IPAM and DNS Provider (Infoblox) (16.3+)

See also: Service Discovery Using IPAM and DNS

IPAM and DNS Configuration

The Avi Controller integrates with Infoblox’s RESTful Web API (WAPI) for IPAM and DNS services together. Note: Neither DNS-only nor IPAM-only operation is supported with Infoblox. These API calls are initiated by the Avi Controller and directed to the Infoblox Grid Master IP address, or to its virtual IP address (VIP) when the Grid Master is deployed as a high-availability pair. This integration enables Avi Vantage to automate the allocation of IP addresses and the creation and deletion of host objects in DNS as virtual services (VS) are created or deleted in the Avi environment.

Configuring the IPAM/DNS Profile on Avi Controller

Navigate to Templates -> IPAM/DNS Profiles -> Create.

Name the Profile.

Select “Infoblox IPAM and DNS” as IPAM/DNS type and enter credentials as shown below:

  • IP address: address of the Infoblox appliance
  • Username and password: credentials to access Infoblox
  • WAPI Version: as supported by the Infoblox server
    • The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the WAPI version being used by Infoblox, access the following URI on the Infoblox Grid Master: https://<Grid-Master-address>/wapidoc/
  • DNS view: as configured in Infoblox (default DNS view is named “default”)
  • Network view: as configured in Infoblox (default Network view is named “default”)
  • Optionally, select a subset of IP subnets and DNS domains to choose from Infoblox:
    • Usable subnet: Pick all or a subset of subnets configured in Infoblox to be used for VIP allocation. If none is specified, Avi Vantage looks at all subnets.
    • Usable domain: Pick all or a subset of the domains configured in Infoblox to be used for DNS purposes. If none is specified, all domains are available during virtual service creation.

[Screenshot: Infoblox IPAM/DNS profile]

IPAM and DNS filters (Optional)

It is assumed that all subnets and domain names (zones) of interest have already been configured on the Infoblox server for consumption by Avi Vantage.

Selecting a subset of subnets from Infoblox for IPAM:

[Screenshot: Infoblox profile, usable subnet selection]

Selecting a subset of domains/zones from Infoblox for DNS:

[Screenshot: Infoblox profile, usable domain selection]

User Permissions Required in Infoblox

For the Avi Controller to properly select the next available IP address from available subnets and register host objects in the correct DNS zones, the user defined in the Infoblox IPAM/DNS profile must have Read/Write WAPI access to Infoblox. In the example above, the default Infoblox superuser account ‘admin’ was used. In production environments, the recommended best practice is to create a new user account that has only the minimum required access to Infoblox.

Granular access control can be defined using object-level permissions within the Infoblox permissions model for the specific DNS zones and IPAM networks that Avi will be modifying via the Infoblox WAPI. In addition, one can set the “API Only” bit as an allowed interface for configuring Infoblox so that the user cannot log into the admin UI, but is instead restricted solely to API access. In the sample screenshot shown below, a new user group called ‘limited-access-group’ and a new role called ‘limited-access’ have been created. Object-level permissions are then applied to the ‘limited-access’ role and inherited by users that are added to the ‘limited-access-group’.

[Screenshot: Infoblox permissions model]

Hint: Although API access is all that is required for Avi-to-Infoblox integration to function correctly, it is recommended that GUI access be enabled while testing so that the results of the granular, object-level permissions can be visually verified. After the desired results have been achieved, you can safely disable GUI access for the user defined in the IPAM/DNS profile.
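The following is an added example, not part of the original article or of Avi or Infoblox code: a small offline audit that checks whether the group behind the IPAM/DNS profile user matches the least-privilege setup described above (not superuser, API-only, write access scoped to specific objects). The field names (`superuser`, `access_method`, `roles`, `permission`, `object`, `resource_type`) are assumed to match the WAPI `admingroup` and `permission` objects, the group `broad-group` is hypothetical, and all sample data is constructed.

```python
# Added example: least-privilege audit of the Infoblox account used by Avi.
# Field names follow WAPI admingroup/permission objects as assumed here;
# confirm them in /wapidoc/ for your WAPI version. All data is constructed.

GROUPS = [
    {"name": "admin-group", "superuser": True,
     "access_method": ["GUI", "API"], "roles": []},
    {"name": "limited-access-group", "superuser": False,
     "access_method": ["API"], "roles": ["limited-access"]},
    {"name": "broad-group", "superuser": False,
     "access_method": ["API", "GUI"], "roles": ["broad-role"]},
]

PERMISSIONS = [
    # Scoped to one zone and one network (object references are made up).
    {"role": "limited-access", "permission": "WRITE",
     "object": "zone_auth/REF1:avi.example.com/default"},
    {"role": "limited-access", "permission": "WRITE",
     "object": "network/REF2:10.10.0.0/24/default"},
    # Not scoped: WRITE on every object of a resource type.
    {"role": "broad-role", "permission": "WRITE", "resource_type": "ZONE"},
]


def audit_group(group, permissions):
    """Return a list of least-privilege findings for one admin group."""
    findings = []
    if group.get("superuser"):
        findings.append("superuser")
    # Only API access is needed once testing is finished.
    extra = sorted(set(group.get("access_method", [])) - {"API"})
    if extra:
        findings.append("non-API access: " + ",".join(extra))
    roles = set(group.get("roles", []))
    for perm in permissions:
        if perm.get("role") not in roles and perm.get("group") != group["name"]:
            continue  # permission belongs to another role or group
        if perm.get("permission") == "WRITE" and not perm.get("object"):
            findings.append("global WRITE: " + perm.get("resource_type", "?"))
    return findings


def audit_all(groups=GROUPS, permissions=PERMISSIONS):
    """Map group name -> findings; an empty list means the group passes."""
    return {g["name"]: audit_group(g, permissions) for g in groups}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

To audit a real deployment, replace the constructed lists with the JSON returned by your Grid Master for the group and its permissions.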

Updated: 2018-01-17 11:33:44 +0000