Practical guides on AWS cost optimization, network topology, and compliance for engineering teams.
Define which environment groups must never connect — production ↔ staging, CDE ↔ development — and Netway checks on every scan whether a routing path exists between them. How the BFS engine works, common configurations, and what isolation rules explicitly don't cover.
VPC Flow Logs not showing up in CloudWatch or S3? Run one CLI command to get DeliverLogsErrorMessage — it tells you exactly what's broken. Covers IAM permission gaps, missing log groups, delivery delays, and wrong region.

IAM policy looks correct but S3 returns AccessDenied from a private subnet? Without a VPC Gateway Endpoint, traffic goes through NAT Gateway to S3's public endpoint. A free endpoint fixes it — and eliminates the $0.045/GB NAT charge on S3 traffic.

A NAT Gateway in Failed state can't be recovered — it must be deleted and recreated. But first, check FailureCode: the three causes are no available Elastic IP (EIP limit), wrong subnet type (private instead of public), or no Internet Gateway on the VPC.

VPC peering fails when both VPCs share overlapping IP ranges — common when both were created with AWS's default 10.0.0.0/16. You can't change a VPC's primary CIDR. Your options: add a secondary CIDR, use PrivateLink, or recreate one VPC.

A blackhole route means the route target (NAT Gateway, EC2 instance, VPC endpoint) no longer exists — packets are silently dropped. One CLI command finds all blackhole routes across every route table. AWS does not clean them up automatically.

Internet Gateway itself is free — no hourly charge. The costs on your bill come from EC2 data transfer at $0.09/GB. Here's the full breakdown of what you pay, why private subnet traffic costs more than public, and how to reduce it.

NAT Gateway charges $0.045/hr plus $0.045/GB processed. Here's what that means in practice — with monthly cost examples for small, medium, and high-throughput environments — and a comparison against VPC endpoints.

The AWS console shows you individual VPCs, not the map. This post covers five approaches — VPC Resource Map, Network Manager, Reachability Analyzer, CLI scripting, and dedicated tools — with what each shows and where it breaks down.

VPC Flow Logs record metadata about every network connection in your VPC — and they're the only source that tells you what your NAT Gateway is actually processing. Four Athena queries to find S3-via-NAT, cross-AZ traffic, internet egress by instance, and daily NAT cost breakdowns.

NAT Gateway silently processes traffic it was never meant to handle — S3 calls, AWS API traffic, ML checkpoints — because that's what the default private subnet setup produces. Here are the four patterns driving your bill and the exact commands to fix each one.

Most teams configure segmentation controls and then rely on an annual pen test to prove they work. QSAs increasingly ask how you know the controls are working today — not at the time of the last test. Here's what routing-plane evidence looks like and how to generate it automatically.

Transit Gateway route tables isolate environments at the TGW layer. But VPC peerings bypass that layer entirely — and they don't appear in the TGW console. One forgotten debugging peering is all it takes to create a direct path from staging into a PCI-scoped production VPC.

At seven VPCs, nobody has a complete picture anymore. The AWS console shows you the parts but not the map — no cross-account view, no reachability analysis, no environment context. Here's how topology drift happens and how to get visibility back automatically.

We built a representative 7-VPC environment and ran one Netway scan. We found an isolation breach that bypasses Transit Gateway isolation, a CIDR conflict waiting to cause a routing failure, orphaned VPCs nobody knew about, and S3 traffic silently accumulating NAT charges. None of them were visible in the AWS console.

S3 traffic routing through NAT. Cross-AZ database queries. GPU training jobs paying internet egress rates. These patterns exist in most AWS environments — and AWS won't tell you which resources are responsible. Here's how to surface and fix them automatically.