Amazon Web Services (AWS) VPC Security Group, NACL, and Route Table Modeling Tool

I've found myself wondering on more than one occasion whether a network issue I'm having is caused by security configuration (routing rules, network ACLs, security groups) or by something else entirely. To answer that, I originally wrote a network modeling tool that traces traffic flow from a source to a destination, simulating the security evaluation performed at each hop.
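The following is an added illustration of the kind of hop-by-hop evaluation such a tracer performs; it is not code from the original tool or from AWS. It models the three security-relevant mechanisms the paragraph names with a deliberately simplified data model (the Rule, Nacl, SecurityGroup and Subnet classes and the evaluation order are assumptions): longest-prefix route lookup, stateless NACLs where the lowest-numbered matching rule wins and the unmatched case is an implicit deny, and stateful security groups that are checked only in the initiating direction. The demo traces the same TCP/443 flow through a correct NACL and through one that admits 443 inbound but has no outbound rule for the client's ephemeral ports, which is the classic way a stateless NACL silently drops reply traffic.

```python
"""Toy model of AWS flow evaluation across route tables, NACLs and security groups.
Added example with an assumed, simplified data model; not the original tool's code."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # ports a client may use, so replies must be allowed on them


@dataclass
class Rule:
    """One NACL or SG rule. NACL rules carry a number and may deny; SG rules only allow."""
    cidr: str
    proto: str            # "tcp", "udp" or "-1" for all protocols
    ports: tuple          # (low, high), inclusive
    action: str = "allow"
    number: int = 32767

    def matches(self, ip, proto, port):
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.proto != "-1" and self.proto != proto:
            return False
        return self.ports[0] <= port <= self.ports[1]


@dataclass
class Nacl:
    inbound: list
    outbound: list

    def evaluate(self, direction, ip, proto, port):
        # Stateless: lowest-numbered matching rule decides; no match is the implicit deny (*).
        for r in sorted(getattr(self, direction), key=lambda r: r.number):
            if r.matches(ip, proto, port):
                return r.action == "allow", f"NACL {direction} rule {r.number} {r.action}"
        return False, f"NACL {direction} implicit deny (*)"


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list

    def evaluate(self, direction, ip, proto, port):
        # Stateful: any matching allow rule admits the flow and its return traffic.
        for r in getattr(self, direction):
            if r.matches(ip, proto, port):
                return True, f"SG {direction} allow {r.cidr}"
        return False, f"SG {direction} no matching rule"


@dataclass
class Subnet:
    cidr: str
    routes: dict   # destination CIDR -> target, e.g. "local"
    nacl: Nacl


def route_lookup(routes, dst_ip):
    """Longest-prefix match over a route table; returns (network, target) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def trace(src_subnet, src_sg, src_ip, dst_subnet, dst_sg, dst_ip, proto, port, src_port=40000):
    """Evaluate a flow and its reply hop by hop; returns (allowed, list of steps)."""
    steps = []
    route = route_lookup(src_subnet.routes, dst_ip)
    if route is None:
        steps.append("no route to destination")
        return False, steps
    steps.append(f"route {route[0]} -> {route[1]}")
    # Forward path: outbound checks match on destination IP, inbound checks on source IP.
    for ok, why in (src_sg.evaluate("outbound", dst_ip, proto, port),
                    src_subnet.nacl.evaluate("outbound", dst_ip, proto, port),
                    dst_subnet.nacl.evaluate("inbound", src_ip, proto, port),
                    dst_sg.evaluate("inbound", src_ip, proto, port)):
        steps.append(why)
        if not ok:
            return False, steps
    # Reply path: only the stateless NACLs are re-checked, now on the client's ephemeral port.
    for ok, why in (dst_subnet.nacl.evaluate("outbound", src_ip, proto, src_port),
                    src_subnet.nacl.evaluate("inbound", dst_ip, proto, src_port)):
        steps.append("return traffic: " + why)
        if not ok:
            return False, steps
    return True, steps


def demo():
    """Constructed scenario: app subnet 10.0.1.0/24 talks HTTPS to web subnet 10.0.2.0/24."""
    routes = {"10.0.0.0/16": "local"}
    allow_all_out = Rule("0.0.0.0/0", "-1", (0, 65535), number=100)
    web_in = Rule("10.0.0.0/16", "tcp", (443, 443), number=100)
    ephemeral = Rule("10.0.0.0/16", "tcp", EPHEMERAL, number=110)
    app = Subnet("10.0.1.0/24", routes, Nacl(inbound=[ephemeral], outbound=[allow_all_out]))
    web_ok = Subnet("10.0.2.0/24", routes, Nacl(inbound=[web_in], outbound=[ephemeral]))
    web_bad = Subnet("10.0.2.0/24", routes, Nacl(inbound=[web_in], outbound=[]))  # replies dropped
    app_sg = SecurityGroup(inbound=[], outbound=[Rule("0.0.0.0/0", "-1", (0, 65535))])
    web_sg = SecurityGroup(inbound=[Rule("10.0.1.0/24", "tcp", (443, 443))], outbound=[])
    good = trace(app, app_sg, "10.0.1.10", web_ok, web_sg, "10.0.2.20", "tcp", 443)
    bad = trace(app, app_sg, "10.0.1.10", web_bad, web_sg, "10.0.2.20", "tcp", 443)
    return good, bad


if __name__ == "__main__":
    for allowed, steps in demo():
        print("ALLOWED" if allowed else "BLOCKED", " | ".join(steps))
```

Reading the step list of the blocked trace points straight at the offending hop: every forward check passes and the flow is dropped only when the web subnet's NACL evaluates the outbound reply, which is exactly the component a real analyzer needs to name.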

Deprecation Notice (2026): This custom tool is no longer maintained and has been taken offline. AWS now offers native, high-fidelity services that provide this functionality with much greater accuracy:
  • VPC Reachability Analyzer: Best for point-to-point troubleshooting. It shows hop-by-hop details and identifies the exact blocking component (e.g., a specific NACL rule).
  • Network Access Analyzer: Best for security auditing. It helps you identify unintended network access and verify that your network segments are properly isolated.

While my tool served its purpose during the early days of VPC management, the native AWS analyzers now provide a more robust way to ensure your network configuration matches your intended connectivity.
Archive Note: For those interested in the logic behind traffic tracing, you can still view the original project structure in my blog-code repository.