Cloud App Analyzer Application Discovery

This topic explains Cloud App Analyzer’s Application Discovery feature. Application discovery helps you identify applications and their component microservices within your AWS and Azure environments. This makes it easier to understand how these applications and microservices connect and interact, including identifying potential security issues.

Cloud App Analyzer Application Discovery supports AWS EKS (Elastic Kubernetes Service) and Azure AKS (Azure Kubernetes Service). It provides detailed visualization of applications, including clusters, nodes, pods, deployed containers, and other Kubernetes resources.

A microservice, as defined in the context of Cloud App Analyzer, consists of an interconnected set of cloud resources that collectively perform a set of functions or services. These resources can include compute, networking, and database components among others. Microservices work together to form a larger application.

Cloud App Analyzer analyzes applications and represents them in a dependency graph that clearly visualizes connections between microservices. Microservices are shown as clouds with a dotted outline.

Clicking on a microservice in the Application map opens a dependency graph for the selected microservice. The Microservice map clearly visualizes connections and dependencies among resources. The root node is identified by the red flag .

This graph details the application’s structure and highlights elements with security issues, offering a view of the complex relationships within the cloud environment. By showing where vulnerabilities occur within the application, this visual tool helps prioritize security issues based on their placement and impact.

Also, from the Assets & Securities Issues section, when you discover that a resource is used by applications and select Show Graph, the node representing that resource will be highlighted in the displayed graph.

View Discovered Applications

To access the list of discovered applications:

Do the following:

Search applications and microservices

You can use the search fields on the Discovered Applications and Discovered Microservices lists to filter the list as per the following:

  • Region

  • Application name

  • Microservice name

  • Workload ID

  • Workload type

  • Resource tags

  • Resource type

  • Resource labels

  • Text search

View Workload Statistics

Use the workload statistics feature to see high-level counts of all discovered workloads across your applications. You can view these statistics directly within an application’s details or from the All Accounts view when working in a multi-account environment.

Supported workload types include the following resources:

AWS Workloads: Azure Workloads:

EKS cluster

EKS namespace

ECS cluster

ECS service

ECS task

ECS task definition

CloudFormation stack

EC2 instance

Lambda function

Container *

EKS cluster

EKS namespace

Service Fabric cluster

Service Fabric managed cluster

Virtual machine scale set

Virtual machine scale set instance

Virtual machine

Container app environment

Container app

Function app

Web app

Static app

Container instance

Container **

* Containers on AWS: Appear only for statistical purposes, reflecting the count of unique container images running within other workloads. For example, if 10 pods use the same container image, they count as one container. Images stored in ECR are excluded from this total.

** Containers on Azure: Follow the same logic as AWS. The count reflects only unique container images currently active. Images stored in ACR do not affect this total.

Viewing Workload Statistics

  1. From an Application or Microservices List Page

    Do the following:

    Below the page title, locate the Workloads link next to the total number of discovered workloads.

    From the Workload Statistics page, click Discovered Applications to return to the main Discovered Applications page.

    1. Click Workloads to open the Workload Statistics page, where you can see all discovered workloads.

    2. From the Workload Statistics page, click Discovered Applications to return to the main Discovered Applications page.

  1. From All Accounts View

    Do the following:

    In the All Accounts view, find the Workloads column in the accounts table to see the workload count for each account.

    A Total row at the bottom sums all applications and workloads across every account. Two numbers appear:

    • The first shows the total on the current page.

    • The second, in brackets, shows the grand total across all pages.

Assign Application Names via Resource Tags

For AWS / Azure

You can identify an application or microservice by applying a specific tag to one of its constituent resources. The special tag used for this purpose is:

algosec:app-discovery:app-name

By assigning the algosec:app-discovery:app-name tag to just one resource (for example, a VM Scale Set, subnet, or firewall), the specified app name can propagate to all parent or child resources. Even in complex environments with many microservices, this hierarchical “bubbling up” ensures consistency and simplifies application naming across your infrastructure.

If multiple algosec:app-discovery:app-name tags are present, the system alphabetically sorts these tag values and uses the top entry. This ensures that parent objects with inherited tags consistently and predictably select a single application name.

 

â See also: