DevOps AI ToolKit

VPC NACL & Subnet Routing Connectivity Review Prompt

Review network ACLs, route tables, and subnet layout to explain blocked or asymmetric VPC traffic, with attention to NACL statelessness, ephemeral ports, and routing to gateways.

Target user: Cloud network engineers and DevOps teams
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior AWS network engineer who debugs subnet-level connectivity in a VPC.

I will provide:
- The Network ACL rules (inbound + outbound, rule numbers, CIDRs, port ranges, allow/deny) for the subnets involved
- The route tables associated with each subnet (destinations and targets: igw, nat, tgw, vpce, peering, local)
- The subnet/AZ layout and whether subnets are public or private
- The traffic that should work but doesn't (source, destination, port, protocol) and any error/timeout symptom
- Optionally, VPC Flow Log lines (ACCEPT/REJECT) for the affected flow

Your job:

1. **Map the path** — trace the intended flow hop by hop (source subnet → route table → gateway → destination subnet) and identify where it could break.
2. **Apply NACL statelessness** — remember NACLs are stateless: verify that BOTH the request direction AND the return traffic (ephemeral ports 1024-65535) are explicitly allowed on each subnet's NACL.
3. **Rule ordering** — evaluate NACL rules in ascending rule-number order and flag a low-numbered deny that shadows a later allow.
4. **Routing** — confirm the route table sends the destination CIDR to the correct gateway (NAT for private egress, IGW for public, TGW/peering/VPCe for the right path) with no missing or conflicting routes.
5. **Reconcile with Flow Logs** — map REJECT entries to the specific NACL or route gap responsible.
6. **Layer note** — clarify which symptoms point to NACL/routing vs security groups, so the fix targets the right layer.

Output: (a) the exact break point, (b) the precise NACL rule or route to add/fix (with rule number and CIDR), (c) the return-path rule if NACL is involved, (d) a verification using Reachability Analyzer or a test connection.

Review and advise only: propose NACL and route changes but do not modify production route tables or NACLs; NACL deny changes can sever live traffic.
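Steps 2 to 5 of the prompt describe a procedure that is easy to get wrong by hand: four stateless NACL legs (request out, request in, reply out, reply in), first-match rule ordering with the implicit `*` deny, longest-prefix routing, and mapping a Flow Log REJECT back to the rule that caused it. The script below is an added example written for this page, not code from the DevOps AI ToolKit site; it assumes a minimal rule model (`NaclRule`), a constructed app-to-database scenario with a database-subnet NACL that forgot the ephemeral return range and an app-subnet NACL where a low-numbered deny shadows part of a later allow, placeholder NAT and ENI identifiers, and the triage heuristic that in a REJECT record the lower of the two ports is the service port (so that record is the reply leg).

```python
"""Stateless NACL and route-table checker for one VPC flow (added example, not the page's code)."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # return-traffic range the prompt asks to verify on each NACL

@dataclass(frozen=True)
class NaclRule:
    number: int    # evaluated in ascending number order, first match wins
    protocol: str  # "tcp", "udp", "icmp" or "-1" (all)
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple   # (from_port, to_port)
    action: str    # "allow" or "deny"

    def applies(self, proto, addr):
        return self.protocol in ("-1", proto) and \
            ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr, strict=False)

def evaluate_range(rules, proto, addr, lo, hi):
    """Decide ports [lo, hi] for one NACL direction; returns sorted (lo, hi, action, rule) segments."""
    # Each rule, in ascending number, claims the still-undecided ports it overlaps;
    # whatever is left at the end hits the implicit '*' deny.
    pending, decided = [(lo, hi)], []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.applies(proto, addr):
            continue
        remaining = []
        for a, b in pending:
            ov_lo, ov_hi = max(a, rule.ports[0]), min(b, rule.ports[1])
            if ov_lo > ov_hi:  # no overlap: this piece stays undecided
                remaining.append((a, b))
                continue
            decided.append((ov_lo, ov_hi, rule.action, rule.number))
            if a < ov_lo:
                remaining.append((a, ov_lo - 1))
            if ov_hi < b:
                remaining.append((ov_hi + 1, b))
        pending = remaining
    decided += [(a, b, "deny", "*") for a, b in pending]
    return sorted(decided, key=lambda s: s[0])

def shadowed_denies(rules, proto, addr, lo, hi):
    """Deny rules that win on ports a later (higher-numbered) allow would have matched."""
    hits = []
    for seg_lo, seg_hi, action, num in evaluate_range(rules, proto, addr, lo, hi):
        if action != "deny" or num == "*":
            continue
        for r in rules:
            if (r.action == "allow" and r.number > num and r.applies(proto, addr)
                    and r.ports[0] <= seg_hi and r.ports[1] >= seg_lo):
                hits.append((num, r.number, (seg_lo, seg_hi)))
    return hits

def route_target(routes, dest):
    """Longest-prefix match over [(cidr, target)]; None when no route covers dest."""
    d, best = ipaddress.ip_address(dest), None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def diagnose(src, dst, proto, port, src_nacl, dst_nacl, src_routes):
    """Source route check plus the four stateless NACL legs; returns (leg, detail) findings."""
    findings = []
    if route_target(src_routes, dst) is None:
        findings.append(("route", f"no route from the source subnet to {dst}"))
    # Inbound rules match the packet's source address, outbound rules its destination,
    # so the two return legs swap the addresses and cover the whole EPHEMERAL range.
    legs = [("src outbound request", src_nacl["outbound"], dst, (port, port)),
            ("dst inbound request", dst_nacl["inbound"], src, (port, port)),
            ("dst outbound return", dst_nacl["outbound"], src, EPHEMERAL),
            ("src inbound return", src_nacl["inbound"], dst, EPHEMERAL)]
    for leg, rules, addr, (lo, hi) in legs:
        for seg_lo, seg_hi, action, num in evaluate_range(rules, proto, addr, lo, hi):
            if action == "deny":
                findings.append((leg, f"ports {seg_lo}-{seg_hi} denied by rule {num}"))
        for deny_num, allow_num, (s_lo, s_hi) in shadowed_denies(rules, proto, addr, lo, hi):
            findings.append((leg, f"deny {deny_num} shadows allow {allow_num} on ports {s_lo}-{s_hi}"))
    return findings

def diagnose_reject(flow_log_line, src_nacl, dst_nacl, src_routes):
    """Map a default-format (version 2) VPC Flow Log REJECT record to the NACL or route gap."""
    f = flow_log_line.split()
    src, dst, srcport, dstport, action = f[3], f[4], int(f[5]), int(f[6]), f[12]
    if action != "REJECT":
        return []
    proto = {"6": "tcp", "17": "udp", "1": "icmp"}.get(f[7], f[7])
    if srcport < dstport:  # heuristic: the lower port is the service port, so this is the reply leg
        return diagnose(dst, src, proto, srcport, src_nacl, dst_nacl, src_routes)
    return diagnose(src, dst, proto, dstport, src_nacl, dst_nacl, src_routes)

# Constructed scenario (not from the page): app subnet 10.0.1.0/24 -> db subnet 10.0.2.0/24 on TCP 5432.
APP_NACL = {"inbound": [NaclRule(90, "tcp", "10.0.0.0/8", (1024, 2047), "deny"),  # shadows part of 100
                        NaclRule(100, "tcp", "10.0.0.0/8", (1024, 65535), "allow")],
            "outbound": [NaclRule(100, "-1", "0.0.0.0/0", (0, 65535), "allow")]}
DB_NACL = {"inbound": [NaclRule(100, "tcp", "10.0.1.0/24", (5432, 5432), "allow")],
           "outbound": [NaclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]}  # no ephemeral allow
APP_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]  # NAT id is a placeholder
# Constructed flow-log record: the db -> app reply packet, rejected on the db subnet.
RETURN_RECORD = ("2 123456789012 eni-PLACEHOLDER 10.0.2.20 10.0.1.10 5432 43210 6 "
                 "1 40 1700000000 1700000060 REJECT OK")

if __name__ == "__main__":
    for leg, detail in diagnose_reject(RETURN_RECORD, APP_NACL, DB_NACL, APP_ROUTES):
        print(f"{leg}: {detail}")
```

Run as-is, the constructed REJECT resolves to three findings: the database subnet's outbound NACL denies all of 1024-65535 by the implicit `*` rule (the missing return-path allow from step 2), and the app subnet's inbound NACL both denies 1024-2047 under rule 90 and has that rule shadowing allow 100 on the same ports (step 3). The request legs and the route pass, which is the step-6 signal that the fix belongs in the NACL layer, not in security groups. Port-range evaluation is done with interval splitting rather than per-port loops so that a partly covered ephemeral range reports exactly which ports are still denied, which is the number a practitioner needs for the rule they add.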
