8 min read

AWS Network Diagrams by Hava

May 26, 2020

AWS Architecture Diagram

If you have spent any time working with cloud computing infrastructure, you'll already appreciate the value of accurate and up to date network topology documentation.

The problem has always been the time it takes to manually draw diagrams and keep them up to date.

We know this because the team behind Hava come from a cloud consulting background.

We were faced with the same problems you most likely face. When you take on infrastructure as part of a new project or while on-boarding a new managed services client the very first thing you need to establish is what does ground zero look like.  What resources are configured, what VPCs do they reside in, what Availability Zones house them, what does the security look like.

When you know that, then you can commence the design work to make it faster, stronger and more secure, or work out how do integrate a new project without breaking anything already in production.

As a project manager, a logically laid out AWS network diagram of your development environment allows you to see at a glance whether the architect's design has been implemented as expected and to know what to expect if one of your availability zones experiences an outage.

The thought of firing up your AWS console(s) to start to manually map out your environments with a drag & drop diagramming tool probably brings you out in a cold sweat.

Then of course, the minute you complete the diagrams, something changes and you have to analyse the implications and update all the diagrams to reflect the change.

This process can take days or even weeks for larger environments, especially if multiple AWS accounts and environments are involved.

Back when we were providing expert cloud consulting services, we would routinely take several days or weeks to establish an accurate picture of what a new client's AWS complex network topology looked like.

We also knew that the information we needed was available in the config data and could be used to build an AWS Network Diagram to reduce the process from days or weeks down to a few seconds (or minutes for large environments)

Initially getting the infrastructure mapped was the primary focus which was achieved with the Hava Infrastructure View.

AWS Architecture Diagram

The Infrastructure view lays out your VPCs grouped by availability zones and displays both internal and external resources. 

Being interactive, selecting any of the resources changes the attribute panel on the right to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage etc. The diagrams also display the estimated costs of each resource which are totalled for the entire environment.

We then thought about the relationships and connections between resources so created the ability to toggle on the ability to view connections.


We decided early on in the development of hava.io to keep the diagrams clean and free from non essential resources like network interfaces or WAF rules that could flood the diagrams making them messy and confusing.

However, we did need to know about these 'non-visualized' components, so we created the "List View". This is an extensive data set that lists all the resources discovered in your AWS configuration files and lists them along side the estimated costs per listed resource.


It turned out that one of the major benefits of the list view is the ability to sort the list by cost to show what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs

Responding to customer requests, we also added the ability for you to export the list in CSV format which CFO's and accountant seem to enjoy. 

Security was next on the agenda. We already had the config data and relationships coming back from AWS so our security team asked if we could visualize the security relationships the same way we were able to visualize infrastructure. The challenge was accepted and the Security View was born.

AWS Security View 800x600

The security view will show you all of your security groups and will overlay the open ports and how they traverse your network.  You can select a security group to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses.

This helicopter view makes security config issues stick out like a sore thumb.

The security view is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to enable effective security monitoring.

We can pretty much guarantee your security team will love this diagram.

One of the benefits of having a team of actual cloud engineers behind a product like hava.io as opposed to say a drag and drop flow chart drawing package solution, is that we are always close to the market. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to fire in feature requests which we endeavour to integrate into Hava quickly.

This is evidenced by the rising popularity of containerised solutions.  As more dev teams embrace the solution of containers to provide portability of software between environments we created the container view.

AWS ECS Container View 800x600

The container view visualizes your ECS Services and the contained ECS tasks inside an ECS Cluster.

Whichever diagram or view makes the most sense or delivers the information your team needs to build and manage your environments, the upside to using a hands free automatic AWS diagram generator like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added by mistake.

What you see is from the source of truth, always accurate and always up to date.

When your configuration changes, so do the diagrams. No human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configs to new ones to find out what changed in the event of a problem or compliance audit.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.


When changes are detected in the configuration of the cloud accounts you are managing, Hava can trigger an alert that lets your know when that change is detected.


This means you always know what is happening in your cloud accounts and for MSPs it means you can let clients loose on their own infrastructure and resources but you can keep an eye on the changes and can warn them of any security or cost implications of the deployed changes - no more bill shock! 


As changes are detected in your cloud configs, Hava stores superseded diagrams in version history automatically. You can compare any two interactive diagrams from any point in time using the revision comparison feature built into Hava. This shows you exactly what resources have been added, and which ones were removed during the time period between the two diagrams.


This could be the current live architecture diagram vs one from yesterday should you need to troubleshoot sudden unexpected application errors, or you could compare architecture over a longer period of time, like the period between PCI compliance audits so the auditors can see the changes they are interested in. You can also use diff views to analyse architectural drift or show clients the changes that have happened over time that have prompted questions around billing and escalating costs.

How to generate an AWS Diagram

There are currently two options for using Hava to generate your cloud infrastructure diagrams.

Option 1: SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your cloud infrastructure.

You simply create an AWS cross account role with read only persmissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data and render the diagrams and start to track any changes for audit purposes.

A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.

Option 2: Self Hosted

The self hosted option allows you to run Hava from within your own infrastructure. If you have particular security or enterprise policies that prevent connection of 3rd party applications to your cloud environments, then self-hosted is the solution.

Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.


We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.


You can contact us via sales@hava.io or find out more here:




Topics: aws cloud
Team Hava

Written by Team Hava

The Hava content team