AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Build an AAP Self-Service Template: Firewall Rule Change Approval Workflow

By Luca Berton · Published 2024-01-01 · Category: linux-administration

Learn how to design the AAP 2.7 Automation Portal's Network - Firewall Rule Request template for a self-service, approval-gated firewall change workflow.

Firewall rule changes are one of the most sensitive and most requested tasks in any network operations queue. Every change needs a business justification, a security sign-off, and a clean audit trail — yet the actual technical work of pushing the rule to a firewall or Cisco/Arista device is often trivial for automation. Red Hat's Ansible Automation Platform (AAP) 2.7 closes that gap with the new Automation Portal, a self-service template gallery that was demoed live by Fred van Zwieten and Ismail Dhaoui at Red Hat Tech Day Netherlands 2026 in Bunnik on 3 June 2026. In this article we focus on one template from that catalog: Network - Firewall Rule Request, which submits a firewall rule change for an approval workflow.

What the Automation Portal Changes

Before AAP 2.7, requesting a firewall change through automation usually meant knowing which job template to launch in the Automation Controller UI, which survey fields to fill in correctly, and which project or inventory it depended on. That's a lot of tribal knowledge for a service desk agent or a junior network engineer to carry.

The Automation Portal flips this around. It presents a curated gallery of self-service templates, each with a single Start button. The requester never needs to know where the underlying playbook lives, which execution environment it runs in, or how its inventory is scoped — they just pick the template, answer a short set of prompts, and submit.

In the Bunnik demo, the catalog included templates spanning several domains:

CategoryExample templates
Branch operationsAfter Hours Access Report, Network Health Check, WiFi Reset
Cloud provisioningCreate S3 Bucket, Provision AWS EC2 Instance, Request Azure Resource Group
Security patchingCVE Patch, RHEL - Patch Servers (Maintenance Window)
Network change managementBackup Switch Configs, Firewall Remediation, Firewall Rule Request
Firewall Rule Request stands out because, unlike a health check or a backup job, it can't just run and finish — it needs a human decision gate before anything touches production network equipment.

See also: Build an AAP Self-Service Template: Backup Network Switch Configs to Git

Anatomy of the Firewall Rule Request Template

Conceptually, this template is built from four building blocks that already exist in AAP: a survey, a job template, an approval node in a workflow template, and role-based access to scope who can request and who can approve.

1. The survey. This is what the requester actually sees in the Automation Portal. It should stay short and business-oriented — source, destination, port/protocol, business justification, and a ticket reference are typically enough. Every technical detail (device credentials, target firewall platform, execution environment) stays hidden behind the template.

2. The approval node. In a workflow job template, an Approval node pauses execution and notifies designated approvers — via email, Slack, or ServiceNow depending on how notifications are configured — until someone approves or denies the request, or it times out.

3. The change job. Once approved, the workflow proceeds to the actual Ansible job that pushes the rule to the target firewall or applies it through a network module for the platform in use.

4. RBAC scoping. The Automation Portal only shows templates the logged-in user has execute access to, and only surfaces the approve action to users in the appropriate approval team — so a requester can submit but not self-approve.

Example Workflow Definition

Below is an illustrative workflow job template definition showing how the pieces fit together conceptually. Node names and variable names are illustrative — they show the pattern, not a documented API response from AAP.

---
- name: Network - Firewall Rule Request workflow
  hosts: localhost
  gather_facts: false
  vars:
    fw_source: "{{ survey_source_network }}"
    fw_destination: "{{ survey_destination_network }}"
    fw_port: "{{ survey_port }}"
    fw_protocol: "{{ survey_protocol }}"
    fw_justification: "{{ survey_business_justification }}"
    fw_ticket_ref: "{{ survey_ticket_number }}"

  tasks:
    - name: Log the incoming firewall rule request for audit trail
      ansible.builtin.debug:
        msg: >-
          Rule request {{ fw_ticket_ref }}:
          allow {{ fw_protocol }}/{{ fw_port }}
          from {{ fw_source }} to {{ fw_destination }}
          — justification: {{ fw_justification }}

    - name: Validate requested port is within allowed change range
      ansible.builtin.assert:
        that:
          - fw_port | int >= 1
          - fw_port | int <= 65535
        fail_msg: "Requested port {{ fw_port }} is outside the valid range."

    - name: Apply the approved firewall rule change
      ansible.builtin.include_role:
        name: firewall_rule_apply
      vars:
        rule_action: allow
        rule_source: "{{ fw_source }}"
        rule_destination: "{{ fw_destination }}"
        rule_port: "{{ fw_port }}"
        rule_protocol: "{{ fw_protocol }}"
      when: workflow_approval_status == "approved"

In the actual AAP workflow visualizer, the ansible.builtin.assert validation and the rule-application play would sit in separate nodes connected by an Approval node, so the change job only fires after a human approves the request in the Automation Portal or the Controller UI.

See also: Build an AAP Self-Service Template: Branch Network Health Check

Designing the Survey for Self-Service Users

Because the requester in the Automation Portal is often not a network engineer, survey design matters as much as the playbook itself. A few practical guidelines:

  • Use plain-language field labels ("Which server or network needs access?") instead of raw variable names.
  • Constrain free-text fields wherever possible — dropdowns for protocol (TCP/UDP), regex validation for IP/CIDR fields.
  • Make the business justification and ticket reference mandatory fields so the approval node has context to act on.
  • Keep the survey to the minimum fields needed for a decision; push everything else (credentials, target device selection logic) into the job template's own variables.

Approval, Auditability, and Least Privilege

The value of routing this through a workflow approval node rather than a "just run it" job template is threefold:

  1. Separation of duties — the person requesting the change is never the person approving it, satisfying common change-management and compliance controls.
  2. Full audit trail — every request, its survey answers, the approver's identity, and the timestamp of approval or denial are recorded in the AAP job history.
  3. Consistent execution — because the actual firewall push always runs through the same job template and execution environment, there's no risk of an engineer running an ad hoc, unreviewed script against production firewalls.
This same pattern — self-service request plus approval gate — is what separates Network - Firewall Rule Request from its sibling template, Network - Firewall Remediation, which corrects a misconfiguration and does not require the same upstream sign-off since it's restoring a known-good state rather than introducing a new access path.

Key Takeaways

  • AAP 2.7's Automation Portal gives operators a one-click, self-service gallery of templates — no need to know where a playbook lives or how to configure it.
  • The Network - Firewall Rule Request template pairs a business-friendly survey with a workflow approval node, so firewall changes go through a human sign-off before execution.
  • A well-designed survey keeps technical complexity out of the requester's view while still capturing everything the approver and the audit trail need.
  • Approval nodes, RBAC scoping, and consistent execution environments together deliver separation of duties and a clean compliance story for network change management.
  • This template complements Network - Firewall Remediation and Network - Backup Switch Configs, forming a broader network change-management set inside the same self-service catalog shown at Red Hat Tech Day Netherlands 2026.

Category: linux-administration

Browse all Ansible tutorials · AnsiblePilot Home