np-guard · ShiriMoran · Sep 9, 2024 · Sep 8, 2024 · Sep 8, 2024 · Sep 8, 2024
diff --git a/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt
@@ -0,0 +1,62 @@
+Explaining connectivity from private2 to private1 within mixed
+Interpreted source: r1[10.240.48.198]
+Interpreted destination: q2[10.240.32.122], q1[10.240.32.91]
+==============================================================
+
+Connections from r1[10.240.48.198] to q1[10.240.32.91]: No Connections
+
+Path:
+	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
+	subnet private1 -> network ACL acl1 -> security group GroupId:15 -> q1[10.240.32.91]
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Egress:
+		security group GroupId:22 allows connection with the following allow rules
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 9080-9080
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: inbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+		security group GroupId:15 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: udp, dstPorts: 0-65535
+
+------------------------------------------------------------------------------------------------------------------------
+
+Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
+
+Path:
+	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
+	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
+
+
+Details:
+~~~~~~~~
+Path is enabled; The relevant rules are:
+	Egress:
+		security group GroupId:22 allows connection with the following allow rules
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 9080-9080
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: inbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+		security group GroupId:9 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Egress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, direction: inbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/awsvpc/explainability_test.go b/pkg/awsvpc/explainability_test.go
@@ -34,6 +34,7 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 		DetailExplain: true,
 	},
 	// existing sub-connection between two endpoints of the same subnet
+	// todo: https://github.com/np-guard/vpc-network-config-analyzer/issues/859
 	{
 		Name:          "same_subnet_partial_connection",
 		InputConfig:   "aws_mixed",
@@ -44,10 +45,10 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 	},
 	// no connection between two endpoints of the same subnet
 	{
-		Name:          "same_subnet_no_connection",
+		Name:          "subnet_to_subnet",
 		InputConfig:   "aws_mixed",
-		ESrc:          "10.240.0.96",
-		EDst:          "10.240.3.70",
+		ESrc:          "private2",
+		EDst:          "private1",
 		Format:        vpcmodel.Text,
 		DetailExplain: true,
 	},

diff --git a/pkg/ibmvpc/examples/out/explain_out/externalToSubnet_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/externalToSubnet_all_vpcs_explain_detail.txt
@@ -0,0 +1,65 @@
+Explaining connectivity from 161.26.0.0 to subnet3-ky within test-vpc1-ky
+Interpreted source: 161.26.0.0 (external)
+Interpreted destination: vsi3a-ky[10.240.30.5], vsi3b-ky[10.240.30.4], db-endpoint-gateway-ky[10.240.30.6]
+=========================================================================
+
+No connections from Public Internet 161.26.0.0/32 to db-endpoint-gateway-ky[10.240.30.6];
+	connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg3-ky does not allow connection
+
+Path:
+	Public Internet 161.26.0.0/32 -> 
+	| no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Ingress:
+		network ACL acl3-ky allows connection with the following allow rules
+			direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+		security group sg3-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
+No connections from Public Internet 161.26.0.0/32 to vsi3a-ky[10.240.30.5];
+	connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg3-ky does not allow connection
+
+Path:
+	Public Internet 161.26.0.0/32 -> 
+	| no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Ingress:
+		network ACL acl3-ky allows connection with the following allow rules
+			direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+		security group sg3-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
+No connections from Public Internet 161.26.0.0/32 to vsi3b-ky[10.240.30.4];
+	connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg2-ky does not allow connection
+
+Path:
+	Public Internet 161.26.0.0/32 -> 
+	| no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Ingress:
+		network ACL acl3-ky allows connection with the following allow rules
+			direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+		security group sg2-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/subnetToVsiSingleVpc_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/subnetToVsiSingleVpc_all_vpcs_explain_detail.txt
@@ -0,0 +1,31 @@
+Explaining connectivity from subnet1-ky to 10.240.20.4 within test-vpc1-ky
+Interpreted source: vsi1-ky[10.240.10.4]
+Interpreted destination: vsi2-ky[10.240.20.4]
+==========================================================================
+
+No connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4];
+	connection is blocked at egress
+
+Egress: security group sg1-ky does not allow connection; network ACL acl1-ky allows connection
+Ingress: network ACL acl2-ky allows connection; security group sg2-ky allows connection
+
+Path:
+	vsi1-ky[10.240.10.4] -> | security group sg1-ky |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Egress:
+		security group sg1-ky has no relevant allow rules
+		network ACL acl1-ky allows connection with the following allow rules
+			direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+
+	Ingress:
+		network ACL acl2-ky allows connection with the following allow rules
+			direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+		security group sg2-ky allows connection with the following allow rules
+			direction: inbound, id: id:147, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, conns: protocol: all
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwSubnetToSubnet_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwSubnetToSubnet_all_vpcs_explain.txt
@@ -0,0 +1,17 @@
+Explaining connectivity from test-vpc1-ky/subnet11-ky to subnet32-ky
+Interpreted source: test-vpc1-ky/vsi11-ky[10.240.11.4]
+Interpreted destination: test-vpc3-ky/vsi32-ky[10.240.128.4]
+====================================================================
+
+No connections from test-vpc1-ky/vsi11-ky[10.240.11.4] to test-vpc3-ky/vsi32-ky[10.240.128.4];
+	connection is blocked at egress
+
+Egress: security group sg11-ky allows connection; network ACL acl11-ky blocks connection
+cross-vpc-connection: transit-connection tg_connection3 of transit-gateway local-tg-ky allows connection
+Ingress: network ACL acl31-ky allows connection; security group sg31-ky allows connection
+
+Path:
+	vsi11-ky[10.240.11.4] -> security group sg11-ky -> | network ACL acl11-ky |
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/explainability_test.go b/pkg/ibmvpc/explainability_test.go
@@ -78,6 +78,22 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 		Format:        vpcmodel.Text,
 		DetailExplain: true,
 	},
+	{
+		Name:          "subnetToVsiSingleVpc",
+		InputConfig:   "sg_testing1_new",
+		ESrc:          "subnet1-ky",
+		EDst:          "10.240.20.4",
+		Format:        vpcmodel.Text,
+		DetailExplain: true,
+	},
+	{
+		Name:          "externalToSubnet",
+		InputConfig:   "sg_testing1_new",
+		ESrc:          "161.26.0.0",
+		EDst:          "subnet3-ky",
+		Format:        vpcmodel.Text,
+		DetailExplain: true,
+	},
 	{
 		Name:          "SimpleExternalSG1",
 		InputConfig:   "sg_testing1_new",
@@ -585,6 +601,13 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 		Format:        vpcmodel.Text,
 		DetailExplain: true,
 	},
+	{
+		Name:        "tgwSubnetToSubnet",
+		InputConfig: "tgw_larger_example",
+		ESrc:        "test-vpc1-ky/subnet11-ky",
+		EDst:        "subnet32-ky",
+		Format:      vpcmodel.Text,
+	},
 	// connection disabled by lack of cross-vpc router (tgw)
 	{
 		Name:          "multiVPCNoCrossVPCRouter",
@@ -759,8 +782,9 @@ func TestInputValiditySingleVPCContext(t *testing.T) {
 	// should fail since vsi's name has a typo
 	_, err5 := vpcConfigSg1.ExplainConnectivity(existingVsi, nonExistingVsi, nil)
 	fmt.Println(err5.Error())
-	require.NotNil(t, err5, "the test should fail since dst non existing vsi")
-	require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, or endpoint name", err5.Error())
+	require.NotNil(t, err5, "the test should fail since dst non existing vsi/subnet")
+	require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name",
+		err5.Error())
 
 	// should fail since src and dst are identical
 	_, err6 := vpcConfigSg1.ExplainConnectivity("10.240.10.4/32", "10.240.10.4", nil)
@@ -815,21 +839,23 @@ func TestInputValidityMultipleVPCContext(t *testing.T) {
 	_, err5 := vpcConfigMultiVpc.ExplainConnectivity(existingVsi, nonExistingVsi, nil)
 	fmt.Println(err5.Error())
 	require.NotNil(t, err5, "the test should fail since dst non existing vsi")
-	require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, or endpoint name", err5.Error())
+	require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name",
+		err5.Error())
 	fmt.Println()
 
 	// should fail since src vsi's name has a typo
 	_, err6 := vpcConfigMultiVpc.ExplainConnectivity(nonExistingVsi, existingVsi, nil)
 	fmt.Println(err6.Error())
 	require.NotNil(t, err6, "the test should fail since src non existing vsi")
-	require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, or endpoint name", err6.Error())
+	require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name",
+		err6.Error())
 	fmt.Println()
 
 	// should fail since src and dst vsi's name has a typo - err msg should be about src
 	_, err7 := vpcConfigMultiVpc.ExplainConnectivity(nonExistingVsi, existingVsi, nil)
 	fmt.Println(err7.Error())
 	require.NotNil(t, err7, "the test should fail since src and dst non existing vsi")
-	require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, or endpoint name", err7.Error())
+	require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name", err7.Error())
 	fmt.Println()
 
 	// src does not exist, dst is an internal address not connected to a vsi. should prioritize the dst error
@@ -844,7 +870,8 @@ func TestInputValidityMultipleVPCContext(t *testing.T) {
 	_, err9 := vpcConfigMultiVpc.ExplainConnectivity(cidr1, existingVsiWrongVpc, nil)
 	fmt.Println(err9.Error())
 	require.NotNil(t, err9, "the test should fail since the src vsi given with wrong vpc")
-	require.Equal(t, "illegal dst: test-vpc1-ky/vsi3a-ky is not a legal IP address, CIDR, or endpoint name", err9.Error())
+	require.Equal(t, "illegal dst: test-vpc1-ky/vsi3a-ky is not a legal IP address,"+
+		" CIDR, endpoint name or subnet name", err9.Error())
 
 	vpcConfigTgwDupNames := getConfig(t, "tgw_larger_example_dup_names")
 	dupSrcVsi := "vsi1-ky"