standards? Start to enforce them on a single item of configuration, such as the AAA configuration, via Infrastructure as Code principals. Ensuring that the AAA configuration on all devices is a known/expected value at all times is extremely valuable from an operational and security perspective. Your compliance auditors will thank you!

Each of the above strategies relies on the concept of a Minimum Viable Product. When you start to embrace NetDevOps concepts for operating your network, do not expect to solve all of your problems in the first try. Pick one straightforward problem to solve. Build your solutions and tooling to solve that problem, then begin using it in your day-to-day work. If it is successful, look at adapting your tools to solve additional problems. As described above, perhaps you tackle only the AAA configuration first. When that is fully managed in a Source of Truth, and as code instead of raw device configuration, you can expand to managing the SNMP configuration on all your devices as well. Next, you could tackle management ACLs to your devices or NTP and DNS settings, really it’s up to what makes sense in your network. In this way you will rapidly expand the portions of your network that are being managed via NetDevOps.

Next Steps

This is the first in a series of posts on NetDevOps concepts, and I highly recommend staying tuned for the subsequent posts where we dive into some of these concepts in greater detail. We’ll have use cases and examples for each of them, including how to tie these all together into a coherent network automation strategy in the end.


Conclusion

If you’re impatient, you can always reach out to info@networktocode.com for more information on our services and training to help you take the next steps on your NetDevOps journey.

-Brett



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!