How do I generate a network diagram of my Azure environment?

You can generate a diagram by logging into CloudNetDraw with your Azure credentials or a service principal. The tool will query your Azure resources and create a Draw.io-compatible network topology instantly.

Why do I get a ZIP file?

The solution generates two types of diagrams:

  • High-Level Diagram (HLD): Provides an overview of your Azure network architecture, showing virtual networks and their peerings.
  • Mid-Level Diagram (MLD): Offers more detail, including subnets and further details.

It is impossible to send two files in a single HTTP response, so the diagrams are bundled into a ZIP file for easy download. This allows you to access both diagrams in one go.

Why am I asked for admin consent?

CloudNetDraw uses Microsoft Entra ID (Azure AD) for secure access. Some organizations require admin approval, depending on your tenant settings.

What Azure permissions are required to generate a diagram?

CloudNetDraw only needs read access to the Azure resources you want to visualize. Assign the Reader role to the authenticated user or service principal at the resource group or subscription level.

Does a Service Principal automatically have access?

No. If you use a Service Principal, you must manually assign it access to the required resources. The tool cannot assign permissions for you. You can use built-in roles like Reader at the subscription, resource group, or resource level.

What Azure resources are analyzed?

The tool currently maps Virtual Networks, Peerings, and Subnets. It uses Azure Resource Graph queries to identify structure and relationships.

Why is my diagram empty or missing networks?

This typically happens if the authenticated identity lacks proper permissions. Ensure the service principal or user account has Reader access to all relevant subscriptions and VNets.

How long does access last?

User tokens last for 60 minutes. The Service Principal form sends credentials directly to the backend without storing them. Access is temporary and used only to retrieve the necessary data once.

What if my environment uses custom roles or policies?

As long as the effective permissions allow for read access to network resources (like Microsoft.Network/virtualNetworks/read), the tool will work. Custom RBAC roles should include this permission.
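To check whether a set of custom role definitions adds up to the read access described above, and to spot roles that grant more than read, the following added example (not part of CloudNetDraw) evaluates role JSON using Azure RBAC's rule that a role grants its actions minus its notActions. Assumptions: the dictionaries use the key names of `az role definition list` output, the sample roles are constructed, and assignment scope and deny assignments are not modelled.

```python
import re

# The one permission the FAQ names; extend this tuple if your setup needs more.
REQUIRED = ("Microsoft.Network/virtualNetworks/read",)

def matches(pattern, action):
    """Azure RBAC patterns are case-insensitive and '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """A role grants an action listed in actions unless notActions subtracts it."""
    for perm in role.get("permissions", []):
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        removed = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not removed:
            return True
    return False

def beyond_read(role):
    """Action patterns that allow more than read operations."""
    return [p for perm in role.get("permissions", [])
            for p in perm.get("actions", []) if not p.lower().endswith("/read")]

def review(roles, required=REQUIRED):
    """Evaluate all roles assigned to one identity; grants are the union across roles."""
    missing = [a for a in required if not any(role_grants(r, a) for r in roles)]
    excess = {r["roleName"]: beyond_read(r) for r in roles if beyond_read(r)}
    return {"missing": missing, "excess": excess}

# Constructed sample role definitions (not taken from any real tenant).
def role(name, actions, not_actions=()):
    return {"roleName": name,
            "permissions": [{"actions": list(actions), "notActions": list(not_actions)}]}

READER_LIKE = role("reader-like", ["*/read"])
VNET_ONLY = role("vnet-diagram-reader", ["Microsoft.Network/virtualNetworks/read"])
COMPUTE_ONLY = role("compute-reader", ["Microsoft.Compute/*/read"])
NO_NETWORK = role("read-except-network", ["*/read"], ["Microsoft.Network/*"])
BROAD = role("contributor-like", ["*"], ["Microsoft.Authorization/*/Write"])

if __name__ == "__main__":
    for assigned in ([VNET_ONLY], [COMPUTE_ONLY], [NO_NETWORK], [BROAD]):
        print([r["roleName"] for r in assigned], review(assigned))
```

A non-empty `missing` list points to the empty-diagram symptom; a non-empty `excess` map flags a role that is broader than the read-only access the tool needs.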

Do you store my credentials or data?

No. Neither Service Principal secrets nor user tokens are stored. All data is processed in-memory and discarded after the diagram is generated.

Can I self-host CloudNetDraw in my Azure tenant?

Yes! CloudNetDraw is fully open-source and can be self-hosted for enterprise use. Instructions are available in the GitHub repo.