AWS VPC Reachability Analyzer: Network Visibility & Troubleshooting
VPC Reachability Analyzer in architectures to provide visibility
AWS VPC Reachability Analyzer: Network Visibility & Troubleshooting
This guide covers the VPC Reachability Analyzer, a critical tool for AWS Network Engineers to perform deterministic reachability analysis, troubleshoot connectivity issues, and automate network validation within the AWS environment.
Learning Objectives
After studying this guide, you should be able to:
- Explain the difference between logical modeling and active data plane probing.
- Configure a reachability analysis between different AWS resource types.
- Interpret reachability results to identify specific blocking components (SGs, NACLs, Routes).
- Integrate Reachability Analyzer into automated deployment pipelines for connectivity intent validation.
Key Terms & Glossary
- Logical Model: A representation of network configuration (code-based) used to calculate paths without sending actual packets.
- Hop-by-Hop Analysis: A granular view of every network component (e.g., Peering connections, NAT Gateways) a packet encounters.
- Connectivity Intent: The desired state of network access that is validated against the actual configuration.
- Forwarding Plane: The part of the network that moves actual data packets; Reachability Analyzer avoids this to prevent interference.
The "Big Idea"
[!IMPORTANT] The VPC Reachability Analyzer shifts network troubleshooting from reactive "trial and error" (using ping/traceroute) to proactive verification. By analyzing the configuration code rather than live traffic, it provides a 100% accurate reflection of how the AWS infrastructure is programmed to behave, allowing you to find "needle in a haystack" misconfigurations in seconds.
Formula / Concept Box
| Input Parameter | Requirement | Description |
|---|---|---|
| Source | Required | The starting resource (ENI, Instance, VPC Endpoint, etc.). |
| Destination | Required | The target resource or IP address. |
| Protocol | Required | TCP or UDP (determines which rules are evaluated). |
| Destination Port | Optional | Specific port to test; defaults to all if omitted. |
Hierarchical Outline
- I. Core Mechanism
- Configuration Analysis: Uses mathematical modeling of VPC components.
- Non-Intrusive: No actual traffic is generated; does not impact bandwidth or costs per GB.
- II. Connectivity Analysis Process
- Path Discovery: Identifies all possible paths between source and destination.
- Rule Evaluation: Checks Security Groups, Network ACLs, and Route Tables at every hop.
- Status Indicators: Returns
ReachableorUnreachablewith specific "blocking" reasons.
- III. Integration & Automation
- CloudWatch Integration: Metrics for successful/failed traces.
- Event-Driven: Triggering traces after a CloudFormation or Terraform deployment.
Visual Anchors
Analysis Workflow
Network Path Logic
Definition-Example Pairs
-
Term: Blocking Component
-
Definition: The specific AWS resource or rule preventing traffic flow.
-
Example: You try to reach a web server on port 443, but the analyzer identifies that the Inbound Rule of the web server's Security Group only allows port 80.
-
Term: Automated Validation
-
Definition: Using scripts or CI/CD to ensure network changes haven't broken existing paths.
-
Example: A Jenkins pipeline runs a Reachability Analyzer test after a Terraform apply to ensure the DB subnet can still talk to the App subnet.
Worked Examples
Troubleshooting a "Timed Out" Connection
Scenario: An EC2 instance in Subnet A cannot connect to an EC2 instance in Subnet B via SSH (Port 22).
- Configure Test: Set Source =
Instance-A, Destination =Instance-B, Protocol =TCP, Port =22. - Run Analysis: The tool completes in under 1 minute.
- Identify Output: The analyzer returns
Unreachable. - Analyze Results: It highlights Network ACL #123 in Subnet B. The "Deny" rule #50 is processed before the "Allow" rule #100.
- Fix: Reorder the NACL rules so the Allow rule has a lower number than the Deny rule.
Checkpoint Questions
- Does VPC Reachability Analyzer send actual ICMP packets to test the path?
- What are the three main components the analyzer checks to determine if a path is blocked?
- Can the Reachability Analyzer identify latency or packet loss issues?
▶Click to see answers
- No. It uses a logical model of the configuration.
- Security Groups, Network ACLs, and Route Tables.
- No. Since it does not send real traffic, it cannot measure real-time metrics like latency; it only checks for configuration-based connectivity.
Muddy Points & Cross-Refs
- Confusion: People often confuse Reachability Analyzer with VPC Flow Logs.
- Correction: Flow Logs tell you what did happen (reactive); Reachability Analyzer tells you what can happen (predictive/proactive).
- Hybrid Connectivity: Reachability Analyzer works within the AWS environment. For on-premises to AWS, you should look into Transit Gateway Network Manager or Route Analyzer (for Direct Connect/VPN).
Comparison Tables
| Feature | Reachability Analyzer | VPC Flow Logs | Traffic Mirroring |
|---|---|---|---|
| Mechanism | Logical Model (Code) | Log records of metadata | Packet duplication |
| Traffic Required? | No | Yes | Yes |
| Primary Use | Configuration Debugging | Auditing/Usage analysis | Deep Packet Inspection |
| Cost Model | Per analysis run | Per GB of logs | Per hour/mirror session |
| Visual Output | Hop-by-hop topology | Text-based logs | Raw PCAP files |