What If Your AI IDE Could Build Your Entire Network Automation Pipeline?
I’ve been experimenting with Google Antigravity — Google DeepMind’s agent-first development platform — and I wanted to put it to a real-world test: building a scheduled, secure backup system for Cisco and Fortigate router configurations, with Azure Key Vault handling all the sensitive credentials. Here’s how the whole thing comes together, and why Antigravity changes the game for network engineers who code.
What Is Google Antigravity?
Antigravity isn’t just another AI code assistant bolted onto VS Code. It’s a full agentic development suite where autonomous AI agents plan, write, test, and debug your code across the editor, terminal, and even a browser — all with minimal hand-holding from you.
The key features that matter for this project:
- Mission Control (Manager View) — Spawn multiple sub-agents that work in parallel. One agent can scaffold the Python project while another researches the Azure Key Vault SDK docs.
- Terminal & System Autonomy — Agents install dependencies (pip install netmiko azure-keyvault-secrets), run tests, and fix errors automatically.
- Artifacts System — Instead of opaque chat logs, Antigravity produces structured deliverables: implementation plans, task checklists, and walkthroughs you can review before anything ships.
- Scheduled Tasks — You can set up cron-style schedules directly inside Antigravity to run automation on a recurring basis.
In short, you describe what you want built, and Antigravity’s agents handle the how.
The Architecture: What We’re Building
Here’s the high-level design of the secure config backup system:
┌──────────────────────┐
│   Azure Key Vault    │  ← Stores device IPs, usernames, passwords
│   (Secrets Store)    │    as individual secrets
└──────────┬───────────┘
           │
           │ DefaultAzureCredential
           ▼
┌──────────────────────┐
│ Python Backup Script │  ← Built & tested inside Antigravity
│ (Netmiko + Paramiko) │
└──────────┬───────────┘
           │
     SSH connections
      ┌────┼────┐
      ▼         ▼
┌────────┐ ┌───────────┐
│ Cisco  │ │ Fortigate │  ← show run / get system config
│ Router │ │ Firewall  │
└────────┘ └───────────┘
           │
           ▼
┌──────────────────────┐
│  Timestamped Backup  │  ← /backups/cisco-rtr01_2026-05-28.cfg
│ Files (Local/Cloud)  │
└──────────────────────┘
Step 1 — Store Credentials in Azure Key Vault
The first rule: never hardcode device credentials. Azure Key Vault gives you a centralised, encrypted, RBAC-controlled secrets store. For each device, you’d create secrets like:
- cisco-rtr01-ip → 10.1.1.1
- cisco-rtr01-username → admin
- cisco-rtr01-password → ********
- forti-fw01-ip → 10.2.2.1
- forti-fw01-username → admin
- forti-fw01-password → ********
You can create these via the Azure Portal, the az CLI, or — and this is where it gets interesting — ask Antigravity to do it for you. Antigravity has built-in Azure MCP tools, including Key Vault operations. You could literally say:
“Create secrets in my Azure Key Vault called net-backup-vault for these three Cisco routers and two Fortigate firewalls. Here are the IPs and credentials.”
The agent handles the rest.
Step 2 — Build the Backup Script with Antigravity
Here’s the core Python script that Antigravity would generate and refine for you. The key libraries are Netmiko (for SSH to network devices) and azure-keyvault-secrets (for pulling credentials at runtime):
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from netmiko import ConnectHandler
from datetime import datetime
import os

VAULT_URL = "https://net-backup-vault.vault.azure.net/"
BACKUP_DIR = "./backups"

# --- Authenticate to Azure Key Vault ---
credential = DefaultAzureCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)

# --- Device inventory ---
devices = [
    {"name": "cisco-rtr01", "type": "cisco_ios", "cmd": "show running-config"},
    {"name": "cisco-rtr02", "type": "cisco_ios", "cmd": "show running-config"},
    {"name": "forti-fw01", "type": "fortinet", "cmd": "get system config"},
]

os.makedirs(BACKUP_DIR, exist_ok=True)
timestamp = datetime.now().strftime("%Y-%m-%d_%H%M")

for device in devices:
    # Pull credentials from Key Vault (never stored on disk)
    ip = client.get_secret(f"{device['name']}-ip").value
    username = client.get_secret(f"{device['name']}-username").value
    password = client.get_secret(f"{device['name']}-password").value

    connection = {
        "device_type": device["type"],
        "host": ip,
        "username": username,
        "password": password,
    }

    try:
        with ConnectHandler(**connection) as conn:
            config = conn.send_command(device["cmd"])
        filename = f"{BACKUP_DIR}/{device['name']}_{timestamp}.cfg"
        with open(filename, "w") as f:
            f.write(config)
        print(f"OK {device['name']} -> {filename}")
    except Exception as e:
        print(f"FAIL {device['name']}: {e}")
When you paste this requirement into Antigravity, it doesn’t just generate the code. It:
- Creates an implementation plan for you to review before writing any code.
- Installs dependencies in a virtual environment.
- Writes unit tests and runs them.
- Handles edge cases — what if a device is unreachable? What if the Key Vault token expires?
Step 3 — Schedule the Backups
Antigravity supports the /schedule command for recurring tasks. You could set it up like this:
“Run the router backup script every day at 2:00 AM Adelaide time.”
Under the hood, this creates a cron schedule (0 2 * * *) that triggers the backup script automatically. Antigravity’s agent wakes up, authenticates to Azure Key Vault, connects to each device, pulls the config, and saves timestamped backups — all without you touching a thing.
For production environments, you could also deploy this as an Azure Function with a Timer Trigger, which Antigravity can scaffold and deploy for you using its built-in Azure tools.
Step 4 — Why Azure Key Vault Is Non-Negotiable
Here’s why you should never store device credentials in a flat file, a .env, or (worst case) directly in your script:
- Encryption at rest and in transit — Key Vault uses HSM-backed encryption.
- Access control — Azure RBAC lets you grant “Key Vault Secrets User” to specific service principals or managed identities. No one else can read the secrets.
- Audit logging — Every secret access is logged in Azure Monitor. You know exactly who (or what) read a credential and when.
- Rotation — When you change a device password, you update one secret in Key Vault. Every script that reads it automatically gets the new value next run.
- No secrets on disk — Credentials exist only in memory during script execution. Nothing is written to config files or Git repos.
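The login credentials stay off disk, but the backup files themselves are sensitive: a saved running configuration normally carries password hashes, SNMP community strings and pre-shared keys. The following is an added example, not part of the original script, that writes each backup atomically with owner-only permissions and rejects device names that are unsafe as file names; `write_backup` and the naming rule in `SAFE_NAME` are assumptions made for this example.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed naming rule: letters, digits, dot, underscore, hyphen; no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def write_backup(backup_dir, device_name, config_text, now=None):
    """Write one config backup atomically with owner-only permissions."""
    if not SAFE_NAME.fullmatch(device_name):
        raise ValueError(f"unsafe device name: {device_name!r}")
    if not config_text.strip():
        # An empty capture should fail loudly, not replace a good backup.
        raise ValueError(f"empty config returned for {device_name}")

    directory = Path(backup_dir)
    directory.mkdir(mode=0o700, parents=True, exist_ok=True)
    stamp = (now or datetime.now()).strftime("%Y-%m-%d_%H%M")
    target = directory / f"{device_name}_{stamp}.cfg"

    # mkstemp creates the file with mode 0600, so the config is never
    # readable by other local users, not even briefly.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-", suffix=".cfg")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(config_text)
            handle.flush()
            os.fsync(handle.fileno())
        # Rename in one step so a partial file never appears under the final name.
        os.replace(tmp_path, target)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return target
```

In the backup loop this would replace the plain `open(filename, "w")` write, which creates the file with whatever permissions the process umask allows.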
Step 5 — Extend It Further
Once you have the foundation, Antigravity makes it easy to layer on more features. Just describe what you want:
- Git version control — “Commit each backup to a Git repo so I can diff config changes over time.”
- Email alerts — “Send me an email if a backup fails.”
- Config drift detection — “Compare today’s backup with yesterday’s and flag any differences.”
- Web dashboard — “Build a simple web page that shows the status of the last backup for each device.”
- Azure Blob Storage — “Upload each backup to an Azure Storage container for offsite retention.”
Each of these is a one-line prompt in Antigravity. The agents research the best libraries, write the code, test it, and present you with a walkthrough for review.
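The config drift detection item above, as an added example that is not from the original post or generated by Antigravity: it diffs two backups, ignores lines that change on every capture, and redacts secret values so a drift alert does not leak them. The sample configs are constructed, and the `VOLATILE` and `SECRET` patterns are assumptions to extend for your platforms.

```python
import difflib
import re

# Lines that differ on every capture with no real change (assumed patterns).
VOLATILE = re.compile(r"^(! Last configuration change at |! NVRAM config last "
                      r"updated at |Current configuration : |ntp clock-period )")
# Keyword, optional hash-type digit or FortiOS ENC marker, then the secret value.
SECRET = re.compile(r"\b(secret|password|psksecret|community)((?: \d+| ENC)?) (\S+)")

# Constructed sample backups for illustration, not taken from a real device.
YESTERDAY = """\
! Last configuration change at 01:10:02 UTC Wed May 27 2026
hostname cisco-rtr01
enable secret 9 $9$constructedOLDhash
snmp-server community constructedRO RO
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
"""
TODAY = """\
! Last configuration change at 23:41:17 UTC Wed May 27 2026
hostname cisco-rtr01
enable secret 9 $9$constructedNEWhash
snmp-server community constructedRO RO
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
 permit any
"""


def normalise(config_text):
    """Drop volatile and blank lines so only real changes are compared."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not VOLATILE.match(line)]


def redact(line):
    """Mask secret values so a drift alert never carries them."""
    return SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)} <redacted>", line)


def config_drift(old_text, new_text):
    """Return redacted unified-diff lines; an empty list means no drift."""
    diff = difflib.unified_diff(normalise(old_text), normalise(new_text),
                                fromfile="previous", tofile="current",
                                lineterm="", n=1)
    return [redact(line) for line in diff]


if __name__ == "__main__":
    print("\n".join(config_drift(YESTERDAY, TODAY)) or "no drift")
```

The comparison runs on the raw lines and redaction is applied only to the output, so a changed secret still shows up as a removed and an added line without exposing either value.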
My Take
What impresses me most about Antigravity for this kind of project is the shift from writing code to directing agents. I didn’t need to look up the Netmiko device type string for Fortigate or figure out the azure-identity authentication flow. I described the architecture, reviewed the plan, and let the agents build it. For network engineers who aren’t full-time developers, this is a massive productivity unlock.
The combination of Antigravity’s agentic workflow + Azure Key Vault’s secrets management + Netmiko’s device connectivity gives you a production-grade, secure, automated config backup pipeline — and you can have it running in an afternoon.
If you’re a network engineer thinking about automating your infrastructure, this is a great first project to try. Start with one router, one Key Vault secret, and one Antigravity prompt. Scale from there.