VPC Reachability Analyzer – Logging and Monitoring – ANS-C01 Study Guide

VPC Reachability Analyzer

The VPC Reachability Analyzer is used to validate your network connectivity, troubleshoot, identify network configuration issues, and automate validations for connectivity after configuration changes or new deployments. The VPC Reachability Analyzer checks the network path taken by a packet from the source to destination. The tool creates a logical model of the configuration and then checks for connectivity. It is important to note that it does not actually send data over the forwarding plane; the reachability is analyzed in code only.

The VPC Reachability Analyzer traces the network connectivity from the source to the destination and is very useful for reachability analysis, configuration validation, and troubleshooting. The service is used inside your VPC to perform connectivity testing and integrates with many AWS services and endpoints to give you a complete picture of the network path and its components. The VPC Reachability Analyzer provides a hop-by-hop analysis of the path a packet traverses given the source, destination, destination port, and protocol information you define when you set up a trace test. If the test fails, the analyzer identifies where the data is being blocked to assist in troubleshooting. For example, a path can be blocked by a network configuration error, a misconfigured security group, a network ACL deny rule, or a missing route in a route table.

The Reachability Analyzer supports the following source and destination endpoints: EC2 instances, Internet gateways, network interfaces, Transit Gateways, Transit Gateway attachments, VPC endpoints, VPC peering connections, and VPN gateways. These endpoints must be in the same account and in the same region. They must also be in the same VPC, or in VPCs connected by a VPC peering connection or a Transit Gateway. Intermediate devices include network and application load balancers (but not gateway load balancers), NAT gateways, Transit Gateways, Transit Gateway attachments, and VPC peering connections. Reporting on successes and failures can list a large number of AWS components, including the following: VPCs, EC2 instances, Internet gateways, load balancers (excluding gateway load balancers), NAT gateways, network ACLs, network interfaces, prefix lists, route tables, security groups, subnets, ELB target groups, Transit Gateways, Transit Gateway attachments, Transit Gateway route tables, virtual private gateways, VPC endpoints, and VPC gateway endpoints.

The analyzer can be accessed via the web console, the CLI, the APIs, and the SDKs, and its paths can also be defined in CloudFormation. In the web console, open the VPC service and select Reachability Analyzer under Network Analysis in the left panel.

Granular scenarios can be configured; for example, a path is created with the VPC's Internet gateway as the source and an EC2 instance as the destination on TCP port 80. With this test, you can verify that the web server is reachable from the Internet, as shown in Figure 5.7. Figure 5.8 shows the configuration and results of a trace test.

FIGURE 5.7 Network Reachability Analyzer configuration screen

If the test fails because the remote endpoint is not reachable with your trace parameters, the output lists the component or service causing the blockage, directing you to where to begin your troubleshooting.
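The Internet gateway to EC2 instance test on TCP port 80 described above, and the reading of a failed trace's blocking components, can be driven from the SDK instead of the console. The following is an added example written for this guide, not code from the study guide or from AWS. It assumes a boto3 EC2 client with credentials for the account that owns both endpoints and uses the EC2 API calls create_network_insights_path, start_network_insights_analysis and describe_network_insights_analyses; the resource IDs (`igw-EXAMPLE`, `sg-EXAMPLE`, and so on) and the sample analysis response are constructed placeholders, not values from a real account.

```python
"""Run a VPC Reachability Analyzer trace with boto3 and summarise the result.

Added example, not code from the study guide. The resource IDs and the
sample analysis response below are constructed placeholders.
"""
import time
from typing import Any

# Explanation fields that hold a component reference ({"Id": ..., "Arn": ...}).
COMPONENT_KEYS = ("SecurityGroup", "Acl", "RouteTable", "Subnet", "Vpc",
                  "NetworkInterface", "InternetGateway", "NatGateway",
                  "LoadBalancer", "TransitGateway", "VpcPeeringConnection")


def run_trace(ec2: Any, source_id: str, destination_id: str,
              port: int = 80, protocol: str = "tcp",
              poll_seconds: int = 5, timeout_seconds: int = 300) -> dict:
    """Create a path source -> destination on protocol/port, start the
    analysis and poll until it leaves the 'running' state.

    `ec2` is a boto3 EC2 client (boto3.client("ec2")); the source and the
    destination must be in the same account and region.
    """
    path = ec2.create_network_insights_path(
        Source=source_id,
        Destination=destination_id,
        Protocol=protocol,
        DestinationPort=port,
    )["NetworkInsightsPath"]
    analysis = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path["NetworkInsightsPathId"],
    )["NetworkInsightsAnalysis"]
    deadline = time.monotonic() + timeout_seconds
    while analysis["Status"] == "running" and time.monotonic() < deadline:
        time.sleep(poll_seconds)
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis["NetworkInsightsAnalysisId"]],
        )["NetworkInsightsAnalyses"][0]
    return analysis


def summarize(analysis: dict) -> dict:
    """Reduce an analysis response to what a troubleshooter needs.

    Status 'succeeded' only means the analysis ran; reachability is the
    separate NetworkPathFound flag. Status 'failed' means the analysis
    itself could not complete (see StatusMessage), not that the path is
    blocked, so the two cases are reported separately.
    """
    hops = [pc["Component"]["Id"]
            for pc in sorted(analysis.get("ForwardPathComponents", []),
                             key=lambda pc: pc.get("SequenceNumber", 0))
            if "Component" in pc]
    blockers = []
    for expl in analysis.get("Explanations", []):
        components = {key: expl[key]["Id"] for key in COMPONENT_KEYS
                      if key in expl and "Id" in expl[key]}
        blockers.append({
            "code": expl.get("ExplanationCode"),
            "direction": expl.get("Direction"),
            "components": components,
        })
    status = analysis.get("Status")
    return {
        "status": status,
        "reachable": status == "succeeded" and bool(analysis.get("NetworkPathFound")),
        "error": analysis.get("StatusMessage") if status == "failed" else None,
        "hops": hops,
        "blockers": blockers,
    }


# Constructed sample shaped like a describe_network_insights_analyses entry
# for the Internet gateway -> instance, TCP/80 test: the path stops at a
# security group that does not allow the traffic. The IDs and the explanation
# code are placeholders, not values taken from a real account.
SAMPLE_BLOCKED_ANALYSIS = {
    "NetworkInsightsAnalysisId": "nia-EXAMPLE",
    "Status": "succeeded",
    "NetworkPathFound": False,
    "ForwardPathComponents": [
        {"SequenceNumber": 2, "Component": {"Id": "subnet-EXAMPLE"}},
        {"SequenceNumber": 1, "Component": {"Id": "igw-EXAMPLE"}},
    ],
    "Explanations": [
        {"ExplanationCode": "ENI_SG_RULES_MISMATCH",
         "Direction": "ingress",
         "SecurityGroup": {"Id": "sg-EXAMPLE"},
         "NetworkInterface": {"Id": "eni-EXAMPLE"},
         "PortRanges": [{"From": 80, "To": 80}]},
    ],
}


if __name__ == "__main__":
    # Live run (needs credentials and real IDs):
    #   import boto3
    #   live = run_trace(boto3.client("ec2"), "igw-...", "i-...", port=80)
    #   print(summarize(live))
    print(summarize(SAMPLE_BLOCKED_ANALYSIS))
```

Because the analyzer never sends packets, `run_trace` can be called from a deployment pipeline after every change and the `reachable` flag used as a gate; the `blockers` list then points directly at the security group, ACL, or route table to inspect when the gate fails.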

FIGURE 5.8 Network Reachability Analyzer trace results

Where there is more than one path from the source to the destination, the analyzer displays the shortest path. To investigate alternative paths, specify intermediate components that the path must traverse.