Introduction

Quadzig is an AWS Infrastructure visualization & discovery platform. It lets you visualize & navigate complex multi-account AWS Infrastructure in a structured manner. Quadzig discovers your AWS Infrastructure with a minimal set of Read-Only IAM Permissions.

Adding an AWS Account

You can add AWS Account(s) by navigating to the Add Accounts Screen in the Quadzig app. You can either add a single AWS Account through a single CloudFormation Stack or add multiple AWS Accounts through a CloudFormation StackSet.

If you have a large number of AWS Accounts and you have the ability to launch CloudFormation StackSet instances, we recommend that you use a CloudFormation StackSet to add the AWS Accounts. Note that you can delete individual AWS Accounts from Quadzig after adding them through a CloudFormation StackSet.

Adding a single AWS Account

Adding an AWS Account on Quadzig requires you to provision a limited Cross Account Read-Only IAM Role in your AWS Account. For your convenience, we provide a CloudFormation template that you can use to provision the IAM Role easily. This role is provisioned in the us-east-1 (N. Virginia) region by default. You can change the region to any of the 16 Supported Regions during CloudFormation Stack creation. If you do not have the permissions to launch the CloudFormation stack, you can copy the link available in the Quadzig Console and share it with a person who has appropriate access.

You can view the CloudFormation template here. Note that the browser may prompt you to download the file when you click on the link.

Please note that once you have launched the CloudFormation stack, it takes 2 to 3 minutes for the AWS Account to show up in the Accounts List.

Adding Multiple AWS Accounts

Navigate to the Add Accounts Screen and select the Add Multiple AWS Accounts with Cloudformation Stacksets tab. You can change the StackSet region to your preference. Please note that the region you select in the Quadzig console is the region where the StackSet is deployed. You will have to select the region where CloudFormation stacks are deployed in the AWS Console. This region has to be one of the 16 Supported Regions.

Provisioning Access

Quadzig uses a cross-account IAM Role to discover your AWS infrastructure. To make it easy for you to manage the lifecycle of the IAM Role, a CloudFormation stack is created in your account, which, in turn, creates the IAM Role. We only provision the minimal set of permissions required for visualizing your infrastructure.

Quadzig will NEVER request WRITE permissions to your AWS Account.

The following permissions are currently needed for Quadzig to discover resources within your AWS Account.

cloudwatch:GetMetricData
ec2:DescribeAddresses
ec2:DescribeClientVpnConnections
ec2:DescribeClientVpnEndpoints
ec2:DescribeClientVpnRoutes
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSpotFleetInstances
ec2:DescribeSpotFleetRequests
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeTransitGatewayAttachments
ec2:DescribeTransitGatewayPeeringAttachments
ec2:DescribeTransitGatewayRouteTables
ec2:DescribeTransitGateways
ec2:DescribeTransitGatewayVpcAttachments
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:DescribeServices
ecs:ListClusters
ecs:ListContainerInstances
ecs:ListServices
ecs:ListTagsForResource
elasticache:DescribeCacheClusters
elasticache:DescribeCacheSecurityGroups
elasticache:DescribeCacheSubnetGroups
elasticache:DescribeGlobalReplicationGroups
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSubnetGroups
rds:ListTagsForResource

Quadzig may request additional permissions in the future when more resources are supported.
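
To check a provisioned role against the list above, the following added example (not Quadzig's code or template) audits an IAM policy document and reports any Allow statement that uses wildcards, NotAction, or an action not listed on this page. The function names and the sample policy are constructed for illustration.

```python
import json

# Read-only actions listed on this page, keyed by service prefix.
DOCUMENTED = {
    "cloudwatch": "GetMetricData",
    "ec2": "DescribeAddresses DescribeClientVpnConnections DescribeClientVpnEndpoints "
           "DescribeClientVpnRoutes DescribeInstances DescribeInternetGateways DescribeNatGateways "
           "DescribeNetworkAcls DescribeRouteTables DescribeSecurityGroups DescribeSpotFleetInstances "
           "DescribeSpotFleetRequests DescribeSubnets DescribeTags DescribeTransitGatewayAttachments "
           "DescribeTransitGatewayPeeringAttachments DescribeTransitGatewayRouteTables "
           "DescribeTransitGateways DescribeTransitGatewayVpcAttachments DescribeVolumes "
           "DescribeVpcPeeringConnections DescribeVpcs DescribeVpnConnections DescribeVpnGateways",
    "ecs": "DescribeClusters DescribeContainerInstances DescribeServices ListClusters "
           "ListContainerInstances ListServices ListTagsForResource",
    "elasticache": "DescribeCacheClusters DescribeCacheSecurityGroups DescribeCacheSubnetGroups "
                   "DescribeGlobalReplicationGroups DescribeReplicationGroups ListTagsForResource",
    "elasticloadbalancing": "DescribeInstanceHealth DescribeLoadBalancerAttributes "
                            "DescribeLoadBalancerPolicies DescribeLoadBalancerPolicyTypes "
                            "DescribeLoadBalancers DescribeTags",
    "rds": "DescribeDBClusters DescribeDBInstances DescribeDBSubnetGroups ListTagsForResource",
}
ALLOWED = {f"{svc}:{a}".lower() for svc, names in DOCUMENTED.items() for a in names.split()}

def as_list(value):  # IAM accepts a single value or a list for Statement and Action
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements that go beyond the documented action list."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction in an Allow statement grants everything not named")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in ALLOWED:  # IAM action names are case-insensitive
                findings.append(f"undocumented action: {action}")
    return findings

# Constructed sample policy (not Quadzig's template): two documented actions plus three problems.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:describeinstances", "rds:DescribeDBInstances",
                                 "ec2:Describe*", "s3:GetObject"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"}]}""")

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)))
```

An empty result means every allowed action is on the documented list; rerun the check whenever the stack is updated, since the list may grow.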

Supported Resources

Quadzig supports visualizing the following AWS Resources. Support for more is on the way. If you would like us to add support for a specific AWS Resource/Service, please let us know.

Resource Name
VPCs
Public Subnets
Private Subnets
Transit Gateways
NAT Gateways
Internet Gateways
VPC Peering Connections
Transit Gateway Attachments
EC2 Instances
RDS Aurora Instances
RDS Instances
Note: Only Postgres & MySQL resources are supported
Application Load Balancers
Network Load Balancers
Classic Load Balancers
ECS Cluster
ECS Service
Auto Scaling Groups
AWS Infinidash

Block Lists

If you would like Quadzig to skip discovering & visualizing certain resources, you can add the Resource ID to the block list in the Block Lists section. A Resource ID is the unique ID that AWS provides for each of your resources. For example, vpc-08f356d717d61bc6f is a Resource ID.

We only support VPC blocking as of now. If you would like to block more Resource Types, please let us know.

You also have an option to ignore default VPCs in all regions in the settings section.

Note: Blocking a VPC will also stop Quadzig from discovering & visualizing other resources like Subnets, EC2 Instances, RDS Instances in the VPC.

Note: You do NOT have to add the full ARN to the block list. Just adding the Resource ID is enough to stop Quadzig from visualizing your resource.

Region Support

Quadzig supports visualizing infrastructure in the following 16 AWS Regions.

Region Code Region Name
us-east-2 Ohio
us-east-1 N. Virginia
us-west-1 N. California
us-west-2 Oregon
ap-south-1 Mumbai
ap-northeast-2 Seoul
ap-southeast-1 Singapore
ap-southeast-2 Sydney
ap-northeast-1 Tokyo
ca-central-1 Central
eu-central-1 Frankfurt
eu-west-1 Ireland
eu-west-2 London
eu-west-3 Paris
eu-north-1 Stockholm
sa-east-1 São Paulo

When you add an AWS Account, Quadzig discovers resources in all 16 supported regions by default. You can change the region list for each AWS Account individually through the 'Edit AWS Account' screen.

Resource Discovery

Quadzig fetches the latest changes from your AWS Infrastructure only in 2 cases.

  1. When you add a new AWS Account, Quadzig runs a one time discovery of your AWS infrastructure.
  2. When you click on the 'Sync' button in the visualization/omnisearch screens, Quadzig runs a discovery to fetch the latest changes from your AWS Accounts.

Apart from the 2 scenarios described above, Quadzig NEVER proactively scans/discovers resources in your AWS Account.

We may provide an opt-in option for periodic discovery of your AWS resources in the future.

Deleting an AWS Account

You can delete an added AWS Account through the Accounts screen.

Deleting an AWS Account does not automatically delete the provisioned Cross Account IAM Role. To delete this role, please destroy the CloudFormation Stack associated with the account manually.

Deleting the CloudFormation Stack

If you manually delete the CloudFormation stack associated with an AWS Account, Quadzig will no longer be able to discover resources from your AWS Account. In this case, an error is displayed in the Accounts screen indicating that the associated CloudFormation Template has been deleted.

You will have to delete the AWS Account from Quadzig and re-add it for visualization to start working again.

Browser Support

Quadzig requires a modern browser with JavaScript enabled to function. Quadzig does not currently support legacy browsers like IE11. We support the last 4 major releases of the Chrome, Firefox & Safari browsers. If you find a bug or are unable to use some functionality of Quadzig, please let us know.

FAQ

See FAQ section.