// Debugging AWS network connectivity issues including Amazon Virtual Private Cloud (Amazon VPC), security groups, network ACLs (NACLs), route tables, VPC endpoints, DNS, load balancers, and AWS Transit Gateway. Use when troubleshooting connectivity failures or validating network paths.
| name | aws-network-diagnostics |
| description | Debugging AWS network connectivity issues including Amazon Virtual Private Cloud (Amazon VPC), security groups, network ACLs (NACLs), route tables, VPC endpoints, DNS, load balancers, and AWS Transit Gateway. Use when troubleshooting connectivity failures or validating network paths. |
Security: Always ensure diagnosed resources meet or exceed the security configuration of the source resources. Refer to SECURITY.md for security requirements.
# Create analysis path
aws ec2 create-network-insights-path --source <eni-or-instance-id> --destination <eni-or-instance-id> --protocol TCP --destination-port <port> --region <region>
# Start analysis
aws ec2 start-network-insights-analysis --network-insights-path-id <path-id> --region <region>
# Get results
aws ec2 describe-network-insights-analyses --network-insights-analysis-ids <analysis-id> --region <region> --query 'NetworkInsightsAnalyses[0].{Reachable:NetworkPathFound,Explanations:Explanations}'
# Check inbound rules for a SG
aws ec2 describe-security-groups --group-ids <sg-id> --region <region> --query 'SecurityGroups[0].IpPermissions[*].{Proto:IpProtocol,FromPort:FromPort,ToPort:ToPort,Sources:IpRanges[*].CidrIp,SGSources:UserIdGroupPairs[*].GroupId}'
# Check outbound rules
aws ec2 describe-security-groups --group-ids <sg-id> --region <region> --query 'SecurityGroups[0].IpPermissionsEgress[*].{Proto:IpProtocol,FromPort:FromPort,ToPort:ToPort,Dest:IpRanges[*].CidrIp}'
# Find SGs attached to an instance
aws ec2 describe-instances --instance-ids <id> --region <region> --query 'Reservations[0].Instances[0].SecurityGroups'
# Find SGs allowing a specific port
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=<port>" "Name=ip-permission.to-port,Values=<port>" --region <region> --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName}'
# Get NACLs for a subnet
aws ec2 describe-network-acls --filters "Name=association.subnet-id,Values=<subnet-id>" --region <region> --query 'NetworkAcls[0].Entries[*].{Rule:RuleNumber,Action:RuleAction,Proto:Protocol,CIDR:CidrBlock,Ports:PortRange,Egress:Egress}' --output table
# Get routes for a subnet
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet-id>" --region <region> --query 'RouteTables[0].Routes[*].{Dest:DestinationCidrBlock,Target:GatewayId||NatGatewayId||TransitGatewayId||VpcPeeringConnectionId,State:State}'
# Check if subnet is public (has route to IGW)
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet-id>" --region <region> --query 'RouteTables[0].Routes[?GatewayId!=`null` && starts_with(GatewayId,`igw-`)]'
# List VPC endpoints
aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values=<vpc-id>" --region <region> --query 'VpcEndpoints[*].{ID:VpcEndpointId,Service:ServiceName,Type:VpcEndpointType,State:State}'
# Check endpoint policy
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <ep-id> --region <region> --query 'VpcEndpoints[0].PolicyDocument'
# Check VPC DNS settings
aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsSupport --region <region>
aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsHostnames --region <region>
# Check Route 53 resolver rules
aws route53resolver list-resolver-rules --region <region> --query 'ResolverRules[*].{ID:Id,Domain:DomainName,Type:RuleType,Status:Status}'
# From EC2 instance: test DNS resolution
# dig <hostname>
# nslookup <hostname>
# host <hostname>
# ALB health check status
aws elbv2 describe-target-health --target-group-arn <tg-arn> --region <region> --query 'TargetHealthDescriptions[*].{Target:Target.Id,Port:Target.Port,State:TargetHealth.State,Reason:TargetHealth.Reason}'
# ALB listener rules
aws elbv2 describe-rules --listener-arn <listener-arn> --region <region>
# NLB target health
aws elbv2 describe-target-health --target-group-arn <tg-arn> --region <region>
# Classic ELB health
aws elb describe-instance-health --load-balancer-name <name> --region <region>
# Check NAT Gateway status
aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=<vpc-id>" --region <region> --query 'NatGateways[*].{ID:NatGatewayId,State:State,Subnet:SubnetId,PublicIP:NatGatewayAddresses[0].PublicIp}'
# Check peering status
aws ec2 describe-vpc-peering-connections --filters "Name=requester-vpc-info.vpc-id,Values=<vpc-id>" --region <region> --query 'VpcPeeringConnections[*].{ID:VpcPeeringConnectionId,Status:Status.Code,Peer:AccepterVpcInfo.VpcId,PeerRegion:AccepterVpcInfo.Region}'
# Check TGW attachments
aws ec2 describe-transit-gateway-attachments --filters "Name=transit-gateway-id,Values=<tgw-id>" --region <region> --query 'TransitGatewayAttachments[*].{ID:TransitGatewayAttachmentId,Type:ResourceType,Resource:ResourceId,State:State}'
# Check TGW route table
aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <rt-id> --filters "Name=state,Values=active" --region <region>
# Check if flow logs are enabled
aws ec2 describe-flow-logs --filter "Name=resource-id,Values=<vpc-id>" --region <region>
# Query flow logs via CloudWatch Insights
aws logs start-query --log-group-name <flow-log-group> --start-time $(date -d '1 hour ago' +%s) --end-time $(date +%s) --query-string '
fields @timestamp, srcAddr, dstAddr, srcPort, dstPort, protocol, action
| filter dstPort = <port> and action = "REJECT"
| sort @timestamp desc
| limit 50
' --region <region>
# TCP connectivity test
# nc -zv <host> <port> -w 5
# Traceroute
# traceroute -T -p <port> <host>
# MTR (continuous traceroute)
# mtr --tcp --port <port> <host> --report
# curl with timing
# curl -o /dev/null -s -w "DNS:%{time_namelookup} Connect:%{time_connect} TLS:%{time_appconnect} Total:%{time_total}\n" https://<host>
# Test SSL/TLS
# openssl s_client -connect <host>:<port> -servername <host>
# Check listening ports
# ss -tlnp | grep <port>
# netstat -tlnp | grep <port>
When debugging connectivity:
Customers are responsible for configuring VPC Flow Logs, managing IAM policies for log access, encrypting log data with AWS KMS, and securing security group and NACL configurations. AWS is responsible for the underlying VPC and Amazon CloudWatch Logs service infrastructure.
Expert guide for backing up AWS databases including Amazon Relational Database Service (Amazon RDS), Aurora, MS-SQL, MySQL, and PostgreSQL. Use when planning or executing database backup operations, retention policies, or restore procedures. Covers Amazon Simple Storage Service (Amazon S3) upload security.
Cross-region migration for compute services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Kubernetes Service (Amazon EKS). Covers AZ failure recovery, AMI/snapshot migration, coldsnap EBS Direct API transfers, AWS MGN agent-based migration, WSFC/SQL FCI cluster recovery, FSx ONTAP iSCSI, container image replication, task definition migration, Kubernetes workload backup/restore, and IRSA re-association.
Cross-region migration for database services including Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon Redshift, and Amazon ElastiCache. Covers snapshot copy and restore, cross-region read replica promotion, cross-region automated backups, Aurora Global Database failover, AWS KMS re-encryption, native database dump fallback, Amazon Redshift cross-region snapshot copy, and ElastiCache Global Datastore failover.
Cross-region migration for networking services including AWS Transit Gateway, AWS Site-to-Site VPN, AWS Client VPN, and AWS Direct Connect. Covers Transit Gateway recreation with VPC and Direct Connect gateway attachments, VPN tunnel configuration with pre-shared keys, Client VPN endpoint migration with certificate handling, and Direct Connect Gateway association.
Cross-region migration for security services including ACM, AWS KMS, AWS IAM Identity Center, IAM/STS federation, and AWS WAF. Covers certificate re-issuance and validation, KMS key re-encryption workflows, Encryption SDK re-keying, IAM Identity Center multi-region replication, SAML regional endpoint failover, STS endpoint configuration, and WAF WebACL cloning.
Querying and analyzing CloudWatch Logs, CloudTrail events, and other AWS log sources. Use when investigating errors, auditing actions, or understanding what happened with an AWS resource.