Automation of network-wide intent verification using the Veriflow API


Humor courtesy of xkcd

Network infrastructure teams are constantly asked to support more business requirements, and do so more quickly, while maintaining high uptime. One of the most difficult aspects of meeting these needs is that the network is very complex, and engineers have no way of quickly and reliably verifying that such network changes don’t have any unintended consequences.

With this in mind, network infrastructure teams today are looking to add more automation to their networks and thus avoid costly and time-consuming manual checks that only verify a small fraction of their network functionality. Veriflow solves that need with a platform that verifies network-wide properties in a non-invasive way across the entire multi-vendor network, and it does so with mathematical rigor. This is a pioneering technology called continuous network verification.

Veriflow collects table state and configurations from routers, switches, firewalls, load balancers, cloud VPCs, and so on, and then analyzes this information to create a mathematically rigorous model of how all possible packets can flow through your network. This is model is predictive, because it can determine what would happen to any data flow, without actually looking at any traffic that’s flowing through your network. After creating this network snapshot, the platform verifies intent (for example, is a service reachable end-to-end as it should be?) in a mathematically comprehensive way.

Veriflow provides a GUI that allows our users to easily get a global view of their network, clearly visualize intent violations, search for objects and paths, and compare any two snapshots of the network, among other features. In the example below, the user entered a search query that shows what would happen to traffic attempting to flow from access layer devices in New York to an application in the primary data center.

Automating assurance of your network

As we’ve described so far, Veriflow automates collection of device state, network-wide modeling across multi-vendor devices, and verification of network-wide intent – all in a way that you can visualize and search interactively.

But as you integrate network automation into your daily workflow, you may find it convenient to query Veriflow’s model via API, so you can incorporate its capabilities into scripts and other platforms.

That’s been a key part of Veriflow’s vision from the beginning, and we built our platform from the ground up to support automation. Veriflow’s functionality is available through a REST API that enables you to run searches, intent verification, and other queries completely independently of the GUI.

Since Veriflow accesses the network devices in an out-of-band and read-only manner, and doesn’t require agents on devices, this is a low-risk way to start introducing more automation into your existing network. Next let’s take a look at a simple but powerful example of using the Veriflow API for network automation.

Rigorous network verification in a few lines of Python

One of the most common issues that has long involved manual tasks is the verification of end-to-end reachability, for example when provisioning a new part of the network or when a user files a ticket that connectivity to a service is broken. This is also arguably the most basic test – after all, the main point of a network is connectivity!

Below is a simple example in Python using the Veriflow API to automate reachability testing between a group of hosts and a server – the same query we saw in the GUI above. We’d like this script to run automatically and notify us of any problem it discovers. Posting these notifications to Slack is easy:

import json
import requests

from vfapi import Veriflow

def notify(websocket, message):
    if websocket is None:
        return
    requests.post(websocket, data=json.dumps({'text':str(message)}), headers={'content-type': 'application/json'})


if __name__ == '__main__':
    veriflow = Veriflow('192.168.33.10', 'vfapi_user', 'vfapi_password')

    resp, ui_url = veriflow.find_path('from ny-acc to prdc-acc-ap')

    if resp['num_open_paths'] == 0 or resp['num_acl_blocked_paths'] > 0:
        msg = 'Alert: reachability violation!<{}|View in Veriflow>'.format(ui_url)
        dest = 'https://hooks.slack.com/services/slack_account_URL'
        notify(dest, msg)

The heart of that code is a Veriflow path query that almost looks like natural language. The Veriflow query language also enables more complex checks than what we’ve shown here, such as for specific classes of traffic, objects, and intermediate hops in the path.

The script uses an appropriate Slack “Webhook URL” obtained from the “Incoming Webhooks” page in Slack to display the notification to the user. Of course, similar notifications can be pushed to another event management system as well.

The “find_path” function is front-ending Veriflow’s REST API. Behind the scenes, the REST version of the main query above looks like this:

https://192.168.33.10/v2/snapshots/3c69e631-e7ee-4835-9cd3-1b300b340898/find/path?query=from%20ny-acc%20to%20prdc-acc-ap

With this script running periodically (e.g., when a new snapshot of the network is posted), we’ll get a notification when it finds something interesting:

If you’d like to visualize the issue, you can follow the link to Veriflow’s GUI.

Power and simplicity together

A key to intent-based networking is that it makes it easy to describe high-level properties, even though the underlying network is complex.

With just a small change, we can modify our reachability query to alert us on a violation of network segmentation, which allows us to assure security across the network infrastructure.

query_str = 'from ny-acc to prdc-acc-db'
resp, ui_url = veriflow.find_path(query_str)
if resp['num_open_paths'] > 0:   # Alert on allowed path

These queries look so simple that it’s easy to miss how powerful they are. There can easily be hundreds or thousands of devices and paths, and millions of combinations of traffic classes along those paths, all involved in creating connectivity or the lack thereof. Checks such as those above could require weeks of manual effort examining individual device tables and configs, and even then, something might be missed.

By querying Veriflow, you can get results in sub-second time with just a few lines of Python. You can also create automated intent checks directly within the Veriflow UI, without using external scripts. Either way, we’d be happy to show you a demo

The user-friendly Veriflow API will allow your network infrastructure to take its first steps into automated network verification, moving from reactive manual tasks to proactive automated assurance. Ultimately, this move reduces the risk of incidents and frees up your team to work on higher-value projects.