IPAM and DNS Provider (Infoblox)

See also: Service Discovery Using IPAM and DNS

IPAM and DNS Configuration

The Avi Controller integrates with Infoblox’s RESTful Web API (WAPI) for both IPAM and DNS services.

These API calls are initiated by the Avi Controller and directed to the Infoblox Grid Master IP address, or virtual IP address (VIP), in the case where it has been deployed in a high-availability pair. This integration enables Avi Vantage to automate the allocation of IP addresses as well as the creation and deletion of host objects in DNS as new virtual services are created/deleted in the Avi environment.

It is assumed that all subnets and domain names (zones) of interest have been configured on the Infoblox server for consumption by Avi Vantage. That said, when configuring Infoblox DNS and IPAM profiles, it is possible to be selective, as the next section will show.

Single and Combined Use of Infoblox IPAM and DNS

A restriction on the use of Infoblox as a provider of IPAM and DNS changes with Avi Vantage 18.2.5.

For Releases Prior to 18.2.5

Prior to 18.2.5, choosing Infoblox as the IPAM provider forces one to choose Infoblox as the DNS provider, and conversely. For a given cloud, the permitted Infoblox combinations are those shown in the table below. Note that if Infoblox is chosen as the IPAM provider, the only DNS provider that may be chosen is Infoblox DNS.

IPAM Provider  | DNS Provider
Infoblox IPAM  | none
none           | Infoblox DNS
Infoblox IPAM  | Infoblox DNS

For Releases 18.2.5+

Starting with Avi Vantage 18.2.5, Infoblox IPAM and Infoblox DNS profiles may be independently defined and configured. For a given cloud, the permitted Infoblox combinations are those shown in the table below.

IPAM Provider  | DNS Provider
Infoblox IPAM  | none, Infoblox DNS, Avi Vantage internal
any            | Infoblox DNS

Configuring an Infoblox DNS Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox DNS.

[Figure: Create an Infoblox DNS profile]

Selection of Type causes the Infoblox Profile Configuration fields to appear.

Infoblox Profile Configuration

  • Credentials

    • IP address — Specify the IP address of the Infoblox appliance.
    • Username and Password — Specify the credentials to access Infoblox.
    • DNS view — Specify DNS view as configured in Infoblox (the default DNS view is named “default”).
  • Settings

    • WAPI Version — The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/.
    • Usable Domain — Select all or a subset of the domains configured in Infoblox to be used for DNS purposes from the drop-down list. If none is specified, all domains are available during virtual service creation.

[Figure: Key in fields pertaining to Infoblox DNS]

After specifying the necessary details, click on Save.

Configuring an Infoblox IPAM Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox IPAM.

As before, selection of Type causes the Infoblox Profile Configuration fields to appear.

Infoblox Profile Configuration

  • Credentials

    • IP address — Specify the address of the Infoblox appliance.
    • Username and Password — Specify the credentials to access Infoblox.
    • Network View — Specify network view as configured in Infoblox (the default network view is named “default”).
  • Settings

    • WAPI Version — The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/
    • Usable Subnet — Select the usable subnet from the drop-down list to pick all or a subset of the networks configured in Infoblox to be used for IPAM purposes. If none is specified, all networks are available during virtual service creation.


After specifying the necessary details, click on Save.

Credential Verification and Infoblox Network/Domain Selection (18.2.6+)

Starting with release 18.2.6, when configuring/editing Infoblox DNS or IPAM profiles, Avi Vantage first verifies credentials.

Note: This verification is only applied to Infoblox and Azure profiles.

In addition, for Infoblox, the input fields for usable subnets (IPAM profile) and usable domains (DNS profile) have been changed with 18.2.6 to be drop-down lists, the options for which are fetched from the Infoblox Grid after a successful connection has been made to it.

Configuring an Infoblox IPAM Profile (18.2.6+)

Three fields that are required but not yet entered are indicated by red rectangles below:


The below illustrates Avi Vantage’s behavior when incorrect credentials have been entered and the Connect button has been clicked.


Imagine that valid credentials have been entered, followed by a click of the Connect button (not illustrated). The user would be presented with a new screen, confirming the entered credentials are correct. The Connect button would change to a Change Credentials button, enabling the user to make a change in credentials. The below screen illustrates what appears after such a successful change has been made.

Note: Although a list of subnetworks has been fetched, a Usable Subnet field does not yet appear. To make it appear, the user must first click upon the green Add Usable Subnet text.


The below illustrates yet another use case. The user wishes to edit a pre-existing profile, one to which a subnet has been associated. S/he wants to change the value in the WAPI Version field from 2.0 to 2.7. Because a password has not yet been entered, neither the Connect nor the Save button has turned green. After entering the password, the user would have the choice to click either. Assuming the password is correct, there would be no requirement to first click on Connect; a correct password followed by a click on Save would be all that is needed.


Configuring an Infoblox DNS Profile (18.2.6+)

The Infoblox DNS Profile editor behaves in similar fashion, except that the user chooses usable domains, as opposed to subnetworks.


User Permissions Required in Infoblox

For the Avi Controller to properly select the next available IP address from available subnets and register host objects in the correct DNS zones, the user defined in the Infoblox IPAM/DNS profile must have Read/Write WAPI access to Infoblox. In the example above, the default Infoblox superuser account ‘admin’ was used. In real production environments, it is a recommended best practice to create a new user account that will have the minimum required access to Infoblox.

Granular access control can be defined using object-level permissions within the Infoblox permissions model for the specific DNS zones and IPAM networks that Avi will be modifying via the Infoblox WAPI. In addition, one can set the “API Only” bit as an allowed interface for configuring Infoblox so that the user cannot log into the admin UI, but is instead restricted solely to API access. In the sample screenshot shown below, a new user group called ‘limited-access-group’ and a new role called ‘limited-access’ have been created. Object-level permissions are then applied to the ‘limited-access’ role and inherited by users that are added to the ‘limited-access-group’.

[Figure: Infoblox permissions model]

Hint: Although API access is all that is required for Avi-to-Infoblox integration to function correctly, it is recommended that Avi UI access be enabled while testing so that the results of the granular, object-level permissions can be visually verified. After the desired results have been achieved, you can safely disable UI access for the user defined in IPAM or DNS profiles.
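The following is an added example, not taken from Avi or Infoblox documentation, of auditing the account used in the profile against the least-privilege guidance above. It assumes the group and permission records have already been exported from Infoblox as dictionaries shaped like the WAPI admingroup and permission objects; the function name, the simplified object references and all sample values are constructed for illustration.

```python
# Added example: least-privilege audit of the Infoblox account used by Avi.
# Record shapes follow the WAPI "admingroup" and "permission" objects; the
# object references are simplified and every sample value is constructed.

def audit_avi_account(group, permissions, allowed_objects):
    """Return findings for the admin group behind the Avi IPAM/DNS profile.

    allowed_objects: the zones and networks Avi is expected to modify.
    """
    findings = []
    if group.get("superuser"):
        findings.append("group is superuser: full access regardless of object permissions")
    extra = set(group.get("access_method", [])) - {"API"}
    if extra:
        findings.append("non-API interfaces enabled: " + ", ".join(sorted(extra)))

    # Permissions apply to the group directly or through its roles.
    principals = {group["name"], *group.get("roles", [])}
    granted = set()
    for perm in permissions:
        if perm.get("group", perm.get("role")) not in principals:
            continue
        if perm["permission"] != "WRITE":
            continue
        obj = perm.get("object")
        if obj is None:  # no object: the grant covers every object of that type
            findings.append(f"global WRITE on all {perm.get('resource_type')} objects")
        elif obj not in allowed_objects:
            findings.append(f"WRITE outside Avi scope: {obj}")
        else:
            granted.add(obj)
    for missing in sorted(allowed_objects - granted):
        findings.append(f"missing WRITE on required object: {missing}")
    return findings

SAMPLE_GROUP = {"name": "limited-access-group", "superuser": False,
                "access_method": ["API", "GUI"], "roles": ["limited-access"]}
SAMPLE_PERMISSIONS = [
    {"role": "limited-access", "permission": "WRITE", "object": "zone_auth/avi.example.com"},
    {"role": "limited-access", "permission": "WRITE", "object": "network/10.10.0.0/24"},
    {"role": "limited-access", "permission": "WRITE", "resource_type": "ZONE"},
    {"role": "other-role", "permission": "WRITE", "object": "network/192.0.2.0/24"},
]
ALLOWED = {"zone_auth/avi.example.com", "network/10.10.0.0/24", "network/10.10.1.0/24"}

if __name__ == "__main__":
    for finding in audit_avi_account(SAMPLE_GROUP, SAMPLE_PERMISSIONS, ALLOWED):
        print(finding)
```

On the constructed sample the audit reports the GUI interface left enabled from testing, a global zone grant that is broader than the profile needs, and a usable subnet the account cannot yet write to.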