
Cloud Network Troubleshooting for CompTIA Network+ N10-009

Cloud network troubleshooting addresses connectivity and performance issues specific to cloud-hosted infrastructure. CompTIA Network+ N10-009 tests cloud troubleshooting as part of the Troubleshooting domain. Cloud environments introduce unique failure modes — misconfigured security groups, VPC routing issues, and hybrid connectivity problems — that require cloud-specific diagnostic approaches.


Common Cloud Network Issues

Security group misconfiguration: the most common cloud connectivity problem. A cloud instance cannot be reached because an inbound security group rule is missing or incorrect. Security groups are stateful: once an inbound rule admits a connection, its return traffic is allowed regardless of the outbound rules, and vice versa. Check that an inbound rule allows the required port and protocol from the correct source (a CIDR block or another security group), and that the correct security group is attached to the instance's network interface. Rules are per protocol, so an allow for TCP 443 does not allow ICMP; a failed ping proves nothing unless an ICMP rule exists.

VPC/subnet routing: traffic cannot flow between subnets or from a subnet to the internet. Check: the route table associated with the subnet includes the correct routes (an internet gateway route for public subnets, a NAT gateway route for private subnets); the route table matches on longest prefix, so a more specific route wins over the 0.0.0.0/0 default. Verify the internet gateway is attached to the VPC. Verify the NAT gateway has an elastic IP and sits in a public subnet, since a NAT gateway in a subnet without its own internet gateway route cannot forward anything.
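The route-table checks above, worked as an added Python example that is not code from the page or from any cloud provider: the subnets, route tables and gateways are constructed, and the identifiers vpc-01, subnet-public, subnet-private, igw-0abc and nat-0abc are placeholders. lookup_route performs the longest-prefix match a VPC router uses, and diagnose follows the path to a destination and reports a missing default route, an unattached internet gateway, a NAT gateway without an elastic IP, or a NAT gateway that is not in a public subnet.

```python
import ipaddress

VPC_ID = "vpc-01"
# Constructed sample state (not real AWS output): two subnets in one VPC and the
# gateways their default routes point at. The NAT gateway is missing its elastic
# IP, which is the fault this example surfaces for the private subnet.
SUBNETS = {
    "subnet-public": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0abc"},
    ],
    "subnet-private": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-0abc"},
    ],
}
GATEWAYS = {
    "igw-0abc": {"type": "igw", "attached_vpc": "vpc-01"},
    "nat-0abc": {"type": "nat", "elastic_ip": None, "subnet": "subnet-public"},
}


def lookup_route(routes, dst_ip):
    """Longest-prefix match over one route table, as the VPC router selects a route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def diagnose(subnet_id, dst_ip, subnets=SUBNETS, gateways=GATEWAYS, vpc_id=VPC_ID):
    """Walk the path a packet from subnet_id takes towards dst_ip and return findings.
    An empty list means every check in the text passed."""
    route = lookup_route(subnets[subnet_id], dst_ip)
    if route is None:
        return ["%s: no route matches %s (missing default route)" % (subnet_id, dst_ip)]
    target = route["target"]
    if target == "local":
        return []  # destination is inside the VPC; no gateway is involved
    gw = gateways.get(target)
    if gw is None:
        return ["%s: route target %s does not exist (blackhole route)" % (subnet_id, target)]
    findings = []
    if gw["type"] == "igw" and gw["attached_vpc"] != vpc_id:
        findings.append("%s: internet gateway %s is not attached to %s" % (subnet_id, target, vpc_id))
    if gw["type"] == "nat":
        if not gw["elastic_ip"]:
            findings.append("%s: NAT gateway %s has no elastic IP" % (subnet_id, target))
        # A NAT gateway only works from a public subnet: its own subnet must send
        # the same destination to an internet gateway, and that gateway must be attached.
        nat_route = lookup_route(subnets[gw["subnet"]], dst_ip)
        if nat_route is None or not nat_route["target"].startswith("igw-"):
            findings.append("%s: NAT gateway %s sits in %s, which has no internet gateway route"
                            % (subnet_id, target, gw["subnet"]))
        else:
            findings.extend(diagnose(gw["subnet"], dst_ip, subnets, gateways, vpc_id))
    return findings


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, diagnose(subnet, "203.0.113.10") or ["path looks correct"])
```

Adding the elastic IP to the constructed NAT gateway entry clears the only finding; removing the igw-0abc route from subnet-public instead produces the "no internet gateway route" finding for the private subnet, because its NAT gateway is no longer in a public subnet.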

Network ACL issues (cloud): cloud NACLs are stateless and applied at the subnet level. Both inbound AND outbound rules must permit the traffic (unlike security groups): for a TCP service the inbound rule admits the service port, and the outbound rule must admit the client's ephemeral port range (1024-65535) or the replies are dropped. Rules are evaluated in ascending number order and the first match wins, so a broad low-numbered deny overrides every permit after it. Check NACLs if security groups are correct but traffic still fails; a NACL whose outbound side simply mirrors the inbound rule blocks return traffic.

Hybrid Connectivity Troubleshooting

VPN to cloud: on-premises resources cannot reach the cloud VPC. Check: VPN tunnel status (both the IKE Phase 1 and the IPsec Phase 2 security associations must be up), route propagation (the cloud side must have routes to the on-premises subnets and vice versa), and security group and NACL rules on the cloud side must permit traffic from the on-premises subnets, which are not covered by rules written for the VPC CIDR.

Direct Connect / ExpressRoute: dedicated private circuit to cloud provider. If the circuit is up but traffic fails, check: BGP session status (the circuit uses BGP for route exchange), route filters (some providers require explicit route filters), VLAN configuration on the customer router.

DNS in cloud: VPC DNS resolver must be enabled for instances to resolve DNS. Hybrid environments need DNS forwarding rules: on-premises DNS forwards cloud domain queries to the cloud resolver; cloud DNS forwards corporate domain queries to on-premises DNS. Missing DNS forwarding rules break name resolution in hybrid environments.

Cloud Diagnostic Tools

Cloud provider tools: VPC Flow Logs (AWS; Azure's equivalent is Network Watcher NSG or VNet flow logs) capture metadata about traffic flowing through each network interface: source/destination IP, port, protocol, and the action (ACCEPT/REJECT). Essential for diagnosing security group and NACL issues, although a REJECT record shows that a filter dropped the packet without naming the rule. AWS Reachability Analyzer: tests the network path between two resources and reports the component (route table, security group, NACL) where traffic is blocked. Azure Network Watcher: similar, with connection troubleshoot, packet capture and topology view.

On-instance testing: SSH or RDP into a cloud instance and run the same diagnostic tools as on-premises: ping, traceroute, curl, netstat or ss. The instance's perspective confirms whether traffic issues are inbound (reaching the instance) or outbound (from the instance). Remember that ping depends on ICMP echo, which a security group allows only if an ICMP rule exists, so a failed ping to a cloud instance is not by itself evidence of a routing problem.

Key exam facts — Network+

  • Security group = instance-level, stateful; NACL = subnet-level, stateless
  • NACL requires both inbound AND outbound rules (unlike stateful security groups)
  • VPC Flow Logs: captures accept/reject decisions — diagnoses SG and NACL issues
  • Route table: public subnets need internet gateway route; private subnets need NAT gateway
  • VPN to cloud: check tunnel status, route propagation, security group rules
  • Cloud DNS: VPC resolver must be enabled; hybrid DNS needs forwarding rules
  • AWS Reachability Analyzer / Azure Network Watcher: cloud-native path troubleshooting

Common exam traps

Cloud security groups and NACLs work the same way

Security groups are stateful (return traffic is automatically allowed) and applied at the instance level. NACLs are stateless (both inbound and outbound rules are required for bidirectional traffic) and applied at the subnet level. A common error is configuring security groups correctly but forgetting the NACL outbound rule for the ephemeral port range that carries the return traffic.

Practice questions — Cloud Troubleshooting

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A cloud VM has its web server accessible on port 80 from the internet. After adding a NACL rule to deny inbound traffic from a suspicious IP range, HTTPS (port 443) stops working for all users even though no 443 rules were changed. What is the most likely cause?

A. The security group doesn't allow port 443
B. The new NACL rule has a lower rule number than the existing permit for port 443, and NACL rules are processed by number
C. The web server's SSL certificate expired
D. The NAT gateway is not configured

Correct answer: B

Explanation: NACLs process rules in ascending numerical order and stop at the first match. If the new deny rule has a lower number than the existing permit for port 443 and is written broadly enough to match legitimate clients (for example a source of 0.0.0.0/0, or all ports, instead of the suspicious range), it is matched first and all 443 traffic is denied, even though 443 was never the intended target. A deny scoped to the suspicious range only is harmless to other users whatever its number, but it must still come before (have a lower number than) the broad permit, or the permit wins and the suspicious range is never blocked. Review the new rule's source CIDR and port range first, then its number relative to the permits it is meant to override.
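The statefulness contrast from the Common Cloud Network Issues section and the rule-ordering point of this question, as one added Python example that is not code from the page or from any cloud provider: it models a stateful security group with a flow table and a stateless NACL with numbered first-match rules, then traces an HTTPS request and its reply through both. All addresses, ports and rule numbers are constructed. The last three rule sets reproduce the question: a broad low-numbered deny blocks every client, a deny scoped to 192.0.2.0/24 blocks only that range, and the same scoped deny numbered after the permit blocks nothing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One filter entry. NACLs use number and action; security groups only allow, so number is ignored."""
    number: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination port range of the packet being judged
    port_to: int
    action: str = "allow"
    proto: str = "tcp"

    def matches(self, remote_ip, dport, proto):
        return (self.proto in ("all", proto)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= dport <= self.port_to)


def nacl_decision(rules, packet, direction):
    """Stateless subnet filter: rules are tried in ascending number, the first match wins,
    and the implicit '*' rule denies anything unmatched. Each direction is judged on its own."""
    remote_ip = packet.src if direction == "inbound" else packet.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, packet.dport, packet.proto):
            return rule.action, "rule %d" % rule.number
    return "deny", "rule *"


class SecurityGroup:
    """Stateful instance filter: a packet admitted by an allow rule opens a tracked flow, and
    the reply to a tracked flow is allowed without consulting the rules for its direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()

    def decision(self, packet, direction):
        reverse = (packet.dst, packet.dport, packet.src, packet.sport, packet.proto)
        if reverse in self.flows:
            return "allow", "tracked reply"
        remote_ip = packet.src if direction == "inbound" else packet.dst
        for rule in (self.inbound if direction == "inbound" else self.outbound):
            if rule.matches(remote_ip, packet.dport, packet.proto):
                self.flows.add((packet.src, packet.sport, packet.dst, packet.dport, packet.proto))
                return "allow", "rule match"
        return "deny", "no matching allow rule"


def trace_connection(sg, nacl_inbound, nacl_outbound, request):
    """Follow a request into the instance and its reply back out, in the order the filters
    see them, stopping at the first deny. Returns [(hop, action, reason), ...]."""
    reply = Packet(request.dst, request.src, request.dport, request.sport, request.proto)
    hops = [
        ("NACL inbound (request)", lambda: nacl_decision(nacl_inbound, request, "inbound")),
        ("SG inbound (request)", lambda: sg.decision(request, "inbound")),
        ("SG outbound (reply)", lambda: sg.decision(reply, "outbound")),
        ("NACL outbound (reply)", lambda: nacl_decision(nacl_outbound, reply, "outbound")),
    ]
    trace = []
    for hop, check in hops:
        action, reason = check()
        trace.append((hop, action, reason))
        if action == "deny":
            break
    return trace


# Constructed sample traffic and rule sets (placeholders, not from any real account).
HTTPS_REQUEST = Packet("198.51.100.7", "10.0.1.10", 51234, 443)
SUSPICIOUS_REQUEST = Packet("192.0.2.55", "10.0.1.10", 40000, 443)

def web_sg():
    # Inbound 443 only; the empty outbound list shows that replies ride on state, not rules.
    return SecurityGroup(inbound=[Rule(0, "0.0.0.0/0", 443, 443)], outbound=[])

NACL_IN_OK = [Rule(100, "0.0.0.0/0", 443, 443)]
NACL_OUT_OK = [Rule(100, "0.0.0.0/0", 1024, 65535)]       # ephemeral ports carry the replies
NACL_OUT_MIRRORED = [Rule(100, "0.0.0.0/0", 443, 443)]    # copies the inbound rule: replies never match
NACL_IN_BROAD_DENY = [Rule(90, "0.0.0.0/0", 0, 65535, "deny"), Rule(100, "0.0.0.0/0", 443, 443)]
NACL_IN_SCOPED_DENY = [Rule(90, "192.0.2.0/24", 0, 65535, "deny"), Rule(100, "0.0.0.0/0", 443, 443)]
NACL_IN_DENY_TOO_LATE = [Rule(100, "0.0.0.0/0", 443, 443), Rule(200, "192.0.2.0/24", 0, 65535, "deny")]

if __name__ == "__main__":
    for label, nacl_in, nacl_out in [("correct", NACL_IN_OK, NACL_OUT_OK),
                                     ("outbound mirrors inbound", NACL_IN_OK, NACL_OUT_MIRRORED),
                                     ("broad deny numbered first", NACL_IN_BROAD_DENY, NACL_OUT_OK)]:
        print(label, trace_connection(web_sg(), nacl_in, nacl_out, HTTPS_REQUEST))
```

Run it directly to print the three traces. The NACL_OUT_MIRRORED case is the exam trap from the key facts: the security group allows the reply as a tracked flow, and the stateless NACL then drops it at the implicit deny because port 51234 is not in any outbound rule.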

Frequently asked questions — Cloud Troubleshooting

What are VPC Flow Logs and how do they help troubleshooting?

VPC Flow Logs capture metadata about IP traffic flowing through network interfaces in a VPC: source IP, destination IP, source port, destination port, protocol, packet count, byte count, and most importantly the action (ACCEPT or REJECT). When a connection fails, enable Flow Logs on the instance's network interface and check whether the request reaches it and what action was taken. A REJECT on the inbound request means a security group or NACL inbound rule dropped it; the record does not say which, so check the security group first and the NACL second. An ACCEPT on the request followed by a REJECT on the reply points at the NACL, because a stateful security group never rejects the return traffic of a connection it admitted. Flow Logs are delivered to CloudWatch Logs or S3 and queried with CloudWatch Logs Insights or Athena.
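The flow-log reading described in the Cloud Diagnostic Tools section and in this answer, as an added Python example that is not code from the page or from AWS: it parses records in the default (version 2) flow log field order, pairs each inbound request flow with its reply flow, and classifies the ACCEPT/REJECT pattern. The log lines, the account ID, the interface ID eni-0a1b2c3d and the instance address 10.0.1.10 are constructed for the example.

```python
# Constructed flow log records in the AWS default (version 2) field order, not captured
# from a real account: a client whose HTTPS request and reply are both accepted, an SSH
# probe rejected on entry, a client whose request is accepted but whose reply is rejected
# on the way out, and a NODATA record of the kind the parser must skip.
INSTANCE_IP = "10.0.1.10"
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51234 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 443 51234 6 10 9120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40211 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.10 40000 443 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.55 443 40000 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VERDICTS = {
    "inbound_filtered": "request REJECTed on entry: check SG inbound rules, then NACL inbound rules",
    "reply_filtered": ("request ACCEPTed but reply REJECTed: a stateful SG never rejects a tracked "
                       "reply, so check the NACL outbound rule for the ephemeral port range"),
    "passed_filters": "both directions ACCEPTed: SG and NACL are not the problem; check the OS firewall or the application",
    "no_reply": "request ACCEPTed but no reply record: nothing listening on that port, or a host firewall dropped it",
}


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            record = dict(zip(FIELDS, parts))
            if record["log_status"] == "OK":
                records.append(record)
    return records


def classify_flows(records, instance_ip):
    """Pair each inbound request flow with its reply flow and return {(client, port): verdict}."""
    action_by_flow = {}
    for r in records:
        action_by_flow[(r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], r["protocol"])] = r["action"]
    verdicts = {}
    for (src, sport, dst, dport, proto), action in action_by_flow.items():
        if dst != instance_ip:
            continue  # reply flows are looked up from their request below
        reply = action_by_flow.get((dst, dport, src, sport, proto))
        if action == "REJECT":
            verdict = "inbound_filtered"
        elif reply == "REJECT":
            verdict = "reply_filtered"
        elif reply == "ACCEPT":
            verdict = "passed_filters"
        else:
            verdict = "no_reply"
        verdicts[(src, dport)] = verdict
    return verdicts


if __name__ == "__main__":
    for (client, port), verdict in classify_flows(parse_flow_log(FLOW_LOG_LINES), INSTANCE_IP).items():
        print("%s -> :%s  %s" % (client, port, VERDICTS[verdict]))
```

The pairing key is the five-tuple, so a flow logged in both directions is matched exactly; a custom flow log format with a different field order needs FIELDS adjusted to match, and records aggregated over an interval can mix accepted and rejected packets of the same flow, in which case the last record for that five-tuple wins here.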
