Quickest Way to Create AWS Diagrams

February 8, 2022

When you build on AWS, or operate applications built on AWS as a development or operations engineer, you already appreciate the value of a well laid out network topology diagram that accurately represents the resources configured in your AWS accounts.

There is little dispute that cloud network diagrams are essential when you want to know what you currently have running, or when you need to communicate the design of your network to consultants or new engineers. The problem has always been the time it takes to create them.

Unfortunately, the traditional methods of creating cloud network topology diagrams have always been slow, tedious manual work: transposing information from your cloud console onto a drawing canvas in a drag-and-drop diagram application like Visio.

The process usually involved getting your hands on an AWS icon set, working out which services and resources you have running, which VPCs, regions and subnets are in use, and then working out which resources belong to each VPC. It is time-consuming, mind-numbing work that no engineer we have ever met enjoyed.

Our team has a long history of cloud consulting, and every time they took on a new client they had to go through the torturous task of documenting the client's existing network. So they developed an internal toolset to automate the process. That toolset was eventually spun off into a stand-alone application and business, now known as Hava.

Hava lets you connect your AWS accounts to the application, which can be either SaaS or self-hosted, and it automatically generates network topology diagrams, a security group diagram for each VPC discovered, and an AWS compliance report showing how well your network adheres to AWS best practice.

Recently a few vendors have attempted to bolt an import function onto their drawing applications, but these appear to be one-shot imports. Hava, by contrast, continuously monitors the connected data sources and automatically updates the diagrams when changes are detected.

This is all done hands-free, with no user intervention required, so you always have up-to-date network infrastructure diagrams on hand whenever you need them.

Because the diagrams may change several times between your logins to Hava, the application retains every superseded diagram in version history. That gives you an audit trail of the changes made to your AWS environment, which is useful when you are tracking down unexpected network behaviour or performance issues.

If you relied on manually invoked diagram updates, you could miss changes that came and went but caused the problem you are investigating. Continuously polling configuration data and regenerating diagrams automatically avoids that gap.

How to create an AWS diagram fast.

When you use Hava to create your AWS infrastructure diagrams on autopilot, you only need to connect your AWS account once. That's it.

Hava can be hosted on your own infrastructure (self-hosted) or you can simply subscribe to a SaaS plan and be up and running in a minute or two.

Then it's just a matter of creating an AWS cross-account IAM role and plugging it into Hava. A cross-account role is the AWS-recommended way to grant a third party access to your account: no long-lived access keys leave your account, the role's permissions policy limits the tool to read-only (describe/list/get) calls against configuration metadata, which is all Hava needs to analyse running resources and construct diagrams, and the role's trust policy limits which account can assume it. AWS also recommends requiring an external ID in the trust policy for third-party access, and you can revoke access at any time by deleting the role.

So a minute or two of effort on your end yields potentially unlimited VPC diagrams that stay up to date automatically until you disconnect.

So what do you get when you connect Hava to your AWS account, or indeed to multiple AWS accounts?

The first diagram you get is the Infrastructure View.

[Image: AWS environment with attribute pane]

The AWS Infrastructure view lays out each of your AWS VPCs as a separate diagram set. Subnets within the VPC are mapped into columns by availability zone. The generated AWS VPC diagram also displays both internal and external resources.

All the diagrams Hava generates are interactive: clicking any resource on the diagram updates the attribute panel on the right, where you can take a deep dive into the resource's settings, such as its security groups, ingress/egress ports and IP ranges, attached storage and so on. The infrastructure view diagrams also display the estimated cost of each resource, and the costs are totalled for the entire environment when it is opened.

All the diagrams created by Hava are kept as clean and readable as possible. By default, connections and resource names are not shown, however these can be toggled on like in the example below.

[Image: AWS cloud architecture diagram with connections shown]

Right from inception, our engineers decided to keep the Hava diagrams clean and free of non-essential resources, such as network interfaces, that would flood the diagrams with unimportant detail and make them messy and confusing.

Although these less important components are not shown on the infrastructure diagrams, we still needed to know about these 'non-visualized' components, so we created the Hava "List View". The List View is an extensive data set listing every resource discovered in your AWS configuration, both visualized and non-visualized.

The listed resources also have an estimated cost detailed against them.

[Image: List View]

One benefit of the List View is that it can be sorted, including by cost. This reveals which resources make up the bulk of your estimated cloud spend, which helps when you are looking to reduce cloud costs or explain to management which resources account for most of your AWS bill.

AWS SECURITY VIEW

Since we already had the configuration metadata and relationships coming back from AWS to build the infrastructure diagrams, our security-focused clients asked whether we could visualize the security relationships the same way. This led to the AWS Security View.

[Image: AWS Security View]

The Security View shows all of your AWS security groups and overlays the open ports to show how traffic can move across your network. Selecting a security group on the diagram shows all the connected resources in the attribute pane to the right, together with the ingress and egress port numbers and the IP ranges associated with each rule.

This high-level view makes some security configuration issues obvious, such as ports opened for development or testing that were inadvertently left open, or a rule that allows a management port from 0.0.0.0/0.

The Hava AWS security diagram is truly unique and is a result of a team of industry practitioners knowing exactly what information is important to security teams monitoring traffic across a network.

AWS Container Diagram

As more development teams adopt containers to deploy applications and keep software portable between environments, a need arose to visualise containerised workloads. To meet that need, the Container View was added to Hava.

[Image: AWS ECS Container View]

The Container View displays your ECS services and the ECS tasks they contain, grouped by ECS cluster.

AWS ARCHITECTURE DIAGRAM VERSION COMPARISON

Hava continuously scans your AWS architecture, and when changes are detected a new diagram set is generated automatically. The superseded diagrams are not discarded or overwritten; they are moved into version history and remain fully interactive.

This means you can view your cloud architecture as it was at any point in time, and use Hava's revision comparison (Diff Diagrams) to quickly identify what was added or removed between two diagram dates.

[Image: Diff View]

So you can easily identify every change made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.

AWS ARCHITECTURE MONITORING

While diff diagrams are very helpful for diagnosing changes after the fact, you may also want to keep on top of changes as they happen.

Hava's architecture monitoring alerts notify you as soon as a change is detected. You nominate the environment you wish to monitor and add a group of recipients for the alerts. When a change such as the addition or removal of a resource is detected, Hava sends each recipient a diff diagram showing the change.

[Image: Alert detail]

Now you and your security team can stay on top of every change as it happens, assess it, and take action if required.

ENVIRONMENT DIAGRAM NOTES

For every generated architecture diagram you can add text notes. These serve as a rolling dialogue your team can contribute to, explaining elements of the diagram or the bigger-picture concepts behind it.

Notes are accessed from the accordion menu within the attribute pane.

[Image: Accessing environment notes]

New notes are added to the top of the list, so notes are displayed newest first, in reverse chronological order.

[Image: Multiple notes]

Now you can take advantage of the quickest way to create an AWS diagram.

Whichever diagram or view best delivers the information your team needs to build and manage your environments, the upside of a hands-free automatic AWS cloud infrastructure diagram tool like hava.io is that your diagrams are sourced directly from your AWS configuration, so nothing is left out and nothing is added by mistake.

What you see on the diagrams is derived from the source of truth, so your diagrams reflect the configuration as of the last scan rather than someone's recollection of it.

When your AWS configuration changes, so do all the diagrams, automatically and hands-free, with no human interaction required. The replaced diagrams are archived in version history, and you can open the historical diagrams at any time. They remain fully interactive, so you can compare old configurations with new ones to find out what changed when investigating a problem or preparing for a compliance audit.

The diagrams generated by Hava are also exportable. You can produce an AWS architecture PDF or JPG for inclusion in your reporting, as well as CSV and JSON exports of the underlying data.

There are currently two options for using Hava to generate your cloud infrastructure diagrams.

Option 1: SaaS

The SaaS option is by far the quickest and easiest way to start visualizing your AWS cloud infrastructure.

You create an AWS cross-account IAM role with read-only permissions, then log in to hava.io and connect your AWS account. Hava assumes the role, reads your AWS configuration data, renders the diagrams and starts tracking changes for audit purposes.
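The cross-account role described above (and earlier, in "How to create an AWS diagram fast") is the one security-relevant step in the setup, so here is an added example of building and sanity-checking it. This is example code written for this page, not Hava's own tooling. The vendor account ID and external ID are placeholders (assumptions); substitute the values the vendor supplies when you connect an account. The check functions catch the two mistakes that turn a "read-only diagramming role" into something broader: a permissions policy that slips in a mutating action, and a trust policy that any caller who knows the vendor's account ID could use without an external ID.

```python
"""Cross-account, read-only IAM role for an AWS diagramming tool.

Added example for this page, not code from Hava. TOOL_ACCOUNT_ID and
EXTERNAL_ID are placeholders (assumptions); use the vendor-supplied values.
"""
import json
import re

# Hypothetical values: the third-party account allowed to assume the role and
# the ExternalId it must present on sts:AssumeRole.
TOOL_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "replace-with-vendor-supplied-external-id"
ROLE_NAME = "DiagramReadOnlyRole"

# Read-only API verbs. "ec2:Describe*" style wildcards are allowed; a bare "*"
# or "service:*" is not, because those would also grant mutating calls.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z*]*$")


def trust_policy(tool_account_id: str, external_id: str) -> dict:
    """Trust policy: only the tool's account may assume the role, and only when
    it presents the agreed ExternalId (AWS's confused-deputy mitigation for
    third-party access)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{tool_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """Permissions policy: describe/list calls a topology and security-group
    diagram needs. Illustrative set; extend it if the tool reports missing
    permissions, but keep every action read-only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*", "elasticloadbalancing:Describe*",
                "ecs:Describe*", "ecs:List*", "rds:Describe*",
                "s3:ListAllMyBuckets", "lambda:ListFunctions", "iam:ListRoles",
            ],
            "Resource": "*",
        }],
    }


def _actions(statement: dict) -> list:
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_read_only(policy: dict) -> bool:
    """True if every Allow statement grants only describe/list/get actions.
    Run this before attaching the policy so a stray "ec2:*" or
    "iam:PassRole" cannot ride along with a "read-only" role."""
    return all(
        READ_ONLY_ACTION.match(action)
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        for action in _actions(stmt)
    )


def has_external_id_condition(trust: dict) -> bool:
    """True if every Allow sts:AssumeRole statement requires an ExternalId."""
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _actions(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True


if __name__ == "__main__":
    trust, perms = trust_policy(TOOL_ACCOUNT_ID, EXTERNAL_ID), permissions_policy()
    assert has_external_id_condition(trust), "trust policy lacks an ExternalId condition"
    assert is_read_only(perms), "permissions policy contains a non-read-only action"
    # Write both documents for the aws CLI calls shown in the usage note.
    with open("trust.json", "w") as f:
        json.dump(trust, f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(perms, f, indent=2)
    print(f"wrote trust.json and permissions.json for role {ROLE_NAME}")
```

With the two files written, the role is created with `aws iam create-role --role-name DiagramReadOnlyRole --assume-role-policy-document file://trust.json` followed by `aws iam put-role-policy --role-name DiagramReadOnlyRole --policy-name DiagramReadOnly --policy-document file://permissions.json`; the role ARN is what you hand to the tool. If you prefer the AWS managed `ReadOnlyAccess` policy (`arn:aws:iam::aws:policy/ReadOnlyAccess`) instead of the inline one, be aware it also grants read access to data in services such as S3 and DynamoDB, which is more than a topology diagram requires.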

A 14 day fully functional trial is available (along with demo data) so you can try Hava for yourself. At the time of writing, no credit card is required to take the trial.

Option 2: Self Hosted

The self-hosted option lets you run Hava inside your own AWS infrastructure. If security or enterprise policies prevent you from connecting third-party applications to your cloud environments, self-hosting may be the solution.

Both options are identical in functionality, but you will need to contact our support team to arrange a self-hosted deployment.

As well as using the application console to generate and view diagrams, Hava has a fully featured API that lets you programmatically add and remove data sources, projects and diagrams.

We recommend requesting a one on one demo with our sales team if you would like to see Hava in action and explore the self-hosted option.

You can contact us via sales@hava.io or jump straight into a free trial.


Written by Team Hava

The Hava content team