The Problem with Cloud Computing Diagrams
The cloud computing landscape is becoming increasingly complex. As the adoption of multi-cloud infrastructure becomes more popular and the three major cloud vendors release more and more services and compute options, keeping pace is challenging.
Discovering and documenting all the resources and their respective settings across multiple cloud consoles can be a daunting prospect, especially if you are taking over infrastructure as a new team member or taking on a new client's network or project.
The first consideration is getting to grips with what is running. More often than not, there will be little to no documentation, or if there is, it is so out of date that it is of little use. Accurate diagrams communicate at a glance how infrastructure is configured, what resources are running where and how they communicate. Diagrams are a window into the heart of any application, so it is essential that reality is reflected within the documentation.
Time is the next hurdle. Manually drawing and mapping out client networks or application infrastructure can take multiple team members days or weeks for particularly complex environments. Often you just don't have the time to dedicate to producing complex accurate diagrams.
The next issue is keeping your diagrams up to date. With today's cloud technologies often utilising autoscaling and easily deployed infrastructure as code approaches, the chances are your environments are rapidly changing and scaling/descaling as loads change. Automation makes it easier to respond to network load requirements, but adjusting and updating your infrastructure diagrams to reflect these changes is often overlooked or not considered a priority. Keeping on top of accurate documentation can be expensive if you are engaging highly skilled staff or external consultants to do this work.
Why Create Cloud Computing Diagrams?
The use cases for creating and maintaining accurate network topology diagrams are compelling.
The first reason is better internal communication. If you are onboarding a new engineer, being able to show them the network in diagram form will immediately convey what is running and how it all hangs together. This is done in seconds instead of hours or days of tedious research trawling through console settings.
The second reason is ease of external communication. From a governance perspective, having accurate diagrams to demonstrate the state and structure of your network is important. Should you be subject to PCI compliance audits or questions around data protection or integrity, having accurate documentation on the state and design of your network infrastructure at any point in time will enable you to respond with confidence. You'll be much better prepared for SOC/PCI/ISO audits.
The third reason to maintain accurate diagrams is faster fault diagnosis and disaster recovery. Sometimes things go wrong and the faster you can identify the problem the better. If you have previous versions of your network configuration in diagram form that you can visually compare to what's currently running, you may be able to identify changes causing the issue faster than looking through logs and console settings. Having the ability to compare versions with a diff view or revision comparison tool that highlights the changes between diagrams is extremely useful.
Why Auto Generate Network Topology Diagrams?
Manually drawing network diagrams is extremely time consuming and error prone, and you would probably only consider this method where absolutely no infrastructure already exists, such as a proposal or proof of concept. Since no cloud infrastructure has been created yet, you are left with no other option.
Once infrastructure exists however, then there is no excuse for spending time manually mapping out what is running. You can and should automate the diagramming process by connecting your cloud accounts to Hava and letting the application do all the heavy lifting.
When our founding team began looking at diagram automation, it was in response to the excessive amount of time it was taking to discover and diagnose what was running in new client cloud environments within their cloud consultancy. It was always a major undertaking to map out the existing infrastructure prior to any redesign recommendations.
This sentiment has been echoed by many Hava users, especially those working in the cloud consulting and MSP space. Automating the process has saved users hundreds, if not thousands of man hours getting to grips with cloud infrastructure as they take on new client networks.
Accuracy is another consideration. If you are manually drawing network diagrams, then it is very easy to draw a resource that doesn't exist or has been deleted since the original design and deployment. It's equally easy to miss a resource that has been deployed but wasn't in the original design, especially if auto scalers are in use.
Keeping on top of what is actually running manually is tough, especially if you have dynamic configurations that autoscale, which is why we believe automation is the only way to go. When you automate your cloud computing diagrams based on actual running configuration data, you end up with accurate infrastructure diagrams from a "source of truth". There is then no question that the diagrams you are looking at reflect reality.
Identifying Cloud Network Vulnerabilities
When you create network visualization diagrams with Hava, your network is laid out logically by virtual network or VPC. Within each diagram subnets are drawn within availability zones. What this layout provides is the ability to spot redundancy issues. If an AZ has an outage, will your application persist? The Hava layouts allow you to answer that question easily.
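The AZ-outage question above can be answered from raw inventory data as well as from a diagram. The following is an added example, not Hava's code: it takes a constructed, trimmed-down inventory in the shape of EC2 DescribeSubnets / DescribeInstances output (the IDs, AZs and app tags are made up) and reports which applications and which VPCs are pinned to a single availability zone.

```python
"""Spot single-AZ deployments from a VPC inventory.

Added example (not Hava's code). The inventory below is constructed to
look like a trimmed EC2 DescribeSubnets / DescribeInstances result so the
check runs offline; field names follow the AWS API, the values are made up.
"""
from collections import defaultdict

# Constructed sample: two VPCs, subnets spread across AZs.
SUBNETS = [
    {"SubnetId": "subnet-0a1", "VpcId": "vpc-0aaa", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-0b1", "VpcId": "vpc-0aaa", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-0c1", "VpcId": "vpc-0bbb", "AvailabilityZone": "eu-west-1a"},
]

# Constructed sample instances, tagged with the application they belong to.
INSTANCES = [
    {"InstanceId": "i-001", "SubnetId": "subnet-0a1", "Tags": [{"Key": "app", "Value": "web"}]},
    {"InstanceId": "i-002", "SubnetId": "subnet-0b1", "Tags": [{"Key": "app", "Value": "web"}]},
    {"InstanceId": "i-003", "SubnetId": "subnet-0a1", "Tags": [{"Key": "app", "Value": "api"}]},
    {"InstanceId": "i-004", "SubnetId": "subnet-0a1", "Tags": [{"Key": "app", "Value": "api"}]},
    {"InstanceId": "i-005", "SubnetId": "subnet-0c1", "Tags": [{"Key": "app", "Value": "batch"}]},
]


def tag_value(resource, key, default="untagged"):
    """Return the value of tag `key` from an AWS-style Tags list."""
    for tag in resource.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return default


def azs_by_app(subnets, instances, tag_key="app"):
    """Map each application to the set of AZs its instances run in."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    result = defaultdict(set)
    for inst in instances:
        az = subnet_az.get(inst["SubnetId"])
        if az is None:
            continue  # subnet not in the inventory: skip rather than guess an AZ
        result[tag_value(inst, tag_key)].add(az)
    return dict(result)


def single_az_apps(subnets, instances, tag_key="app"):
    """Applications whose instances all sit in one AZ: an AZ outage takes them down."""
    return sorted(app for app, azs in azs_by_app(subnets, instances, tag_key).items()
                  if len(azs) == 1)


def single_az_vpcs(subnets):
    """VPCs whose subnets are all in one AZ: nothing inside them can be multi-AZ."""
    vpc_azs = defaultdict(set)
    for s in subnets:
        vpc_azs[s["VpcId"]].add(s["AvailabilityZone"])
    return sorted(vpc for vpc, azs in vpc_azs.items() if len(azs) == 1)


if __name__ == "__main__":
    print("apps pinned to one AZ:", single_az_apps(SUBNETS, INSTANCES))
    print("VPCs with subnets in one AZ only:", single_az_vpcs(SUBNETS))
```

Grouping by an application tag rather than by subnet is the point: two instances in different subnets of the same AZ still share the AZ's failure domain, and an instance whose subnet is missing from the inventory is skipped rather than silently assigned an AZ.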
How to Generate Cloud Computing Diagrams
Using Hava.io, generating cloud network topology diagrams for AWS, GCP and Azure is extremely straightforward. By creating an AWS cross-account role, a set of Azure read-only credentials or a GCP service account and adding them to Hava, you'll have your first set of diagrams automatically created.
Interactive Cloud Computing Diagrams
When you think of a network diagram, you generally imagine a static document containing resource icons, maybe some supporting text adjacent to the icons and a bounding box or two to represent VPCs or Subnets.
The term "Diagram" doesn't really do justice to the visualizations that Hava automatically generates. When your cloud config is scanned, the settings for each resource discovered are also captured. When you select a resource on the diagram, the contextual attribute pane to the right of the diagram displays all of the known config data. This saves you having to switch out to your cloud console to find more information about the resource.
Hava currently supports three cloud computing platforms:
AWS Cloud Computing Diagrams
The AWS infrastructure view diagram is created when a VPC is discovered in an environment. Within the VPC, each availability zone is laid out in columns containing all the discovered subnets.
As previously mentioned, selecting a resource, a subnet or the entire VPC bounding box will change the attribute pane to display details about the selected item.
In addition to the infrastructure view, AWS environments also spawn a security group diagram.
The security view displays all the discovered security groups. On top of the groups, the open ports and traffic flow are overlaid, which allows you to view the traffic ingress and egress and hopefully spot any vulnerabilities caused by misconfigured ports.
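The two things the security view overlays, world-reachable ports and group-to-group traffic flow, can be derived from security group rules directly. The following is an added example and not Hava's code: it runs over constructed security groups in the shape of trimmed EC2 DescribeSecurityGroups output (group IDs and rules are made up), lists sensitive ports reachable from 0.0.0.0/0 or ::/0, and extracts the group-to-group ingress edges that a traffic flow overlay would draw.

```python
"""Audit security group rules for world-open ingress and map group-to-group flows.

Added example (not Hava's code). The groups below are constructed to mimic
trimmed EC2 DescribeSecurityGroups output; IDs, names and CIDRs are made up.
"""

# Ports whose exposure to the whole internet is almost always a misconfiguration.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample security groups.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-web",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        ],
    },
    {
        "GroupId": "sg-legacy",
        "GroupName": "legacy-all-open",
        "IpPermissions": [
            # IpProtocol "-1" is the AWS encoding for all protocols and all ports.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def _sources(perm):
    """All CIDR sources (v4 and v6) of one permission entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def _port_span(perm):
    """Inclusive port range of a permission; '-1' covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_rules(groups):
    """Return (group_id, port, service) for every sensitive port reachable from anywhere."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not ANYWHERE.intersection(_sources(perm)):
                continue
            lo, hi = _port_span(perm)
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, service))
    return findings


def group_to_group_edges(groups):
    """Edges (source_sg, dest_sg, from_port, to_port) for rules that reference another group."""
    edges = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _port_span(perm)
            for pair in perm.get("UserIdGroupPairs", []):
                edges.append((pair["GroupId"], sg["GroupId"], lo, hi))
    return edges


if __name__ == "__main__":
    for finding in world_open_rules(SECURITY_GROUPS):
        print("world-open:", finding)
    for edge in group_to_group_edges(SECURITY_GROUPS):
        print("flow:", edge)
```

Two details matter when reading real rule sets: an IPv6 `::/0` source is just as open as `0.0.0.0/0` and is easy to overlook in a console, and a protocol of `-1` has no FromPort/ToPort at all, so a checker that only looks at explicit port fields misses the widest rule of the lot.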
AWS container workloads are also supported via diagram visualization.
You can see all of the visualized resources for AWS here.
GCP Cloud Computing Diagrams
Google Cloud diagrams are supported by Hava. The GCP diagrams are laid out by network. Subnetworks are mapped within the network and contain the discovered resources. Zones are also visualized within the virtual networks.
Currently security and container views for GCP are on the development roadmap.
A list of visualized GCP resources can be found here.
Azure Cloud Diagrams
Azure is the third platform supported by Hava for which diagrams are automatically generated. Azure Network Diagrams are generated for each discovered resource group, which in turn contain virtual networks and subnets.
The interactive nature of the Azure diagrams means you can select resources and components just like the AWS and GCP diagrams to dig into the settings and configuration of each component.
A full list of visualized Azure resources can be found here.
Cloud Diagram Versioning
A cloud diagram is only of value when it is up to date, unless you need something historical to compare against what is currently running.
Hava approaches the need for both current automated up to date diagrams and historical network diagrams by way of a unique versioning system.
Hava polls your cloud configuration continuously. Once a change is detected in an environment, a new set of diagrams is generated and the superseded set is placed into version history. The historical versions are also fully interactive, so you can dig into historical settings and config data which is especially useful when diagnosing errors or unexpected events.
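The poll-and-version cycle described here, and the diff view mentioned in the fault diagnosis section above, both reduce to comparing two configuration snapshots. The following is an added example, not Hava's code: snapshots are modelled as a mapping from resource id to attributes (the two shown are constructed to contain one added, one removed and one changed resource), a fingerprint decides whether a poll produced a new version, and the diff reports exactly which attributes changed.

```python
"""Detect configuration drift between inventory snapshots and describe the diff.

Added example (not Hava's code). A snapshot is modelled as
{resource_id: attributes}; the two snapshots below are constructed so that
one resource is added, one removed and one changed between versions.
"""
import hashlib
import json

SNAPSHOT_V1 = {
    "sg-web": {"type": "security_group", "ingress": ["tcp/443 from 0.0.0.0/0"]},
    "i-001": {"type": "instance", "subnet": "subnet-0a1", "instance_type": "t3.small"},
    "i-002": {"type": "instance", "subnet": "subnet-0b1", "instance_type": "t3.small"},
}

SNAPSHOT_V2 = {
    "sg-web": {"type": "security_group",
               "ingress": ["tcp/443 from 0.0.0.0/0", "tcp/22 from 0.0.0.0/0"]},
    "i-001": {"type": "instance", "subnet": "subnet-0a1", "instance_type": "t3.small"},
    "i-003": {"type": "instance", "subnet": "subnet-0a1", "instance_type": "t3.large"},
}


def fingerprint(snapshot):
    """Stable hash of a snapshot; key order does not affect it."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_snapshots(old, new):
    """Added/removed resource ids plus, for resources in both, the attributes that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rid in sorted(set(old) & set(new)):
        deltas = {}
        for key in sorted(set(old[rid]) | set(new[rid])):
            before, after = old[rid].get(key), new[rid].get(key)
            if before != after:
                deltas[key] = (before, after)
        if deltas:
            changed[rid] = deltas
    return {"added": added, "removed": removed, "changed": changed}


def render(diff):
    """Human-readable change list: the text equivalent of a highlighted diff view."""
    lines = [f"+ {rid}" for rid in diff["added"]]
    lines += [f"- {rid}" for rid in diff["removed"]]
    for rid, deltas in diff["changed"].items():
        for key, (before, after) in deltas.items():
            lines.append(f"~ {rid}.{key}: {before!r} -> {after!r}")
    return "\n".join(lines)


class VersionHistory:
    """Keeps every distinct snapshot; superseded versions stay available for comparison."""

    def __init__(self):
        self.versions = []

    def poll(self, snapshot):
        """Store `snapshot` as a new version only if it differs from the latest one."""
        if self.versions and fingerprint(self.versions[-1]) == fingerprint(snapshot):
            return False
        self.versions.append(snapshot)
        return True

    def diff_latest(self):
        """Diff between the two most recent versions, or None if there is only one."""
        if len(self.versions) < 2:
            return None
        return diff_snapshots(self.versions[-2], self.versions[-1])


if __name__ == "__main__":
    history = VersionHistory()
    history.poll(SNAPSHOT_V1)
    history.poll(SNAPSHOT_V2)
    print(render(history.diff_latest()))
```

Hashing a canonical JSON serialisation means a poll that returns the same data in a different order does not create a spurious version, while the attribute-level diff makes the interesting change here, a new `tcp/22 from 0.0.0.0/0` ingress rule, stand out instead of being buried in a full listing.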
If you are working with AWS, Azure or GCP and can see the benefits of improved accuracy and massive time savings from automating your documentation production, then moving to an automated solution like Hava will help improve accuracy, remove time-consuming manual drawing tasks and may surface resources or security vulnerabilities you are presently unaware of.
You can tailor subscriptions for the number of cloud accounts you are managing. When you first open a Hava account you will receive a free 14 day trial of the fully featured Teams account so you can try out all the features.
You can learn more about Hava here: