Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3. Network Troubleshooting

💡 First Principle: Network problems in AWS are almost always one of three things: routing (the packet can't find its path), filtering (something is blocking the packet), or DNS (the name resolves to the wrong address or doesn't resolve at all). Think of it like debugging a postal delivery failure: either the address is wrong (routing), the building has locked doors (security groups/NACLs), or DNS gave the wrong address. Unlike application bugs that require code changes, network issues are almost always configuration — and AWS provides VPC Flow Logs, Reachability Analyzer, and Network Manager to isolate exactly which layer is broken. Systematic diagnosis means working through each layer — starting with DNS, then routing, then filtering — rather than making changes and hoping something fixes it.

The exam heavily tests network troubleshooting scenarios. The tools are VPC Reachability Analyzer (pre-checks a path without sending real traffic), VPC Flow Logs (shows what actually happened to packets), and service-specific access logs (shows what the load balancer, WAF, or CloudFront did).
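The following is an added example, not part of the original page, that applies the layer-by-layer approach to VPC Flow Logs in the default version 2 format. The addresses, ENI ID, account ID, and function names are constructed for illustration, and the records are assumed to come from the server's network interface.

```python
# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, as captured on the server's ENI (10.0.1.25).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 49152 443 6 5 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 443 49152 6 5 300 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 49153 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA",
]

def parse_flow_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA windows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def diagnose(lines, client, server, port):
    """Classify a TCP flow client -> server:port from the server ENI's logs."""
    request, response = set(), set()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["protocol"] != "6":  # 6 = TCP
            continue
        pair = (rec["srcaddr"], rec["dstaddr"])
        if pair == (client, server) and rec["dstport"] == str(port):
            request.add(rec["action"])
        elif pair == (server, client) and rec["srcport"] == str(port):
            response.add(rec["action"])
    if not request:
        return "not-seen"          # no record on this ENI: check DNS and routing first
    if "REJECT" in request:
        return "filtered-inbound"  # security group or NACL inbound rule denied it
    if "REJECT" in response:
        # Security groups are stateful, so a rejected reply to an accepted
        # request points to a stateless NACL outbound rule.
        return "filtered-return"
    return "accepted"              # not a filtering problem at this ENI

if __name__ == "__main__":
    for p in (443, 22, 8080):
        print(p, diagnose(SAMPLE, "203.0.113.10", "10.0.1.25", p))
```

Flow Logs record only the ACCEPT or REJECT decision, not which control made it; the security group versus NACL distinction here is inferred from stateful versus stateless behavior.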

Written by Alvin Varughese
Founder • 15 professional certifications