When you are working with AWS cloud infrastructure, accurate network topology diagrams play a major part in monitoring and internally communicating the design of your AWS infrastructure.
Being able to visualise all of your AWS components and resources in diagram form assists in understanding what is running where and also helps experienced engineers spot vulnerabilities and redundancy issues in network design.
The main problem with documenting AWS components has always been the time it takes to manually draw diagrams. Depending on the complexity of your infrastructure It can take days or even weeks to accurately depict what AWS components you have configured. Then of course, you need to spend even more time consistently, to keep your diagrams up to date.
We know this because the team behind Hava are engineers and developers that come from a cloud consulting background.
We were faced with the same problems you face. When reviewing existing infrastructure ahead of deploying new infrastructure, the very first thing you need to establish is what does ground zero look like. What resources are configured, what VPCs do they reside in, what availability zones house them, what does the security surface look like.
As a project manager, a logically laid out AWS network diagram of your cloud environment allows you to see at a glance whether the architect's design has been implemented as expected. With all your AWS components visually laid out, you can spot the vulnerabilities and to know what to expect if say one of your availability zones experiences an outage.
The thought of opening up all of your AWS admin consoles to start to manually map out your AWS environments with a drag & drop diagramming tool is something nobody gets excited about, which is probably why network component diagrams are rarely prioritised.
Then of course, the instant you finish the diagrams, something changes and you have to start over, analyse the implications of the changes and update all the diagrams to reflect the change. With the numerous approaches like deploying infrastructure as code, getting AWS to autoscale various resources, or having automatically deployed infrastructure like Lambda functions that respond to events to deploy component instances, there are so many scenarios where your infrastructure can change..
The monitoring and diagram update process can take days or even weeks for larger environments, especially if multiple AWS accounts and environments are involved.
Back in the day, when we were providing cloud consulting services, we would routinely take several days or weeks to establish an accurate picture of what a new client's AWS network infrastructure looked like.
We also knew that the information we needed was available in the config data and could be used to build an AWS Components Diagram to reduce the process from days or weeks down to a few seconds (or minutes for large environments)
Initially getting the infrastructure mapped was the primary focus which was achieved with the Hava Infrastructure View.
The Hava Infrastructure view lays out your AWS VPCs grouped by availability zones. The diagram displays both internal and external resources.
The infrastructure diagram is fully interactive. Selecting any of the components on the diagram changes the attribute pane on the right hand side which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so forth. The diagrams also display the estimated costs of each resource which are totalled for the entire environment when you have no resources selected.
We then thought about the connections between resources so created the ability to toggle on the ability to view connections.
Right at the start of the development of hava.io, we decided to keep the diagrams clean and free from non essential resources like network interfaces or WAF rules that could flood the diagrams making them messy and confusing.
Although these unvisualized components were not on the diagram, we wanted to know about these 'non-visualized' components, so we designed the "List View". The List View is an extensive data set that lists all the resources discovered in your AWS configuration files. This view lists both visualized and non-vizualized resources along side the estimated costs per listed resource.
One of the benefits of the list view is the ability to sort the components by descending cost to show what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs.
We also added the ability for you to export the list in CSV format which CFO's and accountants seem to enjoy.
One of the benefits of having a team of actual cloud engineers behind a product like hava.io as opposed to say a drag and drop flow chart drawing package software, is that we are always close to the market. If we don't pick up new technologies and resources first, then our customers will, and are sure to let us know. We endeavour to integrate new resources into Hava quickly.
This is evidenced by the rising popularity of AWS Container Services. As more developers embrace serverless and containers to provide portability of software between platforms we created the container view.
The container view visualizes your ECS Services and the contained ECS tasks inside each detected ECS Cluster.
AWS Compliance Report
On top of the AWS components diagrams produced by Hava, there is also a reporting module that contains an AWS Well-Architected (best practice) compliance report.
The compliance report displays what resources, users and roles you have configured in your AWS accounts connected to Hava and whether they are in use. It will also analyse your AWS configuration settings and report findings based on best practice. Findings are prioritised by severity as high, medium and low and have a detailed explanation of the problem and the configuration policy at fault.
AWS Security Diagram Tool
The Security View was next to be developed. Since we already had the config data and relationships coming back from AWS, client security teams asked if we could visualize the security relationships the same way we were able to visualize infrastructure. The challenge was accepted and the AWS Security View was born.
The security view shows you all of your security groups and will overlay the open ports and how traffic traverses your network. You can select a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses.
This high level view can make some security config issues stand out.
The security view is truly unique in the AWS visualization space and is a result of a team of industry practitioners knowing exactly what information is important for security teams to enable effective security monitoring.
Whichever diagram or view makes the most sense or delivers the information your team needs to build and manage your environments, the upside to using a hands free automatic AWS Components Diagram Tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added by mistake.
What you see is from the source of truth, always accurate and always up to date.
When your configuration changes, so do the diagrams, on autopilot. No human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configs to new ones to find out what changed in the event of a problem or compliance audit.
The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.
How to generate an AWS Network Diagram
There are currently two options for using Hava to generate your interactive cloud infrastructure diagrams.
Option 1: Hava SaaS
The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.
You simply create an AWS cross account role with read only permissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data and render the diagrams and start to track any changes for audit purposes.
A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.
Option 2: Self Hosted
The self hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of 3rd party applications to your cloud environments, then self-hosted may be the solution.
Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.
We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.
You can contact us via firstname.lastname@example.org or jump into a free trial here:
Read Next: What is AWS Lambda