Introduction
Network automation has evolved from a nice-to-have to an essential skill for modern network engineers. As networks grow more complexโwith cloud infrastructure, distributed architectures, and rapid changesโmanual configuration simply cannot keep pace.
Ansible and Terraform have emerged as the leading tools for network automation. Ansible excels at configuration management and task automation. Terraform provides infrastructure provisioning and state management. Together, they address the full spectrum of network automation needs.
This comprehensive guide explores network automation with Ansible and Terraform in depth: core concepts, implementation strategies, practical examples, and best practices. Whether you’re beginning your automation journey or looking to deepen your expertise, this guide provides essential knowledge.
Understanding Network Automation
Why Automate Networks?
Network automation addresses several challenges that manual operations cannot.
Speed and consistency enable rapid deployment and modification of network configurations. What takes hours manually can be accomplished in minutes automatically.
Reduced errors eliminate configuration drift and mistakes that occur with manual changes. Automated configurations are repeatable and version-controlled.
Improved documentation serves as documentation by default. Automation code describes the intended state, providing clear documentation.
Faster troubleshooting enables rapid deployment of known-good configurations. When issues occur, automated rollback restores services quickly.
Types of Network Automation
Network automation spans several categories.
Configuration management maintains consistent configurations across devices. It ensures all devices match the intended state.
Provisioning creates new network resourcesโVLANs, interfaces, VRFsโautomatically.
Compliance verification checks configurations against defined policies, identifying drift and violations.
Orchestration coordinates complex workflows across multiple systems and teams.
Ansible for Network Automation
Ansible Fundamentals
Ansible is an automation engine that uses YAML-based playbooks to define desired states. It connects to devices and executes tasks to achieve the desired configuration.
Ansible operates agentlesslyโdevices don’t require Ansible software installed. It uses SSH (or other connection methods) to communicate with network devices.
The key components include: inventory (defining managed devices), modules (executing specific tasks), playbooks (defining automation workflows), and variables (parameterizing configurations).
Network-Specific Ansible Modules
Ansible provides numerous network modules for various vendors and platforms.
Cisco IOS modules include ios_config, ios_command, and ios_facts for IOS and IOS XE devices.
Juniper Junos modules use junos_config and junos_command for Junos devices.
Aruba, F5, Palo Alto, and others have dedicated modules.
Generic modules like netconf and cli_command provide vendor-agnostic options.
Ansible Playbook Example
---
- name: Configure Network Devices
hosts: switches
gather_facts: no
connection: network_cli
vars:
dns_servers:
- 8.8.8.8
- 8.8.4.4
ntp_servers:
- 10.1.1.1
- 10.1.1.2
tasks:
- name: Configure hostname
ios_config:
lines:
- hostname {{ inventory_hostname }}
parent: global
- name: Configure DNS servers
ios_config:
lines:
- ip name-server {{ item }}
parents: ip name-server
loop: "{{ dns_servers }}"
- name: Configure NTP servers
ios_config:
lines:
- ntp server {{ item }}
loop: "{{ ntp_servers }}"
- name: Configure management interface
ios_config:
lines:
- ip address {{ mgmt_ip }} {{ mgmt_mask }}
parents: interface GigabitEthernet0/0
Ansible Tower and AWX
Ansible Tower (Red Hat’s commercial offering) and AWX (the open-source upstream) provide enterprise features: role-based access control, job scheduling, and graphical interface.
These platforms enable: credential management (securely storing passwords and keys), workflow orchestration (coordinating multiple playbooks), and audit trails (tracking who changed what).
Terraform for Network Automation
Terraform Fundamentals
Terraform is an infrastructure as code tool that creates, modifies, and destroys infrastructure resources. Unlike Ansible’s configuration management, Terraform focuses on provisioning.
Terraform uses a declarative language called HCL (HashiCorp Configuration Language). You define the desired state, and Terraform determines what actions to achieve that state.
The key concepts include: providers (interfaces to APIs), resources (infrastructure components), data sources (read-only information), and state (tracking managed resources).
Network Providers
Terraform supports numerous network platforms through providers.
AWS network resources include VPCs, subnets, security groups, and route tables.
Azure network resources include virtual networks, network security groups, and Azure Firewall.
GCP network resources include VPC networks, firewall rules, and cloud routers.
Vendor-specific providers support Cisco, Juniper, F5, and others.
Terraform Configuration Example
# Provider configuration
provider "aws" {
region = "us-east-1"
}
# VPC resource
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "main-vpc"
}
}
# Subnet resources
resource "aws_subnet" "public_1" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
availability_zone = "us-east-1a"
map_public_ip_on_launch = true
tags = {
Name = "public-subnet-1"
}
}
resource "aws_subnet" "private_1" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.10.0/24"
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
}
}
# Internet Gateway
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = {
Name = "main-igw"
}
}
# Route Table
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = {
Name = "public-route-table"
}
}
resource "aws_route_table_association" "public_1" {
subnet_id = aws_subnet.public_1.id
route_table_id = aws_route_table.public.id
}
Terraform State
Terraform maintains state to track managed resources. This state maps real-world resources to your configuration.
Local state stores state in a file. Remote state stores state in a remote backend like S3, which enables team collaboration.
State management is critical. Consider: enabling state locking to prevent concurrent modifications, using remote state for team environments, and backing up state files for disaster recovery.
Combining Ansible and Terraform
Complementary Use Cases
Ansible and Terraform address different automation needs and work well together.
Terraform provisions infrastructure. Ansible configures operating systems and applications.
Common patterns include: Terraform creates network resources; Ansible applies detailed configuration.
The workflow typically involves: Terraform deploys network components, then Ansible configures devices.
Integration Approaches
Several approaches integrate Ansible and Terraform.
Terraform’s local-exec provisioner runs Ansible after resource creation.
Terraform output passes data to Ansible through inventory generation.
Ansible calls Terraform through the ansible-tower or manually-triggered workflows.
Example Workflow
# Terraform main.tf (excerpt)
output "switch_ips" {
value = [for s in aws_instance.switch : s.private_ip]
}
# Ansible inventory template
[switches]
{% for ip in switch_ips %}
{{ ip }}
{% endfor %}
Implementation Best Practices
Version Control
Store all automation code in version control. This provides: change history, code review capabilities, and rollback support.
Git is the standard choice. GitHub, GitLab, or Bitbucket provide collaboration features.
Modular Design
Create reusable components rather than one-off scripts.
Ansible roles encapsulate related tasks, handlers, and variables. Terraform modules group related resources.
This approach enables: easier testing, simpler debugging, and faster development.
Testing
Test automation before production deployment.
Ansible linting validates playbook syntax and best practices. Molecule tests Ansible roles against different environments.
Terraform validate checks configuration syntax. terraform plan previews changes before applying.
Secrets Management
Never store credentials in code. Use secrets management solutions.
Ansible Vault encrypts sensitive data within playbooks.
HashiCorp Vault integrates with both Ansible and Terraform.
Cloud provider secrets services (AWS Secrets Manager, Azure Key Vault) work with respective Terraform providers.
Documentation
Document automation code and processes.
README files explain what automation does and how to use it.
Inline comments explain complex logic.
Runbooks document manual procedures for automation failures.
Network Automation Patterns
Zero-Touch Provisioning
Zero-touch provisioning (ZTP) automates device deployment from initial power-on.
The typical flow includes: device boots with ZTP, retrieves configuration from network server, applies configuration automatically, registers with management platform.
Ansible and Terraform can provide the configuration that ZTP retrieves.
Configuration Backup
Automated configuration backup ensures you can recover from failures.
Ansible playbook example:
---
- name: Backup Network Configurations
hosts: all
gather_facts: no
connection: network_cli
tasks:
- name: Backup running config
ios_config:
backup: yes
register: backup
- name: Save to centralized location
copy:
content: "{{ backup.backup_file }}"
dest: "/backup/{{ inventory_hostname }}-{{ '%Y%m%d'|strftime }}.cfg"
Compliance Automation
Automated compliance checking identifies drift from desired state.
Ansible can query device configurations and compare against policy. Results generate reports for review.
Common compliance checks include: password policy enforcement, unused accounts, and permitted services.
Challenges and Considerations
Learning Curve
Ansible and Terraform require new skills for network engineers. Plan for training and practice time.
Start with simple automations and expand gradually. Don’t try to automate everything at once.
Network-Specific Challenges
Network devices have unique considerations.
Vendor differences mean modules vary between platforms. Plan for platform-specific code.
Some network devices have limited API capabilities. Ansible may need to use CLI commands.
Network testing is complex. Validate automation in lab environments before production.
State Management
Terraform state must be carefully managed. State drift can cause unexpected changes.
Use remote state for production. Enable state locking. Carefully review terraform plan output.
The Future of Network Automation
AI and Machine Learning
AI is beginning to influence network automation. Areas include: anomaly detection in network behavior, automated troubleshooting recommendations, and predictive capacity planning.
Network engineers will increasingly work with AI-assisted tools rather than manual configuration.
Intent-Based Networking
Intent-based networking (IBN) defines desired outcomes, with systems implementing and enforcing those intentions.
Ansible and Terraform align with IBN principles. They define desired states that the system achieves.
GitOps for Networks
GitOps applies Git-based workflows to infrastructure management. Changes are made through pull requests, reviewed, and automatically applied.
This approach brings software development practices to network operations.
External Resources
- Ansible Network Automation - Official Ansible docs
- Terraform Registry - Provider documentation
- Ansible Galaxy - Community roles and modules
- HashiCorp Learn - Terraform tutorials
Conclusion
Network automation with Ansible and Terraform addresses the challenges of modern network operations. These tools enable speed, consistency, and reliability that manual processes cannot match.
Ansible excels at configuration management and task automation. Terraform provides infrastructure provisioning and state management. Together, they cover the full automation spectrum.
Implementation requires planning, skill development, and incremental adoption. Start with simple automations, build expertise, and expand gradually.
The future of network engineering increasingly involves automation skills. Developing these capabilities prepares you for the evolution of the profession.
Invest in automation nowโyour future self will thank you.
Comments