IPAM and DNS Provider (Infoblox)

See also: Service Discovery Using IPAM and DNS

IPAM and DNS Configuration

The Avi Controller integrates with Infoblox’s RESTful Web API (WAPI) for both IPAM and DNS services.

Note: Prior to release 17.1.2, neither a DNS-only nor an IPAM-only configuration was supported with Infoblox. Starting with release 17.1.2, DNS and IPAM can be configured independently.

These API calls are initiated by the Avi Controller and directed to the Infoblox Grid Master IP address, or virtual IP address (VIP), in the case where it has been deployed in a high-availability pair. This integration enables Avi Vantage to automate the allocation of IP addresses as well as the creation and deletion of host objects in DNS as new virtual services are created/deleted in the Avi environment.

It is assumed that all subnets and domain names (zones) of interest have already been configured on the Infoblox server for consumption by Avi Vantage. That said, when configuring Infoblox DNS and IPAM profiles, it is possible to be selective, as the next section will show.

Configuring an Infoblox DNS Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox DNS.

create an Infoblox DNS profile

Selection of Type causes the Infoblox Profile Configuration fields to appear.

  • IP address: address of the Infoblox appliance
  • Username and Password: credentials to access Infoblox
  • API Version: The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/
  • DNS view: as configured in Infoblox (the default DNS view is named “default”)

Key in fields pertaining to Infoblox DNS

Click Next.

Optionally, select a Usable domain (or domains): Pick all or a subset of the domains configured in Infoblox to be used for DNS purposes. If none is specified, all domains are available during virtual service creation.

When done selecting usable domains, click Save.

Configuring an Infoblox IPAM Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox IPAM.

As before, selection of Type causes the Infoblox Profile Configuration fields to appear.

  • IP address: address of the Infoblox appliance
  • Username and Password: credentials to access Infoblox
  • API Version: The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/
  • Network View: as configured in Infoblox (the default network view is named “default”)

Click Next.

Optionally, use the Usable Subnet pull-down menu to pick all or a subset of the networks configured in Infoblox to be used for IPAM purposes. If none is specified, all domains are available during virtual service creation.

When done selecting usable subnets, click Save.

User Permissions Required in Infoblox

For the Avi Controller to properly select the next available IP address from available subnets and register host objects in the correct DNS zones, the user defined in the Infoblox IPAM/DNS profile must have Read/Write WAPI access to Infoblox. In the example above, the default Infoblox superuser account ‘admin’ was used. In real production environments, it is a recommended best practice to create a new user account that will have the minimum required access to Infoblox.

Granular access control can be defined using object-level permissions within the Infoblox permissions model for the specific DNS zones and IPAM networks that Avi will be modifying via the Infoblox WAPI. In addition, one can set the “API Only” bit as an allowed interface for configuring Infoblox so that the user cannot log into the admin UI, but is instead restricted solely to API access. In the sample screenshot shown below, a new user group called ‘limited-access-group’ and a new role called ‘limited-access’ have been created. Object-level permissions are then applied to the ‘limited-access’ role and inherited by users that are added to the ‘limited-access-group’.

Infoblox permissions model

Hint: Although API access is all that is required for Avi-to-Infoblox integration to function correctly, it is recommended that GUI access be enabled while testing so that the results of the granular, object-level permissions can be visually verified. After the desired results have been achieved, you can safely disable GUI access for the user defined in IPAM or DNS profiles.
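The least-privilege guidance above can be checked mechanically once the group and its permissions have been exported. The following is an added example, not code from Avi or Infoblox: the record layout (superuser, access_method, permission, resource_type, object), the zone and subnet values, and the audit function are assumptions constructed for illustration and must be mapped to whatever your export actually contains.

```python
# Constructed sample data. Field names are assumptions modelled on an exported
# group/permission listing, not a documented Infoblox schema.
GROUP = {"name": "limited-access-group", "superuser": False,
         "access_method": ["API", "GUI"]}  # GUI left on from the testing phase
PERMISSIONS = [
    {"role": "limited-access", "permission": "WRITE", "object": "zone:avi.example.com"},
    {"role": "limited-access", "permission": "WRITE", "object": "network:10.10.20.0/24"},
    {"role": "limited-access", "permission": "WRITE", "resource_type": "ZONE"},  # no object: every zone
    {"role": "limited-access", "permission": "READ", "object": "network:10.10.30.0/24"},
]
# Zones and subnets selected as usable in the Avi DNS and IPAM profiles (constructed).
AVI_SCOPE = {"zone:avi.example.com", "network:10.10.20.0/24"}


def audit(group, permissions, scope):
    """Return a list of findings; an empty list means the account is scoped as intended."""
    findings = []
    if group.get("superuser"):
        findings.append("group has superuser rights; object-level permissions are moot")
    extra = sorted(set(group.get("access_method", [])) - {"API"})
    if extra:
        findings.append("non-API interfaces still enabled: " + ", ".join(extra))
    granted = set()
    for p in permissions:
        if p["permission"] != "WRITE":
            continue  # read-only grants cannot change DNS or IPAM data
        obj = p.get("object")
        if obj is None:
            findings.append("global WRITE on resource type " + p.get("resource_type", "?"))
        elif obj not in scope:
            findings.append("WRITE outside Avi scope: " + obj)
        else:
            granted.add(obj)
    for missing in sorted(scope - granted):
        findings.append("missing WRITE needed by Avi: " + missing)
    return findings


if __name__ == "__main__":
    for line in audit(GROUP, PERMISSIONS, AVI_SCOPE):
        print("FINDING:", line)
```

Run it after the testing phase described in the hint: a clean result means the account is API-only and can write only to the zones and subnets the Avi profiles use.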

Updated: 2018-01-20 12:43:08 +0000