Mapping and Understanding Network Topology in AWS

Effective network management in AWS requires more than just configuration; it requires high-fidelity visibility. This guide covers the tools and strategies used to visualize, monitor, and troubleshoot complex network topologies, focusing on AWS Transit Gateway Network Manager, VPC Traffic Mirroring, and Reachability Analyzer.

Learning Objectives

After studying this guide, you should be able to:

• Identify the primary use cases for AWS Transit Gateway Network Manager.
• Differentiate between logical and physical network topology mapping.
• Explain how to perform deep packet analysis using VPC Traffic Mirroring and Wireshark.
• Utilize Reachability Analyzer to verify connectivity intent and troubleshoot misconfigurations.
• Monitor key performance metrics like latency, jitter, and packet loss.

Key Terms & Glossary

• Transit Gateway (TGW): A network hub used to interconnect VPCs and on-premises networks.
• Network Topology: The physical or logical arrangement of nodes and connections in a network.
• Promiscuous Mode: A mode for a network interface controller (NIC) that causes it to pass all traffic it receives to the CPU, rather than just the frames addressed to it.
• Jitter: The variation in time delay between when a packet is transmitted and when it is received.
• Throughput: The actual amount of data successfully transmitted over a network in a given time period.

The "Big Idea"

In the cloud, network infrastructure is often abstract. Observability is the bridge between the configuration you think you have and the reality of how traffic flows. By mapping your topology, you transform a "black box" environment into a documented, measurable system where bottlenecks and security gaps become visible and actionable.

Formula / Concept Box

Hierarchical Outline

1. Network Topology Visualization
   • Transit Gateway Network Manager: Centralized global view.
     • Health Monitoring: Tracks status of TGWs and attachments.
     • Traffic Analytics: Visualizes flow patterns across regions.
2. Connectivity Testing & Verification
   • Reachability Analyzer: Path analysis tool.
     • VPC Insights: Identifies security group/NACL blocking.
3. Deep Packet Inspection (DPI)
   • VPC Traffic Mirroring: Captures raw L2/L3 packets.
   • Analysis Tools: Using Wireshark for troubleshooting "obscure" issues.
4. Performance Optimization
   • Identifying bottlenecks and misconfigurations.
   • Using AWS Global Accelerator to bypass the public internet.

Visual Anchors

Troubleshooting Logic Flow

Hybrid Connectivity Architecture

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, thick, rounded corners, align=center, fill=blue!10}] \node (VPC1) {VPC A$Virginia)}; \node (VPC2) [right of=VPC1, xshift=2cm] {VPC B$Ireland)}; \node (TGW) [below of=VPC1, xshift=2cm, fill=orange!20] {\textbf{Transit Gateway}$Hub)}; \node (OnPrem) [below of=TGW, fill=gray!20] {On-Premises$Data Center)};

\end{tikzpicture}

Definition-Example Pairs

• Logical Topology: The mapping of how data flows regardless of physical placement.
  • Example: A diagram showing a Transit Gateway connected to three VPCs via attachments, even if they are in different Availability Zones.
• Physical Topology: The actual hardware and cabling layout of a network.
  • Example: In AWS, this is largely abstracted, but it would represent the underlying Global Infrastructure (Regions, AZs, and Edge Locations).
• VPC Traffic Mirroring: An feature that lets you copy network traffic from an ENI.
  • Example: Mirroring traffic from a suspicious EC2 instance to a security appliance for malware analysis.

Worked Examples

Problem: Inter-VPC Latency Investigation

Scenario: A database in VPC A is responding slowly to an application in VPC B. Both are connected via Transit Gateway.

Step 1: Check TGW Network Manager

• Open the console to view the Global Network.
• Check the Events tab to see if any TGW attachments have recently toggled state or reported performance degradation.

Step 2: Use Reachability Analyzer

• Create a path analysis from the App Instance ENI (Source) to the DB Instance ENI (Destination).
• Result: "Reachable." This rules out Security Groups or Route Table misconfigurations.

Step 3: Packet Analysis

• Enable VPC Traffic Mirroring on the App Instance.
• Route traffic to a monitoring instance running Wireshark.
• Analyze the TCP Round Trip Time (RTT). You find that $ACK$ packets are delayed by 200ms, indicating a possible congestion point at the TGW or a regional link issue.

Checkpoint Questions

1. Which tool provides a "Centralized View" of your global network across multiple accounts and regions?
2. What is the required mode for a destination interface when performing packet capture using VPC Traffic Mirroring?
3. When should you choose VPC Peering over Transit Gateway?
4. What three primary metrics does Transit Gateway Network Manager provide to track health?

▶Click to see answers

1. AWS Transit Gateway Network Manager.
2. Promiscuous Mode.
3. Use VPC Peering for simple, low-latency connections between two VPCs in the same region. Use Transit Gateway for hub-and-spoke models involving multiple VPCs, regions, or accounts.
4. Packet loss, latency, and bandwidth utilization.

Muddy Points & Cross-Refs

[!WARNING] Common Confusion: Students often confuse Reachability Analyzer with Network Insights.

• Reachability Analyzer tests a specific path between a source and destination to see if configuration allows it.
• Network Insights (via Network Manager) provides a broader analysis of flow data to optimize patterns.

Deep Dive Resources:

• Check the AWS Whitepaper on Hybrid Connectivity for more on DX (Direct Connect) integration.
• Refer to RFC 793 for details on the TCP protocol if you are performing packet analysis in Wireshark.

Comparison Tables