When you or your team are building applications on AWS you will reach a point where you need to ensure what you intended to build has been executed according to the design brief. Whether you are a cloud enterprise architect, program manager, infrastructure or security architect, cloud operations engineer, application architect, DevOps or an application developer, at every step of the application development and deployment lifecycle, you need to know exactly what has been build and what is running.
There are lots of reasons why you should accurately diagram and document your AWS environments. Knowing exactly what is running based on the actual resources configured in your AWS environments is probably the number one reason to generate network diagrams from AWS.
Once you have a clear line of sight on your network topology, you can instantly assess whether the network is running as intended.
The Hava automation process discovers exactly what is running in your AWS account as well as Azure and GCP,. This allows you to provide the information and documentation required to onboard engineers faster, get to grips with new client networks or report to management in an easily understood visual format.
With the increasing number of resources that can be configured to autoscale based on traffic and CPU activity, keeping track of all the changes can be difficult unless you automate the process.
Generate Network diagram from AWS
Opening up a drawing package like Visio and adding your AWS Icon template pack is a daunting prospect. It's even more challenging if your AWS environment contains more than a few VPC's, EC2 instances or a load balancer or two.
Firstly you need to manually draw out your VPC's and resources which can take hours or even days, then once you have hand drawn the diagrams, you then need to keep them up to date if they are going to be of any practical use. Typically, the minute you think you have your diagrams up to date, something changes or autoscales and your manually drawn diagrams are out of date. That's where using Hava's automated AWS diagram generator software comes into play.
Let's take a look at what Hava will automatically generate for you.
AWS Network Architecture Diagrams
There are a number of diagrams created by Hava automatically that will prove useful to your engineering and DevOps teams. These include an AWS Infrastructure diagram like this:
This diagram logically lays out all the resources discovered when your AWS account is connected to Hava's AWS Network Diagram Generator. In this diagram the main VPC represented by the green border, is surrounded by associated resources.
Inside the VPC, the availability zones in use are set out in columns and they contain the individual subnets set up in those AZs. All the resources contained in each subnet are diagrammed, as are any load balancers routing traffic to the various subnets.
Because you have a diagram automatically created from configuration data and that config data is stored with the resource info when the diagram is created, now you can interrogate each of the resources to see the settings and associations related to it. By clicking on any of the individual resource icons, the attribute pane on the right of the diagram displays all the known details related to the resource. Something that isn't possible with manually created drag-and-drop diagrams.
Automating the diagram build when you generate network diagrams from AWS can also reveal resources you are paying for and are not using that you may not be aware of. Long forgotten RDS instances and sometimes entire dev or test environments are regularly discovered by this automated diagram process. One of our clients discovered a database instance that was unused and costing close to $3k per month, and had been for over 3 years. That's well over $100,000.00 in unnecessary costs that could have been avoided had they diagrammed their environment earlier.
Custom AWS Infrastructure Diagram
There is always a compromise when it comes to automatically generating network documentation. The way that Hava discovers and builds your diagrams is based at a VPC level. If more than one VPC is detected in your AWS cloud account(s), then one diagram set per VPC is created.
This fits most use cases, however you may want to combine two or more VPCs onto a single diagram. This might be because they both relate to the same project or application. You can do this easily by using the custom query search function built into hava.io.
AWS Network Diagram Generator
The custom query above would create a new custom diagram containing the two specified AWS VPCs specified in the search. You would then have the ability to save this diagram so it is retained in your dashboard until you choose to delete it. As with all other diagrams generated by Hava, your custom AWS infrastructure diagram would keep itself continuously updated and will retain a version history every time a resource change is detected.
AWS Components List View
From our experience working with all sizes of client cloud environments, it is not practical to attempt to include every single component onto an AWS network diagram. Take for instance network interfaces and volumes. In a sizeable network with hundreds or maybe thousands of these less significant components, trying to map out every single component would most likely make the diagram unreadable, or certainly too rammed full of unimportant resources to easily recognise the core resources.
However, just because they aren't the most important elements of your network, it doesn't mean that you don't want to know about them.
Hava solves this issue by providing a detailed components list view that lists out every single resource detected.
This comprehensive list view can be sorted and exported along with estimated monthly costs so you can see at a glance what resources are consuming most of your budget. This detailed view is interactive like the other views. Selecting a resource on the diagram will reveal all the known settings and associations that resource has in the attributes pane on the side of the list view.
AWS Security Group Diagrams
Another benefit when you generate network diagrams from AWS with Hava is the ability to capture and visualize security groups, traffic flow and open port details.
AWS Security Group Diagram
With the security group diagram generated by Hava, you can view all of your configured security groups with the open ports overlaid. This provides an instant visual snapshot of the traffic flow and traffic ingress and egress points.
The security group diagram is also interactive which ensures you can select a particular security group on the diagram and view important information relating to that security group, like the connected resources, ingress and egress ports, IP addresses and associated tags.
Perpetually Updated AWS Diagrams
Your documentation is only useful if it is accurate. It is quite possible to spend weeks manually constructing network topology documentation for complex applications only to have it rendered useless by a minor change to your network configuration.
During the middle of an outage or network incident that has taken down your application, being able to quickly establish what should be running is crucial.
Built into Hava is an auto-sync function that continuously polls your connected AWS sources and automatically updates diagram sets when changes are detected. This means your diagrams are always current and up to date. The superseded diagram sets aren't discarded however, they are placed into version history. This enables you to pull up older diagrams in the same fully interactive format.
Having a detailed version history allows you to quickly and visually identify changes to your AWS environments, so you can easily compare a previously working set of network resources with the current configuration to see what's missing or what changed.
Having this audit trail also allows you to demonstrate the status of your network at any point in history. This can be invaluable during a PCI compliance audit or insurance claim should your network design ever be called into question.
ARCHITECTURAL MONITORING ALERTS
When changes are detected in the configuration of the cloud accounts you are managing, Hava can trigger an alert that lets your know when that change is detected.
This means you always know what is happening in your cloud accounts and for MSPs it means you can let clients loose on their own infrastructure and resources but you can keep an eye on the changes and can warn them of any security or cost implications of the deployed changes - no more bill shock!
COMPARE DIAGRAMS WITH DIFF VIEW
As changes are detected in your cloud configs, Hava stores superseded diagrams in version history automatically. You can compare any two interactive diagrams from any point in time using the revision comparison feature built into Hava. This shows you exactly what resources have been added, and which ones were removed during the time period between the two diagrams.
This could be the current live architecture diagram vs one from yesterday should you need to troubleshoot sudden unexpected application errors, or you could compare architecture over a longer period of time, like the period between PCI compliance audits so the auditors can see the changes they are interested in. You can also use diff views to analyse architectural drift or show clients the changes that have happened over time that have prompted questions around billing and escalating costs.
Exporting Your AWS Diagrams
Native AWS architecture diagrams created by Hava are the nearest we've seen to the examples provided by AWS. These are great to view and interrogate via the interactive dashboard, however sometimes you'll need to pull a set of diagrams for audit purposes or for management or sales presentations or other external purposes.
Hava's built-in export function allows you to do this in a number of formats.
CSV, VSDX, JSON, PDF and PNG
How to Edit Your AWS Network Diagrams
Should you want to edit your Hava generated diagrams, exporting to VSDX format and using Visio, draw.io or any VSDX compatible drawing package will allow you to edit your diagrams as required.
Should you not have access to Visio but would like to try this out, try opening one of your exported VSDX files in draw.io
Getting Hava to do the heavy lifting by generating accurate diagrams based on what is actually configured and running in your AWS environment enables you to access a base diagram ready to edit which will save you hours or possibly days preparing management reports or upgrade plans.
Editing within Hava is not provided as maintaining accurate diagrams generated from the source of truth is the main premise of the software, so having the ability to remove resources that actually exist, or adding resources to a diagram that do not exist would render the integrity of the diagrams and stored version history inaccurate.
In Conclusion.
There aren't too many engineers, architects or developers that would dispute the benefits of perpetually accurate AWS network documentation. Hava provides just this with:
- Auto generation of documentation for your AWS environments (as well as GCP & Azure)
- Keeps the diagram sets updated
- Retains a full set of diagrams in version history every time a resource changes
- Provides a comprehensive API to allow IaC build pipeline integration
- Provides a unique security view detailing security groups with visualized traffic ingress/egress
- Coming soon true 3d and separate compliance reporting
- Available as SaaS or fully self-hosted
You can try Hava for free for 14 days. Learn more here:
See also: What is AWS Elastic Beanstalk