A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between the two VPCs using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different AWS regions which is also known as an inter-region VPC peering connection.
When you are building solutions or networks on AWS you no doubt appreciate the value of a well laid out network topology diagram like the ones automatically generated by Hava.
Instantly being able to see all the resource instances laid out by VPC, with columns representing aws regions that contain all of your subnets helps to understand exactly what is going on.
If a VPC peering connection is detected, it will be displayed to the right hand side of the VPC so you are aware that this VPC is able to communicate with another VPC either in your AWS account, or in someone else's.
Selecting any instance on a Hava infrastructure diagram will display the settings and metadata to the right hand side of the diagram.
This image shows that selecting an EC2 instance displays the settings related to that selected instance like:
- cost
- type
- architecture
- platform
- availability zone
- launch time
- virtualization type
- dns
- ips
- subnets
- security groups
- network interfaces
- volumes
- tags
As you can see, there is a ton of information that you can interrogate, even though the diagram just has a single icon displayed for the selected EC2 instance, keeping the diagram clean and easily understood, while still having the powerful data on hand so you don't have to flip flop between your AWS console and Hava.
Hava shows your VPC peering connection to the right of your diagram being a circle with a cloud in the centre surrounded by four arrows.
As you can see on this diagram, there are six VPC peering connections.
Selecting any of them will change the attribute pane to the right of the diagram to show details about the peering connection.
The attribute pane will show you :
- Status
- Accepter VPC details
- Peering Options
- Requester VPC
- Tags
From this information, you can identify the peered VPC.
Since the VPC could belong to another AWS account not connected as a data source, it is not automatically displayed on your infrastructure diagram, however you can use the custom diagram builder to create a diagram with multiple VPCs on it.
The "Search" function built into Hava is a custom diagram builder.
It finds all the resources that match your search criteria and creates a new 'custom' diagram on the fly that you can then view and discard, or save for future use. Any saved custom diagrams are automatically updated (with version history) just like the auto generated infrastructure diagrams that are created when you first connect your cloud accounts to Hava.
The hava.io custom search feature has been available for a number of years, however the latest iteration has introduced new and more powerful operators and operands to enable granular inspection of your cloud environments.
SEARCH OPERATORS
Joining queries with ‘and '
"And" allows you to join queries together to limit or expand the results returned.
will search for all resources that are EC2 Instances AND are within the VPC vpc-1234
Joining queries with ‘or '
will return resources within us-west-1 OR within us-west-2
Excluding matches with '-' (minus)
By adding a minus ( - ) before your search token you can remove any resources that match a query.
will return resources that are in the VPC vpc-1234 and don’t have a name starting with ‘dev-’
Grouping queries with brackets
You can also group a set of tokens together to create more complex queries by surrounding them with brackets.
will return all resources within the VPC vpc-1234 that have the tag CostCenter with a value of either dev or test.
Doing a DEEP SEARCH using @
Sometimes you not only want to see the matched resources, but anything connected to them as well. You may want to find your instances but also see their load balancers without having to specify them. Or perhaps you want to see your ECS clusters as well as the instances they are running on.
will return all instances, as well as connected resources such as load balancers and ECS clusters.
@CostCenter:dev and vpc:vpc-1234 will return all resources with the tag CostCenter and value dev that are in the VPC vpc-1234. It will then also return any resources connected to them as well on the resulting AWS VPC diagram
| ⚠️ Any resources returned with the Deep Search operator will be returned after the search is complete, and will not be matched against the query itself. If you search for a specific tag with the deep search operator it may return resources without that tag, for instance. |
Complex Queries
Using these operators and tokens a range of complex queries can be created.
What you should get in this case is a diagram with two VPCs:
-
vpc-1234 containing any resources with a CostCenter of either dev or test and aren’t owned by Jim Smith
-
vpc-4567 containing all the databases within it, all the instances within it, and any resources connected to the instances.
SEARCH TOKENS
ip:
Returns anything with the matching IP
ip:10.1.1.1 will match the exact IP
ip:10.1.* will match the range
name:
Returns anything with the matching name
name:MyInstance will match the exact name
name:My* will match anything starting with ‘My’
name:”My Other Instance” will match a name with spaces or other special characters
project:
Returns everything in the project - works for Google Cloud
region:
Returns anything in the region - works for AWS, Azure, and Google Cloud.
region:us-west-1 or region:us-west-2
resource_group:
Returns everything in the resource_group - works for Azure
source:
Returns anything in this source.
The source needs to be selected from the suggestion list.
subnet:
Returns everything in the subnet - works for AWS, Azure and Google Cloud
type:
Returns anything matching the type.
The type name needs to be selected from the suggestion list as the format needs to match allowed values.
type:”AWS::EC2::Instance”
virtual_network:
Return everything within the Virtual Network for Azure
vpc:
Search for everything in a VPC - works for Google Cloud and AWS
vpc:vpc-1234 will return everything in vpc-1234
vpc:vpc-1234 or vpc:vpc-5678 will return both VPCs
Any other value followed by ' : ' (Tags)
Any other token is considered a tag and works across AWS, Azure and Google Cloud
CostCenter:dev will return everything with the tag named CostCenter with the value dev
"aws:deployment:name”:”Test Deployment” will handle tag names and values with spaces or special characters
Location:US* will search for a tag called Location with any values starting with US
The hava search provides massive flexibility when you are looking to visualize your cloud environments and especially if you want to build VPC Peering diagrams.
If this is the first time you have come across hava.io you can view a walk through video on the home page which will run you through automating your cloud infrastructure diagrams.
There are a number of diagrams that are automatically generated when you connect your AWS account (or GCP ad Azure for that matter)
Hava Infrastructure View.
The Hava Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are mapped within the columns of availability zones. The AWS VPC diagram generated also displays both internal and external resources.
The diagrams automatically generated by Hava are interactive. Which means, clicking on any of the resources on the diagram changes the attribute panel on the right of the diagram which allows you to take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The VPC diagrams also display the estimated costs of each resource which are totalled for the entire environment when the environment is opened up.
You can toggle on and off the ability to view connections.
Hava List View
The list view details all known instance, including things like network interfaces that aren't visualised on the main infrastructure diagrams to keep them clean and readable. The listed resources can be sorted and also have an estimated cost detailed against them.
One of the benefits of this list view is the ability to sort the list, including by descending costs. This reveals what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.
AWS CLOUD DIAGRAM SECURITY VIEW
The security view visualizes the security relationships the same way Hava visualizes infrastructure.
The security view shows you all of your AWS or Azure security groups and overlays the open ports to show how traffic traverses your network. You can select a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses related to that resource.
This high level view makes some security config issues obvious.
The Hava AWS security diagram is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to security teams monitoring traffic across a network.
One of the benefits of having a team of seasoned cloud engineers behind a product like Hava as opposed to say a drag and drop flow chart drawing package, is that we are always close to the market and hundreds of front line cloud engineers. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to send in feature requests which we endeavour to integrate into Hava as soon as possible.
Hava Container View
The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster. The container status is displayed using different colours and selecting a task will show the container attributes in the right hand pane.
AWS ARCHITECTURE DIAGRAM VERSION COMPARISON
Hava continuously scans your AWS architecture and when changes are detected a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten. Instead they are moved into version history. Still fully interactive.
What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.
So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.
AWS ARCHITECTURE MONITORING
While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.
Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.
Now you and your security team can be across every change as it happens so you can assess and take action if required.
What you see on your Hava diagrams is from the source of truth, always accurate and always up to date.
When your configuration changes, so do the diagrams, all automatically, all hands-free, no human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configurations to new ones to find out what changed in the event of a problem or compliance audit.
The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.
HOW TO GENERATE AN AWS NETWORK TOPOLOGY DIAGRAM
There are currently two options for using Hava to generate your cloud network topology diagrams.
Option 1: Hava SaaS
The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.
You simply create an AWS cross account role with read only permissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data and render the diagrams and start to track any changes for audit purposes.
A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.
Option 2: Self Hosted
The self hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of 3rd party applications to your cloud environments, then self-hosted may be the solution.
Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.
As well as using the application console to generate and view diagrams, Hava has a fully featured API that allows you to programmatically add and remove data sources, projects and diagrams.
We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.
You can contact us via sales@hava.io or jump into a free trial here:
