New AWS Networking Services: VPC Reachability Analyzer & AWS Network Firewall


When people look at their cloud environment, they see their product running, whether that is a website, an application of some sort, or something else entirely. They are also aware of the infrastructure supporting that product—mostly because of the cost incurred, so the need to understand it is obvious. But there is one thing that’s often overlooked by many, particularly by those outside of the DevOps team that maintains the cloud environment: networking.

The reason for this is that networking is usually either free or one of the not-so-expensive components of the cloud, especially compared to compute instances or storage, for example. But on the AWS cloud (as well as the other major cloud providers), almost everything you do runs on the underlying networking setup, which makes networking a very crucial component in any cloud environment.

In this article, we’ll take a look at some of the recent updates introduced by AWS to its networking service, and, hopefully, you might find them useful enough to start using them yourself.

AWS Virtual Private Cloud (VPC) Reachability Analyzer

AWS Virtual Private Cloud (VPC) is a service dedicated to networking in the cloud, giving you full control of everything and anything you might need to run your cloud environment. AWS Virtual Private Cloud (VPC) covers the creation of subnets (both public and private), IP routes (along with all the firewalls used for them), NAT Gateways, VPN configurations, Elastic IP reservations, and much more. But as your business needs grow, so does the complexity of your networking in the cloud, and even the best-planned network architecture can run into issues. The problem becomes exponentially larger when you consider that you can link multiple VPCs via VPC peering or Transit Gateway, creating a massive interconnected network of resources, with multiple routes, firewall rules, etc.

A common problem, for example, is having overlapping or even conflicting configurations in place, effectively preventing your resources from communicating (and therefore from working at all). Another, even simpler scenario is placing a server that needs public internet access in a private subnet that has none.


This is where AWS’ VPC Reachability Analyzer comes in handy, as it allows you to analyze reachability between two endpoints within your VPC (or multiple connected VPCs), and it does so without even sending packets. Instead, it uses automated reasoning to look at all the resource configurations that can affect the connectivity (route tables, security groups, network ACLs, gateways, and so on) and determines whether the network flow is possible. So, you can use it for troubleshooting network misconfigurations but also to verify your intended connectivity.

Unfortunately, VPC Reachability Analyzer isn’t free. The cost is low ($0.10 per analysis processed), but it is enough that you wouldn’t want to be running it constantly as a part of your automated processes. Instead, VPC Reachability Analyzer should only be used during networking configuration changes and to troubleshoot connectivity issues that arise.
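As an added example (not code from N2WS or from AWS), here is how one reachability check looks when driven through boto3 and turned into a pass/fail result with the analyzer's explanations, which is what you would run once after a network change rather than on every deploy, since each analysis is billed. The EC2 client is passed in so the same function works against a real `boto3.client("ec2")` or, as in the stand-in below, a constructed fake; the resource IDs and the explanation code used by the fake are placeholders, not real AWS values.

```python
"""Added example: one VPC Reachability Analyzer run via the EC2 API.
Real calls: create_network_insights_path, start_network_insights_analysis,
describe_network_insights_analyses. Everything in FakeEc2Client is constructed."""
import time


def check_reachability(ec2, source, destination, port, protocol="tcp",
                       timeout_s=120, poll_interval_s=5):
    """Create the path once, start a single (billed) analysis, poll until it
    finishes and return a small dict a change-validation job can act on."""
    path = ec2.create_network_insights_path(
        Source=source, Destination=destination,
        Protocol=protocol, DestinationPort=port)["NetworkInsightsPath"]
    analysis = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path["NetworkInsightsPathId"])["NetworkInsightsAnalysis"]
    analysis_id = analysis["NetworkInsightsAnalysisId"]

    deadline = time.time() + timeout_s
    while analysis["Status"] == "running":
        if time.time() > deadline:
            raise TimeoutError("analysis %s did not finish in %ss" % (analysis_id, timeout_s))
        time.sleep(poll_interval_s)
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]

    if analysis["Status"] != "succeeded":
        raise RuntimeError("analysis %s failed: %s" % (
            analysis_id, analysis.get("StatusMessage", "no message")))

    # Each explanation names the blocking (or relevant) component, e.g. a
    # security group or route table, and the direction it applies to.
    explanations = [
        {"code": e.get("ExplanationCode"),
         "component": e.get("Component", {}).get("Id"),
         "direction": e.get("Direction")}
        for e in analysis.get("Explanations", [])
    ]
    return {"reachable": bool(analysis["NetworkPathFound"]),
            "path_id": path["NetworkInsightsPathId"],
            "explanations": explanations}


class FakeEc2Client:
    """Constructed stand-in for boto3's EC2 client. Returns responses in the
    documented shape: one 'running' poll, then the scripted final result."""

    def __init__(self, path_found, explanations=()):
        self._path_found = path_found
        self._explanations = list(explanations)
        self._polls = 0

    def create_network_insights_path(self, **kwargs):
        return {"NetworkInsightsPath": {"NetworkInsightsPathId": "nip-0placeholder"}}

    def start_network_insights_analysis(self, **kwargs):
        return {"NetworkInsightsAnalysis": {
            "NetworkInsightsAnalysisId": "nia-0placeholder", "Status": "running"}}

    def describe_network_insights_analyses(self, **kwargs):
        self._polls += 1
        if self._polls < 2:
            result = {"NetworkInsightsAnalysisId": "nia-0placeholder", "Status": "running"}
        else:
            result = {"NetworkInsightsAnalysisId": "nia-0placeholder",
                      "Status": "succeeded",
                      "NetworkPathFound": self._path_found,
                      "Explanations": self._explanations}
        return {"NetworkInsightsAnalyses": [result]}


if __name__ == "__main__":
    # Placeholder source/destination instance IDs; with a real client these
    # would be ENI, instance, gateway or similar resource IDs in your account.
    fake = FakeEc2Client(False, [{"ExplanationCode": "PLACEHOLDER_SG_RULE_MISMATCH",
                                  "Component": {"Id": "sg-0placeholder"},
                                  "Direction": "ingress"}])
    print(check_reachability(fake, "i-0src", "i-0dst", 443, poll_interval_s=0))
```

With a real client the first argument is simply `boto3.client("ec2")`; the path object can be kept and re-analyzed later with `start_network_insights_analysis` alone, so repeat checks of the same pair do not recreate it.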

AWS VPC and SD-WAN Native Integration Using AWS Transit Gateway Connect

Software-defined wide area networks (SD-WANs) have been used for a long time to connect branch offices to data centers and, with the introduction of cloud computing, also to extend to the cloud. This process created huge overhead—in terms of both additional setup complexity as well as maintenance needs. Up until now, to make the setup work with AWS Cloud, you had to manually provision everything, a procedure that desperately needed an upgrade.

For this reason, Amazon recently announced AWS Transit Gateway Connect, which is meant to natively integrate AWS Virtual Private Cloud with SD-WAN. Out of the gate, 13 vendors are already supported, including names like Cisco, Citrix, Sophos, Aviatrix, and Aruba. Plus, third-party SD-WAN appliances from these approved vendors can be physically located on-premises or run virtually on AWS Virtual Private Cloud.

This new feature supports Border Gateway Protocol (BGP), Generic Routing Encapsulation (GRE), performance metrics, telemetry data, and advanced visibility through network topology. AWS also claims that it increases total bandwidth.

AWS Transit Gateway Connect is priced at $0.02 per GB of data processed.

AWS Network Firewall

While the previous two features discussed provide some quality-of-life benefits when working with AWS, this next one is a big step in the right direction when it comes to improving security in the cloud. AWS originally only offered Security Groups (along with Network Access Control Lists) for securing your environment. Later, AWS introduced Web Application Firewall (WAF), followed by AWS Shield and AWS Firewall Manager.

AWS Network Firewall: what is it?

AWS Network Firewall is the newest addition out of AWS and quite a big one. It is a highly available (99.99%) and seamlessly scalable firewall service that is fully managed, providing you with the ability to apply blanket protections for your AWS VPC. AWS Network Firewall works with any protocol or application type, so you can inspect traffic from Layer 3 through Layer 7 (from Network to Application) of the OSI model. Traffic can be inspected whether it is leaving or entering your VPC from any direction, including inbound and outbound traffic to and from the internet, VPC-to-VPC, and VPN and AWS Direct Connect traffic. AWS Network Firewall is also integrated with the existing security services and configurations that you’re running and can coexist with them.

With AWS Network Firewall, you can simply place inspection points and security policies that you want to apply anywhere within your AWS network, without having to manage all the rules yourself. This is a huge benefit, as it removes unnecessary overhead—not only reducing the chance for a potential configuration error but also allowing you to focus your time elsewhere. So, for example, you can choose to inspect your production VPC only, or a test environment, or even an entire AWS account, if desired. AWS Network Firewall even allows you to centrally inspect multiple accounts using AWS Transit Gateway.

AWS Network Firewall additionally offers fine-grained controls, giving you the opportunity to inspect a wide range of things. To start, you can look at the IP address, port, and protocol, just like with Security Groups and Network Access Control Lists (although the ranges you can use scale much higher). General pattern matching is supported, so you can look at byte sequences within a network packet. You can also inspect fully qualified domain names if needed and allow or drop traffic to certain addresses. With all of these options available, you can defend against threats like malware intrusion, protocol abuse, and many other attack attempts on your cloud environment.

AWS Network Firewall comes with an alert option as well, so that you can get notifications about certain traffic without having to interfere with it. And each drop or alert event will create a log, which can be saved in an S3 bucket or CloudWatch Logs, or streamed to Kinesis Data Firehose.
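To make the two preceding paragraphs concrete, here is an added example (not N2WS's or AWS's own code) that builds stateful rule groups in the JSON shape the Network Firewall `CreateRuleGroup` API takes (a domain allow-list for the FQDN inspection, and Suricata-compatible `alert`/`drop` rules for the byte-pattern matching), then summarizes alert log records of the kind the firewall writes to S3, CloudWatch Logs or Firehose. The domains, CIDRs, signature IDs and the three log lines are constructed for illustration.

```python
"""Added example: AWS Network Firewall stateful rule groups and alert-log triage.
Rule-group dict keys follow the CreateRuleGroup API (RulesSource, RulesSourceList,
RulesString, RuleVariables). Sample data below is constructed, not captured."""
import json
from collections import Counter


def domain_rule_group(targets, allow=True):
    """FQDN rule group: allow-list (deny everything else) or deny-list of
    HTTP Host / TLS SNI names. A leading '.' matches the domain and subdomains."""
    return {"RulesSource": {"RulesSourceList": {
        "Targets": list(targets),
        "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
        "GeneratedRulesType": "ALLOWLIST" if allow else "DENYLIST"}}}


def suricata_rule(action, proto, dst_port, msg, content_hex, sid):
    """One Suricata-compatible rule. 'alert' only logs, 'drop' blocks.
    content:"|..|" matches a raw byte sequence inside the payload."""
    if action not in ("alert", "drop", "pass"):
        raise ValueError("unsupported action: %s" % action)
    return ('%s %s $HOME_NET any -> any %s (msg:"%s"; content:"|%s|"; '
            'sid:%d; rev:1;)' % (action, proto, dst_port, msg, content_hex, sid))


def suricata_rule_group(rules, home_net_cidrs):
    """Byte-pattern rule group using the RulesString form, with $HOME_NET
    scoped to the given VPC CIDRs instead of the default."""
    return {"RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net_cidrs)}}},
            "RulesSource": {"RulesString": "\n".join(rules)}}


# Constructed log records in the shape of Network Firewall alert logs:
# a wrapper with firewall_name/availability_zone and a Suricata-style "event".
SAMPLE_ALERT_LOG = [
    '{"firewall_name":"prod-fw","availability_zone":"us-east-1a","event_timestamp":"1612345678",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.23","src_port":50111,"dest_ip":"198.51.100.7",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,'
    '"signature":"outbound to non-allowlisted domain","category":"","severity":3}}}',
    '{"firewall_name":"prod-fw","availability_zone":"us-east-1a","event_timestamp":"1612345690",'
    '"event":{"event_type":"alert","src_ip":"10.0.2.8","src_port":41000,"dest_ip":"203.0.113.9",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"PE header in HTTP download","category":"","severity":2}}}',
    '{"firewall_name":"prod-fw","availability_zone":"us-east-1b","event_timestamp":"1612345700",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.23","src_port":50112,"dest_ip":"198.51.100.7",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,'
    '"signature":"outbound to non-allowlisted domain","category":"","severity":3}}}',
]


def summarize_alerts(lines):
    """Count alert events per (action, signature_id) and collect the source
    IPs that were actually blocked, so a reviewer sees what the rules hit."""
    by_signature = Counter()
    blocked_sources = set()
    for line in lines:
        event = json.loads(line).get("event", {})
        if event.get("event_type") != "alert":
            continue  # flow logs share the stream; only alerts carry an action
        alert = event["alert"]
        by_signature[(alert["action"], alert["signature_id"])] += 1
        if alert["action"] == "blocked":
            blocked_sources.add(event["src_ip"])
    return {"by_signature": dict(by_signature), "blocked_sources": sorted(blocked_sources)}


if __name__ == "__main__":
    allow = domain_rule_group([".amazonaws.com", "updates.example.com"])
    rules = [suricata_rule("alert", "tcp", 80, "PE header in HTTP download", "4d 5a", 1000001),
             suricata_rule("drop", "tcp", 443, "block to placeholder bad host",
                           "62 61 64 2e 65 78 61 6d 70 6c 65", 1000003)]
    print(json.dumps(allow, indent=2))
    print(json.dumps(suricata_rule_group(rules, ["10.0.0.0/16"]), indent=2))
    print(summarize_alerts(SAMPLE_ALERT_LOG))
```

Each rule group carries exactly one `RulesSource`, so the domain list and the Suricata rules go into two separate groups attached to the same firewall policy; starting with `alert` and switching a signature to `drop` only after the log summary shows no legitimate traffic matching it is the usual way to roll a new rule out.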

AWS Network Firewall Pricing

AWS Network Firewall does come with a price and a few considerations. For each hour of firewall running, you are going to pay $0.395. Also, each GB processed by the firewall will cost you $0.065. The upside is that for each hour and GB you’re using your AWS Network Firewall, you can use NAT Gateway free of charge—so traffic using one won’t be charged for the other.

For those of you interested in trying out AWS Network Firewall, keep in mind that this product is currently only available in US-East-1 (N. Virginia), US-West-2 (Oregon), and EU-West-1 (Dublin) AWS regions. More will be coming soon, as usual.


AWS’ three new additions to its networking arsenal are no doubt a lifesaver for troubleshooting and a step forward for automated security.

VPC Reachability Analyzer ensures that your network configurations are in order and that network reachability between important resources can be achieved. The integration between AWS VPC and SD-WAN allows for a quick and easy setup, where before it was a tedious manual task. And AWS Network Firewall steps up the security offering to a whole new level, providing numerous security features that were not available before and giving you a way to centrally manage your firewall rules for your entire networking setup in the cloud.

All of these features are fully (or at least partially) available as of now, so consider testing them out for your business needs.
