6.3.1. VPC Flow Logs and Reachability Analyzer
First Principle: You can't fix what you can't see. VPC flow logs are the network equivalent of CloudTrail: a record of every network conversation attempted in your VPC. Combined with Reachability Analyzer (which traces a hypothetical path through your configuration), you have both "what should happen" (Reachability Analyzer) and "what actually happened" (flow logs) for network diagnosis.
VPC Flow Log Fields (Key Subset):
| Field | Example Value | Meaning |
|---|---|---|
| srcaddr | 10.0.1.45 | Source IP |
| dstaddr | 10.0.2.100 | Destination IP |
| srcport / dstport | 52341 / 443 | Source and destination ports |
| protocol | 6 | IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP |
| action | ACCEPT or REJECT | Whether the packet was allowed |
| log-status | OK, NODATA, SKIPDATA | Log delivery status (NODATA: no traffic on the ENI during the aggregation interval; SKIPDATA: some records were skipped, e.g. due to an internal capacity constraint) |
Diagnosing with Flow Logs:
| Symptom | Flow Log Finding | Root Cause |
|---|---|---|
| Can't reach instance | REJECT on inbound port | Security group or NACL blocking |
| Instance can't reach internet | REJECT on outbound | NACL blocking outbound, or no route to IGW/NAT |
| Traffic arrives but no response | ACCEPT inbound, no outbound | Application not listening, or NACL blocking return traffic |
| No flow log entries at all | No records | Traffic not reaching the ENI; routing problem upstream |
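To make the field table and the symptom table concrete, here is an added Python example (written for this note, not code from the course or from AWS) that parses flow log lines in the default version 2 format and maps what they show onto the symptom table. It generalizes the table slightly: `diagnose_path` takes the private IP of the ENI whose log you are reading (`eni_ip`), so the same function handles an inbound SSH failure seen from the instance's ENI and an outbound internet failure seen from the same ENI. The "No records" branch is the exam-trap case: nothing logged means the traffic never reached the ENI, not that it was never sent. The account id, ENI id, addresses and log lines are constructed sample values.

```python
"""Parse VPC Flow Log records (default version 2 format) and map them onto the
symptom table.  Every log line below is a constructed sample, not real data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order of the default flow log format (version 2), as AWS emits it.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()
PROTOCOLS = {6: "TCP", 17: "UDP", 1: "ICMP"}


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int      # -1 when the field is '-' (NODATA / SKIPDATA records)
    dstport: int
    protocol: int
    action: str       # ACCEPT, REJECT, or '-' for NODATA / SKIPDATA
    log_status: str   # OK, NODATA, SKIPDATA


def _int(field: str) -> int:
    return int(field) if field != "-" else -1


def parse_flow_log_line(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for a line that is not in the default format."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        return None
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(f["interface-id"], f["srcaddr"], f["dstaddr"],
                      _int(f["srcport"]), _int(f["dstport"]), _int(f["protocol"]),
                      f["action"], f["log-status"])


def parse_lines(lines: List[str]) -> List[FlowRecord]:
    return [r for r in map(parse_flow_log_line, lines) if r is not None]


def diagnose_path(records: List[FlowRecord], eni_ip: str, client_ip: str,
                  server_ip: str, server_port: int, protocol: int = 6) -> Tuple[str, str]:
    """Classify one client -> server conversation as seen in one ENI's log.

    Returns (flow log finding, root cause to investigate).  eni_ip is the private
    IP of the ENI whose records these are; it decides whether the forward flow is
    inbound or outbound at this interface."""
    usable = [r for r in records if r.log_status == "OK" and r.protocol == protocol]
    forward = [r for r in usable if r.srcaddr == client_ip and r.dstaddr == server_ip
               and r.dstport == server_port]
    reverse = [r for r in usable if r.srcaddr == server_ip and r.srcport == server_port
               and r.dstaddr == client_ip]
    eni_is_server = eni_ip == server_ip

    if not forward and not reverse:
        # Exam trap: nothing logged does not mean nothing was sent.
        return ("No records", "Traffic not reaching the ENI; routing problem upstream")
    if any(r.action == "REJECT" for r in forward):
        if eni_is_server:
            return ("REJECT on inbound port", "Security group or NACL blocking")
        return ("REJECT on outbound", "NACL blocking outbound, or no route to IGW/NAT")
    if forward and not reverse:
        if eni_is_server:
            return ("ACCEPT inbound, no outbound",
                    "Application not listening, or NACL blocking return traffic")
        return ("ACCEPT outbound, no reply",
                "Remote side not answering, or its return path is blocked")
    if any(r.action == "REJECT" for r in reverse):
        return ("REJECT on return traffic", "NACL blocking return traffic")
    return ("ACCEPT both directions", "Network path is open; look above the network layer")


# Constructed sample data (RFC 5737 documentation addresses for the public IPs).
ACCT, ENI = "111111111111", "eni-0a1b2c3d4e5f60718"
INSTANCE, OFFICE, WEB = "10.0.2.100", "203.0.113.10", "198.51.100.25"


def _line(src: str, dst: str, sport: int, dport: int, action: str, proto: int = 6) -> str:
    return f"2 {ACCT} {ENI} {src} {dst} {sport} {dport} {proto} 4 240 1700000000 1700000060 {action} OK"


NODATA_LINE = f"2 {ACCT} {ENI} - - - - - - - 1700000000 1700000060 - NODATA"
SAMPLES: Dict[str, List[str]] = {
    "ssh_rejected":   [_line(OFFICE, INSTANCE, 52341, 22, "REJECT")],
    "no_listener":    [_line(OFFICE, INSTANCE, 52341, 22, "ACCEPT")],
    "healthy":        [_line(OFFICE, INSTANCE, 52341, 22, "ACCEPT"),
                       _line(INSTANCE, OFFICE, 22, 52341, "ACCEPT")],
    "egress_blocked": [NODATA_LINE, _line(INSTANCE, WEB, 40001, 443, "REJECT")],
    "nothing_logged": [NODATA_LINE],
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Diagnose each constructed scenario from the instance ENI's point of view."""
    out = {}
    for name, lines in SAMPLES.items():
        recs = parse_lines(lines)
        if name == "egress_blocked":   # instance is the client here
            out[name] = diagnose_path(recs, INSTANCE, INSTANCE, WEB, 443)
        else:                          # office workstation -> instance:22
            out[name] = diagnose_path(recs, INSTANCE, OFFICE, INSTANCE, 22)
    return out


if __name__ == "__main__":
    for name, (finding, cause) in run_samples().items():
        print(f"{name:15s} {finding:28s} -> {cause}")
```

In practice you would feed `parse_lines` the records exported from CloudWatch Logs or S3 for the ENI in question and call `diagnose_path` with the real addresses; the "No records" result is the cue to stop looking at security groups and NACLs and check the route table first.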
VPC Reachability Analyzer:
A network path analysis tool that models your VPC configuration to determine if a path exists between a source and destination. It doesn't send actual packets; it analyzes route tables, security groups, NACLs, and endpoints to produce either "Reachable" or "Not Reachable" with the specific blocking component identified.
Use Reachability Analyzer when:
- Setting up new connectivity and want to verify before going live
- A path that should be reachable isn't, and you need to identify why
- Auditing network configuration for compliance
Reachability Analyzer can find problems that flow logs can't (because if packets never reach the ENI, there's no flow log entry).
⚠️ Exam Trap: VPC Flow Logs record what actually happened at the ENI level: packets that were blocked by a security group still generate a REJECT entry. However, if the traffic is blocked at the routing layer (e.g., no route to the destination in the route table), the packet never reaches the ENI and there's no flow log entry. Absence of flow log entries doesn't mean traffic wasn't attempted; it may mean it was dropped before reaching the ENI. Reachability Analyzer catches routing problems that flow logs miss.
Reflection Question: A developer reports they can't SSH into a new EC2 instance in a private subnet. The security group allows port 22 from the developer's office IP. There are no flow log entries for SSH traffic to the instance. Based on the absence of flow log entries, what layer of the network stack do you investigate first?