Ansible CLI vs Automation Platform: Which One Do You Need?
By
Shibi Vasudevan
·
14 minute read
If you are running Ansible at any kind of scale, you have already hit the question: keep using ansible-playbook from a Linux jump host, or pay Red Hat for Ansible Automation Platform? The answer is rarely about features alone. It is about licensing, RBAC, audit trails, and what your security team wants to see when something goes wrong at 2 a.m.
This guide compares Ansible CLI (also called ansible-core or community Ansible) against Ansible Automation Platform (AAP) on the things that actually drive the decision: licensing, cost, RBAC, scheduling, and supportability. You will also see where AWX and Ansible Tower fit, because the naming has shifted three times in the past five years and that confuses almost every comparison written before 2024.
- Ansible CLI vs Ansible Automation Platform at a Glance
- What is Ansible CLI (ansible-core)?
- What is Ansible Automation Platform?
- Ansible Tower, AWX, and AAP: How the Names Connect
- Ansible Open Source vs Ansible Automation Platform: Licensing in 2026
- Ansible Automation Platform Pricing and Total Cost
- Key Differences: Ansible CLI vs Ansible Automation Platform
- Ansible Automation Platform Architecture (What You Actually Get)
- Choosing Between Ansible CLI, AWX, and AAP
Ansible CLI vs Ansible Automation Platform at a Glance
Before the deep dive, here is how the two tiers compare across the dimensions that usually decide the call.
| Dimension | Ansible CLI (ansible-core) | Ansible Automation Platform |
| Licensing | GPLv3, free | Red Hat subscription required |
| Interface | Command line only | Web UI, REST API, CLI |
| RBAC | None (host-level only) | Granular, role-based |
| Scheduling | External (cron, systemd) | Built-in scheduler |
| Audit logs | stdout / custom logging | Centralized, queryable |
| Execution isolation | Python virtualenv | Containerized execution environments |
| High availability | Build it yourself | Built-in clustering |
| Support | Community forum | 24/7 Red Hat enterprise support |
| Best for | Individual engineers, small teams, labs | Enterprise teams, regulated environments |
Ansible CLI wins on simplicity and zero cost. AAP wins everywhere a compliance officer or a 30-person platform team has an opinion. The middle ground, AWX, gives you most of the AAP interface for free but without Red Hat's stability guarantees or certified content.
If you want a safe place to test either tier before committing, CloudMyLab's hosted lab environments let you spin up Ansible CLI on a jump host or stand up AWX and AAP against real Cisco, Arista, and Juniper devices, without burning down a production network while you learn.
What is Ansible CLI (ansible-core)?
Ansible CLI is the command-line distribution of Ansible. It is the original, GPLv3-licensed open-source project that ships as the ansible and ansible-playbook binaries. Since the 2.10 split, the upstream package is officially called ansible-core, with collections delivered separately through Ansible Galaxy.
You install it with pip or your distro's package manager, write playbooks in YAML, define hosts in an inventory file, and run them from a terminal:
ansible-playbook -i hosts.yml site.yml
That is the whole interface. There is no web UI, no built-in scheduler, no shared state across users, and no RBAC. If two engineers need to run the same playbook against the same inventory, they each run it from their own machine, with their own SSH keys, against the same hosts. Coordination happens in Slack or Git, not in the tool.
How Ansible CLI works
Ansible CLI connects to managed nodes over SSH (for Linux and network devices) or WinRM (for Windows). It uses Ansible modules to perform the actual work, pushing Python code to the target, executing it, and returning the result. No agent runs permanently on the managed node, which is one of the reasons network teams prefer Ansible over Puppet or Chef for switch and router automation.
Inventory can be a flat INI file, a YAML file, or a dynamic source (a script or plugin that pulls hosts from cloud APIs, a CMDB, or NetBox). A minimal inventory looks like this:
[routers] router1 ansible_host=192.168.1.1 ansible_user=admin router2 ansible_host=192.168.1.2 ansible_user=admin [switches] switch1 ansible_host=192.168.2.1 ansible_user=admin
Credentials in a flat file are fine in a lab. In production, you encrypt them with Ansible Vault, pull them from a secrets manager, or pass them at runtime through --ask-vault-pass. Plain-text production credentials are the single most common Ansible audit finding.
For network automation specifically, point the connection plugin at network_cli instead of the default SSH plugin. It handles paged CLI output, prompts, and idle timeouts the way networking gear actually behaves:
- name: Gather running config from routers
hosts: routers
gather_facts: false
connection: network_cli
tasks:
- name: Show running-config
ios_command:
commands: show running-config
register: output
- name: Display output
debug:
var: output.stdout
What Ansible CLI does well
Ansible CLI is fast to start, free, and powerful enough that a single engineer can automate a few hundred devices from a laptop. It has no daemon to break, no database to back up, and no upgrade path that can corrupt jobs in flight. For learning, for labs, and for small environments where one or two engineers own the automation, it is genuinely the right tool.
For a deeper walkthrough of getting Ansible CLI installed and your first playbook running, see Ansible Setup Step-by-Step.
Where Ansible CLI breaks down
Three things tend to push teams off Ansible CLI and onto AAP or AWX. The first is auditability. When a CLI user runs a playbook, the trail lives in their local shell history and whatever logs they decided to capture. There is no central record of "who ran what against which hosts at what time." Auditors hate this.
The second is access control. Anyone with SSH access to the jump host and read access to the playbooks can run anything. You can fence this off with sudo rules and Git permissions, but the result is brittle and easy to bypass.
The third is scale. With 50 servers and one engineer, cron is fine. With 5,000 endpoints and a team of 12, you need scheduled jobs, queueing, retries, partial-failure handling, and visibility into what is running right now. None of that ships with ansible-playbook.
What is Ansible Automation Platform?
Ansible Automation Platform is Red Hat's commercial product built on top of ansible-core. It bundles the same playbook engine you already know with a control plane that adds a web UI, a REST API, RBAC, scheduled jobs, audit logs, and centralized inventory and credential management. The flagship component is the Automation Controller (which used to be called Ansible Tower, and before that, AWX).
A typical AAP deployment lets a team of platform engineers, network engineers, and application owners share one place to author, run, and review automation. Developers can launch a job from a self-service portal without ever touching SSH keys or the underlying playbook. Auditors get a single view of who ran what, when, against what.
Key components of Ansible Automation Platform
AAP ships as a few interconnected components, each solving a problem the CLI does not:
- Automation Controller: the web UI and REST API. Job templates, surveys, RBAC, schedules, logs.
- Automation Mesh: a distributed execution layer. You place execution nodes near the gear they manage (a DMZ, a remote site, a cloud VPC) and the controller routes jobs through the mesh instead of opening SSH from the controller to every endpoint.
- Execution Environments: containerized runtimes that bundle a specific ansible-core version, your collections, and any Python dependencies. Same container in dev and prod, no "works on my laptop" surprises. See Ansible Execution Environments for the full breakdown.
- Automation Hub: a private registry for certified collections and your custom ones, with signing and verification.
- Automation Analytics: usage and performance reporting on top of your job history.
- Event-Driven Ansible: rule-based triggers that launch playbooks in response to webhooks, alerts, or telemetry.
Job templates are the unit of work most teams interact with. A template defines a playbook, the inventory it runs against, the credentials to use, the execution environment, and any survey questions to ask the operator. A template named "Backup Network Devices" might point at backup_configs.yml, the "Routers and Switches" inventory, and a vault credential for SSH access. Operators with the right role click "Launch," fill in any survey fields, and watch the job run.
Inventories in AAP support static lists, dynamic sources (AWS, Azure, GCP, vSphere, NetBox, ServiceNow), and smart inventories that filter on host facts. Credentials are encrypted at rest, scoped by RBAC, and can be Machine, Network, Source Control, Vault, or one of a long list of cloud-specific types.
For practical examples of how teams build automation against real network gear, see how CloudMyLab runs network automation proofs of concept.
Ansible Tower, AWX, and AAP: How the Names Connect
The naming history is the single biggest source of confusion in Ansible comparisons, so it is worth walking through it once.
Ansible Tower was the original commercial product. Red Hat acquired Ansible in 2015, kept selling Tower as the paid tier, and open-sourced the upstream code as AWX in 2017. AWX is community-supported, ships features faster, and gets used as the testbed for what eventually lands in the paid product.
In 2021, Red Hat folded Tower into a broader bundle and renamed it Ansible Automation Platform. Tower the product became Automation Controller the component. The name "Ansible Tower" still floats around in old blog posts, certifications, and job postings, but it has not been a current product since 2021.
So the modern lineup looks like this:
| Name | What it actually is | License | Status |
| ansible-core (CLI) | Open-source playbook engine | GPLv3 | Current |
| AWX | Upstream open-source controller | Apache 2.0 | Current, community-supported |
| Ansible Tower | Old name for the commercial controller | Red Hat subscription | Renamed to Automation Controller in 2021 |
| Automation Controller | The current commercial controller | Red Hat subscription | Current, ships inside AAP |
| Ansible Automation Platform | Bundle: Controller + Mesh + EEs + Hub + Analytics + EDA | Red Hat subscription | Current |
When somebody says "we are migrating from Tower to AAP," they almost always mean "we are upgrading our existing Automation Controller install to the version that comes with the current AAP bundle." The platform is the same lineage. Job templates, surveys, RBAC, and the API all carry forward.
When somebody says "Tower vs Ansible," they usually mean "AAP vs the CLI." Treat that as the actual question.
AWX vs Ansible Automation Platform
AWX gives you the same web UI, the same job templates, the same RBAC model, and a remarkably similar developer experience to the paid AAP. The differences are about support and stability:
- AWX has no Red Hat support contract. If something breaks, you read GitHub issues and Slack.
- AWX does not include certified content. You source collections from Galaxy or build your own.
- AWX does not include Automation Mesh, Automation Analytics, or Event-Driven Ansible at parity with AAP.
- AWX releases roll faster, which is good if you want new features and bad if you want a frozen target.
- AWX is officially installable only on Kubernetes, via the AWX Operator. AAP has supported installs on RHEL, OpenShift, and (with some limitations) other distributions.
AWX is an excellent place to evaluate the controller experience before paying for AAP. Many teams run AWX in a non-production environment for years before approving an AAP purchase, and that is a legitimate use of the project.
Ansible Open Source vs Ansible Automation Platform: Licensing in 2026
Licensing is where this comparison gets real, and where most teams realize their Ansible bill is bigger than they thought.
ansible-core licensing
ansible-core is licensed under GPLv3. You can install it, modify it, redistribute it, and use it commercially with no per-node, per-user, or per-host fee. The constraint is the standard GPLv3 copyleft: if you distribute a modified version of ansible-core itself, your modifications must also ship under GPLv3.
In practice, almost no one distributes a modified ansible-core. You write playbooks, collections, and roles, and those are not derivatives of ansible-core in the GPL sense. The license is effectively "free for any use" for 99% of users.
Ansible Galaxy collections ship under a mix of licenses (Apache 2.0, MIT, GPL, BSD). Each collection sets its own.
Ansible Automation Platform licensing
AAP requires a paid Red Hat subscription. Red Hat sells AAP on a per-managed-node basis, with the price scaling by node count and support tier (Standard or Premium, the latter adding 24/7 coverage). Red Hat does not publish a public price list for AAP, so quotes are quote-only and vary substantially by region, channel partner, and committed term.
In exchange for the subscription, you get:
- 24/7 Red Hat support with SLAs (Premium tier)
- Certified Ansible Content Collections (signed, tested, supported by Red Hat)
- Security advisories and patches
- Lifecycle commitments (typically 3 years of full support per major release)
- Indemnification for the components Red Hat ships
- Access to Automation Analytics and the certified Automation Hub
A subscription does not cover every node you can reach. It covers the managed nodes you run automation against, counted by Red Hat's specific definition. Read the entitlement carefully before negotiating.
Ansible community vs Ansible Automation Platform licensing in practice
The licensing decision usually comes down to three questions. Does your organization require a vendor with an SLA on the automation tooling itself? Do you need certified, signed content for a regulated environment? Does your security team require indemnification on the platform you use to push configuration changes to production?
If the answer to any of those is yes, AAP is the answer regardless of whether ansible-core technically meets the functional requirements. If the answer to all three is no, ansible-core or AWX is genuinely sufficient for most teams.
For teams already paying for Red Hat Enterprise Linux or OpenShift, AAP often gets bundled into a broader Red Hat agreement at a reduced effective rate. If you are renewing a RHEL agreement in the next 12 months, ask the rep about adding AAP to the same negotiation.
Ansible Automation Platform Pricing and Total Cost
Public AAP pricing does not exist in the way it does for, say, GitHub Enterprise. Red Hat sells AAP through quotes tied to your node count, term, support tier, and existing Red Hat agreements. That said, public marketplace listings and customer reports give a rough shape:
- Small deployments (under 100 managed nodes): roughly $10K–$25K per year
- Mid-sized deployments (100–1,000 managed nodes): roughly $25K–$100K per year
- Large enterprise deployments (1,000+ managed nodes, Premium support, multi-region): $100K+ per year
These are software subscription numbers only. Total cost of ownership also includes the infrastructure to run AAP (control nodes, execution nodes, database), the engineering time to deploy and maintain it, and any professional services from Red Hat or a partner.
For comparison, an ansible-core deployment at the same scale costs $0 in software but loads more cost onto engineering: more time on tooling, more custom audit logging, more glue code for scheduling and RBAC, and more operational risk when something fails outside hours.
Where a hosted lab fits in the cost picture
Whichever tier you pick, you need somewhere safe to test playbooks before they touch production. That is true for ansible-core, AWX, and AAP. Hardware lab racks land at $50K–$100K initial / $195K 3-year TCO. DIY cloud labs, where you self-host EVE-NG or GNS3 on AWS or Azure, run $10K–$20K initial / $87K 3-year TCO once you account for infrastructure, image management, and engineer time.
A managed cloud lab, like CloudMyLab's hosted EVE-NG, GNS3, or Cisco Modeling Labs, lands at $2K–$5K initial / $45K 3-year TCO and removes the infrastructure and image-management overhead entirely. For teams running automation against multi-vendor topologies, that is usually the cheapest path to a representative test environment.
Key Differences: Ansible CLI vs Ansible Automation Platform
Here is the side-by-side many readers come for. This expands the at-a-glance table with the operational detail behind each row.
| Feature | Ansible CLI (ansible-core) | Ansible Automation Platform |
| License | GPLv3, free | Red Hat subscription |
| Interface | CLI only | Web UI + REST API + CLI |
| Inventory | Static files (INI/YAML) or dynamic plugins | Centralized inventory with sync schedules |
| Credentials | Vault-encrypted files or env vars | Encrypted credential store with RBAC |
| RBAC | None at the tool level | Granular: org, team, project, inventory, template |
| Scheduling | External (cron, systemd timers, CI) | Built-in scheduler with timezone support |
| Audit logs | CLI output, custom logging | Centralized, queryable, retained |
| Job history | Whatever you log | Full job database with output |
| Execution isolation | Python virtualenv | Containerized Execution Environments |
| Distributed execution | Build it yourself | Automation Mesh |
| High availability | Manual setup | Active-active controller clustering |
| Surveys / inputs | --extra-vars on the command line | Survey forms in the UI |
| Source control integration | Git on disk | Native project sync from Git, SVN, archive |
| API | None (CLI only) | Full REST API, webhook triggers |
| Notifications | Build it yourself | Email, Slack, webhook, ServiceNow, more |
| Support | Community forums | 24/7 Red Hat (Premium) or business hours (Standard) |
| Cost (per year) | $0 | $10K-$100K+ depending on node count |
The pattern across this table is consistent. Ansible CLI gives you the engine and assumes you will build everything around it. AAP gives you the engine plus the control plane an enterprise platform team would otherwise have to build from scratch.
Ansible Automation Platform Architecture (What You Actually Get)
If you are evaluating AAP, the architecture diagram on Red Hat's site is mostly marketing. Here is how a real deployment is laid out.
A standard AAP install has three layers: control, execution, and managed nodes. The control plane runs the Automation Controller (web UI, API, scheduler, database) and is typically deployed as two or three nodes in an active-active cluster behind a load balancer. The database is PostgreSQL, either embedded or an external managed instance.
The execution layer runs the actual playbooks. Execution nodes are stateless workers that pull jobs from the controller, run the playbook inside a containerized execution environment, and stream results back. You scale execution capacity by adding more nodes, and you place them topologically: an execution node in your DMZ for managing internet-facing servers, another inside a regulated VPC, another at a remote site so playbooks against local devices do not traverse the WAN.
Automation Mesh is the routing layer that ties the control plane to execution nodes across networks. It uses a single TCP port and signed peer relationships, so you do not have to open SSH from the controller out to every endpoint. For air-gapped or strict-segmentation environments, this is the feature that makes AAP viable where ansible-core was not.
The managed nodes are unchanged from CLI Ansible. SSH or WinRM, no agent, the same modules. AAP does not replace Ansible's connection model; it sits on top of it.
A small AAP deployment might be two control nodes, two execution nodes, and a managed PostgreSQL. A larger one might have multiple controller clusters across regions, a hub for content, dozens of execution nodes, and Automation Analytics ingesting job history into a central reporting environment.
For a deeper look at execution environments specifically, including how to build your own and pin dependencies, see Ansible Execution Environments and How to Optimize Ansible Performance.
Choosing Between Ansible CLI, AWX, and AAP
The decision between these three is mostly about scale and risk tolerance, not raw features. Use this matrix as a starting point.
| If you are... | Use this |
| Learning Ansible, automating a personal lab | Ansible CLI |
| One or two engineers automating fewer than ~100 nodes | Ansible CLI |
| A small team that wants a UI, scheduling, and RBAC for free | AWX (self-hosted) |
| An enterprise that needs SLAs, certified content, and audit | AAP |
| A regulated environment (finance, healthcare, gov) | AAP |
| Already paying for RHEL or OpenShift | AAP, bundled into the renewal |
| Running multi-vendor network automation across sites | AAP with Automation Mesh |
| Evaluating before committing | Start with CLI on a hosted lab, layer AWX next |
The most common mistake is buying AAP before you have a working CLI playbook library. AAP does not write your automation for you; it operates and governs automation you have already written. If your team has not yet standardized on roles, collections, and a Git workflow with ansible-core, paying for the platform first will not fix the upstream problem.
The second most common mistake is staying on Ansible CLI past the point where the audit and RBAC gaps become real risk. If your security team is asking who ran what against production and your answer is "let me check shell history on the jump box," you are already past the point where the CLI is enough.
If you want a low-risk path to test all three tiers against realistic network topologies, CloudMyLab's Network Automation Lab Services give you cloud-hosted environments where you can run ansible-core, AWX, and a trial of AAP against multi-vendor gear without buying hardware or building your own emulator stack. For a broader look at what hosted automation labs unlock, see Network Automation PoCs and Ansible Modules Types Explained for module-level depth.
Learning resources
If you want to go deeper, these resources are worth bookmarking:
- Ansible Setup Step-by-Step for getting from zero to a running playbook
- Ansible Execution Environment for the containerized runtime model
- Mastering Ansible Navigator for the modern CLI replacement Red Hat ships with AAP
- Ansible Vault and Credentials for secrets management
- Ansible Modules Types Explained for the module landscape
- Official Ansible documentation: docs.ansible.com
- Red Hat interactive labs: redhat.com/en/interactive-labs/ansible
- Ansible community forum: forum.ansible.com
Frequently Asked Questions
What is the difference between Ansible CLI and Ansible Automation Platform?
Ansible CLI (also called ansible-core) is the free, open-source command-line tool that runs playbooks. Ansible Automation Platform is Red Hat's commercial product that wraps ansible-core in a web UI, REST API, RBAC, scheduler, audit log, and centralized inventory and credential management. AAP requires a paid Red Hat subscription; ansible-core is GPLv3 and free.
Is Ansible Automation Platform free?
No. Ansible Automation Platform requires a paid Red Hat subscription priced per managed node, usually quoted between $10K and $100K+ per year depending on node count and support tier. The upstream open-source equivalent is AWX, which gives you a similar web UI and feature set without Red Hat support. ansible-core (the CLI) is also free.
What replaced Ansible Tower?
Ansible Automation Platform replaced Ansible Tower in 2021. The product formerly sold as Ansible Tower is now called Automation Controller, and it ships as one component inside the broader AAP bundle. Existing Tower deployments upgrade in place to Automation Controller; the API, RBAC model, and job templates carry forward.
What is the difference between AWX and Ansible Automation Platform?
AWX is the upstream open-source project that Red Hat builds Automation Controller from. Functionally, AWX gives you the same web UI, job templates, and RBAC as AAP. The differences are support (none for AWX), certified content (none for AWX), Automation Mesh (AAP-only), and stability (AWX ships features faster, AAP commits to longer release lifecycles). AWX is a legitimate way to evaluate the AAP experience before purchasing.
How much does Ansible Automation Platform cost?
Ansible Automation Platform is priced per managed node by Red Hat, with no public price list. Public benchmarks put small deployments (under 100 nodes) at roughly $10K–$25K per year, mid-sized deployments (100–1,000 nodes) at $25K–$100K, and large enterprise deployments at $100K and up. Existing Red Hat customers can often negotiate AAP into a broader RHEL or OpenShift agreement.
Can Ansible CLI replace Ansible Automation Platform?
For small environments and individual engineers, yes. Ansible CLI handles the same playbooks and modules as AAP. What it cannot replace is the control plane: RBAC, audit logging, scheduled jobs, the REST API, and the web UI. If your organization needs those for compliance or for cross-team collaboration, you have to build them yourself or move to AAP or AWX.
Is ansible-core the same as Ansible CLI?
In practice, yes. Ansible-core is the official upstream package name for what most engineers call Ansible CLI. The split happened in Ansible 2.10, when the project separated the engine (ansible-core) from the collections (now distributed through Galaxy and Automation Hub). When somebody says "Ansible CLI," they almost always mean ansible-core plus whichever collections they have installed.
Do I need Ansible Automation Platform for network automation?
No. Ansible CLI handles network automation against Cisco, Arista, Juniper, FortiNet, and most other vendors using the network_cli connection plugin and vendor-specific collections. AAP adds value on top when you need RBAC across a network team, scheduled config backups, audit trails for change management, or Automation Mesh for reaching gear across segmented networks. For a single engineer automating one site, ansible-core is enough.
