The initial implementation of Noël Boulene’s automated provisioning of NSX-T distributed firewall rules changed the NSX-T firewall configuration based on Terraform configuration files. To make the deployment fully automated, he went a step further and added a full-blown CI/CD pipeline using GitHub Actions and Terraform Cloud.
Not everyone is as lucky as Noël – developers in his organization already use GitHub and Terraform Cloud, making his choices totally frictionless.
Apart from storing on-premises security rules in a third-party cloud (assuming you’re running NSX-T on-premises and not in AWS), there’s another slight glitch in Noël’s solution: the Terraform instance running within GitHub’s infrastructure (that’s where the CI/CD pipeline runs) must be able to reach the on-premises NSX-T Manager. I know a few people who would get shivers when faced with that idea.
If you happen to be at the opposite end of the spectrum from Noël and have to use on-premises solutions, you could get the same job done with:
- On-premises GitLab deployment, or GitLab CI/CD runners deployed on a host within your organization. Pete Lumbis described the idea in Building Network Automation Solutions online course, and I’m using it for most of my CI/CD pipelines.
- On-premises Terraform backend using Consul, etcd, Kubernetes, Postgres (relational database), or Swift (OpenStack object storage).
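As an added illustration of the second option (example configuration written for this post, not part of Noël’s project; the hostnames, state path and database name are assumptions), this Terraform snippet keeps the state in an on-premises Consul cluster and points the NSX-T provider at an internal NSX-T Manager, so neither the state nor the management connection has to leave the organization’s network:

```hcl
# Added example, not Noël Boulene's code: keep Terraform state and the
# NSX-T Manager connection entirely on-premises. Hostnames are assumptions.

terraform {
  required_providers {
    nsxt = {
      source = "vmware/nsxt"
    }
  }

  # State is stored in an on-premises Consul cluster. "lock" (true by default)
  # serialises concurrent pipeline runs; the ACL token comes from the runner's
  # CONSUL_HTTP_TOKEN environment variable, so no secret lands in the repo.
  backend "consul" {
    address = "consul.corp.example:8501"   # assumed hostname
    scheme  = "https"
    path    = "terraform/nsxt-dfw"         # assumed state path
    lock    = true
  }
}

# Equivalent Postgres backend: replace the block above with
#   backend "pg" {
#     conn_str = "postgres://terraform@db.corp.example/terraform_backend?sslmode=verify-full"
#   }
# or leave conn_str out and supply PG_CONN_STR from the runner's environment.

# NSX-T Manager is reachable only from the on-premises runner. Credentials are
# taken from NSXT_USERNAME / NSXT_PASSWORD in the runner's environment rather
# than being written into the configuration.
provider "nsxt" {
  host                 = "nsx-manager.corp.example"   # assumed hostname
  allow_unverified_ssl = false                         # keep certificate checks on
}
```

Run `terraform init` and `terraform apply` from a GitLab runner deployed inside the organization; that runner is the only component that needs network reachability to both the Consul (or Postgres) backend and the NSX-T Manager, which is exactly the exposure you avoid by not running the pipeline in a third-party cloud.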