What is AWS Reachability Analyzer?

AWS VPC Reachability Analyzer is a service provided by Amazon Web Services (AWS) that allows us to analyze and troubleshoot network connectivity problems within a virtual private cloud (VPC). If the destination is reachable from the source resource, Reachability Analyzer visualizes the network path between the source and the destination resource. If the destination resource is not reachable, Reachability Analyzer identifies the reason for the blockage.

How Reachability Analyzer works

Reachability Analyzer does not work by sending packets from the source resource to the destination resource. Instead, it builds a network configuration model and then checks the reachability status based on that configuration.

To analyze traffic between two resources with Reachability Analyzer, we create a path. We can specify the following resources as sources or destinations:

  • Network interfaces

  • Transit gateways

  • Transit gateway attachments

  • VPC endpoint services

  • VPC endpoints

  • VPC peering connections

  • VPN gateways

  • EC2 Instances

  • Internet gateways

Analyzing network connectivity Reachability Analyzer

We can also specify source and destination ports to analyze traffic on a particular port. Once the path is created, Reachability Analyzer provides a status showing if the path between source and destination is “Reachable” or “Not reachable.” The Reachability Analyzer also visualizes the entire path (showing all resources such as security groups, ACLs, etc.) between source and destination.

In the case of a “Not reachable” path, Reachability Analyzer provides the reason for the blockage and the blocking point. It marks the blocking point in red in the network hierarchy for better understanding.

Use cases of Reachability Analyzer

Reachability Analyzer can be used to do the following tasks:

Troubleshooting connectivity issues

Reachability Analyzer provides explanations that identify the component blocking a connection. We can then use these explanations to fix an unreachable path. It also helps identify misconfigurations, security group rules, or any other network-related problems that might affect resource connectivity. For instance, we can check that the path between a frontend and backend instance is reachable and, if not, what the blocking point is.

Intent verification

AWS VPC Reachability Analyzer allows us to confirm whether a security rule in a security group or a network access control list (ACL) works as expected. It helps examine whether the traffic between two resources flows according to the user’s intent. For instance, if a user intends that the back-end instance should not be accessible from the internet, Reachability Analyzer can help analyze the path between the internet gateway and the EC2 back-end instance, informing us if the path is reachable or not.

Automating the verification of connectivity intent

Reachability Analyzer can also help automate the validation of connectivity intent whenever there are alterations in our network setup. With this automation, we can check that any modification to our network configuration remains consistent with our intent. For instance, with Reachability Analyzer, we can ensure that alterations to our security group or route table do not disturb the network configuration we intend.

Getting started with Reachability Analyzer

Reachability Analyzer is an easy-to-use service. Let’s take a look at a step-by-step guide to using Reachability Analyzer:

  1. Create a path: The very first step is creating the path. To create the path you want to analyze, specify the source and destination technologies. You can specify additional information such as ports and IP addresses for both source and destination as well. Next, choose TCP or UDP protocol for the path. You can also add a tag if necessary. Once everything is specified, click the “Create and analyze path” button.

  2. Analyze the path: Once the path has been successfully created, click the “Path ID” column. It will take you to a new page where you will be able to see the reachability status as “Reachable” or “Not reachable.” The Reachability Analyzer shows the shortest path between the source and the destination. If the path is not reachable, the point of failure would be visible in red in the path. You can also learn about the failure through the “Explanations” section.

  3. Re-analyze the path: If the reachability status does not match your intent, you can edit the path and change the network configuration. Once changed, you can re-analyze the path and verify if the status matches your intent.

  4. Delete the path: Once you’re done with path analysis, you can delete the Reachability Analyzer path and its analyses. The path will be automatically deleted after 120 days.
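
The console steps above can also be driven through the EC2 API, which is what makes the intent checks described earlier repeatable. This is an added example, not code from the original page: `verify_intent` uses the boto3 EC2 client's Network Insights calls, while `StubEC2`, its canned responses and the `-EXAMPLE` IDs are constructed so the block runs offline.

```python
import time

def verify_intent(ec2, source, destination, port, expect_reachable, poll=2.0, tries=60):
    """Create a path, analyze it, compare with the intent, then delete both."""
    path_id = ec2.create_network_insights_path(          # step 1: create the path
        Source=source, Destination=destination, Protocol="tcp",
        DestinationPort=port)["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = None
    try:
        run = ec2.start_network_insights_analysis(       # step 2: analyze it
            NetworkInsightsPathId=path_id)["NetworkInsightsAnalysis"]
        analysis_id = run["NetworkInsightsAnalysisId"]
        for _ in range(tries):                           # poll while still running
            if run["Status"] != "running":
                break
            time.sleep(poll)
            run = ec2.describe_network_insights_analyses(
                NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]
        if run["Status"] != "succeeded":
            # An analysis that failed or timed out proves nothing: fail closed.
            raise RuntimeError(f"analysis status is {run['Status']}")
        found = run["NetworkPathFound"]
        return {"reachable": found, "matches_intent": found == expect_reachable,
                # Explanation codes name the blocking component of an unreachable path.
                "explanations": [e.get("ExplanationCode") for e in run.get("Explanations", [])]}
    finally:                                             # step 4: analysis first, then path
        if analysis_id:
            ec2.delete_network_insights_analysis(NetworkInsightsAnalysisId=analysis_id)
        ec2.delete_network_insights_path(NetworkInsightsPathId=path_id)

class StubEC2:
    """Constructed stand-in for boto3.client("ec2") so the example runs offline."""
    def __init__(self, found, codes=()):
        self.found, self.codes, self.deleted = found, codes, []
    def create_network_insights_path(self, **kw):
        return {"NetworkInsightsPath": {"NetworkInsightsPathId": "nip-EXAMPLE"}}
    def start_network_insights_analysis(self, **kw):
        return {"NetworkInsightsAnalysis": {"NetworkInsightsAnalysisId": "nia-EXAMPLE",
                                            "Status": "running"}}
    def describe_network_insights_analyses(self, **kw):
        return {"NetworkInsightsAnalyses": [{
            "Status": "succeeded", "NetworkPathFound": self.found,
            "Explanations": [{"ExplanationCode": c} for c in self.codes]}]}
    def delete_network_insights_analysis(self, **kw):
        self.deleted.append("analysis")
    def delete_network_insights_path(self, **kw):
        self.deleted.append("path")

# Intent: backend not reachable from the internet gateway; the stub says a path exists.
RESULT = verify_intent(StubEC2(found=True), "igw-EXAMPLE", "i-EXAMPLE", 443, False, poll=0)
```

With a real client, pass `boto3.client("ec2")` in place of the stub; a result whose `matches_intent` is false is the signal to alert on or to fail a deployment check.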

Reachability Analyzer and other monitoring tools

AWS provides multiple other monitoring tools, such as AWS CloudTrail and AWS Network Firewall. AWS Reachability Analyzer complements other monitoring tools by providing additional visibility and insights into the network connectivity of a path. For instance, VPC Flow Logs, a feature of VPC, helps us capture the information on IP traffic going in and out of the VPC. Reachability Analyzer can focus specifically on analyzing the reachability of endpoints, allowing users to identify potential issues or misconfigurations affecting connectivity.

Example scenario

Network administrators can use AWS Reachability Analyzer with other AWS services and monitoring tools to automate the process of getting notified about network failure issues. Consider a scenario where the AWS administrator wants to be quickly notified if any change in network infrastructure causes connectivity failure. In this case, AWS CloudTrail can be used to log changes and send them to Amazon EventBridge. The EventBridge rule will forward changes to the AWS Lambda Function. The Lambda function will determine if any EC2 instances are affected. The Reachability Analyzer will assess the path to check connectivity from the internet to the instance.

Architecture diagram for example use case
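
One way to write the Lambda step of this scenario, narrowed to security group ingress changes (an added example, not code from the original page). The event fields follow CloudTrail records as delivered by EventBridge; `check` is a hypothetical callable standing in for one Reachability Analyzer run from the internet gateway to the instance, and `SAMPLE_EVENT`, `StubEC2` and the IDs are constructed.

```python
WATCHED = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}

def changed_group(event):
    """Return the security group ID changed by a CloudTrail event, else None."""
    detail = event.get("detail") or {}
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    if detail.get("eventSource") != "ec2.amazonaws.com":
        return None
    if detail.get("eventName") not in WATCHED or detail.get("errorCode"):
        return None  # unrelated call, or a failed call that changed nothing
    return (detail.get("requestParameters") or {}).get("groupId")

def affected_instances(ec2, group_id):
    """Instances that have a network interface in the changed security group."""
    # Assumption: results fit in one page; use a paginator for large accounts.
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "group-id", "Values": [group_id]}])["NetworkInterfaces"]
    return sorted({e["Attachment"]["InstanceId"] for e in enis
                   if e.get("Attachment", {}).get("InstanceId")})

def handle(event, ec2, check):
    """Return the affected instances that `check` reports as internet-reachable."""
    group_id = changed_group(event)
    if group_id is None:
        return []  # nothing to re-verify for this event
    return [i for i in affected_instances(ec2, group_id) if check(i)]

SAMPLE_EVENT = {  # constructed EventBridge event, trimmed to the fields used here
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com",
               "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-EXAMPLE"}},
}

class StubEC2:
    """Constructed stand-in for boto3.client("ec2"): one attached ENI, one idle."""
    def describe_network_interfaces(self, Filters):
        return {"NetworkInterfaces": [
            {"Attachment": {"InstanceId": "i-EXAMPLE1"}}, {"Attachment": {}}]}

# Constructed run: the check reports every affected instance as reachable.
EXPOSED = handle(SAMPLE_EVENT, StubEC2(), lambda instance_id: True)
```

The list returned by `handle` is what the function would forward to a notification channel; an empty list means the change exposed nothing.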

Test yourself

Solve the quiz given below to test what you’ve learned about Reachability Analyzer.

1. Which of the following is the primary purpose of AWS Reachability Analyzer?

A) Identify unused AWS resources

B) Check the health of EC2 instances

C) Analyze internet traffic flow

D) Test network connectivity within a VPC


Conclusion

The AWS Reachability Analyzer is a game changer for network engineers and administrators. It provides a comprehensive analysis of network configurations and paths within a VPC and allows users to identify and troubleshoot connectivity issues.


Copyright ©2024 Educative, Inc. All rights reserved