Network as Code: Designing Declarative, Intent-Based Infrastructure at Scale

Published: December 2025
Estimated reading time: 22 minutes

In a world increasingly defined by complexity and speed, network engineering is undergoing a foundational transformation. The traditional models of CLI-driven configuration and manual provisioning are giving way to a new paradigm: Network as Code (NaC). Much like its cousin, Infrastructure as Code (IaC), NaC introduces the principles of declarative design, automation, and repeatability to the domain of networking.

The Promise of Declarative Networking

Instead of scripting individual device configurations, declarative networking allows engineers to define the desired end-state of a network — the topology, the intent, the policies — and let a controller or orchestrator realize that state. This approach offers scalability, reduces human error, and aligns network engineering with DevOps best practices...

From CLI to Code: The Evolution of Network Engineering

For decades, network engineers have relied on command-line interfaces (CLIs) to configure devices one at a time. This model, while powerful, is prone to human error, difficult to scale, and inconsistent across platforms. As networks grow in complexity—spanning data centers, branch offices, cloud providers, and remote endpoints—the limitations of CLI-driven provisioning become painfully evident.

Enter Network as Code (NaC): a paradigm that applies the principles of software engineering—version control, testing, modularity, and automation—to the management of network infrastructure. Just as DevOps transformed the way software is deployed, NaC is reshaping the way networks are designed, implemented, and operated.

Declarative vs Imperative: A Shift in Thinking

At the heart of Network as Code lies a fundamental shift: from imperative to declarative intent. In imperative models, engineers specify exactly how to achieve a configuration state. Declarative models, by contrast, define the desired outcome, leaving it up to an engine or controller to figure out how to reach that state.

This abstraction has significant advantages. Declarative definitions are easier to reason about, less prone to misconfiguration, and more conducive to automation. Tools like Cisco NSO, Ansible, Terraform for networking, and Apstra leverage this approach to allow engineers to describe the network in high-level terms—topologies, policies, SLAs—and automatically generate device-level configurations.

GitOps for Networks: Version Control, Validation, and Velocity

Network as Code is tightly coupled with GitOps principles. Instead of pushing changes directly to production devices, engineers commit declarative configurations to a Git repository. Automation pipelines validate the configuration, test it in lab environments, and eventually apply it to production via CI/CD-style workflows.

This enables auditable change management, easier rollbacks, and a tighter feedback loop between intent and reality. The network becomes programmable infrastructure, governed by the same tooling that drives modern application delivery.

Tooling Landscape: Open Source and Commercial Options

The tooling ecosystem for Network as Code has exploded in recent years. Some of the most prominent tools include:

• Ansible: Popular for its YAML-based playbooks and broad vendor support.
• Nornir: A pure Python automation framework allowing engineers to write customized logic.
• Cisco NSO: A commercial service orchestration platform supporting multi-vendor, model-driven configuration.
• Juniper Apstra: A powerful intent-based networking platform for data center fabrics.
• Terraform with provider plugins: Enables infrastructure and network configuration as code.

Each has its strengths and trade-offs, but the unifying thread is the embrace of declarative definitions and automation pipelines.

Challenges: State Drift, Abstraction, and Idempotency

Despite its promise, Network as Code is not without challenges. Declarative models depend on accurate state representation—a mismatch between intent and actual device state can lead to misconfigurations. This “state drift” must be detected and resolved automatically, or it risks eroding trust in the system.

Abstraction layers, while helpful, can hide critical details. For instance, intent-based policies must eventually translate to precise ACLs, QoS settings, or route maps. If these translations are opaque or incorrect, the result can be broken connectivity or security exposure.

Idempotency—ensuring repeated application of a config yields the same result—is another hurdle, especially with legacy devices or inconsistent APIs. Successful implementations require rigorous validation and often vendor-specific tweaks.

Case Study: WAN Orchestration Using Network as Code

Imagine a mid-sized enterprise with 80 sites across New Zealand and Australia. Traditionally, WAN configurations for MPLS and IPSec failover would be manually updated per-site, per-router. With Network as Code, a central template defines the topology, link preferences, and failover logic. A YAML file per site defines its variables: IP blocks, site codes, router hostnames, etc.

A GitOps pipeline validates syntax, simulates the changes, and pushes them to the SD-WAN controller (e.g., Cisco vManage or Fortinet’s FortiManager). Within minutes, the new site is fully onboarded—compliant, secure, and visible in the monitoring platform.

Case Study: Campus Access Automation with Intent-Based Models

In large campus environments, port configurations for access switches are notoriously error-prone. Network as Code allows the team to define profiles for device types (IP phones, laptops, printers) and associate them with VLANs, port security, and authentication policies.

When a new floor is added to the building, a simple declarative file assigns the switch name, port numbers, and device roles. The automation framework applies these configurations via NETCONF/RESTCONF or API to the switches, reducing deployment times from hours to minutes.

Case Study: Data Center EVPN-VXLAN Fabric with Apstra

For enterprises or service providers deploying EVPN-VXLAN fabrics, Apstra provides an intent-based platform where engineers define the required topology (spine-leaf), VLAN pools, routing domains, and service endpoints. The platform automatically builds BGP EVPN overlays, configures loopback addresses, and deploys validated configurations to Arista, Juniper, or Cumulus switches.

Changes to the topology, such as adding a leaf switch or tenant VLAN, are made declaratively and validated against the existing intent before deployment—ensuring fabric consistency and uptime.

Start Small: How SMBs Can Adopt Network as Code

You don’t need to overhaul your entire network to adopt NaC. Many SMBs start with:

• Backing up current configurations using Git.
• Writing Ansible playbooks for standard changes (e.g., adding VLANs).
• Implementing linting and validation tools like Batfish or pyATS.
• Automating low-risk zones first, such as guest Wi-Fi or lab switches.

Over time, you build confidence, documentation, and modular templates that can scale. The key is repeatability and visibility—replacing tribal knowledge with source-controlled logic.

Key Lessons Learned from Early Adopters

• Not all devices are equal: Legacy gear may not support APIs or structured data models.
• Document everything: Treat documentation as code—versioned and linked to deployments.
• Abstract the right things: Too much abstraction leads to errors; too little hurts productivity.
• Practice DRY (Don't Repeat Yourself): Modular roles, templates, and variables reduce config duplication.

What the Future Holds

As vendors adopt YANG models, open APIs, and cloud-native architectures, the barrier to full declarative control continues to fall. We’ll see closer alignment between security (e.g., zero trust), identity, and network policies—all expressed as code.

AI and ML will play a greater role in validating configurations and recommending remediations. Simulation tools will become standard, giving engineers confidence before deploying changes. Eventually, “networking” as a discipline will converge with platform engineering, DevOps, and cloud-native tooling.

Conclusion: Redefining the Network Engineer

Network as Code isn’t just a new toolkit—it’s a new mindset. It demands collaboration, curiosity, and a willingness to embrace software principles in a traditionally hardware-centric world. But the payoff is enormous: scalable operations, predictable deployments, faster troubleshooting, and better alignment with business needs.

Whether you’re managing a branch network, a national ISP, or a hybrid multi-cloud deployment, the declarative, intent-based future is already here. The question is no longer “if” your team will adopt Network as Code—but “how soon.”

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 30 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.
LinkedIn Profile