As practitioners of network automation, we generally look for ways to decrease the mean-time-to-delivery (MTTD) of a network change while ensuring that a reliable and stable configuration is applied. Sometimes these automated changes are kicked off from a self-service portal, sometimes by periodically scanning APIs, and sometimes as part of an Infrastructure as Code (IaC) script run against one or more targets. However, any time these changes must be manually initiated, there is a delay between when the change is requested and when it is actually implemented, and that delay depends entirely on someone “kicking off” the process.

In a perfect world, we’d want this time-to-delivery to be zero. The infrastructure would be aware of applications moving on or off the network, and would implement the correct network policy automatically. Sounds pretty far-fetched. But it’s actually possible using some off-the-shelf tools available from HashiCorp, a few configuration files, and a middleware binary.

In the following scenario, we’ll use an API-enabled datacenter fabric, provided by Application Centric Infrastructure (ACI), as the target infrastructure. This solution causes the infrastructure to add applications to, or remove them from, an ACI endpoint security group (ESG). However, the change is triggered not when the application host comes up, but when the app itself is actually functioning.

How Does It All Work?

Consul-Terraform-Sync (also referred to as Network Infrastructure Automation by HashiCorp) connects several different HashiCorp tools in a way that can drive automation within a given network platform.

The automation is initiated when an application or service is brought online within the compute environment attached to the network. It registers with Consul (HashiCorp’s service discovery and liveliness application), something application developers build natively into their apps when Consul is in use within the network. Once the application is determined to be alive, a middleware binary, the Consul-Terraform-Sync application, gathers its information from Consul. The binary uses the reported information to create variables that can be referenced by a Terraform HCL file. The resulting completed HCL is applied using Terraform (which is invoked by the middleware binary) to bring our target to the desired end state (in this case, defining the application as part of an ESG).


More instances of the application will be added to the ESG automatically, as long as the application registers with Consul as part of the same service group.


Additionally, if an underlying process supporting the application fails (e.g., the nginx process supporting a web application) and the application can no longer support users, this application failure will be reflected within Consul, even though the platform hosting the application (a server, container, etc.) is still alive. These health checks can be as simple or as complex as required to fully test the application’s availability. This gives application developers complete control over what constitutes a “working” app (and when the network changes will occur to support the app).
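To make the host-alive-but-app-down case concrete, here is an added example (not code from Consul-Terraform-Sync or the DevNet repository) that models the membership decision in simplified form. The sample entries are constructed to resemble Consul's `/v1/health/service/<name>` response, and the addresses, service IDs and function names are assumptions.

```python
# Added example: which endpoints belong in the ESG, given Consul health data.
# Entries are constructed samples shaped like Consul's
# /v1/health/service/<name> response; all addresses and IDs are made up.

def entry(node, node_addr, svc_id, svc_addr, svc_status):
    """Build one constructed health entry (hypothetical helper)."""
    return {
        "Node": {"Node": node, "Address": node_addr},
        "Service": {"ID": svc_id, "Service": "web",
                    "Address": svc_addr, "Port": 80},
        "Checks": [
            # Node-level check: the host and its Consul agent are alive.
            {"CheckID": "serfHealth", "Status": "passing"},
            # Service-level check: the application itself responds.
            {"CheckID": "service:" + svc_id, "Status": svc_status},
        ],
    }

SAMPLE_HEALTH = [
    entry("host-a", "10.0.1.11", "web-1", "", "passing"),
    entry("host-b", "10.0.1.12", "web-2", "", "critical"),  # nginx down, host up
    entry("host-c", "10.0.1.13", "web-3", "10.0.2.13", "passing"),  # new instance
]

def healthy_addresses(entries):
    """Return addresses of instances whose checks are ALL passing."""
    members = set()
    for e in entries:
        checks = e.get("Checks", [])
        # Fail closed: no checks, or any non-passing check, means no membership.
        if not checks or any(c.get("Status") != "passing" for c in checks):
            continue
        # An empty service address means the instance uses the node address.
        members.add(e["Service"].get("Address") or e["Node"]["Address"])
    return members

def esg_changes(current_members, entries):
    """Return (to_add, to_remove) so the ESG matches the healthy set."""
    desired = healthy_addresses(entries)
    current = set(current_members)
    return sorted(desired - current), sorted(current - desired)

if __name__ == "__main__":
    add, remove = esg_changes({"10.0.1.11", "10.0.1.12"}, SAMPLE_HEALTH)
    print("add to ESG:", add)
    print("remove from ESG:", remove)
```

The instance on host-b is dropped from the group even though its node-level check still passes, which is the behaviour the paragraph above describes.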


Everybody Wins

By creating event-driven automation, focused on the reachability and liveliness of applications, the network can work at the speed of the application developer. And, the consistency of each change is guaranteed because the automation is bounded and templated.

  • Network teams are happy because there is no ability to introduce human error through manual configurations and application development.
  • Operations teams are happy because “it’s no longer the network.”

The end result – applications are kept secure as they are dynamically scaled across the infrastructure as needed.

How Do I Get Started?

If you’d like to play with the solution, either with your own fabric or using the ACI Reservable DevNet Sandbox, a code repository can be found in the CiscoDevNet GitHub organization.  Finally, if you’d like the in-depth details and want to follow a prescriptive path, check out this HashiCorp Consul-Terraform-Sync with ACI and ESG Learning Lab.

Seeing really is believing. So for you visual learners, I sat down with Matt and Kareem to record a Snack Minute video (below), and demonstrate how this automation and integration solution works.

Learn how to use Consul-Terraform-Sync to Automatically Provision Infrastructure.


Learn more about Cisco Application Centric Infrastructure (ACI) programmability and developer resources. If you’re looking to get started, or already using Consul-Terraform-Sync and have a question, be sure to drop me a comment below, or reach me on Twitter @qsnyder.  I’d love to hear how you’re using this in your networks!




Quinn Snyder

Senior Technical Advocate

Learning & Certifications