Do you have dozens of services running on AWS, but no one on your team can draw how they are connected? It's a familiar situation. The infrastructure has grown organically, the documentation is six months out of date, and the new engineer has been trying to figure out where the traffic is going for three days. The solution is to create an AWS architecture diagram based on what already works. Not from scratch, but by reverse engineering the existing environment. Below is a step-by-step guide to doing this.
Why You Need a Visual Diagram of Your AWS Infrastructure
Of course, you can live without a diagram as long as everything works. But then an incident occurs on Friday evening, and you spend half an hour figuring out which ALB maps to which target group, where the NAT gateway is located, and why traffic from one VPC isn't reaching the other.
The AWS data flow diagram is not just a decoration for a Confluence page. It is a working tool that is needed in several situations:
- Onboarding. A new employee spends 15 minutes reviewing the diagram and understands the architecture. Without the diagram, it would take three days of Slack questions.
- Security. The visual diagram immediately shows open ports, public endpoints, and illogical traffic routes. It's easy to miss a list of resources.
- Compliance. Auditors want to see where data is stored and how it moves. The diagram saves weeks of correspondence.
- Incident management. When something goes down, the diagram shows dependencies. Instead of guessing, you can perform targeted diagnostics.
If your diagram is more than three months old, consider it obsolete. Infrastructure changes faster than people can update documentation.
Understanding AWS Components and Symbols
AWS maintains an official library of icons - AWS symbols, organized by service category. They can be downloaded for free and used in any AWS diagram tool, from draw.io to specialized platforms. The icons are updated with each major service release.
Components found in almost any AWS diagram:
- Network layer - VPC, public and private subnets, Internet Gateway, NAT Gateway, Route Tables.
- Computing - EC2 instances, Auto Scaling Groups, Lambda functions, ECS/EKS clusters.
- Balancing - Application Load Balancer, Network Load Balancer, API Gateway.
- Data - RDS, DynamoDB, ElastiCache, S3 buckets.
- Content delivery - CloudFront, Route 53.
- Security - Security Groups, NACLs, IAM roles, WAF.
Important point: don't try to cram all 200+ AWS services into one diagram. A good diagram shows what a specific DevOps audience needs - network and deployment. For the security team - data flows and access points. For management - the big picture without technical details.
Brainboard uses standard AWS icons out of the box - no need to download and import anything manually.
How to Map Your Existing AWS Infrastructure
Now let's get down to business. The process of creating an AWS components diagram from a live infrastructure consists of four steps. You don't have to do everything in one day - it's better to do it in parts, but do it well.
Step 1 - Inventory Your AWS Resources
The first thing you need is a complete list of everything that works. It sounds obvious, but this is where most people stumble. A typical mistake is to scan only the main account and the main region.
How to collect inventory:
- AWS Config - shows all resources with a history of changes
- AWS Resource Groups - Tag Editor can search for resources across all regions
- CLI - aws resourcegroupstaggingapi get-resources will dump everything that has tags (and show what doesn't have tags - and there are usually a lot of such resources)
Don't forget to check all regions. A forgotten EC2 instance in ap-southeast-1, launched "for five minutes" two years ago, is a classic example. And yes, check all accounts in the organization if you have a multi-account setup.
Step 2 - Map Network and Data Flow
You have your inventory - now you need to understand how it all fits together. To build an AWS data flow diagram, go through:
- VPC configurations: what subnets, how routing, is there peering or Transit Gateway
- Security Groups: who can go where. Often, this is where rules such as 0.0.0.0/0 on port 22 are found, which were "forgotten."
- Load Balancer targets: what target groups, what instances behind them
- VPC Flow Logs: real traffic, not theoretical
Draw arrows - where the data goes from and to. Incoming traffic from users, inter-service communication, database access, and external API calls. Without arrows, the diagram is just a set of icons.
Step 3 - Group Components by Function
A flat list of 87 resources on a single canvas is not a diagram; it's chaos. Group resources by functional layers:
- Network layer - VPC, subnets, NAT, Internet Gateway
- Computing layer - EC2, Lambda, containers
- Data layer - RDS, DynamoDB, S3, caches
- Security layer - WAF, Security Groups, IAM
- External integrations - third-party APIs, SaaS services
Grouping helps the reader understand why all this exists, not just what it is. The difference is like that between a subway map and a list of stations.
Step 4 - Build and Refine the Diagram
Final assembly. Place the groups on the canvas, connect them with arrows with labels (traffic direction, protocol, port). Circle the VPC and subnets with borders - this immediately adds structure.
What to label: instance types, availability zones, endpoints, and CIDR blocks. Not everything - just what's important for understanding. If the diagram can't be read without zooming in, it has too many details. It's better to make two levels: an overview diagram and detailed drill-downs for each layer.
Brainboard is ideal for this process - it lets you build diagrams visually and generate Terraform code from them. In other words, the diagram ceases to be a "picture" and becomes a working artifact.
Best AWS Diagram Tools for Reverse-Engineering Infrastructure
There are plenty of tools available, from free to enterprise-level. Here's what teams actually use for AWS network diagram:
- draw.io (diagrams.net) - free, works in a browser, has a library of AWS icons. Suitable for manual drawing. The downside is that everything is done manually, with no connection to the actual infrastructure.
- Lucidchart - more convenient than draw.io for teamwork, with auto-import from AWS. Paid.
- Cloudcraft - tailored for AWS, can scan accounts and build 3D diagrams. Beautiful, but limited in terms of customization.
- AWS Application Composer - a native tool from Amazon for visualizing serverless architectures. Free, but does not cover all services.
- Brainboard - a fundamentally different approach: the diagram and Terraform code are synchronized. Draw the architecture - get IaC. Import existing infrastructure - get both a diagram and code. For teams that want to create an AWS architecture diagram and immediately link it to infrastructure code, this is the most comprehensive option.
The choice depends on the task. For a one-time diagram, draw.io is sufficient. For live documentation that updates along with the infrastructure, you need a tool that integrates into your workflow.
Best Practices for Maintaining AWS Diagrams
Drawing a diagram is half the battle. Keeping it up to date is the real challenge. Here are a few rules to help you avoid abandoning your diagram after a month:
- Link updates to deployments. If you change the infrastructure, update the diagram. This should be part of the Definition of Done, not a separate task "for later."
- Assign an owner. If no one is responsible for the diagram, then no one is. Let it be the DevOps lead or platform engineer.
- Use IaC as the source of truth. Terraform state or CloudFormation stacks contain the current state of the infrastructure. Brainboard automatically synchronizes the diagram with the code - no manual updates required.
- Review quarterly. Even with a perfect process, something slips through. A scheduled check every three months helps catch discrepancies.
- Version control. Store diagrams alongside infrastructure code in Git. This way, you can see the history of changes and always roll back to a previous version.
The main thing is to create an AWS diagram, not for a pretty picture, but for a working tool the team uses every day.
FAQ
1. Can I generate an AWS diagram automatically from my account?
Yes. Cloudcraft and other tools can scan your account and automatically build a diagram. Brainboard lets you import your existing infrastructure and get both a diagram and Terraform code simultaneously.
2. What is the best free tool to create an AWS architecture diagram?
draw.io (diagrams.net) is the best free option. It works in a browser and has a complete library of AWS icons. For more serious tasks, use AWS Application Composer (free but limited).
3. How detailed should my AWS network diagram be?
It depends on the audience. An overview diagram for management - 15-20 components. Technical for DevOps - all services with ports, CIDR, and availability zones. It is better to have two levels than to overload a single diagram.
4. Where can I download official AWS architecture symbols?
On the official AWS website: Architecture Icons. They are updated regularly and available in PNG, SVG, and formats for major tools (draw.io, PowerPoint, Figma).
5. How often should I update my AWS infrastructure diagram?
After every significant change, and once a quarter during scheduled checks, if the update is not built into the deployment process, the diagram will become outdated in a couple of weeks.
.webp)
HealthcareControl environments and simplify operations.webp)
FinancialFragmentation leads to increased costs, inefficiency and risk.webp)
RetailUnify financial operations to reduce risk and costs
TelecommunicationSimplify network complexity and accelerate service delivery
GovernmentSecure, compliant, and efficient cloud adoption for the public sector.webp)
Move to IaCThe easiest way to move to IaC: Brainboard one click migration..webp)
Standardize IaCGive your users a reason to follow your guidelines..webp)
Self-serve modelBuild your internal service catalog to easily provision on-demand infrastructure..webp)
Lower the learning curveYou don’t need to learn everything at once. Learn by doing..webp)
Your Disaster Recovery strategySystems fail, all the time. Plan ahead and protect against the unknown today!
Smart cloud designerThe power of design combined with the flexibility of code
Terraform & OpenTofu modulesCentral & single source of truth of your private, public and/or community modules.
GitOps workflowSmoothly connect your cloud infrastructure with your git repository.
Drift detection and remediationMonitor and maintain control of any drift between your source of truth and your cloud provider.
Synchronized architecturesEliminate drift between your environments (dev, QA, staging, prod…)
