If you are using AWS to build solutions that consist of more than a handful of resources you will appreciate the need for accurate network documentation. By far, the best form of documentation to be able to easily communicate how your AWS network is constructed is a network topology diagram.
Mapping out your VPCs, regions, subnets and resources lets you see exactly what is running where and how resources are connected. That is invaluable when you need to identify potential problems or improvement opportunities, or need to explain to new engineers or external consultants exactly how your network hangs together.
When your network consists of only a few resources it is possible to create diagrams manually using a drawing tool and scouring through your AWS account console to identify the resources you have provisioned and the regions and VPCs that have been used to contain them.
Once you start using multiple accounts, autoscaling, multi-region, multi-zone designs and potentially hundreds of provisioned resources, the task of manually creating diagrams becomes incredibly complex and time consuming.
The potential for diagram errors is ever present, and because some AWS services change your network automatically, keeping your documentation up to date and accurate can be next to impossible.
The solution is to automate the process using hava.io. Hava was created by expert cloud consultants who needed a method of quickly visualizing client cloud infrastructure so the actual work of improving and redesigning could begin.
When you have an accurate visualization of your AWS network topology, you can spot vulnerabilities like availability zone redundancy issues and security issues like open ports and unsecured resources.
Automated discovery of your AWS resources can also surface orphaned and obsolete resources that haven’t been deleted. Usually this is a result of legacy apps or testing environments that were never shut down and are going unnoticed, buried in your AWS billing account.
Hava’s AWS Diagram Maker
Getting started with Hava is simple. In line with AWS best practice, all you need to do is create a cross account role in AWS and use it to connect to your Hava account.
Once connected, Hava will read your console configuration settings and build diagrams for each VPC or serverless cluster discovered. At no time does Hava read the contents of your databases or file systems.
Any data that is stored in order to draw the diagrams is encrypted both in transit and at rest.
There are several AWS diagram views created.
AWS Infrastructure View
The infrastructure view shows a VPC (the green box). The vertical dotted line columns represent the availability zones in use and within these are your subnets (the blue rectangles).
Clicking on the VPC, AZ, Subnet or an individual resource icon will reveal an attribute pane on the right hand side of the diagram.
The strategy behind the attribute pane is to keep the diagram as clean and readable as possible. If we attempted to place all the key metadata related to the resources on the diagram, it would soon become unreadable.
AWS 3D Diagrams
As well as zoom, skew and stretch, one of the diagram canvas controls allows you to view a 3D render of your network topology. This view is also interactive, so you can select elements to change the attribute pane and highlight selected resources. The 3D view also allows you to rotate the canvas and fly in and out to view the 3D models up close.
Export and Edit AWS Diagrams
Hava does not have an edit function; it will only diagram resources that actually exist. This is to maintain the integrity of your diagrams as a source of truth. What is running in your AWS account is what appears on your diagrams. This makes them an invaluable resource when faced with compliance or audit questions and enables you to be confident that the network you designed has been correctly provisioned. There can be no suggestion that resources on the diagram were not running, or that resources were running that are no longer on the diagram.
That said, it is possible to export hava diagrams in a number of formats:
PDF and PNG hard copies of your diagram can be used for presentations, reports or interesting wall hangings in the office. The CSV export contains all the resources, which you can import into spreadsheets or use for diffing or other analysis.
The VSDX files are the starting point for external editing. You can use Visio or a compatible editor like draw.io (either online or offline). When ingested, all of the diagram components are editable, so you can remove, add, annotate or draw whatever you like onto the diagram.
This is especially useful if you want to take your existing infrastructure as a baseline for proposed changes to your AWS network. Keeping the editing outside of Hava maintains the integrity of your diagram history.
Auto Update AWS Diagrams
Just as creating diagrams manually can be a time consuming, labour intensive task, keeping those diagrams up to date can be equally time consuming. With dev teams pushing infrastructure as code on a regular basis, or autoscaling operations adding and removing resources at will, it's no wonder the majority of dev teams admit to not keeping on top of their network diagram documentation.
Once you connect Hava to your AWS account, your diagrams will be kept up to date automatically.
AWS Diagram Version History
When things go wrong and your application(s) stop working as expected, you need to find out what caused the outage as soon as possible. When Hava detects changes in your network infrastructure it creates a new diagram and places the superseded version into a version history.
This means you have an audit trail of all the changes in your network. You can pull up the previous version to see what was added, what was removed or what changed.
You can also respond to historical enquiries, like the accounts team asking why the AWS bill doubled in March. Having two diagrams side by side makes it easy to visualise the changes, or you can export both the current and previous diagrams in CSV or JSON to compare them programmatically.
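As an added example (not Hava's own code) of the programmatic comparison mentioned above, the script below diffs two CSV exports of a diagram's previous and current versions. The export's column names (id, type, region, vpc, name) are assumed here; adjust them to the real header.

```python
"""Diff two Hava-style CSV diagram exports: what was added, removed or changed."""
import csv
import io
from collections import Counter

# Constructed sample exports standing in for the previous and current versions.
PREVIOUS_CSV = """id,type,region,vpc,name
i-0a1,ec2,us-east-1,vpc-1,web-1
i-0a2,ec2,us-east-1,vpc-1,web-2
db-1,rds,us-east-1,vpc-1,orders-db
"""
CURRENT_CSV = """id,type,region,vpc,name
i-0a1,ec2,us-east-1,vpc-1,web-1
i-0a3,ec2,us-east-1,vpc-1,web-3
i-0a4,ec2,us-east-1,vpc-1,web-4
db-1,rds,us-east-1,vpc-1,orders-db-large
"""

def load_export(text):
    """Parse a CSV export into {resource id: row}; 'id' is an assumed column."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}

def count_by_type(text):
    """Resource counts per type, useful for 'why did the bill go up' questions."""
    return Counter(row["type"] for row in load_export(text).values())

def diff_exports(previous_text, current_text):
    """Return (added ids, removed ids, {id: {column: (old, new)}})."""
    prev, curr = load_export(previous_text), load_export(current_text)
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))
    changed = {}
    for rid in sorted(set(prev) & set(curr)):
        delta = {col: (prev[rid][col], curr[rid].get(col))
                 for col in prev[rid] if prev[rid][col] != curr[rid].get(col)}
        if delta:
            changed[rid] = delta
    return added, removed, changed

if __name__ == "__main__":
    added, removed, changed = diff_exports(PREVIOUS_CSV, CURRENT_CSV)
    print("added:", added)
    print("removed:", removed)
    for rid, delta in changed.items():
        for col, (old, new) in delta.items():
            print(f"changed: {rid} {col}: {old!r} -> {new!r}")
    print("counts before:", dict(count_by_type(PREVIOUS_CSV)))
    print("counts after: ", dict(count_by_type(CURRENT_CSV)))
```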
AWS Security Group Diagram Maker
The next view is the Security Group view. This diagram lays out all your security groups down the page and overlays the open ports and traffic ingress/egress so your security team can visually assess vulnerabilities.
Selecting a security group will change the attribute pane to show the group’s metadata and all the resources connected to the group. Security diagrams are also sent to version history once they are superseded, which gives your security team accurate data during an audit or security event.
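The check a security team makes visually on the Security Group view, ingress rules open to the whole internet, can also be run as code. This is an added example, not Hava's code; it works on security group data in the shape the AWS describe-security-groups API returns (constructed inline here), and the set of ports considered acceptable to expose publicly is an assumed policy.

```python
"""Flag security group ingress rules reachable from anywhere (0.0.0.0/0 or ::/0)."""

# Constructed sample in describe-security-groups shape: a web group and a db group.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}  # assumed policy: only plain web ports may face the internet

def open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule covers the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def assess(groups):
    """Return (group id, port range, severity) for every world-open ingress rule.
    'info' when every exposed port is in PUBLIC_OK, otherwise 'high'."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not open_to_world(perm):
                continue
            if perm["IpProtocol"] == "-1":  # all protocols and ports
                findings.append((sg["GroupId"], "all", "high"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            severity = "info" if set(range(lo, hi + 1)) <= PUBLIC_OK else "high"
            findings.append((sg["GroupId"], f"{lo}-{hi}", severity))
    return findings

if __name__ == "__main__":
    for group_id, ports, severity in assess(SECURITY_GROUPS):
        print(f"{severity:5} {group_id}: ingress {ports} open to the world")
```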
AWS Serverless Container Diagram Maker
The next diagram automatically generated by Hava is the Container View. This diagram lays out detected ECS clusters.
Within the cluster you will see all of the ECS services which contain individual ECS tasks.
The tasks are colour coded so you can see the status at a glance and when selected you can view the cluster and service details, container instance name, task definition and so forth.
AWS Well Architected Compliance
In addition to the diagrams, Hava also has a reporting module that contains an AWS compliance report. This report compares your AWS configuration with best practices and produces a report detailing what you have running and any adverse findings related to the configuration.
The report will provide:
- Region usage
- Resources used in each region
- IAM users and roles set up and in use
- Compliance findings graded by informational, low, medium and high.
- Detailed findings and recommendations to address each finding.
Hybrid AWS Diagram Maker
As well as AWS, Hava also supports Google Cloud Platform and Microsoft Azure. You create GCP and Azure diagram sets in much the same way as AWS. Once connected you then have the ability to create Hybrid diagrams.
If you have an application that uses both AWS and GCP/Azure for instance, you can use Hava’s custom query diagram builder to pull in all the resources from both platforms related to the application or project.
Once you save the diagram, Hava will keep it automatically up to date and will maintain a version history just like the auto generated diagrams.
You can build diagrams for subsets of data like a specific tag pair, or you can join data from different AWS accounts, different vendors and specific resource types.
For instance, your database administrator could create a single diagram of all of your databases across all your AWS/GCP/Azure accounts to keep an eye on the status and utilisation without having to jump around to different consoles.
Embed your AWS diagrams anywhere
Typically you need to provide a login to users in order to view your Hava diagrams. It is possible, however, to embed diagrams into properties that support iframe embeds.
This means you can make diagrams available in your intranet, a wiki or even a Jira ticket so that other team members can view the interactive network topology without consuming a user log-in.
Each diagram has a 'Share' button that will generate an embed code snippet you can drop anywhere you like. Obviously there is potentially confidential infrastructure information contained in your diagrams, so embeds should be used with caution.
Prefer to let your code do the talking?
Hava has a fully featured API to let you create, pull, export, add datasources and integrate documentation artifacts into CI/CD pipelines.
So if you want to get back your precious time and possibly your sanity, you can say goodbye to manual diagramming forever by adding Hava to your cloud development toolbox.
Originally published at https://www.hava.io.