IPAM-As-Code

IP Address Management (IPAM) is often considered a necessary evil by most IT and Operations Engineers. Every time a new virtual instance in the cloud or on prem is instantiated, or an old fashioned server is deployed, both an IP address and DNS name need to be assigned...every time. Of course, the assigned IP address must be unique at least within a given routing domain, and the DNS name must be uniquely resolvable to enable users and other machines to connect with it. Beyond their respective uniqueness requirements, these core configuration elements must also be relevant to their respective deployment realms, such as subnet and DNS domain, so just any old assignment won't do. In addition, with the speed of today's business demanding a highly dynamic rate of change in creating, realigning or destroying virtual instances across a multi-cloud network, the assignment process must be always available and instantly responsive to not impede your business velocity.

While assigning IP addresses and DNS names using manual methods such as spreadsheets is doable albeit cumbersome if not error-prone when addressing the first two requirements for uniqueness and context, they collapse under the third requirement for highly available and highly responsive assignment performance. An automated IP and DNS assignment process is needed with the ability to modularly plug into your IT and Operations flows to successfully meet this third requirement, not to mention the first two. Clearly a performant, scalable API-driven solution with a reliable repository is required to fortify your infrastructure-as-code approach, supplying IPAM-as-code capabilities. 

When using terraform, Ansible, Service Now or any infrastructure or provisioning system, the incorporation of the IP and DNS assignments eliminates the manual process of consulting a spreadsheet or even non-integrated IPAM repository. These systems can request an IP and DNS assignment during flow execution by invoking your IPAM system's API, virtually obscuring your IPAM system to the joy of most IT and Operations Engineers! Finally, no more IPAM! 

Well, not so fast. While the mundane process of manual assignment vanishes, you'll still require visibility and some controls. You'll need to be able to track assignments and to assure adequate addressing capacity for each of your addressing domains. For example, you may need to manage assignments and capacity across multiple public cloud services, internal data centers, branch offices, SDWAN-connected sites, and remote and home workers. With a comprehensive IPAM solution you can maintain a cross-domain perspective spanning these diverse network environments through a single pane of glass, all while evanescing during the provisioning process.

IPControl from Diamond IP is a performant, scalable, REST API-driven solution with a reliable repository and a pervasive perspective to enable you to plug into any programmable API environment for automation, while providing comprehensive IP and DNS visibility. Diamond IP solutions offer the broadest, most flexible IPAM solutions, from enabling IPAM-as-code as highlighted here, to IPAM-as-service with our managed services and everywhere in between as well as extensive DNS security solutions. Please contact me to learn more about how to make your IPAM disappear!

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue.
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned
Read more