Overview

Cloudcraft offers a powerful, live read-only visualization tool for cloud architecture, enabling you to explore, analyze, and manage your infrastructure with ease. Not to be confused with the Standalone Cloudcraft documentation, this guide outlines the functionality, setup, and use cases of Cloudcraft in Datadog, detailing its benefits for various user personas, and highlighting key features and capabilities.

Cloudcraft’s core functionality is its ability to generate detailed architecture diagrams. These diagrams visually represent AWS and Azure cloud resources, allowing you to explore and analyze your environments. Cloudcraft’s diagrams are optimized for clarity and performance, providing an intuitive interface for navigating large-scale deployments. This helps teams to:

• Trace incidents back to their root causes through infrastructure dependencies.
• Determine if infrastructure is the cause of an incident, such as cross-region traffic causing latency or increased costs.
• Analyze and address the most relevant security misconfigurations.
• Onboard new team members.
• Accelerate incident MTTR and proactive governance tasks by simplifying infrastructure navigation.

Prerequisites

• To access Cloudcraft in Datadog, you need the cloudcraft_read permission.

• Resource collection must be enabled for your AWS accounts.

• For the best experience, Datadog strongly recommends using the AWS-managed SecurityAudit policy, or the more permissive ReadOnlyAccess policy.

• Viewing content on the Security overlay requires additional products to be enabled:

  • To view security misconfigurations and identity risks, Cloud Security must be enabled.
  • To view sensitive data, Sensitive Data Scanner must be enabled. For a user to turn the layer on, they must have the data_scanner_read permission.

Note: Cloudcraft adapts to restrictive permissions by excluding inaccessible resources. For example, if you don’t grant permission to list S3 buckets, the diagram excludes those buckets. If permissions block certain resources, an alert displays in the UI.

Enabling resource collection can impact your AWS CloudWatch costs. To avoid these charges, disable Usage metrics in the Metric Collection tab of the Datadog AWS Integration.

• To access Cloudcraft in Datadog, you need the cloudcraft_read permission.

• You need the Datadog Admin Role, or any role with the azure_configurations_manage permission. See the Azure setup instructions for more information.

• Enable resource collection for your Azure accounts:

  1. Navigate to Integrations > Azure.
  2. Add your Azure subscription by selecting + Add New App Registration if not already added.
  3. Select the App Registration containing your Azure subscription.
  4. On the Resource Collection tab, ensure the Enable Resource Collection toggle is enabled.

• Viewing content on the Security overlay requires additional products to be enabled:

  • To view security misconfigurations and identity risks, Cloud Security must be enabled.
  • To view sensitive data, Sensitive Data Scanner must be enabled. For a user to turn the layer on, they must have the data_scanner_read permission.

Getting started

To get started using Cloudcraft, use the following steps:

1. Navigate to Infrastructure > Resources > Cloudcraft.
2. A real-time diagram of the resources is displayed in your environment.

Note: If your environment has more than 10,000 resources, filter the diagram by account, region, or tags to display it.

Group By

With Group By, Cloudcraft divides your diagram into distinct sections based on different group types. This feature offers a clear and organized perspective of your resources, making it especially helpful for visualizing complex cloud environments.

Enable the Show All Controls toggle to display the available Group By options. You can remove specific groupings by unchecking options like VPC and Region. To view the current nesting structure and add the Network ACL (Network Access Control List) layer, click the + Tags menu.

Group by tags

You can group resources by AWS and Azure tags, such as app, service, team, or cost center, to organize your view by team or workload. When grouping by tags, color-coded labels are displayed on each group. When grouping by the service tag, a raised block is displayed to visually indicate the service grouping.

Note: Grouping by tags is supported for AWS and Azure tags only. Tags from the Datadog Agent (for example, locally configured env or team tags) are not supported.

Saved views

Saved views allow you to save specific filters on your diagram that are most important to you, enabling efficient troubleshooting with scoped queries on your accounts, regions, environments, and resources.

To apply a saved view to your diagram:

• Navigate to Infrastructure > Resources > Cloudcraft. Select one or more accounts, regions, and resources. Apply any desired filters to your saved view, then click +Save as new view.
• Select the desired saved view from the menu at the top of the diagram view. The diagram automatically updates to reflect the chosen view.

Explore resources

Use the zoom and hover features to pinpoint the most critical resources. As you zoom in, additional resource names become visible. Hovering over a resource displays a panel with basic information, while clicking on a resource opens a side panel with observability, cost, and security data, along with cross-links to other relevant Datadog products.

Projection toggle

Toggle the projection from 3D (default) to 2D to visualize your resources from a top-down view.

Filtering and search

Diagrams can be filtered by tags, such as team, application, or service, allowing you to concentrate on relevant resources while maintaining context through connected resources. Additionally, Cloudcraft provides a powerful search and highlight feature, enabling ease of location of specific resources or groups of resources.

Click the + Filter menu to filter your resources by commonly used tags such as service, team, region, and more. Additionally, click the More Filters option to filter by AWS and Azure tags, custom tags, and Terraform tags. The filter option reloads the diagram to display only the infrastructure that matches the filter criteria.

Search and highlight

Use the search bar to locate resources on the diagram by name, ID, or tag. This feature is effective for finding specific resources within your cloud architecture. It highlights the search criteria in the diagram, without creating a new diagram, by greying out the elements that do not match the search criteria.

Permissions

To access Cloudcraft in Datadog, you need the cloudcraft_read permission. This permission is included in the Datadog Read Only Role by default. If your organization uses custom roles, add this permission to the appropriate role. For more information on managing permissions, see the RBAC documentation.

Next steps

Learn how to navigate between built-in overlays to view your architecture from different perspectives. Each overlay is designed to support specific operational goals, such as:

• Infrastructure: High-level view of services and resources.
• Observability: Indicates which hosts have the Agent installed and what observability features are enabled.
• Security: IAM, firewall, and security group visibility.
• Cloud Cost Management: Track and optimize resource spend.

Further reading

お役に立つドキュメント、リンクや記事:

Plan new architectures and track your cloud footprint with Cloudcraft (Standalone)BLOG Create rich, up-to-date visualizations of your AWS infrastructure with Cloudcraft in DatadogBLOG Visually identify and prioritize security risks using CloudcraftBLOG