Amazon VPC Network Access Analyzer Improves Network Security

TABLE OF CONTENT
1. Introduction2. Overview of VPC Network Access Analyzer3. Findings 4. Supported Source Resources and Destination Resources Findings5. Supported Path Resources Amazon VPC Network Access Analyzer: Challenges Pricing7. Regions supported8. Step-by-Step Guide to Working with Network Access Analyzer9. Sample Reports10. Conclusion 11. CloudThat 12. FAQs1. Introduction to VPC Network Access Analyzer
VPC Network Access Analyzer can be used to determine the desired connection between AWS resources. You can use existing scopes, copy and customize the existing scope, or create new ones from scratch.
The Network Access Analyzer is able to verify the following requirements.
Network Segmentation
Internet Accessibility
Trusted Network Path
Trusted Network Access
2. Overview of VPC Network Analyzer

Source: amazon.docs
Network Access Analyzer uses inference algorithms to analyze network paths packets can follow between resources within our AWS network. It then returns the results for the path that corresponds with the customer-defined network area. It then performs a static network analysis. This means that no packets are sent to the network during this analysis. Network Access Analyzer is limited to the network conditions as described in the network configuration. This analysis does not include packet loss due temporary network interruptions and service outages.
3. Findings: Supported Source and Destination Resources
Network Access Analyzer is used to determine the network path that a packet may take within a network. The Network Access Analyzer only can find network paths that begin or end at these types of resources.
Network Interfaces
VPC Interface Endpoints
VPC Service Endpoints
Virtual Private Gateways
Internet Gateways
Transit Gateway Attachments
VPC gateway endpoints
VPC peering connections
4. Findings: Supported Path Resources
Network Access Analyzer network paths can pass through multiple resources, from the beginning to the end.
Internet gateways
Load balancers (except Gateway Load Balancers).
NAT gateways
Network ACLs
Firewalls for network networks
Network interfaces
VPC route tables
Security groups
Target groups
Transit gateway route tables
Transit gateway attachments
Endpoints for VPC interface
VPC gateway endpoints
VPC endpoints Services
VPC peering connections
Virtual private gateways
5. Amazon VPC Network Access Analyzer – Challenges
Internet Gateway and Virtual Private Gateways
Application Load Balancing
Network Load Balancing
Network Firewall
Amazon VPC Transit Gateways
Only IPv4
6. Pricing:
For creating VPC, there is no additional cost. Only the optional VPC capabilities that we use will be charged to us.
Network Access Analyzer will analyze your network and charge you $0.002.
7. Regions supported:
Only the following regions have Network Access Analyzer:
USA East (N. Virginia), US East, US West (N. California), US West(Oregon), Africa [Cape Town], Asia Pacific [Hong Kong], Asia Pacific (“Mumbai”), Asia Pacific (“Singapore”) Asia Pacific “Tokyo”) Canada (Central), Europe—Frankfurt], Europe—Ireland], Europe (London), Europe—Paris,” Europe (Stockholm), South America’s Sao Paulo and Europe (London).
8. Step-by-Step Guide to Working with Network Access Analyzer
a. Log in to AWS Management Console, and then select VPC.
b. Select Network Access Analyzer (Network Analysis).

c. Click Get Started to see pre-configured Network Access Scopes. To create a new scope, click on Create Network Access Scope.

d. Choose a template to use. Select Empty Template, then click Next.

e. Type the name and description of the scope.

f. Select Source or Destination by resource type or id.
Clicking here will allow you to add multiple match conditions.