Written by: Hiruni Perera, Senior Software Engineer at InSyn Information Technologies Pvt Ltd
Modern networks have outgrown the era of manual configuration. As topologies scale into thousands of devices spanning multiple vendors, domains, and customer edges, the old approach of logging into boxes one by one or stitching together loose scripts stops working. It doesn’t scale, it doesn’t survive staff turnover, and every change becomes a chance to break something in production.
Network automation is the answer. But automation built without engineering discipline simply trades one fragile system for another. This article is about how we approach network automation as software engineering: why that discipline matters, what good software design unlocks in practice.
Why network automation needs real software engineering
The first version of almost any automation is a script. A Python file that pushes a config or a cron job that polls a device is often the right tool for a quick, one-off, or low-stakes task. And most automation starts there for good reason. The trouble is that scripts don’t scale past a certain point. The moment automation has to touch many devices, sequence steps that depend on each other, or run unattended against production, a script starts to strain. One fails partway through a change, leaves the network in an inconsistent state, and there’s no clear record of what happened or how to reverse it. The problem isn’t that scripts are bad – it’s that some scenarios demand more than a script can offer.
Treating automation as a software product changes the equation. When automation stops being a script you run once and becomes software you live with, the standard engineering disciplines come into play:
- Version control and review – However automation is written, it evolves continuously, and that evolution needs to be tracked. Version control means you always know what changed and can return to a known-good state when something goes wrong. Review matters just as much: an extra set of eyes catches a risky change before it reaches the network, which is far cheaper than discovering it in production.
- Modularity – Automation that lives as one long script becomes impossible to reason about as it grows. Breaking it into small, independent pieces — discrete steps that can be combined into larger processes — means each part can be understood, reused, and tested on its own. It also means a change in one place doesn’t quietly break something unrelated, which is what makes the system safe to keep extending over time.
- State awareness – Networks are stateful, and automation must respect that. A system that knows the difference between what the network is supposed to look like and what it actually looks like can act deliberately instead of blindly, applying only the changes that are needed and recognizing when reality has drifted from intent. This is what people mean by declarative, desired-state automation, and it’s why idempotency matters: running the same change twice should leave the network exactly where running it once did. Without that, automation is just issuing commands and hoping.
- Handling failure gracefully – In a large network, something failing isn’t the exception. It’s routine. A device is unreachable, a command is rejected, a connection drops partway through. Engineering this means a failure is caught and contained at the point it happens, with a clear signal of what went wrong, rather than the process barreling ahead and leaving the network half-changed. On real gear this is where mechanisms like candidate configurations and commit-confirm earn their keep: a change is staged, applied as a single unit, and rolled back on its own if it can’t be confirmed, so a device never sits in a partial state. Two workflows touching the same device at once is its own failure mode, which is why a change takes a lock rather than trusting that nothing else is happening.
- Security and access control – Automation that can reconfigure the network holds real power, and it needs the controls that go with it: credentials kept in a secrets store rather than buried in scripts, least-privilege access so a task can only touch what it should, approval gates in front of risky changes, and an audit trail of who changed what. The same machinery that makes automation reliable is what makes it safe to hand that much reach to.
- Testing – Changes to automation shouldn’t be proven correct on live infrastructure. The hard part is that you usually can’t reach for the real network to test against, so you build something that stands in for it: virtual devices and simulated topologies it can run against in CI, and dry-run modes that show the diff a change would make before anything is sent. Treating automation as engineered software means its behavior, including how it responds when things go wrong, is exercised and verified before it ever reaches a production device.
- Observability – Automation that runs unattended is only trustworthy if you can see what it did. Structured logging records each step and its outcome, status updates track an operation as it progresses, and a stored history lets you go back through it after the fact. Beyond the automation’s own logs, the same instinct covers metrics and streaming telemetry from the devices themselves, so you’re watching the network’s actual behavior and not just the system’s account of it. When something does go wrong, that visibility turns a guessing game into a quick diagnosis.
Networks are critical infrastructure. When automation goes wrong here, the cost isn’t a stack trace in a log somewhere. It’s downtime, missed SLAs, and customers who notice. That’s why the discipline matters: it’s what turns automation from a risk you tolerate into something you can trust to run on its own.
Good software design is what makes automation last
Keeping automation working is the baseline. Whether it keeps being worth using years from now comes down to how it’s designed. The difference between a tool that solves today’s problem and a platform that keeps solving new ones for years is almost entirely a question of how the software is structured.
A few design principles matter more than the rest in this domain:
- Separate what something does from how it’s done – A request like “provision this service” shouldn’t be wired to the specifics of which backend or device carries it out. Keep those two concerns apart, behind clean interfaces, and you can change the how without disturbing the what: swap an implementation, drop in a test version, or support a new system without rewriting the feature around it. Provisioning a VRF is the same request whether it lands on a box that speaks NETCONF or a legacy one you have to drive over its CLI. The feature asks for the outcome, and the layer underneath works out how to deliver it on that platform. A surprising amount of a system’s long-term flexibility comes down to this one habit.
- Reusable building blocks beat one-off pages – Network tooling produces the same shapes over and over: another form over another entity, another table of another resource. Building each one by hand isn’t just slow; it leaves you maintaining dozens of slightly different versions of the same thing. A small set of well-made, reusable building blocks, the forms, tables, and validation that everything else is assembled from, turns each new capability into an assembly job instead of a rebuild, and keeps the product consistent as it grows.
- Assume things will go wrong, and design for it – Real networks rate-limit you, time out, and return the unexpected. Software written only for the happy path demos beautifully and then falls apart in production. Handling the rough edges, clear errors, sensible behavior when a backend is slow or failing, an interface that stays responsive instead of freezing, is most of what separates something operational from something that merely runs.
- Treat the interface as part of the engineering, not a coat of paint – A topology, a running workflow, or the state of hundreds of devices is almost impossible to reason about as raw data. Presented well, as a diagram, a canvas, or a dashboard, it becomes something a person can understand and act on with confidence. A good interface also builds in the safe path, through validation, sensible defaults, and confirmation where it counts, so the right action is the easy one and a costly mistake is hard to make by accident. The most capable system in the world is worth little if the people who rely on it don’t trust it enough to use it.
In short: the right practices keep automation reliable, good architecture keeps it extensible, and a well-built interface keeps it usable and safe. All three are engineering choices, made deliberately rather than stumbled into.
What this looks like in practice
Good design is easiest to appreciate through what it enables. A few of the features that stand out across our platforms:
- A custom workflow canvas built from micro-tasks. Rather than encoding automation as opaque scripts, engineers compose workflows visually on a canvas. Each workflow is assembled from micro-tasks: small, reusable units of automation, each responsible for one discrete step: connect to a device, collect its running configuration, push a change, validate the result. Operators arrange and connect these tasks to build up larger flows. Because every micro-task is a self-contained, reusable building block, new automation is assembled from proven pieces rather than written from scratch, and the canvas itself becomes a readable record of exactly what the automation does.
- Configurable dashboards and widgets. Dashboards are built from a library of reusable widgets (live status, utilization, alerts, KPIs), so each role gets a view tailored to what it needs to watch. Because the widgets are composable, a new dashboard is an arrangement of existing building blocks rather than a bespoke, hand-built page.
- Traffic and utilization analytics. Network usage is presented through interactive charts, gauges, and heatmaps rather than raw numbers, covering things like top talkers, who’s talking to whom, usage by port and destination, and interface utilization over time. Seeing it visually makes trends and anomalies stand out at a glance, where in a table, they’d stay buried.
- Guided service provisioning. The real substance of network services, things like VRFs, BGP neighbors, static routes, tunnels, and firewall policy, is handled through guided, configuration-driven forms. Validation is built in, so a malformed address or a missing field is caught at the point of entry rather than after it has reached a device and caused a problem.
- Compliance and state monitoring. Through automated data collection, device discovery, and configuration validation, the system continuously checks that the network’s actual state still matches its intended state and flags it when the two drift apart. That closed loop between intent and reality is the heart of what’s often called intent-based networking, and it turns compliance from a periodic manual audit into something that holds true on its own, with a record of every change for when someone asks who touched what.
- Customer self-service. Routine requests like bandwidth upgrades are handled through guided forms rather than rounds of back-and-forth email, so they arrive complete and ready to act on. Customers can also set up the reports and notifications they care about and have them delivered automatically, without needing to ask each time.
What ties these together is the design underneath. Reusable building blocks mean new capability is assembled rather than rebuilt, and a clean separation between the interface and the systems behind it keeps the whole thing testable, resilient, and quick to extend. Good architecture isn’t seen directly; it’s felt as reliability and speed of delivery.
Network automation is only as good as the engineering behind it. Build it with discipline and it can run unattended; design it well and it keeps growing with the network instead of being rebuilt every time something changes; shape it around the people who use it and they’ll actually trust it. Good architecture is what turns raw capability into something a team can extend and rely on over the long term. The tools will keep changing. The engineering is what lasts.
#Networkautomation #automation #software #ai #ainetworkautomation #DevOps #netdevops
