Although no two devices in a network will have identical configurations, they also shouldn’t be completely unique. To ensure the security and consistent operations of devices in a network, most configurations can be standardized.

Some configuration elements that can and should be standardized include DNS servers, NTP servers, routing protocols, QoS policies, AAA servers, security policies, and logging and monitoring settings.

Maintaining consistent configurations according to organizational standards is essential for the security and reliability of the network.

It’s common for network configurations to gradually diverge from standards due to human error, differing interpretations of the standards, and small ad hoc changes that accumulate over time. This is called configuration drift.

Configuration drift can pose significant challenges to network security and operational efficiency but is almost inevitable when managing a large and complex network manually.

Configuration management tools use software to automate various tasks related to configuration management, from deploying initial configurations and configuration changes to enforcing configuration standards.

Configuration management tools manage device configuration from centralized servers instead of on the devices themselves.

Configuration files are stored on the server, and the configuration management server is responsible for applying any changes to the appropriate devices.

Configuration management tools employ configuration templates that define the desired state and structure of device configurations using a standardized format and variables that store specific values unique to each device.

Configuration management tools can also monitor managed devices to enforce conformity to the standards defined in the configuration files on the server.

Ansible is a configuration management tool written in Python. One of its defining features is that it is agentless, meaning it doesn’t require any special software (an agent) to run on the managed devices.

The Ansible control node—a server on which you have installed Ansible—uses SSH to connect to managed devices and configure them.

Ansible uses a push model. Instead of managed devices connecting to and pulling configuration information from the control node, the control node connects to and pushes configurations to the managed devices.

Ansible uses four main types of files:

• Inventory—A YAML file that lists the managed hosts

• Template—Jinja2 files containing configuration syntax and variables that are processed to produce final configuration files for hosts

• Variables—YAML files that list variables and their values

• Playbook—A YAML file that outlines tasks and procedures to manage configuration on the managed devices

Two other key terms are module—a discrete unit of code that can be used by a playbook to perform a specific task—and task—a single operation or action as defined in a playbook.

Terraform is an infrastructure as code (IaC) tool developed by Hashicorp. Whereas Ansible is primarily focused on configuration management, Terraform is primarily a provisioning tool, focused on deploying and provisioning new infrastructure.

Like Ansible, Terraform uses a push model and also doesn’t require a software agent to be installed on the devices it provisions or manages; it takes an agentless approach.

Terraform Core is the central part of Terraform that processes configuration files, manages the state of the infrastructure, and communicates with various providers to provision resources.

Terraform employs a declarative approach in which you define the desired end state for the infrastructure using configuration files rather than specifying the step-by-step instructions for how to achieve that desired state.

Terraform Core compares the desired end state defined in the configuration files to the current state in the Terraform state file and takes the necessary steps to bring the infrastructure in line with the desired end state.

Terraform is written in the programming language Go, but defines and provisions infrastructure using a language called HashiCorp Configuration Language (HCL). HCL is an example of a domain-specific language (DSL)—a type of computer language that is specialized to a particular purpose.

Puppet and Chef are two other prominent IaC tools that, like Ansible, are primarily used for the purpose of configuration management. Puppet and Chef are both written in Ruby.

In contrast to Ansible and Terraform’s push model, Puppet and Chef primarily use a pull model in which the managed devices connect to the management server to retrieve their configurations.

Whereas Ansible and Terraform use an agentless architecture, Puppet and Chef use an agent-based architecture. A software agent must be installed on managed devices.

Like Terraform, Puppet uses a declarative DSL called Puppet DSL to define the desired state of the infrastructure.