At two or three VPCs, your AWS network is easy to hold in your head. You know what connects to what, why the peering exists, and what each subnet is for.
At seven VPCs, it starts to blur. At fifteen, across multiple accounts and regions, nobody on the team has a complete picture anymore — and the team has usually stopped pretending otherwise.
This is the state most AWS environments reach after eighteen months of growth. It is not a failure of engineering discipline. It is what happens when cloud infrastructure moves faster than documentation, and when the tools AWS provides for visibility do not scale beyond a single account.
What the AWS Console Shows You (And What It Doesn't)
The AWS VPC console gives you a per-account, per-region view of your network resources. Within a single account and region you can inspect VPCs, subnets, route tables, peering connections, Transit Gateway attachments, Internet Gateways, and NAT Gateways. That is a complete inventory of parts — but not a map.
What it shows
- VPCs and their CIDR blocks
- Subnets and availability zones
- Route tables and their routes
- VPC peering connections
- Transit Gateway attachments
- Internet Gateways and NAT Gateways
What it doesn't show
- Cross-account topology in one view
- Whether VPC A can actually reach VPC B
- Which VPCs are production vs staging
- What changed since last week
- Overlapping CIDRs across VPCs
- Orphaned VPCs with no connectivity
For a small, single-account environment this is manageable. For anything larger, the console is a collection of raw data with no synthesis — and the questions that matter most (can staging reach production? does this VPC connect to anything?) cannot be answered without significant manual work.
How VPC Topology Gets Away from Teams
Several patterns drive topology drift in growing AWS environments:
VPCs added without a naming or tagging convention
Six months later, nobody remembers what vpc-0a3f... is for or which team owns it. The VPC may be running workloads, or it may be empty and forgotten.
Peering connections added under time pressure
A peering solves an immediate connectivity problem during an incident. The cleanup task never gets created. The peering stays — including any cross-environment paths it introduced.
TGW route tables that weren't updated as VPCs were added
A VPC gets attached to the TGW but route propagation is misconfigured. Traffic doesn't flow, nobody notices, and the VPC sits orphaned — still incurring costs for the attachment and subnets.
CIDRs duplicated when copying VPC configurations
A new dev environment gets created from a template without changing the IP range. The conflict is harmless until someone tries to connect the new VPC to anything — at which point the fix is a full re-IP.
Multi-account growth without centralized visibility
Different teams own different accounts. Nobody has a unified view of how the accounts connect through TGW or peering. Cross-account isolation assumptions are never verified.
Each of these is a normal consequence of moving fast. The problem is cumulative — by the time someone tries to understand the full topology, the raw materials are spread across multiple consoles in multiple accounts and require significant manual effort to synthesize.
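Two of the drift patterns above, duplicated CIDRs and silent cross-account growth, can be caught from inventory data alone, before any connectivity exists. The following is an added example, not Netway's code: it walks a constructed list shaped like the `Vpcs` items that EC2 `DescribeVpcs` returns (primary `CidrBlock` plus `CidrBlockAssociationSet` for secondary ranges) and reports every VPC pair whose address space overlaps, flagging cross-account clashes separately. The `Account` and `Region` keys, the VPC ids and the CIDR values are constructed for the example and are not part of the real API response.

```python
import ipaddress
from itertools import combinations

# Constructed sample. Each entry mirrors an item from the "Vpcs" list that
# EC2 DescribeVpcs returns (CidrBlock plus CidrBlockAssociationSet for
# secondary ranges); "Account" and "Region" are added by the collector when
# it fans out across accounts and are not part of the API response.
SAMPLE_VPCS = [
    {"Account": "111111111111", "Region": "us-east-1", "VpcId": "vpc-prod",
     "CidrBlock": "10.0.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
    {"Account": "111111111111", "Region": "us-east-1", "VpcId": "vpc-staging",
     "CidrBlock": "10.1.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.1.0.0/16"}]},
    # A dev environment cloned from the prod template without changing the range.
    {"Account": "222222222222", "Region": "eu-west-1", "VpcId": "vpc-dev-copy",
     "CidrBlock": "10.0.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
    # A VPC whose *secondary* CIDR collides with staging; the primary looks fine.
    {"Account": "222222222222", "Region": "eu-west-1", "VpcId": "vpc-data",
     "CidrBlock": "172.16.0.0/20",
     "CidrBlockAssociationSet": [{"CidrBlock": "172.16.0.0/20"},
                                 {"CidrBlock": "10.1.128.0/17"}]},
]


def vpc_networks(vpc):
    """All address ranges bound to a VPC: the primary plus any secondary associations."""
    blocks = {vpc["CidrBlock"]}
    blocks.update(a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", []))
    return [ipaddress.ip_network(b) for b in blocks]


def find_cidr_overlaps(vpcs):
    """Return one finding per VPC pair that shares at least one overlapping range.

    Overlap only bites once the two VPCs are connected, so treat the result as
    an inventory of latent conflicts to resolve before adding a peering or TGW
    attachment. Cross-account overlaps are the ones no single console shows.
    """
    findings = []
    for a, b in combinations(vpcs, 2):
        clashes = [(str(na), str(nb))
                   for na in vpc_networks(a)
                   for nb in vpc_networks(b)
                   if na.overlaps(nb)]
        if clashes:
            findings.append({
                "vpc_a": a["VpcId"],
                "vpc_b": b["VpcId"],
                "cross_account": a["Account"] != b["Account"],
                "ranges": clashes,
            })
    return findings


if __name__ == "__main__":
    for f in find_cidr_overlaps(SAMPLE_VPCS):
        scope = "cross-account" if f["cross_account"] else "same-account"
        print(f"{f['vpc_a']} <-> {f['vpc_b']} ({scope}): {f['ranges']}")
```

Against the constructed sample this reports two conflicts: the cloned dev VPC colliding with production, and the data VPC's secondary range colliding with staging. Checking secondary associations matters because the console's VPC list only shows the primary block in its main column, so a clash introduced by a later `AssociateVpcCidrBlock` call is easy to miss.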
What a Useful Topology Map Needs to Answer
What exists?
Every VPC, subnet, Transit Gateway, peering connection, IGW, and NAT Gateway — across all accounts and regions — in one place.
What can reach what?
Not just what routing resources exist, but whether a path actually exists between two VPCs given the current combination of routes and attachments.
What environment is this?
Which VPCs are production? Which are staging? Which carry PCI scope? Without environment context, a topology map is just a graph of unlabelled nodes.
What changed?
Which new VPCs were added since last week? Which peering connections are new? Topology changes are often where security gaps are introduced.
Building a Topology Map Manually: What It Takes
Teams that need a topology map typically approach it one of two ways:
AWS Config + manual synthesis. AWS Config records configuration history for VPCs, subnets, and route tables. With the right queries and enough time, you can reconstruct the topology. This works but requires significant ongoing effort to keep current and provides no reachability analysis.
Draw it manually. Someone spends a day clicking through the console and drawing a diagram in Lucidchart or draw.io. This is accurate at the moment of creation and obsolete within weeks.
How Netway Maps Your Topology Automatically
Collection
The Lambda function calls EC2 Describe* APIs across all configured accounts and regions — collecting VPCs, subnets, TGW attachments, TGW route tables, VPC peerings, route tables, IGWs, NAT Gateways, and VPC endpoints.
Graph construction
Resources become nodes. Connectivity relationships become edges. The graph is annotated with environment group tags from your VPC metadata — production, staging, development, CDE.
Reachability analysis
For any two VPCs, Netway determines whether a network path exists by traversing the graph — accounting for route table entries, not just the existence of connectivity resources. A peering with no matching routes on both sides does not constitute a path.
Change detection
Each scan is compared to the previous snapshot. New nodes, removed connections, and route table changes are recorded in a diff log. Any change that affects an isolation rule evaluation triggers an alert.
Visualization
The Netway dashboard renders the topology as an interactive graph, grouped by environment. The reachability matrix shows all VPC-to-VPC path status in a grid. Isolation violations are highlighted in red.
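The collection, graph construction, reachability and change-detection steps above can be reproduced in miniature on static data. What follows is an added example, not Netway's implementation: it takes constructed records shaped like the responses of EC2 `DescribeVpcPeeringConnections` and `DescribeRouteTables`, turns them into an edge set, and treats two VPCs as connected only when the peering is active and each side has a route table entry covering the other side's CIDR via that peering, which is the rule the reachability section states. It also lists orphaned VPCs, evaluates simple isolation rules, and diffs two snapshots the way a scan-to-scan change log would. VPC ids, peering ids, route tables and the isolation rules are all constructed; peering is modelled as non-transitive (a path is exactly one edge), and Transit Gateway routing is out of scope for this example.

```python
import ipaddress

# Constructed sample, trimmed to the fields used here. Shapes follow the
# EC2 DescribeVpcPeeringConnections and DescribeRouteTables responses.
VPCS = {  # VpcId -> primary CIDR
    "vpc-prod": "10.0.0.0/16",
    "vpc-staging": "10.1.0.0/16",
    "vpc-shared": "10.2.0.0/16",
    "vpc-orphan": "10.3.0.0/16",  # attached to nothing
}
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-prod-shared", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-prod"}, "AccepterVpcInfo": {"VpcId": "vpc-shared"}},
    {"VpcPeeringConnectionId": "pcx-staging-shared", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-staging"}, "AccepterVpcInfo": {"VpcId": "vpc-shared"}},
    # Incident-era peering: staging routes to prod, but prod never got a route back.
    {"VpcPeeringConnectionId": "pcx-staging-prod", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-staging"}, "AccepterVpcInfo": {"VpcId": "vpc-prod"}},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-prod", "VpcId": "vpc-prod", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-prod-shared"}]},
    {"RouteTableId": "rtb-shared", "VpcId": "vpc-shared", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-prod-shared"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-staging-shared"}]},
    {"RouteTableId": "rtb-staging", "VpcId": "vpc-staging", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-staging-shared"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-staging-prod"}]},
]


def has_peering_route(vpc_id, dest_cidr, pcx_id, route_tables):
    """True if any route table of vpc_id sends all of dest_cidr over peering pcx_id."""
    dest = ipaddress.ip_network(dest_cidr)
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for route in rt["Routes"]:
            if route.get("VpcPeeringConnectionId") != pcx_id:
                continue
            if dest.subnet_of(ipaddress.ip_network(route["DestinationCidrBlock"])):
                return True
    return False


def build_edges(vpcs, peerings, route_tables):
    """Graph construction: an undirected edge exists only when the peering is
    active AND both sides route the other's CIDR through it."""
    edges = set()
    for pcx in peerings:
        if pcx["Status"]["Code"] != "active":
            continue
        a, b = pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]
        pid = pcx["VpcPeeringConnectionId"]
        if (has_peering_route(a, vpcs[b], pid, route_tables)
                and has_peering_route(b, vpcs[a], pid, route_tables)):
            edges.add(frozenset((a, b)))
    return edges


def can_reach(a, b, edges):
    """Reachability: VPC peering is not transitive, so a path is exactly one edge."""
    return frozenset((a, b)) in edges


def orphaned_vpcs(vpcs, edges):
    """VPCs that appear in no usable edge, i.e. attached to nothing that routes."""
    connected = set().union(*edges) if edges else set()
    return sorted(v for v in vpcs if v not in connected)


def isolation_violations(edges, rules):
    """rules: (src, dst) pairs that must NOT be reachable; returns the ones that are."""
    return [(a, b) for a, b in rules if can_reach(a, b, edges)]


def diff_snapshots(previous, current):
    """Change detection between two scans' edge sets."""
    return {"added": current - previous, "removed": previous - current}


if __name__ == "__main__":
    edges = build_edges(VPCS, PEERINGS, ROUTE_TABLES)
    for e in sorted(map(sorted, edges)):
        print("path:", " <-> ".join(e))
    print("orphaned:", orphaned_vpcs(VPCS, edges))
    print("violations:", isolation_violations(edges, [("vpc-staging", "vpc-prod")]))
```

The instructive case is `pcx-staging-prod`: the peering resource exists and is active, so a resource inventory would draw a line between staging and production, but because production has no return route the example reports no path and therefore no violation of the staging-must-not-reach-prod rule. Whether that half-configured peering should be removed anyway is a separate question the diff log makes visible as soon as someone adds the missing route.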
What to Do With the Map
A live topology map answers questions that previously required hours of manual work:
The map is also the foundation for compliance evidence. You cannot generate credible network segmentation evidence without first knowing what your network actually looks like.
Getting Started
Register at netway.basavytix.com
Run the CloudFormation deploy command shown in your dashboard
Run the scan
The topology graph appears in your dashboard