If you have worked with AWS for any length of time, you will understand the importance of using effective AWS diagram tools.
Well laid out AWS network topology diagrams instantly communicate the state of play of your AWS infrastructure so your engineering team, management and consultants can easily understand what is running, where it is running and how the network hangs together.
Understanding how well designed your AWS infrastructure is does not stop at simple environment resource diagrams. Understanding your infrastructure security, how your configuration complies to AWS best practice recommendations and how resilient your network design is to region outages are all considerations to think about when selecting your AWS diagram toolset.
Automation is also a consideration from both an efficiency and accuracy perspective. If your documentation solution can automatically generate well laid out network topology diagrams and keep them automatically updated when your environment changes, whilst also tracking changes in a version history, you'll be saving a massive amount of time over manually creating diagrams and keeping them up to date.
In this post we'll take a closer look at how hava.io addresses these important considerations and how this is achieved in a single application to auto generate AWS diagrams.
AWS Infrastructure Diagrams
Creating AWS infrastructure diagrams with hava.io is as simple as creating a read-only AWS cross-account role and plugging the credentials into Hava. The application will then scan your account configuration and produce a set of diagrams laid out by VPC.
The AWS regions are represented by the columns within the VPC which each contain subnets configured within the region. With your environment visualised in this "Infrastructure View" you can select items and resources displayed on the interactive diagram to dig into the attributes of the selected resource, subnet or VPC.
This view gives you a visual prompt in relation to the regional redundancy built into your network design. Can your application survive an individual region outage which has been known to happen from time-to-time.
With optional display of resource names and connections to keep the diagram uncluttered and manual controls to scale and adjust the diagram, the standard infrastructure view out of the box provides provides the key information needed by engineers, DevOps and management.
An "extended infrastructure view" expands on the data displayed on your AWS infrastructure diagrams and an additional "List View" diagram provides an extensive list of discovered resources that do not get visualised.
AWS Container Diagrams
If you are building containerised solutions using AWS the Hava application will visualise these in a "Container View" diagram.
The below diagram depicts an ECS Cluster with multiple ECS Service instances within the cluster that contain multiple tasks per service. The task status is visualized using different colours. ie "Running", "Pending", "Stopped" etc
Colour codes include Green = OK, Yellow = Transitioning, Red = Warning, White = Stopped or empty which gives you an immediate visual guide of exactly what's going on and if anything needs attention.
AWS Security Diagrams
One of the most important aspects of cloud computing solutions is security and security should be a central component of your AWS diagram tools.
Visualizing your AWS security configuration allows you security team to immediately see what security groups have been set up, what ports are open and how IP traffic enters and exits your network.
A visualized security configuration can instantly highlight vulnerabilities like ports opened during development and testing that should have been closed or network ingress points that have been misconfigured. Your security team can pick up problems in seconds that would otherwise go unnoticed or take hours to uncover trawling through config settings.
Custom AWS Diagrams
While automatically generated AWS diagrams delineated by VPC are incredibly useful and time saving, sometimes you need to diagram specific elements within a VPC or collate resources from different VPCs or even cloud providers. This could be driven by individual projects, development vs production or hybrid cloud design. Hava's toolset addresses this with a very flexible query and search tool that allows you to build custom diagrams based on numerous criteria like region, resource name, VPC name and even arbitrary tags.
You can stack your query parameters to build a custom diagram from the returned resources. Using the Deep Search modifier within the query, the search will also return resources connected to the ones that meet your search criteria.
Once saved, the custom diagram will auto update every time a configuration change is detected and a version history retained as if it was a system generated diagram.
Always up to date
Automatically generating AWS network topology diagrams ensures you have accurate documentation. However they are only accurate until the next configuration change. Hava continuously syncs your standard and custom diagrams, so an up-to-date documentation set is always at hand.
Versioning
While automatically updated AWS diagrams ensure your documentation is always up to date, you may need to know what your network looked like prior to the configuration change. During an audit or unexpected network behaviour you may need to know what the config looked like last month or even 3 months ago.
Hava addresses this important requirement by retaining a full interactive document set every time a diagram is superseded in a version history. The older versions can be opened and inspected interactively just like the current document set and even exported for diffing or external archiving.
AWS ARCHITECTURE DIAGRAM VERSION COMPARISON
Hava continuously scans your AWS architecture and when changes are detected a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten. Instead they are moved into version history. Still fully interactive.
What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.
So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.
AWS ARCHITECTURE MONITORING
While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.
Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.
Now you and your security team can be across every change as it happens so you can assess and take action if required.
ENVIRONMENT DIAGRAM NOTES
For every architecture diagram generated you have the ability to add text comments. This serves as a rolling dialogue your team can contribute to that may better explain elements of the diagram or bigger picture concepts related to the diagram.
Notes are accessed from the accordion menu within the attribute pane.
New notes are added to the top of the list so they are stored in chronological order.
SaaS or Self-hosted
Hava's AWS Diagram tools are available as cloud based SaaS where you simply connect a set of cross-account role credentials.
Due to some regional data regulations and corporate policy limitations, Hava is also available as a self-hosted application that can be run within your own cloud infrastructure.
You can take a free 14 day trial at any time to see what your AWS, GCP or Azure environments look like. We can also arrange a personal 1:1 live screenshare demonstration of Hava for you and your team if you would like a walkthrough of the capabilities of hava.io - no pressure or obligation.
