Introducing Oracle Cloud Network Path Analyzer

June 28, 2022 | 9 minute read
Lilian Quan
Senior Principal Solutions Architect
Text Size 100%:


Organizations are deploying more workloads in the public clouds with increasingly complicated business requirements. This shift has led to increased scale and complexity in their cloud networks. More cloud network functions and design options for connectivity and security policy controls have been made available to accommodate the various business needs.

While our customers are embracing these rich network functionalities and flexible options, they’re also facing new types of challenges of managing and operating the larger and more complex cloud networks. We have recognized these challenges and taken it as our mission to provide you with a good set of network operations tools to make your jobs easier.

So, we have enabled a comprehensive set of metrics, flow visibility, and event logging to monitor network status and performance and an interactive network visualizer to visualize the network topology, connectivity status, and policy relationship. Now we’re introducing Network Path Analyzer as the newest member in the family of operations tools for easy network troubleshooting and configuration validation.

Oracle Cloud Network Path Analyzer is a powerful new tool for you to efficiently troubleshoot endpoint reachability issues in your hybrid and Oracle Cloud Infrastructure (OCI) networks. Oracle Cloud Network Path Analyzer takes both routing connectivity information and policy configuration and provides a visualization of the network path. With troubleshooting, it also helps you validate your network configuration during the initial deployment or the ongoing configuration change management.

What is Network Path Analyzer?

Network Path Analyzer is a network reachability analysis tool based on the real-time network configuration. Its primary data input is the network routing and security configuration in a customer tenancy, augmented with key network runtime state data, such as the status of a load balancer backend set or the state of a FastConnect virtual circuit. Under the hood, it uses Batfish for reachability analysis and to identify configuration errors. Batfish is an open source network configuration analysis tool maintained by Intentionet

Reachability for successful communication between endpoints in a network requires two equally important elements: Network connectivity and the appropriate security policies. Network connectivity between the endpoints builds possible paths for them to reach each other. The appropriate security policies along the path permit the communication between the endpoints. Only when the two pieces are both readily in place can the required reachability between the endpoints for the higher-level application functions be established.

By analyzing both dimensions thoroughly, Network Path Analyzer answers the following questions that are essential for the cloud network operations team to obtain an accurate and deep understanding of endpoint reachability in their cloud networks:

  • Can the two endpoints reach each other as the business needs them to?

  • If they can’t, why? What is missing?

  • If they can, how? Over which routing paths, using which security policies?

Finding the answers to these questions in a complex network can be labor-intensive and time-consuming. It involves analyzing the virtual network topologies, carefully walking through multiple route tables, scrutinizing different networks security groups (NSGs) or security lists along the multihop network paths. If done manually, it can be error-prone.

Network Path Analyzer turns this complicated and painful task into an automated reasoning process. To its users, the experience is equivalent to providing the parameters to a formula for automatic calculation. The parameters include the endpoints info, the communication protocol, as well as the source and destination ports. The outcomes of the calculation are the routing and security policy insights about the endpoint reachability. Network Path Analyzer also visualizes the network paths in the presentation of the analysis results.

Since most application communications are bi-directional, Network Path Analyzer is designed with the capability of bidirectional path analysis between a pair of endpoints.

Network Path Analyzer is a great network troubleshooting tool. Additionally, since it doesn’t use or need any traffic along the network paths because it operates solely on the configuration and runtime state data, it is also an effective tool for proactive configuration validation.

Benefits of Network Path Analyzer

Armed with Network Path Analyzer, you can realize the following benefits:

  • Troubleshoot reachability issues caused by misconfiguration much faster, significantly reducing the Mean Time to Resolution (MTTR) for this type of outage

  • Proactively verify and validate the network routing and security policy configuration for your reachability intents before even starting to send application traffic

  • A tool to perform on-demand validation of the logical network paths to match your intent

You can use Network Path Analyzer to analyze network paths within your OCI networks, or your hybrid cloud or multicloud networks where your on-premises sites or third-party cloud sites are connected to your OCI network through FastConnect virtual circuits or VPN tunnels. To support the common network designs with redundant paths, Network Path analyzer can analyze and visualize up to eight equal-cost-multi-pathing (ECMP) network paths between a pair of endpoints.

Network Path Analyzer is offered to our customers as a free service in all OCI regions. For more information, refer to the documentation.

How to use Network Path Analyzer

Network Path Analyzer is directly available under Networking on the Oracle Cloud Console. You only need to create a path analysis and run it. An API is available for you to programmatically create, manage, and run your path analyses.

When creating a path analysis, specify the source and destination endpoints, the network protocol and the source and the destination ports. For endpoints, you can select an IP address or an OCI resource. The viable OCI resource options include an IP address from a VCN subnet, a compute instance virtual network interface card (VNIC), an application load balancer or a network load balancer.

The following example creates an analysis between an on-premises IP device and a network load balancer in OCI. The communication travels through TCP from any source ports to the destination port 443.

create a path analysis

After creating a path analysis, you can run it by clicking the Run Analysis button and leae the rest to Network Path Analyzer. Depending on the complexity and the scale of your tenancy network configuration, it can take a few minutes to complete the analysis. The results are rendered with a visual graph of the path that’s enriched with hop-by-hop routing and policy information. The following image shows the result of the example path analysis.

Path Analysis Result Example

You can expand each hop in the displayed path to reveal more detail information, including the involved network components at this hop, the route table and the route rule that define the connectivity, and the NSG or security list rules for the policy control. The following image shows the expanded view of hop 4:

Details per Hop in a Path Analysis result

If no valid end-to-end path exists between the source and destination endpoints, Network Path Analyzer shows the partial path until the first missing link. It also tells you what’s missing, either a missing route in a route table or a missing security policy in an NSG or a security list.

Speed up troubleshooting with Network Path Analyzer

Many network issues are caused by misconfiguration. Having a good tool to analyze and verify the network configuration can directly improve the efficiency of the entire troubleshooting process and significantly reduce the MTTR. Network Path Analyzer automates the time-consuming configuration analysis process to a quick, easy task with high fidelity results.

Network Path Analyzer can quickly diagnose the routing and security policy configuration and tell you if a broken reachability is caused by misconfiguration. If it is, Network Path Analyzer also tells you what’s missing or wrong in the configuration, either incorrect routing, or lacking a required security rules in an NSG or security list. The displayed results also have embedded URLs for the involved network components that take you directly to where the problem is in the Console. You can directly cross-check the configuration on the console. If applicable, you can make the correction there. This availability facilitates a smoothly integrated workflow from Network Path Analyzer to the Console to resolve the pinpointed configuration issue.

Network Path Analyzer can assist with your troubleshooting process for the following reachability-related scenarios:

  • Virtual machines (VMs) in your multi-VCN applications can’t communicate with each other. You want to check the configured path.

  • Your frontend web server in a multitier application can’t reach the load balancer VIP of the application tier.

  • Your load balancer can’t reach some of the backends.

  • An on-premises endpoint in your hybrid cloud application can’t reach an OCI instance.

  • Your on-premises site can’t access a cloud application hosted by your Oracle instances.

Now let’s see how Network Path Analyzer can speed up your troubleshooting through some example cases.

Scenario 1

A cloud frontend instance can’t communicate with the application tier.

In this scenario, the frontend web server instance of a multitier application can’t access the network load balancer VIP of the application tier. Network Path Analyzer reveals that the routing connectivity is available between the two tiers, but the security list of the network load balancer subnet is missing the ingress policy to allow traffic from the web tier to the destination port 443.

Path Analysis example 1 for a broken path

Scenario 2

An on-premises instance can’t communicate with the application tier in the cloud.

In this scenario, the application tier is fronted by a network load balancer in the customer’s VCN. A bidirectional path analysis between the on-premises endpoint and the load balancer front-end determines that the issue is in the return path. While the forward path from the endpoint to the load balancer has the right routing connectivity and security policies, the first hop in the return path doesn’t have a route to reach back to the on-premises endpoint. The load balancer subnet route table doesn’t have a route for the on-premises subnet. With these insights, the investigation for this outage is concluded in a matter of a few minutes instead of hours.

Path Analysis example 2 for a broken path

Validate network configuration for intended reachability with Network Path Analyzer

Because Network Path Analyzer doesn’t require the actual application traffic to run through the network, you can use it for proactive configuration validation before any outages happen or even before the application goes online. For example, if the path analyses in the last section are carried out as precautious verification tests after the network configuration is implemented, the operations team can catch the mistakes in the configuration and prevent the actual outages.

With Network Path Analyzer, you can proactively create path analyses for your critical application communications and run them on-demand at any time. This effective tool helps you proactively validate your OCI network configuration against the intended reachability for your mission critical applications and business needs.

Another example includes network migration. A customer was migrating one of their on-premises applications to OCI. They deployed the OCI network with corresponding VCNs, subnets, Dynamic Routing Gateway, FastConnect, and routing. However, communication to the instances in the migrated subnet wasn’t working because their on-premises network was incorrectly configured to advertise an overlapping route for the migrated subnet.

As a result, traffic to the migrated network was taking a wrong path to the on-premises network. Network Path Analyzer can help them validate their configuration in advance and detect this misconfiguration before they moved the application workload to this subnet.

Network Path Analyzer can help shift the cloud network operations from reactive to proactive. If inserted into your configuration management workflow, it enables you to perform intent-based network configuration verification, starting from the initial configuration deployment and continuing with the ongoing change management.


Simplifying cloud network operations and increasing the operational efficiency are critical for our customers’ success in bringing and running their business in OCI. Network Path Analyzer is a tool to assist troubleshooting reachability issue by quickly identifying misconfiguration and reduce the MTTR caused by configuration issues. It’s also an effective tool for customers to proactively verify their network configuration against their reachability intents, so that they can proactively catch and correct misconfiguration and reduce outages.

At Oracle Cloud Infrastructure, we continuously enhance and evolve the cloud network operations tool set for our customers. We aim to help our customers retain operational simplicity and increase operational efficiency, while providing them with more advanced cloud network functions. Stay tuned for our newest developments!

Lilian Quan

Senior Principal Solutions Architect

Previous Post

Announcing contextual notifications for simpler notifications setup

Kay Singh | 4 min read

Next Post

Jump-start a KVM deployment with Oracle Linux in OCI

Julie Wong | 5 min read