Task Statement 3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. Overview (What this topic is about)
In Amazon Web Services networks, routing issues happen when traffic cannot reach its destination due to:
- Incorrect route tables
- Security group or NACL blocks
- Missing VPN / Direct Connect / Transit Gateway routes
- Misconfigured VPC peering or attachments
- Asymmetric routing paths
To troubleshoot and optimize connectivity, AWS provides tools that help you:
- Visualize network paths
- Test connectivity between resources
- Detect where traffic is blocked
- Analyze routing configuration across multiple VPCs and hybrid networks
The two key tools are:
- VPC Reachability Analyzer
- AWS Transit Gateway Network Manager
2. VPC Reachability Analyzer
2.1 What it is
Reachability Analyzer is a configuration analysis tool that checks whether a network path between a source and destination is reachable or blocked.
It does NOT send real traffic. Instead, it analyzes AWS configurations.
2.2 What it analyzes
It checks the full path, including:
- VPC route tables
- Security groups
- Network ACLs
- Internet Gateways
- NAT Gateways
- VPC Peering
- Transit Gateway attachments
- VPN connections
2.3 How it works (workflow)
- You define a source (example: EC2 instance ENI)
- You define a destination (example: another ENI, IP, or instance)
- You run an analysis
- AWS builds a possible network path
- It checks every hop for:
- Allowed traffic
- Blocked rules
- Missing routes
2.4 Output of Reachability Analyzer
It gives:
- Reachable / Not reachable status
- Step-by-step path
- Exact blocking component (very important for exams), such as:
- Security group denies traffic
- Route table missing route
- NACL denies port
- Transit Gateway route missing
2.5 Common use cases
- Troubleshooting EC2 to EC2 communication issues
- Checking VPC peering connectivity problems
- Validating hybrid connectivity (VPN / Direct Connect)
- Confirming security group changes impact
- Verifying routing before deployment
2.6 Exam important points
- It is non-intrusive (no traffic is sent)
- It analyzes configuration only
- It helps identify exact blocking point
- Works across VPC and hybrid networks
3. AWS Transit Gateway Network Manager
3.1 What it is
Transit Gateway Network Manager is a centralized tool used to:
- Monitor global network topology
- Manage Transit Gateway attachments
- Analyze routing across multiple regions and networks
- Detect connectivity issues in large-scale architectures
It is mainly used for multi-VPC and hybrid network environments.
3.2 What it manages
It provides visibility for:
- Transit Gateways
- VPC attachments
- VPN attachments
- AWS Direct Connect gateways
- On-premises networks (via Site-to-Site VPN or Direct Connect)
3.3 Key features
1. Global Network Topology View
- Shows all VPCs, regions, and connections in one place
- Helps understand routing structure
2. Route Analysis
- Checks how traffic flows between:
- VPC → VPC
- VPC → On-premises
- Cross-region networks
- Identifies missing or incorrect routes
3. Monitoring and Health Insights
- Detects:
- Tunnel down (VPN issues)
- Attachment failures
- Routing misconfigurations
4. Transit Gateway Route Visibility
- Shows which route tables are used
- Helps verify propagation and static routes
5. Integration with Network Logs
- Uses:
- VPC Flow Logs
- CloudWatch metrics
- Helps correlate routing issues with traffic behavior
3.4 Common use cases
- Managing global enterprise networks
- Troubleshooting multi-region connectivity
- Monitoring Transit Gateway routing behavior
- Validating hybrid cloud routing (on-prem + AWS)
- Identifying broken VPN or Direct Connect paths
3.5 Exam important points
- Designed for large-scale multi-account / multi-region networks
- Focuses on Transit Gateway-based architectures
- Provides topology + routing + monitoring
- Helps detect issues across hybrid networks
4. Reachability Analyzer vs Transit Gateway Network Manager
| Feature | Reachability Analyzer | Transit Gateway Network Manager |
|---|---|---|
| Scope | Single path analysis | Entire network topology |
| Type | Connectivity test | Network monitoring & management |
| Focus | “Can this reach that?” | “How is my network structured?” |
| Works with | VPC-level resources | Transit Gateway + hybrid networks |
| Output | Pass/fail + path details | Topology + routing insights |
5. Troubleshooting Strategy (Exam Approach)
When a routing issue appears:
Step 1: Use Reachability Analyzer
- Check exact source → destination path
- Identify blocking component
Step 2: Verify routing
- Route tables in VPC
- Transit Gateway route tables
- VPN/Direct Connect routes
Step 3: Use Network Manager (if large network)
- Check topology issues
- Validate TGW attachments
- Check cross-region routing
6. Common Exam Scenarios
You may see questions like:
Scenario 1
“EC2 cannot connect to another EC2 in different VPC”
👉 Use Reachability Analyzer to find:
- Missing route table entry OR security group issue
Scenario 2
“Multiple VPCs across regions are not communicating”
👉 Use Transit Gateway Network Manager:
- Check TGW route propagation
- Check attachment status
Scenario 3
“Need to verify if a network path is allowed before deployment”
👉 Use Reachability Analyzer (pre-check configuration)
7. Key Exam Takeaways
- Reachability Analyzer = path-level troubleshooting tool
- Transit Gateway Network Manager = global network visibility tool
- Both tools are configuration-based (no real traffic required)
- Critical for troubleshooting routing and connectivity issues
- Essential for hybrid and multi-VPC architectures
