Network Infrastructure as Code: Terraform, Pulumi and GitOps for Networking
Network Infrastructure as Code (NetIaC) is the practice of managing network configuration through code files instead of manual CLI commands. Terraform uses HCL (HashiCorp Configuration Language) for declarative provisioning, Pulumi uses general-purpose languages (Python, Go, TypeScript), and GitOps uses Git as the single source of truth for the desired network state.
Traditional network management relies on per-device CLI work, which is error-prone, not repeatable and hard to audit. Network IaC addresses each of these problems: configuration becomes code (version controlled), state is declarative (you specify the desired state and the tool makes it so), changes are reviewed through Pull Requests, rollback is a git revert, and a CI/CD pipeline provides automated testing and deployment.
IaC Benefits for Networking
| Benefit | Details |
|---|---|
| Version Control | Every config change is tracked in Git (who, what, when, why) |
| Repeatability | Same code → same result every time (no manual errors) |
| Review Process | Pull Request → peer review → approve → merge → deploy |
| Rollback | git revert → restore previous config state |
| Testing | Lint, validate, dry-run before deploy (CI pipeline) |
| Documentation | Code = documentation (self-documenting infrastructure) |
| Compliance | Policy-as-code (OPA, Sentinel) → enforce standards automatically |
Terraform for Networking
| Feature | Details |
|---|---|
| Language | HCL (HashiCorp Configuration Language), declarative |
| State Management | State file tracks current infrastructure state |
| Plan → Apply | terraform plan (dry-run) → terraform apply (execute) |
| Network Providers | Cisco (ACI, IOS-XE, NX-OS), Palo Alto, Fortinet, F5, Arista, Juniper |
| Cloud Networking | AWS VPC, Azure VNet, GCP VPC, Cloudflare, Route53 |
| Modules | Reusable modules for common patterns (VPC, subnet, firewall rules) |
| Import | Import existing infrastructure into state (brownfield) |
Terraform Network Providers
| Provider | Manages | Example Resources |
|---|---|---|
| cisco-aci | Cisco ACI fabric | Tenants, BD, EPG, contracts, L3Out |
| cisco-iosxe | Cisco IOS-XE devices | Interfaces, OSPF, BGP, ACLs |
| panos | Palo Alto firewalls | Security rules, NAT, zones, objects |
| fortios | Fortinet FortiGate | Firewall policies, addresses, VPN |
| bigip | F5 BIG-IP | Virtual servers, pools, monitors, iRules |
| aws | AWS networking | VPC, subnets, security groups, TGW, Route53 |
| azurerm | Azure networking | VNet, NSG, Load Balancer, ExpressRoute |
| cloudflare | Cloudflare | DNS records, firewall rules, page rules |
Pulumi for Networking
| Feature | Details |
|---|---|
| Language | Python, TypeScript, Go, C#, Java (real programming languages) |
| Advantage | Full programming power: loops, conditionals, functions, testing |
| State | Pulumi Cloud (managed) or self-hosted backend |
| Preview → Up | pulumi preview (dry-run) → pulumi up (execute) |
| Network Support | AWS, Azure, GCP, Kubernetes networking, Cloudflare |
| vs Terraform | Better for complex logic (if/else, loops) but smaller community for network-specific providers |
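As an added illustration (not code from the article or from the Pulumi project) of the "full programming power" row above: the rule builder is plain Python so it can be unit-tested before `pulumi up`, while `create_security_group` assumes the `pulumi_aws` package and only runs inside a Pulumi program.

```python
"""Pulumi-style security-group definition for a network stack.

Added example, not from the original article. create_security_group
assumes the pulumi_aws package (only available inside a Pulumi program);
the rule builder itself is plain Python so it can be tested without Pulumi.
"""
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
# Constructed sample data: service ports the stack exposes and the
# management ports that must never be reachable from the internet.
PUBLIC_PORTS = {"http": 80, "https": 443}
MGMT_PORTS = {"ssh": 22}


def build_ingress_rules(env: str, admin_cidrs: List[str]) -> List[Dict]:
    """Return ingress rules as plain dicts.

    Loops and conditionals (the Pulumi advantage over HCL) express the
    policy: public ports open to anyone, management ports only from
    admin_cidrs, and in prod never from 0.0.0.0/0 even if the admin
    CIDR list mistakenly contains it.
    """
    rules = []
    for name, port in PUBLIC_PORTS.items():
        rules.append({"description": name, "from_port": port, "to_port": port,
                      "protocol": "tcp", "cidr_blocks": [ANY_IPV4]})
    for name, port in MGMT_PORTS.items():
        cidrs = [c for c in admin_cidrs if not (env == "prod" and c == ANY_IPV4)]
        if cidrs:  # no source left means no management rule at all
            rules.append({"description": name, "from_port": port, "to_port": port,
                          "protocol": "tcp", "cidr_blocks": cidrs})
    return rules


def exposes_mgmt_to_internet(rules: List[Dict]) -> bool:
    """Check a unit test can run before `pulumi up`."""
    mgmt = set(MGMT_PORTS.values())
    return any(r["from_port"] in mgmt and ANY_IPV4 in r["cidr_blocks"] for r in rules)


def create_security_group(env: str, vpc_id: str, admin_cidrs: List[str]):
    """Create the AWS resource; callable only inside a Pulumi program."""
    import pulumi_aws as aws  # imported lazily so the builder stays testable

    return aws.ec2.SecurityGroup(
        f"web-{env}",
        vpc_id=vpc_id,
        ingress=[aws.ec2.SecurityGroupIngressArgs(**r) for r in build_ingress_rules(env, admin_cidrs)],
        egress=[aws.ec2.SecurityGroupEgressArgs(from_port=0, to_port=0, protocol="-1", cidr_blocks=[ANY_IPV4])],
    )
```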
GitOps for Networking
| Component | Role |
|---|---|
| Git Repository | Single source of truth (desired network state in code) |
| Pull Request | Propose change → review → approve → merge |
| CI Pipeline | Lint → validate → plan/preview → test (on merge) |
| CD Pipeline | Apply changes to network (after CI passes) |
| Drift Detection | Periodically check if actual state matches desired state |
| Reconciliation | If drift detected → auto-remediate to desired state |
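The Drift Detection and Reconciliation rows, as an added example that is not part of the original article: the desired rules (what Git says) and the actual rules (what the device API reports) are constructed inline, and the result is the ordered list of actions that restores the desired state.

```python
"""Drift detection and reconciliation plan for firewall rules under GitOps.

Added example, not part of the original article. In a real pipeline the
desired rules come from the Git repository and the actual rules from the
device or cloud API; both are constructed inline here so it runs offline.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int, str]  # (action, protocol, port, source_cidr)

# Constructed sample: what Git says the edge firewall should allow.
DESIRED: List[Dict] = [
    {"action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "port": 22, "src": "10.0.0.0/8"},
]
# Constructed sample: what the device reports. Someone added an out-of-band
# SSH rule from the internet and the HTTPS rule is gone.
ACTUAL: List[Dict] = [
    {"action": "ALLOW", "proto": "TCP", "port": "22", "src": "10.0.0.0/8"},
    {"action": "allow", "proto": "tcp", "port": 22, "src": "0.0.0.0/0"},
]


def normalize(rules: List[Dict]) -> Set[Rule]:
    """Canonical form so ordering, case and int/str differences are not drift."""
    return {(r["action"].lower(), r["proto"].lower(), int(r["port"]), r["src"]) for r in rules}


def detect_drift(desired: List[Dict], actual: List[Dict]) -> Dict[str, Set[Rule]]:
    d, a = normalize(desired), normalize(actual)
    return {"unexpected": a - d, "missing": d - a}


def reconciliation_plan(drift: Dict[str, Set[Rule]]) -> List[str]:
    """Ordered actions restoring desired state: remove unexpected rules first."""
    plan = [f"remove {r}" for r in sorted(drift["unexpected"])]
    plan += [f"add {r}" for r in sorted(drift["missing"])]
    return plan


def is_security_relevant(drift: Dict[str, Set[Rule]]) -> bool:
    """An out-of-band allow rule is an incident signal, not just config drift."""
    return any(r[0] == "allow" for r in drift["unexpected"])
```

In a scheduled job the reconciliation plan is what the CD pipeline applies, and a security-relevant drift should also open an alert before the rule is removed, so the out-of-band change can be investigated.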
GitOps Workflow
| Step | Action | Tool |
|---|---|---|
| 1. Branch | Create feature branch from main | Git |
| 2. Code | Edit network config (Terraform HCL / Ansible YAML) | IDE |
| 3. Commit + Push | Commit changes → push to remote | Git |
| 4. PR + Review | Create Pull Request → peer review → approve | GitHub/GitLab |
| 5. CI: Lint + Plan | Auto-run: terraform fmt → validate → plan | GitHub Actions / GitLab CI |
| 6. Merge | Merge PR to main | GitHub/GitLab |
| 7. CD: Apply | Auto-run: terraform apply (or manual approval) | GitHub Actions / Atlantis |
| 8. Verify | Post-deploy validation (ping, connectivity tests) | Custom scripts / Batfish |
Terraform vs Pulumi vs Ansible
| Feature | Terraform | Pulumi | Ansible |
|---|---|---|---|
| Type | Declarative IaC | Declarative IaC | Imperative/Declarative CM |
| Language | HCL | Python/Go/TS | YAML + Jinja2 |
| State | State file (required) | State (required) | Stateless (agentless) |
| Network Focus | Cloud + on-prem (providers) | Cloud (limited on-prem) | Strong on-prem (CLI/API) |
| Best For | Cloud networking, firewall provisioning | Complex cloud infra | Device config, operational tasks |
Tools Ecosystem
| Tool | Purpose |
|---|---|
| Atlantis | Terraform PR automation (plan + apply from PR comments) |
| Batfish | Network config analysis + validation (pre-deployment testing) |
| OPA (Open Policy Agent) | Policy-as-code (validate Terraform plans against policies) |
| Checkov | Static analysis for IaC security (misconfiguration detection) |
| Terragrunt | Terraform wrapper for DRY configurations |
| Nautobot / NetBox | Network Source of Truth (CMDB) → feed data to IaC |
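An added example, not from the article or from OPA/Checkov themselves, of the policy check that the CI "Lint + Plan" step and the OPA/Checkov rows describe: it reads the JSON that `terraform show -json tfplan` produces and blocks any plan that opens SSH or RDP to the internet. The plan document is constructed with only the fields the check reads.

```python
"""Policy-as-code gate for a Terraform plan, run in the CI 'plan' step.

Added example, not from the article or any tool it lists: a Python stand-in
for the OPA/Checkov check applied to `terraform show -json tfplan` output.
The plan below is constructed, with only the fields the check reads.
"""
import json
from typing import Dict, List

MGMT_PORTS = {22, 3389}      # SSH and RDP must never face the internet
ANY = {"0.0.0.0/0", "::/0"}

SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group_rule.rdp", "type": "aws_security_group_rule",
     "change": {"actions": ["update"], "after": {"type": "ingress", "from_port": 3389,
         "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": ["::/0"]}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}},
]})

def _ingress_blocks(rc: Dict) -> List[Dict]:
    """Ingress rules from either resource type; a delete has no 'after' and yields none."""
    after = rc.get("change", {}).get("after") or {}
    if rc.get("type") == "aws_security_group":
        return after.get("ingress") or []
    if rc.get("type") == "aws_security_group_rule" and after.get("type") == "ingress":
        return [after]
    return []

def _exposed_mgmt_ports(rule: Dict) -> List[int]:
    """Management ports this rule opens to any IPv4 or IPv6 source."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANY:
        return []
    lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
    if rule.get("protocol") == "-1":  # "all traffic" covers every port
        lo, hi = 0, 65535
    return sorted(p for p in MGMT_PORTS if lo <= p <= hi)

def check_plan(plan_json: str) -> List[str]:
    """Return violations; an empty list lets the pipeline proceed to apply."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        for rule in _ingress_blocks(rc):
            for port in _exposed_mgmt_ports(rule):
                findings.append(f"{rc['address']}: port {port} open to the internet")
    return findings
```

Wire it in after `terraform plan -out=tfplan` and fail the job when `check_plan` returns anything; the same check can run on `terraform show -json` of the live state for drift detection.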
Wrap-up: Network IaC = Code → Review → Deploy → Verify
Terraform: HCL declarative, plan → apply, wide network provider support
Pulumi: real programming languages, complex logic, cloud-focused
GitOps: Git = source of truth, PR review, CI/CD pipeline, drift detection
Workflow: branch → code → PR → CI (lint+plan) → merge → CD (apply) → verify
Combine: Terraform (provisioning) + Ansible (config) + Git (versioning) + Batfish (validation)
Read more about Network Automation Python and Network Configuration Management at siamlancard.com, or from icafeforex.com and siam2r.com.