Visualizer
The Fugue visualizer creates detailed interactive diagrams of the infrastructure in an AWS, AWS GovCloud, Azure, Azure Government, Google, or repository environment. The diagrams are automatically generated and updated, allowing users to easily visualize resource configurations, relationships, and compliance state for current or previous scans. The visualization can be exported as a PNG or SVG.

Users can access the visualizer from the environment dashboard by selecting the “Visualizer” link in the header near the top of the page:

By default, the diagram is zoomed out to show all resources in the graph, with networks and regions collapsed (except the largest region). You can zoom in or view in full screen to more closely inspect the resources. Select a resource to view its attributes.

Compliance state visualization is enabled by default and noncompliant resources are shown in red. For more information about compliance visualization, see Visualizing Resource Compliance State.

Environment resources from the latest scan are displayed by default and the diagram is automatically updated after future scans. If you change the resource types that Fugue scans, the visualizer will reflect the updated types after the next scan. You can visualize previous scans by using the date picker.
For a list of the resources shown in the visualizer, see Which Resources are Visualized? Note that the details panel shows references and compliance state for all the resources Fugue supports.
Visualization Components
The visualizer is composed of many different elements, which are labeled below. Click here to see the diagram in full size.

1. Each circular node represents a single resource…

2. …Or grouped resources bounded by a thin gray box, with the number of nodes in the bottom right corner:

3. Expanding grouped resources allows you to view each individual resource:

4. A collection is a square containing zero or more nodes, and the number of nodes appears in the bottom right. A collection represents a resource that contains other resource types, such as an Amazon ECS service containing tasks:

5. Collections can be expanded to show the nodes inside of them:

6. Collections may also be grouped together…

…and therefore a group of collections can be expanded or collapsed:

7. A collection that doesn’t contain any resources is shown with a gray slash through it (see note here):

8. Lines between resources represent resource connections. There are four types:
Connections to the internet from internet gateways and S3 buckets with website configurations
Connections from S3 buckets to log buckets (shown below)
VPC peering connections

9. A network (such as an Azure VNET, below) is depicted as a set of brackets [ ]. Resources in the network are depicted as nodes inside the brackets:

Networks are collapsed by default, and if they contain resources that can be rendered in the visualizer, they display three dots:

A network without any resources in it is shown with a slash through it:

10. The internet is depicted as an I-beam symbol. A resource connected to this symbol is connected to the internet:

11. Unconnected resources appear on the right side of the visualization:

12. Labels and configuration information, such as the name super-store below, are shown when you zoom in closely and are hidden when you zoom farther out:

13. Noncompliant resources appear in red. Below, the Lambda instance is compliant, and the noncompliant RDS and VPC are shown in red. For more details, see Visualizing Resource Compliance State:

14. When an environment contains more than one region, horizontal brackets labeled by region separate the infrastructure. Global resources, such as the Amazon CloudFront distributions below, are labeled global:

In multi-region AWS environments, all regions are collapsed by default except the largest:

Regions that are collapsed and contain resources that can be rendered in the visualizer display three dots:

This example environment includes all supported regions:

15. When a node resource has references, they are listed as pods above it. Click on a pod to view details for a single resource or a list of resources when a pod contains multiple resources. See Pods for more information.

For a list of the resources shown in the visualizer, see Which Resources are Visualized? Note that the details panel shows references and compliance state for all the resources Fugue supports.
Security Group Connections Between Resources
A security group connection between resources occurs when one resource has a security group that accepts traffic from resources in a second security group. The connection is represented as a line between the resource nodes.
For example, the diagram below shows multiple AWS Lambda resources that forward traffic to the same Security Group:
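How connections of this kind can be derived from scan data, as an added example that is not Fugue's own code: for every ingress rule that names a source security group, each resource in the source group is linked to each resource in the destination group. The inventory layout, resource names and group IDs below are constructed assumptions; referenced groups with no scanned members are returned separately instead of producing a line.

```python
from collections import defaultdict

# Constructed sample data (not from a real scan).
# resource id -> security groups attached to it
ATTACHMENTS = {
    "lambda-orders": ["sg-fn"],
    "lambda-billing": ["sg-fn"],
    "rds-main": ["sg-db"],
    "ec2-bastion": ["sg-bastion"],
    "ec2-worker-1": ["sg-mesh"],
    "ec2-worker-2": ["sg-mesh"],
}

# security group id -> ingress rules; each rule lists the source groups it accepts
INGRESS = {
    # sg-partner belongs to no scanned resource (for example, another account)
    "sg-db": [{"port": 5432, "source_groups": ["sg-fn", "sg-partner"]}],
    "sg-mesh": [
        {"port": 7000, "source_groups": ["sg-mesh"]},    # self-referencing group
        {"port": 22, "source_groups": ["sg-bastion"]},
    ],
    "sg-bastion": [{"port": 22, "source_groups": []}],   # CIDR-only rule, no group reference
}


def members_by_group(attachments):
    """Invert resource -> groups into group -> sorted list of resource ids."""
    members = defaultdict(set)
    for resource, groups in attachments.items():
        for group in groups:
            members[group].add(resource)
    return {group: sorted(resources) for group, resources in members.items()}


def security_group_connections(attachments, ingress):
    """Return (edges, unresolved).

    edges: sorted (source_resource, dest_resource, port) tuples, one per pair
        where the destination's group accepts traffic from a group attached
        to the source.
    unresolved: sorted (dest_group, source_group) pairs whose source group
        has no member in the inventory, so no line can be drawn.
    """
    members = members_by_group(attachments)
    edges, unresolved = set(), set()
    for dest_group, rules in ingress.items():
        dest_members = members.get(dest_group, [])
        for rule in rules:
            for source_group in rule["source_groups"]:
                source_members = members.get(source_group)
                if not source_members:
                    unresolved.add((dest_group, source_group))
                    continue
                for src in source_members:
                    for dst in dest_members:
                        if src != dst:  # a resource is not connected to itself
                            edges.add((src, dst, rule["port"]))
    return sorted(edges), sorted(unresolved)


if __name__ == "__main__":
    found_edges, dangling = security_group_connections(ATTACHMENTS, INGRESS)
    for src, dst, port in found_edges:
        print(f"{src} -> {dst} (port {port})")
    for dest_group, source_group in dangling:
        print(f"{dest_group} accepts {source_group}, which has no scanned members")
```

Both Lambda functions end up connected to the same database node because they share one source group, and the self-referencing group links its two members in both directions.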

Working with Pods
Pods are small circles in the visualizer that show other resources referenced by the node resource. For example, a security group referenced by a VPC instance displays as a pod above it. Click on the pod to view resource details about the security group.

If multiple instances reference this security group, a pod representing it will appear above each instance. Pods appear as small shaded circles above Nodes, Clusters, and to the right of Networks. If a resource references multiple resources of the same type, they will display as a “stack” of pods. Click on the stack of pods to view the list of resources.

If the pod resource is noncompliant, it is red.

Visualizing Resource Compliance State
Compliance state visualization is enabled by default, and can be toggled off or on through the “Show Compliance Errors” checkbox on the View Options panel (accessible via the cog icon in the bottom left of the diagram).
Noncompliant resource nodes, networks, and collections are red. If a resource type supports compliance visualization, and it is not red, it is compliant. Waived rule results are ignored and don’t impact how a resource is visualized.
See the full list of AWS and AWS GovCloud and Azure resources that support compliance state visualization. Note that all resource types Fugue supports report compliance state in the details panel.
Below, the LB nodes are noncompliant and shown in red. The other resources, such as RDS, Lambdas, and LB nodes, are compliant.

If you click on the red (warning) symbol next to the noncompliant resource, the resource details panel opens, and at the bottom it lists the failed compliance controls and why they failed. In the animation below, you can see that the DDB table named example-ddb-table is noncompliant with a number of controls:

Grouped resources, collections, networks, and regions show compliance a little differently. For details, see How collapsed groupings show compliance.
Viewing Groupings
Grouped resources
Similar resources of the same type are grouped together. Grouped resources in the visualizer are depicted as a stack of nodes surrounded by a light gray border, and the number of resources is shown in the bottom right corner:

Grouped resources may be expanded or collapsed to view individual nodes.
Collections
A collection represents a resource that contains other resource types. For example, AWS auto scaling groups containing EC2 instances, and ECS services containing tasks, are rendered as collections. A collection is depicted as a square with a thick border containing zero or more nodes:

Collections may also be expanded or collapsed to view individual nodes:

A collection that doesn’t contain any resources is shown with a gray slash through it.
Note
There are a variety of reasons why a collection would not contain any resources, such as if the resources are not currently running, if they are not enabled for scans, or if you are looking at an old scan before Fugue added support for the resources.

Networks
Networks are collapsed by default. You can expand them to view the resources inside.

Networks that are collapsed and contain resources that can be rendered in the visualizer display three dots. The number in the bottom right shows the number of renderable resources in the network. This number includes nodes inside grouped resources and collections as well as resources connecting a network to the internet, such as an AWS internet gateway:
Networks that are collapsed and do not contain any renderable resources are shown with a slash through the middle:

Regions
All regions except the largest are collapsed by default. As with other groupings, you can expand them to view the resources inside.
Networks and regions that are collapsed and contain resources that can be rendered in the visualizer display three dots. As with networks, the number in the bottom right shows the number of renderable resources in the region:

How to expand and collapse groupings
You can select the outward-arrow icon in the upper right to expand the grouping and view the individual resources:

Select the inward-arrow icon to contract the grouping:

The animated image below shows expansion/contraction in action:

You can expand or collapse all grouped resources, collections, networks, and regions at once by accessing the View Options panel via the square cog icon in the bottom left of the diagram and then selecting Expand All Groupings or Condense All Groupings:

Nested groups/collections
Collections can be grouped together. For example, in the image below, two ECS nodes are grouped together:

If you drill down into it, the group of collections can be expanded, in this case revealing collections containing multiple resources:

Going one step further, you can expand individual collections – such as Prod ECS, which contains two resources:

How collapsed groupings show compliance
Collapsed grouped resources, collections, groups of collections, networks, and regions show compliance state a little differently:
Nodes inside grouped resources and collections
All compliant: All nodes are normal (bordered in black)
All noncompliant: All nodes are red
Mixed compliance:
One red node if one resource is noncompliant
Two red nodes, one black node if 2+ nodes (but not all) are noncompliant
When any resource in a collapsed group is noncompliant, the top node is shown as noncompliant.
Below is a group of resources containing nodes of mixed compliance:

Single collection
A noncompliant single collection has a red background, like so:

Grouped collections
All compliant: All collections are normal
All noncompliant: All collections are red
Mixed compliance:
One red collection, one black collection if one collection is noncompliant
Two red collections, one black collection if 2+ collections (but not all) are noncompliant
When any collection in a collapsed group is noncompliant, the top collection is shown as noncompliant.
Below is a group of collections with mixed compliance:

Below is a depiction of grouped resources with all compliant resources, no compliant resources, and mixed compliance:

Networks and regions
All contained resources are compliant: All three dots are gray
All contained resources are noncompliant: All three dots are red
Mixed compliance:
One red dot, two gray dots if one resource is noncompliant
Two red dots, one gray dot if 2+ (but not all) resources are noncompliant
Below is a depiction of regions with all compliant resources, no compliant resources, and mixed compliance:

To see the compliance state for each individual resource in any grouping, expand it.
For more about visualizing compliance state, see Visualizing Resource Compliance State.
Viewing the Visualizer for Repository Environments
After you kick off a scan for your repository environment, the diagram is automatically generated to include your resources from the Terraform HCL and CloudFormation YAML files in your repository. By default, the diagram is zoomed out to show all resources in the graph, with the CloudFormation or Terraform files collapsed (except the largest file). You can zoom in or view in full screen to more closely inspect the resources. Select a resource to view its attributes.

Viewing Resource Details
The visualizer allows you to view resource attributes and references via the resource details panel. To access the panel, click on a resource, and the panel appears on the left side of the screen.
The Attributes section lists configuration details for the selected resource. For example, you’d see cidr_block for an Amazon VPC. Nested attributes can be expanded or collapsed by clicking on them.
The References section lists other resources related to the selected resource. For example, you’d see a list of security groups for a VPC. You can click on a resource listed in the Reference section and it redirects you to that resource, as shown below.

The Compliance section lists any failed rules and associated compliance controls for the selected resource. For example, you might see that a noncompliant VPC failed the rule “VPC flow logging must be enabled” and the controls PCI DSS v3.2.1 1.3.4 and 1.3.5.
Because waived rule results are ignored, they are not listed in the Compliance section.
Additionally, you can copy an attribute for a resource by selecting the “Copy to Clipboard” icon.
You can close the details panel by clicking on the X on the lower right side of the panel, or by deselecting the resource.
Searching
The visualizer supports searching on resource ID, resource type, and resource name. These capabilities make it easier to find specific resources and drill down on resource details.
To search within the visualizer:
1. Enter a resource ID, resource type, or resource name.
2. Select the resource from the suggested list or hit enter to get a list of resources that match your search criteria. Resources that match your search criteria are highlighted blue, as shown below.

3. The visualizer zooms into the selected resource and highlights it, as shown below.

Filtering
Visualizer now supports filtering by region, tags, services, compliance state, severity, rules, or families. Filtered views can be exported. Once filters are applied, you can share them via URL.
Note
Visualizer supports filtering by resource tag for AWS and Azure.
To filter within the visualizer:
1. Select the filter icon.
2. Expand the filters and select the desired criteria. Only resources that match your filter criteria display, as shown below.

3. Optionally, select settings > Export as .PNG to export a filtered view of your visualization.
4. Optionally, once the filters are applied, bookmark or share the URL.
Panning, Zooming, and Viewing in Full Screen
You can navigate the visualizer by panning and zooming. You can also reset zoom so all resources are shown, enable/disable full screen mode, and enable/disable compliance visualization. The visualizer supports keyboard shortcuts.
To pan, click inside the diagram and drag it around:

You can also use the arrow keys on your keyboard.
To zoom in:
Click the plus sign + in bottom right of graph
Or, scroll down with mouse
Or, pinch closed with trackpad
Or, press the plus + (equals =) key on your keyboard
To zoom out:
Click the minus sign - in bottom right of graph
Or, scroll up with mouse
Or, pinch open with trackpad
Or, press the minus - (underscore _) key on your keyboard
To reset zoom and show all resources:
Or, refresh the page
Or, double-tap the spacebar on your keyboard
To view in full screen mode:
To exit full screen mode:
To view the compliance state of your resources (enabled by default):
Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard
Check “Show Compliance Errors”
To disable compliance state visualization:
Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard
Uncheck “Show Compliance Errors”
You can also close the View Options panel by pressing the . period key.
Here’s an example of full screen mode:

Here’s an example of the compliance view:

Which Resources Are Visualized?
For a list of AWS and AWS GovCloud resources that the visualizer can display, see AWS & AWS GovCloud.
For Azure and Azure Government resources, see Azure.
For Google resources, see Google.
Note that the details panel shows references and compliance state for all the resources Fugue supports.
Supported AWS & AWS GovCloud Resources
The resource details panel shows references and compliance state for all the AWS & AWS GovCloud resources Fugue supports.
The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:
AWS.AccessAnalyzer.Analyzer (ANALYZ) [Displays as a Node]
AWS.ACM.Certificate (CERT) [Displays as a Node]
AWS.ApiGateway.Authorizer (AUTH) [Displays as a Pod]
AWS.ApiGateway.ClientCertificate (CERT) [Displays as a Pod]
AWS.ApiGateway.Deployment (DEPOLY) [Displays as a Pod]
AWS.ApiGateway.GatewayResponse (RESPONSE) [Displays as a Pod]
AWS.ApiGateway.Model (MODEL) [Displays as a Pod]
AWS.ApiGateway.RequestValidator (VALIDTR) [Displays as a Pod]
AWS.ApiGateway.Resource (RESOURCE) [Displays as a Pod]
AWS.ApiGateway.RestApi (API) [Displays as a Node]
AWS.ApiGateway.Stage (STAGE) [Displays as a Pod]
AWS.ApiGateway.UsagePlan (PLAN) [Displays as a Pod]
AWS.ApiGatewayV2.Api (API) [Displays as a Node]
AWS.ApiGatewayV2.ApiMapping (MAPPING) [Displays as a Pod]
AWS.ApiGatewayV2.Authorizer (AUTHORIZR) [Displays as a Pod]
AWS.ApiGatewayV2.Deployment (DEPLOY) [Displays as a Pod]
AWS.ApiGatewayV2.DomainName (DOMAIN) [Displays as a Pod]
AWS.ApiGatewayV2.Integration (INTEG) [Displays as a Pod]
AWS.ApiGatewayV2.IntegrationResponse (RESPONSE) [Displays as a Pod]
AWS.ApiGatewayV2.Model (MODEL) [Displays as a Pod]
AWS.ApiGatewayV2.Route (ROUTE) [Displays as a Pod]
AWS.ApiGatewayV2.RouteResponse (RESPONSE) [Displays as a Pod]
AWS.ApiGatewayV2.Stage (STAGE) [Displays as a Pod]
AWS.ApiGatewayV2.VpcLink (GTW LNK) [Displays as a Node Border]
AWS.Athena.Workgroup (ATHENA) [Displays as a Node]
AWS.AutoScaling.AutoScalingGroup (ASG) [Displays as a Cluster]
AWS.AutoScaling.LaunchConfiguration (LAUNCH CFG) [Displays as a Pod]
AWS.CloudFormation.Stack (STACK) [Displays as a Node]
AWS.CloudFormation.StackSet (STACKSET) [Displays as a Node]
AWS.CloudFront.Distribution (CF) [Displays as a Node]
AWS.CloudTrail.Trail (TRAIL) [Displays as a Node]
AWS.DirectoryService.ConditionalForwarder (DIRCF) [Displays as a Pod]
AWS.DirectoryService.Directory (DIR) [Displays as a Node]
AWS.DocDB.Cluster (DOC DB) [Displays as a Cluster]
AWS.DocDB.ClusterInstance (DB INST) [Displays as a Node]
AWS.DocDB.ClusterSnapshot (SNAPSHOT) [Displays as a Pod]
AWS.DynamoDB.Table (DDB) [Displays as a Node]
AWS.EC2.Image (AMI) [Displays as a Node]
AWS.EC2.Instance (EC2) [Displays as a Node]
AWS.EC2.InternetGateway (IGW) [Displays as a Node Border]
AWS.EC2.RouteTable (ROUTE TBL) [Displays as a Pod]
AWS.EC2.SecurityGroup (SG) [Displays as a Pod]
AWS.EC2.Snapshot (SNAPSHOT) [Displays as a Pod]
AWS.EC2.Subnet (SUBN) [Displays as a Pod]
AWS.EC2.Volume (VOLUME) [Displays as a Pod]
AWS.EC2.Vpc (VPC) [Displays as a Network]
AWS.EC2.VpcEndpoint (ENDPT) (gateway endpoints only) [Displays as a Pod]
AWS.EC2.VpcPeeringConnection (PEER) [Displays as a Pod]
AWS.ECR.LifecyclePolicy (LIFECYCLE) [Displays as a Pod]
AWS.ECR.Repository (ECR) [Displays as a Node]
AWS.ECR.RepositoryPolicy (POLICY) [Displays as a Pod]
AWS.ECS.Cluster (CLSTR) [Displays as a Pod]
AWS.ECS.Service (ECS) [Displays as a Cluster]
AWS.ECS.Task (TASK) [Displays as a Node]
AWS.ECS.TaskDefinition (DEF) [Displays as a Pod]
AWS.EFS.FileSystem (EFS) [Displays as a Node]
AWS.EFS.MountTarget (MOUNT) [Displays as a Pod]
AWS.EKS.Cluster (EKS) [Displays as a Node]
AWS.Elasticsearch.Domain (ESEARCH) [Displays as a Node]
AWS.ELB.LoadBalancer (ELB) [Displays as a Node]
AWS.ELBv2.LoadBalancer (LB) [Displays as a Node]
AWS.Glue.CatalogDatabase (GLUE DB) [Displays as a Cluster]
AWS.Glue.CatalogTable (TABLE) [Displays as a Node]
AWS.Glue.Connection (CONNECTION) [Displays as a Pod]
AWS.Glue.Crawler (CRAWLER) [Displays as a Node]
AWS.Glue.Database (GLUE DB) [Displays as a Cluster]
AWS.Glue.Job (GLUE JOB) [Displays as a Node]
AWS.Glue.SecurityConfiguration (SEC CFG) [Displays as a Pod]
AWS.Glue.Table (TABLE) [Displays as a Node]
AWS.Glue.Trigger (TRIGGER) [Displays as a Pod]
AWS.Glue.Workflow (WORKFLOW) [Displays as a Pod]
AWS.IAM.Group (IAMGRP) [Displays as a Node]
AWS.IAM.InstanceProfile (IAM) [Displays as a Pod]
AWS.IAM.ManagedPolicy (POLICY) [Displays as a Node]
AWS.IAM.Role (ROLE) [Displays as a Pod]
AWS.IAM.ServerCertificate (IAMSRV) [Displays as a Node]
AWS.IAM.User (USER) [Displays as a Node]
AWS.Kinesis.Stream (KNSIS) [Displays as a Node]
AWS.KinesisFirehose.DeliveryStream (HOSE) [Displays as a Pod]
AWS.KMS.Key (KEY) [Displays as a Node]
AWS.Lambda.EventSourceMapping (EVENT) [Displays as a Pod]
AWS.Lambda.Function (λ) [Displays as a Node]
AWS.Lambda.Permission (PERM) [Displays as a Pod]
AWS.Neptune.Cluster (NEPTUNE) [Displays as a Cluster]
AWS.Neptune.ClusterInstance (NPT INST) [Displays as a Node]
AWS.Neptune.ClusterSnapshot (SNAPSHOT) [Displays as a Pod]
AWS.RAM.PrincipalAssociation (PRINCIPAL) [Displays as a Pod]
AWS.RAM.ResourceAssociation (RESOURCE) [Displays as a Pod]
AWS.RAM.ResourceShare (RAM) [Displays as a Node]
AWS.RDS.Cluster (RDS) [Displays as a Node]
AWS.RDS.ClusterInstance (RDS) [Displays as a Node]
AWS.RDS.Instance (RDS) [Displays as a Node]
AWS.RDS.Snapshot (SNAPSHOT) [Displays as a Pod]
AWS.RDS.SubnetGroup (SUBNT GRP) [Displays as a Label]
AWS.Redshift.Cluster (REDSH) [Displays as a Node]
AWS.Redshift.ParameterGroup (PARAM GRP) [Displays as a Pod]
AWS.Redshift.SubnetGroup (SUBNT GRP) [Displays as a Pod]
AWS.S3.AccountPublicAccessBlock (PUB ACCESS) [Displays as a Pod]
AWS.S3.Bucket (S3) [Displays as a Node]
AWS.S3.Bucket.Inventory (INVENTORY) [Displays as a Pod]
AWS.S3.Bucket.Metric (METRIC) [Displays as a Pod]
AWS.S3.Bucket.Notification (NOTIFY) (Also generates connections from the S3 Bucket to a Lambda, SNS, or SQS) [Displays as a Pod]
AWS.S3.Bucket.Policy (POLICY) [Displays as a Pod]
aws_s3_bucket_server_side_encryption_configuration (SSE CONFIG) [Displays as a Pod] (Note this resource type is only supported for Repository environments)
AWS.Sagemaker.Endpoint (SAGE ENDPT) [Displays as a Node]
AWS.Sagemaker.EndpointConfiguration (CONFIG) [Displays as a Pod]
AWS.Sagemaker.Model (SAGE MDL) [Displays as a Node]
AWS.Sagemaker.NotebookInstance (SAGE NOTE) [Displays as a Node]
AWS.Sagemaker.NotebookInstanceLifecycleConfiguration (LIFECYCLE) [Displays as a Pod]
AWS.SecretsManager.Secret (SECRET) [Displays as a Node]
AWS.SNS.Subscription (SUBSCR) [Displays as a Pod]
AWS.SNS.Topic (SNS) [Displays as a Node]
AWS.SQS.Queue (SQS) [Displays as a Node]
AWS.WAF.WebACL (WAF) [Displays as a Pod]
AWS.WAFv2.WebACL (WAFv2) [Displays as a Node]
AWS.WAFv2.WebACLAssociation (ASSOC) [Displays as a Pod]
AWS.Workspaces.Directory (WORK DIR) [Displays as a Cluster]
AWS.Workspaces.IPGroup (IP GROUP) [Displays as a Pod]
AWS.Workspaces.Workspace (WORKSP) [Displays as a Node]
Note
If you are interested in gaining access to beta resources, please send an email to support@fugue.co.
VPC Attributes
Attributes shown for each VPC:
CIDR block
VPC ID
Region
Number of security groups
Number of subnets
Peering connections
Route Tables
Attributes shown for each subnet:
Name, if subnet is named
CIDR block, if unnamed
Unique label corresponding to resources inside the subnet (purple badge, bottom)
Attributes shown for each security group:
Name
Unique label corresponding to resources inside the security group
Below, Example EC2 instance is in 4 subnets (labels A-D). Security Groups and Route Tables are listed as labels in the Other References section. At the top, Security Groups are listed as pods.

You can click on a label on the right to view either:
Resource details for a single resource

List of resources when there is more than one

You can click on a pod on the top to view resource details for a single resource or a list of resources when there is more than one. Refer to pods for more information.

VPC peering connections (PEER) are shown as a line between two VPCs. Each VPC is labeled with the name of the peering connection. In the example below, there is one peering connection: VPC-1 connects peer-vpc and VPC-2

peer-vpc is an external VPC, and though it is rendered, it does not list any information apart from the VPC ID.

VPC gateway endpoints (ENDPT) are shown as a line between a VPC and all S3 buckets or all DDB tables in the same region. In the example below, Example VPC Endpoint connects a VPC and S3 buckets:

Implicit Resources
Sometimes infrastructure in your environment may refer to a resource that Fugue doesn’t have access to. For example, if you have a VPC peering connection with an external account, Fugue does not have access to anything inside the external VPC.
In situations like this, the unknown resource is displayed as an implicit resource. When you select the resource details panel, you see the message “This resource was not found in your scan, so it is displayed as an implicit resource.” In the external VPC vpc-3ba7f15f below, you can see that no information is displayed.

Reasons a resource might be considered implicit:
Resource type isn’t selected for scanning
Resource is in a region that is not part of the environment
Resource is in another cloud provider account
Fugue’s IAM role doesn’t have the necessary permissions to survey it
Supported Azure & Azure Government Resources
The details panel shows references and compliance state for all the Azure and Azure Government resources Fugue supports.
The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:
Azure.ActiveDirectory.Application (APP) [Displays as a Node]
Azure.ActiveDirectory.Group (AD GRP) [Displays as a Node]
Azure.ActiveDirectory.ServicePrincipal (PRINCPL) [Displays as a Node]
Azure.ActiveDirectory.User (AD USER) [Displays as a Node]
Azure.Authorization.PolicyAssignment (PLCY ASSIGN) [Displays as a Node]
Azure.Authorization.RoleAssignment (ROLE ASSIGN) [Displays as a Node]
Azure.Authorization.RoleDefinition (ROLE DEF) [Displays as a Node]
Azure.Automation.Account (AUTO) [Displays as a Node]
Azure.Automation.Credential (CRED) [Displays as a Pod]
Azure.Automation.Schedule (SCHED) [Displays as a Pod]
Azure.Cdn.Profile (CDN) [Displays as a Node]
Azure.Compute.AvailabilitySet (AVSET) [Displays as a Pod]
Azure.Compute.Image (IMAGE) [Displays as a Pod]
Azure.Compute.ManagedDisk (DISK) [Displays as a Pod]
Azure.Compute.SharedImageGallery (GALRY) [Displays as a Node]
Azure.Compute.Snapshot (SNAPSH) [Displays as a Pod]
Azure.Compute.VirtualMachine (VM) [Displays as a Node]
Azure.Compute.VirtualMachineScaleSet (SCALE SET) [Displays as a Node]
Azure.Container.Group (GROUP) [Displays as a Node]
Azure.Container.Registry (RGST) [Displays as a Node]
Azure.CosmosDB.Account (COSDB) [Displays as a Node]
Azure.Databricks.Workspace (BRICK) [Displays as a Node]
Azure.DataLakeStore.Account (DLAKE) [Displays as a Node]
Azure.DataLakeStore.FirewallRule (FWRULE) [Displays as a Pod]
Azure.KeyVault.AccessPolicy (POLICY) [Displays as a Pod]
Azure.KeyVault.Certificate (CERT) [Displays as a Pod]
Azure.KeyVault.Key (KEY) [Displays as a Pod]
Azure.KeyVault.Secret (SECRET) [Displays as a Pod]
Azure.KeyVault.Vault (VAULT) [Displays as a Node]
Azure.Kubernetes.Cluster (KUBER) [Displays as a Node]
Azure.ManagedIdentity.Identity (MNGED ID) [Displays as a Node]
Azure.Monitor.ActionGroup (MONTR) [Displays as a Pod]
Azure.Monitor.ActivityLogAlert (ALERT) [Displays as a Pod]
Azure.Monitor.DiagnosticSetting (METRIC) [Displays as a Pod]
Azure.Monitor.LogProfile (LOG) [Displays as a Node]
Azure.Monitor.MetricAlert (METRIC) [Displays as a Pod]
Azure.MySQL.Configuration (CONFIG) [Displays as a Pod]
Azure.MySQL.ConfigurationSet (CONFIG SET) [Displays as a Pod]
Azure.MySQL.Database (DB) [Displays as a Node]
Azure.MySQL.FirewallRule (FWRULE) [Displays as a Pod]
Azure.MySQL.Server (MYSQL) [Displays as a Cluster] [Displays as a Pod]
Azure.MySQL.VirtualNetworkRule (MYSQL) [Displays as a Node Border]
Azure.Network.ApplicationGateway (AGW) [Displays as a Node]
Azure.Network.ApplicationSecurityGroup (APP SG) [Displays as a Pod]
Azure.Network.DDoSProtectionPlan (DDOS) [Displays as a Node]
Azure.Network.DNSZone (DNS) [Displays as a Node]
Azure.Network.Firewall (FW) [Displays as a Node]
Azure.Network.LoadBalancer (LB) [Displays as a Node]
Azure.Network.NetworkInterface (NETINT) [Displays as a Pod]
Azure.Network.NetworkSecurityGroup (SG) [Displays as a Pod]
Azure.Network.NetworkWatcher (WATCH) [Displays as a Cluster]
Azure.Network.NetworkWatcherFlowLog (FLWLG) [Displays as a Node]
Azure.Network.PublicIPAddress (IP) [Displays as a Pod]
Azure.Network.RouteTable (ROUTE TBL) [Displays as a Pod]
Azure.Network.Subnet (SUBN) [Displays as a Label]
Azure.Network.VirtualNetwork (VNET) [Displays as a Network]
Azure.Network.VirtualNetworkGateway (GW) [Displays as a Pod]
Azure.Network.VirtualNetworkGatewayConnection (CONN) [Displays as a Pod]
Azure.PostgreSQL.Configuration (CONFIG) [Displays as a Pod]
Azure.PostgreSQL.ConfigurationSet (CONFIG SET) [Displays as a Pod]
Azure.PostgreSQL.Database (DB) [Displays as a Node]
Azure.PostgreSQL.FirewallRule (FWRULE) [Displays as a Pod]
Azure.PostgreSQL.Server (PGSQL) [Displays as a Cluster]
Azure.PostgreSQL.VirtualNetworkRule (PGSQL) [Displays as a Node Border]
Azure.Redis.Cache (REDIS) [Displays as a Node]
Azure.SecurityCenter.Contact (CONTACT) [Displays as a Node]
Azure.SecurityCenter.SubscriptionPricing (PRICING) [Displays as a Node]
Azure.SQL.Database (DB) [Displays as a Node]
Azure.SQL.ElasticPool (POOL) [Displays as a Node]
Azure.SQL.FirewallRule (FWRULE) [Displays as a Pod]
Azure.SQL.Server (SQL) [Displays as a Cluster]
Azure.SQL.VirtualNetworkRule (SQL) [Displays as a Node Border]
Azure.Storage.Account (STRAC) [Displays as a Node]
Azure.Storage.Container (CONTAINER) [Displays as a Pod]
Azure.Web.AppService (APP) [Displays as a Node]
Azure.Web.AppServicePlan (APP) [Displays as a Pod]
Azure.Web.FunctionApp (FN APP) [Displays as a Pod]
Note
If you are interested in gaining access to beta resources, please send an email to support@fugue.co.
VNet Attributes
Attributes shown for each Azure Virtual Network:
Name
Region
Number of security groups
Number of subnets
Attributes shown for each subnet:
Name
Unique label corresponding to resources inside the subnet (purple badge, bottom)
Attributes shown for each security group:
Name
Unique label corresponding to resources inside the security group
Each resource inside the VNet shows a label corresponding to its subnet and security group. The purple subnet label appears above the security group label on the left.
You can click on a label on the right to view either:
Resource details for a single resource
List of resources when there is more than one

You can click on a pod on the top to view resource details for a single resource or a list of resources when there is more than one. Refer to pods for more information.

Supported Google Resources
The details panel shows references and compliance state for all the Google resources Fugue supports.
The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:
Google.BigQuery.Dataset (BIG Q) [Displays as a Cluster]
Google.BigQuery.DatasetIAMPolicy (IAM) [Displays as a Pod]
Google.BigQuery.DataTransferConfig (DATA) [Displays as a Pod]
Google.BigQuery.Table (TABLE) [Displays as a Node]
Google.Compute.AutoScaler (AUTO) [Displays as a Pod]
Google.Compute.BackendBucket (BACKBK) [Displays as a Node]
Google.Compute.BackendService (BACKSRV) [Displays as a Node]
Google.Compute.Disk (DISK) [Displays as a Pod]
Google.Compute.Firewall (FW) [Displays as a Node Border]
Google.Compute.GlobalAddress (ADDR) [Displays as a Pod]
Google.Compute.GlobalForwardingRule (RULE) [Displays as a Pod]
Google.Compute.HealthCheck (HEALTH) [Displays as a Pod]
Google.Compute.Instance (INST) [Displays as a Node]
Google.Compute.InstanceGroup (GROUP) [Displays as a Cluster]
Google.Compute.InstanceGroupManager (MGR) [Displays as a Pod]
Google.Compute.InstanceIAMPolicy (IAM) [Displays as a Pod]
Google.Compute.InstanceTemplate (TEMP) [Displays as a Pod]
Google.Compute.Network (NETWORK) [Displays as a Network]
Google.Compute.NetworkPeering (PEER) [Displays as a Pod]
Google.Compute.ProjectMetadata (META) [Displays as a Pod]
Google.Compute.SecurityPolicy (IAM) [Displays as a Pod]
Google.Compute.Snapshot (SNAP) [Displays as a Pod]
Google.Compute.SSLCertificate (CERT) [Displays as a Pod]
Google.Compute.SSLPolicy (POLICY) [Displays as a Pod]
Google.Compute.SubNetwork (SBN) [Displays as a Pod]
Google.Compute.TargetHTTPProxy (PROXY) [Displays as a Node]
Google.Compute.TargetHTTPSProxy (PROXY) [Displays as a Node]
Google.Compute.TargetPool (POOL) [Displays as a Pod]
Google.Compute.TargetSSLProxy (PROXY) [Displays as a Pod]
Google.Compute.TargetTCPProxy (PROXY) [Displays as a Pod]
Google.Compute.URLMap (UMAP) [Displays as a Pod]
Google.Container.Cluster (KUBER) [Displays as a Node]
Google.Container.NodePool (POOL) [Displays as a Pod]
Google.DNS.ManagedZone (ZONE) [Displays as a Node]
Google.IAM.ServiceAccount (SRVACT) [Displays as a Node]
Google.IAM.ServiceAccountIAMPolicy (IAM) [Displays as a Pod]
Google.IAM.ServiceAccountKey (KEY) [Displays as a Pod]
Google.KMS.CryptoKey (KEY) [Displays as a Node]
Google.KMS.CryptoKeyIAMPolicy (IAM) [Displays as a Pod]
Google.KMS.KeyRing (KEYRING) [Displays as a Cluster]
Google.Logging.Metric (METRIC) [Displays as a Pod]
Google.Logging.ProjectBucketConfig (LOG BUCKET) [Displays as a Pod]
Google.Logging.ProjectSink (LOG SINK) [Displays as a Pod]
Google.Monitoring.AlertPolicy (IAM) [Displays as a Pod]
Google.Monitoring.MetricDescriptor (METRIC)
Google.Redis.Instance (REDIS) [Displays as a Node]
Google.ResourceManager.Project (PROJECT) [Displays as a Pod]
Google.ResourceManager.ProjectDefaultServiceAccounts (ACCOUNT) [Displays as a Pod]
Google.ResourceManager.ProjectIAMAuditConfig (AUDIT) [Displays as a Pod]
Google.ResourceManager.ProjectIAMPolicy (POLICY) [Displays as a Pod]
Google.SQL.Database (DB) [Displays as a Node]
Google.SQL.DatabaseInstance (SQL) [Displays as a Cluster]
Google.SQL.SSLCert (CERT) [Displays as a Pod]
Google.SQL.User (USER) [Displays as a Pod]
Google.Storage.Bucket (BUCKET) [Displays as a Node]
Google.Storage.BucketACL (ACL) [Displays as a Pod]
Google.Storage.BucketIAMPolicy (POLICY) [Displays as a Pod]
Google.Storage.Notification (NOTIF) [Displays as a Pod]
Supported Fugue IaC Kubernetes Resources (limited beta)
The details panel shows references and compliance state for all the Kubernetes resources Fugue supports.
Note
Kubernetes is only supported for Fugue’s Infrastructure as Code (IaC) offering, which is in limited beta. If you are interested in gaining access, please send an email to support@fugue.co. For more information, refer to Setup - Repository (limited beta).
The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:
ClusterRole (ROLE) [Displays as a Pod]
ConfigMap (CFG MAP) [Displays as a Pod]
CronJob (CRON) [Displays as a Node]
DaemonSet (DAEMON) [Displays as a Cluster]
DefaultServiceAccount (ACCOUNT) [Displays as a Node]
Deployment (DEPLOY) [Displays as a Cluster]
HorizontalPodAutoscaler (AUTOSCALER) [Displays as a Node]
Ingress (INGRESS) [Displays as a Node Border]
Job (JOB) [Displays as a Cluster]
PersistentVolume (VOLUME) [Displays as a Node]
PersistentVolumeClaim (CLAIM) [Displays as a Pod]
Pod (POD) [Displays as a Node]
PodDisruptionBudget (BUDGET) [Displays as a Node]
PodSecurityPolicy (SEC POLICY) [Displays as a Node]
ReplicaSet (REPLICA) [Displays as a Cluster]
Role (ROLE) [Displays as a Pod]
Secret (SECRET) [Displays as a Pod]
Service (SERVICE) [Displays as a Node]
ServiceAccount (ACCOUNT) [Displays as a Node]
StatefulSet (STATE SET) [Displays as a Cluster]
Note
If you are interested in gaining access to beta resources, please send an email to support@fugue.co.
Visualizing Previous Scans
To visualize resources from a previous scan, select a scan date and time from the date picker on the visualizer page:

The page will automatically refresh with an updated visualization. You can continue to select other scans from the date picker to visualize resources from past scans as desired. To reset to the most recent scan, simply refresh the page. If you leave the page, the diagram will be reset to the most recent scan when you return.
You may export the visualization from a past scan.
View Options
The View Options sidebar allows you to:
You can access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.
Exporting a Diagram
To save the visualization for a particular scan, use the visualizer’s export image feature:
Access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.
Optionally enable/disable compliance state visualization or expand/contract groupings.
Optionally, use filters to select your desired criteria. Only your filtered options are exported.
Select either the “Export as .PNG” or the “Export as .SVG” button to download a PNG or SVG of your environment visualization.

The exported image is the same as what appears in the visualizer on your screen, but it displays the entire environment at once and does not include the background grid or zoom controls. If you’ve selected “Show Compliance Errors,” the PNG will show compliance errors. If you expand some groupings and keep others condensed, the PNG will reflect that, too.
The exported image also includes the following environment information in the bottom left corner:
Environment name
Cloud provider
Account number (AWS) or subscription number (Azure)
Region(s) (AWS)
Date and time of the selected scan
To export the visualization of a historic scan, see Visualizing Previous Scans.
Note
For environments with a large number of resources, the visualizer exports the biggest image with the highest resolution that the browser can handle. The image export process may freeze the browser UI for a second or even a few seconds on very large environments. Filtered views can be exported. See Filtering.
Supported Browsers
The visualizer is supported in the following browsers:
Chrome
Firefox
Microsoft Edge
Opera
Safari
Note
The Fugue API does not support visualization.
WebGL is Required
Hardware acceleration must be enabled in your browser to use WebGL.
Chrome and Opera:
Preferences > Advanced > System > Use hardware acceleration when available
Firefox:
Preferences > Performance > Use recommended performance settings > Use hardware acceleration when available