There are so many reasons why you should accurately document your AWS cloud environments with Network Topology Diagrams. They visually portray how your network is constructed, what is running where and how resources are grouped and connected.
This is a major time saver when explaining your network to new engineers, consultants or other internal stakeholders.
The only decision you need to make is whether to manually construct diagrams based on reviewing your console configuration, or to use an automated AWS Diagram Creator to scan your AWS environments and build the diagrams for you.
The former method is often time consuming and prone to human error, whereas the latter option is fast, accurate and removes the human error factor.
Visualizing exactly what is running based on the actual resources configured in your AWS environments is probably the number one reason to use an automated AWS Diagram Creator over manually drawn diagrams.
The automation process discovers exactly what is running in your AWS account, so you can provide the documentation to onboard engineers faster, get to grips with new client networks or report to management in an easily understood visual format.
AWS DIAGRAM
Mapping out your AWS environment with, say, Visio or draw.io and an AWS icon template pack is a daunting prospect if your AWS environment contains more than a handful of resources from the AWS Services list.
Not only do you need to manually lay out your VPCs, availability zones and resources, which can take hours or days, but once you have drawn the diagrams you then need to keep them up to date if they are going to be of any practical use. That's where an automated AWS diagram creator comes into play.
AWS Infrastructure DIAGRAMS
There are several network topology diagrams that can prove useful to your DevOps, Engineering and developer teams when building applications on AWS. These include an AWS Infrastructure diagram like this:
This diagram lays out all the resources discovered in a logical format when an AWS account is connected to Hava. Given applications and projects are usually isolated in Virtual Private Clouds (VPCs), the Hava AWS Diagram generator creates one diagram set per discovered VPC.
The main VPC (the green rectangle) is surrounded by connected resources like internet and VPN gateways, S3 Buckets, VPC endpoints, VPC peering connections and Elastic Beanstalk environments.
Inside the VPC, the configured availability zones (AZs) are set out in columns. These columns, in turn, contain the individual subnets set up in those AZs. All the resources contained in each subnet are visualized, as are any load balancers routing traffic to the various subnets.
Hava creates this AWS diagram automatically from configuration data in the account source you connect, which makes it possible to interrogate each resource and see the settings and associations related to it. Clicking on any individual resource icon displays all the known details for that resource in the attribute pane on the right-hand side of the diagram. This isn't possible with manually created drag-and-drop diagram makers, and it saves a great deal of time compared to flipping between diagrams and cloud consoles. If you were to try to include all the known metadata for drawn resources on the diagram itself, the resulting diagram would be a mess.
Automating the diagram build using AWS Diagram Software also reveals resources you may not be aware of. Long forgotten database instances and sometimes entire dev or test environments are regularly discovered by Hava users when they connect their cloud accounts to Hava.
Build Custom AWS VPC Infrastructure DIAGRAMs
There is usually a compromise when it comes to automation and generated documentation. As discussed earlier, Hava discovers and builds diagrams at the VPC level. If more than one VPC is detected in your AWS account, each is placed on a separate diagram.
You may however want to combine two or more VPCs onto a single diagram. This can be achieved using the custom query function built into hava.io.
AWS VPC Custom DIAGRAM GENERATOR
This custom query creates a new 'on-the-fly' custom diagram containing the two nominated AWS VPCs. You can then save this diagram so it is always present in your dashboard (until you choose to delete it). As with all other diagrams, your custom AWS infrastructure diagram keeps itself up to date and retains a version history every time a resource change is detected.
AWS SECURITY DIAGRAMS
Another major benefit of automating the discovery of your AWS environment diagrams using the Hava AWS Diagram Creator is the ability to visualize security group information.
AWS SECURITY Group DIAGRAM
With a security group diagram you can view all of your configured AWS security groups. The open ports are overlaid to give an instant visual snapshot of the traffic flow and access points.
Because the diagram is interactive, your security team can select a particular security group on the diagram and view important information relating to the group, such as the connected resources, ingress and egress IP addresses and associated tags.
AWS VPC Resource List
Sometimes it is just not practical to include every single component onto a diagram. Take for instance Network Interfaces, Volumes or WAF Rules. In a large network with hundreds or maybe thousands of these second tier components, trying to visualize every single component would make the diagram practically unreadable, or certainly too busy to easily recognise the core components and connections.
Hava solves this issue by providing a detailed list that reveals every single resource detected, whether it is visualised on the diagram or not.
This comprehensive list of resources can also be sorted and exported along with estimated monthly costs so you can see at a glance what resources are costing you the most money.
This detailed view is also interactive. Selecting a resource on the diagram will reveal all the known settings and associations that resource has.
AWS ARCHITECTURE DIAGRAM VERSION COMPARISON
Hava continuously scans your AWS architecture, and when changes are detected a new diagram set is automatically generated. The superseded diagrams are not discarded or overwritten; instead they are moved into version history, where they remain fully interactive.
What this means is you can view your cloud architecture at any point in time and also leverage Hava's revision comparison (Diff Diagrams) to quickly identify what has been added or removed between the two diagram dates.
So you can easily identify all the changes made since your last compliance audit, or see what changed yesterday that is causing unexpected network or application errors.
AWS ARCHITECTURE MONITORING
While diff diagrams are super helpful in diagnosing changes after the fact, you may want to keep on top of changes as they happen.
Hava's architecture monitoring alerts will let you know the minute a change is detected. You simply nominate the environment you wish to monitor and add a group of recipients to receive the alerts. When a change is detected like the addition or removal of a resource, Hava will send each recipient a diff diagram showing the changes.
Now you and your security team can be across every change as it happens so you can assess and take action if required.
ENVIRONMENT DIAGRAM NOTES
For every architecture diagram generated you have the ability to add text comments. This serves as a rolling dialogue your team can contribute to that may better explain elements of the diagram or bigger picture concepts related to the diagram.
Notes are accessed from the accordion menu within the attribute pane.
New notes are added to the top of the list, so the list reads newest first, in reverse chronological order.
EXPORTING AWS NETWORK TOPOLOGY DIAGRAMS
The native AWS infrastructure diagrams created by Hava are the nearest we've seen to the examples and recommendations produced by AWS. These are great to view and interrogate via the dashboard, however sometimes you'll need to pull a set of diagrams for archiving, audit purposes or for management or sales presentations.
Hava's built-in export function allows you to do this by providing the following exportable file formats:
- CSV
- VSDX
- JSON
- PNG
Editing Hava Diagrams
Hava maintains updated diagrams of your cloud infrastructure and when a change is detected, a new diagram is created, then Hava places superseded diagrams into a version history.
These diagrams are generated from actual real configuration data (the source of truth) so can be relied upon for audit and governance.
Hava diagrams currently cannot be edited in place; this is what preserves their integrity and auditability.
Should you want to manipulate or embellish your auto generated diagrams with an editor, exporting to VSDX format and using Visio, draw.io or any VSDX compatible drawing package will allow you to edit your diagrams as required.
Should you not have access to Visio but would like to try this out, try opening one of your exported VSDX files in the open-source draw.io (diagrams.net).
Using Hava to do the bulk of the heavy lifting by initially generating accurate diagrams based on what is actually configured in your AWS environment enables you to generate a base diagram ready to edit, which could save you hours or possibly days preparing management reports or base diagrams ready to manipulate.
Container Diagrams
Hava will also visualize containerized tasks and workloads when encountered in your AWS configuration.
Each visualized task is color coded to indicate whether the task is running, starting/stopping or spare.
AUTOMATED AWS DIAGRAM UPDATES
Finally, your documentation is only useful if it is kept up to date. It is quite possible to spend weeks manually constructing AWS network topology documentation only to have it rendered useless by changes to your network configuration.
Built into every Hava account is an auto-sync function that polls connected data sources and automatically updates diagram sets when changes are detected. This means your diagrams are always current.
This includes your automatically detected environments as well as any custom diagrams you made with the query builder and saved to your environment dashboard.
The superseded diagram sets aren't discarded however. They are placed into a version history that enables you to pull up older superseded diagrams in the same fully interactive format.
This allows you to quickly and visually identify changes to your AWS network topology by pulling up the current and superseded diagrams side by side and comparing them. You can also export both diagrams as JSON and use a diff tool to find the changes.
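As an added illustration of the JSON-diff approach described above (and of the added/removed comparison that diff diagrams give you), the following script is not Hava's code and does not use Hava's actual export format: it assumes a simplified, constructed JSON shape with a `resources` list keyed by `id`, and reports added, removed and changed resources between two snapshots, plus any security group that newly opens a port to 0.0.0.0/0.

```python
import json

# Constructed sample snapshots. The shape is an assumption for illustration only,
# not the real Hava JSON export format.
SNAPSHOT_BEFORE = json.dumps({"resources": [
    {"id": "sg-0a1b", "type": "SecurityGroup",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0c2d", "type": "Instance", "subnet": "subnet-1"},
    {"id": "db-old", "type": "RDSInstance", "subnet": "subnet-2"},
]})
SNAPSHOT_AFTER = json.dumps({"resources": [
    {"id": "sg-0a1b", "type": "SecurityGroup",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0c2d", "type": "Instance", "subnet": "subnet-1"},
    {"id": "i-0e4f", "type": "Instance", "subnet": "subnet-1"},
]})

def index_resources(snapshot_json):
    """Map resource id -> resource record so the two snapshots can be compared by id."""
    return {r["id"]: r for r in json.loads(snapshot_json)["resources"]}

def diff_snapshots(before_json, after_json):
    """Return ids added, ids removed, and for surviving ids the attributes that changed."""
    before, after = index_resources(before_json), index_resources(after_json)
    changed = {}
    for rid in set(before) & set(after):
        keys = sorted(set(before[rid]) | set(after[rid]))
        diffs = [k for k in keys if before[rid].get(k) != after[rid].get(k)]
        if diffs:
            changed[rid] = diffs
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": changed}

def world_open_ports(resource):
    """Ports a security group record opens to any IPv4 source (0.0.0.0/0)."""
    return {r["port"] for r in resource.get("ingress", []) if r.get("cidr") == "0.0.0.0/0"}

def newly_exposed_ports(before_json, after_json):
    """Security groups whose world-open ports grew between the snapshots (new groups count too)."""
    before, after = index_resources(before_json), index_resources(after_json)
    exposed = {}
    for rid, res in after.items():
        if res.get("type") != "SecurityGroup":
            continue
        previously = world_open_ports(before[rid]) if rid in before else set()
        new_ports = sorted(world_open_ports(res) - previously)
        if new_ports:
            exposed[rid] = new_ports
    return exposed

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER), indent=2))
    print("newly world-open ports:", newly_exposed_ports(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```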
The version history also allows you to demonstrate the state of your network at any point in time. This can be invaluable during a PCI compliance audit or an insurance claim, should your network design ever be called into question.
Conclusion
There aren't many people that would dispute the benefits of perpetually accurate AWS network topology documentation.
Diagramming networks is the very first task any cloud or security consultant undertakes when onboarding a new client account. This can take days and require multiple engineers, resulting in significant expense to your organisation, or your client's. That time is better spent making improvements.
Automating the process is a far better approach.
Hava provides just this with:
- Auto generation of documentation for your AWS environments (as well as Azure and Google Cloud Platform)
- Automated diagram updates
- Retention of a full set of superseded diagrams in version history every time a resource changes
- A comprehensive API to allow IaC build pipeline integration
- A unique security view detailing security groups with visualized traffic ingress/egress
- True 3D renders
- Separate AWS Well Architected compliance reporting
- Available as SaaS or fully self-hosted
If you are currently building on AWS, Azure or GCP you can try Hava for free here: