AWS Reachability Analyzer says this path works, but in reality, it fails

0

I have two instances, Instance1 and Instance2. I ran a reachability analysis on the path from Instance1 to Instance2, and it succeeds. However, when I connect to Instance1 and run nc -z -v [dest IP] [port], I receive "no route to host".

What am I missing?

Asked 1 year ago, 240 views
1 answer
0

The netcat command you mentioned will initiate a TCP connection to the destination host on the specified port number. If a route exists and the server is listening on the specified port, the connection will succeed.

However, Reachability Analyzer analyzes the path between a source and destination by building a model of the network configuration, and then checking for reachability based on the configuration. It does not send packets or analyze the data plane.

So if you see Reachability Analyzer returning the path as succeeded, that means it verified that no traffic is getting blocked by a security group or ACL, and also that there is a route between source and destination. This path can be internal when you specify Instance1 as source and Instance2 as destination. It is possible that the 2 instances are not reachable over the internet but are very well reachable using a private IP. You should be able to see the route that the VPC analyzer returned using the analysis explorer.

Also, if the destination server is not listening on the specified port, Reachability Analyzer will still succeed as long as a routable path exists between src and dst. But netcat will fail, as it tries to send a SYN packet to the server, and the server will not acknowledge it if it is not listening on the port or some firewall is blocking the traffic at the OS level.

AWS
navaz
Answered 1 year ago
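The answer above draws the line between what Reachability Analyzer models (the configured path: routes, security groups, NACLs) and what netcat exercises (the data plane: a real SYN reaching a listening process). The script below is an added example, not part of the question or the answer, and not an AWS tool. It reproduces what `nc -z -v host port` does (a single TCP handshake, no data) and maps the OS error the kernel returns to the layer that most likely rejected the probe. The mapping is my own reading of the standard errno values and is an assumption about typical causes, not a rule: `ECONNREFUSED` (an RST came back) means the host was reached but nothing is listening, `EHOSTUNREACH` (the "no route to host" the question reports) means a host-unreachable ICMP or a missing ARP/route entry on the sending side, and a timeout means the SYN was silently dropped, which is what a security group or NACL does. The demo function uses a loopback listener so it runs offline.

```python
import errno
import socket

# Labels for the outcome of one TCP probe. These strings and the cause hints
# are constructed for this example; they are not Reachability Analyzer output.
OPEN = "open: a route exists and a service is listening"
REFUSED = "refused: host reached, RST returned (nothing listening, or an OS firewall REJECT rule)"
UNREACHABLE = "no route to host: ICMP host-unreachable or no ARP/route entry on the sender (OS-level firewall, wrong subnet)"
TIMEOUT = "timeout: SYN silently dropped (security group, NACL, or DROP rule), which only a data-plane test reveals"


def classify_errno(err) -> str:
    """Map an errno (int or symbolic name such as 'ECONNREFUSED') to a probe label."""
    if isinstance(err, str):
        err = getattr(errno, err)
    if err == errno.ECONNREFUSED:
        return REFUSED
    if err in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    if err == errno.ETIMEDOUT:
        return TIMEOUT
    return "other: " + errno.errorcode.get(err, str(err))


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Equivalent of `nc -z -v host port`: one TCP handshake, no payload sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        # No SYN-ACK and no RST within the timeout: something dropped the SYN.
        return TIMEOUT
    except OSError as e:
        # The kernel told us why the handshake failed.
        return classify_errno(e.errno)
    finally:
        s.close()


def demo() -> tuple:
    """Probe a loopback port twice: once while a listener exists, once after it is closed.

    The path (loopback) is identical both times, which is exactly the case the
    answer describes: a configuration model says 'reachable' regardless, while a
    real handshake distinguishes a listening service from a closed port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port)
    srv.close()
    # Same host, same port, same route, but nothing listening any more:
    # the kernel answers the SYN with RST and connect() fails with ECONNREFUSED.
    after_close = tcp_probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    for label in demo():
        print(label)
    # Against a remote instance you would call tcp_probe(dest_ip, port) and
    # read the label to decide whether to look at the OS firewall / service
    # (REFUSED, UNREACHABLE) or at security groups and NACLs (TIMEOUT).
```

When the probe returns the "no route to host" class while Reachability Analyzer reports the path as reachable, the analyzer's verdict is not contradicted: it covers the VPC configuration only, so the next place to look is on the instances themselves (host firewall rules, the service's bind address and port, and the instance's own routing table).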
