11 min read

Best AWS Diagramming Tool

March 1, 2024

Best_AWS_Diagram_Tool

The best AWS diagram generator is certainly a subjective topic. Depending on how your cloud infrastructure is built, what technologies and automation pipeline you are using will definitely influence your view.

In terms of typical VPC deployment and the resources and services used to build modern cloud based applications, we believe the approach and layout generated by Hava when you connect it to your AWS accounts is a worthy contender for the best AWS diagram tool available, especially if automation and accuracy are important to you.

There are many reasons why you would want to accurately diagram and document your AWS environments. Knowing exactly what is running based on the actual resources configured in your AWS environments is probably the number one reason to use automated AWS Network Diagram Tool software over manually drawn diagrams.

The automated process built into Hava discovers exactly what is running in your AWS account as well as Azure and GCP, so you can provide the information and documentation needed to onboard engineers faster, get to grips with new client networks or report to management in a somewhat easy to understand visual format.

Best AWS Diagram Tool

Sitting down with any drawing package like Lucidchart or Visio and an AWS Icon template pack for most a fairly unatttractive prospect. It's even more challenging if your AWS environment contains a significant number of resource instances, multiple VPCs or is deployed in multiple regions or availability zones.

Initially you need to manually draw out your VPC's and resources which can take hours or even days, then, once you have drawn the diagrams, you need to keep them up to date if they are going to be of any practical use.

As we all know, the minute you think you have your diagrams up to date, something changes or autoscales in or out and your diagrams are suddenly out of date.  That's where using Hava's automated AWS diagram software comes into play.

AWS Network Topology Diagrams

There are a number of auto-generated hava.io diagrams that can prove useful to your engineering and DevOps teams. These include an AWS Infrastructure diagram like this:

AWS_Environment_with_Attribute_Pane

This diagram example logically lays out all the resources discovered when an AWS account is connected to Hava's AWS Network Diagram Generator. The VPC denoted by the green border, is surrounded by associated resources like internet and VPN gateways, S3 Buckets, VPC endpoints, VPC peering connections, Elastic Beanstalk environments and so on.

Inside the visualized VPC, the configured availability zones are laid out in columns that contain the configured subnets.  All the resource instances configured in each subnet are visualized, as are any load balancers routing traffic to the various subnets.

When you have a Hava diagram automatically created from configuration data, Hava captures the metadata related to each resource, so now you can interrogate of each of the resources to see the settings and associations related to it. By selecting any of the individual resource icons displayed on the interactive diagram, the attribute pane on the right of the diagram then displays all the known metadata related to the resource.  Something that simply isn't possible with manually created drag-and-drop diagrams.

Finding Anomalies in your AWS account

Automating the diagram build using Hava can also reveal resources you are paying for, but may not be aware of.  Long forgotten database instances and sometimes entire development or test environments are regularly discovered by this automation process. One of our clients discovered a RDS instance that was unused and costing close to $3k per month, and had been for over 3 years!

Custom AWS Diagrams

There is always a compromise when it comes to automatically generated documentation. The way that the Hava diagram tool discovers and builds AWS diagrams is based at a VPC level. If more than one VPC is detected in the AWS cloud accounts connected to your Hava account, then one diagram set per VPC is created.

This is usually the desired outcome, however you may want to combine two or more VPCs onto a single diagram, for instance if they both relate to the same project or application. 

You might also want to just document resources with a specific tag, or just diagram specific resource types across all your AWS accounts, the options are limitless.  You can also connect your GCP and Azure accounts to Hava and create custom diagrams pulling in details from multiple cloud vendors which can be useful if you have hybrid or multi-cloud infrastructure.

This can be achieved using the custom query search function built into hava.io.

AWS Custom Diagram Generator

custom_diagrams_multiple_vpc

This custom query would create a new 'on-the-fly' custom diagram containing the two nominated AWS VPCs specified in the search.  You would then have the ability to save this diagram so it is retained in your dashboard until you choose to delete it.  As with all other diagrams generated by Hava, your custom AWS infrastructure diagram would keep itself up to date and retain a version history every time a resource change is detected.

AWS Detailed Components Diagram

When designing the best AWS diagram tool we thought it wasn't practical to include every single component onto the AWS network diagram. Take for instance network interfaces, volumes or WAF Rules. In a large network with hundreds or maybe even thousands of these non essential components, trying to diagram out every single component would most likely make the diagram unreadable, or certainly too packed full of unimportant resources making the core components and resources harder to see.

However, that's not to say you don't need to know about them.

We solved this issue by providing detailed components "list view"  that lists out every single resource detected.

List_View_New_UI

This comprehensive list of resources shows both the important resources like EC2 instances, load balancers, database instances etc and this list can also be sorted and exported along with estimated monthly costs so you can see at a glance what resources are costing you the most money. This detailed view is also fully interactive. Selecting a resource on the diagram will reveal all the known settings and associations that resource has in the attribute pane on the right of the diagram.

AWS Security Group Diagrams

Another major benefit of automating the discovery and production of your AWS environment diagrams with Hava is the ability to capture and visualize security groups, traffic and open ports.

AWS Security Architecture Diagram

AWS_Security_Group_Diagram

With the Hava security group diagram view you can view all of your configured security groups with the open ports overlaid to provide an instant visual snapshot of the traffic flow, ingress and egress points. The security group diagram being interactive ensures you can select a particular security group on the diagram and view important metadata relating to the group, like the connected resources, ingress and egress ports, IP addresses and associated tags.

Automated AWS Diagram Updates

Finally, your AWS documentation is only useful if it is accurate. It is quite possible to spend weeks manually constructing network topology documentation only to have it rendered out of date by a minor change to your network configuration.

In the middle of an outage or network incident that has taken down your application, being able to quickly establish what should be running is crucial and having a reference diagram with the last running configuration allows you to isolate the problem.

Built into Hava is an automated sync function that contunually polls connected data sources and automatically updates diagram sets when changes are detected.  This means your diagrams are always current and up to date without your intervention. The superseded diagram sets aren't discarded however. They are placed into version history that enables you to pull up older diagrams in the same fully interactive format.

This allows you to quickly and visually identify changes to your cloud network topology, so you can easily compare a previously working set of network resources with the current configuration to see what's missing .

Having a version history also allows you to demonstrate the status of your network at any point in history. This can be invaluable during a PCI compliance audit or insurance claim should your network design ever be called into question.  

Exporting Generated AWS  Diagrams

The AWS architecture diagrams automatically created by Hava are the nearest we've seen to the examples and recommendations provided by AWS.  These are great to view and interrogate via the interactive dashboard, however sometimes you'll need to pull a set of diagrams for consultants or engineers, audit purposes or for management reports or sales presentations.

Hava's built-in diagram export function allows you to do this in a number of formats.

Export-diagram-formats

CSV, VSDX, JSON, PDF and PNG

ARCHITECTURAL MONITORING ALERTS

When changes are detected in the configuration of the cloud accounts you are managing, Hava can trigger an alert that lets your know when that change is detected.

Alerts_Detail

This means you always know what is happening in your cloud accounts and for MSPs it means you can let clients loose on their own infrastructure and resources but you can keep an eye on the changes and can warn them of any security or cost implications of the deployed changes - no more bill shock! 

COMPARE DIAGRAMS WITH DIFF VIEW

As changes are detected in your cloud configs, Hava stores superseded diagrams in version history automatically. You can compare any two interactive diagrams from any point in time using the revision comparison feature built into Hava. This shows you exactly what resources have been added, and which ones were removed during the time period between the two diagrams.

Hava_Revision_Comparison_Diagram

This could be the current live architecture diagram vs one from yesterday should you need to troubleshoot sudden unexpected application errors, or you could compare architecture over a longer period of time, like the period between PCI compliance audits so the auditors can see the changes they are interested in. You can also use diff views to analyse architectural drift or show clients the changes that have happened over time that have prompted questions around billing and escalating costs.

Editing AWS Network Diagrams

Should you want to manipulate or annotate your Hava generated diagrams, exporting to VSDX format and using Visio, draw.io or any VSDX compatible drawing package will allow you to edit your diagrams as required.  Each resource and component is movable and can be edited, removed or additional resources can be added in the event you are planning network changes.

Should you not have access to Visio but would like to try this out, try opening one of your exported VSDX files in draw.io

exported_hava_diagram_in_drawio

Getting Hava to do the bulk of the heavy lifting by initially generating accurate diagrams based on what is actually configured and running in your AWS environment enables you to access a base diagram ready to edit which will save you hours or possibly days preparing management reports or upgrade plans.

Hava does not allow editing diagrams within the application. This is by design, as keeping the diagrams stored within Hava is important to maintain integrity and accuracy of the diagrams so they always provide a true reference of reality.

ENVIRONMENT DIAGRAM NOTES

For every architecture diagram generated you have the ability to add text comments. This serves as a rolling dialogue your team can contribute to that may better explain elements of the diagram or bigger picture concepts related to the diagram.

Notes are accessed from the accordion menu within the attribute pane.

Access_Environment_Notes

New notes are added to the top of the list so they are stored in chronological order.

Multiple_Notes

 

In Conclusion.

There aren't  many engineers that would dispute the benefits of perpetually accurate network infrastructure documentation.  Hava provides just this with:

  • Auto generation of documentation for your AWS environments (as well as GCP & Azure)
  • Keeps the diagram sets updated
  • Retains a full set of diagrams in version history every time a resource changes
  • Provides a comprehensive API to allow IaC build pipeline integration
  • Provides a unique security view detailing security groups with visualized traffic ingress/egress
  • Coming soon true 3d and separate compliance reporting  
  • Available as SaaS or fully self-hosted

testimonials

You can try Hava for free for 14 days, learn more here:

 

Team Hava

Written by Team Hava

The Hava content team

Featured