Identifying the resources and VPCs in your AWS account, and which AWS regions they are deployed in, can be a time-consuming process that is often put off when there are more important jobs to be done.
If you have been working with AWS infrastructure for any length of time, you understand the importance of documenting your AWS VPCs using network topology diagrams. They visually represent the construction of your AWS network, and can also speed up the on-boarding of new team members and external consultants.
Knowing what regions your infrastructure is deployed in is essential when trying to establish what would happen if there is an outage in one particular AWS region. If us-east-1 drops out, can your application continue to function?
So having a diagram that clearly shows what regions host your VPCs and AWS resources is not a bad idea.
You probably already understand the value a good network architecture diagram provides. The reason so many developers and engineers don't maintain accurate network diagrams has almost certainly been the time it takes to manually draw VPC diagrams. Flipping back and forth from your manual diagram software to your console settings is a tedious task that nobody enjoys. If you suddenly spot a resource has been deployed in a different region to your default, the whole diagram is impacted and you might need to start over.
If you have a complex network or multiple applications and environments, it can take days or even weeks to research and correctly map out your AWS Region Diagram. When you have done all the hard work mapping out your resource instances onto your diagram, grouping them into the correct VPCs and regions, you then need to perpetually spend more time keeping the diagrams up to date if they are to be of any practical use.
When you take on existing AWS infrastructure as part of a role change, need to deploy infrastructure for a new application, or are on-boarding a new client, the very first thing you need to establish is what the existing infrastructure looks like: what resource instances you have to consider, what VPCs exist, what regions and availability zones they are in, and what the security set-up looks like.
When you know exactly what already exists, then you can commence the design work to make the network faster, more available and more secure, or you can establish the best way to support the existing infrastructure or maybe work out how to integrate a new project or application feature without breaking anything already in production.
If you are a product manager or network architect, a well laid out AWS VPC diagram of your actual development environment allows you to see at a glance whether your design has been implemented as expected.
With everything visualized, you can spot the vulnerabilities and can realistically know what to expect if say an AWS availability zone or entire region experiences an outage.
The thought of logging in to your AWS account console, or the accounts that you manage, and starting to manually map out networks with a drag & drop diagramming tool is something nobody we've ever met gets excited about, which is probably why accurate AWS cloud region diagrams are rarely prioritised or readily available when they are needed.
No sooner have you finished drawing your diagrams than something changes and you have to backtrack and update all the diagrams to reflect the changes, provided you spot the changes in the first place. With modern CI/CD approaches like deploying infrastructure as code, or letting AWS autoscale various resources in response to traffic loads, this process can take days or even weeks for larger environments.
Back in our cloud consulting days, we knew that the information we needed to map out VPCs in their respective regions was available in the AWS config data, so we built an automated AWS cloud architecture diagram tool to reduce the diagramming process from days or weeks of laborious manual drawing down to a few seconds. What was once a time sucking tedious task nobody enjoyed was condensed into a simple process of generating a set of cross-account role credentials, connecting to Hava and letting the Hava application do the rest.
Initially, getting the AWS VPC infrastructure mapped was the primary focus, and this was achieved with the Hava Infrastructure View.
The Hava Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are mapped within the region columns. The AWS VPC diagram generated also displays both internal and external resources.
The AWS region diagrams automatically generated by Hava are interactive: clicking on any of the resources on the diagram changes the attribute panel on the right of the diagram, which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The VPC diagrams also display the estimated costs of each resource, which are totalled for the entire environment when the environment is opened up.
We then thought about the relationships and connections between diagrammed resources, so we added the ability to toggle the display of connections on and off.
Right from the outset, we decided to keep the Hava infrastructure diagrams clean and free from non essential resources like network interfaces that could flood the diagrams with unimportant information making the diagrams saturated, messy and confusing.
Although these less important components are not on the infrastructure diagrams, we did need to know about these 'non-visualized' components, so we created a "List View". The List View is an extensive data set that lists all the resources discovered in your AWS configuration. This view lists both visualized and non-visualized resources.
The listed resources also have an estimated cost detailed against them.
One of the benefits of this list view is the ability to sort the list by a number of criteria, including by descending costs. This reveals what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.
AWS Security View
The security view was the next diagram added to Hava. Since we already had the configuration metadata and relationships coming back from AWS, our security-focused clients asked if we could visualize the security relationships the same way we were able to visualize infrastructure. This led to the AWS Security View.
The security view shows you all of your AWS security groups and overlays the open ports to show how traffic traverses your network. You can select a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses related to that resource.
This high level view makes some security config issues obvious, like ports used during development or testing that have inadvertently been left open.
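The check the security view makes visual (world-reachable ingress on ports that were never meant to be public) can also be run as code. The block below is an added example written for this page, not Hava's code or output: it walks a constructed document in the shape of `aws ec2 describe-security-groups` and flags every ingress rule whose source is 0.0.0.0/0 or ::/0 and whose port range is not fully covered by an allow-list of intentionally public ports. The allow-list (80 and 443) and the sample groups are assumptions for the example.

```python
"""Flag security-group ingress rules that are open to the whole internet
on ports other than an explicit allow-list (added example, constructed data)."""
from ipaddress import ip_network

# Ports that are expected to be reachable from anywhere, e.g. a public web tier.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-public",
        "IpPermissions": [
            # HTTPS to the world: expected for a public front end
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "app-dev",
        "IpPermissions": [
            # SSH left open to the world after a debugging session
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # Postgres reachable only from the VPC range: not a finding
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            # every protocol and port from any IPv6 address
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def is_world_open(cidr):
    """True when the CIDR covers its whole address family (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def world_open_findings(security_groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one (group_id, group_name, protocol, from_port, to_port, cidr)
    tuple for every ingress rule reachable from any source address unless the
    rule is TCP/UDP and every port it opens is in allowed_ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                if proto == "-1":
                    # all traffic: report as the full port range
                    lo, hi = 0, 65535
                    acceptable = False
                else:
                    lo, hi = perm["FromPort"], perm["ToPort"]
                    # ICMP and other protocols have type codes here, not ports,
                    # so only TCP/UDP can be excused by the allow-list.
                    acceptable = proto in ("tcp", "udp") and all(
                        p in allowed_ports for p in range(lo, hi + 1))
                if not acceptable:
                    findings.append(
                        (sg["GroupId"], sg["GroupName"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for f in world_open_findings(SAMPLE_SECURITY_GROUPS):
        print("world-open ingress: group=%s (%s) proto=%s ports=%d-%d from %s" % f)
```

Against the constructed data the checker reports the SSH rule and the all-traffic IPv6 rule on `app-dev` and stays quiet about the public HTTPS rule and the VPC-internal Postgres rule. In a real account you would feed it the JSON from `aws ec2 describe-security-groups --region <region>` for each region, since a group left open in a region you do not normally look at is exactly the case the region-level view is meant to catch.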
The Hava AWS security diagram is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to security teams monitoring traffic across a network.
As more development teams embrace containers to deploy applications and provide portability of software between environments we added the container view to Hava.
The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster.
ARCHITECTURAL MONITORING ALERTS
When changes are detected in the configuration of the cloud accounts you are managing, Hava can trigger an alert that lets you know when that change is detected.
This means you always know what is happening in your cloud accounts and for MSPs it means you can let clients loose on their own infrastructure and resources but you can keep an eye on the changes and can warn them of any security or cost implications of the deployed changes - no more bill shock!
COMPARE DIAGRAMS WITH DIFF VIEW
As changes are detected in your cloud configs, Hava stores superseded diagrams in version history automatically. You can compare any two interactive diagrams from any point in time using the revision comparison feature built into Hava. This shows you exactly what resources have been added, and which ones were removed during the time period between the two diagrams.
This could be the current live architecture diagram vs one from yesterday should you need to troubleshoot sudden unexpected application errors, or you could compare architecture over a longer period of time, like the period between PCI compliance audits so the auditors can see the changes they are interested in. You can also use diff views to analyse architectural drift or show clients the changes that have happened over time that have prompted questions around billing and escalating costs.
AWS Trusted Advisor Compliance Report
In addition to the diagrams produced by Hava, there is also a reporting module that contains an AWS compliance report.
The report details what resources, users and roles you have configured and which ones are in use. It will also analyse your AWS configuration and report findings based on AWS best practice. Findings are prioritised as high, medium and low severity and have a detailed explanation of the problem and the configuration policy at fault.
Whichever diagram or view makes the most sense or delivers the information your team needs to build and manage your environments, the upside to using a hands-free automatic AWS Region Diagram Tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added by mistake.
What you see is from the source of truth, always accurate and always up to date.
When your configuration changes, so do the diagrams, all automatically, all hands-free, no human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configurations to new ones to find out what changed in the event of a problem or compliance audit.
The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.
How to generate an AWS Network Topology Diagram
There are currently two options for using Hava to generate your cloud infrastructure diagrams.
Option 1: Hava SaaS
The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.
You simply create an AWS cross-account role with read-only permissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data, render the diagrams and start to track any changes for audit purposes. As with any third-party integration, scope the role's trust policy to the vendor's account and require the ExternalId the vendor gives you, so that the role cannot be assumed from any other account or tenant.
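Before handing a cross-account role to any SaaS vendor it is worth checking two properties of the role: the trust policy names exactly one external account and requires an ExternalId, and the permissions policy grants nothing beyond read-only calls. The block below is an added example for this page, not Hava's code, its real account ID, or its required permission set: the vendor account ID, the ExternalId and the list of read-only actions are placeholders, and the prefix test for "read-only" is a heuristic (some `Get*` actions, such as reading object contents, still expose data).

```python
"""Sanity-check a cross-account IAM role: trust scoped to one vendor account
with an ExternalId, and permissions limited to read-only verbs.
Added example with placeholder identifiers, not a vendor's real values."""
import json

VENDOR_ACCOUNT_ID = "111122223333"               # placeholder, not Hava's account
EXTERNAL_ID = "example-external-id-from-vendor"  # placeholder, take from the vendor
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same trust but without the ExternalId condition: any customer of the same
# vendor could ask the vendor to assume this role (confused deputy).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Illustrative read-only set for an inventory tool; not a vendor's actual list.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                   "rds:Describe*", "ecs:Describe*", "ecs:List*",
                   "iam:Get*", "iam:List*"],
        "Resource": "*",
    }],
}

OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "iam:PassRole"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(doc, vendor_account_id=VENDOR_ACCOUNT_ID):
    """Findings for every AssumeRole statement whose principal is not the
    vendor account or which lacks an sts:ExternalId StringEquals condition."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in aws_principals:
            if p == "*" or not p.startswith(f"arn:aws:iam::{vendor_account_id}:"):
                findings.append(f"trust principal is not the vendor account: {p!r}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def permissions_findings(doc, read_only_prefixes=READ_ONLY_PREFIXES):
    """Findings for every allowed action whose verb is not a read-only prefix,
    including wildcards. NotAction is flagged outright: it grants the complement."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants every action not listed")
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.startswith(read_only_prefixes):
                findings.append(f"{action} is not a read-only action")
    return findings


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print("trust findings:", trust_policy_findings(TRUST_POLICY))
    print("weak trust findings:", trust_policy_findings(WEAK_TRUST_POLICY))
    print("permission findings:", permissions_findings(OVERLY_BROAD_POLICY))
```

Run the two checkers against the documents you are about to attach with `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`, and fix any finding before the role exists. The prefix heuristic is deliberately strict: `ec2:*` is rejected even though it contains the Describe calls, because it also contains everything else.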
A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.
Option 2: Self Hosted
The self-hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of third-party applications to your cloud environments, then self-hosted may be the solution.
Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.
As well as using the application console to generate and view diagrams, Hava has a fully featured API that allows you to programmatically add and remove data sources, projects and diagrams.
We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.
You can contact us via email@example.com or learn more here: