AWS Reachability Analyzer
Motivated by one of those "why can't A access B on AWS" questions I just saw, a short reminder - AWS has this thing called... Reachability Analyzer.
The name is straight to the point, and such is the tool itself. It allows you to create a set of named paths between points in your infrastructure, and test if they can be traversed end to end or not.
Apart from the yes/no answer, you also get a nice visualization of how that path was laid out across systems. For example, I'm looking at one right now and can see the following "route" that works:
ec2 -> eni -> sg -> acl -> rtb -> acl -> sg -> eni -> rds
On the other hand, an example of encountering an issue may look like this:
SUBNET_ACL_RESTRICTION:
Network ACL acl-abcdef01 does not allow inbound traffic from subnet-abcdef02 to vpc-abcdef03.
Tests for each path can be rerun to see whether anything has changed over time.
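As an added example (mine, not from the post above or from AWS), here is a small Python script that takes the JSON returned by `aws ec2 describe-network-insights-analyses` (the same shape boto3's `describe_network_insights_analyses` returns) and reduces it to the two things the post describes: the compact "route" of traversed components, and the explanation codes with the resources they name. The embedded response is constructed for the example; the labels map resource-id prefixes such as `i-`, `eni-`, `sg-`, `acl-`, `rtb-` to the short names used above, and the analysis ids are placeholders.

```python
"""Summarize AWS Reachability Analyzer results (added example, not the post's code).

Typical workflow (real AWS CLI commands):
  aws ec2 create-network-insights-path --source i-... --destination eni-... \
      --protocol tcp --destination-port 5432
  aws ec2 start-network-insights-analysis --network-insights-path-id nip-...
  aws ec2 describe-network-insights-analyses --network-insights-analysis-ids nia-... > analysis.json
Then feed analysis.json to summarize() below.
"""
import json
import sys

# Resource-id prefix -> short label, in the "ec2 -> eni -> sg -> acl -> rtb" style.
PREFIX_LABELS = {
    "i": "ec2", "eni": "eni", "sg": "sg", "acl": "acl", "rtb": "rtb",
    "subnet": "subnet", "vpc": "vpc", "igw": "igw", "nat": "nat",
    "vpce": "vpce", "tgw": "tgw", "pcx": "pcx",
}

# Explanation fields that carry an {Id, Arn, Name} component worth showing.
EXPLANATION_RESOURCE_KEYS = ("Acl", "SecurityGroup", "Subnet", "Vpc", "RouteTable", "Component")


def label_for(component_id):
    """'acl-abcdef01' -> 'acl', 'i-0123' -> 'ec2'; unknown prefixes are kept verbatim."""
    prefix = component_id.split("-", 1)[0]
    return PREFIX_LABELS.get(prefix, prefix)


def route_string(analysis):
    """Render ForwardPathComponents as 'a -> b -> c', ordered by SequenceNumber."""
    components = sorted(analysis.get("ForwardPathComponents", []),
                        key=lambda c: c["SequenceNumber"])
    return " -> ".join(label_for(c["Component"]["Id"]) for c in components)


def explanation_lines(analysis):
    """One line per explanation: CODE: Key=id, ... (direction)."""
    lines = []
    for ex in analysis.get("Explanations", []):
        code = ex.get("ExplanationCode", "UNKNOWN")
        parts = [f"{key}={ex[key]['Id']}"
                 for key in EXPLANATION_RESOURCE_KEYS
                 if isinstance(ex.get(key), dict) and "Id" in ex[key]]
        line = f"{code}: " + ", ".join(parts)
        if "Direction" in ex:
            line += f" ({ex['Direction']})"
        lines.append(line)
    return lines


def summarize(response):
    """Return a list of {path_id, reachable, route, explanations} per analysis."""
    return [{
        "path_id": a["NetworkInsightsPathId"],
        "reachable": bool(a.get("NetworkPathFound")),
        "route": route_string(a),
        "explanations": explanation_lines(a),
    } for a in response.get("NetworkInsightsAnalyses", [])]


# Constructed sample: one reachable path, one blocked by a subnet network ACL.
SAMPLE_RESPONSE = {"NetworkInsightsAnalyses": [
    {"NetworkInsightsPathId": "nip-PLACEHOLDER-1", "NetworkPathFound": True,
     "ForwardPathComponents": [
         {"SequenceNumber": 1, "Component": {"Id": "i-0aaaaaaaaaaaaaaaa"}},
         {"SequenceNumber": 2, "Component": {"Id": "eni-0bbbbbbbbbbbbbbbb"}},
         {"SequenceNumber": 3, "Component": {"Id": "sg-0ccccccccccccccc"}},
         {"SequenceNumber": 4, "Component": {"Id": "acl-0ddddddddddddddd"}},
         {"SequenceNumber": 5, "Component": {"Id": "rtb-0eeeeeeeeeeeeeee"}},
         {"SequenceNumber": 6, "Component": {"Id": "acl-0fffffffffffffff"}},
         {"SequenceNumber": 7, "Component": {"Id": "sg-01111111111111111"}},
         {"SequenceNumber": 8, "Component": {"Id": "eni-02222222222222222"}},
     ], "Explanations": []},
    {"NetworkInsightsPathId": "nip-PLACEHOLDER-2", "NetworkPathFound": False,
     "ForwardPathComponents": [],
     "Explanations": [{"ExplanationCode": "SUBNET_ACL_RESTRICTION",
                       "Acl": {"Id": "acl-abcdef01"},
                       "Subnet": {"Id": "subnet-abcdef02"},
                       "Vpc": {"Id": "vpc-abcdef03"},
                       "Direction": "ingress"}]},
]}


if __name__ == "__main__":
    # Read a saved describe-network-insights-analyses response, or use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for result in summarize(data):
        status = "REACHABLE" if result["reachable"] else "BLOCKED"
        print(f"{result['path_id']}: {status}  {result['route']}")
        for line in result["explanations"]:
            print("   ", line)
```

Rerunning the analysis and diffing two saved responses through this script is a cheap way to catch the "it worked last week" class of regression the post mentions: a changed ACL or route shows up as a new explanation line rather than a vague `BLOCKED`.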
It's not something I've used very frequently, but boy was I glad it existed those few times in the past.
GCP and Azure seem to have similar tools.