Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What is “Test Connectivity” in AWS?
Test connectivity means checking whether traffic can successfully travel:
- From on-premises → AWS
- From AWS → on-premises
- Between AWS resources (VPCs, subnets, instances)
It helps you answer:
- Can this source reach the destination?
- If not, where is it blocked?
2. Why Testing Connectivity is Important
In AWS networking, issues often occur due to:
- Wrong route tables
- Missing routes
- Security groups blocking traffic
- Network ACL rules
- Firewall restrictions
- VPN or Direct Connect misconfiguration
Instead of manually checking everything, AWS provides tools to automatically analyze the network path.
3. Main AWS Connectivity Testing Tools
You must know these two tools:
1. Reachability Analyzer
2. Route Analyzer (Transit Gateway Network Manager)
4. Reachability Analyzer
4.1 What is Reachability Analyzer?
Reachability Analyzer is an AWS tool that:
- Checks if a network path exists
- Between a source and destination
- Within AWS (mostly VPC-based resources)
It performs a static analysis (not sending real traffic).
4.2 How It Works
You define:
- Source (e.g., EC2 instance, ENI)
- Destination (e.g., another EC2, load balancer)
AWS then:
- Simulates the network path
- Checks every component:
- Route tables
- Security groups
- NACLs
- Gateways
4.3 What It Can Analyze
- EC2 to EC2
- EC2 to Internet Gateway
- EC2 to NAT Gateway
- EC2 to VPC endpoint
- Cross-VPC (via peering or Transit Gateway)
4.4 Output of Reachability Analyzer
It provides:
If reachable:
- Full path (hop-by-hop)
If NOT reachable:
- Exact failure point:
- “Blocked by Security Group”
- “No route in route table”
- “NACL denies traffic”
4.5 Example (IT Scenario)
You deploy:
- Application server in private subnet
- Database in another subnet
Connection fails.
Using Reachability Analyzer:
- You discover:
- Security group does not allow port 3306
4.6 Key Exam Points
- Does NOT send real packets
- Works at configuration level
- Helps identify misconfigurations quickly
- Supports cross-account (with permissions)
5. Route Analyzer (Transit Gateway)
5.1 What is Route Analyzer?
Route Analyzer is part of:
- AWS Transit Gateway Network Manager
It is used to:
- Analyze routing across:
- Transit Gateway
- On-premises networks
- VPN / Direct Connect
5.2 Why Route Analyzer is Needed
Reachability Analyzer mainly focuses on VPC-level connectivity, but:
When you have:
- Multiple VPCs
- On-premises data centers
- Transit Gateway
You need end-to-end route validation.
5.3 What It Does
Route Analyzer:
- Evaluates routing paths across:
- Transit Gateway route tables
- Attachments (VPC, VPN, Direct Connect)
- Verifies if:
- A route exists
- Traffic can flow correctly
5.4 Example (IT Scenario)
You have:
- On-premises network connected via VPN
- Transit Gateway connected to multiple VPCs
Problem:
- On-premises cannot reach application in VPC
Route Analyzer shows:
- Missing route in Transit Gateway route table
5.5 Key Exam Points
- Works with:
- Transit Gateway
- AWS global network
- Helps troubleshoot:
- Hybrid connectivity (on-prem + AWS)
- Focuses on routing issues
6. Reachability Analyzer vs Route Analyzer
| Feature | Reachability Analyzer | Route Analyzer |
|---|---|---|
| Scope | VPC-level | Transit Gateway / Hybrid |
| Traffic Type | Simulated | Route evaluation |
| Checks | SG, NACL, routes | Routes only |
| Use Case | Instance connectivity | On-prem to AWS routing |
| Real packets | No | No |
7. Other Supporting Connectivity Testing Methods
Even though exam focuses on analyzers, you should also know:
7.1 VPC Flow Logs
- Capture network traffic metadata
- Helps identify:
- Accepted traffic
- Rejected traffic
7.2 Ping / Traceroute (From EC2 or On-prem)
- Tests real connectivity
- Requires:
- ICMP allowed
7.3 AWS Network Manager
- Centralized monitoring
- Visualizes:
- Global network
- Connections
8. Common Connectivity Issues (Exam Focus)
Be ready to identify these:
1. Route Table Issues
- No route to destination
- Wrong target (e.g., IGW instead of TGW)
2. Security Group Issues
- Port not allowed
- Wrong source/destination
3. NACL Issues
- Explicit deny rule
4. VPN / Direct Connect Issues
- BGP routes not advertised
- Tunnel down
5. Transit Gateway Issues
- Missing route table association
- Incorrect propagation
9. Step-by-Step Troubleshooting Approach (Exam Strategy)
When connectivity fails:
Step 1: Check Routing
- Route tables
- Transit Gateway routes
Step 2: Check Security
- Security groups
- NACLs
Step 3: Use Tools
- Reachability Analyzer → find exact block
- Route Analyzer → check hybrid routing
Step 4: Validate
- Test again after fixing
10. Key Exam Tips (VERY IMPORTANT)
- Reachability Analyzer = configuration path validation
- Route Analyzer = routing validation (especially hybrid)
Remember:
- If question involves:
- EC2 → EC2 issue → Use Reachability Analyzer
- If question involves:
- On-prem → AWS via TGW → Use Route Analyzer
11. Quick Summary
- AWS provides built-in tools to test connectivity without sending real traffic
- Reachability Analyzer
- Checks full network path inside AWS
- Identifies exact blocking component
- Route Analyzer
- Focuses on routing across Transit Gateway and hybrid networks
- Both tools are critical for troubleshooting and validation
