Infrastructure as code, or IaC, uses automated control scripts to configure, manage and monitor software infrastructure. The scripts are stored in a software code repository, like Git. Automated processes check out the scripts and execute them to create an entire application infrastructure efficiently without manual intervention.
IaC is best implemented in environments where the underlying physical infrastructure is standardized. Adding automated tests enables changes to applications and supporting infrastructure to be easily tested before applying those changes to the production environment. This process is typically known as continuous integration and continuous deployment. It significantly reduces the risk of deploying a defective application update.
What is network infrastructure as code?
IaC for networking involves similar methods to create and maintain the physical (underlay) and virtual (overlay) networks. A network configuration repository, like Git, houses the configuration templates and variables. Automation tools are triggered when the repository changes. The resulting automations check out the new configuration definitions, perform variable replacement and deploy the updated configurations. This is more complex than having a few simple scripts that perform basic automation tasks, so teams should anticipate the effort that will be required.
Adopting network IaC is simpler when the network uses a standardized physical and virtual network. The ideal approach creates a few building-block network segments, like a branch site, data center pod, internet access block, office Wi-Fi segment, etc. The building blocks are interconnected using well-defined interfaces, or links.
This building-block approach has many benefits, such as the following:
- reduced variability;
- easier to create test environments;
- repeatable monitoring and troubleshooting;
- well-defined bill of materials; and
- most importantly, a consistent configuration.
Network teams can certainly develop a full network IaC implementation from scratch, using tools like Python and Ansible, but that's not necessary. The alternative is to use a commercial network configuration automation product's APIs to simplify the effort. Keep in mind that the API approach is essential for integrating multiple controller-based systems used for things like software-defined WAN, data centers, Wi-Fi, security and IP address management.
Network continuous integration and continuous deployment
The ultimate IaC implementation employs a fully automated continuous integration and continuous deployment process. In the software and application world, this process is generally straightforward: Fire up multiple application VMs and some test clients, and run through a set of automated tests. If the tests pass, deploy the application into production.
The networking world often needs physical hardware that includes specific features not available in virtual implementations. Building physical test labs containing this hardware is time-consuming and expensive. Generating test traffic is a challenge, as is creating tests to guarantee the network's correct operation when pushing the configuration updates into the production network. Using standard building-block designs helps mitigate these challenges.
Adopting network infrastructure as code
Most organizations can easily achieve the technical process of adopting network IaC. The real challenge, however, is the culture change. The organization must accept that, in some cases, a site implementation may use a building-block design that's more expensive than a nonstandard option. The reductions in operational cost and risk invariably cover the expense.
Network teams must adopt an IaC mindset that all network changes go through the defined deployment process and that manual changes to the network are not permitted. Network validation tests become absolutely critical to the success of the initiative, and it can be challenging to create sufficiently comprehensive tests.
Note that creating the changes and identifying the test parameters are functions an existing network engineer traditionally performs. The automation element can be provided by commercial products or by an IaC software development team; not everyone needs to have software development skills.
Benefits of infrastructure as code for networks
Adopting network IaC has numerous benefits, including the following:
- Track changes. It's easy to track infrastructure changes because they're made in network configuration templates and variables. This makes it easy to identify and revert a failed configuration change.
- Deploy small changes regularly. An automated process with validation testing makes it easy to deploy small changes on a regular basis. Teams avoid big maintenance windows that incorporate multiple configuration changes, some of which may interact with one another.
- Overall ease. Smaller changes are much easier to understand, easier to automate, easier to test and have fewer side effects.
- Fewer errors. Network IaC eliminates manual processes and corresponding human errors.
- Pre-change state validation. Unit tests validate the pre-change network state, preventing a change from being applied if the network isn't performing as expected.
- Post-change state verification. Unit tests verify that the network's operational state is correct after the change is deployed.
- Test environments. When continuous integration and continuous deployment processes are used, the proposed change is validated in a test environment prior to being deployed into the production network, significantly reducing the risk of a bad change.
The ultimate benefit of network IaC is to the business. First, it significantly reduces the risk of network configuration changes. It also supports Agile business processes that provide the business with a competitive advantage.