{"id":38,"date":"2026-05-27T20:49:10","date_gmt":"2026-05-27T20:49:10","guid":{"rendered":"https:\/\/inhochoi.com\/index.php\/2026\/05\/27\/building-a-secure-router-config-backup-system-with-google-antigravity-and-azure-key-vault\/"},"modified":"2026-05-27T20:49:10","modified_gmt":"2026-05-27T20:49:10","slug":"building-a-secure-router-config-backup-system-with-google-antigravity-and-azure-key-vault","status":"publish","type":"post","link":"https:\/\/inhochoi.com\/index.php\/2026\/05\/27\/building-a-secure-router-config-backup-system-with-google-antigravity-and-azure-key-vault\/","title":{"rendered":"Building a Secure Router Config Backup System with Google Antigravity and Azure Key Vault"},"content":{"rendered":"

What If Your AI IDE Could Build Your Entire Network Automation Pipeline?<\/h2>\n

I\u2019ve been experimenting with Google Antigravity<\/strong> \u2014 Google DeepMind\u2019s agent-first development platform \u2014 and I wanted to put it to a real-world test: building a scheduled, secure backup system<\/strong> for Cisco and Fortigate router configurations, with Azure Key Vault<\/strong> handling all the sensitive credentials. Here\u2019s how the whole thing comes together, and why Antigravity changes the game for network engineers who code.<\/p>\n

What Is Google Antigravity?<\/h2>\n

Antigravity isn\u2019t just another AI code assistant bolted onto VS Code. It\u2019s a full agentic development suite<\/strong> where autonomous AI agents plan, write, test, and debug your code across the editor, terminal, and even a browser \u2014 all with minimal hand-holding from you.<\/p>\n

The key features that matter for this project:<\/p>\n

    \n
  • Mission Control (Manager View)<\/strong> \u2014 Spawn multiple sub-agents that work in parallel. One agent can scaffold the Python project while another researches the Azure Key Vault SDK docs.<\/li>\n
  • Terminal & System Autonomy<\/strong> \u2014 Agents install dependencies (pip install netmiko azure-keyvault-secrets<\/code>), run tests, and fix errors automatically.<\/li>\n
  • Artifacts System<\/strong> \u2014 Instead of opaque chat logs, Antigravity produces structured deliverables: implementation plans, task checklists, and walkthroughs you can review before anything ships.<\/li>\n
  • Scheduled Tasks<\/strong> \u2014 You can set up cron-style schedules directly inside Antigravity to run automation on a recurring basis.<\/li>\n<\/ul>\n

    In short, you describe what<\/em> you want built, and Antigravity\u2019s agents handle the how<\/em>.<\/p>\n

    The Architecture: What We\u2019re Building<\/h2>\n

    Here\u2019s the high-level design of the secure config backup system:<\/p>\n

    \n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  Azure Key Vault      \u2502  \u2190 Stores device IPs, usernames, passwords\n\u2502  (Secrets Store)      \u2502    as individual secrets\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n           \u2502\n           \u2502 DefaultAzureCredential\n           \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  Python Backup Script \u2502  \u2190 Built & tested inside Antigravity\n\u2502  (Netmiko + Paramiko) \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n           \u2502\n     SSH connections\n     \u250c\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2510\n     \u25bc         \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Cisco  \u2502 \u2502 Fortigate \u2502  \u2190 show run \/ get system config\n\u2502 Router \u2502 \u2502 Firewall  \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n           \u2502\n           \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  Timestamped Backup   \u2502  \u2190 \/backups\/cisco-rtr01_2026-05-28.cfg\n\u2502  Files (Local\/Cloud)  \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\n
    Step 1 \u2014 Store Credentials in Azure Key Vault<\/h2>\n
    The first rule: never hardcode device credentials<\/strong>. Azure Key Vault gives you a centralised, encrypted, RBAC-controlled secrets store. For each device, you\u2019d create secrets like:<\/p>\n
      \n
    • cisco-rtr01-ip<\/code> \u2192 10.1.1.1<\/code><\/li>\n
    • cisco-rtr01-username<\/code> \u2192 admin<\/code><\/li>\n
    • cisco-rtr01-password<\/code> \u2192 ********<\/code><\/li>\n
    • forti-fw01-ip<\/code> \u2192 10.2.2.1<\/code><\/li>\n
    • forti-fw01-username<\/code> \u2192 admin<\/code><\/li>\n
    • forti-fw01-password<\/code> \u2192 ********<\/code><\/li>\n<\/ul>\n
      You can create these via the Azure Portal, the az<\/code> CLI, or \u2014 and this is where it gets interesting \u2014 ask Antigravity to do it for you<\/strong>. Antigravity has built-in Azure MCP tools, including Key Vault operations. You could literally say:<\/p>\n
      \n
      \u201cCreate secrets in my Azure Key Vault called net-backup-vault for these three Cisco routers and two Fortigate firewalls. Here are the IPs and credentials.\u201d<\/p>\n<\/blockquote>\n
      The agent handles the rest.<\/p>\n
      Step 2 \u2014 Build the Backup Script with Antigravity<\/h2>\n
      Here\u2019s the core Python script that Antigravity would generate and refine for you. The key libraries are Netmiko<\/strong> (for SSH to network devices) and azure-keyvault-secrets<\/strong> (for pulling credentials at runtime):<\/p>\n
      \nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.secrets import SecretClient\nfrom netmiko import ConnectHandler\nfrom datetime import datetime\nimport os\n\nVAULT_URL = \"https:\/\/net-backup-vault.vault.azure.net\/\"\nBACKUP_DIR = \".\/backups\"\n\n# --- Authenticate to Azure Key Vault ---\ncredential = DefaultAzureCredential()\nclient = SecretClient(vault_url=VAULT_URL, credential=credential)\n\n# --- Device inventory ---\ndevices = [\n    {\"name\": \"cisco-rtr01\", \"type\": \"cisco_ios\",       \"cmd\": \"show running-config\"},\n    {\"name\": \"cisco-rtr02\", \"type\": \"cisco_ios\",       \"cmd\": \"show running-config\"},\n    {\"name\": \"forti-fw01\", \"type\": \"fortinet\",         \"cmd\": \"get system config\"},\n]\n\nos.makedirs(BACKUP_DIR, exist_ok=True)\ntimestamp = datetime.now().strftime(\"%Y-%m-%d_%H%M\")\n\nfor device in devices:\n    # Pull credentials from Key Vault (never stored on disk)\n    ip       = client.get_secret(f\"{device['name']}-ip\").value\n    username = client.get_secret(f\"{device['name']}-username\").value\n    password = client.get_secret(f\"{device['name']}-password\").value\n\n    connection = {\n        \"device_type\": device[\"type\"],\n        \"host\":        ip,\n        \"username\":    username,\n        \"password\":    password,\n    }\n\n    try:\n        with ConnectHandler(**connection) as conn:\n            config = conn.send_command(device[\"cmd\"])\n            filename = f\"{BACKUP_DIR}\/{device['name']}_{timestamp}.cfg\"\n            with open(filename, \"w\") as f:\n                f.write(config)\n            print(f\"OK   {device['name']} -> {filename}\")\n    except Exception as e:\n        print(f\"FAIL {device['name']}: {e}\")\n<\/code><\/pre>\n
      When you paste this requirement into Antigravity, it doesn\u2019t just generate the code. It:<\/p>\n
        \n
      1. Creates an implementation plan<\/strong> for you to review before writing any code.<\/li>\n
      2. Installs dependencies<\/strong> in a virtual environment.<\/li>\n
      3. Writes unit tests<\/strong> and runs them.<\/li>\n
      4. Handles edge cases<\/strong> \u2014 what if a device is unreachable? What if the Key Vault token expires?<\/li>\n<\/ol>\n
        Step 3 \u2014 Schedule the Backups<\/h2>\n
        Antigravity supports the \/schedule<\/code> command for recurring tasks. You could set it up like this:<\/p>\n
        \n
        \u201cRun the router backup script every day at 2:00 AM Adelaide time.\u201d<\/p>\n<\/blockquote>\n
        Under the hood, this creates a cron schedule (0 2 * * *<\/code>) that triggers the backup script automatically. Antigravity\u2019s agent wakes up, authenticates to Azure Key Vault, connects to each device, pulls the config, and saves timestamped backups \u2014 all without you touching a thing.<\/p>\n
        For production environments, you could also deploy this as an Azure Function<\/strong> with a Timer Trigger, which Antigravity can scaffold and deploy for you using its built-in Azure tools.<\/p>\n
        Step 4 \u2014 Why Azure Key Vault Is Non-Negotiable<\/h2>\n
        Here\u2019s why you should never<\/em> store device credentials in a flat file, a .env<\/code>, or (worst case) directly in your script:<\/p>\n
          \n
        • Encryption at rest and in transit<\/strong> \u2014 Key Vault uses HSM-backed encryption.<\/li>\n
        • Access control<\/strong> \u2014 Azure RBAC lets you grant “Key Vault Secrets User” to specific service principals or managed identities. No one else can read the secrets.<\/li>\n
        • Audit logging<\/strong> \u2014 Every secret access is logged in Azure Monitor. You know exactly who (or what) read a credential and when.<\/li>\n
        • Rotation<\/strong> \u2014 When you change a device password, you update one secret in Key Vault. Every script that reads it automatically gets the new value next run.<\/li>\n
        • No secrets on disk<\/strong> \u2014 Credentials exist only in memory during script execution. Nothing is written to config files or Git repos.<\/li>\n<\/ul>\n
          Step 5 \u2014 Extend It Further<\/h2>\n
          Once you have the foundation, Antigravity makes it easy to layer on more features. Just describe what you want:<\/p>\n
            \n
          • Git version control<\/strong> \u2014 \u201cCommit each backup to a Git repo so I can diff config changes over time.\u201d<\/li>\n
          • Email alerts<\/strong> \u2014 \u201cSend me an email if a backup fails.\u201d<\/li>\n
          • Config drift detection<\/strong> \u2014 \u201cCompare today\u2019s backup with yesterday\u2019s and flag any differences.\u201d<\/li>\n
          • Web dashboard<\/strong> \u2014 \u201cBuild a simple web page that shows the status of the last backup for each device.\u201d<\/li>\n
          • Azure Blob Storage<\/strong> \u2014 \u201cUpload each backup to an Azure Storage container for offsite retention.\u201d<\/li>\n<\/ul>\n
            Each of these is a one-line prompt in Antigravity. The agents research the best libraries, write the code, test it, and present you with a walkthrough for review.<\/p>\n
            My Take<\/h2>\n
            What impresses me most about Antigravity for this kind of project is the shift from writing code<\/em> to directing agents<\/em>. I didn\u2019t need to look up the Netmiko device type string for Fortigate or figure out the azure-identity<\/code> authentication flow. I described the architecture, reviewed the plan, and let the agents build it. For network engineers who aren\u2019t full-time developers, this is a massive productivity unlock.<\/p>\n
            The combination of Antigravity\u2019s agentic workflow<\/strong> + Azure Key Vault\u2019s secrets management<\/strong> + Netmiko\u2019s device connectivity<\/strong> gives you a production-grade, secure, automated config backup pipeline \u2014 and you can have it running in an afternoon.<\/p>\n
            If you\u2019re a network engineer thinking about automating your infrastructure, this is a great first project to try. Start with one router, one Key Vault secret, and one Antigravity prompt. Scale from there.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
            What If Your AI IDE Could Build Your Entire Network Automation Pipeline? I\u2019ve been experimenting with Google Antigravity \u2014 Google DeepMind\u2019s agent-first development platform \u2014 and I wanted to put it to a real-world test: building a scheduled, secure backup system for Cisco and Fortigate router configurations, with Azure Key Vault handling all the sensitive […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,5,7],"tags":[],"class_list":["post-38","post","type-post","status-publish","format-standard","hentry","category-automation","category-networking","category-security"],"_links":{"self":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/38","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/comments?post=38"}],"version-history":[{"count":0,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/38\/revisions"}],"wp:attachment":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/media?parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/categories?post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/tags?post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}