Automating Cloud IPAM by Example

Automation is a hot topic within IT organizations these days, as well it should be. Automation offers tangible benefits in terms of reducing costs, increasing agility, diminishing manual efforts and minimizing human errors while performing a process. I recommend considering IP address management (IPAM) tasks within your automation design as I proposed in a prior post, given IPAM's tentacles menacingly reaching into virtually every IP device initialization, movement or decommissioning process. But how does one go about designing automation?

Consider that you can automate a process if it consists of a repeatable set of discrete tasks required to perform a function or unit of work. Some tasks may be performed in parallel with others and most tasks require input values provided by or derived from prior tasks to begin. Documenting the tasks required and the sequence or flow of tasks, i.e., as a workflow or flowchart, is a prescribed first step. Once you've laid out the basic flow, identify which organization and systems are responsible for performing, approving and tracking each task. Then determine the set of information required to execute a given task within the flow. Of course this information must be either produced during the execution of the flow or provided as input parameters to the overall flow, so be sure to tabulate the source for each task's input parameters.

In general, the more tasks, management systems and organizations involved within the workflow, the more complex it is. Sometimes in documenting a flow, one may notice a more expeditious sequence of tasks, which affords a potential side benefit to documenting your processes. Complexity generally results in a longer time to complete the overall workflow and a greater need for overall process coordination. This is especially true when task hand-offs between organizations or process owners within the overall workflow are required. In many cases, these hand-offs have traditionally been conducted manually, communicated via phone, email, or process review meetings as necessary. These forms of communications are typically ad hoc in nature and add additional time and variability to the defined tasks within the workflow, so it's advisable if possible to attain approval from involved parties to the extent possible before initiating the overall workflow to eliminate interruptions and delays.

 Let's consider a simple workflow example to illustrate these concepts: I'd like to automate the provisioning of a subnet from my private address space to my virtual private cloud (VPC) with my public cloud service. Since I'm provisioning a subnet from my own private address space, my IPAM system should be authoritative for the assigned subnet. (This is unlike the case when I instantiate a virtual machine, where typically the cloud service is authoritative for address assignment. The point is to maintain flexibility in defining your workflows). So my basic subnet provisioning flow comprises checking my IPAM system for an available subnet relevant to my address plan, allocating the subnet within my VPC using my cloud provider's console, then synchronizing any cross-referential information such as cloud-assigned metadata for the subnet back in my IPAM system. Sounds simple enough.

Next, let's drill down one layer and map out these steps along with inputs and outputs as illustrated in the figure below. To begin the process, I need to know where within my VPC I need to provision a subnet and of what type (IPv4/IPv6) and CIDR size. I can login to my IPAM system and determine what subnet block(s) is/are available depending on how your IPAM system represents your cloud address space, e.g., by availability zone (AZ) for AWS. Most Diamond IP customers represent VPCs and AZs (and analogous cloud system structures for other cloud providers) using containers within our IPAM system, IPControl. Navigate to the given container for example and simply click the add child block menu to allocate a block of the desired type and size automatically, or enter the subnet address manually (though this blog is all about automation!).



Once you've identified and reserved the automatically-allocated subnet address, you can swivel to your cloud console and provision the subnet of the given address within the corresponding cloud structure. The cloud system may assign a subnet ID and other meta data for the subnet, so it's a good idea to track this in your IPAM system for cross-referencing purposes. So you can log back into your IPAM system and update the subnet information. The process then completes with the successful provisioning of a subnet of the desired type and size within the cloud system, all tracked in your IPAM system.

Now that we've mapped out the basic process, another pass with an added layer of detail is likely required to specify individual parameters mapping to system-supported API calls for each step. Once you've documented your workflow to this level, you need to define how to orchestrate the flow, accepting outputs from one system, mapping them into and adding parameters for calls into the next. 

At Diamond IP, we recognize the benefits automation brings, particularly with setting the foundation of your services with IPAM. We can help you automate and orchestrate your IPAM related workflows using our Cloud Automation Appliance's (CAA's) drag-and-drop graphical user interface based on NodeRed. We supply primitives for our API calls as well as those for several public cloud providers that you can drag onto your workflow palette to define your own flows specific to your particular processes. 

You can also install published NodeRed modules to incorporate interfaces and interactions with other systems to expand your automation to other critical IT systems and functions. You can even incorporate base flows into broader flows, automating more complex multi-system flows. This code reuse saves time in creating flows, provides consistency in how flows perform given actions, and reduces maintenance by retaining a single place to apply fixes.

This figure represents our simple cloud subnet allocation flow example as managed using our CAA. As you can see, the graphical flow interface maps to our earlier flowchart and is relatively easy to digest, edit, and communicate. We supply several API primitives natively for our IPControl IPAM system as well as for other cloud systems, and  we also supply a set of sample workflows you can tweak to your desired flows. Please contact us for a free demo and to learn more.

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue.
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned
Read more