Accurate AWS deployment diagrams can play a significant role in monitoring and internally communicating the design of well engineered AWS infrastructure.
The problem has always been the time it takes to manually draw diagrams, especially when using tedious drag and drop graphics applications. Depending on the complexity of your network it can possibly take days or even weeks to research and map out an AWS deployment diagram. Then of course, you need to spend even more of your valuable time keeping the diagrams up to date. We know this because the team behind Hava are software engineers that come from an expert cloud consulting background.
Our team were faced with the same problems you face in day to day engineering or DevOps scenarios. When you take on existing infrastructure or need to deploy new infrastructure as part of a new application or maybe while on-boarding a new consulting or managed services client the very first thing you need to establish is what does the existing infrastructure look like. What resources do they have configured, how many subnets are in play, what VPCs do they reside in, what Availability Zones are they in, what does the security surface look like. All crucial questions that can be easily answered by visualizing your AWS deployment.
When you know the state of play, then you can commence the design work you have been engaged to undertake, whether that's to make it faster, more available and more secure, or to work out how to integrate a new project or application feature without breaking anything already in production.
If you are a project manager, a well laid out AWS network topology diagram of your development environment allows you to see at a glance whether the initial design has been implemented as expected. With everything visually laid out, you can evaluate the network reality matches your expectation. You can spot the weak points and you can know what to expect your application to do, if say an AWS availability zone or entire region experiences an outage.
The thought of logging in to your AWS console or consoles to start to manually mapping out your AWS Deployment Diagram with a drag & drop diagramming tool is something nobody gets excited about, which is probably why accurate AWS network topology diagrams are rarely prioritised by anyone, well at least anyone we've met.
Then of course, the moment you finally complete the network topology diagrams, something changes and you have to analyse the implications and update all the diagrams to reflect the changes. With the numerous approaches like deploying infrastructure as code, or getting AWS to autoscale various resources like EC2, this process can take days or even weeks for larger environments, especially if multiple AWS accounts and environments are involved.
Back when our engineers were providing cloud consulting services, we would routinely take several days or weeks to establish an accurate picture of what a new client's AWS network infrastructure looked like. Like you, we had to fire up the AWS console, scour through hundreds of services, security groups and resources to establish exactly what was running where.
We also knew that the information we needed was available in the config data and could be used to build an automated AWS network topology diagram tool to reduce the process from days or weeks down to a few seconds or minutes for larger environments. What was once a painstakingly tedious task nobody could get excited about was now condensed into a simple process of generating a set of cross-account role credentials and letting the Hava application work it's magic.
Initially getting the infrastructure visualized was the primary focus which was achieved with the Hava Infrastructure View.
The Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are grouped by availability zones. The diagrams generated also display both internal and external resources.
The Hava diagrams are interactive. Selecting any of the resources on the diagram changes the attribute panel on the right of the diagram canvas which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The diagrams also display the estimated costs of each resource which are totalled for the entire environment when the environment is opened up.
We then thought about the relationships and connections between resources so created the ability to toggle on and off the ability to view connections.
Right from the start of developing Hava, our engineers decided to keep the diagrams clean and free from non essential resources like network interfaces or WAF rules that could flood the diagrams that could potentially make them messy and confusing. Messy overcrowded diagrams are a feature of some drag and drop diagram solutions that have attempted to bolt on an AWS import feature recently but this is something we specifically engineered Hava to avoid from the beginning which we feel makes it the best AWS diagram tool available..
Although these less important components are not on the diagram visualizations, we understand the need to know about these 'non-visualized' components, so our engineers designed the AWS Deployment Diagram Tool to create the "List View". The List View is an extensive data set that lists all the resources discovered in your AWS configuration files. This view lists both visualized and non-vizualized resource instances along side the estimated costs per listed resource.
One of the major benefits of the list view is the ability to sort the list by descending costs. This surfaces what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.
We also added the ability for you to export the list in CSV format which CFO's and accountant seem to enjoy.
AWS Security View
The Security View was next diagram (or report) on the agenda. We already had the configuration metadata and relationships coming back from AWS so our security team asked if we could visualize the security relationships the same way we were able to visualize infrastructure. The challenge was accepted and the AWS Security View was born.
The Hava security view shows you all of your security groups and then overlays the open ports and how the traffic traverses your network. You can select a security group on the diagram to see all the connected resources in the attribute pane to the right hand side of the diagram, as well as the ingress and egress port numbers and associated IP addresses.
This high level view can makes some security config issues obvious like ports opened for developer access still remaining open in the production environment or configuration issues leaving your network wide open to attack.
The AWS security view is truly unique and is a result of a team of industry practitioners knowing exactly what information is important for your security team to enable effective visualized security monitoring.
One of the benefits of having a team of actual cloud engineers behind a product like hava.io as opposed to say a drag and drop flow chart drawing application, is that we are always close to the market. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to send in feature requests which we endeavour to integrate into Hava quickly.
This is evidenced by the increasing popularity of AWS Container Services. As more dev teams embrace the solution of platform agnostic containers to provide portability of software between environments we created the container view.
The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster.
AWS Trusted Advisor Compliance Report
On top of the various diagrams produced by Hava, there is also a reporting module that contains an AWS trusted advisor compliance report.
The report details what resources, users and roles you have configured and whether they are being used. It will also analyse your AWS configuration and report findings based on trusted advisor and AWS well-architected best practice. Findings are prioritised as high, medium and low severity and have a detailed explanation of the problem and the configuration policy at fault.
Whichever diagram or view makes the most sense or delivers the information your team needs to build and manage your environments, the upside to using a hands free automatic AWS Deployment Diagram Tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added by mistake.
What you see is from the source of truth, always accurate and always up to date.
Because of the constant monitoring automation, when your configuration changes, so do your diagrams. No human interaction required. The superseded diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configs to new ones to find out what changed in the event of a problem or compliance audit.
The diagrams generated by Hava can also be exported. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON for diffing and comparison purposes. A VSDX export allows you to ingest your diagrams into Microsoft Visio or a compatible application like draw.io so you can embelish and modify the diagrams during design or proposal activities.
How to generate an AWS Network Topology Diagram
There are currently two options for using Hava to generate your cloud infrastructure diagrams.
Option 1: Hava SaaS
The online SaaS option found at https://www.hava.io is by far the quickest and easiest way to start visualizing your AWS cloud deployment infrastructure.
You simply create an AWS cross account role with read only permissions, then log into hava.io and connect your AWS account using those credentials. Hava will read your AWS configuration data and render the diagrams and start to track any changes for auto update and audit purposes.
A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.
Option 2: Self Hosted
The self hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of 3rd party applications to your cloud environments, then self-hosted may be the solution.
Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution. If not available now, we are close to releasing a one-click self hosted install.
We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.
You can contact us via firstname.lastname@example.org or jump into a free trial here: