
Ansible & DDI Automation: Connecting Compute and Network Teams

November 24, 2021 | Written by: Surinder Paul

Ansible as a solid automation foundation

Ansible is great open source software for installing and configuring server fleets. When Ansible can exchange data with a DDI solution (DNS, DHCP and IPAM), compute teams can use automation to keep the global repository up to date and draw on it for all the valuable data in the IP plan and its associated metadata. This collaboration between DDI and Ansible increases the automation of compute resources and helps ops teams globally to better serve their customers.

Complementary to Terraform, which is very good at infrastructure as code, Ansible excels in configuration management and can keep a large number of servers up to date so that they run a coherent configuration set (e.g. performing upgrades, applying patches, changing global security parameters). More recently, Ansible has been extended to perform configuration actions on specific devices such as networking components. Most of the time, Ansible playbooks have to use and manipulate IP information such as subnets, addresses and DNS records. This can potentially be done using separate repositories, but when you need to manage a large set of assets it is recommended to use a central IP repository which can act as the “source of truth”.

Ansible and DDI for better automation and visibility

The concept of a Network Source of Truth is well supported by the DDI solution, provided that it can be easily integrated through an API and can make extensive use of actionable metadata. Since Ansible is now able to manage not only servers but also a vast variety of networking and security components using their APIs, it makes sense for the DDI central repository to be included in the global configuration process. This is the purpose of the Ansible collection for EfficientIP SOLIDserver. The collection is now offered as an open source module that anyone may use, improve and fix whenever required.

The current module covers the management of IP addresses within the IPAM, for both IPv4 and IPv6. You can therefore create, list, change and delete IP addresses and take advantage of DDI automation to maintain the DNS records related to the modified networks. An IP address can be created in the IPAM before a server is started, in which case the reserved address is then assigned to the server. The action can also be performed after the server has been created, in order to reflect the IP address the server uses. The first approach eases organization of the IP plan through the use of subnets and pools from which the network objects are correctly picked. Provisioning the IP plan in the IPAM is performed in advance as part of overall planning and eases all future deployments.

The Ansible Collection is currently in the process of being integrated as a default component of the Ansible product. In the meantime, we make it accessible to anyone directly on our repository.

Some examples

Here are a few examples of the Ansible playbook syntax that can be used to exchange data with the SOLIDserver. Using or updating the IPAM generally requires adding just one simple task to an existing playbook.

Example 1: ask the IPAM for a free IP address that would be later assigned to a server

The main use case for such a playbook is to ask the IPAM for a free IP address that will afterwards be assigned to a server (started in a cloud environment, for example).

- name: add dynamic IP address in the IPAM
  community.efficientip.solidserver_ipam_ip:
    space: Local
    subnet: 192.168.16.0/23
    pool_name: test-servers
    hostname: test-crm-db-secondary
    ip: dynamic                 # let the IPAM pick a free address in the pool
    class_parameters:           # metadata attached to the address
      ticket: 9245
      app: crm
      owner: qa-john
    update: true
    state: present
    provider: "{{ solidserver }}"

Here we specify both the IPAM space (Local) and the network subnet (192.168.16.0/23) in which we would like to have the IP address, as well as the pool (test-servers) used to organize the IP plan. A pool is a subset of a network range that does not need to be aligned to a power of 2. It is very useful for organizing a single network structure, and even more so in a template applied to multiple networks.

You can also see that we asked for some metadata (ticket, owner and app) to be applied to the requested IP address. That eases filtering and searching in the IPAM afterwards. As with any task executed in an Ansible playbook, we can extract valuable information from the result for use in the following tasks. In this case we would extract the IP address associated with this resource (test-crm-db-secondary).

Example 2: create a static IP address & update the inventory

In this scenario, the Ansible playbook has performed some tasks to create an instance in a specific cloud, and this instance has been associated with an IP address. The purpose of this task is to update the IPAM accordingly so that the information is recorded.

- name: add IP address 192.168.1.4 to the IPAM
  community.efficientip.solidserver_ipam_ip:
    space: Local
    subnet: 192.168.1.0/24
    hostname: test-crm-fo
    ip: 192.168.1.4             # address already known from a previous task
    class_parameters:
      ticket: 9245
      app: crm
      owner: qa-john
    update: true                # update the entry if it already exists
    state: present
    provider: "{{ solidserver }}"

Here, the address is known from another process or Ansible task and we directly ask for the creation of the IP address (192.168.1.4) in the IPAM with the specific metadata (given in the class_parameters section). We specify the space and the subnet, since there can be multiple independent spaces with the same IP plan and multiple nested subnets that may contain the specified IP address. Setting the update parameter to true allows the IP address to be updated if it is already present in the IPAM. That means we can have multiple tasks in the same playbook acting on the same object without any issue.
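The playbook below is an added example, not taken from the EfficientIP collection: it checks that a static address really belongs to the declared subnet before the IPAM is updated, then registers the module result so later tasks can use it, as described for Examples 1 and 2. The ansible.utils.ipaddr filter (which needs the netaddr Python library), the vault.yml file name and the ipam_subnet / instance_ip variables are assumptions of this example.

```yaml
# Added example: guard a static IPAM registration (not the collection's own code).
# Assumptions: the ansible.utils collection and the netaddr Python library are
# installed; "solidserver" is defined in a vault-encrypted vars file whose name
# (vault.yml) is hypothetical; ipam_subnet / instance_ip are illustrative names.
- name: record a cloud instance in the IPAM with a pre-flight check
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault.yml                  # hypothetical file, encrypted with ansible-vault
  vars:
    ipam_subnet: 192.168.1.0/24
    instance_ip: 192.168.1.4     # constructed sample; normally set by a prior task
  tasks:
    - name: refuse addresses that are invalid or outside the declared subnet
      ansible.builtin.assert:
        that:
          # ipaddr returns the address when it is inside the network, else false
          - (instance_ip | ansible.utils.ipaddr(ipam_subnet)) is truthy
        fail_msg: "{{ instance_ip }} is not inside {{ ipam_subnet }}; IPAM not updated"

    - name: add the validated IP address to the IPAM
      community.efficientip.solidserver_ipam_ip:
        space: Local
        subnet: "{{ ipam_subnet }}"
        hostname: test-crm-fo
        ip: "{{ instance_ip }}"
        class_parameters:
          ticket: 9245
          app: crm
          owner: qa-john
        update: true
        state: present
        provider: "{{ solidserver }}"
      register: ipam_result

    - name: show what the module returned before relying on any field
      ansible.builtin.debug:
        var: ipam_result
```

Keeping the provider credentials in a vault-encrypted file keeps them out of the playbook and the repository; the debug task prints the whole registered structure, so no particular return field of the module is assumed.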

Example 3: delete an IP address, updating the DDI repository

Deleting the resource from the IPAM is a very important task to perform at the same time as the compute instance is actually decommissioned. This keeps the repository accurate and allows resources to be reused if needed.

- name: delete IP address 192.168.1.4 from the IPAM
  community.efficientip.solidserver_ipam_ip:
    space: Local
    subnet: 192.168.1.0/24
    hostname: test-crm-fo
    ip: 192.168.1.4
    state: absent               # remove the entry if it exists
    provider: "{{ solidserver }}"

To remove an IP address (or any other information) from the IPAM, we just need to set the state field of the corresponding task to “absent”. If the information is found in the IPAM, it will be deleted. If it is not present, nothing will be done.

These simple examples have been extracted from the source repository, where you can find the Ansible collection for EfficientIP SOLIDserver. We will add new ones each time we add a new feature to the module.

Why use EfficientIP DDI together with Ansible?

Ansible has some interesting features and offers a lot as an automation and configuration management tool. Plugging it into EfficientIP’s DDI solution helps all IT teams to better understand what has been deployed, how it is configured (thanks to extensible metadata) and how the IP network is being used. Adding a simple task to a playbook is not complex and is therefore very easy for compute teams to do. It can indirectly serve the global automation of many other teams’ tooling systems where the IP address is a key, such as a SIEM or a security solution, thanks to event automation and the easy integration of the SOLIDserver with its ecosystem.

In general, using Ansible with IPAM tasks included will provide:

  • better sharing of information between server and network teams for their respective operations
  • automatic management of DNS records attached to IP addresses, including aliases, thanks to internal DDI automation between the IPAM and DNS
  • an accurate IPAM repository for many reporting and automated tasks: all other IT tools connected to the DDI repository can be informed through event notification or browse the information in the listing (inventory, control, security information)
  • easy ticket information enhancement for AIOps and SIEM tools relying on an accurate repository of IP information, especially in environments with extremely dynamic compute resources
