Network Path Analyzer

Overview of Network Path Analyzer

Network Path Analyzer (NPA) provides a unified and intuitive capability you can use to identify virtual network configuration issues that impact connectivity. NPA collects and analyzes the network configuration to determine how the paths between the source and the destination function or fail. No actual traffic is sent, instead the configuration is examined and used to confirm reachability.

NPA carefully examines routing and security configurations and identifies the potential network path your defined traffic traverses, along with information about virtual networking entities in the path. In addition to the path information, output of these checks includes how routing rules and network access lists (security lists, NSGs, and so on) allow or deny traffic. The sources and destinations could be within OCI, or across OCI and on-premises, or OCI and internet. NPA analyzes all the standard OCI networking elements with their associated configuration.

Using NPA, you can:

Troubleshoot routing and security misconfigurations that are causing connectivity issues
Validate that the logical network paths match your intent
Verify that the virtual network connectivity setup works as expected before starting to send traffic

To achieve any of these objectives, create a test that you think should work and then run the test. You can also save this test definition to run it again later. Saved tests are displayed in the Network Path Analyzer page for you to select.

The following source and destination scenarios are supported:

OCI to OCI
OCI to on-premises
On-premises to OCI
Internet to OCI
OCI to internet

Tests can be defined for the following parameters:

Source options	Destination options	Protocol	Port Information	Bi-directional flag
An IP address (within OCI, on-premises or internet) Compute instance VNIC LBaaS NLB	An IP address (within OCI, on-premises or internet) Compute instance VNIC LBaaS NLB	Any IP protocol supported in the current security list.	Depending on the protocol type provided: Destination port Source port ICMP options	A bidirectional check flag, enabled by default for TCP and UDP. You have the flexibility to turn off this flag to check unidirectional connectivity and path (source to destination). This flag is disabled for non- TCP/UDP protocols.

Source options

Destination options

Protocol

Port Information

Bi-directional flag

An IP address (within OCI, on-premises or internet)
Compute instance VNIC
LBaaS
NLB

An IP address (within OCI, on-premises or internet)
Compute instance VNIC
LBaaS
NLB

Any IP protocol supported in the current security list.

Depending on the protocol type provided:

Destination port
Source port
ICMP options

A bidirectional check flag, enabled by default for TCP and UDP. You have the flexibility to turn off this flag to check unidirectional connectivity and path (source to destination). This flag is disabled for non- TCP/UDP protocols.

An analysis is done using a full configuration snapshot, but the resulting network path displayed is limited to the entities that you have permission to view. When you do not have the needed permission to view objects in the path, the test output does not show those objects or any further details.

Network Path Analyzer uses Batfish, an open source network configuration analysis library. NPA uses Batfish to perform reachability analysis and identify configuration errors. Intentionet maintains the Batfish library.

Required Permissions

Oracle recommends that you always set the following permissions policies at the tenancy level (setting these permissions at a compartment level can make the path analysis results less accurate) to use Network Path Analyzer:

allow group <group-name> to manage vn-path-analyzer-test in tenancy 
allow any-user to inspect compartments in tenancy where all { request.principal.type = 'vnpa-service' }
allow any-user to read instances in tenancy where all { request.principal.type = 'vnpa-service' }
allow any-user to read virtual-network-family in tenancy where all { request.principal.type = 'vnpa-service' }
allow any-user to read load-balancers in tenancy where all { request.principal.type = 'vnpa-service' }
allow any-user to read network-security-group in tenancy where all { request.principal.type = 'vnpa-service' }

Where <group-name> is the name of the administrator group for networking resources.

Note

Granting permissions to use this tool might lead to overexposure of information about network configuration and network security settings to a user of the tool. Observing reachability status can be used by a malicious user to infer the presence of network services and related routing and security information. Access to the tool should be given only to trusted users and administrators.

Refer to the path-analyzer-test section of Details for the Network Monitoring Service for more details on NPA permissions.

Known caveats and limitations

The following NPA use cases are unsupported:

Source and destinations that are within the same subnet and with a different Private IP will produce incorrect results.
When a subnet's route table has a next-hop defined as a private IP, it might incorrectly show the status as No-Route.
If LPGs are peered across tenancies, the response for the Path Analysis is Indeterminate.
If RPC connections cross tenancies or regions, the response for the Path Analysis is Indeterminate.
NPA does not support IPv6. IPv6 addresses cannot be used as sources or destinations. IPv6 routing and security settings are ignored and do not affect the results.
NPA does not detect routing loops, and if routing loops are present the results can be inconclusive or indicate a failure.
Intra-VCN routing and internet gateway routing are not yet supported in NPA and can cause inaccurate Path Analysis results.
Currently NPA will not function if the number of compartments in the tenancy requesting the Path Analysis is more than 100. For these tenancies you must raise a support request to use NPA.

Special use cases

When some entities are in the path for a path analysis and they are neither the source or the destination, the following behaviors are seen. You can use the indicated solution for these use cases, if one is available.

Node in Path	NPA Outcome	Solution
Network Virtual Appliance (NVA)	Indeterminate	Create two Path Analysis checks, one from the source to the NVA and one from the NVA to the destination.
NLB deployed in non-transparent mode with SNAT configured	No Route	Create two Path Analysis checks, one from the source to the NLB and one from the NLB to the destination.
Network Load Balancer in transparent mode	Indeterminate	Create two Path Analysis checks, one from the source to the NLB and one from the NLB to the destination.
Load Balancer	No Route	Create two Path Analysis checks, one from the source to the LB and one from the LB to the destination.
FWaaS	Indeterminate	Create two Path Analysis checks, one from the source to the FWaaS and one from the FWaaS to the destination.
Cross-region using RPC	Indeterminate	Create two Path Analysis checks, one for each region.
Cross-tenancy using LPG	Indeterminate	Create two Path Analysis checks, one for each tenancy.
DRG v1	Indeterminate	Upgrade to DRG v2.

The following diagram shows one of the use cases where the path analysis must be split in two.

Figure showing a situation where a path analysis must be split in two.

Working with Network Path Analyzer

Using the Console

Creating a Network Path Analysis

In the Console, confirm you're viewing the wanted region and compartment.
Open the navigation menu, click Networking, and then click Network Path Analyzer, found in the Network Command Center group.
Click Create Network Path Analysis.
Assign the following parameters and attributes to the analysis:
1. Name: A descriptive name for the Network Path Analysis. It doesn't have to be unique, and it cannot be changed later in the Console. Avoid entering confidential information. If you don't choose a name, one is generated for you.
2. Create in Compartment: The default is the current viewing compartment.
3. Protocol: You can choose TCP, UDP, ICMP, SSH, or many other protocol types. You can also specify the source and destination ports.
4. Source: Select a resource that begins the path you are testing.
  
  You can provide the IP address of the source, or you can find an OCI resource to use as the source. The supported OCI resource types include subnet IP address, VLAN IP address, VNIC on a compute instance, VNIC, LB, or NLB. Once you've selected a type, choose a specific resource from the list of resources with that type.
  
  When subnet IP address is selected as an option, the specified IP address must belong to one of the subnet CIDRs. The IP itself does not have to be active.
5. Destination: Select a resource that ends the path you are testing.
  You can provide the IP address of the destination, or you can find an OCI resource to use as the destination. The supported OCI resource types include subnet IP address, VLAN IP address, VNIC on a compute instance, VNIC, LB, or NLB. Once you've selected a type, choose a specific resource from the list of resources with that type. When designating an OCI LB or NLB as a destination, you need to specify which listener you would like to use for the analysis.
  Note
  
  When using IP addresses to select the source or destination of a path analysis, the following scenarios may occur due to your network configuration and create ambiguity that will prevent the NPA analysis or make an NPA analysis based on an unintended source or destination:
  1. VCNs with overlapping CIDRs: In this situation, if you specify an IP address that belongs to the overlapped portion of the CIDR, NPA will not be able to determine which VCN and VCN subnet the IP address belongs to. NPA will not perform the path analysis. To resolve this issue, use the find resource option and select the source or destination by specifying its type and selecting from available resources of that type.
  2. VCN and On-premises network with overlapping CIDRs In this case, one or more VCNs have CIDRs that overlap with your on-premises network. If you select an IP address in the overlapped CIDR, NPA will not be able to determine where the endpoint is. In this scenario, NPA will assume the endpoint is in the on-premises network and perform the path analysis accordingly. If you intend to select an endpoint in a VCN subnet, use the find resource option and select the source or destination by specifying its type and selecting from available resources of that type.
6. Test direction: Choose between Bi-directional to test both the forward and reverse paths, or Uni-directional to test the forward path only. These choices are mutually exclusive.
(Optional) Tags: You can optionally apply a tag to the test you create, to do this click Show tagging options. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
Click Run analysis.

The test you have configured runs, which might take up to a minute or more (depending on the total number of hops needed) to complete. See Step 4 onward for details on running tests. Since you might not want to save every test you run, you cannot save the test yet.
(Optional) After you run the test, click Save analysis to save your new analysis parameters.
(Optional) Click Cancel to exit the Path Analysis workflow without saving the test.

Running a Path Analysis

A path analysis can be run after it has been saved, or immediately after it has been configured. If you are running a path analysis immediately after configuring it, skip to step 4.

To run a previously configured path analysis in the Console, confirm you're viewing the wanted region and compartment.
Open the navigation menu, click Networking, and then click Network Path Analyzer, found in the Network Command Center group.
Click the name of a previously saved analysis, then click Run Analysis.
Allow the analysis to run, which might take up to a minute to complete. Traffic does not need to actually traverse the network. Network Path Analyzer collects and analyzes the network configuration to determine how the paths between the source and the destination function or fail.
After the analysis runs, the screen shows the options configured for the analysis and might produce up to eight possible paths discovered between source and destination.
Each tab representing a path has a visualization of the forward path and (if configured) the return path for traffic between the source and destination.

The diagram for a successful test shows green arrows representing each successful hop between nodes in the overall path. The Path Status is Reachable.

An unsuccessful test shows green arrows representing each successful hop in the overall path, and a red arrow for the hop or network segment that is unreachable.
Click View diagram information to see more detail on each hop. You can determine whether a hop failed because of a misconfiguration in a specific node's routing or security configuration. You can also click a specific arrow to get details about a particular hop.
Routing info for the hop can be forwarded (when the relevant route table allows the traffic), no route (when the route table does not explicitly allow the traffic or security blocks traffic), or indeterminate (when the route table can't be analyzed). The info provided links directly to the relevant route rule if the node is an OCI resource. Indeterminate states can be caused by your console account not having the required permissions, or because the node routing information is unavailable for any other reason.

Security info for the hop can be allowed, blocked, or indeterminate. The info provided links directly to the relevant security list or rule if the node is an OCI resource. Indeterminate states can be caused by your console account not having the required permissions, or when the node security information is unavailable for any reason.
(Optional) After you run the test, click Save Analysis to save any changes to the test.
(Optional) After you run the test, click Previous and make changes to the analysis.
(Optional) Click Cancel to exit the workflow without saving the test.

Moving a Path Analysis to a different compartment

Open the navigation menu, click Networking, and then click Network Path Analyzer, found in the Network Command Center group.
Find the Path Analysis in the list, click the Actions menu, and then click Move Resource.
Choose the destination compartment from the list.
Click Move Resource.

Deleting a Path Analysis

Open the navigation menu, click Networking, and then click Network Path Analyzer, found in the Network Command Center group.
Find the Path Analysis in the list, click the Actions menu, and then click Delete.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Network Path Analyzer uses the following Network Monitoring API operations.

Oracle Cloud Infrastructure Documentation