Configuring NSX-T Firewall with a CI/CD Pipeline

The initial implementation of Noël Boulene's automated provisioning of NSX-T distributed firewall rules used Terraform configuration files to describe the desired firewall rules and pushed the resulting changes into NSX-T. To make the deployment fully automated he went a step further and added a full-blown CI/CD pipeline using GitHub Actions and Terraform Cloud.

Not everyone is as lucky as Noël – developers in his organization already use GitHub and Terraform Cloud, making his choices totally frictionless.

A tip from Noël: don’t fight the tool selection if at all possible. Use whatever everyone else is using.

Apart from storing on-premises security rules in a third-party cloud (assuming you're running NSX-T on-premises and not in AWS), there's another slight glitch in Noël's solution: the Terraform run executed by the hosted pipeline (on GitHub's runners, or in Terraform Cloud if remote execution is used) must be able to reach the on-premises NSX-T Manager API, which means allowing inbound connections from a public cloud into your firewall's management plane. I know a few people who would get shivers when faced with that idea.

If you happen to be at the opposite end of the spectrum from Noël and have to use on-premises solutions, you could get the same job done with:

  • On-premises GitLab deployment, or GitLab CI/CD runners deployed on a host within your organization (the runner pulls jobs from GitLab, so no inbound access to the NSX-T Manager from outside is needed). Pete Lumbis described the idea in the Building Network Automation Solutions online course, and I'm using it for most of my CI/CD pipelines.
  • On-premises Terraform backend using Consul, etcd, Kubernetes, Postgres (relational database), or Swift (OpenStack object storage). Note that the etcd and Swift backends were removed in Terraform 1.3, so on current releases the on-premises choices are Consul, Kubernetes and Postgres (or any HTTP backend you host yourself).
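As an added example (not from the original post, and not Noël's pipeline), here is what the on-premises variant of the two bullets above could look like as a GitLab CI/CD pipeline: Terraform runs only on a runner registered inside the organization, and state lives in an on-premises PostgreSQL database instead of Terraform Cloud. The runner tag `on-prem`, the CI/CD variables `TF_PG_CONN_STR`, `NSXT_MANAGER_HOST`, `NSXT_USERNAME` and `NSXT_PASSWORD`, the Terraform image version and the resource group name `nsxt-dfw` are all assumptions; the Terraform code is assumed to declare a partial backend block (`terraform { backend "pg" {} }`) so that the database connection string is supplied at init time rather than committed to the repository.

```yaml
# Added example: GitLab CI/CD pipeline for Terraform-managed NSX-T DFW rules
# with on-premises runners and on-premises state. Not the original author's code.
# Assumed: a GitLab runner tagged "on-prem" on a host that can reach the NSX-T
# Manager API; TF_PG_CONN_STR, NSXT_MANAGER_HOST, NSXT_USERNAME, NSXT_PASSWORD
# defined as masked + protected CI/CD variables; terraform { backend "pg" {} }
# in the repository.

image:
  name: hashicorp/terraform:1.5   # assumed image/version
  entrypoint: [""]

stages:
  - validate
  - plan
  - apply

variables:
  TF_IN_AUTOMATION: "true"   # suppress interactive hints
  TF_INPUT: "false"          # fail instead of prompting for missing values

default:
  tags:
    - on-prem                # only runners inside the organization take these jobs
  before_script:
    # Backend settings are injected at init time, so neither the state
    # location nor the database credentials live in the repository.
    - terraform init -backend-config="conn_str=${TF_PG_CONN_STR}"

validate:
  stage: validate
  script:
    - terraform fmt -check -recursive
    - terraform validate

plan:
  stage: plan
  script:
    # The nsxt provider reads NSXT_MANAGER_HOST / NSXT_USERNAME / NSXT_PASSWORD
    # from the environment, so the provider block carries no credentials.
    - terraform plan -out=tfplan
  artifacts:
    paths:
      - tfplan
    expire_in: 1 day
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

apply:
  stage: apply
  script:
    # Apply exactly the plan that was reviewed, not a fresh one computed now.
    - terraform apply -input=false tfplan
  needs:
    - plan
  resource_group: nsxt-dfw   # serialize applies: one DFW change at a time
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual           # a human approves before rules reach the firewall
```

Two design choices matter from a security standpoint: the `apply` job consumes the saved `tfplan` artifact so that what hits the firewall is exactly what was reviewed in the merge request, and the manual gate plus `resource_group` ensure that firewall changes are approved by a person and never applied concurrently.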
