Task Statement 3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.
AWS Certified Advanced Networking – Specialty
1. What "Network Misconfiguration" Means in AWS
A network misconfiguration happens when AWS networking rules or settings are not aligned with intended connectivity.
In AWS, this usually affects communication between:
- EC2 instances inside a VPC
- Different subnets (public/private)
- VPC to internet
- VPC to another VPC (peering or Transit Gateway)
- On-premises to AWS (VPN or Direct Connect)
Even if resources are running, traffic may still fail due to incorrect setup.
2. Common Causes of Connectivity Issues in AWS
You must know these well for the exam:
2.1 Route Table Misconfiguration
- Missing route to destination (e.g., no route to Internet Gateway)
- Incorrect target (wrong NAT Gateway, TGW, or peering connection)
- Overlapping or conflicting routes
2.2 Security Group Issues
- Inbound rule missing (traffic blocked at entry)
- Outbound rule missing (response blocked)
- Incorrect ports or CIDR ranges
- Stateful behavior misunderstood (return traffic is automatically allowed if request is allowed)
2.3 Network ACL (NACL) Issues
- Stateless rules require both inbound and outbound configuration
- Incorrect rule order (lower numbered rules evaluated first)
- Missing ephemeral port range for return traffic
2.4 DNS Misconfiguration
- Wrong Route 53 private hosted zone association
- Instance resolving incorrect IP address
- Split-horizon DNS not configured properly
2.5 Subnet / Internet Gateway Issues
- Instance in private subnet without NAT Gateway
- No Internet Gateway attached to VPC
- Route table not associated with correct subnet
2.6 Cross-VPC Connectivity Issues
- Missing peering route entries
- Overlapping CIDR blocks
- Transit Gateway route table not associated correctly
2.7 On-Premises Connectivity Issues
- VPN tunnel down or misconfigured
- BGP route not advertised properly
- Direct Connect virtual interface misconfiguration
3. Key Tool: VPC Reachability Analyzer
One of the most important exam topics is Reachability Analyzer, an Amazon VPC feature that diagnoses network connectivity issues.
3.1 What It Does
Reachability Analyzer helps you answer:
"Can traffic flow from Source A to Destination B?"
It simulates network paths without needing to send real traffic.
3.2 What It Analyzes
It evaluates all networking layers:
- Route tables
- Security groups
- Network ACLs
- IGW / NAT Gateway
- VPC peering
- Transit Gateway
- VPN / Direct Connect paths
- ENI-level configuration
3.3 How It Works (Exam Understanding)
You define:
- Source (EC2 instance, ENI, subnet, IGW, etc.)
- Destination (another instance, IP, ENI, etc.)
- Protocol (TCP/UDP)
- Port number
Then AWS:
- Simulates packet flow step by step
- Identifies where traffic is allowed or blocked
3.4 Output Results
Reachability Analyzer provides:
Reachable Path
- Shows full path from source to destination
- Confirms which components allow traffic
Not Reachable Path
- Shows exact stopping point
- Example reasons:
- Security group denies traffic
- Route missing
- NACL blocks traffic
This is very important for exam questions:
You must interpret where and why traffic is blocked.
4. How to Interpret Reachability Analyzer Results
When a path fails, focus on:
4.1 "Blocked at Security Group"
- Missing inbound rule for required port (e.g., 443, 22)
- Wrong CIDR or source SG reference
4.2 "Blocked at Network ACL"
- Missing inbound/outbound rule
- Ephemeral port range not allowed (important for return traffic)
4.3 "No Route Found"
- Route table does not include destination
- Missing route to:
- IGW
- NAT Gateway
- Transit Gateway
- VPC Peering
4.4 "Blackhole Route"
- Route exists but target is deleted (e.g., deleted NAT Gateway or TGW attachment)
5. Typical Exam Scenarios
You will often see questions like:
Scenario A: Private subnet cannot access internet
Likely issue:
- Missing NAT Gateway route in route table
Scenario B: EC2 cannot connect to another EC2 in same VPC
Likely issue:
- Security group blocking inbound traffic
- NACL blocking ephemeral ports
Scenario C: On-premises cannot reach VPC instance
Likely issue:
- VPN route not propagated
- TGW route table missing association
Scenario D: Application works intermittently
Likely issue:
- NACL rule order problem
- Asymmetric routing due to misconfigured routes
6. Supporting Tools (Important for Exam)
Even though Reachability Analyzer is primary, you should also know:
6.1 VPC Flow Logs
- Records each flow as ACCEPT or REJECT
- Helps confirm if traffic is blocked at SG or NACL level
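The SG-versus-NACL check that flow logs make possible, as an added example (not part of these notes or an AWS tool): the records, the ENI ID and the account number are constructed, and the heuristic relies on the stateful/stateless difference described in these notes.

```python
# Constructed sample records in the default flow log format (version 2), not from a real
# account: eni-0placeholder belongs to an instance at 10.0.2.20 that receives HTTPS from
# 10.0.1.10 and SSH from 10.0.1.11; protocol 6 is TCP.
SAMPLE_LOG = """\
2 123456789012 eni-0placeholder 10.0.1.10 10.0.2.20 49152 443 6 5 520 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0placeholder 10.0.2.20 10.0.1.10 443 49152 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0placeholder 10.0.1.11 10.0.2.20 50211 22 6 1 60 1700000000 1700000060 REJECT OK
"""
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

def parse_flow_log(text):
    """One dict per record, keyed by the default-format field names."""
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]

def classify_blocks(records, instance_ip):
    """Pair each request arriving at the instance with its reverse-direction reply record
    and name the layer that most likely blocked it. Returns {(client, dstport): verdict}."""
    actions = {}
    for r in records:
        actions[(r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], r["protocol"])] = r["action"]
    verdicts = {}
    for (src, sport, dst, dport, proto), action in actions.items():
        if dst != instance_ip:
            continue  # only the request direction seeds a verdict
        reply = actions.get((dst, dport, src, sport, proto))
        if action == "ACCEPT" and reply == "REJECT":
            # A security group is stateful and never rejects the reply to an accepted
            # request, so this pattern points at the subnet's stateless NACL outbound rules.
            verdict = "NACL outbound (ephemeral port range)"
        elif action == "REJECT":
            verdict = "security group or NACL inbound"
        elif action == "ACCEPT" and reply == "ACCEPT":
            verdict = "not blocked"
        else:
            verdict = "inconclusive (no reply record in this window)"
        verdicts[(src, dport)] = verdict
    return verdicts
```

An inbound REJECT alone cannot distinguish the two layers; only the accepted-request/rejected-reply pair is conclusive.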
6.2 CloudWatch Logs
- Used to analyze flow log data
- Helps detect patterns of failure
6.3 AWS Network Manager
- Used for Transit Gateway topology visibility
- Helps identify routing issues at scale
7. Troubleshooting Method (Exam Strategy)
A strong exam approach is:
Step 1: Identify source and destination
- Instance, subnet, IP, or service
Step 2: Check route tables
- Is there a valid route?
Step 3: Check security groups
- Is inbound/outbound allowed?
Step 4: Check NACL
- Are both inbound and outbound rules correct?
Step 5: Use Reachability Analyzer
- Confirm exact failure point
Step 6: Validate with Flow Logs
- Confirm actual traffic behavior
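The layered walk of steps 2 to 4 above, the failure categories of section 4 and the stateful/ordered differences from the SG-versus-NACL comparison, worked as one added example (a simplified model written for these notes, not Reachability Analyzer or any AWS code): the VPC, rules and route targets are constructed, with placeholder IDs.

```python
import ipaddress

# Constructed sample VPC (not a real account, IDs are placeholders): the route table still
# points 0.0.0.0/0 at a NAT gateway that was deleted, the security group admits only HTTPS,
# and the NACL forgot the ephemeral port range that return traffic needs.
ROUTES = [("10.0.0.0/16", "local", "active"),
          ("0.0.0.0/0", "nat-0placeholder", "blackhole")]
SG_INBOUND = [("tcp", (443, 443), "10.0.0.0/16")]   # stateful: reply is allowed implicitly
NACL_IN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
           (32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
NACL_OUT_BAD = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
                (32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
NACL_OUT_FIXED = [(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")] + NACL_OUT_BAD

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def lookup_route(dst, routes):
    """Longest-prefix match, as a VPC route table does; None means no route at all."""
    hits = [r for r in routes if in_cidr(dst, r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def nacl_verdict(rules, proto, port, ip):
    """Stateless and ordered: the lowest-numbered matching rule decides, else implicit deny."""
    for _, action, rproto, (lo, hi), cidr in sorted(rules):
        if rproto in (proto, "all") and lo <= port <= hi and in_cidr(ip, cidr):
            return action
    return "deny"

def check_path(src, dst, port, proto="tcp", routes=ROUTES, nacl_out=NACL_OUT_BAD, ephemeral=49152):
    """Walk the hops in the order of the troubleshooting steps and stop at the first block."""
    route = lookup_route(dst, routes)
    if route is None:
        return (False, "No route found: route table has no entry covering %s" % dst)
    if route[2] == "blackhole":
        return (False, "Blackhole route: %s -> %s, target no longer exists" % (route[0], route[1]))
    # Security group: all rules are considered, any matching allow rule admits the request
    if not any(p in (proto, "all") and lo <= port <= hi and in_cidr(src, c)
               for p, (lo, hi), c in SG_INBOUND):
        return (False, "Blocked at security group: no inbound rule for %s/%d from %s" % (proto, port, src))
    if nacl_verdict(NACL_IN, proto, port, src) != "allow":
        return (False, "Blocked at network ACL (inbound): %s/%d from %s denied" % (proto, port, src))
    # The NACL is stateless, so the reply to the client's ephemeral port needs its own outbound rule
    if nacl_verdict(nacl_out, proto, ephemeral, src) != "allow":
        return (False, "Blocked at network ACL (outbound): ephemeral port %d not allowed" % ephemeral)
    return (True, "Reachable via %s" % route[1])
```

Swapping NACL_OUT_FIXED in for the outbound ACL is the only change that turns the same-VPC HTTPS case from "Not Reachable" into "Reachable".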
8. Key Differences You Must Remember
Security Group vs NACL
| Feature | Security Group | NACL |
|---|---|---|
| Stateful | Yes | No |
| Rule evaluation | All rules evaluated | Ordered rules |
| Default behavior | Deny inbound, allow outbound | Allow all (default) |
| Scope | Instance level | Subnet level |
9. Exam Tips (Very Important)
- Always think in layers of network path
- Most issues are caused by:
- Security group
- Route table
- NACL
- Reachability Analyzer is the fastest way to pinpoint failure
- If traffic is blocked, identify exact hop where it fails
- Remember: SG issues are most common in exam scenarios
- Transit Gateway questions often involve missing route table associations
10. Summary
To troubleshoot AWS network misconfiguration:
- Understand route tables, SGs, and NACLs deeply
- Use Reachability Analyzer to simulate packet flow
- Identify the exact blocking point in the path
- Validate with VPC Flow Logs if needed
- Apply structured troubleshooting steps
