Visualizer

The Fugue visualizer creates detailed interactive diagrams of the cloud infrastructure in an AWS, AWS GovCloud, or Azure environment. The diagrams are automatically generated and updated, allowing users to easily visualize resource configurations, relationships, and compliance state for current or previous scans. The visualization can be exported as a PNG.

_images/VizDashboard1.png

Users can access the visualizer from the environment dashboard by selecting the “Visualizer” link in the header near the top of the page:

_images/viz-link.png

By default, the diagram is zoomed out to show all resources in the graph. You can zoom in or view in full screen to more closely inspect the resources. Select a resource to view its attributes.

_images/VizZoomed.png

Compliance state visualization is enabled by default and noncompliant resources are shown in red. For more information about compliance visualization, see Visualizing Resource Compliance State.

_images/viz-compliance-state-example.png

Environment resources from the latest scan are displayed by default and the diagram is automatically updated after future scans. If you change the resource types that Fugue scans, the visualizer will reflect the updated types after the next scan. You can visualize previous scans by using the date picker.

For a list of the resources the visualizer supports, see Which Resources are Visualized? You’ll also find a list of AWS and AWS GovCloud and Azure resources that support compliance state visualization.

Visualization Components

The visualizer is composed of many different elements, which are labeled below.

_images/viz-annotated-components-4-28.png

1. Each circular node represents a single resource

_images/viz-single-resource.png

2. …Or a resource group bounded by a thin gray box:

_images/viz-group-collapsed.png

3. Expanded resource groups allow you to view each individual resource:

_images/viz-group-expanded.png

4. A collection is a square containing zero or more nodes, and it represents a resource that contains other resource types, such as an ECS service containing tasks:

_images/viz-collection.png

5. Collections can be expanded to show the nodes inside of them:

_images/viz-expanded-collection.png

6. Collections may also be grouped together

_images/viz-grouped-collection.png

…and therefore a group of collections can be expanded or collapsed:

_images/viz-expanded-grouped-collection.png

7. A collection that doesn’t contain any resources is shown with a gray slash through it (see the note under Collections below):

_images/viz-empty-collection.png

8. Lines between resources represent resource connections. There are four types:

  • Security group connections between resources

  • Connections to the internet from internet gateways (IGWs) and S3 buckets with website configurations

  • Connections from S3 buckets to log buckets (shown below)

  • VPC peering connections

_images/viz-connected-resources.png

9. A network (such as a VNET, below) is depicted as a set of brackets [ ]. Resources in the network are depicted as nodes inside the brackets:

_images/viz-virtual-network.png

10. The internet is depicted as an I-beam symbol. A resource connected to this symbol is connected to the internet:

_images/viz-internet-icon.png

11. Unconnected resources appear on the right side of the visualization:

_images/viz-unconnected-resources.png

12. Labels and configuration information, such as the name Example EC2 Instance below, are shown when you zoom in closely and are hidden when you zoom farther out:

_images/VizLabel.png

13. Noncompliant resources appear in red. Below, the EC2 instance is compliant, and the noncompliant ELB and example-sg security group are shown in red. For more details, see Visualizing Resource Compliance State:

_images/VizNoncomplianceSmall1.png

14. When an environment contains more than one region, horizontal brackets labeled by region separate the infrastructure. Global resources, such as the CloudFront distributions below, are labeled global:

_images/viz-region.png

This example environment includes all supported regions:

_images/multiregionviz.gif

Security Group Connections Between Resources

A security group connection between resources occurs when one resource has a security group that accepts traffic from resources in a second security group. The connection is represented as a line between the resource nodes.

For example, the diagram below shows two resources, demo-lb and Example EC2 Instance:

  • security-group-1 is associated with demo-lb.

  • security-group-2 is associated with Example EC2 Instance.

As you can see from the direction of the arrow, security-group-1 forwards traffic to security-group-2, so a line is drawn from demo-lb to Example EC2 Instance.

_images/VizSGConnection.png
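The rule above (a line is drawn from resource A to resource B when B’s security group accepts traffic from A’s security group) can be reproduced outside the visualizer. The script below is an added example, not Fugue’s own code or data: the security groups and resources are constructed to match the diagram, and the group-membership model (each resource lists its security group IDs, each group lists the source groups its ingress rules accept) is an assumption for the example. It also covers two cases the text does not show: a group that accepts traffic from itself, which connects every resource in that group to every other, and a rule whose source group is not in the scan, which draws nothing.

```python
"""Derive security-group connections between resources (added example).

Implements the rule from the page: an edge A -> B exists when a security
group on B has an ingress rule whose source is a security group on A.
All groups and resources below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityGroup:
    sg_id: str
    name: str
    # IDs of the source security groups this group's ingress rules accept.
    ingress_source_sgs: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Resource:
    name: str
    sg_ids: frozenset  # security groups associated with the resource


def security_group_connections(resources, groups):
    """Return sorted (source_resource, target_resource) edges.

    An edge is drawn for every resource in a source group to every resource
    in the accepting group; a resource never gets an edge to itself.
    """
    groups_by_id = {g.sg_id: g for g in groups}
    members = {}  # sg_id -> set of resource names associated with it
    for res in resources:
        for sg_id in res.sg_ids:
            members.setdefault(sg_id, set()).add(res.name)

    edges = set()
    for target in resources:
        for target_sg_id in target.sg_ids:
            target_sg = groups_by_id.get(target_sg_id)
            if target_sg is None:
                continue  # group not present in the scan: nothing to draw
            for source_sg_id in target_sg.ingress_source_sgs:
                for source_name in members.get(source_sg_id, ()):
                    if source_name != target.name:
                        edges.add((source_name, target.name))
    return sorted(edges)


# Constructed sample matching the two-resource diagram on the page.
SAMPLE_GROUPS = [
    SecurityGroup("sg-1", "security-group-1"),
    SecurityGroup("sg-2", "security-group-2", frozenset({"sg-1"})),
]
SAMPLE_RESOURCES = [
    Resource("demo-lb", frozenset({"sg-1"})),
    Resource("Example EC2 Instance", frozenset({"sg-2"})),
]

# A group that accepts traffic from itself connects all of its members.
SELF_REF_GROUPS = [SecurityGroup("sg-default", "default", frozenset({"sg-default"}))]
SELF_REF_RESOURCES = [
    Resource("web-1", frozenset({"sg-default"})),
    Resource("web-2", frozenset({"sg-default"})),
]

if __name__ == "__main__":
    for src, dst in security_group_connections(SAMPLE_RESOURCES, SAMPLE_GROUPS):
        print(f"{src} -> {dst}")
```

Reading the edge list this way is a quick review aid: each edge is a trust relationship one group extends to another, so an unexpected edge into a database tier is worth checking against the group’s ingress rules.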

Visualizing Resource Compliance State

Compliance state visualization is enabled by default, and can be toggled off or on through the “Show Compliance Errors” checkbox on the View Options panel (accessible via the cog icon in the bottom left of the diagram). Noncompliant resource nodes, networks, and collections are red. If a resource type supports compliance visualization, and it is not red, it is compliant. See the full list of AWS and AWS GovCloud and Azure resources that support compliance state visualization.

Below, the ELB node, CloudFront distribution node, example-sg security group, and three of the four DDB nodes are noncompliant and shown in red. The EC2 node and the DDB node named Example DDB Table are both compliant.

_images/VizNoncompliance1.png

If you click on the red warning symbol next to the noncompliant resource, you’ll see a list of failed compliance controls and why they failed. This modal is the same one you’d see under the Compliance by Resource tab in the environment dashboard. In the animation below, you can see that the DDB table named dev-database is noncompliant with a number of compliance controls:

_images/VizNoncomplianceModal1.gif

Groups and collections show compliance a little differently. For details, see How collapsed groups and collections show compliance.

Viewing Resource Groups and Collections

Resource groups

Similar resources of the same type are grouped together. A resource group is depicted as a stack of nodes surrounded by a light gray border, and the number of grouped resources is shown in the bottom right corner:

_images/viz-single-resource-group.png

Resource groups may be expanded or collapsed to view individual nodes.

Collections

A collection represents a resource that contains other resource types. For example, AWS auto scaling groups containing EC2 instances, and ECS services containing tasks, are rendered as collections. A collection is depicted as a square with a thick border containing zero or more nodes:

_images/viz-single-collection.png

Collections may also be expanded or collapsed to view individual nodes:

_images/expand-collection-4.gif

A collection that doesn’t contain any resources is shown with a gray slash through it.

Note

There are a variety of reasons why a collection would not contain any resources, such as if the resources are not currently running, if they are not enabled for scans, or if you are looking at an old scan before Fugue added support for the resources.

_images/viz-empty-collection.png

How to expand and collapse groups/collections

You can select the outward-arrow icon in the upper right to expand the group/collection and view the individual resources:

_images/VizGroup1.png

Select the inward-arrow icon to contract the group:

_images/VizContractGroup1.png

The animated image below shows expansion/contraction in action:

_images/VizExpandGroup1.gif

You can expand or collapse all groups and collections at once by accessing the View Options panel via the square cog icon in the bottom left of the diagram and then selecting Expand All Groupings or Condense All Groupings:

_images/viz-expand-condense-all.gif

Nested groups/collections

Collections can be grouped together. For example, in the image below, two ASG collections are grouped together:

_images/viz-collapsed-collection.png

If you drill down into it, the group of collections can be expanded, in this case revealing a collection containing a single resource (Staging 2 ASG), and a collection containing multiple resources (Prod ASG):

_images/viz-collection-group-expanded.png

Going one step further, you can expand individual collections – such as Prod ASG, which contains two resources:

_images/viz-collection-group-all-expanded.png

How collapsed groups and collections show compliance

Collapsed resource groups, collections, and groups of collections show compliance state a little differently:

Nodes inside groups and collections

  1. All compliant: All nodes are normal (bordered in black)

  2. All noncompliant: All nodes are red

  3. Mixed compliance:

    1. One red node if one resource is noncompliant

    2. Two red nodes, one black node if 2+ nodes (but not all) are noncompliant

When any resource in a collapsed group is noncompliant, the top node is shown as noncompliant.

Below is a resource group containing nodes of mixed compliance:

_images/viz-resource-group-compliance.png

Single collection

A noncompliant single collection has a red background, like so:

_images/viz-noncompliant-single-collection.png

Grouped collections

  1. All compliant: All collections are normal

  2. All noncompliant: All collections are red

  3. Mixed compliance:

    1. One red collection, one black collection if one collection is noncompliant

    2. Two red collections, one black collection if 2+ collections (but not all) are noncompliant

When any collection in a collapsed group is noncompliant, the top collection is shown as noncompliant.

Below is a group of collections with mixed compliance:

_images/viz-mixed-compliance-grouped-collections.png

To see the compliance state for each individual resource, whether in a group or collection, expand it.

For more about visualizing compliance state, see Visualizing Resource Compliance State.

Below is a depiction of resource groups with all compliant resources, no compliant resources, and mixed compliance:

_images/viz-collapsed-stacks.png

Viewing Resource Details

The visualizer allows you to view resource attributes and references via the resource details panel. To access the panel, click on a resource, and the panel appears on the left side of the screen.

The Attributes section lists configuration details for the selected resource. For example, you’d see cidr_block for a VPC. Nested attributes can be expanded or collapsed by clicking on them.

The References section lists other resources related to the selected resource. For example, you’d see a list of security groups for a VPC. You can click on a resource listed in the Reference section and it redirects you to that resource, as shown below.

_images/Viz-DetailsPane.gif

You can close the details panel by clicking on the X on the lower right side of the panel, or by deselecting the resource.

Panning, Zooming, and Viewing in Full Screen

You can navigate the visualizer by panning and zooming. You can also reset zoom so all resources are shown, enable/disable full screen mode, and enable/disable compliance visualization. The visualizer supports keyboard shortcuts.

To pan, click inside the diagram and drag it around:

_images/VizPan.gif

You can also use the arrow keys on your keyboard.

To zoom in:

  • Click the plus sign + in bottom right of graph

  • Or, scroll down with mouse

  • Or, pinch closed with trackpad

  • Or, press the plus + (equals =) key on your keyboard

To zoom out:

  • Click the minus sign - in bottom right of graph

  • Or, scroll up with mouse

  • Or, pinch open with trackpad

  • Or, press the minus - (underscore _) key on your keyboard

To reset zoom and show all resources:

  • Click the “center” icon in bottom right of graph

  • Or, refresh the page

  • Or, double-tap the spacebar on your keyboard

To view in full screen mode:

  • Click the full-screen toggle icon in bottom right of graph

To exit full screen mode:

  • Click the full-screen toggle icon in bottom right of graph

To view the compliance state of your resources (enabled by default):

  1. Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard

  2. Check “Show Compliance Errors”

To disable compliance state visualization:

  1. Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard

  2. Uncheck “Show Compliance Errors”

You can also close the View Options panel by pressing the . period key.

Here’s an example of zooming:

_images/VizZoomDemo.gif

Here’s an example of full screen mode:

_images/VizFullScreen.png

Here’s an example of the compliance view:

_images/viz-toggle-compliance.gif

Which Resources Are Visualized?

For a list of supported AWS and AWS GovCloud resources, see AWS & AWS GovCloud.

For Azure resources, see Azure.

Supported AWS & AWS GovCloud Resources

The visualizer currently supports the following AWS or AWS GovCloud resources. Each abbreviation shows how the resource is labeled in the diagram:

  • ApiGateway.RestApi (API)

  • AutoScaling.AutoScalingGroup (ASG)

  • AutoScaling.LaunchConfiguration (not shown, only used to render ASG)

  • CloudFront.Distribution (CF)

  • DynamoDB.Table (DDB)

  • EC2.Instance (EC2)

  • EC2.InternetGateway (IGW)

  • EC2.SecurityGroup (only shown as label)

  • EC2.Subnet (only shown as label)

  • EC2.Vpc (VPC)

  • EC2.VpcEndpoint (ENDPT) (gateway endpoints only)

  • EC2.VpcPeeringConnection (PEER)

  • ECR.Repository (ECR)

  • ECS.Service (ECS)

  • ECS.Task (TASK)

  • EFS.FileSystem (EFS)

  • EFS.MountTarget (not shown, only used to render EFS)

  • EKS.Cluster (EKS)

  • ELB.LoadBalancer (ELB)

  • ELBv2.LoadBalancer (LB)

  • Lambda.Function (λ)

  • RDS.Cluster (RDS)

  • RDS.Instance (RDS)

  • RDS.SubnetGroup (not shown, only used to render RDS)

  • Redshift.Cluster (REDSH)

  • Redshift.ParameterGroup (not shown, only used to render REDSH)

  • Redshift.SubnetGroup (not shown, only used to render REDSH)

  • S3.Bucket (S3)

VPC Attributes

Attributes shown for each VPC:

  • CIDR block

  • VPC ID

  • Region

  • Number of security groups

  • Number of subnets

  • Peering connections

Attributes shown for each subnet:

  • Name, if subnet is named

  • CIDR block, if unnamed

  • Unique label corresponding to resources inside the subnet (purple badge, top)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group (blue badge, bottom)

Each resource inside the VPC shows a label corresponding to its subnet and security group. The purple subnet label appears above the blue security group label. (If the subnet or security group is noncompliant, the label is red instead.)

Below, Example EC2 Instance is in subnet new-subnet-2 (label B) and the default security group (label C):

_images/VizSubnets1.png

You can click on a label to show all resources in that security group or subnet, and the rest of the visualization is dimmed. (This also displays the resource’s attributes.) For example, the default security group with the label E is highlighted, and you can see that both EC2 instances are in the security group:

_images/viz-highlight-subnet-aws.png

VPC peering connections (PEER) are shown as a line between two VPCs. Each VPC is labeled with the name of the peering connection. In the example below, there are two peering connections:

  • peering-connection-test connects peer-vpc and vpc-76f2xxxx

  • personal-peering-test connects peer-vpc and vpc-3ba7xxxx

vpc-3ba7xxxx is an external VPC, and though it is rendered, it does not list any information apart from the VPC ID.

_images/vpc-peering.png

VPC gateway endpoints (ENDPT) are shown as a line between a VPC and all S3 buckets or all DDB tables in the same region. In the example below, Example VPC Endpoint connects a VPC and S3 buckets:

_images/viz-vpc-endpoint-buckets-annotated.png

AWS & AWS GovCloud Resources Supporting Compliance State Visualization

The visualizer also shows compliance state for the following resources:

  • ApiGateway.RestApi (API)

  • AutoScaling.AutoScalingGroup (ASG)

  • CloudFront.Distribution (CF)

  • DynamoDB.Table (DDB)

  • EC2.Instance (EC2)

  • EC2.SecurityGroup (label)

  • EC2.Subnet (label)

  • EC2.Vpc (VPC)

  • ECR.Repository (ECR)

  • ECS.Service (ECS)

  • ECS.Task (TASK)

  • EFS.FileSystem (EFS)

  • EKS.Cluster (EKS)

  • ELB.LoadBalancer (ELB)

  • ELBv2.LoadBalancer (LB)

  • Lambda.Function (λ)

  • RDS.Cluster (RDS)

  • RDS.Instance (RDS)

  • Redshift.Cluster (REDSH)

  • S3.Bucket (S3)

Implicit Resources

Sometimes infrastructure in your environment may refer to a resource that Fugue doesn’t have access to. For example, if you have a VPC peering connection with an external account, Fugue does not have access to anything inside the external VPC.

In situations like this, the unknown resource is displayed as an implicit resource. When you open the resource details panel for it, you see the message “This resource was not found in your scan, so it is displayed as an implicit resource.” In the external VPC vpc-3ba7f15f below, you can see that no information is displayed.

_images/VizImplicit.png

Reasons a resource might be considered implicit:

  • Resource type isn’t selected for scanning

  • Resource is in a region that is not part of the environment

  • Resource is in another cloud provider account

  • Fugue’s IAM role doesn’t have the necessary permissions to survey it
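The implicit-resource behaviour described in this section, as an added example that is not Fugue’s code: anything referenced by a scanned resource but absent from the scan becomes a node that carries only its ID and the message quoted above. The scan records, the reference list, and the `requester`/`accepter` attribute names are constructed for the example; the peered external VPC ID is the masked one used on this page.

```python
"""Mark referenced-but-unscanned resources as implicit (added example).

Scanned resources keep their attributes; a resource that only appears as the
target of a reference (for example the accepter VPC of a peering connection
in another account) is rendered as an implicit node with just its ID.
All records below are constructed for this example.
"""
from dataclasses import dataclass, field

IMPLICIT_MESSAGE = ("This resource was not found in your scan, "
                    "so it is displayed as an implicit resource.")


@dataclass
class Node:
    resource_id: str
    resource_type: str
    implicit: bool
    attributes: dict = field(default_factory=dict)


def build_nodes(scanned, references):
    """Build the node set for a diagram.

    scanned:    {resource_id: {"type": ..., <attribute>: <value>, ...}}
    references: iterable of (from_id, to_id, to_type) taken from scanned
                resources' attributes (constructed shape for this example).
    """
    nodes = {}
    for rid, record in scanned.items():
        attrs = {k: v for k, v in record.items() if k != "type"}
        nodes[rid] = Node(rid, record["type"], implicit=False, attributes=attrs)
    for from_id, to_id, to_type in references:
        if from_id not in scanned:
            # Only scanned resources can originate a reference.
            raise ValueError(f"reference from unscanned resource {from_id!r}")
        if to_id not in nodes:
            # Referenced but never surveyed: the page's implicit case.
            nodes[to_id] = Node(to_id, to_type, implicit=True)
    return nodes


def details_panel(node):
    """What the resource details panel shows for a node."""
    if node.implicit:
        return {"id": node.resource_id, "message": IMPLICIT_MESSAGE}
    return {"id": node.resource_id, **node.attributes}


def implicit_ids(nodes):
    """IDs of implicit nodes, useful for auditing what the scan cannot see."""
    return sorted(rid for rid, node in nodes.items() if node.implicit)


# Constructed sample: a scanned VPC peered with a VPC in another account.
SAMPLE_SCAN = {
    "peer-vpc": {"type": "EC2.Vpc", "cidr_block": "10.0.0.0/16",
                 "region": "us-east-1"},
    "personal-peering-test": {"type": "EC2.VpcPeeringConnection",
                              "requester": "peer-vpc",
                              "accepter": "vpc-3ba7xxxx"},
}
SAMPLE_REFERENCES = [
    ("personal-peering-test", "peer-vpc", "EC2.Vpc"),
    ("personal-peering-test", "vpc-3ba7xxxx", "EC2.Vpc"),
]

if __name__ == "__main__":
    graph = build_nodes(SAMPLE_SCAN, SAMPLE_REFERENCES)
    for rid in implicit_ids(graph):
        print(rid, details_panel(graph[rid])["message"])
```

The `implicit_ids` list is the part worth keeping from such a script: each entry is infrastructure your environment depends on that the scan could not survey, for one of the reasons listed above, and so cannot be checked for compliance.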

Supported Azure Resources

The visualizer currently supports the following Azure resources. Each abbreviation shows how the resource is labeled in the diagram:

  • Azure.Compute.VirtualMachine (VM)

  • Azure.Network.NetworkInterface (not shown, used to link VMs with Subnets and Security Groups)

  • Azure.Network.NetworkSecurityGroup (only shown as label)

  • Azure.Network.Subnet (only shown as label)

  • Azure.Network.VirtualNetwork (VNET)

  • Azure.SQL.Server (SQL)

  • Azure.Storage.Account (STRAC)

VNet Attributes

Attributes shown for each Azure Virtual Network:

  • Name

  • Region

  • Number of security groups

  • Number of subnets

Attributes shown for each subnet:

  • Name

  • Unique label corresponding to resources inside the subnet (purple badge, top)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group (blue badge, bottom)

Each resource inside the VNet shows a label corresponding to its subnet and security group. The purple subnet label appears above the blue security group label.

Below, virtual machine dev-east-vm is in subnet default (label A, top) and security group dev-east-vm-nsg (label A, bottom):

_images/VNetSubnets.png

You can click on a label to show all resources in that security group or subnet, and the rest of the visualization is dimmed. (This also displays the resource’s attributes.) For example, the default subnet with the label A is highlighted, and you can see that both VMs are in the subnet:

_images/viz-highlight-subnet-azure.png

Azure Resources Supporting Compliance State Visualization

The visualizer also shows compliance state for the following resources:

  • Azure.Compute.VirtualMachine (VM)

  • Azure.Network.NetworkSecurityGroup (only shown as label)

  • Azure.Network.Subnet (only shown as label)

  • Azure.Network.VirtualNetwork (VNET)

  • Azure.SQL.Server (SQL)

  • Azure.Storage.Account (STRAC)

Visualizing Previous Scans

To visualize resources from a previous scan, select a scan date and time from the date picker on the visualizer page:

_images/date-picker-select-date.png

The page will automatically refresh with an updated visualization. You can continue to select other scans from the date picker to visualize resources from past scans as desired. To reset to the most recent scan, refresh the page. If you leave the page, the diagram will be reset to the most recent scan when you return.

You may export the visualization from a past scan.

View Options

The View Options sidebar allows you to:

  • Show or hide compliance errors (the “Show Compliance Errors” checkbox)

  • Expand or condense all groups and collections at once (Expand All Groupings / Condense All Groupings)

  • Export the diagram as a PNG (“Export as .PNG”)

You can access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.

_images/viz-view-options-sidebar.png

Exporting a Diagram

To save the visualization for a particular scan, use the visualizer’s export image feature:

  1. Access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.

  2. Optionally enable/disable compliance state visualization or expand/contract groups and collections.

  3. Select the “Export as .PNG” button to download a PNG of your environment visualization.

Here’s an example:

_images/viz-image-export-example.png

The exported image is the same as what appears in the visualizer on your screen, but it displays the entire environment at once and does not include the background grid or zoom controls. If you’ve selected “Show Compliance Errors,” the PNG will show compliance errors. If you expand some groups/collections and keep others condensed, the PNG will reflect that, too.

The exported image also includes the following environment information in the bottom left corner:

  • Environment name

  • Cloud provider

  • Account number (AWS) or subscription number (Azure)

  • Region(s) (AWS)

  • Date and time of the selected scan

To export the visualization of a historic scan, see Visualizing Previous Scans.

Note

For environments with a large number of resources, the visualizer exports the biggest image with the highest resolution that the browser can handle. The image export process may freeze the browser UI for a second or even a few seconds on very large environments.

Supported Browsers

The visualizer is supported in the following browsers:

  • Chrome

  • Firefox

  • Microsoft Edge

  • Opera

  • Safari

Note

The Fugue API does not support visualization.

WebGL is Required

Hardware acceleration must be enabled in your browser to use WebGL.

Chrome and Opera:

  • Preferences > Advanced > System > Use hardware acceleration when available

Firefox:

  • Preferences > Performance > Use recommended performance settings > Use hardware acceleration when available