AWS VPC Reachability Analyzer
AWS has added a new tool to their VPC ammunition- ‘VPC Reachability Analyzer’. VPC, as you know is a logically isolated private area of the AWS cloud where you can launch AWS resources. At times, when customers are deploying large workloads in AWS, it is also quite difficult and time consuming to troubleshoot network connectivity issues mainly due to misconfigurations. This is where VPC Reachability Analyzer can help.
VPC Reachability Analyzer analyzes the path between a source and destination by building a model of the network configuration, and then checking for reachability based on the configuration. It does not send packets or analyze the data plane.
You can find the VPC Reachability Analyzer in the left menu of VPC dashboard as shown in figure below:
Click on ‘Create and analyze path’ button to create the analyzer:
It supports following AWS resources which can be used as source or destination:
The following resource types are supported as intermediate components:
- Load balancers (except for Gateway Load Balancers)
- NAT gateways
- VPC peering connections
The following resource types can appear in reachable paths and in explanations when a path is not reachable:
- EC2 instances
- Internet gateways
- Load balancers (except for Gateway Load Balancers)
- NAT gateways
- Network ACLs
- Network interfaces
- Prefix lists
- Route tables
- Security groups
- Subnets
- Target groups
- Transit gateways
- Virtual private gateways
- VPC endpoints
- VPC gateway endpoints
- VPC peering connections
- VPCs
- VPN connections
Lets say, you need to analyze the path from Internet gateway to your EC2 instances on SSH post 22.
*port number for Destination port is optional. By default, Reachability Analyzer considers all ports.
Upon creating the Analyzer, it would start analyzing the traffic route from Internet Gateway to your instance. In this example there is no Inbound route defined for SSH to EC2 instance, hence Reachability test failed.
Select the AnalysisID nia-xxxxxx and expand the Explanations section, would give the reason for failure. In this example it says that the security group sg-xxxxx do not have specified route which means rules mismatch.
You can investigate the network connectivity issue and fix that easily.
Refer the following link to see different explanation codes — https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html
One important thing to note here, Reachability Analyzer doesn’t analyze on a continuous basis rather you would need to invoke the Analyzer, every time you need to analyze the connectivity:
In a similar way, you can create Reachability Analyzer for other routes as well. In an another example, I created an analyzer to analyze route from EC2 to Internet gateway.
Expanding the details of the Analysis ID you can see the route hop by hop, which is pretty cool. (I expect a similar route map for Failed status as well, I hope AWS will add to it.)
VPC Reachability Analyzer can be a life saver when troubleshooting highly complex network architectures with Peering connections, Transit gateways, VPC Endpoints etc.
I remember, I spent half a day troubleshooting a network issue in a deployment where AWS environment was connect with customer’s on promise network over Direct Connect and had more than 200 AWS resources, there was a misconfiguration of Virtual private gateway association in one of the route tables.
In this article, I showcased how you can use VPC Reachability Analyzer to test the network connectivity between source and destination in AWS. You can access it through APIs as well -https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html
Please refer below link to learn more on VPC Reachability Analyzer-
https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html
I hope you learned something from this article.
