
Killing Your Long Lived Development/Test Cloud Environments

June 14, 2022


One of the key roles of cloud network managers is containing costs. It is so easy to add to networks and scale resources in the never ending quest for lower latency and better application performance.

Even if you are working for or consulting to large organisations with seemingly unlimited budgets, sooner or later once your application or project is in production, the sights will be turned on the ongoing cloud spend.

During the initial development stage it's not uncommon to get multiple developers and/or teams involved in order to meet project deadlines. In doing so you can often spin up multiple development, test and staging environments so the various branches of development activity can be isolated and tested thoroughly before being merged into production.

The problem is, when the additional development teams and consultants go away, very often their development and testing environments do not. After several rotations of developers, it's extremely easy to lose sight of exactly which environments are related to production and ongoing development, and which ones are leftover development or test environments that nobody is using, or sometimes even aware of.

While a complete replication of your production environment can be obvious, other resources can be lurking in the cloud account that aren't so obvious, like a copy of a database that was taken at some point in history to analyse a problem and is now sitting in isolation in its own VPC, but nobody really knows why.

One of the side benefits of using Hava to automatically generate your cloud network topology diagrams is these outliers are brought to the surface. 

When you connect a cloud account to Hava, be that an Amazon AWS, Google Cloud or Microsoft Azure account, Hava will scan the console settings and generate an infrastructure diagram for each VPC or virtual network detected. This is the first opportunity to spot unexpected environments.

When you log into Hava you will start at the environments dashboard. 

[Image: Environment dashboard showing a custom diagram]

If there are additional VPCs or virtual networks appearing on the environments dashboard, you will be able to dig into these unexpected environments and delete them if they are no longer required. Maybe they are residue from long gone developers, or test environments used in the frenzy of bringing your application to market that are no longer required.

Typically these environments aren't something you go looking for; they can be buried deep in the console and are not immediately obvious on the cloud account bill.

The second opportunity to spot rogue resources is on your production VPC / virtual network diagrams. Here you might encounter a stand-alone subnet with a single resource like a database instance, or a handful of resources that aren't connected to your production resources.

If you manually draw diagrams, these outliers will never appear on them, and so they avoid any scrutiny for months or maybe years, until someone digs into the console settings looking at services you may not be aware are in use and stumbles across a running instance.

If this sounds unlikely, rest assured it's more common than you think. In one of the more extreme examples, a customer connected their AWS account to Hava and uncovered a stand alone database instance that was running but not in use. A stand alone VPC with a single RDS instance with no association to production. It was costing the company close to $2k per month. It had been running for over 3 years untouched. You do the math.
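The stand-alone RDS instance above is the kind of leftover that only surfaces when every VPC is listed rather than just the ones people remember. The following Python script is an added example, not Hava code: it applies the same idea to a hand-constructed inventory snapshot (VPC tags, instances, database instances and peering connections, with made-up monthly cost placeholders) and flags non-production VPCs that show several "forgotten" signals at once: untagged, no peering to a production VPC, very few resources, or resources older than a threshold. The field names, thresholds and cost figures are assumptions for illustration.

```python
"""Flag stand-alone, non-production VPCs in a cloud resource inventory.

Added example, not Hava code. INVENTORY is constructed by hand in the shape
of a flattened snapshot of describe-style API output; the per-resource
monthly cost figures are made-up placeholders, not real pricing.
"""
from datetime import date

# Date the snapshot is evaluated against (fixed so the example is deterministic).
AS_OF = date(2022, 6, 14)

# Constructed inventory: a production VPC, a feature-branch test VPC peered to
# it, and a forgotten VPC holding nothing but an old database copy.
INVENTORY = {
    "vpcs": [
        {"VpcId": "vpc-prod-main", "Tags": {"env": "production"}},
        {"VpcId": "vpc-forgotten", "Tags": {}},
        {"VpcId": "vpc-feature-x", "Tags": {"env": "test", "owner": "contractor-b"}},
    ],
    "instances": [
        {"Id": "i-web1", "VpcId": "vpc-prod-main", "Created": "2022-01-10", "EstMonthlyUsd": 140.0},
        {"Id": "i-web2", "VpcId": "vpc-prod-main", "Created": "2022-01-10", "EstMonthlyUsd": 140.0},
        {"Id": "i-ci", "VpcId": "vpc-feature-x", "Created": "2022-05-20", "EstMonthlyUsd": 70.0},
    ],
    "db_instances": [
        {"Id": "db-prod", "VpcId": "vpc-prod-main", "Created": "2022-01-10", "EstMonthlyUsd": 900.0},
        {"Id": "db-copy-2019", "VpcId": "vpc-forgotten", "Created": "2019-03-02", "EstMonthlyUsd": 1950.0},
        {"Id": "db-test", "VpcId": "vpc-feature-x", "Created": "2022-05-20", "EstMonthlyUsd": 120.0},
    ],
    "peering": [
        {"RequesterVpcId": "vpc-feature-x", "AccepterVpcId": "vpc-prod-main"},
    ],
}

PRODUCTION_TAG_VALUES = {"prod", "production"}


def is_production(vpc):
    return vpc["Tags"].get("env", "").lower() in PRODUCTION_TAG_VALUES


def peers_of(vpc_id, inventory):
    """Set of VPC ids connected to vpc_id by a peering connection (either side)."""
    peers = set()
    for p in inventory["peering"]:
        if p["RequesterVpcId"] == vpc_id:
            peers.add(p["AccepterVpcId"])
        elif p["AccepterVpcId"] == vpc_id:
            peers.add(p["RequesterVpcId"])
    return peers


def resources_in(vpc_id, inventory):
    return [r for kind in ("instances", "db_instances")
            for r in inventory[kind] if r["VpcId"] == vpc_id]


def find_suspect_vpcs(inventory, as_of, max_resources=2, min_age_days=180):
    """Return non-production VPCs showing at least two 'forgotten' signals,
    most expensive first. Signals: untagged, no peering to a production VPC,
    very few resources, oldest resource older than min_age_days."""
    prod_ids = {v["VpcId"] for v in inventory["vpcs"] if is_production(v)}
    report = []
    for vpc in inventory["vpcs"]:
        if vpc["VpcId"] in prod_ids:
            continue
        res = resources_in(vpc["VpcId"], inventory)
        reasons = []
        if not vpc["Tags"]:
            reasons.append("untagged")
        if not (peers_of(vpc["VpcId"], inventory) & prod_ids):
            reasons.append("no peering to a production VPC")
        if len(res) <= max_resources:
            reasons.append(f"only {len(res)} resource(s)")
        oldest = max(((as_of - date.fromisoformat(r["Created"])).days for r in res), default=0)
        if oldest >= min_age_days:
            reasons.append(f"oldest resource is {oldest} days old")
        if len(reasons) >= 2:
            report.append({
                "VpcId": vpc["VpcId"],
                "reasons": reasons,
                "monthly_usd": round(sum(r["EstMonthlyUsd"] for r in res), 2),
            })
    report.sort(key=lambda r: -r["monthly_usd"])
    return report


def run_example():
    return find_suspect_vpcs(INVENTORY, AS_OF)


if __name__ == "__main__":
    for entry in run_example():
        print(f"{entry['VpcId']}: ~${entry['monthly_usd']:.2f}/month; " + "; ".join(entry["reasons"]))
```

Requiring two independent signals keeps a freshly created, tagged test VPC that is peered to production off the list, while the untagged, unpeered VPC whose only resource is a three-year-old database copy lands at the top with its estimated monthly cost. In a real account the inventory would come from the cloud provider's describe APIs and a cost export rather than from literals.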

What resources or entire dev/test environments do you have running undetected in your AWS, GCP or Azure accounts?

How much are they costing you?

By connecting to Hava, you'll know the answer.

So what is hava.io?

Hava is a SaaS application that can be accessed online or run self-hosted, in isolation, on your own cloud infrastructure. Hava automatically generates cloud network topology diagrams, security diagrams, container workload diagrams and AWS best practice compliance reports.

You simply connect your AWS, GCP and Azure accounts, or connect your Kubernetes clusters, to Hava and your diagrams are generated hands free and, equally important, are automatically kept up to date. Hava continuously polls your network config and, as changes are detected, new diagrams are generated even when you are not logged in.

Superseded diagrams are moved into version history, so you always have an audit trail of changes.

AWS NETWORK TOPOLOGY DIAGRAMS

There are a number of cloud visualization diagrams that can prove useful to your engineering and operations teams. These include an AWS Infrastructure diagram like this:

[Image: AWS infrastructure diagram with adjusted canvas width]

The diagram shown above logically lays out all the resources discovered when an AWS account is connected to Hava's cloud visualization tool. The main VPC is depicted by the green outside border and is surrounded by associated resources like internet and VPN gateways, S3 Buckets, VPC endpoints, VPC peering connections, Elastic Beanstalk environments and so forth.

Inside the VPC, your configured availability zones are set out in columns. These columns contain the individual subnets set up in those AZs. All the resources contained in each subnet are visualized, as are any load balancers that are routing traffic to the various subnets.

Having your diagrams automatically created from your AWS console configuration data enables interrogation of each of the resources to see the settings and associations related to them. By selecting any of the individually visualised resources, the attribute pane to the right hand side of the diagram displays all the known metadata related to the resource. This is one aspect of Hava's cloud visualization diagrams that isn't possible with manually created drag-and-drop diagram makers.

Automating the diagram build using Hava also reveals resources you may not be aware of. Long forgotten database instances and sometimes entire development, staging or test environments are regularly discovered by this automated cloud visualization process.

GCP CLOUD ARCHITECTURE DIAGRAMS

Hava's cloud visualization diagram tool will connect to your GCP accounts and visualize your GCP networks, zones and subnets.

[Image: GCP diagram with version history]

AZURE CLOUD ARCHITECTURE DIAGRAMS

In addition to visualizing your AWS and GCP cloud environments, you can also import your Azure environments into Hava. Hava will create diagrams for each resource group discovered in Azure. The resource group will detail any virtual networks found in the resource group which in turn can contain multiple subnets and other resources like virtual machines, load balancers, peering connections and storage accounts.

[Image: Azure resource group view]

CUSTOM CLOUD VISUALIZATION

There is always a compromise when it comes to automatically generated documentation. The way that Hava discovers and generates network topology diagrams is based at a VPC or resource group level. If more than one VPC is detected in your Amazon cloud account for instance, then one diagram set per VPC is created.

You may however want to combine two or more VPCs onto a single diagram, or just diagram a subset of your resources. This can be achieved using the custom query function built into Hava.

CUSTOM CLOUD DIAGRAM GENERATOR

[Image: Custom query searching for RDS instances]

This custom query would create a new custom diagram containing the two nominated AWS VPCs. You would then have the ability to save this diagram so it is always present in your dashboard until you choose to delete it. As with all other diagrams, your custom infrastructure diagram would keep itself up to date and retain a version history every time a resource change is detected. The filter and deep search allow you to quickly find resources across hundreds of cloud accounts using resource names, tags, IP addresses and a range of other search criteria.

CLOUD RESOURCES LIST

In reality it is just not practical to include every single component detected in your cloud config onto a network topology diagram. Take for instance network interfaces, volumes or WAF rules. In a large network with hundreds or maybe thousands of these second tier components, trying to visualize every single component would make the diagram almost unreadable, or certainly too busy to easily recognise the core components.

Hava's cloud visualization tool solves this issue by providing a detailed component list that includes every single resource detected. This is known as the "List View".

[Image: List View in the new UI]

This is a comprehensive list of resources that can be sorted and exported along with estimated monthly costs, so you can see at a glance which resources are costing you the most money. The detailed list view is also interactive: selecting a resource reveals all the known settings and associations that resource has.

AWS SECURITY GROUP VISUALIZATION

Another major benefit of using Hava to automate the discovery of your AWS environment diagrams is the ability to capture and visualize security group information. While this is currently only available for AWS, security views for Azure and GCP are on our development roadmap.

AWS SECURITY ARCHITECTURE DIAGRAM

[Image: Security group diagram with traffic flow arrows]

With an AWS security group diagram you can view all of your configured security groups. All your open ports are overlaid on the visualization to enable an instant understanding of the traffic flow, ingress and egress points. The security view diagram is also interactive, so you can select any security group on the diagram and important information relating to it, like the connected resources, ingress and egress IP addresses and associated tags, is revealed without having to exit out to your AWS console to investigate.
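The "open ports overlaid on the visualization" view boils down to reading each security group's ingress permissions and presenting them as port/source pairs. The Python below is an added example, not Hava code, that does that tabulation over a hand-constructed list shaped like EC2 DescribeSecurityGroups output (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges and UserIdGroupPairs) and separately lists ports reachable from the whole internet other than an assumed allow-list of web ports. The sample groups and the allow-list are assumptions for illustration.

```python
"""Summarise AWS security group ingress rules and list world-reachable ports.

Added example, not Hava code. SAMPLE_GROUPS is constructed by hand in the
shape of EC2 DescribeSecurityGroups output; it is not data from any real
account.
"""

WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # SSH left open to the world, the sort of thing the overlay makes obvious
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-db", "GroupName": "db-tier",
     "IpPermissions": [
         # Database port reachable only from the web tier's security group
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
         # "-1" protocol means all traffic; here limited to a private range
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]


def port_label(perm):
    """Render one IpPermissions entry as 'proto/port', 'proto/lo-hi' or 'all traffic'."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:  # e.g. ICMP with wildcard type/code
        return f"{proto}/all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def sources(perm):
    """All sources of a permission: IPv4 CIDRs, IPv6 CIDRs and referenced groups."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return srcs


def summarise(groups, allowed_public=frozenset({"tcp/80", "tcp/443"})):
    """Return {group_id: {"name", "rules", "world_open"}} where rules are
    'port from source' strings and world_open lists ports reachable from
    0.0.0.0/0 or ::/0 that are not on the allowed_public list."""
    out = {}
    for g in groups:
        rules, world_open = [], set()
        for perm in g.get("IpPermissions", []):
            label = port_label(perm)
            for src in sources(perm):
                rules.append(f"{label} from {src}")
                if src in WORLD and label not in allowed_public:
                    world_open.add(label)
        out[g["GroupId"]] = {"name": g["GroupName"], "rules": rules,
                             "world_open": sorted(world_open)}
    return out


if __name__ == "__main__":
    for gid, info in summarise(SAMPLE_GROUPS).items():
        print(f"{gid} ({info['name']})")
        for rule in info["rules"]:
            print("   ", rule)
        if info["world_open"]:
            print("    world-open, review:", ", ".join(info["world_open"]))
```

Each rule becomes one line in the same "port from source" form the diagram overlays, and group-to-group references keep the referenced group id as the source, which is how the web-tier to database-tier path shows up without any CIDR at all.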

Hava also provides an Azure security diagram.

[Image: Azure security group view]

Kubernetes Cluster Diagrams

Hava supports direct connection of Kubernetes clusters and will generate diagrams for them. You can connect any K8s cluster to Hava using a generated configuration file. Hava will then scan the cluster and visualise it and its running pods, giving you a visualisation of your containerised workloads.

Hava will scan your cluster and auto generate a complete visualisation of the resources detected, cluster, nodes, pods and the relationships between them.

[Image: Hava Kubernetes example diagram]

In the above example all the pods are green, indicating a healthy state. As with all Hava interactive diagrams you can select a pod to see all the containers running in it, or hover over a node in the attributes pane to highlight all the pods running on that node. The power of the visualisation is when things aren't running as expected.

[Image: Kubernetes cluster diagram with pods in different states]

The colour of each pod indicates the run status of the workload. Green indicates healthy and running, while red indicates a sub-optimal health status such as stopped. An amber pod denotes that the status is changing, so it could be starting or stopping.

By selecting a suspect pod, you are able to see its metadata in the attribute pane, including the connected containers and associated nodes in the cluster, so you can quickly identify what needs to be addressed in order to return the workloads to optimal health.

As well as stand alone Kubernetes Clusters, Hava also generates container diagrams for AWS EKS and ECS containers, Azure AKS and Google Cloud Platform GKE managed container environments.

AUTOMATED CLOUD VISUALIZATION UPDATES

Your documentation is only useful if it is up to date. It is quite possible to spend weeks manually constructing network topology diagrams only to have them rendered useless by a minor change to your network configuration. Given the nature of services provided by the major cloud vendors like autoscaling that provision or remove resources in response to traffic demand, the chances are your cloud infrastructure is changing more often than you would first imagine.

Built into Hava is an automatic synchronisation function that polls connected cloud account data sources and automatically updates cloud visualization diagram sets when changes are detected. This means your diagrams are always current and up to date. The superseded diagram sets aren't deleted or overwritten, however. They are placed into Hava's version history. This audit trail of changes stores superseded diagrams, which enables you to pull up and investigate older diagrams in the same fully interactive format as the live current diagram set.

This allows you to quickly identify changes to your cloud network topology either visually by placing diagrams side-by-side or by exporting them for programmatic comparison.

Versioning also allows you to demonstrate the status of your network to key stakeholders at any point in history. This can be invaluable during a PCI compliance audit, insurance or security audit should your network design ever be called into question.

EXPORTING CLOUD DIAGRAMS

The native cloud architecture diagrams created by Hava are the nearest we've seen to the examples and recommendations provided by the major cloud platforms. These are great to view and interrogate via the Hava application dashboard, however sometimes you might need to pull a set of diagrams for audit purposes or to incorporate into management or sales presentations.

The built-in diagram export function allows you to do this by providing these five export options:

[Image: Export diagram format options]

CSV, VSDX, JSON, PDF and PNG

When viewing any of your Hava diagrams, you can select the export function, tell Hava what format you would like and Hava will generate the export file for download.

EDITING YOUR CLOUD VISUALIZATION DIAGRAMS

Should you want to manipulate or embellish your auto-generated Hava diagrams, exporting to VSDX format and using Visio, draw.io or any VSDX compatible drawing package will allow you to edit your diagrams as required.

Should you not have access to Visio but would like to try this out, try opening one of your exported VSDX files in draw.io (diagrams.net).

[Image: Hava diagram opened in draw.io]

Getting Hava to do the bulk of the heavy lifting by initially generating accurate diagrams based on what is actually configured and running in your cloud environments enables you to access a base diagram ready to edit which will save you hours or possibly days preparing management reports.

AWS ARCHITECTURE DIAGRAM VERSION COMPARISON

Hava continuously scans your AWS architecture and, when changes are detected, a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten. Instead they are moved into version history, where they remain fully interactive.

What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.

[Image: Diff view comparing two diagram versions]

So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.
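The revision comparison described here, and the "exporting them for programmatic comparison" option mentioned in the automated updates section, both come down to diffing two inventory snapshots by resource id. The Python below is an added example, not Hava code and not its export format: two hand-constructed JSON documents stand in for two versions of an export, and the diff reports resources added, removed and changed field by field, then pulls out the changes that widen exposure (security rules, public flags) so they can be reviewed first. Field names and the sensitive-field list are assumptions for illustration.

```python
"""Diff two exported resource snapshots: added, removed and changed resources.

Added example, not Hava code and not its export format. SNAPSHOT_V1 and
SNAPSHOT_V2 are constructed by hand to stand in for two versions of an
inventory export; the field names are illustrative.
"""
import json

SNAPSHOT_V1 = json.loads("""
{"resources": [
  {"id": "i-web1",  "type": "ec2:instance",       "subnet": "subnet-a",  "state": "running"},
  {"id": "i-web2",  "type": "ec2:instance",       "subnet": "subnet-b",  "state": "running"},
  {"id": "sg-web",  "type": "ec2:security-group", "ingress": ["tcp/443 from 0.0.0.0/0"]},
  {"id": "db-prod", "type": "rds:instance",       "subnet": "subnet-db", "public": false}
]}
""")

# Since V1: i-web2 replaced by i-web3, SSH opened on sg-web, database made public.
SNAPSHOT_V2 = json.loads("""
{"resources": [
  {"id": "i-web1",  "type": "ec2:instance",       "subnet": "subnet-a",  "state": "running"},
  {"id": "i-web3",  "type": "ec2:instance",       "subnet": "subnet-b",  "state": "running"},
  {"id": "sg-web",  "type": "ec2:security-group", "ingress": ["tcp/443 from 0.0.0.0/0", "tcp/22 from 0.0.0.0/0"]},
  {"id": "db-prod", "type": "rds:instance",       "subnet": "subnet-db", "public": true}
]}
""")

# Fields whose change widens exposure and should be reviewed first (assumed list).
SENSITIVE_FIELDS = {"ingress", "egress", "public"}


def index(snapshot):
    """Map resource id -> resource record for one snapshot."""
    return {r["id"]: r for r in snapshot["resources"]}


def diff_snapshots(old, new):
    """Return {"added": [ids], "removed": [ids], "changed": {id: {field: {from, to}}}}."""
    before, after = index(old), index(new)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for rid in sorted(set(before) & set(after)):
        fields = set(before[rid]) | set(after[rid])
        delta = {f: {"from": before[rid].get(f), "to": after[rid].get(f)}
                 for f in sorted(fields) if before[rid].get(f) != after[rid].get(f)}
        if delta:
            changed[rid] = delta
    return {"added": added, "removed": removed, "changed": changed}


def needs_review(diff):
    """Ids whose changed fields touch exposure (security rules, public flags)."""
    return sorted(rid for rid, delta in diff["changed"].items()
                  if SENSITIVE_FIELDS & set(delta))


def format_report(diff):
    """One line per change, in a +/-/~ style similar to a text diff."""
    lines = [f"+ {rid}" for rid in diff["added"]] + [f"- {rid}" for rid in diff["removed"]]
    for rid, delta in diff["changed"].items():
        for field, change in delta.items():
            lines.append(f"~ {rid}.{field}: {change['from']!r} -> {change['to']!r}")
    return lines


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_V1, SNAPSHOT_V2)
    print("\n".join(format_report(d)))
    print("review first:", ", ".join(needs_review(d)))
```

Keying on the resource id rather than on position makes the diff stable across exports that list resources in a different order, and comparing field by field is what turns "db-prod changed" into "db-prod.public went from False to True", which is the detail an auditor or an on-call engineer actually wants to see.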

AWS ARCHITECTURE MONITORING

While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.

Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.

[Image: Architecture monitoring alert detail]

Now you and your security team can be across every change as it happens, so you can assess it and take action if required.

ENVIRONMENT DIAGRAM NOTES

For every architecture diagram generated you have the ability to add text comments. This serves as a rolling dialogue your team can contribute to, explaining elements of the diagram or bigger picture concepts related to it.

Notes are accessed from the accordion menu within the attribute pane.

[Image: Accessing environment notes from the attribute pane]

New notes are added to the top of the list, so they are stored in chronological order with the newest first.

[Image: Multiple notes on an environment diagram]


If you are not already using Hava to auto-generate cloud network topology diagrams and documentation from your AWS, Azure, GCP or Kubernetes deployments, you can take a free trial using the button below. Who knows what you will discover.


Written by Team Hava

The Hava content team
