List devices from NetBox by site, role, or tag and run Ansible against them. Auto-allocate IPs from a prefix when a new VM provisions. Reconcile network scan reality with declared inventory weekly. Manage device and contact assignment lifecycle as flow steps, with NetBox as the source of truth.
Make NetBox the inventory source of truth for every flow with an orchestration engine that lists devices by site/role/tag, allocates IPs from prefixes on VM provision, handles drift reconciliation between scan reality and declared inventory, and chains NetBox with Ansible, Proxmox, and ServiceNow. Drop the static hosts file; cut drift detection from quarterly to weekly.
NetBox holds the inventory. Kestra reads it to drive automation, writes back to keep it current, and reconciles it against reality on a schedule. The static Ansible inventory file, the IP spreadsheet, and the who-has-which-rack tribal knowledge all go away. NetBox is the source of truth, flows are the consumers.
device.List fetches devices from NetBox with filters on site, role, tag, status, and custom fields. fetchType STORE writes large results to internal storage for thousand-device fleets, FETCH keeps small results in memory. A ForEach iterates the result and runs Ansible, Terraform, or any plugin task per device using the device's primary IP from NetBox. The static inventory file disappears, NetBox is the inventory.
ipam.AssignIpAddress creates an IP address and assigns it to a device or VM interface. Provide an explicit address, or a prefixId to let NetBox allocate the next available from the prefix. Tags and custom fields stamp the allocation with the requesting flow's execution ID for audit. The static spreadsheet of who-has-which-IP disappears, NetBox tracks every allocation.
device.Create posts a new device with type, role, site slugs, optional rack, position, face, status, tags, and custom fields. device.Update applies PATCH by default (partialUpdate true), or PUT when disabled. The flow that provisions a VM in Proxmox or vSphere also registers it in NetBox. The flow that decommissions removes it. Reality and the declared inventory stay aligned automatically.
site.List enumerates every site in NetBox with optional filters. A ForEach over the result runs per-site flows: backup verification per DC, patch waves per region, audit reports per facility. Adding a new site is a NetBox edit, not a flow refactor or a CI variable update.
contactassignment.Create posts a contact assignment linking a contact and role to a resource object (device, site, VM, circuit, IP) by content type and object ID. Priority accepts primary, secondary, tertiary, or inactive. Use to keep on-call ownership in sync with the rotation, auto-assign vendor contacts to new circuits, or attach a billing owner to every device on provision.
A weekly reconciliation flow runs a network scan (LLDP discovery, SNMP, or hypervisor API), pulls NetBox state via device.List, and diffs the two. Devices in reality but not NetBox auto-create with a review-needed tag. Devices in NetBox but missing from reality open a GitHub issue for the responsible team. The inventory stays trustworthy without manual audits.
Patterns network and platform teams run in production today. Each one shows the flow end to end, with the real plugin classes in play.
device.List filters by role: edge-router, status: active, site: dc-2. A ForEach iterates the result and runs an Ansible playbook against each device, addressing it by the primary IP from NetBox. Per-device results are captured via the Kestra Ansible callback. A single rollup posts to Slack with success counts, failure details, and links to the per-device executions. The static Ansible inventory file goes away.
Adding a device is a NetBox edit. The next flow run picks it up automatically. No PR to the inventory file, no merge conflicts.
Filter by role, site, status, tag, or a custom field. The same flow definition handles a 4-device set or a 400-device set, scoped by the device.List filter.
If one device hits a transient SSH failure, only that ForEach iteration retries. The other devices keep moving.
The Slack message links to per-device executions and lists by site or role which devices need follow-up.
A Proxmox or vSphere VM creation flow needs an IP for the new guest. The flow calls ipam.AssignIpAddress with a prefixId for the target subnet; NetBox allocates the next available IP and tags the allocation with the requesting execution ID. The flow configures the VM's network with the allocated IP. device.Create registers the VM in NetBox with the IP record linked. No spreadsheet, no Slack ping for an IP.
Pass a prefixId, NetBox returns the next available IP from that subnet. The flow does not need to know which IPs are taken.
The IP record's tags include the Kestra execution ID, so an audit later answers exactly which flow run claimed which IP.
The same flow that allocates the IP also registers the device and assigns the billing or on-call owner via contactassignment.Create.
Monthly patch wave. site.List returns every active site (filtered by tenant, region, or tag). Per site, device.List filters by role and status. A nested ForEach runs the patching subflow per device with site context, snapshot before patch, health probe after. Per-site rollup posts to that site's Slack channel. One flow handles dozens of sites and thousands of devices.
Adding a site to NetBox extends the flow's coverage automatically. No flow edit, no schedule update.
Each site's Slack webhook is stored as a NetBox custom field. The flow reads it per iteration and posts to the right channel.
ForEach concurrencyLimit ensures only N sites are patched at once, so a region-wide failure does not roll across the world.
Weekly flow. A network scan (LLDP discovery, SNMP poll, or hypervisor API) returns the actual device list. device.List returns the NetBox declared list. A diff task computes additions (devices in reality but not NetBox) and deletions (devices in NetBox but missing from the scan). Additions auto-create with a review-needed tag for the network team to confirm. Deletions open a GitHub issue against the responsible team's repo.
Stale inventory is the number one cause of automation failures. Weekly reconciliation catches it inside a week.
Auto-created devices are not silently trusted. A review tag flags them for the network team's next standup.
A device missing from the scan is a real incident: hardware failure, decommission, or misconfigured scan. The issue routes to the team that owns it.
| Capability | | pynetbox in custom Python scripts | NetBox Webhooks + Lambda glue | |
|---|---|---|---|---|
| Device list with filters as a flow task | device.List with site/role/tag/status filters, fetchType STORE for large fleets | pynetbox API calls, parsing in Python | Not in scope, webhooks fire outward | netbox_inventory plugin generates a static file |
| IPAM allocate from prefix on demand | ipam.AssignIpAddress with prefixId, tags include execution ID | pynetbox + custom retry | Out of scope | netbox_ip_address with first_available query |
| Device lifecycle (Create + Update) chained with provisioning | device.Create / device.Update as flow tasks alongside Proxmox/vSphere | Custom Python pipeline | Webhook-driven, no provisioning chain | netbox_device tasks in a playbook |
| Site enumeration drives per-site flows | site.List + ForEach with concurrency control | Custom Python loop | Not native | Static inventory per site |
| Contact assignment automation | contactassignment.Create as a flow task | pynetbox call | Not native | netbox_contact_assignment module |
| Drift reconciliation against scan reality | Scan + device.List + diff in one flow definition | Custom comparison script | Webhook listener cannot reconcile from scan | Inventory plugin + manual diff |
| Approval gate before destructive NetBox changes | Pause + resume, named reviewer logged | Custom approval logic | Not native | Manual playbook gate |
| Chain NetBox with Ansible, Terraform, Proxmox, vSphere | Outputs flow into any plugin task | Custom glue code | Multiple webhook + Lambda hops | Ansible-centric, no Terraform chain |
| Self-hosted, air-gapped, OSS edition | Self-hosted by default, NetBox plugin available in Enterprise | Self-hosted | Self-hosted + cloud Lambda | Self-hosted |
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.
Automate infrastructure workflows in Kestra
How Kestra orchestrates NetBox, Ansible, Terraform, Proxmox, and the rest of the stack in one declarative flow.
Pair NetBox with Ansible
Why the NetBox-driven inventory pattern beats a static hosts file for any fleet bigger than a handful of devices.
NetBox plugin reference
Every NetBox task (device.List/Create/Update, ipam.AssignIpAddress, site.List, contactassignment.Create/List) with copy-ready YAML and full property reference.
Run Ansible against every device of a role, allocate IPs from prefixes on VM provision, run patch waves site by site, and reconcile reality with declared inventory weekly. Kestra Enterprise plugin, self-hosted, event-driven.
