Mantra Networking Mantra Networking

Batfish: PyBatfish SDK

Batfish: PyBatfish SDK
Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Core Components
  • Installation
  • Basic Usage
  • Common Questions & Analysis
  • Automating with PyBatfish
  • Supported Analyses (Samples)
  • Example: CI/CD Integration
  • Best Practices
  • Conclusion

Overview of Batfish PyBatfish SDK

What Is the Batfish PyBatfish SDK?

Batfish PyBatfish SDK is a Python library that serves as the programming interface to the Batfish network analysis engine. Batfish itself is an open-source tool designed for modeling, validating, and troubleshooting computer network configurations—without interacting directly with network devices. The PyBatfish SDK lets engineers automate the process of loading device configs, querying network intent, validating changes, and extracting insights using Python code.

Why Should You Know About It?

  • Proactive Validation: PyBatfish helps you catch misconfigurations, security vulnerabilities, or policy violations before changes hit production—reducing the risk of outages.
  • Automation: It easily integrates with your existing Python-based automation scripts and CI/CD pipelines, making network validation part of your workflow rather than a manual task.
  • Comprehensive Analysis: Batfish models multi-vendor networks, allowing you to ask questions about routing, ACLs, reachability, protocol status, change impact, and more—all from a single platform.
  • Data-Driven Decisions: Results are returned as Pandas DataFrames, enabling rich filtering, analysis, and automated reporting to support compliance and operational excellence.

How Does It Work?

  • Snapshot-Based Modeling: You collect your device configuration files, topologies, and related artifacts into a snapshot—a point-in-time view of your network.
  • Service Architecture: The Batfish analysis engine runs in the background (often as a Docker container), waiting to receive and process network snapshots.
  • Python Interface: Using PyBatfish, you establish a session with the Batfish service, upload your snapshot, and issue network "questions" using intuitive Python functions.
  • Interactive Queries: The SDK supports a wide variety of questions, such as: "Which BGP sessions are down?", "Are routes consistent across all devices?", and "Can traffic reach from point A to B under these policies?"
  • Automated Feedback: Responses are returned as structured data, enabling integration into automation tasks, alerting, or compliance frameworks.

In summary, Batfish PyBatfish SDK bridges the gap between manual network validation and automated, scalable, and reliable network analysis—empowering engineers to move faster, identify issues before users are affected, and enforce organization-wide best practices in network management.

Core Components

Below are the main building blocks that make the PyBatfish SDK function for network validation and analysis:

  • Batfish Service: This is the core analysis engine, commonly run in a containerized environment (such as Docker). It handles parsing, modeling, and answering analytical network questions.
  • PyBatfish SDK: Acts as the Python interface to the Batfish engine, allowing users to submit network snapshots and programmatically retrieve analysis results from within their Python environment.
  • Network Snapshot: Represents a collection of device configurations, topologies, and supplemental files loaded into Batfish for analysis. Each snapshot functions as a point-in-time view of your network.
  • Batfish Questions: Predefined analysis modules that can answer a variety of network behavior and policy verification queries—such as reachability, routing, and configuration correctness.
  • Session Management: Handles connecting to the Batfish service, selecting the active network, setting snapshots, and running queries—all through simple Python calls.

Installation

Follow these steps to install and prepare the PyBatfish SDK for your network validation workflows:

  1. Install PyBatfish Python Package: 
    pip install pybatfish

    This installs the official Python client library needed to interact with the Batfish analysis engine.

  2. Prepare Python Environment:

    Ensure you are using Python 3.x, as PyBatfish requires this version for compatibility and performance.

  3. Run Batfish Service:

    Start the Batfish analysis engine, typically as a Docker container, so PyBatfish can access its API endpoints.

    docker run -d --rm --name batfish -p 9996:9996 -p 9997:9997 batfish/batfish

    This command launches the Batfish server exposing required ports locally.

  4. Verify Setup:

    Confirm the Batfish service is running and accessible on your localhost before running queries from PyBatfish.

Basic Usage

Follow these steps to get started with PyBatfish for network analysis and validation:

  1. Initialize a Session:

    Create a connection to the Batfish service to start interacting with the API.

    from pybatfish.client.session import Session

bf = Session(host="localhost")
  2. Set Up Network Snapshot:

    Define your network and load its snapshot into Batfish. This snapshot contains device configs and topology information.

    SNAPSHOT_DIR = "snapshots/"
NETWORK_NAME = "example_network"
SNAPSHOT_NAME = "snapshot1"

bf.set_network(NETWORK_NAME)
bf.init_snapshot(SNAPSHOT_DIR, name=SNAPSHOT_NAME, overwrite=True)
bf.set_snapshot(SNAPSHOT_NAME)
  3. Run Analysis Questions:

    Use built-in Batfish questions to query network configurations, detect issues, and validate behaviors.

  4. Example - Detect Configuration Issues: 
    from pybatfish.question import bfq

issues = bfq.initIssues().answer().frame()
print(issues)
  5. Example - Query BGP Session Status: 
    bgp_status = bfq.bgpSessionStatus().answer().frame()
print(bgp_status)

This approach lets you automate network validation and integrate PyBatfish into your Python workflows easily.

Common Questions & Analysis

Batfish offers a collection of built-in “questions” you can use to analyze and validate your network’s behavior and configuration. Here is how to use some of the most frequently used analysis steps:

  1. Detect Configuration Issues:

    Identify misconfigurations, errors, or inconsistencies across device configs.

    from pybatfish.question import bfq

issues = bfq.initIssues().answer().frame()
print(issues)
  2. Find Undefined References:

    Check for references to non-existent objects, such as a policy referencing a missing ACL.

    undefined = bfq.undefinedReferences().answer().frame()
print(undefined)
  3. Inspect Interface Properties:

    List properties such as interface state, subtype, and assigned addresses.

    interfaces = bfq.interfaceProperties().answer().frame()
print(interfaces)
  4. Analyze Routing Tables:

    Retrieve routing table entries across nodes and VRFs.

    routes = bfq.routes().answer().frame()
print(routes)
  5. Examine BGP Session Status:

    Check BGP peering establishment and status between routers.

    bgp_status = bfq.bgpSessionStatus().answer().frame()
print(bgp_status)
  6. Test ACL and Firewall Policies:

    See which packets are permitted or denied by specific filters or ACLs.

    acls = bfq.aclReachability().answer().frame()
print(acls)
  7. Trace Path and Test Reachability:

    Determine if traffic can flow between endpoints and simulate traceroutes.

    from pybatfish.datamodel.flow import HeaderConstraints

reach = bfq.reachability(
    headers=HeaderConstraints(srcIps="10.1.1.1", dstIps="10.2.2.2")
).answer().frame()
print(reach)
  8. Filter and Analyze Results:

    Results returned as Pandas DataFrames can be filtered, sorted, and processed to generate reports or automated tests.

    # Example: Filter for interfaces that are down
down_interfaces = interfaces[interfaces['Line_Status'] == 'DOWN']
print(down_interfaces)

These examples illustrate how Batfish helps automate and streamline common validation and troubleshooting tasks in complex network environments.

Automating with PyBatfish

PyBatfish can be integrated into automated workflows, enabling proactive network validation, compliance checks, and assurance before deployment. Here are the essential steps to automate network validation with PyBatfish:

  1. Set Up Your Environment:

    Prepare your configuration directories, test frameworks (such as pytest), and Python scripts for automation tasks.

  2. Establish a Batfish Session: 
    from pybatfish.client.session import Session

bf = Session(host="localhost")
bf.set_network("ci_network")
bf.init_snapshot("configs/", name="ci_snap", overwrite=True)
bf.set_snapshot("ci_snap")

    This code initializes a session to be reused across multiple validation checks.

  3. Write Automated Validation Tests:

    Use a testing framework like pytest to script and assert network correctness. Create tests that automatically run Batfish queries on each snapshot.

    import pytest
from pybatfish.question import bfq

@pytest.fixture(scope="session")
def bf():
    bf = Session(host="localhost")
    bf.set_network("ci_network")
    bf.init_snapshot("configs/", name="ci_snap", overwrite=True)
    bf.set_snapshot("ci_snap")
    return bf

def test_no_unestablished_bgp(bf):
    status = bfq.bgpSessionStatus().answer().frame()
    assert (status['Established_Status'] == 'ESTABLISHED').all()

    This example automatically checks that all BGP sessions are established after configuration changes.

  4. Integrate with CI/CD Pipelines:

    Add validation scripts to your continuous integration process so every code or configuration change is analyzed before deployment. This helps prevent outages and compliance violations.

  5. Report and Act:

    Capture results using Python’s data processing tools (like Pandas) and automate notifications or halt deployments if validation fails.

By automating with PyBatfish, teams can ensure network changes are validated reliably and consistently, reducing risk and saving time.

Supported Analyses (Samples)

Batfish provides a wide range of analyses and questions to uncover insights and validate network state. Here’s how to explore some of the most common analysis types:

  1. Undefined and Unreferenced Objects:

    Identify configuration components (such as ACLs or route maps) that are referenced but not defined, or defined but unused.

    undefined = bfq.undefinedReferences().answer().frame()
print(undefined)
  2. Session and Protocol Status:

    Check the establishment and health of routing protocol sessions (BGP, OSPF, IS-IS, etc.).

    bgp_status = bfq.bgpSessionStatus().answer().frame()
ospf_status = bfq.ospfSessionStatus().answer().frame()
print(bgp_status)
print(ospf_status)
  3. Routing Table Analysis:

    List and compare routing entries, including route availability and preference across devices.

    routes = bfq.routes().answer().frame()
print(routes)
  4. ACL and Firewall Policy Validation:

    Determine which packets are permitted or denied by ACLs or firewall rules, and analyze ACL line reachability.

    acls = bfq.aclReachability().answer().frame()
filter_lines = bfq.filterLineReachability().answer().frame()
print(acls)
print(filter_lines)
  5. Reachability and Path Simulation:

    Test if communication between endpoints is possible, simulate traceroutes, and analyze potential traffic paths.

    from pybatfish.datamodel.flow import HeaderConstraints

reachability = bfq.reachability(
    headers=HeaderConstraints(srcIps="10.0.0.1", dstIps="10.0.0.2")
).answer().frame()

traces = bfq.traceroute(
    headers=HeaderConstraints(srcIps="10.0.0.1", dstIps="10.0.0.2")
).answer().frame()

print(reachability)
print(traces)
  6. Configuration Compliance:

    Enforce corporate or security policies by checking for specific settings and device standards.

    # Example: Query and filter node properties
device_props = bfq.nodeProperties().answer().frame()
print(device_props)
  7. Change and Differential Analysis:

    Compare two snapshots to understand the impact of configuration changes or to audit security policies over time.

    diff = bfq.compareFilters(
    nodes="router1"
).answer(snapshot="after", reference_snapshot="before").frame()
print(diff)

These sample analyses help pinpoint configuration issues, validate policy enforcement, and proactively prevent network outages or vulnerabilities in automated workflows.

Example: CI/CD Integration

Integrating PyBatfish into a CI/CD pipeline enables automated validation of network configurations prior to deployment. Here is a step-by-step approach for adding Batfish validation into your continuous integration workflow:

  1. Set Up Version Control and Repository:

    Store your network configuration files and automation scripts in a version-controlled repository, such as GitHub or GitLab.

  2. Create a CI/CD Pipeline Configuration File:

    Define the pipeline steps in a YAML file appropriate for your automation system (e.g., .drone.yml for Drone, .gitlab-ci.yml for GitLab CI/CD, or .github/workflows/ for GitHub Actions).

    steps:
  - name: Install Dependencies
    image: python:3.9
    commands:
      - pip install pybatfish pytest

  - name: Validate Network Config
    image: python:3.9
    commands:
      - pytest test_batfish.py
  3. Create Automated Tests Using PyBatfish:

    Write Python tests that use PyBatfish to analyze snapshots and assert that critical network conditions are met.

    import pytest
from pybatfish.client.session import Session
from pybatfish.question import bfq

@pytest.fixture(scope="session")
def bf():
    bf = Session(host="localhost")
    bf.set_network("cicd_network")
    bf.init_snapshot("configs/", name="ci_snap", overwrite=True)
    bf.set_snapshot("ci_snap")
    return bf

def test_all_bgp_sessions_established(bf):
    status = bfq.bgpSessionStatus().answer().frame()
    assert (status['Established_Status'] == 'ESTABLISHED').all()
  4. Trigger Pipeline on Configuration Changes:

    Configure the pipeline to run validation automatically on pull requests, merges, or changes to network files.

  5. Review Results and Enforce Policy:

    If validation tests fail, prevent the deployment of non-compliant configurations. Successful validation allows changes to proceed to production or further deployment stages.

This setup automates pre-deployment network checks, making network infrastructure changes safer and more reliable across all environments.

Best Practices

Follow these guidelines to optimize your usage of PyBatfish for reliable and efficient network validation:

  1. Validate Snapshots Early:

    Always verify snapshots immediately after creation to catch configuration errors and inconsistencies before deeper analysis or deployment.

  2. Use DataFrames for Custom Checks:

    Leverage the Pandas DataFrame results returned from Batfish questions to filter, sort, and programmatically enforce network policies or compliance rules.

  3. Automate and Parallelize Testing:

    For large or complex networks, automate snapshot creation and question execution, and run analyses in parallel to reduce validation time.

  4. Compare Snapshots Before Changes:

    Utilize Batfish’s ability to diff snapshots to identify the impact of planned configuration changes and ensure they align with intent and policy.

  5. Integrate Validation Into CI/CD Pipelines:

    Embed PyBatfish checks into your continuous integration or deployment pipelines to enforce network correctness and compliance before production rollout.

  6. Keep Environment Configured Consistently:

    Ensure that your Batfish service, Python SDK, and configuration files are maintained in compatible versions and environments to avoid unexpected errors.

  7. Document Your Queries and Workflows:

    Maintain clear documentation of your Batfish questions, analysis scripts, and automation processes to simplify maintenance and onboarding.

Adhering to these best practices helps ensure effective network validation, reduces risks, and improves the efficiency of network operations and change management.

Conclusion

Throughout this blog post, we've explored the powerful capabilities of the Batfish PyBatfish SDK and how it can revolutionize network validation and analysis. Starting from understanding the fundamental components like the Batfish service and the Python SDK interface, we walked through the installation steps to get your environment ready. We then delved into basic usage, demonstrating how to initialize a session, set up network snapshots, and query for critical network information.

We examined a variety of common questions and analyses you can perform, such as detecting configuration issues, checking routing protocols, validating ACLs, and simulating network reachability. Automation was another essential topic, showing how PyBatfish can be integrated into testing frameworks and CI/CD pipelines to ensure network reliability and compliance before changes reach production.

Additionally, we reviewed the range of analyses supported by Batfish, which empower engineers to better understand their networks, identify inconsistencies, and enforce policies proactively. We looked at an example of how to embed PyBatfish into continuous integration, ensuring automated validation is part of your deployment workflow. Finally, following best practices ensures that your use of PyBatfish remains effective, maintainable, and scalable.

Thank you for following along this journey into automated network validation with Batfish’s PyBatfish SDK. Embracing these techniques can significantly reduce errors, improve operational confidence, and save valuable time in managing complex network environments. Happy analyzing and automating your network with Batfish!

Share Share Share Share Share Email