You can use VPC Flow Logs to tell what packets have been rejected by security groups. Note that there are some limitations which are documented.
If you are troubleshooting and are looking to answer questions like "why can't A connect to B" then you're probably better off using Reachability Analyzer.
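To make the flow-log approach in the answer above concrete, here is an added example (not from the thread or from AWS) that parses VPC Flow Log records in the default version 2 field order and totals the REJECT packets per target. The log lines are constructed samples; the ENI id and account id are placeholders.

```python
"""Summarise REJECT records from VPC Flow Logs (default version 2 format).

Default field order, space separated:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (placeholder account and ENI ids).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49152 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49153 22 6 2 120 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49154 443 6 10 5000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49155 3306 6 1 60 1700000000 1700000060 REJECT OK",
]

Key = Tuple[str, str, int, int]  # (interface_id, dstaddr, dstport, protocol)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None for a line not in the default v2 layout."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None  # custom format or other version: not handled here
    return dict(zip(FIELDS, parts))


def summarize_rejects(lines: Iterable[str]) -> Dict[str, object]:
    """Total REJECT packets per (ENI, dstaddr, dstport, protocol).

    Records with log-status NODATA or SKIPDATA carry no addresses or action
    and are counted separately: those windows are a limitation of flow logs,
    not evidence that nothing was denied. A REJECT also does not say whether
    a security group or a network ACL dropped the traffic.
    """
    rejects: Counter = Counter()
    skipped = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            skipped += 1
            continue
        if rec["action"] == "REJECT":
            key: Key = (rec["interface_id"], rec["dstaddr"], int(rec["dstport"]), int(rec["protocol"]))
            rejects[key] += int(rec["packets"])
    return {"rejects": rejects, "skipped": skipped}
```

Sorting the returned counter by value gives the destinations most often denied, which is usually the quickest pointer to the security group rule to review.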
I really like the input for reachability analyzer. It's a good point to point (same region, limited resources) analyzer.
We also have Network Access Analyzer, which will provide "findings" from an access point, to another endpoint, identifying all possible communication - in the form of findings. A little more robust, different use cases than Reachability Analyzer.
Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. You can use Network Access Analyzer to:
Understand, verify, and improve your network security posture – Network Access Analyzer helps you identify unintended network access relative to your security and compliance requirements, enabling you to take steps to improve your network security.
Demonstrate compliance – Network Access Analyzer helps you demonstrate that your network on AWS meets your compliance requirements. https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/what-is-network-access-analyzer.html