2 AWSome tools to optimize, troubleshoot, and secure AWS network architectures
Amazon VPC Reachability Analyzer and Network Access Analyzer
Summary
You have a complex network architecture that spans multiple AWS accounts: multiple VPCs; public, private and database subnets; ALBs and NLBs; and several layers of network security controls including network ACLs, security groups and network firewalls. Managing, troubleshooting and optimizing such a network can be tedious.
AWS offers tools to help with this; in this article we discuss two of them: Amazon VPC Reachability Analyzer and Amazon VPC Network Access Analyzer. We cover what each one does, the use cases it fits, and how to apply it in practice.
Tools
What is Amazon VPC Reachability Analyzer?
Reachability Analyzer is a network diagnostic tool that checks whether a given source can communicate with a destination in your AWS environment. It does not send any packets: it analyzes the configuration along the path (route tables, security groups, network ACLs, gateways and so on) and reports which component blocks connectivity, so it points you at the hop in the path that needs attention and makes troubleshooting faster and less tedious.
Key Features:
Provides a path-level analysis of network connectivity.
Pinpoints misconfigurations in security groups, route tables, network ACLs etc.
Offers actionable insights for resolving connectivity issues.
Use Cases
Troubleshooting Connectivity Issues:
- Example: Verify if an EC2 instance in a private subnet can communicate with an RDS instance in a database subnet.
Validating Network Changes:
- Example: Before deploying changes, confirm that new configurations allow intended communication paths.
Incident Resolution:
- Example: Quickly identify the root cause of network outages.
What is Amazon VPC Network Access Analyzer?
Amazon VPC Network Access Analyzer evaluates your network configuration against access requirements that you express as network access scopes (for example, "nothing in a prod VPC is reachable from the internet"). It reports every network path that violates a scope, which surfaces risks such as overly permissive access controls or unintended internet exposure.
Key Features:
Scans all network paths in a VPC, or across VPCs, against a scope you define.
Identifies overly permissive security group rules and routes.
Ships AWS-created scopes for common checks such as internet ingress and egress, alongside the scopes you define yourself.
Use Cases:
Proactive Risk Assessment:
- Example: Detect and fix overly permissive security group rules.
Compliance Audits:
- Example: Ensure configurations align with internal security policies.
Multi-VPC Environment Validation:
- Example: Verify that network segmentation rules are enforced.
Detailed Examples
Scenario 1
You have a multi-account, multi-VPC setup with shared services VPCs hosting services that are consumed by workloads deployed in other accounts.
VPCs are created per environment (prod, staging, dev and so on) for each service.
The VPCs are connected in a hub and spoke model using Transit Gateways.
Cross-region connectivity is established using Transit Gateway peering.
Now imagine that your prod service, running on an EC2 instance in ProdAccountA, cannot reach a shared service running in a shared services VPC in SharedServicesAccount.
Reachability Analyzer
Give Reachability Analyzer a source and a destination. Either end can be an EC2 instance, a network interface, an internet gateway, a VPN gateway, a VPC peering connection, a transit gateway or transit gateway attachment, or a VPC endpoint, optionally narrowed with a source or destination IP address, a protocol and a destination port. Choose the endpoints according to how much of the path you want to examine: instance to instance for the whole path, or transit gateway attachment to instance to isolate the hub-and-spoke leg.
Reachability Analyzer also works across the accounts in your AWS Organization: enable trusted access for it in AWS Organizations and register a delegated administrator account, and that account can analyze paths whose source and destination live in different member accounts.
I recommend making your shared networking account (the one that hosts the Transit Gateways, any shared Network Firewalls and similar) the delegated administrator, since that is where the hub-and-spoke paths converge.
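The procedure above, scripted end to end, as an added example that is not code from the original article: create the path, start the analysis, poll until it finishes, then reduce the result to "reachable or not, and which component is blocking". It assumes boto3, credentials allowed to call CreateNetworkInsightsPath, StartNetworkInsightsAnalysis and DescribeNetworkInsightsAnalyses, and the instance IDs in the __main__ block are hypothetical placeholders. The summarize() function is pure and is exercised on a constructed sample response, so the triage logic can be checked without an AWS account.

```python
"""Reachability Analyzer end to end: create path, run analysis, poll, triage.

Added example, not code from the original article. Needs boto3 and credentials
with ec2:CreateNetworkInsightsPath, ec2:StartNetworkInsightsAnalysis and
ec2:DescribeNetworkInsightsAnalyses. All resource IDs below are hypothetical.
"""
import time

# Explanation fields that carry an AnalysisComponent ({"Id", "Arn", "Name"}),
# ordered from most to least specific so the first hit is the thing to fix.
COMPONENT_KEYS = ("SecurityGroup", "Acl", "RouteTable",
                  "TransitGatewayRouteTable", "TransitGateway",
                  "Subnet", "Vpc", "Component")


def run_reachability_check(ec2, source, destination, port, protocol="tcp",
                           timeout=300, poll_seconds=5):
    """Create a path source -> destination, start one analysis and block until
    it finishes. `ec2` is a boto3 EC2 client created by the caller.
    Returns the NetworkInsightsAnalysis dict from the describe call."""
    path_id = ec2.create_network_insights_path(
        Source=source, Destination=destination,
        Protocol=protocol, DestinationPort=port,
    )["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path_id,
    )["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.monotonic() + timeout
    while True:
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id],
        )["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            return analysis
        if time.monotonic() > deadline:
            raise TimeoutError(f"{analysis_id} still {analysis['Status']} after {timeout}s")
        time.sleep(poll_seconds)


def summarize(analysis):
    """Pure function over one analysis dict (works on a saved response too).
    Returns {"reachable": bool|None, "blockers": [(code, component_id)], "error": str|None}.
    A failed analysis (the service could not evaluate the path) is reported as
    reachable=None, never False, so it is not mistaken for a confirmed block."""
    if analysis.get("Status") == "failed":
        return {"reachable": None, "blockers": [], "error": analysis.get("StatusMessage")}
    blockers = []
    for exp in analysis.get("Explanations", []):
        code = exp.get("ExplanationCode")
        for key in COMPONENT_KEYS:
            comp = exp.get(key)
            if isinstance(comp, dict) and comp.get("Id"):
                blockers.append((code, comp["Id"]))
                break
        else:  # no component attached to this explanation
            blockers.append((code, None))
    return {"reachable": bool(analysis.get("NetworkPathFound")),
            "blockers": blockers, "error": None}


# Constructed sample shaped like one DescribeNetworkInsightsAnalyses entry: the
# path is blocked because the destination security group has no matching
# ingress rule. IDs and the explanation are made up for this example.
SAMPLE_ANALYSIS = {
    "NetworkInsightsAnalysisId": "nia-0123456789abcdef0",
    "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [{
        "ExplanationCode": "ENI_SG_RULES_MISMATCH",
        "Direction": "ingress",
        "SecurityGroup": {"Id": "sg-0abc0abc0abc0abc0"},
        "SecurityGroupRule": {"Direction": "ingress", "Protocol": "tcp"},
    }],
}


if __name__ == "__main__":
    import boto3
    ec2 = boto3.client("ec2")
    result = run_reachability_check(
        ec2,
        source="i-0123456789abcdef0",       # hypothetical prod app instance
        destination="i-0fedcba9876543210",  # hypothetical shared-services instance
        port=443,
    )
    print(summarize(result))
```

Run it from the delegated administrator account when the two instances sit in different member accounts. The summary distinguishes "not reachable" from "analysis failed" on purpose: treating a failed analysis as a block sends you hunting for a rule that does not exist.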
Scenario 2
Your AWS network environment is required to have clear segmentation between prod, staging and dev.
Transit Gateway route tables are used to keep these environments segmented.
You have compliance requirements to meet, and therefore need to audit that prod VPCs can only talk to other prod VPCs and to shared services VPCs.
You also need to ensure that VPN connectivity is limited to the shared services environment and, above all, never reaches prod.
Network Access Analyzer
You can use VPC Network Access Analyzer to verify that this segmentation holds.
Create a network access scope that describes the paths you care about. A scope has two parts: 'MatchPaths', the source/destination (and optional through-resource) combinations that should produce findings, and 'ExcludePaths', the combinations that are permitted and must not. For this audit the prod VPCs are the destinations in MatchPaths; prod-to-prod and shared-services-to-prod go into ExcludePaths, so anything left over (staging, dev, or the VPN reaching prod) is reported as a finding.
The same mechanism covers internet exposure: a scope whose source is the internet gateway resource type and whose destination is the prod VPCs reports any prod VPC that is reachable from the internet at all.
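The scope for this audit, built and run as an added example that is not code from the original article. It assumes boto3 and credentials allowed to call CreateNetworkInsightsAccessScope, StartNetworkInsightsAccessScopeAnalysis, DescribeNetworkInsightsAccessScopeAnalyses and GetNetworkInsightsAccessScopeAnalysisFindings; every VPC and VPN ID is hypothetical, and the VPN entry point is assumed to be the Transit Gateway VPN attachment (use the virtual private gateway ID instead if the VPN terminates there). The scope builder and the findings summary are pure functions and are checked against constructed data; the AWS calls run only from __main__.

```python
"""Network Access Analyzer scope for the prod segmentation audit.

Added example, not code from the original article. Needs boto3 and credentials
for ec2:CreateNetworkInsightsAccessScope, ec2:StartNetworkInsightsAccessScopeAnalysis,
ec2:DescribeNetworkInsightsAccessScopeAnalyses and
ec2:GetNetworkInsightsAccessScopeAnalysisFindings. All IDs are hypothetical.
"""
import time


def build_prod_segmentation_scope(prod_vpcs, shared_vpcs, vpn_sources):
    """Return (MatchPaths, ExcludePaths) in CreateNetworkInsightsAccessScope shape.

    MatchPaths are the flows we want to hear about, ExcludePaths remove the
    permitted ones, so every finding the analysis produces is a violation:
      1. VPN entry point  -> any prod VPC   (never allowed)
      2. internet gateway -> any prod VPC   (never allowed)
      3. any VPC          -> any prod VPC, minus prod/shared sources (excluded)
    """
    prod_dest = {"ResourceStatement": {"Resources": list(prod_vpcs)}}
    match_paths = [
        {"Source": {"ResourceStatement": {"Resources": list(vpn_sources)}},
         "Destination": prod_dest},
        {"Source": {"ResourceStatement": {"ResourceTypes": ["AWS::EC2::InternetGateway"]}},
         "Destination": prod_dest},
        {"Source": {"ResourceStatement": {"ResourceTypes": ["AWS::EC2::VPC"]}},
         "Destination": prod_dest},
    ]
    exclude_paths = [
        {"Source": {"ResourceStatement": {"Resources": list(prod_vpcs) + list(shared_vpcs)}},
         "Destination": prod_dest},
    ]
    return match_paths, exclude_paths


def create_and_run_scope(ec2, match_paths, exclude_paths, timeout=900, poll_seconds=15):
    """Create the scope, start one analysis, wait for it, return all findings."""
    scope_id = ec2.create_network_insights_access_scope(
        MatchPaths=match_paths, ExcludePaths=exclude_paths,
    )["NetworkInsightsAccessScope"]["NetworkInsightsAccessScopeId"]
    analysis_id = ec2.start_network_insights_access_scope_analysis(
        NetworkInsightsAccessScopeId=scope_id,
    )["NetworkInsightsAccessScopeAnalysis"]["NetworkInsightsAccessScopeAnalysisId"]
    deadline = time.monotonic() + timeout
    while True:
        status = ec2.describe_network_insights_access_scope_analyses(
            NetworkInsightsAccessScopeAnalysisIds=[analysis_id],
        )["NetworkInsightsAccessScopeAnalyses"][0]["Status"]
        if status == "succeeded":
            break
        if status == "failed":
            raise RuntimeError(f"access scope analysis {analysis_id} failed")
        if time.monotonic() > deadline:
            raise TimeoutError(f"{analysis_id} still {status} after {timeout}s")
        time.sleep(poll_seconds)
    findings, token = [], None
    while True:  # findings are paginated with NextToken
        kwargs = {"NetworkInsightsAccessScopeAnalysisId": analysis_id}
        if token:
            kwargs["NextToken"] = token
        page = ec2.get_network_insights_access_scope_analysis_findings(**kwargs)
        findings.extend(page.get("AnalysisFindings", []))
        token = page.get("NextToken")
        if not token:
            return findings


def summarize_findings(findings):
    """Pure: map each finding to the ordered component IDs along its path, which
    is the chain (entry point, TGW route table, VPC, ...) you need to fix."""
    return {
        f["FindingId"]: [pc.get("Component", {}).get("Id")
                         for pc in sorted(f.get("FindingComponents", []),
                                          key=lambda pc: pc.get("SequenceNumber", 0))]
        for f in findings
    }


# Constructed sample shaped like GetNetworkInsightsAccessScopeAnalysisFindings
# output: a VPN path that lands in a prod VPC through a TGW route table.
SAMPLE_FINDINGS = [{
    "FindingId": "finding-1",
    "FindingComponents": [
        {"SequenceNumber": 2, "Component": {"Id": "tgw-rtb-0123456789abcdef0"}},
        {"SequenceNumber": 1, "Component": {"Id": "tgw-attach-0123456789abcdef0"}},
        {"SequenceNumber": 3, "Component": {"Id": "vpc-0123456789abcdef0"}},
    ],
}]


if __name__ == "__main__":
    import boto3
    match, exclude = build_prod_segmentation_scope(
        prod_vpcs=["vpc-0123456789abcdef0"],           # hypothetical IDs
        shared_vpcs=["vpc-0fedcba9876543210"],
        vpn_sources=["tgw-attach-0123456789abcdef0"],  # the VPN's TGW attachment
    )
    results = summarize_findings(create_and_run_scope(boto3.client("ec2"), match, exclude))
    for finding_id, path in results.items():
        print(finding_id, " -> ".join(str(p) for p in path))
```

An empty result is the passing state for the audit; any finding names, hop by hop, the Transit Gateway route table entry or VPC route that lets a non-prod, VPN or internet source into prod. Keep the scope and re-run the analysis on a schedule rather than once, since a single route added later silently reopens the path.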