Mastering Network Verification: AWS Reachability Analyzer & Connectivity Validation
Verifying that a network configuration meets network design requirements (for example, Reachability Analyzer)
Verifying that a network configuration meets specific design requirements is a critical skill for the AWS Advanced Networking Specialty. This guide focuses on using the VPC Reachability Analyzer, Transit Gateway Network Manager, and related tools to ensure connectivity intent is maintained through automation and logical validation.
Learning Objectives
- Define Connectivity Intent: Understand how to verify that network paths match the intended design using logical modeling.
- Operate Reachability Analyzer: Configure source and destination endpoints to perform hop-by-hop path analysis.
- Differentiate Monitoring Tools: Choose between VPC Flow Logs, Traffic Mirroring, and Reachability Analyzer based on the troubleshooting scenario.
- Automate Verification: Implement continuous validation of network changes using CLI/SDK integrations.
- Map Topologies: Utilize Transit Gateway Network Manager to visualize and monitor global hybrid network health.
Key Terms & Glossary
- Connectivity Intent: The desired state of the network (e.g., "Production VPC A must reach Database Subnet in VPC B via Transit Gateway").
- Formal Reasoning: The underlying technology of Reachability Analyzer that checks configuration logic without sending actual data packets.
- Hop-by-Hop Analysis: A detailed report of every network component (Gateways, SGs, NACLs) a packet would encounter along a path.
- Network Path: The sequence of AWS resources (ENIs, Route Tables, NAT Gateways) that traffic traverses between a source and destination.
- Traces: The specific test execution within Reachability Analyzer defined by a source, destination, protocol, and port.
The "Big Idea"
Network verification in AWS has evolved from manual "pings" to formalized validation. Instead of waiting for a packet to fail in flight, tools like the Reachability Analyzer use a mathematical model of your network configuration to prove whether a path is open or closed. This allows for "pre-flight" checks where you can verify that a complex security group or route table change won't break connectivity before the first real user packet is even sent.
Formula / Concept Box
| Concept | Mechanism | Primary Use Case |
|---|---|---|
| Reachability Analyzer | Logical Model (Formal Reasoning) | Troubleshooting "Why can't A talk to B?" |
| VPC Flow Logs | Data Plane Metadata (IP/Port/Bytes) | Auditing traffic patterns and blocked requests. |
| Traffic Mirroring | Packet Capture (Layer 7 analysis) | Deep packet inspection for security or shaping. |
| Network Manager | Topology Visualization | Mapping global hybrid network connections. |
Hierarchical Outline
- VPC Reachability Analyzer
  - Core Logic: Uses automated reasoning; no data is sent over the forwarding plane.
  - Supported Endpoints: EC2 instances, IGWs, VPC Endpoints, VPN/Direct Connect Gateways, Transit Gateways.
  - Troubleshooting Output: Identifies specific blocking components (e.g., "Missing route in RTB-123" or "NACL Deny Rule 100").
- Transit Gateway Network Manager
  - Global Visibility: Single dashboard for multi-region/multi-account Transit Gateways.
  - Hybrid Integration: Connects with on-premises SD-WAN (Cisco, Aruba, etc.).
  - Monitoring: Visualizes packet drops and route changes across the WAN.
- Connectivity Automation
  - CI/CD Integration: Triggering Reachability Analyzer via API after CloudFormation deployments.
  - Compliance: Ensuring security group "tightness" by verifying only specific ports are reachable.
Visual Anchors
[Figure: Reachability Analyzer Logical Flow]
[Figure: Path Analysis in a Hybrid Network]
Definition-Example Pairs
- VPC Reachability Analyzer
  - Definition: A tool that performs a static analysis of VPC configurations to determine reachability.
  - Example: Using the analyzer to find out why a private EC2 instance cannot reach an S3 Interface Endpoint across a peered VPC connection.
- Transit Gateway Network Manager
  - Definition: A centralized tool to manage and monitor global networks built around AWS Transit Gateways.
  - Example: Visualizing a global network where a New York office connects to a Tokyo VPC via a Site-to-Site VPN and Transit Gateway.
- Connectivity Intent Validation
  - Definition: The process of programmatically ensuring that a change to the network doesn't violate business rules.
  - Example: A Lambda function that runs a Reachability Analyzer test every time a Security Group is updated to ensure SSH (Port 22) is still blocked from the public internet.
Worked Examples
Scenario: The Mystery of the Blocked Web Server
The Problem: An EC2 instance in a private subnet (VPC A) cannot reach an Application Load Balancer (ALB) in VPC B, even though VPC Peering is active.
- Configure the Test:
  - Source: eni-0123456789 (the EC2 instance).
  - Destination: alb-987654321 (the ALB).
  - Protocol/Port: TCP / 80.
- Run Reachability Analyzer:
  - The analyzer starts at the source ENI.
  - It checks the outbound Security Group: Pass.
  - It checks the private subnet Route Table: Fail.
- Analyze the Output:
  - The tool identifies that the Route Table for the private subnet lacks a route for VPC B's CIDR pointing to the Peering Connection ID (pcx-abc123).
- Resolution:
  - Add the missing route to the Route Table. Rerun the test to confirm a "Reachable" status.
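Connectivity-intent validation as an added Python example (not AWS code and not from this guide): `evaluate` compares a Reachability Analyzer result with a declared intent and names the blocking component, serving both the "Connectivity Automation" bullets and this scenario, while `run_live` drives the real EC2 API calls through a boto3 client passed in by the caller. The `Intent` class, the resource ids, and the explanation code used in any sample result are assumptions; the boto3 operation and response field names are the real ones.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Intent:  # one connectivity requirement taken from the network design (assumed helper)
    name: str
    source: str            # e.g. an ENI id
    destination: str       # e.g. an ENI id or load balancer ARN
    port: int
    expect_reachable: bool  # False for "must be blocked" rules such as SSH from the internet
    protocol: str = "tcp"


def blocking_components(analysis: dict) -> list:
    """Name each component the analyzer blamed (route table, security group, ACL, ...)."""
    out = []
    for expl in analysis.get("Explanations", []):
        comp = next((expl[k] for k in ("RouteTable", "SecurityGroup", "Acl", "Component") if k in expl), {})
        out.append(expl.get("ExplanationCode", "UNKNOWN") + (f" ({comp['Id']})" if comp.get("Id") else ""))
    return out


def evaluate(intent: Intent, analysis: dict) -> tuple:
    """Compare one analysis result with the intent; returns (passed, detail)."""
    if analysis.get("Status") != "succeeded":  # 'failed' or still 'running': never treat as a pass
        return False, f"{intent.name}: analysis status {analysis.get('Status')}"
    reachable = bool(analysis.get("NetworkPathFound"))
    if reachable == intent.expect_reachable:
        return True, f"{intent.name}: OK"
    if reachable:  # a path exists where the design says there must be none
        return False, f"{intent.name}: VIOLATION, unexpected path found"
    return False, f"{intent.name}: blocked by " + "; ".join(blocking_components(analysis))


def run_live(ec2, intent: Intent, timeout: int = 300) -> dict:
    """Create the path, start an analysis and poll it to completion (ec2 = boto3 EC2 client)."""
    path = ec2.create_network_insights_path(
        Source=intent.source, Destination=intent.destination,
        Protocol=intent.protocol, DestinationPort=intent.port)
    path_id = path["NetworkInsightsPath"]["NetworkInsightsPathId"]
    aid = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)[
        "NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        result = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[aid])["NetworkInsightsAnalyses"][0]
        if result["Status"] != "running":
            return result
        time.sleep(5)
    raise TimeoutError(f"analysis {aid} still running after {timeout}s")
```

In a pipeline, `evaluate(intent, run_live(boto3.client("ec2"), intent))` after each deployment fails the build whenever a "must reach" path is blocked or a "must be blocked" path opens up.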
Checkpoint Questions
- Does Reachability Analyzer send actual ICMP or TCP packets across the wire to test connectivity? (No, it uses logical modeling/formal reasoning).
- Which tool would you use to see a visual map of your global network and monitor packet drops on a VPN? (Transit Gateway Network Manager).
- True or False: Reachability Analyzer can identify a specific Network ACL rule number that is blocking traffic. (True).
- Can Reachability Analyzer test connectivity to a Gateway Load Balancer? (No, Gateway Load Balancers are currently an exception in the intermediate device list).
Muddy Points & Cross-Refs
- Reachability Analyzer vs. Route Analyzer: Reachability Analyzer (VPC tool) checks the logic of the path (SGs, NACLs, Routes). Route Analyzer (Transit Gateway tool) specifically checks the Transit Gateway Route Tables for reachability but is less focused on the end-to-end host security components.
- Logical vs. Data Plane: If Reachability Analyzer says "Reachable" but your application still fails, the issue is likely at Layer 7 (Application/OS level, like a local Linux firewall or a service not listening) which the analyzer cannot see.
Comparison Tables
Network Analysis Tool Comparison
| Feature | Reachability Analyzer | VPC Flow Logs | VPC Traffic Mirroring |
|---|---|---|---|
| Data Type | Configuration Metadata | Traffic Metadata (5-tuple) | Full Packet Payload |
| Cost Model | Per Analysis | Per GB processed/stored | Per ENI per hour |
| Analytic Method | Logical/Static | Historical/Post-event | Real-time/Deep Inspection |
| Can find the "Why"? | Yes (Points to specific rule) | Partially (Shows REJECT) | No (Requires manual analysis) |
| Automation Support | High (API/CLI) | Medium (CloudWatch Logs) | Low (Needs sniffing tools) |