How do I use the VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

3 minute read
0

I'm unable to connect to my destination server using an Amazon Virtual Private Cloud (Amazon VPC) resource as the source. How do I troubleshoot this issue using VPC Reachability Analyzer?

Short description

To troubleshoot Amazon VPC connectivity issues, use Reachability Analyzer to check for common issues with:

  • Security group configurations
  • Network access control list (network ACL) configurations
  • Route table configurations

Resolution

Important: VPC Reachability Analyzer relies on data from other AWS services. If the tool fails to run, then confirm the following:

Using Reachability Analyzer from the AWS Management Console

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Reachability Analyzer.

3.    Select the Region where your resources are located.

4.    For Source type, choose Instances. Then, select your source resource.

5.    For Destination type, choose Internet Gateways. Then, select your destination resource.

6.    For Protocol, choose TCP or UDP, depending on your use case.

7.    Choose Create and analyze path.

8.    After the path analysis completes, view the results.

If the Reachability status is Not reachable, then there's an issue in the path.

You can analyze an existing path by specifying an intermediate component. Find an alternative reachable path that traverses the intermediate component by doing the following:

1.    Select the path, and then choose Analyze path.

2.    Determine the Amazon Resource Name (ARN) for the intermediate component.

For example, the ARN for a Network Address Translation (NAT) gateway is:

arn:aws:ec2:us-east-1:123456789012:nat-gateway/nat-012345678901234ab

3.    Enter the ARN for the intermediate component, and then choose Confirm.

4.    Refresh the page, and then view the new analysis ID that displays with the intermediate hop path.

Using Reachability Analyzer from the AWS CLI

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Follow the steps in Getting started with VPC Reachability Analyzer using the AWS CLI.

For example, let's say that you're diagnosing connectivity issues between the following points:

  • Source = Amazon Elastic Compute Cloud (Amazon EC2) instance i-ab001122334455667
  • Destination = Internet gateway igw-00aabb11223344556 on port 22 in an Amazon VPC

1.    Create a path using the following example command:

aws ec2 create-network-insights-path --source i-ab001122334455667 --destination igw-00aabb11223344556 --destination-port 22 --protocol TCP

Example output:

{
    "NetworkInsightsPath": {
        "NetworkInsightsPathId": "nip-01a23b456c789101d1",
        "NetworkInsightsPathArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-path/nip-01a23b456c789101d1",
        "CreatedDate": "2021-06-01T01:00:00.000000+00:00",
        "Source": "i-ab001122334455667",
        "Destination": "igw-00aabb11223344556",
        "Protocol": "tcp",
        "DestinationPort": 22
    }
}

2.    Analyze the path by adding the network insights path ID as a parameter in the following example command:

aws ec2 start-network-insights-analysis --network-insights-path-id nip-01a23b456c789101d1

Example output:

{
    "NetworkInsightsAnalysis": {
        "NetworkInsightsAnalysisId": "nia-0fb371a9ea7ce9712",
        "NetworkInsightsAnalysisArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-analysis/nia-0fb371a9ea7ce9712",
        "NetworkInsightsPathId": "nip-01a23b456c789101d1",
        "StartDate": "2021-06-01T01:00:00.000000+00:00",
        "Status": "running"
    }
}

3.    Get the results of the path analysis by adding the NetworkInsightsAnalysisIds parameter obtained in the previous step to the following example command:

aws ec2 describe-network-insights-analyses --network-insights-analysis-ids nia-0fb371a9ea7ce9712

When a path is unreachable, NetworkPathFound is false and ExplanationCode contains an explanation code. For more information about each of the explanation codes, see VPC Reachability Analyzer explanation codes.


Related information

New – VPC Reachability Analyzer

AWS OFFICIAL
AWS OFFICIALUpdated a year ago