Network Infrastructure as Code: Terraform, Ansible, GitOps and CI/CD for Network
Infrastructure as Code (IaC) for networks replaces manual CLI configuration with declarative, version-controlled, automated workflows. Terraform manages network resources declaratively, Ansible provides agentless configuration management, GitOps makes Git the single source of truth, and CI/CD pipelines test and deploy network changes automatically.

Manual network configuration has the same recurring problems: configuration drift, human error, no audit trail, and painful rollback. IaC addresses each of them: the configuration lives in code (version controlled), is deployed through a pipeline (tested and automated), is reviewed before deployment (peer review), and is straightforward to roll back (git revert). The result is consistent, reliable, auditable network operations.
IaC Approaches

| Approach | Description | Tools |
|---|---|---|
| Declarative | Define the desired state; the tool works out how to reach it (what, not how) | Terraform, Ansible (partially), Nornir |
| Imperative | Define the steps to perform (how to do it, step by step) | Python scripts, Expect scripts |
| Idempotent | A property rather than a separate approach: running the same code repeatedly produces the same result (no duplicated changes) | Terraform, Ansible (most modules) |
Terraform for Network

| Feature | Details |
|---|---|
| What it is | Declarative IaC tool that manages infrastructure through HCL (HashiCorp Configuration Language) |
| State | The state file (.tfstate) records the last known state; Terraform compares it with the desired state to plan changes. State holds resource attributes in plaintext, secrets included, so keep it in an access-controlled remote backend, never in the Git repository |
| Plan | terraform plan shows the changes before anything is applied (preview what will change) |
| Apply | terraform apply performs the changes (create/update/delete resources) |
| Providers | Network providers: Cisco (ACI, IOS-XE), Palo Alto, Juniper, F5, AWS, Azure |
| Modules | Reusable code blocks (e.g., VLAN module, BGP module, firewall rule module) |
| Import | Import existing resources into state (brownfield adoption) |
Terraform Network Use Cases

| Use Case | Provider | Resources |
|---|---|---|
| Cloud Networking | aws, azurerm, google | VPC, subnets, security groups, load balancers, VPN |
| Data Center | aci (Cisco ACI) | Tenants, VRFs, BDs, EPGs, contracts |
| Firewall | panos (Palo Alto) | Security policies, NAT rules, address objects |
| Load Balancer | bigip (F5) | Virtual servers, pools, monitors, profiles |
| DNS | cloudflare, route53 | DNS zones, records, page rules |
Ansible for Network

| Feature | Details |
|---|---|
| What it is | Agentless automation tool that uses SSH/NETCONF/APIs for configuration management |
| Agentless | No agent to install on network devices (uses SSH/NETCONF) |
| Playbooks | YAML files that define tasks (what to do, on which devices) |
| Inventory | List of devices (hosts, groups, variables) |
| Modules | Network modules: ios_config, nxos_config, junos_config, eos_config, vyos_config |
| Collections | cisco.ios, arista.eos, junipernetworks.junos, paloaltonetworks.panos |
| Roles | Reusable task bundles (e.g., role: base_config, role: bgp_peer) |
| Vault | Encrypts sensitive data (passwords, API keys) used by playbooks; the vault password itself still has to reach the pipeline from a secrets store, never from the repository |
Terraform vs Ansible

| Feature | Terraform | Ansible |
|---|---|---|
| Approach | Declarative (desired state) | Procedural + declarative (mix) |
| State | State file (knows the current state) | Stateless (checks the device on each run) |
| Best for | Resource lifecycle (create/update/delete) | Configuration management (push config) |
| Network use | Cloud networking, ACI, firewall policies | Device configuration (IOS, NX-OS, EOS) |
| Language | HCL | YAML |
| Idempotent | Always (state-based) | Module-dependent (most modules are) |

Combined: Terraform provisions the infrastructure, then Ansible configures the devices; the two are complementary.
GitOps for Network

| Principle | Details |
|---|---|
| Git = source of truth | Every network config lives in the Git repository (desired state) |
| Pull requests | Every change goes through a PR: peer review → approve → merge |
| Automated deploy | Merge → CI/CD pipeline → automated deployment to the network |
| Drift detection | Periodic check of the actual device state against the Git state; alert on drift. This is also how out-of-band changes, authorised or not, come to light |
| Audit trail | Git history is the audit trail (who, when, what, why); branch protection and signed commits keep it from being rewritten silently |
| Rollback | git revert → the pipeline deploys the previous config through the same reviewed path. Reverting a change that deleted a resource recreates it rather than restoring its earlier runtime state, so rollback is fast but not always lossless |
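The drift check in the table above, and Ansible's "check the device on each run" behaviour, both come down to one comparison: the desired configuration held in Git against the running configuration pulled from the device. The following is an added example (not code from the original page): a small Python drift detector that flattens indented IOS-style configs into full-path lines so that a line is compared inside its parent block, reports what is missing from the device and what was added out of band, and sketches the converge step. Both configs are constructed for the example; in a pipeline the desired text would come from the repository and the running text from `show running-config` (for instance through an Ansible `ios_command` task). The list of volatile lines to ignore is this example's own choice.

```python
"""Drift check: desired config from Git vs. the running config pulled from a device.

Added example; not code from the original page. DESIRED and RUNNING are
constructed IOS-style snippets. VOLATILE is this example's own list of lines
that change by themselves and must not count as drift.
"""
import re

VOLATILE = re.compile(r"^(Current configuration|Building configuration|ntp clock-period)")


def flatten(config_text):
    """Flatten an indented config into full-path lines such as
    'interface GigabitEthernet0/1 > ip access-group MGMT in', so a child line is
    compared inside its parent block instead of globally."""
    paths, stack = set(), []  # stack holds (indent, text) for the open parent blocks
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("!") or VOLATILE.match(text):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, text))
        paths.add(" > ".join(t for _, t in stack))
    return paths


def detect_drift(desired_text, running_text):
    """Return (missing, unexpected): desired lines absent from the device, and device
    lines Git does not know about (out-of-band changes). Both empty means no drift."""
    desired, running = flatten(desired_text), flatten(running_text)
    return sorted(desired - running), sorted(running - desired)


def remediation_commands(missing, unexpected):
    """Illustrative converge step: negate unexpected leaves, then re-enter parent blocks
    and add missing leaves. Real platforms need per-command negation rules (ACL sequence
    numbers, commands without a 'no' form), so this shows the shape of the step only.
    Once the device matches DESIRED, detect_drift() returns two empty lists and a second
    run yields no commands, which is the idempotent check-each-run behaviour."""
    cmds = []
    for path in unexpected:
        parts = path.split(" > ")
        cmds += [" " * depth + p for depth, p in enumerate(parts[:-1])]
        cmds.append(" " * (len(parts) - 1) + "no " + parts[-1])
    for path in missing:
        parts = path.split(" > ")
        cmds += [" " * depth + p for depth, p in enumerate(parts)]
    return cmds


# Constructed desired config (what the Git repository holds).
DESIRED = """\
hostname edge-01
!
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
!
interface GigabitEthernet0/1
 description uplink
 ip address 10.0.0.1 255.255.255.0
 ip access-group MGMT in
 no shutdown
!
line vty 0 4
 transport input ssh
 access-class MGMT in
"""

# Constructed running config: someone widened the management ACL by hand,
# re-enabled telnet on the VTY lines and dropped the VTY access-class.
RUNNING = """\
Current configuration : 1204 bytes
!
hostname edge-01
!
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit ip any any
 deny ip any any log
!
interface GigabitEthernet0/1
 description uplink
 ip address 10.0.0.1 255.255.255.0
 ip access-group MGMT in
 no shutdown
!
line vty 0 4
 transport input ssh telnet
!
ntp clock-period 17179869
"""

if __name__ == "__main__":
    missing, unexpected = detect_drift(DESIRED, RUNNING)
    print("missing from device:", *missing, sep="\n  ")
    print("unexpected on device:", *unexpected, sep="\n  ")
    print("converge with:", *remediation_commands(missing, unexpected), sep="\n  ")
```

Run as-is it reports the out-of-band `permit ip any any` under the MGMT ACL and the `transport input ssh telnet` line as unexpected, and the two desired VTY lines as missing; wiring `detect_drift()` into a scheduled pipeline job and alerting on any non-empty result is the drift-detection step from the table.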
CI/CD Pipeline for Network

| Stage | Action | Tools |
|---|---|---|
| 1. Lint | Syntax check (YAML, HCL, Jinja2) | yamllint, ansible-lint, terraform fmt -check |
| 2. Validate | Logic validation (variable checks, schema validation) | terraform validate, ansible-playbook --syntax-check |
| 3. Test | Test in a lab/simulation environment | Containerlab, GNS3, CML, Batfish |
| 4. Plan | Show what will change (dry run) | terraform plan, ansible-playbook --check --diff |
| 5. Approve | Manual approval gate (for production) | GitLab approval, GitHub review, ServiceNow |
| 6. Deploy | Apply changes to production | terraform apply, ansible-playbook |
| 7. Verify | Post-deployment validation (ping, traceroute, service check) | pytest, Robot Framework, custom scripts |
| 8. Monitor | Watch for issues after deployment | Grafana, Prometheus, SIEM alerts |

The plan produced at stage 4 is what reviewers approve at stage 5, so the deploy stage should apply that saved plan (terraform plan -out=tfplan, then terraform apply tfplan) rather than planning again; otherwise the reviewed change and the deployed change can differ.
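Between the Plan and Approve stages is where an automated policy check belongs, so reviewers only see plans that already pass the organisation's baseline. The following is an added example (not code from the original page): a Python gate that reads the JSON written by `terraform show -json tfplan`, fails the pipeline when a security group would expose a management port to the whole Internet, and also flags any security-group deletion or replacement for explicit approval. The `resource_changes` / `change.actions` / `change.after` layout is Terraform's documented JSON plan format and the ingress attribute names are the AWS provider's; the sample plan, the management-port list and the policy itself are this example's own choices.

```python
"""Plan-stage policy gate for a Terraform plan.

Assumed pipeline usage (outside this file):
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python plan_gate.py plan.json     # non-zero exit blocks the Deploy stage

Added example; not code from the original page. The resource_changes /
change.actions / change.after layout is Terraform's JSON plan format; the
ingress attribute names (cidr_blocks, ipv6_cidr_blocks, from_port, to_port,
protocol) are the AWS provider's. SAMPLE_PLAN is constructed for demonstration.
"""
import ipaddress
import json
import sys

# Ports that must never be reachable from the whole Internet (this example's policy).
MGMT_PORTS = {22, 23, 3389}


def _rule_is_open_to_world(rule):
    """True if an ingress rule admits any source address (0.0.0.0/0 or ::/0)."""
    cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _rule_covers_mgmt_port(rule):
    """True if the rule's protocol and port range include a management port.
    In the AWS provider, protocol -1 (or 'all') means every protocol and every port."""
    proto = str(rule.get("protocol", "")).lower()
    if proto in ("-1", "all"):
        return True
    if proto not in ("tcp", "6", "udp", "17"):
        return False
    lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
    return any(lo <= p <= hi for p in MGMT_PORTS)


def check_plan(plan):
    """Return the list of policy violations found in a parsed plan (empty list = pass)."""
    violations = []
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        actions = rc["change"]["actions"]
        # A replace appears as ["delete", "create"], so both checks below apply to it.
        if rtype == "aws_security_group" and "delete" in actions:
            violations.append(f"{addr}: security group deleted or replaced ({'+'.join(actions)}); needs explicit approval")
        if not ({"create", "update"} & set(actions)):
            continue  # no-op, read or pure delete: nothing new reaches the network
        after = rc["change"].get("after") or {}
        for rule in after.get("ingress") or []:
            if _rule_is_open_to_world(rule) and _rule_covers_mgmt_port(rule):
                violations.append(f"{addr}: ingress {rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')} is open to 0.0.0.0/0 or ::/0")
    return violations


# Constructed sample of `terraform show -json` output, abridged to the fields used here.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.mgmt", "type": "aws_security_group",
         "change": {"actions": ["create"], "before": None, "after": {
             "name": "mgmt",
             "ingress": [
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {"name": "bastion", "ingress": []}, "after": {
             "name": "bastion",
             "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.legacy", "type": "aws_security_group",
         "change": {"actions": ["delete"], "before": {"name": "legacy"}, "after": None}},
        {"address": "aws_subnet.app", "type": "aws_subnet",
         "change": {"actions": ["no-op"], "before": {"cidr_block": "10.1.0.0/24"},
                    "after": {"cidr_block": "10.1.0.0/24"}}},
    ],
}


def main(argv):
    """Gate a plan file given on the command line, or SAMPLE_PLAN when none is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    problems = check_plan(plan)
    for p in problems:
        print("POLICY VIOLATION:", p)
    print("plan gate:", "FAIL" if problems else "PASS")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample plan the gate fails on two counts (SSH open to 0.0.0.0/0 on `aws_security_group.mgmt`, and the deletion of `aws_security_group.legacy`) while the 443 rule and the bastion's 10.0.0.0/8 SSH rule pass. Gating on the saved plan rather than on the HCL source is deliberate: the plan is what will actually be applied, after variables, modules and data sources have been resolved.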
Testing Tools

| Tool | Purpose |
|---|---|
| Batfish | Network configuration analysis (offline; no connection to the devices is needed) |
| Containerlab | Lab environment built from containers (cEOS, vSRX, FRR); fast to spin up |
| SuzieQ | Network observability and validation (state verification) |
| pyATS (Cisco) | Network test framework (parse, test, validate device state) |
| Robot Framework | Keyword-driven testing (network validation suites) |
Closing: Network IaC = Version Controlled, Tested, Automated

- Terraform: declarative, state-based; best for cloud/ACI/firewall resource lifecycle
- Ansible: agentless, YAML playbooks; best for device configuration (IOS, NX-OS, EOS)
- GitOps: Git is the source of truth; PR review → automated deploy → drift detection → rollback
- CI/CD: lint → validate → test (Containerlab/Batfish) → plan → approve → deploy → verify
- Combined: Terraform provisions, Ansible configures, Git stores, the pipeline deploys
- Benefit: no drift, full audit trail, peer review, fast rollback, consistent operations