4.2.5. Reachability Analyzer
Reachability Analyzer provides a powerful tool for network specialists to quickly verify network reachability between resources and diagnose connectivity issues by simulating network paths.
Scenario: An application server in a private subnet cannot connect to a database server in another private subnet within the same VPC. You've checked Security Groups and NACLs but the issue persists.
For network specialists, diagnosing connectivity issues in complex AWS networks can be challenging due to multiple layers of network controls (Security Groups, NACLs, route tables, VPC peering, Transit Gateway).
Reachability Analyzer is a feature in Amazon VPC that analyzes the network path between two resources in your AWS network and determines if they are reachable. If they are not, it identifies the component that is blocking the path.
Key Features of Reachability Analyzer:
- Path Simulation: You specify a source and a destination (EC2 instance, Elastic Network Interface (ENI), load balancer, VPN gateway, Direct Connect Gateway, IP address).
- Connectivity Determination: It reports whether the resources are reachable and provides details of the network path if reachable.
- Root Cause Identification: If not reachable, it pinpoints the exact blocking component (e.g., a specific Security Group rule, a missing route table entry, a NACL rule).
- Supported Resources: Works across VPCs, VPC peering connections, Transit Gateways, VPNs, and Direct Connect connections.
- Proactive Analysis: Can be used to verify network configurations before deployment.
Practical Implementation: Using Reachability Analyzer (CLI)
# Assuming SOURCE_ENI_ID and DESTINATION_ENI_ID are defined
# 1. Create a network insights path. The CLI flags are --source and --destination
#    (they accept an ENI, instance or other supported resource ID), not --source-eni-id.
PATH_ID=$(aws ec2 create-network-insights-path \
    --source "$SOURCE_ENI_ID" \
    --destination "$DESTINATION_ENI_ID" \
    --protocol tcp \
    --destination-port 5432 \
    --query NetworkInsightsPath.NetworkInsightsPathId --output text)
echo "Network Insights Path ID: $PATH_ID"
# 2. Start the network insights analysis
ANALYSIS_ID=$(aws ec2 start-network-insights-analysis \
    --network-insights-path-id "$PATH_ID" \
    --query NetworkInsightsAnalysis.NetworkInsightsAnalysisId --output text)
echo "Network Insights Analysis ID: $ANALYSIS_ID"
# 3. Describe the analysis results. The analysis runs asynchronously, so poll until
#    Status leaves "running" (it ends as "succeeded" or "failed"), then read
#    NetworkPathFound and the Explanations array (plural), which names the blocking component.
until [ "$(aws ec2 describe-network-insights-analyses --network-insights-analysis-ids "$ANALYSIS_ID" \
    --query "NetworkInsightsAnalyses[0].Status" --output text)" != "running" ]; do sleep 5; done
aws ec2 describe-network-insights-analyses --network-insights-analysis-ids "$ANALYSIS_ID" \
    --query "NetworkInsightsAnalyses[0].[Status,NetworkPathFound,Explanations]"
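Step 3 returns a JSON document that still has to be read. The following is an added example (not AWS code and not part of the original page) that triages that output: it treats a still-running analysis as "poll again", and for a finished one lists each explanation with the component it names. The sample is constructed in the shape of NetworkInsightsAnalyses[0]; its IDs and ExplanationCode values are placeholders, and the explanation field names (SecurityGroup, RouteTable, PortRanges, Cidrs, Direction) are assumed from the describe-network-insights-analyses output shape.

```python
import json

# Constructed sample (not real AWS output): app server -> DB on 5432 with the
# path blocked by a security group and a missing route. IDs/codes are placeholders.
SAMPLE_OUTPUT = json.loads("""
{"NetworkInsightsAnalyses": [{
  "NetworkInsightsAnalysisId": "nia-EXAMPLE",
  "Status": "succeeded",
  "NetworkPathFound": false,
  "Explanations": [
    {"Direction": "ingress", "ExplanationCode": "SECURITY_GROUP_RESTRICTION",
     "SecurityGroup": {"Id": "sg-db-EXAMPLE"}, "Component": {"Id": "eni-db-EXAMPLE"},
     "PortRanges": [{"From": 5432, "To": 5432}], "Protocols": ["tcp"]},
    {"ExplanationCode": "NO_ROUTE_TO_DESTINATION",
     "RouteTable": {"Id": "rtb-app-EXAMPLE"}, "Subnet": {"Id": "subnet-app-EXAMPLE"},
     "Cidrs": ["10.0.2.0/24"]}
  ]}]}
""")

# Explanation keys that hold an analysis component ({"Id": ...}); the order is the
# priority used to pick which resource to name as the blocker.
COMPONENT_KEYS = ("SecurityGroup", "Acl", "RouteTable", "Subnet", "Vpc", "Component")


def describe_explanation(exp: dict) -> str:
    """One line per explanation: code, the resource it names, then context."""
    code = exp.get("ExplanationCode", "UNKNOWN")
    resource = next((f"{k}={exp[k].get('Id', '?')}" for k in COMPONENT_KEYS
                     if isinstance(exp.get(k), dict)), "resource=?")
    extra = [exp["Direction"]] if "Direction" in exp else []
    extra += [f"ports {pr.get('From')}-{pr.get('To')}" for pr in exp.get("PortRanges", [])]
    if exp.get("Cidrs"):
        extra.append("cidrs " + ",".join(exp["Cidrs"]))
    return " ".join([code, resource] + extra)


def summarize_analysis(output: dict) -> dict:
    """Return {'status', 'path_found', 'blockers'} for the first analysis.

    While Status is not 'succeeded' (e.g. 'running'), blockers is empty and the
    caller should poll describe-network-insights-analyses again.
    """
    analysis = output["NetworkInsightsAnalyses"][0]
    status = analysis.get("Status")
    if status != "succeeded":
        return {"status": status, "path_found": None, "blockers": []}
    path_found = bool(analysis.get("NetworkPathFound"))
    blockers = [] if path_found else [describe_explanation(e) for e in analysis.get("Explanations", [])]
    return {"status": status, "path_found": path_found, "blockers": blockers}


if __name__ == "__main__":
    print(json.dumps(summarize_analysis(SAMPLE_OUTPUT), indent=2))
```

Feed it the real `aws ec2 describe-network-insights-analyses ... --output json` result instead of SAMPLE_OUTPUT to get the same one-line-per-blocker summary.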
⚠️ Common Pitfall: Not using Reachability Analyzer for complex connectivity issues. Manually tracing paths through multiple layers of network controls is error-prone and time-consuming.
Key Trade-Offs:
- Automated Analysis vs. Manual Effort: Reachability Analyzer automates complex path analysis, saving significant manual effort but requiring understanding of its output.
Reflection Question: How does Reachability Analyzer, by simulating network paths between resources and identifying the exact blocking component (e.g., Security Group rule, route table entry), fundamentally provide a powerful tool for you as a Network Specialist to quickly verify network reachability and diagnose complex connectivity issues?