
Study Guide: Analyzing AWS Routing Patterns and Connectivity

Tools to analyze routing patterns and issues (for example, Reachability Analyzer, Transit Gateway Network Manager)

Analyzing AWS Routing Patterns and Connectivity

This study guide covers the essential tools and methodologies for analyzing routing patterns, mapping network topology, and troubleshooting connectivity issues within complex AWS environments, specifically focusing on VPC Reachability Analyzer and AWS Transit Gateway Network Manager.


Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between static path analysis and flow-based monitoring.
  • Use VPC Reachability Analyzer to troubleshoot Security Group, NACL, and Route Table misconfigurations.
  • Map global network topologies and monitor cross-region health using Transit Gateway Network Manager.
  • Analyze VPC Flow Logs to identify routing patterns and traffic volume issues.
  • Select the appropriate tool for packet-level deep dives (Traffic Mirroring) versus configuration validation.

Key Terms & Glossary

  • Hop-by-hop Analysis: A detailed breakdown of every networking component (IGW, NAT GW, Peering, etc.) a packet traverses from source to destination.
  • Logical Model: An abstract representation of network configuration used by Reachability Analyzer to calculate paths without sending actual traffic.
  • Anycast Routing: A routing methodology used by Global Accelerator to direct traffic to the nearest healthy endpoint.
  • SD-WAN (Software-Defined Wide Area Network): Technology that simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism.

The "Big Idea"

In modern cloud architecture, networking is no longer a static set of wires but a dynamic, software-defined fabric. The "Big Idea" here is Automated Observability. Instead of manually checking every route table in a 100-VPC environment, AWS provides tools that use automated reasoning (Reachability Analyzer) and centralized dashboards (Network Manager) to provide a single source of truth for network health and connectivity intent.


Formula / Concept Box

| Concept | Data Source | Primary Use Case |
| --- | --- | --- |
| Static Analysis | Configuration metadata | Verifying "Can A talk to B?" before deploying. |
| Dynamic Analysis | Real traffic (Flow Logs) | Analyzing "Why is traffic slow?" or "Is there a spike?" |
| Packet Analysis | Mirrored ENI traffic | Investigating packet drops, protocol errors, or malformed headers. |

Hierarchical Outline

  • I. VPC Reachability Analyzer
    • A. Functional Mechanism: Uses logical models (no data plane traffic).
    • B. Scope: Source/Destination pairs, ports, and protocols.
    • C. Troubleshooting Targets: Security Groups, NACLs, Route Tables, Gateways.
  • II. Transit Gateway Network Manager
    • A. Global Observability: Centralized view of multiple TGWs and Regions.
    • B. Hybrid Connectivity: Integrates with on-premises SD-WAN devices.
    • C. Metrics: Monitoring packet drops, bytes sent/received, and topology changes.
  • III. Supporting Analysis Tools
    • A. VPC Flow Logs: Captures IP traffic metadata (5-tuple).
    • B. VPC Traffic Mirroring: Deep packet inspection for security/shaping.
    • C. CloudWatch Logs: Aggregating and querying tool outputs.

Visual Anchors

Reachability Analyzer Logic (diagram not available in this rendering)

Global Network Manager Concept (diagram not available in this rendering)

Definition-Example Pairs

  • Reachability Analyzer: A configuration testing tool that performs a static analysis of the network path.
    • Example: Checking why an EC2 instance cannot SSH into another instance in a peered VPC; the analysis shows that the NACL allows the inbound SSH traffic but blocks the outbound ephemeral port range needed for the return traffic.
  • Topology Mapping: The process of visualizing the physical or logical connections between network components.
    • Example: Using Transit Gateway Network Manager to generate a diagram showing how 50 VPCs across 3 regions connect to a central hub and an on-premises data center.

Worked Examples

Example 1: Troubleshooting a Connectivity Timeout

Scenario: A web server in Subnet A cannot reach a database in Subnet B.

  1. Step 1: Initiate a Reachability Analyzer path from Web Server ENI to Database ENI on port 3306.
  2. Step 2: Analyze results. The tool indicates "Unreachable" and highlights the Security Group of the Database.
  3. Step 3: Inspect the SG. You find it only allows port 3306 from the 10.0.1.0/24 range, but the Web Server is in 10.0.2.0/24.
  4. Solution: Update the SG rule to include the Web Server's CIDR or Security Group ID.
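To make the "logical model" idea concrete, here is an added example (not AWS code and not the study guide's own material) that evaluates a path the way Worked Example 1 and the SSH/ephemeral-port case above describe it: security groups as stateful allow-lists, NACLs as stateless ordered rules with an implicit deny, and the first blocking component reported as the explanation. The addresses, rule sets and security-group ids are constructed, and the model is a deliberate simplification of the service (it checks one representative return port rather than the whole ephemeral range and ignores route tables and gateways). No traffic is sent.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The real analyzer reasons about the whole ephemeral range for return traffic;
# this toy model checks one representative port instead (simplification).
RETURN_PORT = 49152

@dataclass
class SgRule:
    """Inbound security-group rule; SGs are stateful, so replies need no rule."""
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all
    from_port: int
    to_port: int
    source: str        # CIDR, or a security-group id such as "sg-web"

@dataclass
class NaclRule:
    """NACL entry: lowest number first, first match wins, implicit deny at the end."""
    number: int
    action: str        # "allow" or "deny"
    protocol: str
    from_port: int
    to_port: int
    cidr: str

@dataclass
class Endpoint:
    name: str
    ip: str
    sg_id: str
    sg_inbound: list      # SgRule entries on the endpoint's security group
    nacl_inbound: list    # NaclRule entries on the endpoint's subnet
    nacl_outbound: list

def _matches(rule_proto, lo, hi, proto, port):
    return (rule_proto == "-1" or rule_proto == proto) and lo <= port <= hi

def sg_verdict(rules, proto, port, src_ip, src_sg):
    """Allow-list: any rule whose protocol, port and source fit permits the flow."""
    for r in rules:
        src_ok = (r.source == src_sg if r.source.startswith("sg-")
                  else ip_address(src_ip) in ip_network(r.source))
        if src_ok and _matches(r.protocol, r.from_port, r.to_port, proto, port):
            return True, f"allowed by {r.protocol} {r.from_port}-{r.to_port} from {r.source}"
    return False, "no inbound rule matches the source"

def nacl_verdict(rules, proto, port, remote_ip):
    """Stateless, ordered evaluation; no match falls through to the '*' deny."""
    for r in sorted(rules, key=lambda x: x.number):
        if (_matches(r.protocol, r.from_port, r.to_port, proto, port)
                and ip_address(remote_ip) in ip_network(r.cidr)):
            return r.action == "allow", f"rule {r.number} ({r.action})"
    return False, "implicit '*' deny"

def analyze_path(src, dst, proto, port):
    """Walk the logical hops in order and stop at the first one that blocks."""
    hops = [
        (f"NACL outbound on {src.name} subnet",
         nacl_verdict(src.nacl_outbound, proto, port, dst.ip)),
        (f"NACL inbound on {dst.name} subnet",
         nacl_verdict(dst.nacl_inbound, proto, port, src.ip)),
        (f"security group {dst.sg_id} inbound",
         sg_verdict(dst.sg_inbound, proto, port, src.ip, src.sg_id)),
        # NACLs are stateless: the reply on an ephemeral port needs its own rules.
        (f"NACL outbound on {dst.name} subnet (return traffic)",
         nacl_verdict(dst.nacl_outbound, proto, RETURN_PORT, src.ip)),
        (f"NACL inbound on {src.name} subnet (return traffic)",
         nacl_verdict(src.nacl_inbound, proto, RETURN_PORT, dst.ip)),
    ]
    for component, (allowed, detail) in hops:
        if not allowed:
            return {"status": "Unreachable", "blocked_by": component, "detail": detail}
    return {"status": "Reachable", "blocked_by": None, "detail": "all components permit"}

OPEN_NACL = [NaclRule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")]  # constructed

def worked_example_one():
    """Worked Example 1, constructed addresses: SG admits 3306 only from 10.0.1.0/24."""
    web = Endpoint("web-server", "10.0.2.10", "sg-web", [], OPEN_NACL, OPEN_NACL)
    db = Endpoint("database", "10.0.1.20", "sg-db",
                  [SgRule("tcp", 3306, 3306, "10.0.1.0/24")], OPEN_NACL, OPEN_NACL)
    before = analyze_path(web, db, "tcp", 3306)
    db.sg_inbound.append(SgRule("tcp", 3306, 3306, "sg-web"))  # the guide's fix
    after = analyze_path(web, db, "tcp", 3306)
    return before, after

def ephemeral_block_example():
    """Definition-Example case: NACL admits SSH inbound but not the ephemeral reply."""
    bastion = Endpoint("bastion", "10.0.2.10", "sg-bastion", [], OPEN_NACL, OPEN_NACL)
    target = Endpoint("target", "10.1.0.5", "sg-target",
                      [SgRule("tcp", 22, 22, "10.0.2.0/24")],
                      [NaclRule(100, "allow", "tcp", 22, 22, "10.0.2.0/24")],
                      [NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])
    return analyze_path(bastion, target, "tcp", 22)
```

Running `worked_example_one()` returns "Unreachable" blocked by `security group sg-db inbound` before the fix and "Reachable" after the web tier's security group is referenced, mirroring Steps 2 through 4. `ephemeral_block_example()` is blocked at the database-side NACL outbound check for return traffic, which is exactly the mistake the Definition-Example pair describes and the reason the model evaluates reply direction for NACLs but not for security groups.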

Example 2: Monitoring Global Packet Loss

Scenario: Users in Europe report intermittent connectivity to a central app in the US.

  1. Step 1: Open Transit Gateway Network Manager.
  2. Step 2: View the Events tab to see if any TGW Peering attachments have flapped.
  3. Step 3: View the Metrics tab for "Packet Drop Count" on the Europe-US peering link.
  4. Step 4: Correlate drops with a specific time window to determine if it's a provider issue or a capacity limit (TGW Quotas).

Checkpoint Questions

  1. Does VPC Reachability Analyzer send actual packets over the wire during its test? Why or why not?
  2. Which tool would you use to find the specific packet header causing an MTU (size) mismatch issue?
  3. What is the primary benefit of integrating SD-WAN devices with Transit Gateway Network Manager?
  4. How do VPC Flow Logs assist in identifying routing issues if they don't show the physical path?

Muddy Points & Cross-Refs

  • Static vs. Dynamic: A common point of confusion is why Reachability Analyzer says "Reachable" but traffic still fails.
    • Answer: It evaluates only the AWS network configuration as a logical model. It cannot see OS-level firewalls (such as iptables or Windows Firewall) or application-level issues.
  • Flow Logs vs. Traffic Mirroring:
    • Flow Logs: Good for patterns (Who is talking to whom?).
    • Traffic Mirroring: Good for content (What is inside the packet?).
  • Cross-Refs: See Chapter 5: Transit Gateways for deep dives on TGW peering and Unit 4: Security for more on NACL vs. SG logic.
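The "patterns" role of Flow Logs is easier to see on real records, so here is an added example (not from the study guide or from AWS) that parses default-format version 2 VPC Flow Log records and pulls out the two things a routing investigation needs first: who is talking to whom by volume, and which source/destination/port combinations are being REJECTed over and over. The log lines are constructed for the example; the field order is the standard default format, and the account id, ENI id and addresses are placeholders.

```python
from collections import Counter

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records, not real capture data: a web server (10.0.2.10)
# repeatedly REJECTed toward a database on 3306, one ACCEPTed database flow,
# one inbound HTTPS flow, and a NODATA record that carries no 5-tuple.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.20 49212 3306 6 12 2400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.20 49213 3306 6 8 1600 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.21 49214 3306 6 200 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 51000 443 6 40 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.20 49215 3306 6 5 1000 1700000120 1700000180 REJECT OK
"""


def parse_record(line):
    """One space-separated record -> dict, or None for records without a 5-tuple."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":        # NODATA / SKIPDATA: the fields are '-'
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
    return rec


def parse_flow_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def top_talkers(records, n=3):
    """Bytes per (src, dst) pair, largest first: the 'who talks to whom' view."""
    volume = Counter()
    for r in records:
        volume[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return volume.most_common(n)


def repeated_rejects(records, min_count=2):
    """(src, dst, proto, dstport) keys REJECTed at least min_count times.
    A persistent reject on one port usually means an SG, NACL or route mismatch:
    the flow log names the pair, Reachability Analyzer names the component."""
    rejects = Counter()
    for r in records:
        if r["action"] == "REJECT":
            rejects[(r["srcaddr"], r["dstaddr"], r["protocol"], r["dstport"])] += 1
    return [(key, n) for key, n in rejects.most_common() if n >= min_count]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs))
    print("repeated rejects:", repeated_rejects(recs))
```

On the sample, `repeated_rejects` surfaces `10.0.2.10 -> 10.0.1.20 tcp/3306` three times, which is the pair and port you would then hand to Reachability Analyzer to learn which component is dropping it; the flow log alone cannot tell you whether it was the security group, the NACL or a missing route, and it says nothing about packet contents, which is where Traffic Mirroring takes over.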

Comparison Tables

| Feature | Reachability Analyzer | TGW Network Manager | VPC Flow Logs |
| --- | --- | --- | --- |
| Primary Goal | Path validation | Global observability | Traffic audit |
| Method | Static model analysis | Metric aggregation | Log collection |
| Unit of Analysis | Path (Src -> Dest) | Global network / topology | Flow record (5-tuple) |
| Latency Info | No | Yes (via CloudWatch) | No |
| Best For | Fixing misconfigurations | Monitoring health | Analyzing patterns |
