Lately I have been learning a new concept called infrastructure as code (IaC), so I decided to blog about what I learn.
What is IaC?
What if we could manage our network devices the way developers manage code: versioning, automatic testing, code review etc.? IaC tries to change how we manage our infrastructure and bring the benefits programmers already have to infrastructure.
Why do we need IaC?
As many network engineers know, if you want to make a change to your network there are steps you need to go through:
- Schedule a maintenance window
- Create and approve a work plan
- Start the maintenance window after hours
- Push the new configuration to the devices (and hope you didn't make a typo or any other mistake)
- Perform testing
- Wait for other teams to complete their changes and testing
- Summarize the results for tomorrow's on-call engineers
Hopefully, a few hours later and before the end of the maintenance window, you go home.
I want to go home as fast as possible.
IaC gives us built-in tests, consistency, automatic documentation, task lists and more.
Infrastructure changes today are more frequent and at a larger scale, so we need to adjust how we do our day-to-day job to make changes more reliable and faster. As infrastructure engineers (network, systems, storage, security etc.), if we want to compete with the public cloud we need to change the way we manage our infrastructure.
The traditional way
Let's examine a simple example: managing VLANs in our data centers.
We probably have more than one environment: DC, DMZ and maybe more.
We track the VLANs in an Excel spreadsheet or an IPAM.
We want to add a VLAN:
- SSH to each network device
- create the VLAN, name it
- allow it on the trunks, and on the access ports
- Check that nothing breaks
- Document the change
The IaC way:
- Add the VLAN to the VLAN DB and choose its environment.
- Deploy the change to a test environment, fire automatic tests.
- Deploy the change to production, fire automatic tests.
- Automatic documentation.
- If the deployment fails, roll back to the previous version.
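To make the "IaC way" concrete, here is an added example (my own illustration, not code from the original post or from Ansible/NAPALM): a VLAN DB, the pre-deployment tests that run against it, per-device config rendering from an inventory, and a deployment step that rolls back when the post-deployment check fails. The VLAN DB, the inventory, the device names and the in-memory "device state" are all constructed for the example, and the push is simulated rather than sent to a real switch.

```python
"""Toy 'IaC way' for VLANs: VLAN DB -> tests -> rendered config -> deploy with rollback.

Added example for illustration, not code from the original post. Device names,
VLAN IDs, the inventory and the simulated device state are all constructed; the
rendered syntax is IOS-like, and the 'push' only updates an in-memory dict.
"""
import copy
import re

# Constructed VLAN DB (in practice a YAML/JSON file kept under Git).
VLAN_DB = [
    {"id": 10, "name": "SERVERS", "environment": "DC"},
    {"id": 20, "name": "STORAGE", "environment": "DC"},
    {"id": 100, "name": "WEB_DMZ", "environment": "DMZ"},
]

# Constructed inventory: each device's environment and its trunk interfaces.
INVENTORY = {
    "dc-sw1": {"environment": "DC", "trunks": ["Ethernet1", "Ethernet2"]},
    "dc-sw2": {"environment": "DC", "trunks": ["Ethernet1"]},
    "dmz-sw1": {"environment": "DMZ", "trunks": ["Ethernet1"]},
}

ENVIRONMENTS = {"DC", "DMZ"}
VLAN_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")  # assumed naming policy


def validate_vlan_db(db):
    """Pre-deployment tests. Returns a list of problems; an empty list means OK."""
    problems = []
    seen_ids, seen_names = set(), set()
    for v in db:
        vid, name, env = v.get("id"), v.get("name", ""), v.get("environment")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            problems.append(f"vlan {vid!r}: id must be an integer in 1-4094")
        if vid in seen_ids:
            problems.append(f"vlan {vid}: duplicate id")
        if not VLAN_NAME_RE.match(name):
            problems.append(f"vlan {vid}: bad name {name!r} (A-Z, 0-9 and _ only)")
        if name in seen_names:
            problems.append(f"vlan {vid}: duplicate name {name!r}")
        if env not in ENVIRONMENTS:
            problems.append(f"vlan {vid}: unknown environment {env!r}")
        seen_ids.add(vid)
        seen_names.add(name)
    return problems


def desired_vlans(device, inventory, db):
    """The VLANs a device should carry: those tagged with the device's environment."""
    env = inventory[device]["environment"]
    return sorted((v for v in db if v["environment"] == env), key=lambda v: v["id"])


def render_config(device, inventory, db):
    """Render an IOS-like config snippet for one device straight from the DB.
    The rendered file is the 'automatic documentation' that gets reviewed in Git."""
    vlans = desired_vlans(device, inventory, db)
    lines = []
    for v in vlans:
        lines += [f"vlan {v['id']}", f" name {v['name']}"]
    allowed = ",".join(str(v["id"]) for v in vlans)
    for intf in inventory[device]["trunks"]:
        lines += [f"interface {intf}", f" switchport trunk allowed vlan add {allowed}"]
    return "\n".join(lines) + "\n"


def deploy_with_rollback(state, device, inventory, db, post_check):
    """Simulated push. `state` maps device -> set of VLAN ids (the running config).
    The new state is only kept if post_check(device, new_state) passes; otherwise
    the previous state is returned untouched (the rollback). Returns (ok, state)."""
    new_state = copy.deepcopy(state)
    new_state[device] = {v["id"] for v in desired_vlans(device, inventory, db)}
    if post_check(device, new_state):
        return True, new_state
    return False, state


if __name__ == "__main__":
    problems = validate_vlan_db(VLAN_DB)
    if problems:
        raise SystemExit("\n".join(problems))  # fail the pipeline before any push
    print(render_config("dc-sw1", INVENTORY, VLAN_DB))
    state = {d: set() for d in INVENTORY}
    ok, state = deploy_with_rollback(
        state, "dc-sw1", INVENTORY, VLAN_DB,
        lambda d, s: s[d] == {v["id"] for v in desired_vlans(d, INVENTORY, VLAN_DB)})
    print("deployed" if ok else "rolled back", state)
```

Against a real device the rendered snippet would be handed to the configuration tool instead of an in-memory dict; with NAPALM that is the load_merge_candidate, compare_config (the diff you attach to the change record) and commit_config sequence, with discard_config or a rollback to the previous configuration when the post-deployment test fails.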
Does it mean we need to be programmers?
No. You need basic programming skills (for loops, ifs etc.), but you don't need deep programming knowledge; what you need is to learn how to work with new tools.
Tools, skills and concepts
We need to create an inventory containing all the assets we manage and their properties (built into most tools); it can be integrated with an existing inventory management system (SolarWinds, Prime etc.).
We need a configuration management system that will push the changes to the assets. I'm using Ansible, but there are others like Chef, Puppet and more.
An orchestrator is more advanced: it enforces the state of the devices, pushes the configuration, reacts to changes in the state and more. Salt is an example.
You will need a repository for code review, keeping track of changes etc. I will use Git.
I will use an additional tool called NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support).
There are more tools, but I think those are the most basic ones.
“We don’t have an API”
A lot of the time network engineers tell me that it's all good, but the infrastructure isn't ready for it because the network devices don't support APIs. Most of the tools are capable of working with network devices over SSH; it's less optimal, but it works.
“We don’t have a budget for the tools”
There are a lot of open-source tools you can work with, and they work just as well; you probably just won't have a fancy GUI. For example you can use Ansible rather than Ansible Tower, or Salt without the commercial SaltStack product etc.
Continue learning with me; the next post starts with Git.
There is also an open-source version of Ansible Tower called AWX, so you can have a fancy GUI for Ansible for free.