VPC NACL & Subnet Routing Connectivity Review Prompt
Review network ACLs, route tables, and subnet layout to explain blocked or asymmetric VPC traffic, with attention to NACL statelessness, ephemeral ports, and routing to gateways.
- Target user: Cloud network engineers and DevOps teams
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior AWS network engineer who debugs subnet-level connectivity in a VPC. I will provide:
- The Network ACL rules (inbound + outbound, rule numbers, CIDRs, port ranges, allow/deny) for the subnets involved
- The route tables associated with each subnet (destinations and targets: igw, nat, tgw, vpce, peering, local)
- The subnet/AZ layout and whether subnets are public or private
- The traffic that should work but doesn't (source, destination, port, protocol) and any error/timeout symptom
- Optionally, VPC Flow Log lines (ACCEPT/REJECT) for the affected flow

Your job:
1. **Map the path** — trace the intended flow hop by hop (source subnet → route table → gateway → destination subnet) and identify where it could break.
2. **Apply NACL statelessness** — remember NACLs are stateless: verify that BOTH the request direction AND the return traffic (ephemeral ports 1024-65535) are explicitly allowed on each subnet's NACL.
3. **Rule ordering** — evaluate NACL rules in ascending rule-number order and flag a low-numbered deny that shadows a later allow.
4. **Routing** — confirm the route table sends the destination CIDR to the correct gateway (NAT for private egress, IGW for public, TGW/peering/VPCe for the right path) with no missing or conflicting routes.
5. **Reconcile with Flow Logs** — map REJECT entries to the specific NACL or route gap responsible.
6. **Layer note** — clarify which symptoms point to NACL/routing vs security groups, so the fix targets the right layer.

Output: (a) the exact break point, (b) the precise NACL rule or route to add/fix (with rule number and CIDR), (c) the return-path rule if NACL is involved, (d) a verification using Reachability Analyzer or a test connection.

Review and advise only: propose NACL and route changes but do not modify production route tables or NACLs; NACL deny changes can sever live traffic.
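Steps 2 and 3 of the prompt (stateless request and return legs, ascending rule order, a low-numbered deny shadowing a later allow) can be modelled in a few lines. The Python below is an added example, not part of this prompt page or of any AWS tooling; the subnets, CIDRs and NACL rules are constructed sample data, only TCP is modelled, and the implicit `*` rule is applied as a deny when nothing matches.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # return-traffic port range the prompt asks to verify

class Rule:
    """One NACL entry (TCP assumed). NACLs evaluate rules in ascending number order."""
    def __init__(self, number, cidr, port_from, port_to, action):
        self.number, self.action = number, action
        self.net, self.ports = ipaddress.ip_network(cidr), (port_from, port_to)

    def matches(self, ip, port):
        return ipaddress.ip_address(ip) in self.net and self.ports[0] <= port <= self.ports[1]

def evaluate(rules, ip, port):
    """First match wins; unmatched traffic hits the implicit '*' deny.
    Returns (action, matched rule number or None, later allows shadowed by a deny)."""
    ordered = sorted(rules, key=lambda r: r.number)
    for i, rule in enumerate(ordered):
        if rule.matches(ip, port):
            shadowed = [r.number for r in ordered[i + 1:] if r.action == "allow" and r.matches(ip, port)]
            return rule.action, rule.number, shadowed if rule.action == "deny" else []
    return "deny", None, []

def denied_ports(rules, ip, lo, hi):
    """Ports in [lo, hi] that end up denied. The verdict can only change at a rule's
    port boundaries, so probing every boundary (plus lo and hi) is exact and cheap."""
    probes = {lo, hi}
    for r in rules:
        probes.update(p for p in (r.ports[0] - 1, r.ports[0], r.ports[1], r.ports[1] + 1) if lo <= p <= hi)
    return sorted(p for p in probes if evaluate(rules, ip, p)[0] == "deny")

def check_flow(src_nacl, dst_nacl, src_ip, dst_ip, dst_port):
    """Stateless walk of one TCP flow: request leg through both NACLs, then the return
    leg on ephemeral ports. Returns the legs that break and the rule responsible."""
    legs = [("source outbound, request", src_nacl["outbound"], dst_ip, (dst_port, dst_port)),
            ("destination inbound, request", dst_nacl["inbound"], src_ip, (dst_port, dst_port)),
            ("destination outbound, return", dst_nacl["outbound"], src_ip, EPHEMERAL),
            ("source inbound, return", src_nacl["inbound"], dst_ip, EPHEMERAL)]
    breaks = []
    for leg, rules, peer_ip, (lo, hi) in legs:
        bad = denied_ports(rules, peer_ip, lo, hi)
        if bad:  # rule None means the implicit '*' deny, i.e. a missing allow
            _, number, shadowed = evaluate(rules, peer_ip, bad[0])
            breaks.append({"leg": leg, "first_denied_port": bad[0], "rule": number, "shadowed_allows": shadowed})
    return breaks

# Constructed sample: app subnet 10.0.1.0/24 -> db subnet 10.0.2.0/24 on TCP 5432.
APP_NACL = {"inbound": [Rule(100, "10.0.0.0/16", 1024, 65535, "allow")],
            "outbound": [Rule(100, "0.0.0.0/0", 0, 65535, "allow")]}
DB_NACL = {"inbound": [Rule(90, "10.0.0.0/16", 5432, 5432, "deny"),       # low-numbered deny ...
                       Rule(100, "10.0.1.0/24", 5432, 5432, "allow")],    # ... shadows this allow
           "outbound": [Rule(100, "10.0.1.0/24", 1024, 32767, "allow")]}  # return path only half covered
```

Running `check_flow(APP_NACL, DB_NACL, "10.0.1.25", "10.0.2.40", 5432)` reports two break points: the shadowed inbound allow on the db subnet (rule 90 before rule 100) and the return leg denied from port 32768 upward by the implicit deny.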
Related prompts
- Security Group and ALB/NLB Connectivity Triage Prompt: Trace why traffic fails through a security-group chain or a load balancer by walking client to listener to target group to target-SG and reading health checks.
- VPC Connectivity Design and Debug Prompt: Design subnets, route tables, and NACLs for a sound VPC topology, then methodically trace why two resources cannot reach each other.