VPC Reachability Analyzer
A troubleshooting tool that statically analyzes network reachability between two resources within a VPC, identifying the cause of connectivity failures
Overview
VPC Reachability Analyzer is a service that statically analyzes network reachability between two specified resources within a VPC, identifying the cause of connectivity failures without sending actual traffic. It evaluates all network components along the path (security groups, network ACLs, route tables, VPC peering, Transit Gateway, etc.) to determine whether traffic can flow and, if not, which component is blocking it. This eliminates the need for time-consuming manual verification of each network layer during troubleshooting.
Analysis Path Configuration and Supported Resource Types
Reachability Analyzer analysis requires specifying a source and destination. Supported resource types include EC2 instances, network interfaces (ENIs), Internet Gateways, VPN Gateways, Transit Gateways, VPC peering connections, VPC endpoints, and Network Load Balancers. You can also specify IP addresses and ports to analyze reachability for specific protocols and port combinations. The analysis evaluates the entire path statically using configuration data without sending actual packets, meaning it works even when instances are stopped or security groups block all traffic. Results show either a reachable path with all hops listed, or an unreachable result identifying the specific component blocking traffic. Analysis completes in seconds regardless of network complexity, making it far faster than manual troubleshooting.
Troubleshooting Use Patterns
The most common use case is diagnosing why an application cannot connect to a database or external service. Instead of manually checking each security group, NACL, and route table, you specify the source (application EC2) and destination (RDS endpoint) and immediately see which component blocks the path. For multi-tier architectures, you can verify reachability between each tier: web to app, app to database, app to cache. When network changes cause unexpected connectivity loss, Reachability Analyzer quickly identifies whether the issue is a missing route, a restrictive security group rule, or a NACL deny rule. It is also valuable during infrastructure changes - before applying security group modifications, you can verify that critical paths remain reachable. Integration with CloudFormation enables pre-deployment reachability verification as part of change management processes.
Continuous Network Verification and Operational Integration
Beyond ad-hoc troubleshooting, Reachability Analyzer supports continuous network verification through saved analysis paths. You can save frequently checked paths and re-run them periodically or after changes to detect configuration drift. Automating this through Lambda and EventBridge enables scheduled reachability checks with SNS notifications when paths become unreachable. For compliance, saved paths documenting critical connectivity requirements serve as evidence that network segmentation is maintained. Cost is based on the number of analyses performed, making it economical for regular verification. The distinction from Network Access Analyzer is clear: Reachability Analyzer answers 'can A reach B?' for specific point-to-point troubleshooting, while Network Access Analyzer answers 'what can reach what?' for comprehensive security posture assessment.