18 min read

Azure Network Diagrams

January 19, 2021

Azure_Network_DiagramsWhen you are working with Microsoft Azure, there is no doubt you appreciate the value and necessity of great Azure cloud architecture diagrams. Diagrams provide a visual cue for better communication and understanding of your cloud infrastructure at all levels of your organisation, from management down to freshly onboarded engineers and consultants.

If you have spent too many hours of your working day manually creating Azure network diagrams to keep tabs on your network design, then you also appreciate how much manual labour and errors are eliminated when you automate the process.

Azure is one of many cloud platforms that are compatible with hava.io which will safely connect to your cloud console configuration, via read only credentials, to automate the production and updating of azure architecture diagrams like this:

Azure_View

Connecting your Azure data source to Hava so that your diagrams can be automatically generated is a straight forward process.

To import environment diagram data from Azure, you will need to access your Azure Portal at https://portal.azure.com , create a new Service Principle and retrieve a set of credentials for your account.

Open the Azure Portal and launch PowerShell from the top menu bar :

1. Launch Powershell

Open the Azure Portal and launch PowerShell from the top menu bar

Open Power Shell
 

2. Create Service Principal

You will need to create a new Service Principal from the command line and a display name. In the below code example, we’ve used HavaServicePrincipal you can edit and choose a name that suits you.

Create_Service_Principle

3. Assign Reader Role

Hava only requires read-only access so, you can assign the read-only permissions to the Service Principal account using the below command.

Assign_Reader_Role
 

4. Create the Password

Once you’ve created the Service Principal and assigned it with a Reader Role, you need to create password credentials to attach to the Service Principal.

Create_a_Password
 

5. Obtaining the Credentials

The final step required is to retrieve the necessary credentials to input into Hava.

Get_Credentials
 
Azure_Credentials
 
 

Once you have the required credentials, you can log in to Hava which will open up the environments screen.  You then select "Add Environments"

Hava_Add_New_Cloud_Environment
 

Click on the "Azure" Tab and enter the credentials you have just gathered from your Azure PowerShell.

Add_Azure_Environment_to_Hava

 

Hava will import your Azure Environment, layout the diagram and add the environment tile to the Hava Environments screen. From this point Hava will periodically sync with Azure and log any structural changes, so you always have an accurate visual representation of your Azure Environment.

Azure_View

The diagrams produced are logically laid out by resource group which might contain subnets running in virtual networks.  All of the resource metadata isn't placed on the diagram, but is displayed in a contextual attribute pane to the side of the diagram.

This keeps the diagram uncluttered, but allows you to select the interactive elements of the diagram, like a virtual network, subnet or individual resources like gateways, load balancers, virtual machines, virtual network peering connections and storage accounts. All the metadata and settings are displayed alongside the diagram in the attribute pane and are contextual to the currently selected element.

With nothing selected, the attribute pane displays information about the entire Azure environment including a cost estimate breakdown.

Azure Environment Diagram Cost Estimates

 

One of the most powerful aspects of using Hava as part of your build pipeline or DevOps strategy is that the software keeps track of any changes detected in your Azure infrastructure.

Once a change is detected, a new diagram set is spawned and the superseded diagram set is placed in the version history.  You can select an older version to view and it remains fully interactive, not just a static diagram), so you can click into resources, inspect attributes and settings just as you can on the live diagrams.

Hava_Versions

Selecting an older diagram set, you can pull up the older version in a separate browser and compare current diagrams side-by-side so you can visually detect the differences.

You could also export current and superseded diagrams in JSON format and Diff the files to surface all the changes or use the built in revision comparison tool.

Azure ARCHITECTURE DIAGRAM VERSION COMPARISON

Hava continuously scans your Azure architecture and when changes are detected a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten. Instead they are moved into version history. Still fully interactive.

What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.

Azure_Diff_View 

So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.

Azure ARCHITECTURE MONITORING

While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.

Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.

Alerts_Detail

Now you and your security team can be across every change as it happens so you can assess and take action if required.

All the interactive diagrams are exportable in a number of formats.

Export_Hava_Diagrams

There are currently no mechanisms within Hava to draw diagrams from scratch or to add or remove elements.  The diagrams are designed to always reflect the source of truth at any point in time.  You can alway be confident that what you are looking at within Hava diagrams reflects reality because there is no way to add or remove diagram elements and resources.

We do however appreciate that sometimes you would like to use a diagram as a starting point for some redesign work, or you would like to annotate a diagram to explain elements of the diagram in management or sales presentations.

Azure Diagrams for Visio

The VSDX export option is the solution, enabling you to export your Azure infrastructure diagrams in Visio format.  You can then use Visio or a compatible application to import the diagram for manipulation.

exported_hava_diagram_in_drawio 

This provides the flexibility of editable diagrams while also maintaining the integrity of the diagrams and data held natively within Hava, so you have an unquestionable source of reference during a PCI compliance, Insurance or other type of audit.

Azure Network Diagrams

On top of the standard infrastructure and security diagrams, there are two more diagrams in the Azure Visualization diagrams that are produced automatically by Hava.

The extended infrastructure view is similar to the infrastructure view, however it adds some more metadata to the diagram like full resource names and resource sizes.

The final diagram is the "List View".  This report is, as the name suggests, a list of all the resources discovered in your environment.

This includes elements that are not visualised on the diagrams.  Some resources may have dozens or hundreds of reasonably unimportant instances like network interfaces or virtual machine extensions, which if visualised would make the diagrams unreadable.

The list view is where you can find these resources.  The list can be filtered, sorted by name, type or price and exported to CSV for easy import into a spreadsheet for cost analysis.

Azure List View 800x600 

The visualised resources are detailed below. The elements in the attributes column signify that they are not displayed on the infrastructure diagrams but do appear in the list view.

Visualised

Attributes

Application Gateway

Availability Set

Express Route

Load Balancer

Local Network Gateway

Network Interface

Network Security Group

Public IP

Redis Cache

Resource Group

Route Table

SQL Server

Storage Account

Subnet

Virtual Machine

Virtual Machine Extension

Virtual Machine Scale Set

Virtual Network

Virtual Network Gateway

Virtual Network Peering

 
 
Hava provides a fast, efficient and accurate method of producing and maintaining your Azure cloud network topology diagrams automatically, providing you better internal communications, the ability to surface resources you may not have known were running and to be able to respond to events and outages using a safe repository of network configuration history.
 
If you are not using Hava yet to document your Azure cloud environments, you are welcome to try a 14 day free trial, absolutely no obligation or pressure and no credit card required to sign up.
 

 

In case you missed it:  Is Kubernetes dropping docker support

Team Hava

Written by Team Hava

The Hava content team

Featured