← Blog

Using NetBox as the Authority for a Hybrid Platform Foundation

A practical field note on using NetBox as the source of truth for IPAM, VM inventory, service metadata, and cloud deployment metadata before platform services are layered on top.

Most hybrid infrastructure environments do not start with bad automation. They start with scattered intent.

One spreadsheet has the IP plan. A Terraform state file has the last VM output. An Ansible inventory has a slightly different hostname. A diagram has the network shape that existed three changes ago. Everyone knows the system is supposed to have a source of truth, but in practice the source of truth is whoever last touched the environment and still remembers why.

That model works until the platform has to grow across on-prem and cloud. It breaks faster when the next layer depends on reliable network and deployment metadata: Kubernetes, PostgreSQL HA, WAN extension, cloud recovery, or regulated platform operations.

This is where NetBox is strongest. It is not just a place to record what exists. Used properly, it becomes the authority that later automation has to consume.

NetBox IPAM prefixes for management, data, and workload networks in the authoritative platform foundation.
NetBox IPAM records for the management, data, and workload prefixes used by the platform foundation.

The problem before NetBox was authoritative

One verified surface starts with a familiar platform shape: Proxmox for compute, VLAN-backed network segments, a small set of foundation services, and later layers that need to build on top of that baseline.

That surface is useful because it produces screenshots and checks, but it is not the limit of the model. The same problem appears in VMware estates, Kubernetes or RKE2 clusters, cloud VMs, managed database endpoints, and network attachments that all need to be understood through one platform record.

The immediate problem is usually not creating infrastructure. That part is solvable with Terraform, Ansible, provider APIs, or a few scripts. The harder problem is knowing which addressing and metadata model every later step should trust.

If the Kubernetes blueprint needs three nodes, where should their IPs come from?

If PostgreSQL HA needs service metadata, where should that relationship be recorded?

If an Azure or GCP deployment creates platform capacity, where does the deployment metadata live after the apply finishes?

If a WAN or DR scenario depends on the same management, data, and workload networks, how does it avoid carrying its own copy of the network plan?

Without an authority, every workflow starts to smuggle in its own assumptions. The VM module has one view of the network. The inventory has another. The operator has a third. None of those are malicious. They are just local answers to a system-level problem.

The foundation model

The cleaner model is to establish the platform foundation first, then make everything above it consume that foundation.

In this setup, NetBox owns:

  • prefixes
  • IP addresses
  • VM inventory
  • service metadata
  • provider linkage where it helps operators trace deployed resources back to their source
  • tags that describe governance concerns such as foundation service, source-of-truth authority, HA requirement, or DR protection

The execution tools own implementation. Proxmox SDN owns a segmented network baseline when that is the selected surface. Cloud providers own their native resources. Kubernetes owns cluster reconciliation. NetBox is the common authority those layers can report into and consume from.

The automation layer is responsible for making those sides agree, then refusing to proceed when the expected authority is missing or inconsistent.

The sequence looks roughly like this:

1. Publish the shared network and placement baseline.
2. Bring NetBox online, or connect to the existing NetBox authority.
3. Export prefixes, VM records, service records, provider links, and deployment metadata into NetBox datasets.
4. Verify NetBox API reachability, prefix state, service records, and target state.
5. Allow Kubernetes, PostgreSQL, WAN, and DR blueprints to consume the same authority.

That is the important boundary. NetBox is not treated as a reporting target at the end of the run. It is part of the control path.

In HybridOps, the NetBox export contract is deliberately wider than one hypervisor. The export tooling already defines targets for:

onprem-proxmox
onprem-vmware
cloud-azure
cloud-gcp
cloud-hetzner

That makes the model more useful than a Proxmox-only pattern. The same operating rule can apply to VM estates, Kubernetes foundation services, cloud deployment metadata, and platform workloads that need one authoritative view.

What NetBox records in the foundation

For the reference environment, the first useful records were not exotic. They were the records that tend to drift first in real infrastructure:

  • the management, data, and workload prefixes
  • foundation VMs and their cluster context
  • the primary IPs attached to those VMs
  • the NetBox UI/API service
  • the PostgreSQL core service used by the foundation
  • provider or external identifiers where the export hook exposes them
  • governance tags that explain why the service exists and how it should be treated

That last point matters more than it looks.

NetBox VM inventory showing foundation virtual machines, IP addresses, cluster assignment, and status.
Foundation VM inventory in NetBox, including primary IPs and status.

An IP address by itself is useful. A VM record is useful. But a service record that says “this VM provides the NetBox UI/API on this TCP port, and it is a platform foundation service” gives later operators a much better answer during review or recovery.

The same is true for cloud metadata. Not every cloud object belongs in NetBox. But deployment metadata that operators use to understand ownership, addressability, service role, or recovery posture should not be trapped inside a provider-specific output file.

That is where the NetBox export hook matters. When the deployment is outside the local foundation, the useful facts can still be pushed back into the same authority. Operators are not left with one truth in NetBox, another in cloud state, and a third in a run log.

The point is not to turn NetBox into a dumping ground for every possible fact. The point is to record the facts that automation and operators need to agree on.

What changed operationally

The main improvement was not speed. It was confidence.

Before NetBox became authoritative, a downstream workflow could only assume the network baseline existed. After NetBox became authoritative, the workflow could check.

For example, an RKE2 blueprint should not invent addresses for nodes. It should consume shared NetBox prefixes and fail early if the authority is not ready. A VMware-backed cluster, an Azure or GCP recovery target, or a PostgreSQL HA path should not leave ownership, addressability, and service metadata scattered between provider state files and run logs. The metadata should fit into the same recorded model.

That gives the platform a simple rule:

If the baseline is missing from NetBox, the next layer is not ready to run.

This kind of friction is useful. It is much cheaper to fail before provisioning than to discover after deployment that three tools disagreed about the same address space.

What this is not

This is not an argument that NetBox should run every part of the platform.

NetBox should not become a hidden orchestration engine. It should not replace Terraform, Ansible, Kubernetes, or the systems that actually apply changes. The value is the boundary: NetBox holds the authoritative infrastructure record, while execution tools consume that record and produce evidence that they followed it.

That separation keeps the model understandable. When something is wrong, the team can ask a direct question:

“Is NetBox wrong, or did the implementation fail to match NetBox?”

That is a much better question than:

“Which copy of the inventory do we believe today?”

Evidence matters

A source of truth only earns trust if it can be checked.

In the HybridOps reference environment, the published screenshots come from the first verified foundation surface because that is where the current visual evidence exists. The wider contract is hybrid: NetBox export targets also exist for VMware, Azure, GCP, and Hetzner surfaces.

The walkthrough verifies NetBox reachability, IPAM prefix state, VM inventory, service records, and network state before treating the platform baseline as ready. Screenshots are useful here because they show the actual NetBox records, not only the automation code that claims to create them.

NetBox service record for the NetBox UI and API, showing parent VM, TCP port, source-of-truth description, and governance tags.
Service metadata for the NetBox UI/API.
NetBox service record for PostgreSQL core, showing parent VM, TCP port, platform foundation description, and governance tags.
Service metadata for the PostgreSQL core backend.

The strongest checks were simple:

  • NetBox API is reachable.
  • Prefixes exist with the expected role and status.
  • Foundation VMs are registered.
  • Service records point at the right parent VM and port.
  • Target network or cloud export state is recorded.
  • Downstream blueprints consume the same baseline.

That is not glamorous, but it is the kind of evidence that makes an infrastructure foundation easier to trust.

The lesson for NetBox users

The practical lesson is straightforward: decide whether NetBox is the authority or merely a record.

If NetBox is only updated after changes happen, it will eventually become stale. If every tool can carry its own version of the network plan, drift is built into the operating model. If operators can bypass NetBox during urgent work and reconcile later, “later” will eventually become “never.”

The better pattern is to move intent upstream.

Allocate the address before provisioning. Register the service model before relying on it. Make automation read from the authority before it applies changes. Make missing records fail early enough that nobody has to clean up half-built infrastructure.

That is where NetBox changes from documentation to infrastructure control discipline.

It does not remove the need for good automation. It gives the automation a stable truth to consume.

Book a call

Share a little context so we can make the session useful from the start.