Cloud network troubleshooting addresses connectivity and performance issues specific to cloud-hosted infrastructure. CompTIA Network+ N10-009 tests cloud troubleshooting as part of the Troubleshooting domain. Cloud environments introduce unique failure modes — misconfigured security groups, VPC routing issues, and hybrid connectivity problems — that require cloud-specific diagnostic approaches.
Security group misconfiguration: the most common cloud connectivity problem. A cloud instance cannot be reached because an inbound security group rule is missing or incorrect. Security groups are stateful — outbound traffic automatically allows return traffic. Check: inbound rules allow the required port from the correct source, correct security group is attached to the instance.
VPC/subnet routing: traffic cannot flow between subnets or from a subnet to the internet. Check: route table for the subnet includes the correct routes (internet gateway route for public subnets, NAT gateway route for private subnets). Verify the internet gateway is attached to the VPC. Verify the NAT gateway has an elastic IP.
Network ACL issues (cloud): cloud NACLs are stateless and applied at the subnet level. Both inbound AND outbound rules must permit the traffic (unlike security groups). Check NACLs if security groups are correct but traffic still fails — NACLs may be blocking return traffic.
VPN to cloud: on-premises resources cannot reach cloud VPC. Check: VPN tunnel status (both Phase 1 and Phase 2), route propagation (cloud side must have routes to on-premises subnets and vice versa), security group rules on cloud instances must permit traffic from on-premises subnets.
Direct Connect / ExpressRoute: dedicated private circuit to cloud provider. If the circuit is up but traffic fails, check: BGP session status (the circuit uses BGP for route exchange), route filters (some providers require explicit route filters), VLAN configuration on the customer router.
DNS in cloud: VPC DNS resolver must be enabled for instances to resolve DNS. Hybrid environments need DNS forwarding rules: on-premises DNS forwards cloud domain queries to the cloud resolver; cloud DNS forwards corporate domain queries to on-premises DNS. Missing DNS forwarding rules break name resolution in hybrid environments.
Cloud provider tools: VPC Flow Logs (AWS/Azure) capture metadata about traffic flowing through a VPC — source/destination IP, port, protocol, action (ACCEPT/REJECT). Essential for diagnosing security group and NACL issues. AWS Reachability Analyzer: tests the network path between two resources and shows where traffic is blocked. Azure Network Watcher: similar — connection troubleshoot, packet capture, topology view.
On-instance testing: SSH or RDP into a cloud instance and run the same diagnostic tools as on-premises — ping, traceroute, curl, netstat. The instance's perspective confirms whether traffic issues are inbound (reaching the instance) or outbound (from the instance).
Common misconception: cloud security groups and NACLs work the same way.
Security groups are stateful (return traffic is automatically allowed) and applied at the instance level. NACLs are stateless (both inbound and outbound rules are required for bidirectional traffic) and applied at the subnet level. A common error is configuring security groups correctly but forgetting the NACL rules for return traffic.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A cloud VM has its web server accessible on port 80 from the internet. After adding a NACL rule to deny inbound traffic from a suspicious IP range, HTTPS (port 443) stops working for all users even though no 443 rules were changed. What is the most likely cause?
Explanation: NACLs process rules in numerical order and stop at the first match. If the new deny rule (lower number) matches traffic before the existing permit rule for port 443, all 443 traffic is denied — even though 443 wasn't the intended target. Review NACL rule numbers: the new deny rule number must be higher than the permit rules for legitimate traffic, or the permit rules must be more specific.
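The two NACL behaviours this page relies on, first-match evaluation by rule number and statelessness, can be checked in a small model. This is an added example, not code from the page or from any cloud provider; the rule sets and IP addresses are constructed, and the `Rule`, `evaluate` and `https_allowed` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int       # NACL rules are evaluated in ascending number order
    protocol: str     # "tcp", "udp", "icmp", or "all"
    cidr: str         # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, proto, addr, port):
        if self.protocol not in ("all", proto):
            return False
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to

def evaluate(rules, proto, addr, port):
    """First match wins; the implicit '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, addr, port):
            return rule.number, rule.action
    return None, "deny"

def https_allowed(inbound, outbound, client_ip, client_port=51234):
    """Stateless check for one HTTPS connection: the request must pass the
    inbound rules on port 443 AND the reply must pass the outbound rules on
    the client's ephemeral port, because a NACL keeps no connection state."""
    _, in_act = evaluate(inbound, "tcp", client_ip, 443)
    _, out_act = evaluate(outbound, "tcp", client_ip, client_port)
    return in_act == "allow" and out_act == "allow"

# Constructed sample rule sets (not taken from any real account).
PERMIT_443 = Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")
DENY_RANGE_LOW = Rule(90, "all", "198.51.100.0/24", 0, 65535, "deny")
DENY_RANGE_HIGH = Rule(110, "all", "198.51.100.0/24", 0, 65535, "deny")
INBOUND_DENY_FIRST = [PERMIT_443, DENY_RANGE_LOW]
INBOUND_DENY_LAST = [PERMIT_443, DENY_RANGE_HIGH]
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

if __name__ == "__main__":
    print(evaluate(INBOUND_DENY_FIRST, "tcp", "198.51.100.7", 443))  # (90, 'deny')
    print(evaluate(INBOUND_DENY_LAST, "tcp", "198.51.100.7", 443))   # (100, 'allow'): deny never reached
    print(https_allowed(INBOUND_DENY_FIRST, OUTBOUND_NO_EPHEMERAL, "203.0.113.5"))    # False: reply blocked
    print(https_allowed(INBOUND_DENY_FIRST, OUTBOUND_WITH_EPHEMERAL, "203.0.113.5"))  # True
```

The returned rule number tells you which rule decided a packet, which is what to compare against the NACL's rule list when a change to one rule appears to affect unrelated traffic.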
VPC Flow Logs capture metadata about IP traffic flowing through network interfaces in a VPC — source IP, destination IP, source port, destination port, protocol, packet count, byte count, and most importantly the action (ACCEPT or REJECT). When a connection fails, enable Flow Logs and check whether traffic reaches the instance and what action was taken. REJECT entries identify the security group or NACL rule blocking the traffic. Flow Logs are stored in CloudWatch Logs or S3 and queried with Athena or CloudWatch Logs Insights.