AWS VPC Peering Diagram

January 27, 2022

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can also be in different AWS regions, which is known as an inter-region VPC peering connection.

When you are building solutions or networks on AWS you no doubt appreciate the value of a well laid out network topology diagram like the ones automatically generated by Hava.

AWS_Environment_with_Attribute_Pane

Instantly being able to see all the resource instances laid out by VPC, with columns representing AWS regions that contain all of your subnets, helps you understand exactly what is going on.

If a VPC peering connection is detected, it will be displayed to the right hand side of the VPC so you are aware that this VPC is able to communicate with another VPC either in your AWS account, or in someone else's.

Selecting any instance on a Hava infrastructure diagram will display the settings and metadata to the right hand side of the diagram.

aws_diagram_resource_instance_selected 

This image shows that selecting an EC2 instance displays the settings related to that selected instance like:

  • cost
  • type
  • architecture
  • platform
  • availability zone
  • launch time
  • virtualization type
  • dns
  • ips
  • subnets
  • security groups
  • network interfaces
  • volumes
  • tags

As you can see, there is a great deal of information you can interrogate, even though the diagram shows just a single icon for the selected EC2 instance. This keeps the diagram clean and easily understood while keeping the detailed data on hand, so you don't have to flip back and forth between your AWS console and Hava.

Hava shows your VPC peering connections to the right of your diagram as a circle with a cloud in the centre surrounded by four arrows.

VPC_Peering_View

As you can see on this diagram, there are six VPC peering connections.

Selecting any of them will change the attribute pane to the right of the diagram to show details about the peering connection.

VPC_Peering_Attribute_Details

The attribute pane will show you:

  • Status
  • Accepter VPC details
  • Peering Options
  • Requester VPC
  • Tags

From this information, you can identify the peered VPC.

Since the peered VPC could belong to another AWS account that is not connected as a data source, it is not automatically displayed on your infrastructure diagram. However, you can use the custom diagram builder to create a diagram with multiple VPCs on it.
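Because the far side of a peering connection may sit in an account you do not control, it is worth knowing exactly which peers are cross-account or inter-region and which inbound requests are still waiting for acceptance. The following is an added example (not Hava's code) that reviews the response of the EC2 DescribeVpcPeeringConnections API, the same requester/accepter/status data the attribute pane shows. The response, the account ids and the pcx- ids below are constructed placeholders so the check runs offline.

```python
"""Review VPC peering connections for cross-account and inter-region peers.

Added example, not Hava's code.  It reads the response shape of the EC2
DescribeVpcPeeringConnections API (what boto3's
ec2.describe_vpc_peering_connections() returns).  The response below is
constructed inline; account ids, VPC ids and pcx- ids are placeholders.
"""
from typing import List

MY_ACCOUNT = "111111111111"  # placeholder for the account running the check

SAMPLE_RESPONSE = {
    "VpcPeeringConnections": [
        {   # same account, same region: routine internal peering
            "VpcPeeringConnectionId": "pcx-0000000000000001",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-1234", "Region": "us-west-1", "CidrBlock": "10.1.0.0/16"},
            "AccepterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-5678", "Region": "us-west-1", "CidrBlock": "10.2.0.0/16"},
            "Tags": [{"Key": "Name", "Value": "prod-to-shared"}],
        },
        {   # peer VPC belongs to another account in another region
            "VpcPeeringConnectionId": "pcx-0000000000000002",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-1234", "Region": "us-west-1", "CidrBlock": "10.1.0.0/16"},
            "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-9abc", "Region": "eu-west-1", "CidrBlock": "172.16.0.0/16"},
            "Tags": [],
        },
        {   # another account asked to peer with us and nobody has accepted yet
            "VpcPeeringConnectionId": "pcx-0000000000000003",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "333333333333", "VpcId": "vpc-def0", "Region": "us-west-1", "CidrBlock": "192.168.0.0/16"},
            "AccepterVpcInfo": {"OwnerId": MY_ACCOUNT, "VpcId": "vpc-5678", "Region": "us-west-1", "CidrBlock": "10.2.0.0/16"},
            "Tags": [],
        },
    ]
}


def review_peering(conn: dict, my_account: str) -> dict:
    """Summarise one peering connection from my_account's point of view."""
    req, acc = conn["RequesterVpcInfo"], conn["AccepterVpcInfo"]
    # The peer is whichever side is not ours; for an internal peering both sides are.
    peer = acc if req["OwnerId"] == my_account else req
    findings: List[str] = []
    if req["OwnerId"] != acc["OwnerId"]:
        findings.append("cross-account")
    if req.get("Region") != acc.get("Region"):
        findings.append("inter-region")
    if conn["Status"]["Code"] == "pending-acceptance" and req["OwnerId"] != my_account:
        findings.append("inbound-request-pending")
    if not any(t["Key"] == "Name" for t in conn.get("Tags", [])):
        findings.append("no-name-tag")
    return {
        "id": conn["VpcPeeringConnectionId"],
        "status": conn["Status"]["Code"],
        "peer_account": peer["OwnerId"],
        "peer_vpc": peer["VpcId"],
        "peer_cidr": peer.get("CidrBlock"),
        "findings": findings,
    }


def review_all(response: dict, my_account: str = MY_ACCOUNT) -> List[dict]:
    """Review every connection in a DescribeVpcPeeringConnections response."""
    return [review_peering(c, my_account) for c in response["VpcPeeringConnections"]]


if __name__ == "__main__":
    for row in review_all(SAMPLE_RESPONSE):
        print(row["id"], row["status"], row["peer_account"], row["peer_vpc"],
              row["peer_cidr"], ",".join(row["findings"]) or "ok")
```

Against a live account, replace SAMPLE_RESPONSE with the result of boto3.client("ec2").describe_vpc_peering_connections(), which only needs describe (read) permission. The peer_cidr value is what ends up in your route tables once the connection is active, so a cross-account finding with an unfamiliar CIDR is the line to look at first.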

The "Search" function built into Hava is a custom diagram builder.

It finds all the resources that match your search criteria and creates a new 'custom' diagram on the fly that you can then view and discard, or save for future use. Any saved custom diagrams are automatically updated (with version history) just like the auto-generated infrastructure diagrams that are created when you first connect your cloud accounts to Hava.

The hava.io custom search feature has been available for a number of years, however the latest iteration has introduced new and more powerful operators and operands to enable granular inspection of your cloud environments.

SEARCH OPERATORS

Joining queries with 'and'

"And" allows you to join queries together to limit or expand the results returned.

Search_And

will search for all resources that are EC2 Instances AND are within the VPC vpc-1234

Joining queries with 'or'

Search_Or

will return resources within us-west-1 OR within us-west-2

Excluding matches with '-' (minus)

By adding a minus ( - ) before your search token you can remove any resources that match a query.

Search_Minus

will return resources that are in the VPC vpc-1234 and don't have a name starting with 'dev-'

Grouping queries with brackets

You can also group a set of tokens together to create more complex queries by surrounding them with brackets.

Search_Brackets

will return all resources within the VPC vpc-1234 that have the tag CostCenter with a value of either dev or test.

Doing a DEEP SEARCH using @

Sometimes you not only want to see the matched resources, but anything connected to them as well. You may want to find your instances but also see their load balancers without having to specify them. Or perhaps you want to see your ECS clusters as well as the instances they are running on.

Search_Deep

will return all instances, as well as connected resources such as load balancers and ECS clusters.

@CostCenter:dev and vpc:vpc-1234 will return all resources with the tag CostCenter and value dev that are in the VPC vpc-1234. It will then also return any resources connected to them on the resulting AWS VPC diagram.

⚠️  Any resources returned with the Deep Search operator will be returned after the search is complete, and will not be matched against the query itself. If you search for a specific tag with the deep search operator it may return resources without that tag, for instance.


Complex Queries

Using these operators and tokens a range of complex queries can be created.

Search_Complex

What you should get in this case is a diagram with two VPCs:

  • vpc-1234 containing any resources with a CostCenter of either dev or test and aren’t owned by Jim Smith

  • vpc-4567 containing all the databases within it, all the instances within it, and any resources connected to the instances.

SEARCH TOKENS

ip:

Returns anything with the matching IP

ip:10.1.1.1 will match the exact IP

ip:10.1.* will match the range

name:

Returns anything with the matching name

name:MyInstance will match the exact name

name:My* will match anything starting with 'My'

name:"My Other Instance" will match a name with spaces or other special characters

project:

Returns everything in the project - works for Google Cloud

region:

Returns anything in the region - works for AWS, Azure, and Google Cloud.

region:us-west-1 or region:us-west-2

resource_group:

Returns everything in the resource_group - works for Azure

source:

Returns anything in this source.

Search_Source

The source needs to be selected from the suggestion list.

subnet:

Returns everything in the subnet - works for AWS, Azure and Google Cloud

type:

Returns anything matching the type.

The type name needs to be selected from the suggestion list as the format needs to match allowed values.

type:"AWS::EC2::Instance"

virtual_network:

Return everything within the Virtual Network for Azure

vpc:

Search for everything in a VPC - works for Google Cloud and AWS

vpc:vpc-1234 will return everything in vpc-1234

vpc:vpc-1234 or vpc:vpc-5678 will return both VPCs

Any other value followed by ':' (Tags)

Any other token is considered a tag and works across AWS, Azure and Google Cloud

CostCenter:dev will return everything with the tag named CostCenter with the value dev

"aws:deployment:name":"Test Deployment" will handle tag names and values with spaces or special characters

Location:US* will search for a tag called Location with any values starting with US
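To make the operator rules (and, or, '-', brackets, '@') and the token rules (first-class keys, tag keys, '*' wildcards, quoted values) concrete, here is an added example, written for this page and not Hava's own code, that tokenizes and evaluates queries of this shape against a small constructed inventory. The inventory, the operator precedence ('and' binds tighter than 'or'), case-sensitive matching, and the deep-search reading (a resource matched by an @-token has its direct connections appended after the match is complete, as the warning above describes) are assumptions made for the illustration.

```python
"""Evaluate Hava-style search queries against a resource inventory.
Added example, not Hava's code.  Token keys, '*' wildcards, quoting, and/or,
'-' and brackets follow the page; precedence ('and' before 'or'), the
deep-search reading and the inventory below are assumptions."""
import re
from typing import Dict, List, Set, Tuple

# Constructed inventory; "connections" lists ids of directly attached resources.
RESOURCES: Dict[str, dict] = {
    "i-web1": {"type": "AWS::EC2::Instance", "name": "web-1", "vpc": "vpc-1234", "region": "us-west-1",
               "ip": "10.1.1.1", "tags": {"CostCenter": "dev", "Owner": "Jim Smith"}, "connections": ["elb-1"]},
    "i-dev2": {"type": "AWS::EC2::Instance", "name": "dev-2", "vpc": "vpc-1234", "region": "us-west-1",
               "ip": "10.1.1.2", "tags": {"CostCenter": "test"}, "connections": ["elb-1"]},
    "elb-1": {"type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "name": "web-lb", "vpc": "vpc-1234",
              "region": "us-west-1", "tags": {}, "connections": ["i-web1", "i-dev2"]},
    "db-1": {"type": "AWS::RDS::DBInstance", "name": "orders-db", "vpc": "vpc-4567", "region": "us-west-2",
             "ip": "10.2.5.9", "tags": {"CostCenter": "dev"}, "connections": []},
    "i-api3": {"type": "AWS::EC2::Instance", "name": "api-3", "vpc": "vpc-4567", "region": "us-west-2",
               "ip": "10.2.1.3", "tags": {"CostCenter": "prod"}, "connections": ["ecs-1"]},
    "ecs-1": {"type": "AWS::ECS::Cluster", "name": "api-cluster", "vpc": "vpc-4567", "region": "us-west-2",
              "tags": {}, "connections": ["i-api3"]},
}
# Keys the page documents as first-class tokens; any other key is treated as a tag name.
FIELD_KEYS = {"ip", "name", "project", "region", "resource_group", "source",
              "subnet", "type", "virtual_network", "vpc"}
TOKEN_RE = re.compile(
    r'(?P<lp>\()|(?P<rp>\))|'
    r'(?P<neg>-?)(?P<deep>@?)(?P<key>"[^"]*"|[^\s():"]+):(?P<val>"[^"]*"|[^\s()"]+)|'
    r'(?P<word>\S+)')

def tokenize(query: str) -> List[tuple]:
    """Split a query into '(', ')', 'AND', 'OR' and ('TERM', negated, deep, key, value)."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.group("lp") or m.group("rp"):
            tokens.append((m.group(0),))
        elif m.group("key") is not None:
            tokens.append(("TERM", m.group("neg") == "-", m.group("deep") == "@",
                           m.group("key").strip('"'), m.group("val").strip('"')))
        elif m.group("word").lower() in ("and", "or"):
            tokens.append((m.group("word").upper(),))
        else:
            raise ValueError(f"unexpected token {m.group('word')!r}")
    return tokens

def glob_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard; everything else is matched literally (case-sensitive)."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None

def term_matches(key: str, val: str, res: dict) -> bool:
    actual = res.get(key) if key in FIELD_KEYS else res.get("tags", {}).get(key)
    return actual is not None and glob_match(val, actual)

class Parser:
    """Recursive-descent evaluator; every node yields (matched ids, ids to deep-expand)."""
    def __init__(self, tokens: List[tuple], resources: Dict[str, dict]):
        self.toks, self.pos, self.res = tokens, 0, resources
    def peek(self):
        return self.toks[self.pos][0] if self.pos < len(self.toks) else None
    def take(self) -> tuple:
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of query")
        self.pos += 1
        return self.toks[self.pos - 1]
    def expr(self) -> Tuple[Set[str], Set[str]]:       # expr := conj ('or' conj)*
        matched, deep = self.conj()
        while self.peek() == "OR":
            self.take()
            m2, d2 = self.conj()
            matched, deep = matched | m2, deep | d2
        return matched, deep
    def conj(self) -> Tuple[Set[str], Set[str]]:       # conj := unit ('and'? unit)*
        matched, deep = self.unit()
        while self.peek() in ("AND", "TERM", "("):
            if self.peek() == "AND":
                self.take()
            m2, d2 = self.unit()
            matched, deep = matched & m2, (deep | d2) & matched & m2
        return matched, deep
    def unit(self) -> Tuple[Set[str], Set[str]]:       # unit := '(' expr ')' | term
        tok = self.take()
        if tok[0] == "(":
            result = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing closing bracket")
            return result
        if tok[0] != "TERM":
            raise ValueError(f"unexpected {tok[0]}")
        _, neg, deep, key, val = tok
        hits = {rid for rid, r in self.res.items() if term_matches(key, val, r)}
        if neg:                       # '-' excludes matches and never deep-expands
            return set(self.res) - hits, set()
        return hits, (hits if deep else set())

def search(query: str, resources: Dict[str, dict] = RESOURCES) -> Tuple[List[str], List[str]]:
    """Return (resources matching the query, extra resources pulled in by '@' tokens)."""
    parser = Parser(tokenize(query), resources)
    matched, deep = parser.expr()
    if parser.pos != len(parser.toks):
        raise ValueError("unbalanced brackets")
    connected: Set[str] = set()
    for rid in deep:
        connected.update(c for c in resources[rid]["connections"] if c in resources)
    return sorted(matched), sorted(connected - matched)
```

Running search('@CostCenter:dev and vpc:vpc-1234') on this inventory returns the instance tagged dev in vpc-1234 plus its load balancer, and the load balancer does not carry the CostCenter tag, which is exactly the behaviour the deep-search warning above describes. The second list that search returns keeps those appended resources separate from the real matches so a reviewer can tell the two apart.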

The Hava search provides massive flexibility when you are looking to visualize your cloud environments, especially if you want to build VPC peering diagrams.

If this is the first time you have come across hava.io you can view a walk through video on the home page which will run you through automating your cloud infrastructure diagrams.

There are a number of diagrams that are automatically generated when you connect your AWS account (or GCP and Azure, for that matter).

Hava Infrastructure View.

AWS_Environment_with_Attribute_Pane

The Hava Infrastructure view lays out your AWS VPCs into separate diagram sets. Subnets within the VPC are mapped within the columns of availability zones. The AWS VPC diagram generated also displays both internal and external resources.

The diagrams automatically generated by Hava are interactive, which means clicking on any of the resources on the diagram changes the attribute panel on the right of the diagram and lets you take a deep dive into the resource settings like security groups, IP ingress/egress ports, connected storage and so on. The VPC diagrams also display the estimated costs of each resource, which are totalled for the entire environment when the environment is opened up.

You can toggle on and off the ability to view connections.

show_or_hide_connections

Hava List View

The list view details all known instances, including things like network interfaces that aren't visualised on the main infrastructure diagrams in order to keep them clean and readable. The listed resources can be sorted and also have an estimated cost detailed against them.

List_View_New_UI

One of the benefits of this list view is the ability to sort the list, including by descending costs. This reveals what resources make up the bulk of your estimated cloud spend which should help when you are looking to save cloud costs or explain to management which important resources make up the bulk of your AWS bill.

AWS CLOUD DIAGRAM SECURITY VIEW

The security view visualizes the security relationships the same way Hava visualizes infrastructure.

AWS_Security_Group_Diagram

The security view shows you all of your AWS or Azure security groups and overlays the open ports to show how traffic traverses your network. You can select a security group on the diagram to see all the connected resources in the attribute pane, as well as the ingress and egress port numbers and associated IP addresses related to that resource.

This high level view makes some security config issues obvious.

The Hava AWS security diagram is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to security teams monitoring traffic across a network.

One of the benefits of having a team of seasoned cloud engineers behind a product like Hava as opposed to say a drag and drop flow chart drawing package, is that we are always close to the market and hundreds of front line cloud engineers. If we don't pick up new technologies and methodologies first, then our customers will, and are sure to send in feature requests which we endeavour to integrate into Hava as soon as possible.

Hava Container View

AWS ECS Container View 800x600

The container view displays your ECS Services and the contained ECS tasks inside an ECS Cluster. The container status is displayed using different colours and selecting a task will show the container attributes in the right hand pane.

AWS TRUSTED ADVISOR COMPLIANCE REPORT

In addition to the diagrams produced by Hava, there is also a reporting module that contains an AWS compliance report.

Reports_NewUI

The report details what resources, users and roles you have configured and which ones are in use. It will also analyse your AWS configuration and report findings based on AWS best practice. Findings are prioritised as high, medium and low severity and have a detailed explanation of the problem and the configuration policy at fault.

What you see on your Hava diagrams is from the source of truth, always accurate and always up to date.

When your configuration changes, so do the diagrams, all automatically, all hands-free, no human interaction required. The diagrams that are automatically replaced are archived in a version history. You can open up the historical diagrams at any time you like. They are fully interactive so you can compare old configurations to new ones to find out what changed in the event of a problem or compliance audit.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or a JPG for inclusion in your reporting as well as CSV and JSON.

HOW TO GENERATE AN AWS NETWORK TOPOLOGY DIAGRAM

There are currently two options for using Hava to generate your cloud network topology diagrams.

Option 1: Hava SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.

You simply create an AWS cross account role with read only permissions, then log into hava.io and connect your AWS account. Hava will read your AWS config data and render the diagrams and start to track any changes for audit purposes.

A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.

Option 2: Self Hosted

The self-hosted option allows you to run Hava from within your own AWS infrastructure. If you have particular security or enterprise policies that prevent the connection of third-party applications to your cloud environments, then self-hosted may be the solution.

Both options are identical in functionality, but you will need to contact our support team to organise a self-hosted solution.

As well as using the application console to generate and view diagrams, Hava has a fully featured API that allows you to programmatically add and remove data sources, projects and diagrams.

We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.

You can contact us via sales@hava.io or jump into a free trial here:


Written by Team Hava

The Hava content team
