How to Troubleshoot AWS EC2 Connectivity Issues
If you are a CloudOps or cloud network engineer, you probably receive daily tickets from developers that look something like this:
- My instance suddenly cannot ssh into this server. Is something wrong with the network? Please help resolve.
- I got my instance up and running, but it cannot access the Internet. Is something wrong with the network? Please help resolve.
- No one can access my application. Is something wrong with the network? Please help resolve.
- ….
You get the idea. For any connectivity problem, the network is always the first thing to be blamed.
To resolve the ticket, you need to log in to the AWS console for the respective cloud account, go to the region, find the problem instance, look at its security groups, the route table associated with its subnet and the route entries in it, check the network ACL, and so on. You often need to switch to a different AWS account's console and repeat the same process on the other instance. More often than not, the problem lies in the user's own environment (typically a security group or route entry they control) and has nothing to do with the network itself.
This troubleshooting process is not super difficult, but it is repetitive and time consuming, and it gets tiresome quickly.
Wouldn't it be nice to have a tool that can pull up all of this information at once and let me get to the bottom of the problem quickly?
Introducing Aviatrix FlightPath.
Aviatrix FlightPath is a handy troubleshooting tool designed specifically with the above trouble tickets in mind.
From the Aviatrix Controller browser console, you specify a source AWS account, region and VPC, and the tool automatically retrieves all instances in that VPC using the AWS APIs. You do the same for the destination side. After you pick the source and destination instances, the tool retrieves the latest information associated with each instance (security groups, route table, network ACL), again using the AWS APIs, and brings it together on one page in a side-by-side layout so you can eyeball both sides and identify the problem quickly.
Here is one example of how FlightPath works. Say a developer from the BusinessOps account filed a ticket saying that an instance named "DevOps Server" in the Oregon region cannot ssh into the Prod instance in the California region.
From the Controller browser console, click FlightPath under Troubleshooting on the navigation menu. Specify the above information and you'll see something like the screenshot below. The highlighted rows on each panel are the instances in question. Note that the DevOps Server has IP address 10.10.0.121.
Now run the FlightPath Test, and you'll see the FlightPath Report.
First check the route tables; they show a valid route in each direction, so routing is fine:
Scroll up and down the FlightPath Report to check the other fields. Next check the Security Groups. Sure enough, the security group on the California Prod instance has no inbound rule allowing "ssh" (TCP port 22) from the Oregon DevOps instance's IP address 10.10.0.121, so the connection is dropped before it ever reaches the server.
Problem Solved in minutes!
Upon further inspection, you'll also notice that the complaining DevOps instance has "ssh" open to the entire world (an inbound rule with source 0.0.0.0/0 on port 22). Security groups only need to admit the hosts that actually manage the instance, so you should notify the ticket issuer to narrow the source address range.
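The three checks FlightPath surfaces side by side (route to the destination, network ACL verdict, security group ingress) can be walked by hand over the same AWS API data. The following is an added example written for this page, not Aviatrix or AWS code: the dicts follow the shapes boto3 returns from describe_route_tables, describe_network_acls and describe_security_groups, but all values are constructed for the scenario above (10.10.0.121 is the DevOps Server from the ticket; the Prod address 10.20.0.15, the IDs rtb-oregon, acl-california, sg-prod, sg-devops and pcx-example are assumptions). In practice you would feed in the real API responses.

```python
"""Walk the FlightPath checks by hand over EC2 API-shaped data.

Added example, not Aviatrix or AWS code. Every value below is constructed;
the dict shapes mirror boto3's describe_route_tables, describe_network_acls
and describe_security_groups responses.
"""
import ipaddress

SRC_IP = "10.10.0.121"   # Oregon DevOps Server (from the ticket)
DST_IP = "10.20.0.15"    # California Prod instance (assumed address)

# Constructed: Oregon route table with a peering route toward the California VPC
OREGON_RT = {
    "RouteTableId": "rtb-oregon",
    "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-example", "State": "active"},
    ],
}
# Constructed: California NACL that allows everything (the VPC default)
CALIFORNIA_ACL = {
    "NetworkAclId": "acl-california",
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
    ],
}
# Constructed: Prod only accepts ssh from its own VPC; DevOps accepts ssh from anywhere
PROD_SGS = [{"GroupId": "sg-prod", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]}]
DEVOPS_SGS = [{"GroupId": "sg-devops", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]


def cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def route_for(route_table, dst_ip):
    """Longest-prefix match over active routes; None means there is no route at all."""
    best, best_len = None, -1
    for r in route_table["Routes"]:
        cidr = r.get("DestinationCidrBlock")
        if not cidr or r.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if ipaddress.ip_address(dst_ip) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def nacl_verdict(acl, src_ip, port, egress=False):
    """NACLs are stateless and ordered: the lowest RuleNumber that matches wins."""
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if not cidr_contains(e["CidrBlock"], src_ip):
            continue
        if e["Protocol"] != "-1":
            if e["Protocol"] != "6":        # protocol number 6 = TCP
                continue
            pr = e.get("PortRange", {})
            if not pr.get("From", 0) <= port <= pr.get("To", 65535):
                continue
        return e["RuleAction"]
    return "deny"   # nothing matched: the implicit deny at the end of every NACL

def sg_allows_ingress(groups, src_ip, port):
    """Security groups are permit-only; return the (group, cidr) rules that admit the flow."""
    hits = []
    for g in groups:
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            if proto != "-1" and (proto != "tcp" or not perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            for r in perm.get("IpRanges", []):
                if cidr_contains(r["CidrIp"], src_ip):
                    hits.append((g["GroupId"], r["CidrIp"]))
    return hits

def wide_open(groups, port):
    """Rules that expose `port` to the whole IPv4 Internet, i.e. the 0.0.0.0/0 finding."""
    return [(g, c) for g, c in sg_allows_ingress(groups, "0.0.0.0", port)
            if ipaddress.ip_network(c).prefixlen == 0]

def diagnose(src_ip, dst_ip, src_rt, dst_acl, dst_sgs, port=22):
    """Run the same three checks an engineer does by hand; return the blockers found."""
    findings = []
    if route_for(src_rt, dst_ip) is None:
        findings.append(f"{src_rt['RouteTableId']}: no route to {dst_ip}")
    if nacl_verdict(dst_acl, src_ip, port) != "allow":
        findings.append(f"{dst_acl['NetworkAclId']}: denies {src_ip} -> tcp/{port}")
    if not sg_allows_ingress(dst_sgs, src_ip, port):
        findings.append(f"destination security groups: none allow {src_ip} -> tcp/{port}")
    return findings

if __name__ == "__main__":
    for line in diagnose(SRC_IP, DST_IP, OREGON_RT, CALIFORNIA_ACL, PROD_SGS):
        print("BLOCKED:", line)
    for group, cidr in wide_open(DEVOPS_SGS, 22):
        print("WARNING:", group, "allows ssh from", cidr)
```

Run against the constructed data, `diagnose` reports only the security group finding, which is exactly the conclusion reached from the FlightPath Report above, and `wide_open` flags the DevOps group's 0.0.0.0/0 ssh rule. The example checks the destination-side NACL ingress only; a full pass also evaluates the source subnet's egress entries and, because NACLs are stateless, the return traffic on ephemeral ports.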
Aviatrix FlightPath is our tool for CloudOps and cloud network engineers. It saves time in dealing with daily networking trouble tickets.