
AWS Cloud Architecture Diagram from Hava

November 18, 2021


Professional cloud engineers understand the importance of documenting networks with network topology diagrams. They communicate how your cloud network is built, speed up onboarding of new team members and external consultants, and let you quickly establish what the network should look like in the middle of an outage.

If you are building or operating solutions hosted on AWS, you probably already understand the value a good network architecture diagram provides. The problem has always been the time it takes to draw diagrams by hand. Flipping back and forth between your diagramming software and your console settings is a laborious task that nobody enjoys.

If you have a complex network or multiple applications and dev/test environments, it can take days or even weeks to research and map out your AWS cloud architecture diagram. Once you have done the hard work of mapping your AWS resources onto a diagram, you then need to spend even more time keeping it up to date.

We understand this because the team behind Hava are engineers from a cloud consulting background who spent a considerable amount of time manually mapping out cloud infrastructure.

When you take on existing infrastructure as part of a role change, deploy new infrastructure for a new application, or onboard a new client, the very first thing you need to establish is what the existing infrastructure looks like: what resources you have to work with, which VPCs exist, which availability zones they are in, and what the security setup looks like.

When you know exactly what is provisioned, then you can commence the design work to make the network faster, more available and more secure, or work out how to integrate a new project or application feature without breaking anything already in production.

If you are a project manager, a well laid out AWS cloud architecture diagram of your development environment lets you see at a glance whether your architect's design has been implemented as expected. With everything diagrammed, you can spot weaknesses and know what to expect if, say, an AWS availability zone or an entire region experiences an outage.

The thought of logging in to your AWS console and manually mapping out your environments with a drag and drop diagramming tool is something nobody we know gets excited about, which is probably why accurate AWS cloud architecture diagrams are rarely prioritised or readily available during an unexpected event.

Then of course, no sooner have you finished drawing your diagrams than something changes and you have to update every diagram to reflect it. With infrastructure deployed as code through CI/CD pipelines, or AWS autoscaling resources in response to traffic load, keeping the diagrams current can take days or even weeks for larger environments.

Back in our consulting days, we knew that the information we needed was available in the AWS configuration data and could be used to build an automated AWS cloud architecture diagram tool, reducing the diagramming process from days or weeks of tedious manual drawing to a few seconds. What was once a task nobody could get excited about was condensed into generating a cross-account role, connecting it to Hava and letting the Hava application do the rest.

Initially, getting the infrastructure mapped was the primary focus, which was achieved with the Hava Infrastructure View.


The Infrastructure View lays out each of your AWS VPCs as a separate diagram set. Subnets within the VPC are grouped by availability zone. The generated AWS diagram also displays both internal and external resources.

The diagrams generated by Hava are interactive. Clicking on any resource on the diagram updates the attribute panel on the right, which lets you take a deep dive into that resource's settings: security groups, ingress/egress ports, attached storage and so on. The diagrams also display the estimated cost of each resource, totalled for the entire environment when the environment is opened.

We then thought about the relationships and connections between diagrammed resources, so we added the ability to toggle the display of connections on and off.

AWS Cloud Architecture diagram connections

Right from the beginning, we decided to keep the Hava diagrams clean and free of non-essential resources such as network interfaces, which could flood the diagrams with unimportant detail and make them messy and confusing.

Although these less important components are not visualized on the infrastructure diagrams, we still need to know about them, so we created a "List View". The List View is an extensive data set listing every resource discovered in your AWS configuration, both visualized and non-visualized.

The listed resources also have an estimated cost detailed against them.


One of the benefits of the List View is the ability to sort the list, including by descending cost. This surfaces which resources make up the bulk of your estimated cloud spend, which helps when you are looking to save on cloud costs or need to explain to management which resources make up the bulk of your AWS bill.

AWS Cloud Diagram Security View

The Security View was the next diagram added to Hava. We already had the configuration metadata and relationships coming back from AWS, so our security team clients asked whether we could visualize the security relationships the same way we visualized infrastructure. This led to the AWS Security View.

AWS Security View

The Security View shows all of your AWS security groups and overlays the open ports to show how traffic can traverse your network. Select a security group on the diagram to see all the resources attached to it in the attribute pane, along with the ingress and egress port numbers and the IP ranges associated with each rule.

This high-level view makes some security configuration issues obvious, such as ports opened for development or testing that have been left open.

The AWS Security View is the result of a team of industry practitioners knowing exactly which information matters for effective visual security monitoring.

One of the benefits of having actual cloud engineers behind a product like Hava, as opposed to a drag and drop flow chart package, is that we stay close to the market and to hundreds of front line cloud engineers. If we don't pick up new technologies and methodologies first, our customers will, and they send in feature requests that we endeavour to integrate into Hava as soon as possible.

This is evidenced by the rising popularity of AWS container services. As more development teams embrace containers to deploy applications and make software portable between environments, we added the Container View to Hava.

AWS ECS Container View

The Container View displays your ECS Services and the ECS Tasks they contain, inside each ECS Cluster.


Hava continuously scans your AWS architecture, and when changes are detected a new diagram set is generated automatically. The superseded diagrams are not discarded or overwritten; they are moved into version history and remain fully interactive.

What this means is that you can view your cloud architecture at any point in time, and also use Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between two diagram dates.


So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.


While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.

Hava's architecture monitoring alerts let you know the minute a change is detected. You nominate the environment you wish to monitor and add a group of recipients for the alerts. When a change such as the addition or removal of a resource is detected, Hava sends each recipient a diff diagram showing the change.


Now you and your security team can be across every change as it happens so you can assess and take action if required.
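The two checks described above, spotting ports left open to the world in the Security View and reporting what was added or removed between two scans, can be reproduced on the raw data. The following is an added example, not Hava's code and not how Hava implements its views: it runs over the `SecurityGroups` list that `aws ec2 describe-security-groups` returns, flags any rule reachable from `0.0.0.0/0` or `::/0` that is not an expected public port, and diffs two snapshots the way a change alert would. The two snapshots and the allowed-port list are constructed for the example.

```python
"""Flag world-reachable security group rules and diff two scans.

Added example, not Hava's code. Input is the "SecurityGroups" list as
returned by `aws ec2 describe-security-groups`; the two snapshots below
are constructed inline so the script runs offline.
"""
import ipaddress

# Ports expected to be reachable from anywhere (assumption: adjust per org).
EXPECTED_PUBLIC_PORTS = {80, 443}


def is_world(source):
    """True for 0.0.0.0/0 or ::/0. Narrower CIDRs and security-group
    sources such as "sg-0a1" (not a CIDR at all) return False."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def ingress_rules(sg):
    """Flatten one group into (group_id, protocol, from, to, source) tuples.
    IpProtocol "-1" means all traffic and is reported without port fields."""
    rules = set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        for src in sources:
            rules.add((sg["GroupId"], proto, lo, hi, src))
    return rules


def world_open_findings(groups, allowed=EXPECTED_PUBLIC_PORTS):
    """One line per rule that exposes anything other than an expected
    single TCP port to the whole internet."""
    findings = []
    for sg in groups:
        for gid, proto, lo, hi, src in sorted(ingress_rules(sg)):
            if not is_world(src):
                continue
            if proto == "tcp" and lo == hi and lo in allowed:
                continue
            findings.append(f"{gid} ({sg['GroupName']}): {proto} {lo}-{hi} open to {src}")
    return findings


def diff_snapshots(old_groups, new_groups):
    """What a change alert would carry: groups and rules added or removed."""
    old_ids = {g["GroupId"] for g in old_groups}
    new_ids = {g["GroupId"] for g in new_groups}
    old_rules = set().union(*(ingress_rules(g) for g in old_groups))
    new_rules = set().union(*(ingress_rules(g) for g in new_groups))
    return {
        "groups_added": sorted(new_ids - old_ids),
        "groups_removed": sorted(old_ids - new_ids),
        "rules_added": sorted(new_rules - old_rules),
        "rules_removed": sorted(old_rules - new_rules),
    }


# Constructed sample: yesterday's scan.
SNAPSHOT_OLD = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
]

# Constructed sample: today's scan. A debugger port (9229) was left open to
# the world on "web", IPv6 was added to the 443 rule, and a "db" group appeared.
SNAPSHOT_NEW = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 9229, "ToPort": 9229,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]}]},
]

if __name__ == "__main__":
    for line in world_open_findings(SNAPSHOT_NEW):
        print("FINDING:", line)
    for key, value in diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW).items():
        print(key, value)
```

On the constructed data the only finding is the 9229 rule on `sg-0a1`, and the diff reports `sg-0c3` as a new group plus three new rules (the IPv6 443 source, the 9229 rule and the database rule). Rules whose source is another security group are tracked by group ID, so a change from "reachable from the app tier" to "reachable from anywhere" shows up as a removed and an added rule rather than being silently merged.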



For every architecture diagram generated you can add text notes. These serve as a rolling dialogue your team can contribute to, explaining elements of the diagram or bigger picture concepts related to it.

Notes are accessed from the accordion menu within the attribute pane.


New notes are added to the top of the list, so they are stored in reverse chronological order, newest first.


Whichever diagram or view makes the most sense for your team, the upside of a hands-free automatic AWS cloud diagram tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing the connected role can read is missed and nothing can be added by mistake.

What you see comes from the source of truth: accurate as of the last scan, and refreshed as the configuration changes.

When your configuration changes, so do the diagrams, with no human interaction required. The diagrams that are automatically replaced are archived in version history. You can open historical diagrams at any time; they are fully interactive, so you can compare old configurations to new ones to find out what changed in the event of a problem or a compliance audit.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.

How to generate an AWS Network Topology Diagram

There are currently two options for using Hava to generate your cloud infrastructure diagrams.

Option 1: Hava SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.

You simply create an AWS cross-account role with read-only permissions, then log in to hava.io and connect your AWS account. Hava reads your AWS configuration data, renders the diagrams and starts tracking changes for audit purposes.
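The cross-account role is the one piece of security configuration this setup asks of you, so it is worth getting right: trust only the vendor's account, require an external ID so a third party cannot be tricked into assuming your role on someone else's behalf (the confused deputy problem), and keep the permissions to read-only actions. The script below is an added example, not Hava's code or its documented onboarding procedure; the account ID, external ID, role name and action list are placeholders and assumptions, and the real values come from the vendor's onboarding screen. It builds the two policy documents and refuses to emit them if the permissions policy grants anything that is not a `Describe`, `List` or `Get` action.

```python
"""Build and sanity-check a read-only cross-account role for a diagramming tool.

Added example, not Hava's code. Every identifier below is a placeholder:
substitute the account ID and external ID the vendor gives you.
"""
import json

TOOL_ACCOUNT_ID = "111122223333"                    # placeholder (assumption)
EXTERNAL_ID = "value-shown-on-the-vendor-onboarding-page"  # placeholder (assumption)
ROLE_NAME = "DiagramToolReadOnly"                   # placeholder (assumption)

# Illustrative minimal action set; the real list depends on the tool's docs.
DIAGRAM_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "ecs:Describe*", "ecs:List*",
            "elasticloadbalancing:Describe*",
            "rds:Describe*",
            "s3:ListAllMyBuckets",
        ],
        "Resource": "*",
    }],
}

READ_ONLY_VERBS = ("Describe", "List", "Get")


def trust_policy(trusted_account, external_id):
    """Only the tool's account may assume the role, and only when it
    presents the agreed ExternalId; this defeats the confused deputy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def write_actions(policy):
    """Actions in Allow statements that are not read-only by name.
    A bare "*" or "ec2:*" is caught because the verb part is "*".
    The check is syntactic: s3:GetObject passes yet reads customer data,
    so review Get* actions against the tool's needs as well."""
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            verb = action.rpartition(":")[2]
            if not verb.startswith(READ_ONLY_VERBS):
                offenders.append(action)
    return offenders


def role_documents(role_name, trusted_account, external_id, permissions):
    """Return the JSON documents for `aws iam create-role` and
    `aws iam put-role-policy`, refusing any non read-only grant."""
    offenders = write_actions(permissions)
    if offenders:
        raise ValueError(f"{role_name}: non read-only actions {offenders}")
    return {
        "trust": json.dumps(trust_policy(trusted_account, external_id), indent=2),
        "permissions": json.dumps(permissions, indent=2),
    }


if __name__ == "__main__":
    docs = role_documents(ROLE_NAME, TOOL_ACCOUNT_ID, EXTERNAL_ID, DIAGRAM_READ_POLICY)
    # Write docs["trust"] to trust.json and docs["permissions"] to perms.json, then:
    #   aws iam create-role --role-name DiagramToolReadOnly \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name DiagramToolReadOnly \
    #       --policy-name DiagramRead --policy-document file://perms.json
    print(docs["trust"])
    print(docs["permissions"])
```

The AWS-managed `ReadOnlyAccess` policy is the quick alternative to an inline action list, but it includes data-reading actions such as `s3:GetObject`; a scoped `Describe`/`List` policy like the one above gives a diagramming tool what it needs to enumerate topology without access to the contents of your buckets and databases.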

A 14-day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.

Option 2: Self Hosted

The self-hosted option lets you run Hava from within your own AWS infrastructure. If security or enterprise policies prevent you from connecting third-party applications to your cloud environments, self-hosted may be the solution.

Both options are identical in functionality, but you will need to contact our support team to arrange a self-hosted deployment.

As well as using the application console to generate and view diagrams, Hava has a fully featured API that allows you to programmatically add and remove data sources, projects and diagrams.

We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.



You can contact us via sales@hava.io or start a free trial at hava.io.




Topics: aws cloud

Written by Team Hava

The Hava content team