Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Download as PPTX, PDF0 likes506 views
This document discusses using Ansible for automation across various IT use cases. It provides examples of how Ansible can be used for infrastructure orchestration, patch management, network automation, and managing various network devices and platforms including Cisco, Palo Alto, and Fortinet devices. It also provides examples of playbooks for tasks like provisioning servers, configuring firewall rules, and checking for configuration drift. Overall it promotes Ansible as a simple, agentless, and extensible automation tool that can automate technologies across IT operations, DevOps, security and more.
![22
---
- name: configure ios interface
hosts: ios01
tasks:
- name: collect device running-config
ios_command:
commands: show running-config interface GigabitEthernet0/2
provider: “{{ cli }}”
register: config
- name: administratively enable interface
ios_config:
lines: no shutdown
parents: interface GigabitEthernet0/2
provider: “{{ cli }}”
when: ‘”shutdown” in config.stdout[0]‘
- name: verify operational status
ios_command:
commands:
- show interfaces GigabitEthernet0/2
- show cdp neighbors GigabitEthernet0/2 detail
waitfor:
- result[0] contains ‘line protocol is up’
- result[1] contains ‘iosxr03’
- result[1] contains ’10.0.0.42’
provider: “{{ cli }}”
PLAYBOOK EXAMPLE: CISCO AUTOMATION](https://image.slidesharecdn.com/01ansibleautomation-enterpriseusecases-211027140825/85/Ansible-Automation-Enterprise-Use-Cases-Juncheng-Anthony-Lin-22-320.jpg)
![23
---
- hosts: all
connection: local
gather_facts: no
tasks:
- name: Set the system attributes
net_system:
hostname: "{{ net_hostname }}"
domain_name: "{{ site_domain_name }}"
name_servers: "{{ site_nameservers }}"
domain_search: "{{ site_domain_search }}"
[switches]
c3850-1 ansible_host=192.168.12.3 ansible_network_os=ios
c3560-1 ansible_host=192.168.12.2 ansible_network_os=ios
j2300-1 ansible_host=192.168.12.4 ansible_network_os=junos
[network:children]
switches
PLAYBOOK EXAMPLE: AUTOMATION ACROSS MULTIPLE
DEVICES](https://image.slidesharecdn.com/01ansibleautomation-enterpriseusecases-211027140825/85/Ansible-Automation-Enterprise-Use-Cases-Juncheng-Anthony-Lin-23-320.jpg)
![25
PLAYBOOK EXAMPLE: CONFIG DRIFT
tasks:
- name: diff the running against the intended config
nxos_config:
diff_against: intended
provider: "{{ provider }}"
intended_config: "{{ lookup('file', 'backup.txt') }}"
# ansible-playbook intended_vs_running.yml --diff
PLAY [n9k] *******************************************************************
TASK [diff against the startup config] ***************************************
--- before
+++ after
@@ -50,8 +50,6 @@
no switchport
ip address 5.5.5.5/24
interface Ethernet1/6
- no switchport
- ip address 6.6.6.6/24
interface Ethernet1/7
interface Ethernet1/8
interface Ethernet1/9](https://image.slidesharecdn.com/01ansibleautomation-enterpriseusecases-211027140825/85/Ansible-Automation-Enterprise-Use-Cases-Juncheng-Anthony-Lin-25-320.jpg)
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
- 1. Ansible Automation - Enterprise Use Cases Anthony Lin Cloud Automation Specialist, SEATH, Red Hat
- 2. 2 Automation happens when one person meets a problem they never want to solve again
- 3. 3 FOR I.T. ORGANIZATIONS, THE RISE IS INEVITABLE TOOLS CHANGE COMPLEXITY EXPECTATIONS
- 4. 4 AUTOMATION MAKES THE RISE MANAGEABLE TOOLS CHANGE COMPLEXITY EXPECTATIONS
- 6. 6 WE’RE NOT JUST SOLVING PROBLEMS TODAY IT OPS
- 7. 7 BUT EMPOWERING YOUR TEAMS FOR THE FUTURE IT OPS DEVOPS SECURITY INFRASTRUCTURE NETWORK
- 8. 8 ITSM Provisioning Infra- Server - Install OS - Harden OS - Storage - Network Infra- Middleware - Install Database - Install IIS - Install Java - Harden - Middleware Config Management Server Configuration Setting - Changes (Infra) - System (e.g. OS) - Network - Storage - Database Apps Server Config Changes - Middleware - Database Patch Management - Verify Patches - Apply Patch - Status Verification - Health Check - Backup for Security & Network Devices - VLAN Creation - Network Status Security & Governance Network Admin Planned Activities - Policy Enforcement - Hardening Unplanned Activities - Audits - Urgent Vulnerability Patch Daily Activities - Health Check - Rights Management User Requests Applications Application Performance Management Manual Manual
- 9. 9 ITSM Provisioning Infra- Server - Install OS - Harden OS - Storage - Network Infra- Middleware - Install Database - Install IIS - Install Java - Harden - Middleware Config Management Server Configuration Setting - Changes (Infra) - System (e.g. OS) - Network - Storage - Database Apps Server Config Changes - Middleware - Database Patch Management - Verify Patches - Apply Patch - Status Verification - Health Check - Backup for Security & Network Devices - VLAN Creation - Network Status Security & Governance Network Admin Planned Activities - Policy Enforcement - Hardening Unplanned Activities - Audits - Urgent Vulnerability Patch Daily Activities - Health Check - Rights Management User Requests Application Performance Management API API Provisioning Config Management Patch Management Network Admin Applications
- 10. 10 Ansible Automation SIMPLE AGENTLESS EXTENSIBLE
- 11. 11
- 12. 12 CLOUD VIRT & CONTAINER WINDOWS NETWORK DEVOPS MONITORING ANSIBLE AUTOMATES TECHNOLOGIES YOU USE More than 1,200 Integrations AWS Azure CenturyLink Digital Ocean Google OpenStack Rackspace +more Docker VMware RHV OpenStack OpenShift +more ACLs Files Packages IIS Regedits Shares Services Configs Users Domains +more Arista A10 Cumulus Bigswitch Cisco Cumulus Dell F5 Juniper Palo Alto OpenSwitch +more Jira GitHub Vagrant Jenkins Bamboo Atlassian Subversion Slack Hipchat +more Dynatrace Airbrake BigPanda Datadog LogicMonitor Nagios New Relic PagerDuty Sensu StackDriver Zabbix +more STORAGE NetApp Red Hat Storage Infinidat +more
- 13. 13 ● The AWX Project -- AWX for short -- is an open source community project, sponsored by Red Hat, that enables users to better control their Ansible project use in IT environments ● AWX is the upstream project from which the Red Hat Ansible Tower offering is ultimately derived ● AWX provides a web-based user interface, REST API, and task engine built on top of Ansible ● AWX is designed to be a frequently released, fast-moving project where all new development happens ● Ansible Tower is produced by taking selected releases of AWX, hardening them for long-term supportability, and making them available to customers as the Ansible Tower offering ● This is a tested and trusted method of software development for Red Hat, which follows a similar model to Fedora and Red Hat Enterprise Linux
- 15. 15 Provision RHEL VMs Search for Available IPs Create DNS Entry Deploy Web App & Perform Validation Test Configure Load Balancer Configure Firewall Policies REST API
- 16. 16
- 17. PATCH MANAGEMENT
- 20. 20 DAILY HEALTH CHECKS Scheduled by Ansible Tower to check for CRC errors, log errors and integrate with NOC/ITSM CONFIGURATION MANAGEMENT Infrastructure as code. Simplify firewall rules creation, VLAN creation, ACL rules or BGP routing using Ansible Tower survey form CONFIGURATION DRIFT Scheduled task in Ansible Tower to check for drift by comparing against baseline configuration PATCH MANAGEMENT Use Ansible to deploy new firmware SECURITY & COMPLIANCE CHECKS Check for CVE and ensure security policies, such as disabling telnet, are applied DYNAMIC DOCUMENTATION Generate dynamic documentation and audit reports COMMON NETWORKING USE CASES
- 21. 21 - name: Update Palo Alto Firewall panos_security_rule: ip_address: "{{ firewall_node }}" username: "{{ paloalto_username }}" password: "{{ paloalto_password }}" operation: "{{ firewall_operation }}" rule_name: "{{ rule_name }}" source_ip: "{{ srcipaddress }}" source_user: 'any' destination_ip: "{{ dstipaddress }}" category: 'any' application: "{{ application }}" service: "{{ service }}" hip_profiles: 'any' action: "{{ firewall_action }}" devicegroup: "{{ device_group }}" PLAYBOOK EXAMPLE: PALO ALTO SECURITY RULE
- 22. 22 --- - name: configure ios interface hosts: ios01 tasks: - name: collect device running-config ios_command: commands: show running-config interface GigabitEthernet0/2 provider: “{{ cli }}” register: config - name: administratively enable interface ios_config: lines: no shutdown parents: interface GigabitEthernet0/2 provider: “{{ cli }}” when: ‘”shutdown” in config.stdout[0]‘ - name: verify operational status ios_command: commands: - show interfaces GigabitEthernet0/2 - show cdp neighbors GigabitEthernet0/2 detail waitfor: - result[0] contains ‘line protocol is up’ - result[1] contains ‘iosxr03’ - result[1] contains ’10.0.0.42’ provider: “{{ cli }}” PLAYBOOK EXAMPLE: CISCO AUTOMATION
- 23. 23 --- - hosts: all connection: local gather_facts: no tasks: - name: Set the system attributes net_system: hostname: "{{ net_hostname }}" domain_name: "{{ site_domain_name }}" name_servers: "{{ site_nameservers }}" domain_search: "{{ site_domain_search }}" [switches] c3850-1 ansible_host=192.168.12.3 ansible_network_os=ios c3560-1 ansible_host=192.168.12.2 ansible_network_os=ios j2300-1 ansible_host=192.168.12.4 ansible_network_os=junos [network:children] switches PLAYBOOK EXAMPLE: AUTOMATION ACROSS MULTIPLE DEVICES
- 24. 24 PLAYBOOK EXAMPLE: FIRMWARE CHECK --- - hosts: cisco connection: local gather_facts: False vars: desired_version: "7.0(3)I7(1)" tasks: - name: gathering nxos facts nxos_facts: provider: "{{login_info}}" - name: create HTML report template: src: report.j2 dest: /var/www/html/generated_report.html delegate_to: localhost run_once: true
- 25. 25 PLAYBOOK EXAMPLE: CONFIG DRIFT tasks: - name: diff the running against the intended config nxos_config: diff_against: intended provider: "{{ provider }}" intended_config: "{{ lookup('file', 'backup.txt') }}" # ansible-playbook intended_vs_running.yml --diff PLAY [n9k] ******************************************************************* TASK [diff against the startup config] *************************************** --- before +++ after @@ -50,8 +50,6 @@ no switchport ip address 5.5.5.5/24 interface Ethernet1/6 - no switchport - ip address 6.6.6.6/24 interface Ethernet1/7 interface Ethernet1/8 interface Ethernet1/9
- 27. 27 PALO ALTO INTRUSION USE CASE Threat Prevention logs Malware and phishing logs Correlated Event logs System logs Data filtering logs Traps logs … ... 10.5.3.1 Compromised Dynamic Address Group Policy Source Action Quarantine Dynamic Address Group Deny All 1. Granular log filtering 2. Automated actions on the NGFW HTTP/HTTPS AUTO-TAG 3. Trigger API call to ITSM to alert NOC about the threat Brute Force Attack Alert Received Host is 10.5.3.1 HTTP/HTTPS 4. Operator trigger Ansible workflow to quarantine 10.5.3.0/24 subnet
- 28. 28 CISCO AND FORTINET MANAGEMENT
- 29. 29 GETTING STARTED ● E-Books (Part 1, Part 2) ansible.com/ebooks ● Network Automation Workshop Road Show ansible.com/workshops ● Events: Automates, Meetups, and best of all ... ansible.com/automates
- 30. THANK YOU