If you are building solutions on Microsoft Azure, at some point you'll want to draw some Azure architecture diagrams.
Accurate, up-to-date architecture diagrams let you visually explain your network infrastructure to both your engineering and operations teams, and give management an easy-to-understand representation of what you are building and managing.
Accurate, up-to-date diagrams also confirm that your network has been built in line with your design.
If you are onboarding new engineers, or engaging external consultants, you can bring them up to speed very quickly with a well laid out Azure network topology diagram.
The problem with traditional diagrams has always been the time it takes to draw them, which is why it is better to generate them instead. With manual drag-and-drop diagram software or drawing packages like Microsoft Visio the process can take forever, which is why up-to-date Azure network topology diagrams are rarely on hand. Cloud engineers rarely have the time or motivation to sit down and draw Azure architecture diagrams; who doesn't have far more important or pressing issues to work on?
This is where you can leverage Hava to help you create Azure diagrams.
If you are taking on a new client or development project, having access to infrastructure documentation is a massive advantage when trying to understand exactly what is running on your network. Come to think of it, with the complex nature of cloud consoles and network configurations you may be surprised at what you have running in your existing Azure infrastructure.
Back in the day our team provided expert cloud consulting services. When we took on a new client, diagramming the new client's infrastructure was always the first job in the process. It was always, without exception, time consuming, laborious but necessary in establishing exactly what was going on in the client's cloud accounts prior to starting work on improving or redesigning the network infrastructure.
If you have spent too many hours manually dragging and dropping or busting out the whiteboard to create Azure diagrams so you can keep control of your production and development environments, then you will also appreciate how much time is saved and how many errors are eliminated when you fully automate the Azure architecture diagramming process.
Draw Azure Architecture Diagrams Hands-Free
Microsoft Azure is one of many cloud platforms supported by hava.io, which connects to your cloud configuration using read-only credentials to automate the production and updating of Azure infrastructure diagrams like this:
Connecting Hava to your Azure account so that your network topology diagrams can be automatically generated is a relatively simple process using the SaaS interface.
To import your environment resources from Microsoft Azure, you will need to access your Azure Portal at https://portal.azure.com
You then create a new Service Principal and retrieve a set of credentials to connect to Hava.
* Cloud interfaces change all the time. For the latest method to connect Azure to Hava, please check out : https://docs.hava.io/importing/azure/getting-started-with-azure/powershell
To do this:
1. Launch PowerShell
Open the Azure Portal and launch PowerShell from the top menu bar.
2. Create Service Principal
You create the Service Principal from the command line and give it a display name. HavaServicePrincipal is used as the example name here; choose a name that suits you.
3. Assign Reader Role
Hava only requires read-only access, so assign the built-in Reader role to the Service Principal, scoped to the subscription(s) you want diagrammed. Do not grant Contributor or Owner: a diagramming tool never needs write access, and a leaked secret for a Reader principal can only disclose configuration, not change it.
4. Create the Password
Once you've created the Service Principal and assigned it the Reader role, you need to create password credentials to attach to the Service Principal. Give the credential an explicit expiry and record when it needs rotating; the secret is shown once and should be stored in a password manager, not in shell history or a ticket.
5. Obtaining the Credentials
The final step required is to retrieve the necessary credentials to input into Hava.
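The five steps above, carried out end to end. This is an added example, not Hava's own script; it assumes the Az PowerShell module (Az.Resources 5.x or newer, which is what the Portal's Cloud Shell ships) and that you are already signed in. The display name and the six-month expiry are placeholders, and the four output fields (tenant ID, subscription ID, client ID, client secret) are the values a read-only Azure integration normally asks for, not a quotation of Hava's form.

```powershell
# Added example (not Hava's code). Assumes Az.Resources 5.x+ in Azure Cloud Shell,
# already signed in. $displayName and the expiry are placeholders.
$displayName    = "HavaServicePrincipal"
$ctx            = Get-AzContext
$subscriptionId = $ctx.Subscription.Id
$tenantId       = $ctx.Tenant.Id
$scope          = "/subscriptions/$subscriptionId"

# 2. Create the app registration and its service principal. Do NOT pass -Role:
#    Az releases before 5.0 granted Contributor at subscription scope by default,
#    far more than a read-only diagramming tool needs.
$sp = New-AzADServicePrincipal -DisplayName $displayName

# 3. Grant Reader at subscription scope only. Directory replication can lag for a
#    few seconds after creation, so retry the assignment briefly.
for ($attempt = 1; $attempt -le 6; $attempt++) {
    try {
        New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName "Reader" `
            -Scope $scope -ErrorAction Stop | Out-Null
        break
    } catch {
        if ($attempt -eq 6) { throw }
        Start-Sleep -Seconds 10
    }
}

# 4. Create a password credential with an explicit expiry (assumed: six months).
$cred = New-AzADSpCredential -ObjectId $sp.Id -EndDate (Get-Date).AddMonths(6)

#    Newer Az releases also attach an auto-generated one-year password at creation.
#    Remove it so the only secret in circulation is the one created above.
foreach ($auto in @($sp.PasswordCredentials | Where-Object { $_ -and $_.KeyId -ne $cred.KeyId })) {
    Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $auto.KeyId
}

# Least-privilege check: the principal should hold Reader and nothing else.
$extra = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.RoleDefinitionName -ne "Reader" }
if ($extra) {
    Write-Warning "Unexpected role assignments on $displayName; remove them:"
    $extra | Format-Table RoleDefinitionName, Scope -AutoSize
}

# 5. The values to paste into Hava. Treat ClientSecret like a password: it is shown
#    once, so store it in a password manager and clear it from the shell afterwards.
[pscustomobject]@{
    TenantId       = $tenantId
    SubscriptionId = $subscriptionId
    ClientId       = $sp.AppId
    ClientSecret   = $cred.SecretText
}
```

If Hava should see several subscriptions, repeat step 3 for each subscription scope rather than assigning Reader at the management-group or tenant root level, which would expose everything under it to the tool.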
Once you have the required credentials, you can log in to Hava which will open up the environments screen. You then select "Add Environments"
Click on the "Azure" Tab and enter the credentials you have just gathered from your Azure PowerShell.
You may at this point optionally name the connection. Hava will import your Microsoft Azure environment, layout the diagram and add the environment tile to the Hava dashboard.
From this point Hava continuously syncs with your Azure subscription and detects changes. When a change is detected, a new Azure diagram is created and the superseded diagram is placed into a fully interactive version history, so you always have an accurate visual representation of your Azure environment from any point in time, whenever required.
When you create Azure diagrams with Hava, the diagrams are laid out by resource group, which typically contain subnets running in virtual networks. Not all of the resource metadata is placed on the diagram; the full set is displayed in a contextual attribute pane to the right-hand side of the diagram.
Resource names and connection lines can be toggled on or off depending on your preference. The resource names appear under the diagram icons when enabled.
This keeps your Azure network topology diagram clean and free from clutter. The automatically generated network diagram lets you select the interactive elements of the diagram, like a virtual network, a subnet or individual resources such as load balancers, gateways, virtual machines, peering connections and storage accounts. When you select an item on the diagram, all of its metadata and settings are displayed in the attribute pane to the right-hand side. The attribute pane is contextual to the currently selected element: as you select different resources, its contents change.
With nothing selected on the diagram, the attribute pane displays information about the entire Azure environment including a usage cost estimate.
Azure Security Group Diagrams
When Hava auto-generates Azure diagram sets, a security group diagram is created.
This diagram shows the network security groups, inbound and outbound traffic routes and the ports that are in use. It is specifically built for your security team to help immediately spot exposures such as unexpected ingress points, or ports open to unintended IP address ranges. Note that network security groups are not drawn on the main infrastructure diagram (see the resource table at the end of this article), so this is the diagram to use when reviewing NSG rules.
Microsoft Azure Diagram Versioning
Diagram Versioning is one of the most powerful aspects of using Hava as part of your build pipeline or cloud toolkit. Hava keeps track of the changes detected in your Microsoft Azure infrastructure via continuous automated polling of your Azure configuration.
Once a change is detected in your Azure configuration, a new diagram set is created and the superseded diagrams are placed in the source diagram's version history. At any time, you can select an older version of a diagram to view and inspect what the network looked like at that point in time. The versions remain fully interactive, not just static diagrams: you can click into resources, inspect attributes and settings, and view the extended infrastructure and 3D views just as you can on the live diagrams.
If you need to track down a network error or change that has caused your Azure-dependent applications to fail or has degraded their performance, you can pull up an older diagram set in a separate browser window and compare it with the current diagrams side by side to spot the differences visually.
If your environments are large or complex, you can also export current and superseded diagrams in JSON format and diff the files to surface all the changed resources and settings.
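A side-by-side visual comparison will miss a single changed NSG rule in a large environment; diffing the exports will not. The script below is an added example, not Hava's tooling. The page does not show the schema of Hava's JSON export, so it assumes the simplest plausible shape (an array of resources, each with an `id`, a `type` and whatever settings the resource carries); adapt the property names to what your export actually contains. The two snapshots embedded in it are constructed sample data, not real Hava output.

```powershell
# Added example (not Hava's code). Assumed export schema: a JSON array of resources,
# each with "id", "type" and further resource-specific properties.
function Compare-ResourceExport {
    param(
        [Parameter(Mandatory)] [string] $OldJson,   # superseded export
        [Parameter(Mandatory)] [string] $NewJson    # current export
    )
    $old = @{}
    foreach ($r in (ConvertFrom-Json -InputObject $OldJson)) { $old[$r.id] = $r }
    $new = @{}
    foreach ($r in (ConvertFrom-Json -InputObject $NewJson)) { $new[$r.id] = $r }

    $changes = New-Object System.Collections.Generic.List[object]

    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            $changes.Add([pscustomobject]@{ Change = 'Removed'; Id = $id; Type = $old[$id].type;
                                             Property = $null; Before = $null; After = $null })
        }
    }
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) {
            $changes.Add([pscustomobject]@{ Change = 'Added'; Id = $id; Type = $new[$id].type;
                                             Property = $null; Before = $null; After = $null })
            continue
        }
        $a = $old[$id]; $b = $new[$id]
        # Union of property names on both sides, so a property that only appears
        # in one snapshot is still reported.
        $props = (@($a.PSObject.Properties.Name) + @($b.PSObject.Properties.Name)) | Sort-Object -Unique
        foreach ($p in $props) {
            # Serialise nested settings (for example NSG rule lists) so they compare
            # structurally rather than by object reference.
            $before = ConvertTo-Json -InputObject $a.$p -Compress -Depth 10
            $after  = ConvertTo-Json -InputObject $b.$p -Compress -Depth 10
            if ($before -ne $after) {
                $changes.Add([pscustomobject]@{ Change = 'Changed'; Id = $id; Type = $b.type;
                                                 Property = $p; Before = $before; After = $after })
            }
        }
    }
    return $changes
}

# Constructed sample snapshots (not real Hava output). Between them an SSH rule that
# allowed only the 10.0.0.0/8 range was widened to the whole internet, and a public IP
# was added. 203.0.113.10 is from the documentation address range.
$snapshotOld = @'
[
  {"id":"nsg-web","type":"Network Security Group",
   "rules":[{"name":"allow-ssh","port":"22","source":"10.0.0.0/8","access":"Allow"}]},
  {"id":"vm-web01","type":"Virtual Machine","size":"Standard_B2s"}
]
'@
$snapshotNew = @'
[
  {"id":"nsg-web","type":"Network Security Group",
   "rules":[{"name":"allow-ssh","port":"22","source":"0.0.0.0/0","access":"Allow"}]},
  {"id":"vm-web01","type":"Virtual Machine","size":"Standard_B2s"},
  {"id":"pip-web01","type":"Public IP","address":"203.0.113.10"}
]
'@

Compare-ResourceExport -OldJson $snapshotOld -NewJson $snapshotNew |
    Sort-Object Change, Id | Format-Table -AutoSize
```

With real exports, read each file with `Get-Content -Raw` and pass the strings in; the `Before`/`After` columns for the NSG row show the rule's source changing from `10.0.0.0/8` to `0.0.0.0/0`, which is exactly the kind of change that is easy to miss on a diagram and worth wiring into an alert.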
All the interactive Hava diagrams are exportable in a number of formats.
Can you Create Azure Diagrams to Edit?
There is no way within Hava to draw diagrams from scratch or to add or remove resource icons. This is because native Hava diagrams are designed to always reflect the source of truth at any point in time: you can always be confident that what you are looking at on a Hava diagram accurately reflects reality, because there is no way to add or remove diagram elements, resources or metadata that could cause confusion or misrepresent the state of the network during a security or compliance audit, for instance.
We do however appreciate that sometimes you would like to use your Hava Azure network diagrams as a starting point for some redesign work, or you would like to annotate a diagram to explain elements of the diagram in management or sales presentations.
To enable manual editing of diagrams in that scenario, Hava provides:
Azure Diagram VSDX Export
The VSDX export option is the solution that enables you to export your Microsoft Azure infrastructure diagrams in Visio format. You can then use Visio or a compatible application like draw.io (diagrams.net) to import the diagram for manipulation.
This provides exported editable diagrams while also maintaining the integrity of the diagrams and data held within the Hava ecosystem, so you have an unquestionable source of truth reference retained within your Hava account. This documentation could be used during a PCI compliance audit, an insurance investigation, or maybe a security or other type of audit.
Additional Azure Network Diagrams
On top of the standard infrastructure architecture diagrams discussed above, there are two more diagrams for Azure that are automatically produced by simply connecting your Azure account to Hava.
The extended infrastructure view is in the same format as the infrastructure view, however it adds some additional information to the diagram like full resource names, IP addresses and resource sizes.
When you use Hava to automatically create Azure diagrams, the final Azure diagram is the "List View". This diagram is more like a report and, as the name suggests, provides a list of all the resources discovered in your environment.
This includes elements discovered in your data source that are not visualised on your diagrams. Some environments may have dozens of unimportant instances like network interfaces or virtual machine extensions, which add very little to the understanding of how the network is constructed and which if visualised could make the diagrams messy and difficult to read.
The list view is where you can find these resources. The list can be filtered, sorted by name, type or price and exported to CSV for easy import into a spreadsheet that can be used for cost analysis.
The visualised Microsoft Azure Diagram resources are detailed below.
| Resource | Visualised | Not Visualised |
|---|---|---|
| Application Gateway | ✓ | |
| Availability Set | | ✓ |
| Express Route | ✓ | |
| Load Balancer | ✓ | |
| Local Network Gateway | ✓ | |
| Network Interface | | ✓ |
| Network Security Group | | ✓ |
| Public IP | | ✓ |
| Redis Cache | ✓ | |
| Resource Group | ✓ | |
| Route Table | ✓ | |
| SQL Server | ✓ | |
| Storage Account | ✓ | |
| Subnet | ✓ | |
| Virtual Machine | ✓ | |
| Virtual Machine Extension | | ✓ |
| Virtual Machine Scale Set | | ✓ |
| Virtual Network | ✓ | |
| Virtual Network Gateway | ✓ | |
| Virtual Network Peering | ✓ | |