IPAM and DNS Provider (Infoblox)

IPAM and DNS Configuration

The Avi Controller integrates with Infoblox’s RESTful Web API (WAPI) for both IPAM and DNS services.

These API calls are initiated by the Avi Controller and directed to the Infoblox Grid Master IP address, or virtual IP address (VIP), in the case where it has been deployed in a high-availability pair. This integration enables Avi Vantage to automate the allocation of IP addresses as well as the creation and deletion of host objects in DNS as new virtual services are created/deleted in the Avi environment.

It is assumed that all subnets and domain names (zones) of interest have been configured in the Infoblox server for consumption by Avi Vantage. That said, when configuring Infoblox DNS and IPAM profiles, it is possible to be selective, as the next section shows.

Single and Combined Use of Infoblox IPAM and DNS

A restriction on the use of Infoblox as a provider of IPAM and DNS changed with Avi Vantage 18.2.5.

For Releases Prior to 18.2.5

Prior to 18.2.5, choosing Infoblox as the IPAM provider forces one to choose Infoblox as the DNS provider, and conversely. For a given cloud, the permitted Infoblox combinations are those shown in the table below. Note that if Infoblox is chosen as the IPAM provider, the only DNS provider that may be chosen is Infoblox DNS.

IPAM Provider    DNS Provider
Infoblox IPAM    none
none             Infoblox DNS
Infoblox IPAM    Infoblox DNS

For Releases 18.2.5+

Starting with Avi Vantage 18.2.5, Infoblox IPAM and Infoblox DNS profiles may be independently defined and configured. For a given cloud, the permitted Infoblox combinations are those shown in the table below.

IPAM Provider    DNS Provider
Infoblox IPAM    none, Infoblox DNS, or Avi Vantage internal
any              Infoblox DNS

Configuring an Infoblox DNS Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox DNS.

Key in fields pertaining to Infoblox DNS

Selection of Type causes the Infoblox Profile Configuration fields to appear.

Infoblox Profile Configuration

  • Credentials

    • IP address — Specify the IP address of the Infoblox appliance.
    • Username and Password — Specify the credentials to access Infoblox.
    • DNS view — Specify DNS view as configured in Infoblox (the default DNS view is named “default”).

    The Infoblox DNS profile editor otherwise behaves like the IPAM profile editor, except that the user chooses usable domains rather than subnets.

  • Settings

    • WAPI Version — The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/.
    • Usable Domain — From the drop-down list, select all or a subset of the domains configured in Infoblox to be used for DNS purposes. If none is specified, all domains are available during virtual service creation.

After specifying the necessary details, click on Save.

Configuring an Infoblox IPAM Profile on Avi Controller

Navigate to Templates > IPAM/DNS Profiles and click the Create button to begin. Name the profile. From the Type pull-down menu, select Infoblox IPAM.


As before, selection of Type causes the Infoblox Profile Configuration fields to appear.

Infoblox Profile Configuration

  • Credentials

    • IP address — Specify the address of the Infoblox appliance.
    • Username and Password — Specify the credentials to access Infoblox.
    • Network View — Specify network view as configured in Infoblox (the default network view is named “default”).
  • Settings

    • WAPI Version — The WAPI version is independent of the version of the Infoblox appliance’s operating system, known as NIOS. To determine the API version being used by Infoblox, access the following URI on the Infoblox Grid Master: https:///wapidoc/.

    • Usable Subnet — Select the usable subnet from the drop-down list to pick all or a subset of the networks configured in Infoblox to be used for IPAM purposes. If none is specified, all networks are available during virtual service creation.

      Starting with Avi Vantage version 18.2.8, you can add IPv6 and IPv4 subnet details by clicking on Add Usable Subnet option. The following screen is displayed:

      usable subnets

      You can populate a v4 subnet, a v6 subnet, or both on each row. If both a v4 and a v6 subnet are populated on a given row, they are paired up for VIP allocation. For instance, if a VIP needs both v4 and v6 addresses, you must specify both v4 and v6 details on the same row.

      Note: The v4 and v6 subnets on a row must belong to the same underlying port-group/VLAN; otherwise virtual service traffic will fail.

      If you do not specify any value, then all networks will be available during virtual service creation.

  • Extensible Attributes

    Starting with Avi Vantage version 18.2.8, you can send extensible attributes in the request data when requesting an IP from Infoblox. You enter these attributes as key/value pairs in the Infoblox profile.


    • Name — Specify the name of the extensible attribute as defined in Infoblox.
    • Value — Specify the value to send for that attribute.

    For instance, you can enter Tenant ID and avi-tenant in the Name and Value fields respectively. Similarly, another pair of extensible attributes can be Cloud API Owned and False, and so on.

After specifying the necessary details, click on Save.
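As an added example (not Avi Vantage or Infoblox code), the following Python assembles the WAPI record:host request that a client such as the controller would send using the profile settings above: the network view, DNS view, a usable-subnet row (v4, v6, or a paired row), and extensible attributes in the shape WAPI expects. The Grid Master address, WAPI version, subnets, domain and attribute values are constructed placeholders.

```python
import ipaddress
import json

WAPI_VERSION = "2.7"                 # assumed; confirm at https://<grid-master>/wapidoc/
GRID_MASTER = "gm.example.internal"  # constructed placeholder for the Grid Master (or HA VIP)

# Rows of the profile's "Usable Subnet" table: v4 only, v6 only, or a paired v4/v6 row.
USABLE_SUBNETS = [
    {"v4": "10.10.20.0/24", "v6": None},
    {"v4": "10.10.30.0/24", "v6": "2001:db8:30::/64"},  # paired row for dual-stack VIPs
]
USABLE_DOMAINS = ["apps.example.internal"]          # from the DNS profile (constructed)
EXTENSIBLE_ATTRIBUTES = {"Tenant ID": "avi-tenant", "Cloud API Owned": "False"}

def select_subnet_row(rows, need_v4, need_v6):
    """First row that can serve the requested address families; a dual-stack
    VIP needs a row where both v4 and v6 are populated."""
    for row in rows:
        if (not need_v4 or row["v4"]) and (not need_v6 or row["v6"]):
            return row
    raise LookupError("no usable subnet row satisfies the requested address families")

def host_record_payload(fqdn, network_view, dns_view, need_v4=True, need_v6=False):
    """Body for POST .../record:host. 'func:nextavailableip:<network>,<network view>'
    makes Infoblox choose the address; extensible attributes use {name: {"value": ...}}."""
    if not any(fqdn.endswith("." + d) for d in USABLE_DOMAINS):
        raise ValueError(f"{fqdn} is outside the profile's usable domains")
    row = select_subnet_row(USABLE_SUBNETS, need_v4, need_v6)
    body = {
        "name": fqdn,
        "view": dns_view,
        "extattrs": {k: {"value": v} for k, v in EXTENSIBLE_ATTRIBUTES.items()},
    }
    if need_v4:
        ipaddress.ip_network(row["v4"])  # reject a malformed profile entry before it reaches Infoblox
        body["ipv4addrs"] = [{"ipv4addr": f"func:nextavailableip:{row['v4']},{network_view}"}]
    if need_v6:
        ipaddress.ip_network(row["v6"])
        body["ipv6addrs"] = [{"ipv6addr": f"func:nextavailableip:{row['v6']},{network_view}"}]
    return body

def wapi_url(obj_type):
    # The WAPI version in the path is the one set in the profile's "WAPI Version" field.
    return f"https://{GRID_MASTER}/wapi/v{WAPI_VERSION}/{obj_type}"

if __name__ == "__main__":
    payload = host_record_payload("vs1.apps.example.internal", "default", "default", need_v6=True)
    print("POST", wapi_url("record:host"))
    print(json.dumps(payload, indent=2))
```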

Credential Verification and Infoblox Network/Domain Selection (18.2.6+)

Starting with release 18.2.6, when configuring/editing Infoblox DNS or IPAM profiles, Avi Vantage first verifies credentials.

Note: This verification is only applied to Infoblox and Azure profiles.

In addition, for Infoblox, the list of input fields for usable subnets (IPAM profile) and usable domains (DNS profile) has been changed with 18.2.6 to be a list of drop-downs, the options for which are fetched from Infoblox grid after a successful connection has been made to it.

Configuring an Infoblox IPAM Profile (18.2.6+)

The below screenshot illustrates Avi Vantage’s behavior when incorrect credentials have been entered and the Connect button has been clicked.

Screenshot: Connect attempted with incorrect credentials

Now suppose valid credentials have been entered, followed by a click of the Connect button (not illustrated). A new screen is displayed, confirming that the entered credentials are correct, and the Connect button changes to a Change Credentials button so that the user can modify the credentials later. The screen below illustrates what appears after such a successful connection has been made.

User Permissions Required in Infoblox

For the Avi Controller to properly select the next available IP address from available subnets and register host objects in the correct DNS zones, the user defined in the Infoblox IPAM/DNS profile must have Read/Write WAPI access to Infoblox. In the example above, the default Infoblox superuser account ‘admin’ was used. In real production environments, it is a recommended best practice to create a new user account that will have the minimum required access to Infoblox.

Granular access control can be defined using object-level permissions within the Infoblox permissions model for the specific DNS zones and IPAM networks that Avi will be modifying via the Infoblox WAPI. In addition, one can set the “API Only” bit as the allowed interface for the user so that the user cannot log into the admin UI and is instead restricted solely to API access. In the sample screenshot shown below, a new user group called ‘limited-access-group’ and a new role called ‘limited-access’ have been created. Object-level permissions are then applied to the ‘limited-access’ role and inherited by users that are added to the ‘limited-access-group’.

Infoblox permissions model

Note: Although API access is all that is required for Avi-to-Infoblox integration to function correctly, it is recommended that Avi UI access be enabled while testing so that the results of the granular, object-level permissions can be visually verified. After the desired results have been achieved, you can safely disable UI access for the user defined in IPAM or DNS profiles.

Additional References

Service Discovery Using IPAM and DNS