Over the years I have been fortunate enough to work as a consultant within cloud security, and specifically within Azure security. Every time I start working with a new customer I like to get a visual of their network to get an overview of the complete infrastructure segmentation. Unfortunately, customers often either lack this documentation entirely or it is woefully out of date. This leaves me to spend several hours generating an updated diagram, which again will be out of date rather quickly. I have been unable to find a simple tool to help map Azure networks in a human-readable manner, at least one that makes sense to me. This has been an annoyance for me, as I believe this is a rather repetitive task which could, and so should, be automated. Some tools I have found do create a visual diagram based on the IaC, but often I see that not all infrastructure is actually deployed from IaC, so there may be "shadow LZs" not showing up in those tools. Other tools are able to draw networks, but are limited to a single subscription and are unable to draw cross-subscription diagrams.
I have created a small, simple tool in Python which queries the Azure tenant, maps out the virtual networks, peerings, NSGs and UDRs and generates a JSON file with the details. Another script then uses that JSON to generate a Draw.io diagram which aims to give a snapshot of the current virtual network infrastructure. Currently the solution generates one High-Level Detailed diagram (HLD) showing only the HUB and Spoke vNets. It also has a module for what I have called the Medium-Level Detailed diagram (MLD), which also shows all subnets within each vNet, and whether there is an NSG and/or UDR attached to each subnet.
This solution is made to be modular and adaptable for various use cases: either to automate a pipeline that runs daily and integrates with Confluence or ServiceNow internally in an organization, so that security and operations always have updated drawings, or simply for a one-time mapping of an environment. There are a lot of further use cases for a tool like this, and I hope the community will aid me in developing some of them.
I have been bold enough to call this CloudNet Draw as I hope that further development will lead to include AWS and GCP as well!
Usage
azure-query.py
This is a simple query script which uses the Azure CLI to query the Azure environment the current user has access to. It then lists the available subscriptions and prompts the user to decide which subscriptions should be included when generating the JSON file.
azure-query-sp.py
This is meant for more enterprise use. A service principal is required; the script will query all subscriptions that the service principal has reader access to and will use those to generate the JSON.
HLD.py
Currently the tool will either find a Virtual WAN hub to designate as HUB, or it will count peerings and designate the vNet with the most peerings as HUB. It will then check whether the HUB has any ExpressRoute or VPN gateways or an Azure Firewall; if it does, it will add those objects to the drawing. Next it draws each Spoke network peered to the HUB, together with the peering. Lastly it draws the vNets which have no peerings to the hub.
MLD.py
The MLD script has the same functionality as the HLD, but it adds some more details. In addition to what the HLD shows, the MLD adds each subnet within each vNet with its name, address space and whether an NSG or UDR is attached to the subnet. This diagram will naturally be larger, and in very large environments it may be too large to contain within one image.
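As an added example (not CloudNet Draw's own code), the HLD hub selection and spoke classification described above, plus the MLD per-subnet NSG/UDR detail, run over a constructed inventory. The JSON field names used here are assumptions, not the tool's real schema.

```python
# Added example, not part of CloudNet Draw. The inventory layout and field
# names are assumed for illustration; the data itself is constructed.
INVENTORY = {"vnets": [
    {"name": "hub-vnet", "address_space": "10.0.0.0/16", "is_vwan_hub": False,
     "peerings": ["spoke-a", "spoke-b"], "gateways": ["ExpressRoute"], "firewall": "azfw-hub",
     "subnets": [{"name": "mgmt", "prefix": "10.0.2.0/24", "nsg": "nsg-mgmt", "udr": "rt-mgmt"}]},
    {"name": "spoke-a", "address_space": "10.1.0.0/16", "is_vwan_hub": False,
     "peerings": ["hub-vnet"], "gateways": [], "firewall": None,
     "subnets": [{"name": "app", "prefix": "10.1.1.0/24", "nsg": "nsg-app", "udr": "rt-to-fw"},
                 {"name": "data", "prefix": "10.1.2.0/24", "nsg": None, "udr": "rt-to-fw"}]},
    {"name": "spoke-b", "address_space": "10.2.0.0/16", "is_vwan_hub": False,
     "peerings": ["hub-vnet"], "gateways": [], "firewall": None,
     "subnets": [{"name": "web", "prefix": "10.2.1.0/24", "nsg": "nsg-web", "udr": None}]},
    {"name": "lonely-vnet", "address_space": "10.9.0.0/16", "is_vwan_hub": False,
     "peerings": [], "gateways": [], "firewall": None,
     "subnets": [{"name": "default", "prefix": "10.9.0.0/24", "nsg": None, "udr": None}]},
]}


def pick_hub(vnets):
    """HLD rule: a Virtual WAN hub wins; otherwise the vNet with the most peerings."""
    vwan = [v for v in vnets if v.get("is_vwan_hub")]
    if vwan:
        return vwan[0]["name"]
    return max(vnets, key=lambda v: len(v["peerings"]))["name"]


def classify(vnets):
    """Split the inventory into hub (with its edge objects), spokes peered to it,
    and vNets with no peering to the hub, as the HLD draws them."""
    hub = pick_hub(vnets)
    hub_obj = next(v for v in vnets if v["name"] == hub)
    edge = list(hub_obj["gateways"]) + ([hub_obj["firewall"]] if hub_obj["firewall"] else [])
    spokes = sorted(v["name"] for v in vnets if v["name"] != hub and hub in v["peerings"])
    isolated = sorted(v["name"] for v in vnets if v["name"] != hub and hub not in v["peerings"])
    return {"hub": hub, "hub_edge": edge, "spokes": spokes, "isolated": isolated}


def subnets_missing_controls(vnets):
    """MLD detail turned into a review list: (vnet, subnet, missing) for every
    subnet that has no NSG and/or no UDR attached."""
    gaps = []
    for v in vnets:
        for s in v["subnets"]:
            missing = tuple(k for k in ("nsg", "udr") if not s.get(k))
            if missing:
                gaps.append((v["name"], s["name"], missing))
    return gaps
```

Feeding the real query output through the same two passes gives both the HLD grouping and a list of subnets a security reviewer would want to look at first.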
Further development and next steps
Currently the tool does not support multi-hub environments. Based on my experience it is difficult to draw such large environments within one drawing, so for now I would suggest mapping out from each hub in separate drawings. I would, however, like to add a module to the HLD allowing for such large environments.
The current solution does not support mapping spoke-to-spoke vNet peerings. I would like to add this as well, as it can be critical to understanding network flow in these environments. This will likely be the next part added to the tool, as I am already working on it.
I would also like to have an LLD with this tool, mapping out the entire network for each LZ / vNet with all interfaces, private endpoints etc. But that is further down the line.
The next step to make it more enterprise friendly is to incorporate it into an Azure Function hosted within Azure itself.