Getting started with VPC Reachability Analyzer using the AWS CLI - Amazon Virtual Private Cloud

Getting started with VPC Reachability Analyzer using the AWS CLI

You can use VPC Reachability Analyzer to determine whether a destination resource in your virtual private cloud (VPC) is reachable from a source resource. To get started, you specify a source and a destination. For example, you can run a reachability analysis between two network interfaces or between a network interface and a gateway. If there is a reachable path between the source and destination, Reachability Analyzer displays the details. Otherwise, Reachability Analyzer identifies the blocking component.

Before you begin

Verify that your source and destination resources meet the following requirements.

  • The following resource types are supported as sources and destinations:

    • Instances

    • Internet gateways

    • Network interfaces

    • Transit gateways

    • VPC endpoints

    • VPC peering connections

    • VPN gateways

  • The source and destination resources must be owned by the same AWS account.

  • The source and destination resources must be in the same Region.

  • The source and destination resources must be in the same VPC or in VPCs that are connected through a VPC peering connection. In the case of a shared VPC, the resources must be owned by the same AWS account.

Step 1: Create a path

Use the following create-network-insights-path command to create a path. In this example, the source is an internet gateway and the destination is an EC2 instance.

aws ec2 create-network-insights-path --source igw-0797cccdc9d73b0e5 --destination i-0495d385ad28331c7 --destination-port 22 --protocol TCP

The following is example output.

{
    "NetworkInsightsPaths": {
        "NetworkInsightsPathId": "nip-0b26f224f1d131fa8",
        "NetworkInsightsPathArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-path/nip-0b26f224f1d131fa8",
        "CreatedDate": "2021-01-20T22:43:46.933Z",
        "Source": "igw-0797cccdc9d73b0e5",
        "Destination": "i-0495d385ad28331c7",
        "Protocol": "tcp"
    }
}

Step 2: Analyze the path

Use the following start-network-insights-analysis command to determine whether the destination is reachable using the protocol and port that you specified for the path. The analysis can take a few minutes to complete.

aws ec2 start-network-insights-analysis --network-insights-path-id nip-0b26f224f1d131fa8

The following is example output.

{
    "NetworkInsightsAnalysis": {
        "NetworkInsightsAnalysisId": "nia-02207aa13eb480c7a",
        "NetworkInsightsAnalysisArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-analysis/nia-02207aa13eb480c7a",
        "NetworkInsightsPathId": "nip-0b26f224f1d131fa8",
        "StartDate": "2021-01-20T22:58:37.495Z",
        "Status": "running"
    }
}

Step 3: Get the results of the path analysis

After the path analysis completes, you can view the results using the describe-network-insights-analyses command.

aws ec2 describe-network-insights-analyses --network-insights-analysis-ids nia-02207aa13eb480c7a

Example 1: Not reachable

The following is example output where the path is not reachable. When a path is not reachable, NetworkPathFound is false and ExplanationCode contains an explanation code. For descriptions of the explanation codes, see VPC Reachability Analyzer explanation codes. In this example, ENI_SG_RULES_MISMATCH indicates that the security group does not allow the traffic. After you add a rule to the security group to allow the traffic, you can reanalyze the same path and confirm that it is reachable.

{
    "NetworkInsightsAnalyses": [
        {
            "NetworkInsightsAnalysisId": "nia-02207aa13eb480c7a",
            "NetworkInsightsAnalysisArn": "arn:aws:ec2:us-east-1:123456789012:network-insights-analysis/nia-02207aa13eb480c7a",
            "NetworkInsightsPathId": "nip-0b26f224f1d131fa8",
            "StartDate": "2021-01-20T22:58:37.495Z",
            "Status": "succeeded",
            "NetworkPathFound": false,
            "Explanations": [
                {
                    "Direction": "ingress",
                    "ExplanationCode": "ENI_SG_RULES_MISMATCH",
                    "NetworkInterface": {
                        "Id": "eni-0a25edef15a6cc08c",
                        "Arn": "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0a25edef15a6cc08c"
                    },
                    "SecurityGroups": [
                        {
                            "Id": "sg-02f0d35a850ba727f",
                            "Arn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-02f0d35a850ba727f"
                        }
                    ],
                    "Subnet": {
                        "Id": "subnet-004ff41eccb4d1194",
                        "Arn": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-004ff41eccb4d1194"
                    },
                    "Vpc": {
                        "Id": "vpc-f1663d98ad28331c7",
                        "Arn": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-f1663d98ad28331c7"
                    }
                }
            ],
            "Tags": []
        }
    ]
}

Example 2: Reachable

The following is example output where the path is reachable. When a path is reachable, NetworkPathFound is true, ForwardPathComponents contains component-by-component details about the shortest reachable path from source to destination, and ReturnPathComponents contains component-by-component details about the shortest reachable path from destination to source.

{
    "NetworkInsightsAnalyses": [
        {
            "NetworkInsightsAnalysisId": "nia-076744f74a04c3c7f",
            "NetworkInsightsAnalysisArn": "arn:aws:ec2:us-west-2:123456789012:network-insights-analysis/nia-076744f74a04c3c7f",
            "NetworkInsightsPathId": "nip-0614b9507b4e3e989",
            "StartDate": "2021-01-20T23:47:08.080Z",
            "Status": "succeeded",
            "NetworkPathFound": true,
            "ForwardPathComponents": [
                {
                    "SequenceNumber": 1,
                    "Component": {
                        "Id": "igw-0797cccdc9d73b0e5",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:internet-gateway/igw-0797cccdc9d73b0e5"
                    },
                    "OutboundHeader": {
                        "DestinationAddresses": [ "10.0.2.87/32" ]
                    },
                    "InboundHeader": {
                        "DestinationAddresses": [ "35.161.108.53/32" ],
                        "DestinationPortRanges": [ { "From": 443, "To": 443 } ],
                        "Protocol": "6",
                        "SourceAddresses": [ "0.0.0.0/5", "11.0.0.0/8", "12.0.0.0/6", ... ],
                        "SourcePortRanges": [ { "From": 0, "To": 65535 } ]
                    }
                },
                {
                    "SequenceNumber": 2,
                    "AclRule": {
                        "Cidr": "0.0.0.0/0",
                        "Egress": false,
                        "Protocol": "all",
                        "RuleAction": "allow",
                        "RuleNumber": 100
                    },
                    "Component": {
                        "Id": "acl-f3663d9a",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:network-acl/acl-f3663d9a"
                    }
                },
                {
                    "SequenceNumber": 3,
                    "Component": {
                        "Id": "sg-02f0d35a850ba727f",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:security-group/sg-02f0d35a850ba727f"
                    },
                    "SecurityGroupRule": {
                        "Cidr": "0.0.0.0/0",
                        "Direction": "ingress",
                        "PortRange": { "From": 443, "To": 443 },
                        "Protocol": "tcp"
                    }
                },
                {
                    "SequenceNumber": 4,
                    "Component": {
                        "Id": "eni-0a25edef15a6cc08c",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:network-interface/eni-0a25edef15a6cc08c"
                    },
                    "Subnet": {
                        "Id": "subnet-004ff41eccb4d1194",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:subnet/subnet-004ff41eccb4d1194"
                    },
                    "Vpc": {
                        "Id": "vpc-f1663d98ad28331c7",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:vpc/vpc-f1663d98ad28331c7"
                    }
                },
                {
                    "SequenceNumber": 5,
                    "Component": {
                        "Id": "i-0626d4edd54f1286d",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:instance/i-0626d4edd54f1286d"
                    }
                }
            ],
            "ReturnPathComponents": [
                {
                    "SequenceNumber": 1,
                    "Component": {
                        "Id": "i-0626d4edd54f1286d",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:instance/i-0626d4edd54f1286d"
                    },
                    "OutboundHeader": {
                        "DestinationAddresses": [ "0.0.0.0/5", "11.0.0.0/8", "12.0.0.0/6", ... ],
                        "DestinationPortRanges": [ { "From": 0, "To": 65535 } ],
                        "Protocol": "6",
                        "SourceAddresses": [ "10.0.2.87/32" ],
                        "SourcePortRanges": [ { "From": 443, "To": 443 } ]
                    }
                },
                {
                    "SequenceNumber": 2,
                    "Component": {
                        "Id": "eni-0a25edef15a6cc08c",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:network-interface/eni-0a25edef15a6cc08c"
                    },
                    "Subnet": {
                        "Id": "subnet-004ff41eccb4d1194",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:subnet/subnet-004ff41eccb4d1194"
                    },
                    "Vpc": {
                        "Id": "vpc-f1663d98ad28331c7",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:vpc/vpc-f1663d98ad28331c7"
                    }
                },
                {
                    "SequenceNumber": 3,
                    "Component": {
                        "Id": "sg-02f0d35a850ba727f",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:security-group/sg-02f0d35a850ba727f"
                    }
                },
                {
                    "SequenceNumber": 4,
                    "AclRule": {
                        "Cidr": "0.0.0.0/0",
                        "Egress": true,
                        "Protocol": "all",
                        "RuleAction": "allow",
                        "RuleNumber": 100
                    },
                    "Component": {
                        "Id": "acl-0a8e20a0a9f144d36",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:network-acl/acl-0a8e20a0a9f144d36"
                    }
                },
                {
                    "SequenceNumber": 5,
                    "Component": {
                        "Id": "rtb-0d49a54c0a8c0bd9b",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:route-table/rtb-0d49a54c0a8c0bd9b"
                    },
                    "RouteTableRoute": {
                        "DestinationCidr": "0.0.0.0/0",
                        "GatewayId": "igw-0797cccdc9d73b0e5",
                        "Origin": "createroute"
                    }
                },
                {
                    "SequenceNumber": 6,
                    "Component": {
                        "Id": "igw-0797cccdc9d73b0e5",
                        "Arn": "arn:aws:ec2:us-west-2:123456789012:internet-gateway/igw-0797cccdc9d73b0e5"
                    },
                    "OutboundHeader": {
                        "SourceAddresses": [ "35.161.108.53/32" ]
                    }
                }
            ],
            "Tags": []
        }
    ]
}
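As an added example that is not part of the AWS documentation, the following Python reduces a describe-network-insights-analyses response to what an operator acts on: whether the analysis has finished, whether the path was found, the explanation code with the resources it names, the forward hops, and any security group rule on the path that admits traffic from 0.0.0.0/0. The two sample responses are constructed from Example 1 and Example 2 above with ARNs and most other fields trimmed.

```python
# Added example (not from the AWS documentation): summarize describe-network-insights-analyses
# output. The responses below are constructed from the page's Example 1 and 2, most fields trimmed.

UNREACHABLE = {"NetworkInsightsAnalyses": [{
    "NetworkInsightsAnalysisId": "nia-02207aa13eb480c7a", "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [{"Direction": "ingress", "ExplanationCode": "ENI_SG_RULES_MISMATCH",
                      "NetworkInterface": {"Id": "eni-0a25edef15a6cc08c"},
                      "SecurityGroups": [{"Id": "sg-02f0d35a850ba727f"}]}]}]}

REACHABLE = {"NetworkInsightsAnalyses": [{
    "NetworkInsightsAnalysisId": "nia-076744f74a04c3c7f", "Status": "succeeded",
    "NetworkPathFound": True,
    "ForwardPathComponents": [
        {"SequenceNumber": 1, "Component": {"Id": "igw-0797cccdc9d73b0e5"}},
        {"SequenceNumber": 2, "Component": {"Id": "acl-f3663d9a"},
         "AclRule": {"Cidr": "0.0.0.0/0", "Egress": False, "Protocol": "all",
                     "RuleAction": "allow", "RuleNumber": 100}},
        {"SequenceNumber": 3, "Component": {"Id": "sg-02f0d35a850ba727f"},
         "SecurityGroupRule": {"Cidr": "0.0.0.0/0", "Direction": "ingress",
                               "PortRange": {"From": 443, "To": 443}, "Protocol": "tcp"}},
        {"SequenceNumber": 4, "Component": {"Id": "eni-0a25edef15a6cc08c"}},
        {"SequenceNumber": 5, "Component": {"Id": "i-0626d4edd54f1286d"}}]}]}


def summarize(response):
    """Status, reachability, blockers or hops, and SG rules on the path open to 0.0.0.0/0."""
    a = response["NetworkInsightsAnalyses"][0]
    out = {"id": a["NetworkInsightsAnalysisId"], "status": a["Status"]}
    if a["Status"] != "succeeded":  # still "running" (Step 2) or failed: nothing to read yet
        return out
    out["reachable"] = a["NetworkPathFound"]
    if not a["NetworkPathFound"]:
        # Pair each code with the resources it names: the SGs for ENI_SG_RULES_MISMATCH, else the ENI.
        out["blockers"] = [(e["ExplanationCode"],
                            [sg["Id"] for sg in e.get("SecurityGroups", [])]
                            or [e.get("NetworkInterface", {}).get("Id")])
                           for e in a.get("Explanations", [])]
        return out
    comps = sorted(a["ForwardPathComponents"], key=lambda c: c["SequenceNumber"])
    out["hops"] = [c["Component"]["Id"] for c in comps]
    # Ingress rules open to the whole internet: expected for 443 on a web tier,
    # a finding when the path was built for an administrative port such as 22.
    out["world_open_rules"] = [
        (c["Component"]["Id"], c["SecurityGroupRule"]["PortRange"]["From"],
         c["SecurityGroupRule"]["PortRange"]["To"])
        for c in comps if c.get("SecurityGroupRule", {}).get("Cidr") == "0.0.0.0/0"]
    return out
```

Feed it the JSON returned by the describe-network-insights-analyses command in Step 3 (for example via json.load on the CLI output) and re-run it after each rule change until the path is reachable by the hops you expect and no unexpected rule appears in world_open_rules.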