
AWS Topology Diagram by Hava

September 23, 2021

AWS Topology Diagrams

Accurate AWS topology diagrams are the easiest way to easily understand what you have configured and running in your AWS environments. An accurate diagram also allows you to easily communicate your AWS network design to key stakeholders including new engineers and external consultants.

If you are building or operating solutions hosted on AWS, you already understand the value a good network architecture diagram provides. The problem has always been the time it takes to manually draw diagrams, especially when using drag and drop charting applications.

If you have a complex network or multiple applications and dev/test environments it can take days or even weeks to research and map out your AWS Topology Diagram. Then of course, when you have done all the hard work mapping out your AWS infrastructure, resources and connections you then need to spend even more time keeping your diagrams up to date.

We understand this more than most because the team behind Hava are engineers that come from a cloud consulting and expert services background.

We were faced with the same problems you face if you are building or supporting cloud applications on AWS, Azure or GCP. When you take on existing infrastructure as part of a new role, need to deploy new infrastructure for a new project, or are on-boarding a new client's network, the very first thing you need to establish is what the existing infrastructure looks like: what resources you have to work with, what VPCs exist, what availability zones they are in, and what the security set up looks like.

When you establish exactly what is running, then you can commence the design work to make the network faster, more available and more secure, or work out how to integrate a new project or application feature without breaking anything already in production.

If you are a manager or architect, a well laid out AWS topology diagram of your development and production environments allows you to see at a glance whether your design has been implemented as expected.

With everything visually mapped out on a diagram, you can spot the vulnerabilities and know what to expect if, say, an AWS availability zone or entire region experiences an outage. Is your application or data replicated so it remains available to your users?

The thought of scouring through your AWS account console to start manually mapping out your environments with a drag & drop diagramming tool is something nobody we know gets any pleasure out of, which is probably why accurate AWS infrastructure visualization diagrams are rarely prioritised or readily available during an unexpected event. Just about every client we took on in our consulting days couldn't produce up to date or accurate diagrams.

If you have taken on the task of manually documenting your network then no sooner have you completed the diagrams, something changes and you have to analyse the implications and update all the diagrams to reflect the changes. With the numerous modern CI/CD approaches like deploying infrastructure as code, or setting up AWS to autoscale various resources in response to traffic loads, the process of diagramming can take days or even weeks for larger environments, especially if multiple AWS accounts and environments are involved.

Back when our engineers were providing cloud consulting services, they would routinely take several days or weeks to establish an accurate picture of what a new client's AWS network infrastructure looked like. Like you, they had to fire up the client's AWS management consoles and scour through all the services to establish exactly what was running, where it was running, and how the security was configured that allowed traffic to traverse the network.

They knew that the information they needed was available in the AWS config data and could be used to build an automated AWS topology diagram tool to reduce the process from days or weeks of tedious manual diagramming down to a few seconds or minutes for larger environments. What was once a laborious task nobody could get excited about was condensed into a simple process of creating a set of cross-account role credentials, connecting to Hava and letting the Hava AWS network topology diagram application do the rest.

Initially getting the AWS infrastructure mapped was the primary focus which was achieved with the Hava Infrastructure View.

[Image: AWS environment with attribute pane]

The Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are grouped by availability zone. The generated AWS Deployment Diagram also displays both internal and external resources.

All the Hava diagrams are fully interactive. Selecting any of the resources on a diagram changes the attribute panel on the right of the diagram canvas which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The diagrams also display the estimated costs of each resource which are totalled for the entire environment when the environment is opened up.

The Hava developers then turned to the relationships and connections between resources, and added the ability to toggle the display of connections on and off.

[Image: Security group connections]

Right from the start, we decided to keep the diagrams as clean as possible and free from non essential resources like network interfaces that could flood the diagrams making them messy and confusing. 

Although these less important components are not visualized on the network topology diagrams, we did need to know about these 'non-visualized' components, so we designed Hava to create a "List View". The List View is an extensive data set that lists all the resources discovered in your AWS configuration. This view lists both visualized and non-visualized resources.

List View

[Image: List View]

One of the major benefits of the Hava list view is the ability to sort the list by descending costs. This surfaces what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.

The list view provides you the ability to export this list of resources in CSV format, which CFOs and accountants seem to enjoy.

AWS Topology Diagram Security View

The Hava Security View was the next diagram added. We already had the configuration metadata and relationships coming back from AWS, so our security team asked if we could visualize the security relationships the same way we were able to visualize infrastructure.

AWS Security View

[Image: AWS Security View]

The security view diagram shows you all of your AWS security groups and then overlays the open ports to show how application users traverse your network. You can click on a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses related to that resource.

This high level view makes some security config issues obvious, like ports used for development or testing that have been accidentally left open.
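The kind of check the security view makes visual can also be run as code over the same configuration data. The following is an added example, not Hava's code: it walks a constructed list of security groups in the shape returned by the EC2 DescribeSecurityGroups API and flags any ingress rule that is open to the whole internet on a port other than the ones you expect to be public (the `EXPECTED_PUBLIC_PORTS` set is an assumption you would tune for your environment).

```python
"""Flag security-group ingress rules that are open to the world on
unexpected ports. Added example (not Hava code); the group data below is
constructed in the shape of EC2 DescribeSecurityGroups output."""
from ipaddress import ip_network

# Constructed sample data; the group ids are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-prod",
        "IpPermissions": [
            # HTTPS from anywhere: expected for a public web tier.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "app-dev",
        "IpPermissions": [
            # Debug port left open to the world: should be flagged.
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # SSH restricted to an office range: not flagged.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
            # Source is another security group, not a CIDR: not world-open.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "legacy-all",
        "IpPermissions": [
            # All protocols, all ports, from anywhere (IPv4 and IPv6): flagged.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]

# Assumption: only these ports are meant to be reachable from the internet.
EXPECTED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict):
    """Return (from, to) for a rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_open_ports(groups, expected_public=EXPECTED_PUBLIC_PORTS):
    """Return one finding per rule that is world-open on an unexpected port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue
            lo, hi = port_range(perm)
            # A world-open rule is acceptable only for a single expected port.
            if lo == hi and lo in expected_public:
                continue
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg["GroupName"],
                "protocol": perm.get("IpProtocol"),
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
            })
    return findings


if __name__ == "__main__":
    for f in find_open_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group_name']} ({f['group_id']}): "
              f"{f['protocol']} {f['ports']} open to the world")
```

Against the constructed data this reports the `app-dev` group (TCP 8080 from 0.0.0.0/0) and the `legacy-all` group (all protocols and ports from anywhere), while the restricted SSH rule and the group-to-group database rule pass. Rules that reference another security group rather than a CIDR are deliberately left alone, since their reachability depends on the referenced group.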

The AWS security view is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to enable effective visualized security monitoring.

One of the benefits of having a team of actual cloud engineers behind a product like hava.io as opposed to say a drag and drop flow chart drawing package solution, is that our team are always close to the market and hundreds of front line cloud engineers. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to send in feature requests which we endeavour to integrate into Hava as soon as possible. This means you have the most extensive and accurate AWS topology diagrams available when you connect your AWS accounts to Hava.

This is evidenced by the rising popularity of AWS Container Services. As more development teams embraced containers to deploy applications and provide portability of software between environments, we added the Container View.

Container View

[Image: AWS ECS Container View]

The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster.

ARCHITECTURAL MONITORING ALERTS

When changes are detected in the configuration of the cloud accounts you are managing, Hava can trigger an alert that lets you know when that change is detected.

[Image: Alert detail]

This means you always know what is happening in your cloud accounts and for MSPs it means you can let clients loose on their own infrastructure and resources but you can keep an eye on the changes and can warn them of any security or cost implications of the deployed changes - no more bill shock! 

COMPARE DIAGRAMS WITH DIFF VIEW

As changes are detected in your cloud configs, Hava stores superseded diagrams in version history automatically. You can compare any two interactive diagrams from any point in time using the revision comparison feature built into Hava. This shows you exactly what resources have been added, and which ones were removed during the time period between the two diagrams.

[Image: Revision comparison diagram]

This could be the current live architecture diagram vs one from yesterday should you need to troubleshoot sudden unexpected application errors, or you could compare architecture over a longer period of time, like the period between PCI compliance audits so the auditors can see the changes they are interested in. You can also use diff views to analyse architectural drift or show clients the changes that have happened over time that have prompted questions around billing and escalating costs.
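The revision comparison described above reduces to comparing two inventory snapshots keyed by resource id. The following added example (not Hava's comparison code) does that over two constructed snapshots: it reports resources added, resources removed, and, for resources present in both, which attributes changed, so that a widened security group rule shows up as drift rather than being hidden behind an unchanged resource id. The snapshot format and resource ids are assumptions for the example.

```python
"""Report added, removed and changed resources between two inventory snapshots.
Added example, not Hava's revision comparison; the snapshots are constructed."""

# Constructed "yesterday" snapshot: resource id -> attributes.
SNAPSHOT_OLD = {
    "i-0123456789abcdef0": {"type": "ec2:instance", "subnet": "subnet-a",
                            "security_groups": ["sg-web"]},
    "i-0fedcba9876543210": {"type": "ec2:instance", "subnet": "subnet-b",
                            "security_groups": ["sg-web"]},
    "sg-web": {"type": "ec2:security-group",
               "ingress": [("tcp", 443, "0.0.0.0/0")]},
}

# Constructed "today" snapshot: one instance gone, a NAT gateway added,
# and the web security group now also admits SSH from anywhere.
SNAPSHOT_NEW = {
    "i-0123456789abcdef0": {"type": "ec2:instance", "subnet": "subnet-a",
                            "security_groups": ["sg-web"]},
    "sg-web": {"type": "ec2:security-group",
               "ingress": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")]},
    "nat-0abc123def456789a": {"type": "ec2:nat-gateway", "subnet": "subnet-a"},
}


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return {'added': [...], 'removed': [...], 'changed': {id: {attr: (old, new)}}}."""
    old_ids, new_ids = set(old), set(new)
    added = sorted(new_ids - old_ids)
    removed = sorted(old_ids - new_ids)
    changed = {}
    for rid in sorted(old_ids & new_ids):
        deltas = {}
        # Compare every attribute present on either side, so a dropped or
        # newly added attribute is reported as well as a modified value.
        for key in sorted(set(old[rid]) | set(new[rid])):
            before, after = old[rid].get(key), new[rid].get(key)
            if before != after:
                deltas[key] = (before, after)
        if deltas:
            changed[rid] = deltas
    return {"added": added, "removed": removed, "changed": changed}


def format_diff(diff: dict) -> list:
    """Render a diff as plain text lines, one per added/removed/changed item."""
    lines = [f"+ {rid}" for rid in diff["added"]]
    lines += [f"- {rid}" for rid in diff["removed"]]
    for rid, deltas in diff["changed"].items():
        for key, (before, after) in deltas.items():
            lines.append(f"~ {rid} {key}: {before!r} -> {after!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_diff(diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW))))
```

The output lists the NAT gateway as added, the second instance as removed, and `sg-web` as changed with its old and new ingress lists side by side, which is the information an auditor or an on-call engineer wants when asking "what changed between these two points in time".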

Whichever diagram makes the most sense or delivers the information your team needs to manage your environments, the upside to using a hands-free automatic AWS Topology Diagram Tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is missed out and nothing can be added or removed by mistake. What you see is from the source of truth, always accurate and always up to date.

When your configuration changes, so do the diagrams. All hands-free, no human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up these historical diagrams at any time you like. They are fully interactive like the live diagrams so you can compare old configurations to new ones to find out what changed in the event of a problem or compliance audit.

Having an audit trail of changes lets you find the cause of outages or issues fast.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.

How to generate an AWS Topology Diagram

There are currently two options for using Hava to generate your cloud infrastructure diagrams.

Option 1: Hava SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.

You simply create an AWS cross-account role with read-only permissions (JSON policy supplied), then log into hava.io and connect your AWS account. Hava will read your AWS config data, render your diagrams and start to track any changes for audit purposes.

A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself even if you don't have any live environments. At the time of writing, no credit card is required to take the trial.
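Before connecting any third-party service through a cross-account role it is worth checking two things in the policies you create: that the role's trust policy names only the expected account and requires an external id (the standard mitigation for the confused-deputy problem with third-party access), and that the attached permissions policy really is read-only. The following is an added example, not Hava's supplied policy: the trusted account id and external id are placeholders, and the read-only test is a prefix heuristic (`Describe`, `List`, `Get`) rather than an authoritative list of read-only IAM actions.

```python
"""Build a cross-account trust policy and sanity-check it and the attached
permissions policy. Added example, not the vendor's supplied JSON; account id,
external id and the sample permissions policy are placeholders/constructed."""
import json

TRUSTED_ACCOUNT_ID = "111111111111"  # placeholder for the vendor's AWS account
EXTERNAL_ID = "replace-with-vendor-supplied-external-id"  # placeholder

# Heuristic: IAM actions with these prefixes do not modify resources.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed read-only permissions policy for the example.
SAMPLE_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ecs:List*", "ecs:Describe*",
                   "elasticloadbalancing:Describe*", "s3:GetBucketLocation"],
        "Resource": "*",
    }],
}


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy letting one account assume the role, gated by an external id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_issues(policy: dict, expected_account: str) -> list:
    """Return problems found in a trust policy; an empty list means it passed."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            if p == "*":
                issues.append("statement trusts any AWS principal (*)")
            elif f"::{expected_account}:" not in p:
                issues.append(f"statement trusts unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            issues.append("statement does not require sts:ExternalId")
    return issues


def non_read_only_actions(policy: dict) -> list:
    """Return allowed actions whose name does not start with a read-only verb."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[1] if ":" in action else action
            if verb == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    trust = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust issues:", trust_policy_issues(trust, TRUSTED_ACCOUNT_ID))
    print("non-read-only actions:", non_read_only_actions(SAMPLE_READ_ONLY_POLICY))
```

Run the same two checks against the JSON the vendor supplies before creating the role; a trust policy that passes `trust_policy_issues` and a permissions policy for which `non_read_only_actions` returns an empty list is what "read-only cross-account role" should mean in practice. Where the vendor's policy uses an action the prefix heuristic does not recognise, confirm it against the IAM service authorization reference rather than loosening the check.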

Option 2: Self Hosted

The self hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of 3rd party applications to your cloud accounts, then self-hosted may be the solution.

Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.

As well as using the application console to generate and view diagrams, Hava has a fully featured API that allows you to programmatically add and remove data sources, projects and pull diagrams.


We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.

You can contact us via sales@hava.io or learn more here:


Topics: aws cloud

Written by Team Hava

The Hava content team
