Visualizer
The visualizer is the main canvas for Network Visualization. Open it from the StratoLens sidebar to render your Azure network for the latest scan, switch to a historical snapshot, filter the topology, and click any resource for its details.
On this page
Picking a snapshot
Each completed scan produces one snapshot, and the visualizer always renders one snapshot at a time. The Viewing dropdown at the top of the page controls which one is loaded. Choose Latest Snapshot to follow the most recent scan automatically, or pick a date from the calendar and then a specific scan time from that day.
Filtering the canvas
Two multi-select dropdowns control what appears on the canvas:
- Filter subscriptions
- Limits the canvas to one or more subscriptions. Default is all subscriptions visible.
- Filter types
- Lists every Azure resource type present in the current snapshot, without the
microsoft.network/prefix. Several types are hidden by default, see Defaults & behavior.
Subnets, NICs, and DNS zones are hidden on first load
To keep the canvas readable, several noisy types are excluded from the default view: subnets, network interfaces, private DNS zones, private DNS zone virtual network links, network watchers, public DNS zones, and traffic manager profiles. Open Filter types and select them explicitly when you need them.
Navigating the canvas
The canvas is a force-directed layout with fixed cluster positions. Use these gestures to move around:
- Click + drag empty space
- Pan the canvas.
- Scroll wheel
- Zoom (range 0.1x to 4x).
- Drag a node
- Reposition a single node.
- Ctrl + drag (Cmd on macOS)
- Move a whole VNet cluster. Stops at peering and VWAN boundaries, so you can rearrange one VNet without dragging its peers.
- Shift + drag
- Move every node connected to the dragged node, regardless of connection type. Use this to relocate an entire hub-and-spoke or VWAN region in one motion.
Cluster vs. all-connected drag
Ctrl + drag respects topology boundaries (peering, VWAN), so it's the right gesture when you want to tidy a single VNet without dislodging its neighbors. Shift + drag ignores those boundaries and is best when you want to move a whole region at once.
Reading the canvas
Node styling and connection lines encode the relationship between resources. The Legend overlay at the bottom-left of the canvas lists every line color and pattern in the current view, plus the keyboard shortcuts.
Node styling
- Hub resource
- Purple border and bold name. Applied automatically to any node with three or more connections, and to every Azure Virtual Hub.
- Selected resource
- Orange fill with a glow.
- Dedicated subnets
AzureFirewallSubnet,GatewaySubnet, andAzureBastionSubnetrender smaller than regular subnets and sit on the line between the VNet and its associated firewall, gateway, or bastion. Only visible when subnets are turned on in Filter types.
Connection lines
Each line color and pattern represents a relationship type. Names match what you'll see in the legend: Peering, VWAN Connection, Gateway / Public IP, Network Security Groups, Route Tables, VPN Connections, Azure Bastion, NAT Gateway (dashed), and Child Resource (dashed).
Application Gateways and Load Balancers
These resources are decomposed into their internal pieces, listeners, frontend IPs, backend pools, health probes, and backend NICs, and clustered together in a horizontal tier below the VNets. This makes routing and backend membership visible at a glance, but can look busy when many gateways are present. To collapse the visual noise, deselect those internal types in Filter types.
Resource detail panel
Click any node to open the detail panel on the right. Click the same node again, or click empty canvas, to deselect. The panel shows, top to bottom:
- View in Explorer button (or View Parent in Explorer for child resources like rule collection groups). Jumps to the resource in Resource Explorer with the current snapshot preserved.
- Open in Azure Portal button. Opens the resource's blade at
portal.azure.comin a new tab. - Resource Details card with Subscription, Resource Group, Name, Type, and Location.
- A resource-specific configuration card when StratoLens has a dedicated display for that type.
Defaults & behavior
Defaults
- Snapshot
- Latest scan. Opening the page without a
?scanId=parameter redirects to the latest. - Subscription filter
- All subscriptions visible.
- Hidden resource types
- Subnets, network interfaces, private DNS zones, private DNS zone virtual network links, network watchers, public DNS zones, traffic manager profiles.
- Initial framing
- A one-time zoom-to-fit animation runs when a snapshot first loads. After that, your manual zoom level is preserved across filter changes.
Behavior to know about
- Hub detection is automatic. Any resource with three or more connections, and every Azure Virtual Hub, gets the hub style.
- The detail panel and Trace Route are mutually exclusive. Opening Trace Route closes the detail panel, and selecting a node closes the trace panel.
- Dedicated subnet placement (firewall, gateway, bastion subnets sitting between their VNet and resource) only takes effect when subnets are visible in the filter.
- Large topologies may take a few seconds to render on first load.
Prerequisites
What you need before opening the visualizer
- Read access to network topology data. The same read access used elsewhere in StratoLens is sufficient.
- At least one completed scan. On a brand-new install with no scans, the canvas shows a "No Scans Available" empty state. Run a scan from the Scanner page first.
Troubleshooting
No network resources found
Answer
The selected snapshot has no Microsoft.Network/* resources, or your filters have hidden everything in view. The most common cause is a strict Filter subscriptions selection that excludes the subscriptions where your network resources live. Reset the subscription filter or pick a different snapshot.
Error loading network topology
Answer
The topology request failed. The page shows the underlying error message. Reload the page or try a different snapshot. If it persists, check that the scan completed without errors in Scan History.
My Application Gateway or Load Balancer looks really busy
Answer
By design. Each one is decomposed into listeners, backend pools, frontend IPs, health probes, and backend NICs, so routing and membership are visible at a glance. To collapse it, deselect those internal types in Filter types.