netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0
16.15k stars 2.58k forks

Add "consumers" to service objects in IPAM #9899

Closed empusas closed 2 years ago

empusas commented 2 years ago

NetBox version

v3.4

Feature type

Change to existing functionality

Proposed functionality

I was struggling with the IPAM/Services for a while. But meanwhile I think it is really useful. You can get the data from FW logs, via ansible/netstat or from nmap/nessus scans. I think what would be a really useful addition would be to add a "consumer" list field to the service object. That way we could also track who is using this service, at least what IP addresses.

Use case

Quite often there is a demand to identify the affected services or accounts if a system goes down (for maintenance or other reasons). There are a few commercial products that try to address this, like a module for Service Now. I think there are many use cases, from my experience quite often FW logs and other data sources get analyzed to figure out the communication relations between IT systems. Also from my experience this is often done only in case of actual need, not proactively and also often not stored/updated anywhere.

Database changes

There are two viable options to enhance the service object.

  1. Would be to create a ManyToMany relation with IP addresses. That would require that all sources that use the service are created in Netbox. An automation to populate the "consumers" list would have to handle that an unknown source will be created.
  2. PostgreSQL offers the Array field. That would allow storing a list of IP addresses/hostnames in String format.

External dependencies

No response
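The feature request above mentions deriving consumers from firewall logs and notes that an automation would have to cope with sources that are not yet in NetBox. The following is an added example, not NetBox's own code or anything from this issue: it parses a constructed, vendor-neutral `key=value` log format, groups allowed flows into services keyed by (destination, protocol, port), and splits each service's consumers into addresses that already exist in a constructed IPAM inventory (`KNOWN_ADDRESSES`) and addresses that would first have to be created under option 1. The log format, the inventory set and the function names are all assumptions made for this example.

```python
"""
Added example (not NetBox code): derive service "consumers" from
firewall logs and sort them into known and unknown sources, which is
the case an automation would have to handle under option 1 (a
ManyToMany relation to existing IPAddress objects).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a simple "key=value" format. This is
# an assumption for the example, not any particular firewall's format.
SAMPLE_LOG = """\
action=allow src=10.0.1.15 dst=10.0.2.40 proto=tcp dport=443
action=allow src=10.0.1.16 dst=10.0.2.40 proto=tcp dport=443
action=allow src=192.0.2.77 dst=10.0.2.40 proto=tcp dport=443
action=allow src=10.0.1.15 dst=10.0.2.41 proto=udp dport=53
action=deny src=198.51.100.9 dst=10.0.2.40 proto=tcp dport=22
action=allow src=10.0.1.15 dst=10.0.2.40 proto=tcp dport=443
"""

# Constructed stand-in for the IP addresses already present in the IPAM.
KNOWN_ADDRESSES = {"10.0.1.15", "10.0.1.16", "10.0.2.40", "10.0.2.41"}

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Validate both endpoints so a malformed line never reaches the inventory;
    # ipaddress.ip_address raises ValueError on anything that is not an IP.
    ipaddress.ip_address(rec["src"])
    ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def consumers_by_service(log_text, known_addresses):
    """
    Map each service (dst, proto, port) seen in allowed traffic to its
    consumers, split into addresses already in IPAM and unknown ones.
    Denied flows are skipped: a blocked attempt is not a consumer.
    """
    result = defaultdict(lambda: {"known": set(), "unknown": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        key = (rec["dst"], rec["proto"], rec["dport"])
        bucket = "known" if rec["src"] in known_addresses else "unknown"
        result[key][bucket].add(rec["src"])
    # Return sorted lists so the output is stable and easy to diff.
    return {k: {b: sorted(v) for b, v in d.items()} for k, d in result.items()}


if __name__ == "__main__":
    for svc, cons in consumers_by_service(SAMPLE_LOG, KNOWN_ADDRESSES).items():
        dst, proto, port = svc
        print(f"{dst} {proto}/{port}: known={cons['known']} unknown={cons['unknown']}")
```

The `unknown` bucket is exactly the set an importer would have to create (or reject) before it could link consumers through a ManyToMany relation; under option 2 (an array of strings) the same addresses could be stored as-is, at the cost of no referential link back to IPAM objects.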

bluikko commented 2 years ago

I think this feature could open up interesting use cases, such as generating firewall configuration from NetBox data.

empusas commented 2 years ago

I was more thinking in the other direction, to document what is going on in brownfield environments. I did many data center migrations in my career and there was never a reliable documentation about the communication between systems. I assume that many migrate to cloud now and have the same problem. Then such documentation could indeed be used to create new firewall rules in the target environment and check routing etc.

bluikko commented 2 years ago

It seems that Nautobot has implemented this (and the firewall config side of it). They seem to have a plug-in "application dictionary" that implements all of it. I wonder if any of that is usable, or they have some restrictive license on it.

jeremystretch commented 2 years ago

This sounds like the sort of thing that would best be implemented as a plugin. Maybe you'd be interested in developing something as a proof of concept. As a core feature though I'm afraid this is far too vague for us to take on.