aws-architecture-diagram
AWS Architecture Diagram
MCP Server
- Command:
uvx awslabs.aws-diagram-mcp-server@latest(stdio transport) - Requires:
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION(orAWS_PROFILE) - Dependency: Requires
graphvizinstalled on the system (apt install graphvizorbrew install graphviz)
Key Capabilities
- Auto-discovery: Scan AWS account and render infrastructure as a diagram
- Network topology: VPCs, subnets, route tables, IGW, NAT GW, TGW connections
- Service mapping: EC2, ELB, RDS, Lambda placed in their VPC/subnet context
- Multiple formats: PNG, SVG, PDF output
- Filtered views: Scope diagram to specific VPCs, services, or tags
Workflow: Network Architecture Diagram
When a user asks "draw our AWS network" or "show me the architecture":
- Generate diagram: Use diagram tool scoped to networking resources
- Include: VPCs, subnets (public/private), IGW, NAT GW, TGW, VPN, peering connections
- Label: CIDR blocks, subnet names, AZ placement
- Connections: Show routing paths — TGW attachments, peering links, VPN tunnels
- Output: PNG or SVG file for sharing in Slack or documentation
- Report: Architecture summary alongside the diagram
Workflow: VPC Detail Diagram
When focusing on a specific VPC:
- Scope to VPC: Filter diagram to one VPC by ID or tag
- Show subnets: Public, private, isolated — grouped by AZ
- Show route tables: Main and custom route tables with key routes
- Show gateways: IGW, NAT GW, VPC endpoints
- Show security: NACLs, security group relationships
- Output: Detailed VPC topology diagram
Workflow: Multi-Account Network Diagram
When documenting cross-account architecture:
- Hub-spoke topology: Show Transit Gateway as the hub
- VPC attachments: Each spoke VPC with its CIDR and purpose
- Route propagation: Show which routes propagate where
- VPN/DX: On-premises connections via VPN or Direct Connect
- Inspection VPC: Network Firewall placement if applicable
- Output: Enterprise network topology diagram
Integration with Other Skills
| Skill | How They Work Together |
|---|---|
aws-network-ops |
Discover VPCs/TGWs first, then diagram them |
aws-cloud-monitoring |
Add CloudWatch metrics annotations to diagram |
aws-cost-ops |
Annotate diagram with cost per resource |
markmap-viz |
Generate mindmap alternative for simpler overviews |
Diagram Scoping Tips
| Scope | When To Use |
|---|---|
| Full account | Initial architecture review or documentation |
| Single VPC | Troubleshooting or VPC-specific audit |
| TGW + attachments | Multi-VPC connectivity review |
| Subnet-level | Security audit or routing investigation |
| Tagged resources | Application-specific or team-specific views |
Important Rules
- Graphviz required — the MCP server generates Graphviz DOT files and renders them;
graphvizmust be installed - Large accounts may produce complex diagrams — scope with filters for clarity
- Region-specific — diagram shows resources in the configured AWS_REGION only
- Read-only — only discovers and renders, never modifies resources
- Record in GAIT — log diagram generation for audit trail
Environment Variables
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION(orAWS_PROFILE)
More from automateyournetwork/netclaw
pyats-topology
Network topology discovery via CDP/LLDP neighbors, ARP tables, routing peers, and interface mapping to build complete network maps. Use when mapping the network, building a diagram, discovering what is connected to what, or documenting device neighbors and links.
20drawio-diagram
Generate draw.io network diagrams — native .drawio files with CLI export (PNG/SVG/PDF), plus browser-based Mermaid/XML/CSV via MCP server. Use when creating network topology diagrams, generating architecture visuals, exporting diagrams to PNG or PDF, or building draw.io files from discovery data.
19grafana-observability
Grafana observability platform — dashboards, Prometheus PromQL, Loki LogQL, alerting, incidents, OnCall schedules, annotations, datasource queries, panel rendering (75+ tools). Use when querying Grafana dashboards, running PromQL for interface metrics, searching Loki logs for syslog events, investigating firing alerts, or checking who is on call.
18pyats-health-check
Comprehensive network device health monitoring - CPU, memory, interfaces, hardware, NTP, logging, environment, and uptime analysis. Use when running a device health check, monitoring CPU or memory usage, checking interface errors, or validating NTP sync.
17aws-security-audit
AWS security auditing — IAM users/roles/policies, CloudTrail API events, security posture analysis. Use when auditing IAM permissions, investigating security incidents, checking MFA compliance, or tracing API activity in CloudTrail.
16aws-cloud-monitoring
AWS CloudWatch monitoring — metrics, alarms, log queries, VPC flow log analysis, network performance. Use when checking AWS alarms, analyzing VPC flow logs, investigating network latency, or monitoring VPN and NAT Gateway metrics.
15