7 min read

AWS Network Topology Diagram

July 22, 2021

AWS Network Topology Diagram

Accurate AWS network topology diagrams play a major part in monitoring and internally communicating the design of well engineered AWS infrastructure.

The problem has traditionally been the time it takes to manually draw diagrams, especially when using drag and drop graphics applications. Depending on the complexity of your network it can take days or even weeks to research and map out an AWS network topology diagram. Then of course, you need to spend even more time keep the diagrams up to date. We know this because the team behind Hava are engineers that come from a cloud consulting background.

We were faced with the same problems you face in an engineering or DevOps scenario. When you take on existing infrastructure or need to deploy new infrastructure as part of a new application or maybe while on-boarding a new managed services client the very first thing you need to establish is what does the existing infrastructure look like.  What resources do you have configured, what VPCs do they reside in, what Availability Zones are they in, what does the security surface look like.

When you know the state of play, then you can commence the design work to make it faster, highly available and more secure, or work out how do integrate a new project or application feature without breaking anything already in production.

As a project manager, a well laid out AWS network topology diagram of your dev environment allows you to see at a glance whether the architect's design has been implemented as expected. With everything visually laid out, you can spot the weak points and to know what to expect if say an AWS availability zone or entire region experiences an outage.

The thought of logging in to your AWS console(s) to start to manually mapping out your environments with a drag & drop diagramming tool is something nobody gets excited about, which is probably why accurate AWS network topology diagrams are rarely prioritised.

Then of course, the instant you complete the diagrams, something changes and you have to analyse the implications and update all the diagrams to reflect the changes. With the numerous approaches like deploying infrastructure as code, or getting AWS to autoscale various resources, this process can take days or even weeks for larger environments, especially if multiple AWS accounts and environments are involved.

Back when Hava (via Vibrato/Servian) were providing  cloud consulting services, we would routinely take several days or weeks to establish an accurate picture of what a new client's AWS  network infrastructure looked like. Like you, we had to fire up the AWS console, scour through all the services to establish exactly what was running where.

We also knew that the information we needed was available in the config data and could be used to build an Automated AWS Network Topology Diagram Tool to reduce the process from days or weeks down to a few seconds or minutes for larger environments. What was once a laborious task nobody could get excited about was condensed into a simple process of generating a set of cross-account role credentials and letting the Hava application do the rest.

Initially getting the infrastructure mapped was the primary focus which was achieved with the Hava Infrastructure View.

Show_Route_Table_Connections

The Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are grouped by availability zones. The diagrams generated also display both internal and external resources. 

The Hava diagrams are interactive. Selecting any of the resources on the diagram changes the attribute panel on the right of the diagram canvas which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The diagrams also display the estimated costs of each resource which are totalled for the entire environment when the environment is opened up.

We then thought about the relationships and connections between resources so created the ability to toggle on and off the ability to view connections.

Security_Group_Connections

We decided to keep the diagrams clean and free from non essential resources like network interfaces or WAF rules that could flood the diagrams making them messy and confusing. Busy overcrowded diagrams are a feature of some drag and drop diagram solutions that have attempted to bolt on an AWS import feature recently but this is something we specifically engineered Hava to avoid from the beginning.

Although these less important components are not on the diagrams, we did need to know about these 'non-visualized' components, so we designed the AWS Network Diagram Tool to create the "List View". The List View is an extensive data set that lists all the resources discovered in your AWS configuration files. This view lists both visualized and non-vizualized resources along side the estimated costs per listed resource.

AWS-Slide-3

 

One of the major benefits of the list view is the ability to sort the list by descending costs. This surfaces what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.

We also added the ability for you to export the list in CSV format which CFO's and accountant seem to enjoy. 

AWS Security View

The Security View was next diagram (or report) on the agenda. We already had the configuration metadata and relationships coming back from AWS so our security team asked if we could visualize the security relationships the same way we were able to visualize infrastructure. The challenge was accepted and the AWS Security View was born.

AWS-Slide-2

The security view shows you all of your security groups and will overlay the open ports and how they traverse your network.  You can select a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses.

This high level view makes some security config issues obvious.

The AWS security view is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to enable effective visualized security monitoring.

One of the benefits of having a team of actual cloud engineers behind a product like hava.io as opposed to say a drag and drop flow chart drawing package solution, is that we are always close to the market. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to fire in feature requests which we endeavour to integrate into Hava quickly.

This is evidenced by the rising popularity of AWS Container Services.  As more dev teams embrace the solution of containers to provide portability of software between environments we created the container view.

AWS-Slide-4

The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster.

AWS Trusted Advisor Compliance Report

On top of the diagrams produced by Hava, there is also a reporting module that contains an AWS trusted advisor compliance report.

Reports

The report details what resources, users and roles you have configured and whether they are in use. It will also analyse your AWS configuration and report findings based on best practice. Findings are prioritised as high, medium and low severity and have a detailed explanation of the problem and the configuration policy at fault.

Whichever diagram or view makes the most sense or delivers the information your team needs to build and manage your environments, the upside to using a hands free automatic AWS Network Diagram Tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added by mistake.

What you see is from the source of truth, always accurate and always up to date.

When your configuration changes, so do the diagrams. No human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configs to new ones to find out what changed in the event of a problem or compliance audit.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.

How to generate an AWS Network Topology Diagram

There are currently two options for using Hava to generate your cloud infrastructure diagrams.

Option 1: Hava SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.

You simply create an AWS cross account role with read only permissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data and render the diagrams and start to track any changes for audit purposes.

A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.

Option 2: Self Hosted

The self hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of 3rd party applications to your cloud environments, then self-hosted may be the solution.

Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.

We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.

You can contact us via sales@hava.io or jump into a free trial here:

Try Hava For Free Today!

  

 

 

Topics: aws cloud
Team Hava

Written by Team Hava

The Hava content team

Featured