
How to Improve the Accuracy of Your Cloud Diagrams Hands Free with Hava

August 19, 2023


There's no question that diagrams mapping out your cloud architecture are extremely useful. They help you visually understand what is going on, what's running and how it all hangs together.

For engineers, that means you can get to grips with architecture that is new to you, like a client account you just inherited or an internal application or project you've just been assigned to.

For developers and DevOps, it allows you to visually demonstrate the architecture you have deployed or recently built, making stand-ups and showcases easier.

For managers and product owners, diagrams let you see what your team is building and where your cloud budget is being consumed without having to trawl through cloud consoles or fly blind. You also get to see the approach and services being deployed to build your applications, which gives you the opportunity to assess whether those services are in line with your company guidelines on technologies and security.

The Problem With Cloud Diagrams

While cloud diagrams are useful for any number of reasons, they can be extremely time-consuming to produce and keep up to date, especially if you are drawing them manually.

Depending on the complexity of the architecture, you can spend days or even weeks console hopping between environments, cloud accounts and in the case of hybrid solutions, switching between vendors to get line of sight on all the components of your application architecture.

Not fun.

Then, once you have established what is running, how it is connected and how it is secured, the architecture changes and you have to work out what changed and how it impacts your diagrams so you can update them.

It is a perpetually time-consuming process that most people don't really have time for, which is why it is often ignored or put on the back burner. That is OK until you have an outage or need to troubleshoot an unexpected application problem, where the first question is "where are the architecture diagrams?"

Cloud Architecture Diagram Accuracy

Diagrams for simple cloud architecture built by a single team can often be managed manually, but when things become more complex or you have multiple projects being worked on by multiple engineers or remote teams, the opportunity for errors escalates.

There is always a danger of conflict when you have multiple people making changes to architecture: services outside the agreed methodology, or conflicting IaC configurations that cause problems. Even if there are no physical problems, getting the correct resources represented on the architecture diagrams is challenging.

If you aren't fully aware of the changes being made to your architecture by other teams or team members, the chances are those changes aren't making it to the diagrams and will potentially cause problems when you need the diagrams to diagnose a problem.

The solution to getting 100% accurate, always up-to-date diagrams that does not consume days of your valuable time is to automate with Hava.


How to create cloud architecture diagrams hands free

The secret to generating and maintaining accurate cloud architecture diagrams for AWS, Azure and GCP hands-free is to connect your cloud accounts to Hava.

Within minutes you will get accurate diagrams of all the resources running in each cloud account connected. Hava scans the cloud config, separates the resources into virtual networks and creates a diagram set for each environment discovered.

This means that if you have a thousand VPCs in an AWS account, you will get 1000 diagram sets created when you connect. All this by simply entering a set of read-only cross-account role credentials into Hava.

Creating Hands-Free Accurate Cloud Diagrams

Auto-Generate Cloud Architecture Diagram Sets

Using Hava to generate AWS/GCP/Azure infrastructure diagram sets is as simple as creating a read-only cross-account role and using those credentials to connect your cloud account to Hava.

For AWS, for example, paste the Role ARN into the Hava dialogue box, add an optional name and click "Import".
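Before pasting a Role ARN into any third-party tool it is worth confirming that the role really is read-only and can only be assumed by the intended account. The check below is an added example, not Hava's own code or policy; the trusted account ID, the external ID and the `connected` field names are placeholders, and the sample policies are constructed for the demonstration.

```python
# Added example, not Hava's own code or policy: sanity-check the cross-account
# role you create before pasting its ARN into a third-party tool. The trusted
# account ID and external ID below are placeholders, not Hava's real values.
TRUST_POLICY = {  # constructed sample
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}
PERMISSIONS_POLICY = {  # constructed sample; iam:PassRole is deliberately out of place
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "rds:Describe*", "ecs:List*", "iam:PassRole"],
        "Resource": "*",
    }],
}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy):
    """Problems with a cross-account trust policy: open principal, no ExternalId."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in trusted:
            findings.append("any AWS principal may assume the role")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings

def non_read_only_actions(policy):
    """Allowed actions that are not Describe*/List*/Get* (a bare '*' also fails)."""
    offending = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                offending.append(action)
    return offending
```

The prefix list is a deliberately strict starting point; widen it only for services whose read actions use other verbs.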

[Image: Getting started, create a cross-account role]

Hava will connect to your environment and pull back the resources and relationships between them and build a complete visualisation of your environment in several diagram views.

Let's take a look at the different views of your network topology automatically generated by Hava. 

AWS Architecture View

[Image: AWS environment with attribute pane]

Your AWS architecture will be visualized by logically laying out one VPC per diagram. The AWS regions discovered are represented by columns within the VPC, and each region column contains the subnets configured in that region.

With your environment visualised in this "Infrastructure View" you can select items and resources displayed on the interactive diagram to dig into the attributes of the selected resource, subnet or VPC.

This view gives you a visual prompt in relation to the regional redundancy built into your network design. Can your application survive an individual region outage? 

You are able to optionally display resource names and connections which by default are not displayed to keep the diagram uncluttered. There are manual canvas controls to scale and adjust the diagram. The standard infrastructure view out of the box provides the key information needed by Engineers, DevOps and Management and saves you hours or even days of tedious drag and drop diagramming. 

Being automated, your diagrams will reflect exactly what is running now in an easy to understand environment visualization.

Generate Cloud Architecture Diagrams With Interactive Resources

Far from being static, all the diagrams and reports created by Hava are fully interactive. Clicking on a VPC, subnet or individual resource changes the attribute pane on the side of the diagram to display contextual information about the resource you just selected.

[Image: Security groups for a selected EC2 instance]

Should there be settings or items in the attribute pane that are selectable, doing so will reveal further information and details about that resource. When viewing the attributes of a top level VPC for instance, the security groups will be shown. Hovering over a security group name will highlight on the diagram all the resources that belong to that group.

Similarly, clicking on the security group name will change the contents of the attribute pane to the attributes of the selected security group. This means that you can save valuable time by viewing attributes and deeper information about your visualized resources directly on the diagram without having to exit out to your AWS console.

Generate AWS Container Diagrams

If you are building containerised solutions using AWS, Hava will visualise these in a "Container View" diagram.

The below diagram depicts an ECS Cluster with multiple ECS Service instances within the cluster that contain multiple tasks per service.

The task status is represented by different colours for "Running", "Pending", "Stopped" etc.

Colour codes include Green = OK, Yellow = Transitioning, Red = Warning, White = Stopped or Empty which gives you an immediate visual guide of exactly what's going on and if anything needs attention.

[Image: AWS ECS container view]

Generate AWS or Azure Security Group Diagrams for Your Security Team

One of the most important aspects of cloud architecture design is security, so security should be a central component of your cloud diagram toolset.

Visualizing your AWS or Azure security configuration allows your security team to immediately see what security groups have been set up, what ports are open and how IP traffic enters and exits your network. 

A visualized security configuration can instantly highlight vulnerabilities like open ports or network ingress points that have been misconfigured. Your security team can potentially pick up problems in seconds that may otherwise go unnoticed or take hours to uncover trawling through console settings.

[Image: List view]

List All Your Discovered Cloud Resources

Some discovered resources in your cloud configuration don't make sense to visualize on an infrastructure diagram. Trying to cram 50 network interfaces, or 100 storage volumes onto a diagram just makes the document cluttered and difficult to read. 

That's not to say you don't need to know about the storage volumes, network interfaces, WAF rule sets etc., which is why another "view" provided by Hava is the List View. This view lists all of the discovered resources, both visualized and not, and allows you to sort them and export them.

This is particularly useful when trying to evaluate the cost estimates of all your configured network components from most expensive to least.

[Image: List view sorted by price]

Generate Custom Diagrams Using Search/Filter

While automatically generated cloud diagrams delineated by VPC are incredibly useful and time saving, sometimes you need to diagram specific elements within your VPC, or to collate resources from different VPCs or even different cloud providers.

Hava's toolset addresses this with a very flexible query and search tool that allows you to build custom diagrams based on numerous criteria like region, resource name, VPC name and even leveraging tags and labels for AWS, GCP and Azure.

This enables you to customise diagrams to just include the key information you need that is dynamic and ready to view at a glance.

Custom Environment Diagrams can be used to:

  • Filter and diagram only the specific components of your environment you are interested in viewing
  • Combine data from separate environments into one diagram
  • Combine data from separate cloud providers into one diagram
  • View specific components from multiple sources on the one diagram

The search and filter box at the top of the environments dashboard is the starting point for creating a custom diagram and contains prompts for the available filters.

[Image: Hava query modifiers]

Using the region: search parameter for instance, would return anything in the specified region, including resources in any matching Azure or GCP data sources you have connected to Hava.

i.e. region:us-west-1 or region:us-west-2 would construct a diagram with any of your resources found in the nominated regions.

Quite complex queries can be constructed using the query/search function, like:

(vpc:vpc-1234 and ((CostCenter:dev and !Owner:"Jim Smith") or (CostCenter:test and !Owner:"Jim Smith"))) or
(vpc:vpc-4567 and (@type:"AWS::EC2::Instance" or type:"AWS::RDS::DBInstance"))

 

Using the Deep Search modifier "@" within the query, the search will also return resources connected to the ones that meet your search criteria when you generate an architecture diagram from AWS configuration data.
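To make the query syntax above concrete, here is a small evaluator for it, added as an example and not Hava's own parser. It runs the page's operators (key:value terms, and/or, ! negation, parentheses, quoted values, the "@" deep-search modifier) against a constructed inventory; exact value matching and the `connected_to` field used to model deep search are assumptions.

```python
import re

# Added example, not Hava's parser: a simplified evaluator for the query syntax
# shown above. Semantics are assumed: exact value matching, and the "@" deep
# search also returns resources that list a match in "connected_to".
TOKEN = re.compile(r'\(|\)|!|\band\b|\bor\b|@?[\w.]+:(?:"[^"]*"|[^\s()]+)', re.I)
RESOURCES = [  # constructed sample inventory, not real data
    {"name": "web-1", "vpc": "vpc-1234", "CostCenter": "dev", "Owner": "Jim Smith"},
    {"name": "web-2", "vpc": "vpc-1234", "CostCenter": "dev", "Owner": "Ann Lee"},
    {"name": "db-1", "vpc": "vpc-4567", "type": "AWS::RDS::DBInstance"},
    {"name": "app-1", "vpc": "vpc-4567", "type": "AWS::EC2::Instance"},
    {"name": "sg-app", "vpc": "vpc-4567", "type": "AWS::EC2::SecurityGroup",
     "connected_to": ["app-1"]},
]

def parse(query):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""
    tokens = TOKEN.findall(query) + [None]            # None marks end of input
    def chain(op, operand):                           # left-associative and/or
        node = operand()
        while (tokens[0] or "").lower() == op:
            tokens.pop(0)
            node = (op, node, operand())
        return node
    def factor():
        tok = tokens.pop(0)
        assert tok is not None, "unexpected end of query"
        if tok == "!":
            return ("not", factor())
        if tok == "(":
            node = chain("or", lambda: chain("and", factor))
            assert tokens.pop(0) == ")", "unbalanced parentheses"
            return node
        key, _, value = tok.partition(":")
        return ("match", key.lstrip("@"), value.strip('"'))
    tree = chain("or", lambda: chain("and", factor))
    assert tokens == [None], "unexpected trailing tokens"
    return tree

def evaluate(node, resource):
    op, *args = node
    if op == "match":
        return str(resource.get(args[0], "")) == args[1]
    vals = [evaluate(a, resource) for a in args]
    return not vals[0] if op == "not" else all(vals) if op == "and" else any(vals)

def select(query, resources=RESOURCES):
    tree = parse(query)
    hits = {r["name"] for r in resources if evaluate(tree, r)}
    if "@" in query:                                   # assumed deep-search rule
        hits |= {r["name"] for r in resources if set(r.get("connected_to", ())) & hits}
    return sorted(hits)
```

Running the page's two-line query through `select` returns the two vpc-4567 instances, the non-Jim dev resource in vpc-1234, and, because of the "@", the security group attached to the EC2 instance.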

Automated Diagram Updates

Just like undocumented or misunderstood cloud architecture is challenging, so is keeping well documented architecture diagrams and reports up to date.

The best, most beautifully crafted and accurate diagram sets are only useful up until the time your network configuration changes, at which point they become obsolete and potentially spread misinformation to your management and engineering teams, both internal and external.

Your cloud architecture documentation should change when your architecture does and while even the most diligent engineer has every intention of completing a configuration change by updating the associated diagrams and documentation, we've found this step is often overlooked.

Hava continuously syncs your standard and custom diagrams, so an up-to-date documentation set is always at hand. Should you need "up to the second" updates, you can manually sync your data sources at any time to build a fresh set of diagrams on the fly.

Auto-Generate Cloud Architecture Diagram Versions

While automatically updated cloud diagrams ensure your documentation is always up to date, you may need to know what your network looked like prior to the configuration change. During an audit or unexpected network behaviour you may need to know what the config looked like last month or even 3 months ago. 


Hava addresses this important requirement by retaining a full interactive document set every time a diagram is superseded. The superseded document set is retained in a version history. The older versions can be opened and inspected interactively just like the current document set and even exported for diffing or external archiving. 

This gives you an audit trail of changes to your AWS architecture that allows you to pinpoint when changes were made in the event of unexpected network or application behaviour or sudden changes in cloud compute costs.

Diff Diagrams

One of the unique features of Hava is the ability to compare any two diagram versions and receive a diff diagram highlighting the changes between them.

This could be viewing the latest changes to investigate the cause of unexpected architecture behaviour, or comparing the architecture to the same time last year for PCI or other audit requirements. Whatever the scenario, you can select any two diagrams and you'll get a revision comparison showing all the resources that have been either removed or added.

[Image: Architecture diff diagram]

Architecture Monitoring Alerts

Another useful feature of Hava that extends its utility beyond simple architecture diagrams is the ability to alert you when architecture changes are detected.

During the normal background sync process that starts when you connect a cloud account to Hava, the process of checking for changes and updating diagrams can also trigger an email alert. This contacts the people you nominate to let them know something has changed. You and/or your security team can then assess the changes to make sure everything is in order. As well as capturing the changes in the alerts console, you receive a diff diagram via email showing you the changes.

[Image: Architectural monitoring alerts]

More alert integrations are in the pipeline, including sending architecture change notifications to Slack.

Cloud Diagram API

Hava has a fully featured API that enables you to pull config data, fire sync requests and perform any number of tasks and functions.

The API can be used to extend Hava's functionality. Customers have documented tasks like adding animated GIFs of a network topology diagram as a build pipeline artifact.

The API functions include listing and creating environments, fetching and exporting diagrams in various formats, JSON exports, fetching and creating teams and team members and creating, fetching and syncing your AWS, Azure and GCP data sources.

 

Export Diagrams & Reports

[Image: Export diagram formats]

Hava provides an export function on each diagram type so you can export your diagrams and the underlying data out to your preferred destination. 

These options include:

  • PDF
  • PNG
  • VSDX (editable diagrams for Visio or draw.io)
  • CSV
  • JSON

The export function, and in particular the VSDX export provides the ability to edit and embellish your diagrams outside of the Hava application.

Note: Hava does not provide the ability to add or remove elements from automatically generated diagrams. This is deliberate, so that the diagrams and their version history within the application remain 100% accurate and factual for audit and compliance purposes.

SaaS or Self-Hosted

The Hava SaaS is ready for you 24/7. Simply pick a plan and you'll be set up with a free trial within seconds.

Create a set of read-only credentials and connect your cloud to Hava. 

Within a few minutes Hava will map your cloud configuration and produce a full set of interactive diagrams.

 


If you have strict geographic or internal policy conditions that prevent you from granting read-only access to third-party applications, you can self-host Hava on your own cloud infrastructure; just get in touch to discuss this option.

 

 


Written by Team Hava

The Hava content team
