38. Network source of truth (Nautobot)
Connect your network’s source of truth, then let Daalu detect drift and write fixes back — through proposals, never silently.
If you operate a real network, Nautobot is probably already your source of truth. This chapter covers how to connect it and what you get once it’s in.
Two paths: bring your own Nautobot (BYO), or let Daalu host one for you — a dedicated, fully isolated instance with its own database, its own admin user, and its own URL at <your-slug>.sot.daalu.io. The hosted path is not a shared Nautobot with logical tenancy; every customer gets a separate stack. And if you’ve enrolled a federation tunnel for your cluster, you can ask for that Nautobot to run inside your own cluster, so your network inventory sits at rest on storage you control.
At a glance
| What it connects | Nautobot — devices, interfaces, IPAM, tags, custom fields; the basis for drift detection |
| Auth model | Nautobot API token (read+write recommended); reachable directly over HTTPS or through a federation tunnel |
| Where to set it up | Managed Infra → Source of Truth → Add → Nautobot |
What you need
- A Nautobot installation reachable from Daalu — either directly over HTTPS, or through a federation tunnel if it lives behind your firewall.
- A Nautobot API token with read+write on the models Daalu uses: dcim.device, dcim.interface, ipam.ip_address, extras.tag. Read-only works but limits Daalu’s ability to write back.
- A Daalu admin role to configure the integration.
Setup
- Managed Infra → Source of Truth → Add → Nautobot.
- Enter:
  - Base URL — e.g. https://nautobot.acme.io.
  - API token — paste it.
  - Friendly name — for your reference.
  - Reachable via federation tunnel? — tick if Daalu can’t hit it directly.
- Daalu probes Nautobot with GET /api/dcim/devices/?limit=1. On a 200, the integration goes green.
- Daalu kicks off the initial inventory sync. Depending on fleet size, this takes 30 seconds to 10 minutes.
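The probe above only tells you the token authenticates against one endpoint; a token that passes it can still 403 on the other models Daalu syncs. The script below is an added example (not Daalu's or Nautobot's own code) that runs the same `?limit=1` probe against each of the four models from "What you need" and classifies the result the way the Troubleshooting section does, so you can run it before pasting the token into Daalu. It assumes Nautobot's REST layout (`/api/<app>/<model>/`) and its `Authorization: Token <token>` header; the `send` parameter is a hypothetical hook that lets the check run offline in a test.

```python
"""Preflight check for a Nautobot API token before adding it to Daalu.

Added example, not Daalu's or Nautobot's own code. Assumes the Nautobot
REST API layout (/api/<app>/<model>/) and its "Authorization: Token <token>"
header. The `send` parameter is a hypothetical hook so the check can be
exercised offline with a fake transport.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# The probe Daalu runs on save (devices), plus the other models it syncs.
REQUIRED_ENDPOINTS = (
    "/api/dcim/devices/",        # dcim.device
    "/api/dcim/interfaces/",     # dcim.interface
    "/api/ipam/ip-addresses/",   # ipam.ip_address
    "/api/extras/tags/",         # extras.tag
)

# Mirrors the Troubleshooting list: HTTP status -> what to tell the operator.
STATUS_HINTS = {
    401: "token wrong or revoked",
    403: "token's user lacks read permission on this object type",
}


def default_send(url, token, timeout=10):
    """Real transport: GET the URL with the token, return the HTTP status."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def preflight(base_url, token, send=default_send):
    """Probe every required endpoint with ?limit=1 and classify the outcome.

    Returns {endpoint: "ok" | hint}. The integration can only go green when
    every entry is "ok"; a 403 on one model means the token authenticates
    but its user is missing a permission on that model.
    """
    base = base_url.rstrip("/")
    results = {}
    for path in REQUIRED_ENDPOINTS:
        status = send(f"{base}{path}?limit=1", token)
        if status == 200:
            results[path] = "ok"
        else:
            results[path] = STATUS_HINTS.get(status, f"unexpected HTTP {status}")
    return results


def all_green(results):
    """True only when every required model answered 200."""
    return all(v == "ok" for v in results.values())


if __name__ == "__main__":
    # Placeholder defaults; set NAUTOBOT_URL and NAUTOBOT_TOKEN to run for real.
    url = os.environ.get("NAUTOBOT_URL", "https://nautobot.example.invalid")
    tok = os.environ.get("NAUTOBOT_TOKEN", "")
    out = preflight(url, tok)
    print(json.dumps(out, indent=2))
    sys.exit(0 if all_green(out) else 1)
```

A non-zero exit with a single 403 entry is the case worth catching here: the integration would still pass Daalu's devices-only probe and then fail partway through the initial sync.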
What gets imported
After the initial sync, Daalu has a mirror of:
- Sites — each as a record.
- Devices — hostname, vendor, model, role, site, serial, asset tag.
- Interfaces — per device, with attached IPs.
- IPs and prefixes — the IPAM tree.
- Tags — used in alert routing and queries.
- Custom fields — imported as-is for surfacing in the UI.
Note: This is a mirror, not a takeover. Nautobot stays the source of truth. Daalu reads on a schedule (every 15 minutes) and writes back only through change proposals.
Reconciliation
The reconciler agent uses this integration to detect drift:
- Pull the intended config from Nautobot for each device.
- Connect to the device via its driver (NAPALM, scrapli, or netmiko, depending on vendor).
- Compare live config to intended.
- If they differ, write a kind=drift change proposal.
Per-device connection details — SSH key vs password, jump host, port, vendor-specific driver — live in Nautobot’s secrets/credentials model, which Daalu reads on demand.
Writing back
Two write paths, both gated on change proposals:
- Apply intended to device. The standard fix when drift is unintentional. The executor pushes the Nautobot-intended config to the box.
- Update Nautobot to match device. When the device-side change was deliberate. The executor patches Nautobot to record reality.
Webhooks (optional but recommended)
To keep Daalu’s mirror fresh between scheduled syncs, have Nautobot POST webhooks to Daalu on object changes.
- Daalu shows the webhook URL on the integration detail page (e.g. https://ops.daalu.io/api/v1/sot/webhooks/<your-slug>) along with a shared secret.
- In Nautobot, Extensibility → Webhooks → Add with that URL, the secret in the HMAC field, and the object types you want pushed.
- From then on, the mirror is event-driven and the scheduled sync becomes a safety net.
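The shared secret matters because the webhook URL is reachable from outside and a POST to it changes the mirror between syncs. The block below is an added example, not Daalu's receiver, of the check the receiving side has to do before applying a delivery: Nautobot signs each delivery with HMAC-SHA512 over the raw request body using the secret from the HMAC field and puts the hex digest in the `X-Hook-Signature` header, and the event payload (`event`, `model`, `data`) follows Nautobot's webhook body. The secret, the sample body and the in-memory mirror are constructed for the example.

```python
"""Verify a Nautobot webhook delivery before letting it touch the mirror.

Added example, not Daalu's receiver. Nautobot signs each delivery with
HMAC-SHA512 over the raw body using the webhook's shared secret and sends
the hex digest in X-Hook-Signature; the payload shape (event/model/data)
follows Nautobot's webhook body. The secret and body here are constructed.
"""
import hashlib
import hmac
import json


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA512 of the raw body, the construction Nautobot uses."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha512).hexdigest()


def verify(headers: dict, body: bytes, secret: str) -> bool:
    """Constant-time check; False on a missing, wrong or tampered signature.

    Compare against the raw bytes as received, not a re-serialized JSON
    object, or a harmless reformat will fail every delivery.
    """
    presented = headers.get("X-Hook-Signature", "")
    if not presented:
        return False
    return hmac.compare_digest(sign(body, secret), presented)


def apply_delivery(headers: dict, body: bytes, secret: str, mirror: dict) -> bool:
    """Update the mirror only for an authenticated delivery; return whether
    it was applied. `mirror` is a dict keyed by (model, object id)."""
    if not verify(headers, body, secret):
        return False
    event = json.loads(body)
    key = (event["model"], event["data"]["id"])
    if event["event"] == "deleted":
        mirror.pop(key, None)
    else:  # "created" or "updated"
        mirror[key] = event["data"]
    return True


# Placeholder secret; Daalu shows the real one on the integration detail page.
SECRET = "example-shared-secret"

# Constructed sample delivery for a device update.
SAMPLE_BODY = json.dumps({
    "event": "updated",
    "model": "device",
    "timestamp": "2024-01-01 00:00:00+00:00",
    "data": {"id": "c0ffee00-0000-4000-8000-000000000001", "name": "edge-sw-01"},
}).encode("utf-8")


def demo():
    """Apply a correctly signed delivery, then one signed with the wrong
    secret; returns (first applied, second applied, objects in mirror)."""
    mirror = {}
    good = {"X-Hook-Signature": sign(SAMPLE_BODY, SECRET)}
    forged = {"X-Hook-Signature": sign(SAMPLE_BODY, "wrong-secret")}
    return (
        apply_delivery(good, SAMPLE_BODY, SECRET, mirror),
        apply_delivery(forged, SAMPLE_BODY, SECRET, mirror),
        len(mirror),
    )


if __name__ == "__main__":
    print(demo())
```

Rejected deliveries are the ones to log (without the body or signature) and to alert on if they cluster; a run of them against the webhook URL means someone other than your Nautobot is posting to it.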
Per-tenant secrets
The executor needs device credentials to push config. Two options:
- Use Nautobot’s credentials store. Daalu reads Nautobot secrets on demand. Simpler if you’re already there.
- Configure credentials in Daalu. Settings → Tenant → Device credentials. Useful when Nautobot doesn’t hold the secret you need.
Either way, secrets are encrypted at rest and never logged.
Limitations and roadmap
- Nautobot only. NetBox is not supported.
- Vendor drivers: Cisco IOS / NX-OS, Arista EOS, Juniper Junos, Nokia SROS out of the box; others via NAPALM community drivers, with the usual caveats.
- Config diff is text-based today, not structural. We’re working on structural diffs for major vendors; for now the diff is the one your eyes are used to reading.
Troubleshooting
- 401 Unauthorized — token wrong or revoked.
- 403 Forbidden — the token’s user lacks read on a needed object type.
- Slow initial sync — large inventories take a while. Watch the detail page; “Running” with a progress count is expected.
- Reconciler reports drift but the UI shows a match — usually a normalization issue. Check Settings → Reconciliation → Normalization rules.