NetBox Validation
NetBox Validation is your safety net for network changes and the critical guardrail that makes automated and agentic infrastructure management trustworthy. It combines three complementary engines to catch problems before they become outages:
- Intent validation checks whether NetBox data complies with organizational policies -- redundancy requirements, addressing standards, topology constraints, security rules. These are cross-object, fleet-wide checks that evaluate relationships across devices, interfaces, cables, IPs, and VRFs.
- Config analysis performs offline structural analysis of rendered device configs -- reachability verification, routing loop detection, BGP session compatibility, ACL correctness, and differential comparison between proposed and current configs. Available to Premium tier customers.
- Graph analysis builds an infrastructure dependency graph from NetBox's data models to evaluate physical resilience -- power chain redundancy, blast radius computation, single points of failure, and shared failure domain detection. Available to Premium tier customers.
Together they answer: "Is this change safe to deploy?" and "What breaks if this fails?"
None of the engines touch the live network. Intent checks query the NetBox data model directly. Config analysis renders configs from NetBox templates and analyzes them offline, currently via a Batfish-based analysis engine. Graph analysis builds its dependency graph from NetBox's data models. The result: instant feedback on proposed changes, no SSH, no device credentials.
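As an added illustration of the cross-object intent checks and the dependency-graph resilience checks described above (this is example code, not NetBox Validation's own implementation), the block below models a power chain with constructed sample data whose field names only loosely mirror NetBox's power panel, power feed and power port objects, and reports single points of failure, shared failure domains and the blast radius of a panel outage:

```python
from collections import defaultdict

# Constructed sample data (assumption: shape mirrors NetBox's
# PowerPanel -> PowerFeed -> PowerPort chain; this is not a real export).
POWER_FEEDS = [
    {"name": "feed-a1", "panel": "panel-a"},
    {"name": "feed-a2", "panel": "panel-a"},
    {"name": "feed-b1", "panel": "panel-b"},
]
POWER_PORTS = [  # one row per cabled power port: which device, which feed
    {"device": "core-sw1", "feed": "feed-a1"},
    {"device": "core-sw1", "feed": "feed-b1"},
    {"device": "core-sw2", "feed": "feed-a1"},
    {"device": "core-sw2", "feed": "feed-a2"},   # both feeds on panel-a
    {"device": "edge-rtr1", "feed": "feed-b1"},  # only one feed at all
]


def build_graph(feeds, ports):
    """Map each device to its set of (panel, feed) supply paths."""
    panel_of = {f["name"]: f["panel"] for f in feeds}
    paths = defaultdict(set)
    for p in ports:
        paths[p["device"]].add((panel_of[p["feed"]], p["feed"]))
    return paths


def single_points_of_failure(paths):
    """Intent-style check: devices fed by fewer than two feeds."""
    return sorted(d for d, s in paths.items() if len(s) < 2)


def shared_failure_domains(paths):
    """Devices with redundant feeds that all hang off one upstream panel,
    so a single panel failure still takes the device down."""
    return sorted(d for d, s in paths.items()
                  if len(s) > 1 and len({panel for panel, _ in s}) == 1)


def blast_radius(paths, failed_panel):
    """Devices that lose every supply path if `failed_panel` goes down."""
    return sorted(d for d, s in paths.items()
                  if s and all(panel == failed_panel for panel, _ in s))


if __name__ == "__main__":
    g = build_graph(POWER_FEEDS, POWER_PORTS)
    print("SPOF:", single_points_of_failure(g))
    print("shared domain:", shared_failure_domains(g))
    print("blast radius of panel-a:", blast_radius(g, "panel-a"))
```

The same walk over the graph answers both questions the page poses: the first two functions flag policy violations before a change merges, and the third answers "what breaks if this fails?" for a given upstream component.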

Guardrails for Agentic Infrastructure Management
As AI agents take on operational tasks -- provisioning devices, adjusting BGP configurations, rebalancing power -- the stakes of unvalidated changes increase. NetBox Validation provides the trust layer that enables agents to safely operate on infrastructure:
- An agent creates a branch with proposed changes
- Validation runs automatically, evaluating the changes against all applicable policies
- If checks fail, the agent can read the findings, self-correct, and re-validate
- Only when all checks pass does the agent create a change request for human review
- After approval and merge, post-merge validation confirms the change in the main context
Without validation guardrails, agentic network automation is too risky to deploy. With them, agents operate within the same policy framework as human engineers -- with the same checks, the same compliance requirements, and full audit trails.
Three Engines, One Framework
| Engine | What It Checks | Requires |
|---|---|---|
| Intent | NetBox data compliance -- addressing, redundancy, topology, security, completeness | NetBox 4.5+ in NetBox Cloud |
| Config | Rendered config analysis -- routing, reachability, ACLs, differential changes | Config analysis engine (Premium) |
| Graph | Infrastructure resilience -- power chains, blast radius, failure domains, SPOFs | NetBox data model (Premium) |
All three engines share one output format: results, findings, and compliance scores have the same structure regardless of which engine produced them. 93 built-in checks ship with the product, plus support for no-code declarative checks.
How It Differs from Custom Validators
NetBox has built-in Custom Validators that enforce rules at save time -- blocking writes that violate constraints. These are valuable for per-field enforcement ("every device must have a platform"). NetBox Validation focuses on what custom validators cannot do:
| Capability | Custom Validators | NetBox Validation |
|---|---|---|
| Single-field enforcement | Blocks at save time | Not our scope |
| Cross-object relationships | Single object only | Yes |
| Fleet-wide evaluation | One save at a time | Yes |
| Branch-aware pre-change validation | No branch concept | Yes |
| Compliance scoring and trend tracking | Binary pass/block | Yes |
| On-demand auditing across scoped device sets | Fires on save only | Yes |
| Policy-based scoping (by site, role, platform) | Config file only | Yes |
Recommended approach: Use custom validators for data quality at entry time. Use NetBox Validation for fleet-wide compliance auditing, pre-change workflows, and compliance tracking.
How It Fits in the Stack
| Product | Question It Answers | When | Direction |
|---|---|---|---|
| Validation | "Is this change safe? Does the data comply with policy?" | Before deployment | NetBox data + configs -> policy rules + structural analysis |
| Assurance | "Does the live network match NetBox?" | After deployment | Network -> NetBox (drift detection) |
| Observability (coming soon) | "Is the network healthy?" | Ongoing | Network -> metrics -> alerts |
These are complementary. Validation catches problems before they reach the network. Assurance catches drift after deployment. Observability monitors ongoing health.
What's Next
- Getting Started -- Run your first validation in minutes
- Core Concepts -- Understand policies, rules, runs, results, findings, and scores
- Workflows -- Pre-change validation, continuous compliance, finding management
- Engines -- Deep dive into intent, config, and graph engines
- Policy Packs -- Install pre-built policy packs including compliance frameworks
- Check Reference -- All 93 built-in checks with parameters
- API Reference -- REST API endpoints and agentic integration
- Scaling Best Practices -- Policy design and infrastructure sizing for large deployments
- FAQ -- Common questions