Back
Lesson 2 of 5

CI/CD Pipelines for Network Changes

CI/CD Pipelines for Network Changes

Introduction

Manual network operations remain a leading cause of outages, security breaches, and revenue loss across organizations of every size. Industry research shows that over 80 percent of network problems are caused by misconfiguration, more than 15 percent of security breaches stem from cloud misconfiguration, over 9 percent of revenue can be lost from exploitable misconfigurations, and roughly 25 percent of support cases are tied directly to misconfiguration. The root causes are consistent: lack of version control, manual processes, and lack of validation and testing.

CI/CD pipelines offer a proven way to address every one of these challenges. By treating network configuration as code, committing it to version control, and automating the build, validation, and deployment lifecycle, teams consistently achieve faster configuration changes, higher change success rates, and faster adoption of new technologies. Organizations that have adopted Infrastructure as Code practices report up to five times faster configuration changes, greater than 98 percent change success rates, and two times faster implementation of new technologies.

In this lesson you will learn what CI/CD pipelines are in the context of network automation, how a pipeline is structured from code commit through deployment, the role of a Network Source of Truth, and how to apply these concepts to real-world network infrastructure including SD-WAN environments.

Key Concepts

The Automation Maturity Curve

Network automation does not happen overnight. Organizations typically move through a progression of maturity stages, each adding more value and scale.

StageDescription
Ad-hoc scriptingEngineers run one-off scripts and tools, device by device
Re-usable frameworksCentrally managed frameworks and templates accelerate delivery
CI/CD PipelinesModel-driven configuration lifecycle with service CRUD automation in one place
Workflow Automation / OptimizationBusiness-level intent, dynamic optimization based on real-time state and data analytics

Most organizations today sit in the ad-hoc scripting stage. According to market research, only 33 percent of respondents indicated that more than 25 percent of their network activities are automated. The goal of CI/CD pipelines is to move teams firmly into the model-driven automation stage, where configuration changes are repeatable, validated, and version-controlled.

Infrastructure as Code

Infrastructure as Code (IaC) is the practice of defining and managing infrastructure through declarative configuration files rather than manual CLI sessions. IaC directly solves the three core challenges of manual network operations:

Manual Operations ChallengeIaC Solution
Lack of version controlDeclarative configuration stored in source control
Manual processesDigitized, automated processes
Lack of validation and testingFull validation and testing built into every change

The concept extends into more specific domains. Network as Code applies IaC principles specifically to network infrastructure. Depending on the platform, this can encompass SD-WAN, ACI, NDFC, Catalyst Center, SDA, Meraki, ISE, and VXLAN environments, all managed through the same code-driven workflow.

Network Source of Truth

A Network Source of Truth (NSoT) defines the intended state of the network represented as structured data. It acts as a single, consistent data set and becomes the authoritative reference for the network. All automation is driven by the data in the NSoT.

An NSoT typically covers several key domains:

  • Inventory -- devices, hardware models, serial numbers
  • DCIM -- data center infrastructure management, rack layouts, power
  • IPAM -- IP address management, prefixes, VLANs
  • Configuration -- intended device configurations
  • Network Properties -- ASNs, VPNs, routing policies
  • Circuits -- WAN links, provider information

Important: Adopting an NSoT requires a significant mental shift for network engineers, moving away from describing the network in design documents and diagrams. Instead, the NSoT becomes the single authoritative reference, and its data drives all network automation.

A well-designed NSoT platform provides a comprehensive network data model, is API and integration first with support for REST, GraphQL, event streams, and webhooks, and offers massive extensibility through plugins, custom scripts, and custom fields.

Data Models and Separation of Data from Code

A data model describes the structure and format of the input data used by automation pipelines. A critical principle in CI/CD for networking is that data is separated from code. The automation logic (code) stays generic and reusable, while the network-specific values (data) are defined in structured files such as YAML.

For example, an SD-WAN data model might define prefix lists in YAML format:

sdwan:
  feature_profiles:
    policy_object_profile:
      ipv4_data_prefix_lists:
        - name: ipv4_dpl_private
          prefixes:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
      ipv6_data_prefix_lists:
        - name: ipv6_dpl_private
          prefixes:
            - fc00::/7

This separation means the same pipeline code can deploy configurations to any environment simply by changing the data files, without modifying automation logic.

How It Works

The CI/CD Pipeline Workflow

A CI/CD pipeline for network changes follows a structured, multi-stage workflow. Each stage must pass before the next one begins, providing built-in safety and validation.

SD-WAN as Code Workflow Example:

  1. Declare -- NetDevOps engineers define the desired network state in declarative configuration files (YAML, JSON, or similar). These files describe what the network should look like, not the step-by-step commands to get there.

  2. Commit and Validate -- Engineers commit changes to a source control system. Pre-change validation runs automatically to verify that the data conforms to the data model, values are within acceptable ranges, and there are no conflicts with existing configuration.

  3. Deploy and Test -- The pipeline deploys the validated configuration to the network infrastructure, optionally through the SD-WAN Manager API or equivalent controller. Post-change testing verifies that the deployment matches expected results.

  4. ITSM Approval and Governance -- Integration with IT Service Management platforms provides approval gates and governance controls before or during deployment.

Full-Stack Automated Deployment Pipeline

For larger environments, a complete IaC CI/CD pipeline extends across the entire infrastructure stack. Here is how a seven-stage pipeline operates:

StageActionDescription
1Deploy fabricProvision the network fabric (e.g., ACI)
2Deploy bare metal hostsProvision physical servers and compute
3Validate against expected resultsAutomated tests confirm deployment matches intent
4Deploy VMs and applicationsProvision virtual machines and application workloads
5Validate against expected resultsSecond validation confirms application-layer health
6Full-stack visibilityMonitoring confirms end-to-end health across infrastructure
7Compliance checkAutomated compliance verification against policies

The pipeline engine orchestrates every stage. Source code is stored in version control, and the pipeline engine triggers each step automatically on commit. If any validation stage fails, the pipeline halts and engineers are notified before a bad change reaches production.

Best Practice: Always include at least two validation stages in your pipeline -- one after infrastructure deployment and one after application deployment. This layered approach catches issues at the earliest possible point.

The Role of Source Control

Source control is the foundation of every CI/CD pipeline. Every configuration change is tracked, versioned, and auditable. If a deployment causes problems, engineers can instantly roll back to a previous known-good state. This directly eliminates the "lack of version control" problem that plagues manual network operations.

Configuration Example

Defining Network Data for a Pipeline

The first step in any CI/CD pipeline is defining the intended state as structured data. Below is an example of declaring IPv4 and IPv6 prefix lists for an SD-WAN policy object profile:

sdwan:
  feature_profiles:
    policy_object_profile:
      ipv4_data_prefix_lists:
        - name: ipv4_dpl_private
          prefixes:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
      ipv6_data_prefix_lists:
        - name: ipv6_dpl_private
          prefixes:
            - fc00::/7
  • The sdwan key is the top-level identifier for the SD-WAN domain.
  • feature_profiles groups all feature-level configurations.
  • policy_object_profile contains reusable policy objects such as prefix lists.
  • Each prefix list has a name and a list of prefixes in CIDR notation.
  • The ipv4_dpl_private list covers RFC 1918 private address space: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
  • The ipv6_dpl_private list covers unique local addresses: fc00::/7.

This data file is committed to source control. When the pipeline runs, automation code reads this file, validates the structure, and pushes the configuration to the SD-WAN Manager API for deployment.

Pipeline Stage Validation

After deployment, the pipeline validates results automatically. A validation stage checks that the deployed configuration matches the declared intent. If the prefix lists above were deployed, the validation stage would confirm that exactly three IPv4 prefixes and one IPv6 prefix exist in the policy object profile, with the correct CIDR values.

Note: Pre-change validation catches syntax and structural errors before deployment. Post-change testing confirms the network actually matches the intended state. Both are essential for achieving that greater than 98 percent change success rate.

Real-World Application

When to Use CI/CD Pipelines for Network Changes

CI/CD pipelines are most valuable in environments where:

  • Frequent changes are required across multiple devices or sites
  • Consistency is critical -- the same configuration must be applied identically across dozens or hundreds of locations
  • Compliance and audit requirements demand a full history of who changed what, when, and why
  • Multiple teams collaborate on network infrastructure and need a controlled process to avoid conflicts
  • Rollback capability is essential for minimizing the blast radius of failed changes

Common Deployment Scenarios

  • SD-WAN deployments -- Managing feature profiles, policy objects, and device templates across branch offices using declarative YAML files and controller APIs
  • Data center fabric automation -- Deploying and validating fabric configurations, then layering compute and application workloads on top with full-stack visibility
  • Cross-domain automation -- A single pipeline that spans switching, routing, firewalls, and controllers, validating each domain before proceeding to the next

Design Considerations

  • Start with a Network Source of Truth. Your pipeline is only as good as the data that feeds it. Invest time in building a comprehensive, accurate NSoT before building pipeline automation.
  • Separate data from code. Keep network-specific values in YAML or JSON data files and keep automation logic in reusable scripts and playbooks. This makes your pipelines portable and maintainable.
  • Include governance gates. Integrate ITSM approval workflows into your pipeline so that changes go through proper change management before reaching production.
  • Validate at every stage. Never skip validation. Automated pre-change and post-change testing is what separates a reliable pipeline from a risky script.
  • Build incrementally. Move through the automation maturity curve step by step. Start with ad-hoc scripts, graduate to reusable frameworks, then build full CI/CD pipelines.

Summary

  • Manual network operations are the leading cause of misconfiguration, responsible for over 80 percent of network problems, yet only 33 percent of organizations automate more than a quarter of their network activities.
  • Infrastructure as Code solves the core challenges of manual operations by introducing declarative configuration, digitized processes, and full validation and testing, delivering up to five times faster changes and greater than 98 percent success rates.
  • A Network Source of Truth is the authoritative, structured data set that defines the intended state of the network and drives all automation.
  • CI/CD pipelines follow a structured workflow: declare the intended state, commit and validate, deploy and test, with governance gates throughout. Separating data from code keeps pipelines reusable and maintainable.
  • Full-stack pipelines extend across fabric, compute, applications, monitoring, and compliance, with validation stages after each layer to catch issues early.

Next, continue building your automation skills by exploring workflow automation and optimization, where business-level intent and real-time analytics drive dynamic network changes beyond what static pipelines can achieve.

Practice with Hands-On Labs

30 step-by-step labs for CCNA, CCNP Enterprise & Security