Technical Overview
CloudNetDraw is a serverless tool for visualizing your Azure network architecture. It uses your Azure identity (user or service principal) to retrieve metadata about Virtual Networks, Peerings, and Subnets, then creates downloadable network diagrams in Draw.io format.
Authentication
- Supports both OAuth2 (user account) and Service Principal-based login.
- Scopes used: https://management.azure.com/.default (the application scope requested in the client-credentials flow for a service principal) and user_impersonation (the delegated scope requested when a user signs in).
- Tokens are short-lived (~60 minutes) and are never stored.
Data Collection
- All subscriptions accessible to the identity are scanned.
- For each subscription, the tool:
- Identifies Virtual Networks (VNets), Peerings, and Subnets
- Classifies one VNet as the "hub" (either explicitly or by peering count)
- Captures NSG and UDR presence at subnet level
- All metadata is saved as a JSON file in /tmp/<session_id>/
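The collection steps above, as an added example in Python that is not CloudNetDraw's own code. The sample VNets, resource ids, subscription id and session id are constructed, and the JSON layout is this example's own assumption. It classifies the hub by peering count (or by an explicit choice), records only whether an NSG or route table is attached to each subnet, and writes the result under <temp>/<session_id>/ after validating the session id (it becomes a path component) and creating the directory owner-only, then deletes the directory once it is no longer needed.

```python
from __future__ import annotations
import json
import re
import shutil
import tempfile
from pathlib import Path

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id

def rid(kind: str, name: str) -> str:
    """Constructed Azure resource id (Microsoft.Network) for the sample data."""
    return f"/subscriptions/{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/{kind}/{name}"

def sample_vnet(name: str, prefix: str, peers: list[str], subnets: list[dict]) -> dict:
    """Constructed VNet shaped like the Azure Network REST API resource."""
    return {"name": name, "id": rid("virtualNetworks", name), "properties": {
        "addressSpace": {"addressPrefixes": [prefix]},
        "subnets": subnets,
        "virtualNetworkPeerings": [{"name": f"{name}-to-{p}", "properties": {
            "remoteVirtualNetwork": {"id": rid("virtualNetworks", p)}}} for p in peers],
    }}

# A subnet carries "networkSecurityGroup" / "routeTable" only when one is attached.
SAMPLE_VNETS = [
    sample_vnet("hub-vnet", "10.0.0.0/16", ["spoke-a", "spoke-b"], [
        {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/27"}},
        {"name": "shared", "properties": {"addressPrefix": "10.0.1.0/24",
            "networkSecurityGroup": {"id": rid("networkSecurityGroups", "nsg-shared")},
            "routeTable": {"id": rid("routeTables", "rt-shared")}}}]),
    sample_vnet("spoke-a", "10.1.0.0/16", ["hub-vnet"], [
        {"name": "app", "properties": {"addressPrefix": "10.1.0.0/24",
            "networkSecurityGroup": {"id": rid("networkSecurityGroups", "nsg-app")}}}]),
    sample_vnet("spoke-b", "10.2.0.0/16", ["hub-vnet"], [
        {"name": "data", "properties": {"addressPrefix": "10.2.0.0/24"}}]),
]

def peering_count(vnet: dict) -> int:
    return len(vnet["properties"].get("virtualNetworkPeerings", []))

def classify_hub(vnets: list[dict], explicit_hub: str | None = None) -> str:
    """Explicit hub if given, otherwise the most-peered VNet; name breaks ties."""
    if explicit_hub is not None:
        if explicit_hub not in {v["name"] for v in vnets}:
            raise ValueError(f"explicit hub {explicit_hub!r} was not found in the scan")
        return explicit_hub
    return min(vnets, key=lambda v: (-peering_count(v), v["name"]))["name"]

def summarize_subnets(vnet: dict) -> list[dict]:
    """Capture NSG / UDR presence per subnet, not the rules themselves."""
    rows = []
    for subnet in vnet["properties"].get("subnets", []):
        props = subnet.get("properties", {})
        rows.append({"name": subnet["name"], "prefix": props.get("addressPrefix"),
                     "has_nsg": "networkSecurityGroup" in props, "has_udr": "routeTable" in props})
    return rows

def build_metadata(vnets: list[dict], explicit_hub: str | None = None) -> dict:
    hub = classify_hub(vnets, explicit_hub)
    return {"hub": hub, "vnets": [{
        "name": v["name"], "id": v["id"], "role": "hub" if v["name"] == hub else "spoke",
        "address_space": v["properties"]["addressSpace"]["addressPrefixes"],
        "peerings": [p["properties"]["remoteVirtualNetwork"]["id"]
                     for p in v["properties"].get("virtualNetworkPeerings", [])],
        "subnets": summarize_subnets(v)} for v in vnets]}

# The session id becomes a path component: accept only a short safe token so
# values like "../x" can never escape the temp directory.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")

def write_session_json(metadata: dict, session_id: str, base_dir: str | None = None) -> Path:
    """Write <base>/<session_id>/metadata.json in a fresh, owner-only directory."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id must be 8-64 characters of [A-Za-z0-9_-]")
    session_dir = Path(base_dir or tempfile.gettempdir()) / session_id
    session_dir.mkdir(mode=0o700, exist_ok=False)  # never reuse an existing directory
    out = session_dir / "metadata.json"
    out.write_text(json.dumps(metadata, indent=2))
    out.chmod(0o600)
    return out

def remove_session(metadata_path: Path) -> None:
    """Delete the whole session directory once the diagrams have been built."""
    shutil.rmtree(metadata_path.parent)

def session_roundtrip(session_id: str = "sess-0001-abcd") -> dict:
    """Write, read back and delete one session under a private mkdtemp base."""
    base = tempfile.mkdtemp(prefix="cloudnetdraw-")
    out = write_session_json(build_metadata(SAMPLE_VNETS), session_id, base)
    hub = json.loads(out.read_text())["hub"]
    remove_session(out)
    gone = not out.parent.exists()
    shutil.rmtree(base)
    return {"hub": hub, "deleted": gone}
```

The hub tie-break on name matters in practice: two VNets with equal peering counts would otherwise flip between runs and change the diagram layout. The strict session-id pattern and exist_ok=False are the two checks worth keeping if the session directory name is ever derived from a request parameter.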
Diagram Generation
- The collected JSON is parsed by two separate modules:
- HLD.py – generates a high-level hub-and-spoke view
- MLD.py – creates a detailed mid-level diagram with subnets and icons
- Both diagrams are bundled into a downloadable ZIP
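As an added example (not CloudNetDraw's HLD.py or MLD.py, whose exact output is not shown on this page), the following Python renders a hub-and-spoke HLD in Draw.io's mxGraph XML from metadata of the kind described above, leaves spoke-to-spoke peerings out, and bundles the generated files into an in-memory ZIP. The metadata, VNet names, colours and layout constants are constructed for the example; a hub peering whose remote VNet was not visible to the scanning identity gets no line, because there is no node to connect it to.

```python
import io
import math
import xml.etree.ElementTree as ET
import zipfile

VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/"
        "providers/Microsoft.Network/virtualNetworks/")

# Constructed metadata (an assumption for this example): one hub peered to two
# spokes and to a VNet the scanning identity could not read, plus one VNet
# that is not peered to the hub at all.
SAMPLE_METADATA = {"hub": "hub-vnet", "vnets": [
    {"name": "hub-vnet", "id": VNET + "hub-vnet", "address_space": ["10.0.0.0/16"],
     "peerings": [VNET + "spoke-a", VNET + "spoke-b", VNET + "invisible-vnet"]},
    {"name": "spoke-a", "id": VNET + "spoke-a", "address_space": ["10.1.0.0/16"],
     "peerings": [VNET + "hub-vnet"]},
    {"name": "spoke-b", "id": VNET + "spoke-b", "address_space": ["10.2.0.0/16"],
     "peerings": [VNET + "hub-vnet", VNET + "spoke-a"]},
    {"name": "island", "id": VNET + "island", "address_space": ["10.9.0.0/16"],
     "peerings": []},
]}

def hld_drawio(metadata: dict) -> str:
    """Hub centred, spokes on a ring; only hub-to-spoke peerings are drawn as lines."""
    vnets = metadata["vnets"]
    hub = next(v for v in vnets if v["name"] == metadata["hub"])
    spokes = [v for v in vnets if v is not hub]
    name_by_id = {v["id"]: v["name"] for v in vnets}

    mxfile = ET.Element("mxfile")
    model = ET.SubElement(ET.SubElement(mxfile, "diagram", name="HLD"), "mxGraphModel")
    root = ET.SubElement(model, "root")
    ET.SubElement(root, "mxCell", id="0")
    ET.SubElement(root, "mxCell", id="1", parent="0")  # default layer

    def vertex(cell_id: str, v: dict, x: float, y: float, fill: str) -> None:
        label = v["name"] + "<br>" + ", ".join(v["address_space"])  # html=1 renders <br>
        cell = ET.SubElement(root, "mxCell", id=cell_id, value=label, vertex="1", parent="1",
                             style=f"rounded=1;html=1;whiteSpace=wrap;fillColor={fill};")
        ET.SubElement(cell, "mxGeometry", x=str(round(x)), y=str(round(y)),
                      width="160", height="60", **{"as": "geometry"})

    def edge(cell_id: str, src: str, dst: str) -> None:
        cell = ET.SubElement(root, "mxCell", id=cell_id, edge="1", parent="1",
                             source=src, target=dst, style="endArrow=none;html=1;")
        ET.SubElement(cell, "mxGeometry", relative="1", **{"as": "geometry"})

    cx, cy, radius = 400.0, 300.0, 260.0
    vertex("v-" + hub["name"], hub, cx, cy, "#ffe6cc")
    for i, spoke in enumerate(spokes):
        angle = 2 * math.pi * i / max(len(spokes), 1)
        vertex("v-" + spoke["name"], spoke,
               cx + radius * math.cos(angle), cy + radius * math.sin(angle), "#dae8fc")
    # Spoke-to-spoke peerings (spoke-b -> spoke-a) are deliberately not drawn in the
    # HLD, and a remote VNet without a node (not readable by the identity) gets no line.
    for n, remote_id in enumerate(hub["peerings"]):
        remote = name_by_id.get(remote_id)
        if remote is not None:
            edge(f"e{n}", "v-" + hub["name"], "v-" + remote)
    return ET.tostring(mxfile, encoding="unicode")

def summarize_cells(drawio_xml: str) -> dict:
    """Count vertices and list edges as (source, target); a sanity check before zipping."""
    vertices, edges = 0, []
    for cell in ET.fromstring(drawio_xml).iter("mxCell"):
        if cell.get("vertex") == "1":
            vertices += 1
        elif cell.get("edge") == "1":
            edges.append((cell.get("source"), cell.get("target")))
    return {"vertices": vertices, "edges": edges}

def bundle_zip(files: dict[str, str]) -> bytes:
    """Bundle the generated diagrams into an in-memory ZIP ready for download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

def zip_names(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```

Draw.io opens the uncompressed mxfile/diagram/mxGraphModel form directly; the two fixed mxCell ids "0" and "1" are the root and default layer that every other cell must reference as its parent. Because the label uses html=1, the escaped &lt;br&gt; in the XML attribute is rendered as a line break.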
HLD Examples
MLD Examples
Security
- No user credentials are stored or logged.
- All files are written only to the function's local temporary storage (/tmp/<session_id>/) and deleted after use.
- Audit logs for sign-ins and API access are visible in your Microsoft Entra ID logs.
Self-Hosting
When self-hosted, the Azure Function can be scheduled (e.g. daily) to automatically refresh network diagrams. Results are saved to a configured Azure Storage Account. You must grant the Reader role to the managed identity used by the function on every subscription you want included; only subscriptions the identity can read are scanned, and Reader is enough because the tool only lists network metadata. Write access to the target Storage Account is a separate permission and is not covered by the Reader assignment.
Limitations
- Only shows resources that the signed-in identity has access to.
- Currently supports hub-and-spoke topologies; spoke-to-spoke lines may be excluded in HLD.
- Some layout simplifications may occur in large environments.