Cloud Architecture Diagram Tool

June 17, 2021

[Image: Cloud Architecture Diagram Tool]

There are numerous reasons why you would want to accurately diagram and document your AWS environments. Knowing exactly what is running based on the actual resources configured in your cloud environments is probably the number one reason to use an automated Cloud Architecture Diagram Tool over manually drawing your network topology diagrams.

Hava's automation process discovers exactly what is running, so you can provide the information and documentation to onboard engineers faster, get to grips with new client architecture or report to management in an easily understood visual format.

Cloud Infrastructure Diagram Generator

Sitting down with Visio and your cloud platform icon template pack is a daunting prospect if your AWS, Azure or GCP environment contains more than a handful of resources or a load balancer or two.

Not only do you need to manually lay out your projects or VPCs and their resources, which can take hours or even days; once you have drawn the diagrams, you then need to keep them up to date if they are going to be of any practical use. That's where automated cloud diagram software comes into play.

AWS Architecture Diagrams

There are a number of network topology diagrams that can prove useful to your engineering and DevOps team. These include an AWS Infrastructure diagram like this:

[Image: AWS environment diagram with attribute pane]

This diagram logically lays out all the resources discovered when an AWS account is connected to Hava's AWS VPC Diagram Generator. The main VPC (the green rectangle) is surrounded by associated resources like internet and VPN gateways, S3 Buckets, VPC endpoints, VPC peering connections and so forth.

Inside the VPC, the configured availability zones are set out in columns that contain the individual subnets set up in those AZs. All the resources contained in each subnet are visualized, as are any load balancers routing traffic to the various subnets.

Having your diagrams automatically created from configuration data enables interrogation of each of the resources to see the settings and associations related to it. By clicking on any of the individually visualised resources, the attribute pane on the right-hand side of the diagram displays all the known details related to the resource. This is one aspect of Hava diagrams that simply isn't possible with manually created drag-and-drop diagram makers.

Automating the diagram build using AWS diagram software also reveals resources you may not be aware of. Long-forgotten database instances and sometimes entire dev or test environments are regularly discovered by this automation process.

GCP Cloud Architecture Diagrams

Hava's cloud architecture diagram tool will connect to your GCP accounts and visualize your GCP networks, zones and subnets.

[Image: GCP architecture diagram]

Azure Cloud Architecture Diagrams

As with AWS and GCP, you can also import your Azure environments into Hava. Hava will create diagrams for each Resource Group discovered. The resource group will detail any Virtual Networks configured in the group which in turn can contain multiple subnets and other resources like virtual machines, load balancers, peering connections and storage accounts.

[Image: Azure view]

Custom Cloud Architecture Diagram

There is always some compromise when it comes to generated documentation. The way that Hava discovers and builds diagrams is based at a VPC or resource group level. If more than one VPC is detected in your Amazon cloud account, for instance, then one diagram per VPC is created.

You may, however, want to combine two or more VPCs onto a single diagram. This can be achieved using the custom query function built into hava.io.

Custom Diagram Generator

[Image: multi-VPC search]

This custom query would create a new custom diagram containing the two nominated AWS VPCs. You would then have the ability to save this diagram so it is always present in your dashboard until you choose to delete it. As with all other diagrams, your custom infrastructure diagram would keep itself up to date and retain a version history every time a resource change is detected.

Cloud Resource List

Sometimes it is just not practical to include every single component detected in your cloud config on a diagram. Take, for instance, network interfaces, volumes or WAF rules. In an enterprise network with hundreds or maybe thousands of these non-essential components, trying to visualize every single one would make the diagram practically unreadable, or certainly too busy to easily recognise the core components.

Hava's cloud architecture diagram tool solves this issue by providing a detailed component list that covers every single resource detected.

[Image: list view]

This is a comprehensive list of resources that can be sorted and exported along with estimated monthly costs so you can see at a glance what resources are costing you the most money. This detailed view is also interactive. Selecting a resource on the diagram will reveal all the known settings and associations that resource has.

AWS and Azure Security Diagrams

Another major benefit of automating the discovery of your AWS and Azure environment diagrams is the ability to capture and visualize security group information. Security views for GCP are on our development roadmap.

AWS Security Architecture Diagram

[Image: AWS security group diagram]

With an AWS security group diagram you can view all of your configured security groups with the open ports overlaid on the visualization, giving an instant visual snapshot of the traffic flow and the ingress and egress points. The diagram is interactive, so you can select a particular security group on the diagram and view the important information relating to that group, such as the connected resources, ingress and egress IP addresses and associated tags.

AWS Well Architected Compliance

Hava also has a reporting module that features an AWS Compliance Report on the environments dashboard.

[Image: Reports]

The report steps you through all the regions and resources you have configured and will draw your attention to adverse well-architected findings graded as high, medium or low and the reasoning behind the finding.

The report is presentation quality and gives you insights on your AWS configuration and highlights opportunities for improvement.

Architecture Diagram Version Comparison

Hava continuously scans your cloud architecture and, when changes are detected, a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten. Instead they are moved into version history, where they remain fully interactive.

What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.

[Image: Diff view]

So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.

Cloud Architecture Monitoring

While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.

Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.

[Image: Alert detail]

Now you and your security team can be across every change as it happens so you can assess and take action if required.
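The diff diagrams and change alerts described in the two sections above both rest on the same operation: comparing two snapshots of the discovered resources and reporting what was added, removed or modified. The following added example (written for this page, not Hava's code, and using a constructed record shape and constructed sample snapshots) shows that comparison and flags the change a security team most wants to hear about, a security-group ingress rule newly opened to the whole internet:

```python
from typing import Any

# Constructed sample snapshots of one VPC, keyed by cloud resource ID.
# The record shape is an assumption made for this example, not Hava's format.
SNAPSHOT_MONDAY: dict[str, dict[str, Any]] = {
    "i-0aaa": {"type": "ec2_instance", "subnet": "subnet-a", "sg": ["sg-web"]},
    "sg-web": {"type": "security_group", "ingress": [("tcp", 443, "0.0.0.0/0")]},
    "db-old": {"type": "rds_instance", "subnet": "subnet-b"},
}
SNAPSHOT_TUESDAY: dict[str, dict[str, Any]] = {
    "i-0aaa": {"type": "ec2_instance", "subnet": "subnet-a", "sg": ["sg-web"]},
    "sg-web": {"type": "security_group",
               "ingress": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")]},
    "i-0bbb": {"type": "ec2_instance", "subnet": "subnet-b", "sg": ["sg-web"]},
}


def diff_snapshots(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify resource IDs as added, removed or modified between two snapshots."""
    shared = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(rid for rid in shared if old[rid] != new[rid]),
    }


def ingress_changes(old: dict, new: dict) -> dict[str, list[tuple]]:
    """List security-group ingress rules that were opened or closed."""
    opened, closed = [], []
    for rid in sorted(set(old) | set(new)):
        record = new.get(rid, old.get(rid, {}))
        if record.get("type") != "security_group":
            continue
        before = set(old.get(rid, {}).get("ingress", []))
        after = set(new.get(rid, {}).get("ingress", []))
        opened += [(rid, *rule) for rule in sorted(after - before)]
        closed += [(rid, *rule) for rule in sorted(before - after)]
    return {"opened": opened, "closed": closed}


def change_alert(old: dict, new: dict) -> list[str]:
    """Build the lines of a change alert; an empty list means nothing changed."""
    diff = diff_snapshots(old, new)
    lines = [f"{kind}: {', '.join(ids)}" for kind, ids in diff.items() if ids]
    for rid, proto, port, cidr in ingress_changes(old, new)["opened"]:
        # Flag the highest-risk case: a rule opened to the whole internet.
        if cidr == "0.0.0.0/0":
            lines.append(f"WARNING {rid} now allows {proto}/{port} from anywhere")
    return lines
```

Keying on the cloud resource ID is what lets a changed rule show up as a modification of the same security group rather than as one group removed and another added.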

Automated Cloud Diagram Updates

Finally, your documentation is only beneficial if it is accurate. It is quite possible to spend weeks manually constructing network topology diagrams only to have them rendered useless by a minor change to your network configuration. Given that the services provided by the major cloud vendors autoscale and auto-provision resources in response to traffic demand, the chances are your cloud infrastructure is changing more often than you imagine.

Built into Hava is an auto-sync function that polls connected cloud account data sources and automatically updates diagram sets when changes are detected. This means your diagrams are always current and up to date. The superseded diagram sets aren't discarded, however. They are placed into Hava's version history, which enables you to pull up and investigate older diagrams in the same fully interactive format.

This allows you to quickly identify changes to your cloud network topology either visually or by programmatic comparison.

It also allows you to demonstrate the status of your network to key stakeholders at any point in history. This can be invaluable during a PCI compliance audit or insurance claim should your network design ever be called into question.

Exporting Cloud Network Topology Diagrams

Native cloud architecture diagrams created by Hava are the nearest we've seen to the examples and recommendations provided by the major cloud platforms. These are great to view and interrogate via the dashboard; however, sometimes you'll need to pull a set of diagrams for audit purposes or for management or sales presentations.

The built-in export function allows you to do this by providing the following export options:

[Image: export diagram formats]

CSV, VSDX, JSON, PDF and PNG

Editing your Cloud Architecture Diagrams

Should you want to manipulate or embellish your auto-generated diagrams, exporting to VSDX format and using Visio, draw.io or any VSDX-compatible drawing package will allow you to edit your diagrams as required.

Should you not have access to Visio but would like to try this out, try opening one of your exported VSDX files in draw.io (diagrams.net).

[Image: exported Hava diagram in draw.io]

Getting Hava to do the bulk of the heavy lifting by initially generating accurate diagrams based on what is actually configured and running in your cloud environments gives you a base diagram ready to edit, which will save you hours or possibly days preparing management reports.

Conclusion

There aren't too many cloud engineers that would dispute the benefits of perpetually accurate network documentation. Hava provides just this with:

  • Auto-generation of documentation for your AWS, GCP & Azure networks
  • Automatic updates to the diagram sets
  • A full set of diagrams retained in version history every time a resource changes
  • A comprehensive API to allow IaC build pipeline integration
  • A unique AWS security view detailing security groups with visualized traffic ingress/egress
  • Compliance reporting
  • Architecture monitoring
  • Diff diagrams
  • Availability as SaaS or fully self-hosted


You can learn more about Hava here:


Written by Team Hava

The Hava content team
