How do I use the VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

3 minute read

I'm unable to connect to my destination server using an Amazon Virtual Private Cloud (Amazon VPC) resource as the source. How do I troubleshoot this issue using VPC Reachability Analyzer?

Short description

To troubleshoot Amazon VPC connectivity issues, use Reachability Analyzer to check for common issues with:

Security group configurations
Network access control list (network ACL) configurations
Route table configurations

Resolution

Important: VPC Reachability Analyzer relies on data from other AWS services. If the tool fails to run, then confirm the following:

You have the required API permissions.
The source, destination, and intermediate components are supported by Reachability Analyzer.

Using Reachability Analyzer from the AWS Management Console

1. Open the Amazon VPC console.

2. In the navigation pane, choose Reachability Analyzer.

3. Select the Region where your resources are located.

4. For Source type, choose Instances. Then, select your source resource.

5. For Destination type, choose Internet Gateways. Then, select your destination resource.

6. For Protocol, choose TCP or UDP, depending on your use case.

7. Choose Create and analyze path.

8. After the path analysis completes, view the results.

If the Reachability status is Not reachable, then there's an issue in the path.

You can analyze an existing path by specifying an intermediate component. Find an alternative reachable path that traverses the intermediate component by doing the following:

1. Select the path, and then choose Analyze path.

2. Determine the Amazon Resource Name (ARN) for the intermediate component.

For example, the ARN for a Network Address Translation (NAT) gateway is:

arn:aws:ec2:us-east-1:123456789012:nat-gateway/nat-012345678901234ab

3. Enter the ARN for the intermediate component, and then choose Confirm.

4. Refresh the page, and then view the new analysis ID that displays with the intermediate hop path.

Using Reachability Analyzer from the AWS CLI

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Follow the steps in Getting started with VPC Reachability Analyzer using the AWS CLI.

For example, let's say that you're diagnosing connectivity issues between the following points:

Source = Amazon Elastic Compute Cloud (Amazon EC2) instance i-ab001122334455667
Destination = Internet gateway igw-00aabb11223344556 on port 22 in an Amazon VPC

1. Create a path using the following example command:

aws ec2 create-network-insights-path --source i-ab001122334455667 --destination igw-00aabb11223344556 --destination-port 22 --protocol TCP

Example output:

{
    "NetworkInsightsPath": {
        "NetworkInsightsPathId": "nip-01a23b456c789101d1",
        "NetworkInsightsPathArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-path/nip-01a23b456c789101d1",
        "CreatedDate": "2021-06-01T01:00:00.000000+00:00",
        "Source": "i-ab001122334455667",
        "Destination": "igw-00aabb11223344556",
        "Protocol": "tcp",
        "DestinationPort": 22
    }
}

2. Analyze the path by adding the network insights path ID as a parameter in the following example command:

aws ec2 start-network-insights-analysis --network-insights-path-id nip-01a23b456c789101d1

Example output:

{
    "NetworkInsightsAnalysis": {
        "NetworkInsightsAnalysisId": "nia-0fb371a9ea7ce9712",
        "NetworkInsightsAnalysisArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-analysis/nia-0fb371a9ea7ce9712",
        "NetworkInsightsPathId": "nip-01a23b456c789101d1",
        "StartDate": "2021-06-01T01:00:00.000000+00:00",
        "Status": "running"
    }
}

3. Get the results of the path analysis by adding the NetworkInsightsAnalysisIds parameter obtained in the previous step to the following example command:

aws ec2 describe-network-insights-analyses --network-insights-analysis-ids nia-0fb371a9ea7ce9712

When a path is unreachable, NetworkPathFound is false and ExplanationCode contains an explanation code. For more information about each of the explanation codes, see VPC Reachability Analyzer explanation codes.

Related information

New – VPC Reachability Analyzer

Topics

Networking & Content Delivery

Relevant content

Possible to run AWS VPC Reachability analyzer from Lambda ENI to RDS endpoint?
Accepted Answer
AWSKid2k
asked a year ago
IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS result for VPC Reachability Analyzer
AWS-User-6022443
asked a year ago
Trace route via TGW and VPC
Tarun
asked 6 months ago
VPC to VPC connectivity
Accepted Answer
MODERATOR
AWS-User-6939396
asked 3 years ago
New – VPC Reachability Analyzer
learn2skills
asked 2 years ago
How can I troubleshoot Lambda function connectivity issues to an Amazon VPC using Reachability Analyzer?
AWS OFFICIALUpdated 4 months ago
How do I troubleshoot VPN tunnel connectivity to an Amazon VPC?
AWS OFFICIALUpdated 9 months ago
How do I troubleshoot connectivity issues that I'm experiencing while using an Amazon VPC?
AWS OFFICIALUpdated 7 months ago
How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?
AWS OFFICIALUpdated 10 months ago
Support Automation Workflow (SAW) Runbook: Analyze connectivity to an AWS service endpoint
EXPERT
Maya Karalic
published 3 months ago