Technical Overview

CloudNetDraw is a serverless tool for visualizing your Azure network architecture. It uses your Azure identity (user or service principal) to retrieve metadata about Virtual Networks, Peerings and Subnets, then creates downloadable network diagrams in Draw.io format. It also supports multi-hub topologies, Azure Portal links on each resource, and spoke-to-spoke peerings.

Authentication

  • Supports both interactive user sign-in and service principal login, both over OAuth2 against Microsoft Entra ID.
  • Scopes requested: https://management.azure.com/.default and user_impersonation (the Azure Resource Manager delegated permission).
  • Access tokens are short-lived (by default roughly 60 to 90 minutes) and are never stored.

Data Collection

  • All subscriptions visible to the identity are enumerated and scanned.
  • For each subscription, the tool:
    • Lists Virtual Networks (VNets), their Peerings, and Subnets
    • Classifies the hub VNet(s), either explicitly or by peering count (the VNet with the most peerings)
    • Records NSG and UDR (route table) presence at subnet level
    • Captures resource IDs for elements such as VNets, NSGs and UDRs, which also drive the Azure Portal links
  • All collected metadata is saved as a JSON file under /tmp/<session_id>/
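
The classification and subnet inventory steps above, as an added illustration (not CloudNetDraw's own code). It assumes the Azure Resource Manager JSON shape for virtualNetworks (properties.virtualNetworkPeerings[*].remoteVirtualNetwork.id, properties.subnets[*].networkSecurityGroup.id, properties.subnets[*].routeTable.id); the sample VNets, subscription ID and resource names are constructed. The NSG exemption list for GatewaySubnet and AzureFirewallSubnet reflects that those subnets do not take a subnet-level NSG, so their absence there is not a finding.

```python
"""Hub classification and subnet NSG/UDR inventory over ARM-style VNet metadata.
Added example, not CloudNetDraw's code; assumes the ARM virtualNetworks JSON shape.
"""
import json

# Subnets that do not take a subnet-level NSG; a missing NSG there is not a finding.
NSG_EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
RG = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network"


def _vnet_id(name):
    return f"{RG}/virtualNetworks/{name}"


def _subnet(name, prefix, nsg=None, udr=None):
    props = {"addressPrefix": prefix}
    if nsg:
        props["networkSecurityGroup"] = {"id": f"{RG}/networkSecurityGroups/{nsg}"}
    if udr:
        props["routeTable"] = {"id": f"{RG}/routeTables/{udr}"}
    return {"name": name, "properties": props}


def _vnet(name, subnets, peers):
    peerings = [{"name": f"{name}-to-{p}",
                 "properties": {"remoteVirtualNetwork": {"id": _vnet_id(p)}}}
                for p in peers]
    return {"id": _vnet_id(name), "name": name,
            "properties": {"subnets": subnets, "virtualNetworkPeerings": peerings}}


# Constructed sample: a hub with three spokes, plus one spoke-to-spoke peering.
SAMPLE_VNETS = [
    _vnet("vnet-hub", [_subnet("GatewaySubnet", "10.0.0.0/27"),
                       _subnet("shared", "10.0.2.0/24", nsg="nsg-shared", udr="rt-shared")],
          ["vnet-spoke-a", "vnet-spoke-b", "vnet-spoke-c"]),
    _vnet("vnet-spoke-a", [_subnet("app", "10.1.0.0/24", nsg="nsg-app", udr="rt-spokes"),
                           _subnet("data", "10.1.1.0/24", udr="rt-spokes")],
          ["vnet-hub", "vnet-spoke-b"]),
    _vnet("vnet-spoke-b", [_subnet("web", "10.2.0.0/24", nsg="nsg-web")],
          ["vnet-hub", "vnet-spoke-a"]),
    _vnet("vnet-spoke-c", [_subnet("mgmt", "10.3.0.0/24")], ["vnet-hub"]),
]


def peering_graph(vnets):
    """Map each VNet name to the names it peers with. Remote IDs match
    case-insensitively (ARM IDs are); unknown peers are kept by raw ID."""
    by_id = {v["id"].lower(): v["name"] for v in vnets}
    graph = {}
    for v in vnets:
        peers = set()
        for p in v["properties"].get("virtualNetworkPeerings", []):
            rid = p["properties"]["remoteVirtualNetwork"]["id"]
            peers.add(by_id.get(rid.lower(), rid))
        graph[v["name"]] = peers
    return graph


def classify_hub(graph, explicit_hub=None):
    """Hub = explicit choice if given, else the VNet with the most peerings
    (ties broken by name so the diagram is deterministic)."""
    if explicit_hub is not None:
        if explicit_hub not in graph:
            raise ValueError(f"explicit hub {explicit_hub!r} is not a collected VNet")
        return explicit_hub
    return min(graph, key=lambda n: (-len(graph[n]), n))


def subnet_controls(vnet):
    """Per-subnet NSG/UDR presence with resource IDs (used for portal links)."""
    rows = []
    for s in vnet["properties"].get("subnets", []):
        props = s["properties"]
        nsg = props.get("networkSecurityGroup", {}).get("id")
        udr = props.get("routeTable", {}).get("id")
        rows.append({"name": s["name"], "prefix": props.get("addressPrefix"),
                     "nsg_id": nsg, "udr_id": udr,
                     "nsg_missing": nsg is None and s["name"] not in NSG_EXEMPT_SUBNETS})
    return rows


def collect(vnets, explicit_hub=None):
    """Build the per-subscription metadata a diagram generator would consume."""
    graph = peering_graph(vnets)
    hub = classify_hub(graph, explicit_hub)
    spokes = sorted(n for n in graph if n != hub)
    # Spoke-to-spoke edges as unordered pairs, so a two-way peering appears once.
    s2s = sorted({tuple(sorted((a, b))) for a in spokes for b in graph[a]
                  if b != hub and b in graph})
    return {"hub": hub, "spokes": spokes,
            "spoke_to_spoke": [list(e) for e in s2s],
            "vnets": {v["name"]: {"id": v["id"], "peers": sorted(graph[v["name"]]),
                                  "subnets": subnet_controls(v)} for v in vnets}}


if __name__ == "__main__":
    print(json.dumps(collect(SAMPLE_VNETS), indent=2))
```

Peering count is a heuristic: once spokes peer with each other, a spoke can accumulate as many peerings as the hub, which is why an explicit hub override is kept alongside the automatic choice. The resulting dictionary is what would be serialized to the per-session JSON file.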

Diagram Generation

  • A generator module parses the collected JSON and produces two Draw.io diagrams, each carrying the collected resource metadata:
    • a High-Level Diagram (HLD)
    • a Mid-Level Diagram (MLD)
  • Both diagrams are bundled into a downloadable ZIP

HLD Examples

MLD Examples

Security

  • No user credentials are stored or logged.
  • All working files are kept in function-local temporary storage (/tmp on the function instance) and deleted after use.
  • Sign-ins by the user or service principal are visible in your Microsoft Entra ID sign-in logs. The tool's Azure Resource Manager calls are read-only, and read operations are not recorded in the Azure Activity Log.

Self-Hosting

When self-hosted, the Azure Function can be run on a schedule (e.g. daily) to refresh the network diagrams automatically. Results are written to a configured Azure Storage Account. The function's managed identity must be granted the built-in Reader role on every subscription you want diagrammed; Reader is sufficient because the tool only lists network resources, so avoid broader roles such as Contributor.
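
A least-privilege check for the managed identity described above, as an added example (not part of CloudNetDraw). It assumes role assignment records shaped like the output of `az role assignment list --assignee <objectId> --all` (roleDefinitionName, scope) and that the only write permission the function holds is on the storage account that receives the diagrams; the subscription IDs, resource names and assignments are constructed.

```python
"""Least-privilege audit of a self-hosted function's managed identity.
Added example, not CloudNetDraw's code; assumes `az role assignment list` record shape.
"""

# Subscriptions the scheduled function should diagram (constructed IDs).
TARGET_SUBSCRIPTIONS = [
    "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001",
    "/subscriptions/aaaaaaaa-0000-0000-0000-000000000002",
]
# Extra (role, scope) pairs the function legitimately holds: here, writing results
# to the output storage account. Assumption for this example.
OUTPUT_STORAGE = (TARGET_SUBSCRIPTIONS[0] + "/resourceGroups/rg-cloudnetdraw"
                  "/providers/Microsoft.Storage/storageAccounts/stdiagrams")
ALLOWED_EXTRA = {("Storage Blob Data Contributor", OUTPUT_STORAGE.lower())}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Constructed sample, as if returned by `az role assignment list`.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": TARGET_SUBSCRIPTIONS[0]},
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": OUTPUT_STORAGE},
    {"roleDefinitionName": "Contributor",
     "scope": TARGET_SUBSCRIPTIONS[0] + "/resourceGroups/rg-cloudnetdraw"},
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
]


def audit_assignments(assignments, targets=TARGET_SUBSCRIPTIONS,
                      allowed_extra=ALLOWED_EXTRA):
    """Return (kind, role, scope) findings. Clean output is an empty list:
    exactly Reader on each target subscription plus the allowed extras."""
    wanted = {t.lower() for t in targets}
    covered, findings = set(), []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if (role, scope) in allowed_extra:
            continue
        if role != "Reader":
            findings.append(("role_too_broad", role, a["scope"]))
        elif scope == "/" or scope.startswith(MG_PREFIX):
            # Inherits down to every subscription under the tenant/management group.
            findings.append(("scope_too_broad", role, a["scope"]))
        elif scope in wanted:
            covered.add(scope)
        elif any(scope.startswith(t + "/") for t in wanted):
            # Reader on one resource group misses VNets elsewhere in the subscription.
            findings.append(("scope_too_narrow", role, a["scope"]))
        else:
            findings.append(("unexpected_scope", role, a["scope"]))
    for t in sorted(wanted - covered):
        findings.append(("missing_reader", "Reader", t))
    return findings


def remediation_commands(findings, principal_id):
    """az CLI commands that add the missing Reader assignments."""
    return [f"az role assignment create --assignee-object-id {principal_id} "
            f"--assignee-principal-type ServicePrincipal --role Reader --scope {scope}"
            for kind, _role, scope in findings if kind == "missing_reader"]


if __name__ == "__main__":
    found = audit_assignments(SAMPLE_ASSIGNMENTS)
    for f in found:
        print(*f)
    for cmd in remediation_commands(found, "<function-managed-identity-object-id>"):
        print(cmd)
```

Run it against the real `az role assignment list --assignee <objectId> --all -o json` output after deployment and again whenever the subscription list changes; Reader inherited from a management group does let the function read, but it also grants read access to every subscription under that group, which is why the example flags it rather than treating it as coverage.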

Limitations

  • Only resources the signed-in identity has access to are shown; anything in subscriptions it cannot read is absent from the diagram.
  • Layout may be simplified in large environments.