CYGNA LABS DDI White Paper

Contents hide
1 About Cygna Labs
2 Introduction
3 Services Orchestration and Automation
4 DDI Services Orchestration and Automation Platform
5 Cygna Labs DDI Orchestration and Automation Platform
6 DDI Automation Use Cases
7 DDI Services Orchestration and Automation Benefits
8 Summary
9 Customer Support
10 Documents / Resources
10.1 References

About Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI vendors. Many Fortune 100 customers rely on Cygna Labs’ DDI products and services, in addition to its industry-leading security and compliance solutions to detect and proactively mitigate data security threats, affordably pass compliance audits, and increase the productivity of their departments. For more information, visit https://cygnalabs.com.
© 2024 Cygna Labs Corp. All Rights Reserved.

Introduction

The breakneck pace of IT network evolution over the past decade has exacerbated challenges network managers face in keeping up with real time changes across networks, applications, and security defenses. The increasing adoption of cloud applications and networking, increasing quantities and types of network-connected devices, and sprawling network domains not only into cloud services but to Internet of Things (IoT) deployments and to remote and mobile workers, have led to skyrocketing complexity in enterprise network topologies.
Foundational to each of these initiatives, DHCP-DNS-IPAM (DDI) solutions provide services initialization with network and application navigation capabilities required of nearly every network, service, and application scenario. DDI solutions also provide critical visibility into network and user activity as well as defenses against denial of service, malware C2 access, and data exfiltration attacks.
Recognizing the potential benefits of automating capabilities across networks, applications, and security, Gartner has coined the phrase “Services Orchestration and Automation Platforms” (SOAP) to characterize solutions for IT teams to simplify provisioning and management of new or changed topologies, services, and applications. These SOAP platforms seek to orchestrate services to streamline IT and business processes and to automate services through the execution of defined workflows to perform IT services functions.
This white paper provides an overview of IT services orchestration and automation systems as defined by Gartner and explores relevant DDI management capabilities and features and concludes with an introduction to Cygna Labs DDI SOAP features and capabilities.

Services Orchestration and Automation

Gartner research found that implementing automation and accelerating cloud adoption were the top two IT cost optimization approaches for those seeking to lower costs . Certainly, the automation of tasks reduces manual effort which streamlines task completion time and reduces the potential for manual errors. Gartner identified the following key capabilities required of Services Orchestration and Automation Platforms (SOAPs):

Workflow Orchestration
SOAP systems should provide a unified graphical interface to enable the design of workflows spanning on-prem and cloud. With the popularity of Python for DevOps these days, it’s interesting that Gartner recommends a graphical interface. This is likely due to the advantages of graphical interfaces to visualize workflow design and to more easily communicate workflows to peers and managers. Additionally, a graphical design palette can simplify workflow maintenance. APIs change as may flow logic and it may be easier to update a graphical flow as opposed to diving into Python code to decipher the original programmer’s logic, especially if that individual had moved on to another position.
Event Driven Automation
Workflows should enable initiation not only by administrator button clicks but by reception of triggers or events from third party systems. Receptivity to external triggers automates workflow execution, removing human action or inaction, bypassing potential delays in assessing triggers and initiating defined processes. In some cases, human analysis is certainly required, but for those for which a deterministic action is defined, automating such triggers improves responsiveness.
Self-Service Automation
Many IT service requests are relatively simple to fulfill but they require the time and attention of resource-starved IT groups. Empower end users to submit such requests to initiate defined workflows to automate request fulfillment while retaining IT visibility and control through workflow actions to update relevant IT systems. Publication of pre-defined user transactions can be posted on an intranet site to enable users to submit requests, many of which can be fulfilled immediately, while some may require “reservation” of network or application resources pending IT team review and approval. Such requests may leverage workflows that notify approvers to expedite the overall process.
Scheduling, Monitoring, Visibility, Alerting
Surrendering full control of methodical, manual workflow execution, not to mention triggering of flows by third party systems, and even end users, may instill fears of losing visibility and control of the IT environment. The IT ecosystem supported by SOAP systems must therefore provide tracking of transactions, visibility to current states, and notification of errors or issues.
Resource Provisioning
As we related earlier, a given resource provisioning action impacts several components, and nearly always, DDI. For example, provisioning a new server on-prem or in the cloud may entail the loading of a company approved operating system, with security software, applications, least privilege user accounts, and one or more IP addresses and DNS names. Automating such processes transforms a multi-step manual process involving several teams into a single API call to initiate the corresponding workflow, reducing provisioning time and potential errors.
Managing Data Flows
The ability to manage data flows is necessary to accommodate changes in downstream APIs, in systems involved in the workflow, and in the business process itself. As mentioned earlier, as powerful as Python is, performing updates and maintenance may be simpler using a visual graphical interface. In addition, the use of common modules across workflows to perform analogous tasks reduces maintenance effort in updating one flow vs. a number of flows using the module’s logic.

DDI Services Orchestration and Automation Platform

Considering the fundamental role of DHCP, DNS, and IPAM in providing the glue between user and infrastructure device network connectivity and user access to applications across data center, cloud, and beyond, it’s clear that DDI ingredients are a necessity to most if not all IT workflows. Whether it’s creating a subnet, assigning an IP address, configuring DHCP or adding a resource record to DNS, one or more of these or other DDI-centric tasks may be necessary within broader IT provisioning and management workflows.
So why not just include DDI workflow tasks and steps within the flows of a generic SOAP platform? It turns out that the DDI world is very complex in its own right and context is critical. By incorporating a DDI-centric SOAP system, the broader IT SOAP system can treat DDI functions as transactions, leaving it to the DDI system to identify necessary conditions for completing the transaction. For example, consider these use cases illustrating the benefits of utilizing a DDI-centric SOAP platform:
  • Provisioning a subnet within a cloud Virtual Private Cloud (VPC) in a public cloud service. The subnet allocated should not necessarily by “next in the list”. Under a hierarchical address plan, as recommended by the IETF, address block assignments align with network and routing topology. Different public cloud region deployments may likely connect to your enterprise network via different WAN or SDWAN routers. Using a DDI SOAP system, the IT SOAP may request a subnet for region X and the DDI system should be able to identify and assign a hierarchically aligned subnet.
  • Assign an IP address for a new server being prepared for production. In the case of a data center or on-premises deployment, IP address assignment is dictated by the subnet(s) provisioned at the site to which the server is being deployed. The IT SOAP system may request the next IP address at site X and the DDI SOAP system should return an available site-relevant IP address. Private or public cloud system IP address deployments typically involve an API call to identify available IP addresses and to perform the assignment and the DDI SOAP system should be able to perform the appropriate operation.
  • Add a DNS resource record for a new cloud virtual machine. Configuring one or more DNS resource records for a new virtualized network function facilitates user navigation to the device as well as service chaining elasticity. In many cases, the DDI SOAP system can create default resource records for new devices upon IP address assignment. In the absence of the DDI SOAP system, the IT SOAP system would need to create the resource record(s) within the relevant DNS domains.
  • Create a DHCP configuration for a network boot device. Some Internet of Things (IoT) devices, such as those used on factory lines, are simple devices that leverage DHCP or DHCPv6 to obtain not only an IP address but additional unitization parameters for booting and operations. Configuration of these parameters accurately may be challenging for an IT SOAP system, which a DDI system should allow grouping of certain DHCP options for simpler association for different device types.

Cygna Labs DDI Orchestration and Automation Platform

Cygna Labs Cloud Automation Appliance (CAA) is a DDI-centric Services Orchestration and Automation Platform. Our CAA provides a graphical workflow creation interface based on NodeRed to enable drag-and-drop workflow creation. The system ships with canned “nodes” corresponding to Cygna DDI systems including both VitalQIP and IPControl, which can be dragged onto the workflow palette and wired in for inclusion in broader workflows. Workflows can be initiated by a user-definable REST endpoint that can be evoked by a third-party system. Canned workflows are also shipped with the system to enable easy DDI integration with ServiceNow, Cisco DNA Center, Terraform, Aura/vRealize, AWS, Azure, GCP and Oracle Cloud.
These workflows facilitate coordinated updates of orchestration systems, Cygna DDI systems, and public/private cloud systems, i.e., they orchestrate and automate DDI flows to facilitate IT automation. In reviewing the SOAP requirements outlined by Gartner as described earlier, the CAA meets these requirements fully.
  • Workflow Orchestration – the CAA provides a graphical workflow design interface as shown in Figure 1 to ease creation of workflows, passing parameters between nodes, and making third-party REST calls, among other functions.
  • Event Driven Automation – workflows are initiated through REST calls to the CAA, which may originate from broader IT SOAP or other IT systems or from your Cygna DDI system. This feature oers a full cycle flow possibility with a DDI system detected address utilization threshold, enabling the provisioning of additional address capacity.
  • Self-Service Automation – the CAA facilitates integration with IT portals via its REST endpoints to allow associates to submit requests for IT resources including IP addresses and DNS names for example.
  • Scheduling, Monitoring, Visibility, Alerting – external notifications can be built into workflows if desired and recent changes for Cygna DDI systems can be viewed in terms of subnet, IP, DHCP and DNS changes.
  • Resource Provisioning – the CAA automates context-appropriate provisioning of subnets, IP addresses and DNS information required as standalone tasks or as components of broader IT workloads.
  • Managing Data Flows – grouping tasks into CAA sub-flows enables reuse of these for customer-defined or edited flows.

Figure 1 – Cygna Labs CAA DDI Workflow Design

Figure 1 illustrates the CAA user interface. Pre-defined nodes are available in the left pane to drag onto the workflow design palette in the center of the screen. The right pane provides details such as input and output parameters for a given node selection, as well as workflow history tracking and debugging. Double-clicking a node provides node properties and to manipulate the corresponding node function or parameters. Tabs along the top of the palette enable selection of other workflows. You can edit supplied workflows to your specifications or create your own workflows.

DDI Automation Use Cases

This section summarizes some basic uses cases for which illustrate the utility of the Cygna Labs CAA for DDI orchestration and automation.

Private Cloud Scenarios
Cygna Labs’ CAA automates and manages orchestrator functions related to IP address and DNS name assignment.
In the context of this white paper, the term orchestrator refers to any northbound system that incorporates DDI functions within its orchestration tasks and includes such systems as ServiceNow, Aria, Terraform, puppet, and other similar platforms. Thus, when a virtual machine is created or destroyed, the orchestrator may be configured to invoke a CAA API call to either assign or free up the corresponding VM IP address and DNS resource records.
Figure 1 illustrates this basic process for a simple private cloud scenario where IPControl or VitalQIP is authoritative for IP address assignment. The orchestrator calls the CAA REST endpoint, and the CAA requests a relevant, available IP address with associated DNS information from a Cygna DDI system, which performs the assignment and updates its database. The information is passed back to the CAA then back to the orchestrator as results to the original REST call. In addition, the orchestrator and/or the CAA could be configured to interface with other systems required for the workflow such as asset or network management systems. This provides a fully automated, hands-free mechanism for robust address assignment for private cloud as a simple workflow of its own or as part of a broader IT workflow involving other
tasks and systems.

Public Cloud Scenarios

The CAA supports public cloud interaction in a similar manner. Cygna DDI systems can serve as the authoritative source for subnet provisioning to the public cloud system as in the private case, but the individual IP address assignments can usually either be assigned during instantiation of a virtualized network function (e.g., within the same API request) or automatically assigned by the public cloud system. In either case, it’s necessary to discover the IP address assignments and availability via the cloud system API regarding, as other users or systems could be assigning IP addresses and during VNF destruction, the assigned IP address may lag in being freed up by the cloud system.
In the provisioning case where an IP address is desired to be assigned during the instantiation API call, the CAA can discover the IP addresses assigned and available on the relevant VPC subnet and request the Cygna DDI systems to reserve the next available. In the case where the public cloud system is auto assigning each IP address, regular discovery should be performed to track-assignments in the Cygna DDI system so that IP inventory is accurate. This tracking is performed using discovery or “get” API calls to the respective cloud system and updating the DDI database.

Regular VPC subnet discovery is also useful for monitoring IP address utilization tracking. User-definable thresholds enable alerting of administrators of the need to allocate more IP address capacity or alternatively to trigger the automated allocation of supplemental capacity without user intervention. Subnets allocated via the CAA or the Cygna DDI user interfaces do not require explicit specification of the subnet address. Cygna DDI systems track your overall address space and associated allocations and remaining free space. Automated subnet allocation may use a “best fit” approach and for IPv6 blocks additionally sparse and random allocation methods. Figure 3 illustrates an example flow for provisioning a subnet within a cloud VPC.

In this scenario, an orchestrator initiates a REST call to the CAA. This REST endpoint could also be called by a Cygna DDI callout indicating a high address utilization within the VPC. The VPC and the allocation size can be specified in the API call, and the CAA would request a subnet of the corresponding size within the associated VPC. Upon assignment and return of the subnet address to the CAA, the CAA provisions the subnet in the corresponding VPC via the cloud API. The cloud API returns indication of success along with the cloud-assigned subnet identifier. The CAA then appends this identifier to the subnet in the Cygna DDI system to provide this linkage natively in Cygna DDI. Successful results are then passed back to the originator.
Cygna DDI systems track allocations and remaining free space across your diverse enterprise network so successive allocations can be made easily and accurately with a single mouse click, API call, or via the CAA. Subnet templates also enable definition of IP address assignments or reservations. DHCP pools can be templated within subnets to auto-define DHCP pools within subnets for DHCP deployments (not all cloud systems permit DHCP traffic). Templates not only simplify allocation but promote consistency of address assignments within subnets for administrative and troubleshooting purposes.
In summary, with Cygna DDI systems configured to proactively monitor address availability, you can confidently create and destroy VMs dynamically based on your services and capacity needs. Using an orchestrator plug-in or other automation tool, the actual VM creation process obtains an available IP address from Cygna DDI via the CAA, which automates the process and retains the tracking of IP address assignments within the holistic DDI repository. Cygna DDI systems also automate DNS resource record creation as well based on naming policies so that DNS too can be updated without human intervention. The overall process yields a virtually hands-free integration of critical network services initialization within the process of VM instantiation.

Other IT Scenarios

Automating private and public cloud IP addresses, subnets and DNS information optimizes DDI efficiencies, but many organizations manage network and compute resources beyond those in the cloud. This includes branch or remote offices, SD-WAN Internet breakout sites and even good old data centers. The CAA provides automation capabilities for these environments as well, enabling you to fully automate DDI across your diverse network topology.

With its easy to use graphical drag-and-drop interface, numerous canned flows and nodes on which administrators can expand and build new flows, DDI automation can integrate with other systems across your entire IT ecosystem. For example, the provision of a subnet on a router interface in a Cygna DDI system can trigger a callout to the CAA which in turn may update a router configuration system with the corresponding subnet information, streamlining this provisioning process. Cygna DDI systems support several callout events which can be configured to trigger CAA flows to update other business or operations support systems, network elements or even send notifications of triggered events.

Empowering End Users

You can enhance your IT services portal to empower end users to submit requests for IP addresses and DNS information for new devices. For example, a user may request a static IP address for a new printer. A portal page could be created which would trigger a REST call to a CAA endpoint to trigger a flow to assign the next IP address on the subnet where the user is located, providing instant results, with tracking in the Cygna DDI system. This enables IT to provide rapid services provisioning without the need to engage manual IT effort for trivial tasks. The IP information is updated automatically, and IT staff can be notified if desired or may review audit logs to spot check address assignments as desired.

Cygna DDI as DNS Orchestrator

Cygna DDI systems natively support leading cloud DNS services including Amazon Route 53, Azure DNS and Google DNS. Cygna DDI can manage DNS zones and resource records on these systems as a native DNS vendor like it does ISC BIND and Microsoft. This enables administrators to manage internal and external DNS holistically within a single system and user interface. Administration can also be delegated in a granular fashion to enable other administrators to manage providers’ DNS services, specific DNS zones on those providers and a subset of resource record types.

DDI Services Orchestration and Automation Benefits

Implementing a disciplined and automated DDI foundation as a core component of your network management and cloud deployment strategy enables you to achieve the following benefits:

  • Faster VM/VNF provisioning – Whether using DHCP, an orchestrator plug-in, IT SOAP system, and/or a public cloud platform, the provisioning process need not pause to assign and IP address and update DNS. The Cygna Labs CAA solution supports each form of core network services automation for rapid provisioning, supporting the cloud’s agility benefit to organizations. The CAA and Cygna DDI systems support underlying discovery and capacity management functions to provide further assurance of IP address availability and integrity during the provisioning process.
  • Improved provisioning accuracy – Automation via DHCP or the CAA provides more accurate provisioning.
    The requestor for an IP address need only issue the request and leave it to the CAA to identify a free address for assignment. The requestor need not attempt to identify an address on its own and request it; the requestor can request the CAA identify, discover and/or obtain the IP address assignment and to maintain the IPAM repository in the Cygna DDI system.
  • Reduced manual effort – Automation reduces manual effort, which can reduce time intervals, opportunities for erroneous manual entry and staff costs.
  • Simpler troubleshooting – With all your IP address information secured in a robust repository including all assignments and discoveries recorded, the Cygna DDI database serves as the IP address plan of record which provides critical information during troubleshooting. Subnet and IP address templates also promote consistency of IP address assignments which further reduces confusion and aids in rapid troubleshooting.
  • Integrate DHCP/DNS/IPAM (DDI) processes – As we’ve seen in discussing the functional integration of assigning IP addresses, updating the IP address repository then adding the IP address-to-name association in DNS, the core network services of IPAM, DHCP and DNS are tightly inter-related. Integrating these services under a single DDI management system facilitates automation and robustness of IPAM data.
  • Centralized DDI for your entire network – depending on the expanse of your network you likely have non-cloud network components you need to manage, like subnets in remote offices for example. Cygna DDI systems enable you to manage all of your IP space holistically, integrating the view of cloud IP space and non-cloud IP space through a single pane of glass.
  • Segment administrative authority – Different administrators may be responsible for certain subsets of the network or subsets of functions like DHCP or DNS for example. Cygna DDI systems support very granular administrator roles to define the scope of control accordingly. Even cloud orchestrator systems and the CAA can be constrained to the span of their reach when calling the API to just the cloud environment. Likewise, individual administrators or groups can be constrained in multiple dimensions.
  • Virtualized DHCP and DNS network functions – Cygna Labs offers virtual appliances for DHCP and DNS services, as well as the centralized Cygna DDI systems itself and the CAA. As your need for elasticity for these core network services dictates, these appliances can be instantiated and destroyed across your VMware, KVM, AWS, and/or Azure infrastructure.
  • Bottom line: lower cost – DDI orchestration using Cygna DDI and CAA systems can help you lower your costs for cloud and overall IT administration though automation, less manual staff effort, fewer errors to troubleshoot, and higher customer or constituent satisfaction through rapid, accurate provisioning. This approach mirrors and supports those benefits of the cloud itself with agility, elasticity and lower costs.

Summary

  • Workflow Orchestration – the CAA provides a graphical workflow design interface to ease creation of workflows, passing parameters between nodes, and making third-party REST calls, among other functions.
  • Event Driven Automation – workflows are initiated through REST calls to the CAA, which may originate from broader IT SOAP or other IT systems or even from your Cygna DDI system for full-cycle self-managing DDI capacity.
  • Self-Service Automation – the CAA facilitates integration with IT portals via its REST endpoints to allow associates to submit requests for IT resources including IP addresses and DNS names for example.
  • Scheduling, Monitoring, Visibility, Alerting – external notifications can be built into workflows if desired and recent changes for Cygna DDI systems can be viewed in terms of subnet, IP, DHCP and DNS changes. Cygna DDI Guard and IPAM Auditor provide additional levels of DDI visibility with drill-down to specific DHCP and DNS packet data.
  • Resource Provisioning – the CAA automates context-appropriate provisioning of subnets, IP addresses, DHCP, and DNS information required as standalone tasks or as components of broader IT workloads.
  • Managing Data Flows – CAA’s graphical interface provides an intuitive perspective of flow logic, and grouping tasks into CAA sub-flows enables reuse of these for customer-defined or edited flows.

Customer Support

Documents / Resources

CYGNA LABS DDI White Paper [pdf] User Guide
DDI White Paper, White Paper, Paper

References

Leave a comment

Your email address will not be published. Required fields are marked *