aws-network-ops

$npx mdskill add automateyournetwork/netclaw/aws-network-ops

Analyzes and troubleshoots AWS cloud networking configurations

  • Audits VPCs, checks Transit Gateway routes, and investigates connectivity issues
  • Uses AWS APIs for VPC, Transit Gateway, Cloud WAN, and Network Firewall
  • Leverages flow logs, route tables, and ENI metadata to trace network paths
  • Returns structured data and actionable insights via read-only operations

SKILL.md

.github/skills/aws-network-opsView on GitHub ↗
---
name: aws-network-ops
description: "AWS cloud networking — VPC, Transit Gateway, Cloud WAN, VPN, Network Firewall, ENI, flow logs. Use when auditing AWS VPCs, troubleshooting connectivity between EC2 instances, checking Transit Gateway routes, or investigating VPN tunnel status."
version: 1.0.0
license: Apache-2.0
tags: [aws, vpc, transit-gateway, cloud-wan, vpn, network-firewall, flow-logs]

netshell:
  mcp_tools:
    - mcp: aws-network-mcp
      tools:
        - get_path_trace_methodology
        - find_ip_address
        - get_eni_details
        - list_vpcs
        - get_vpc_details
        - get_vpc_route_tables
        - list_subnets
        - get_subnet_details
        - list_transit_gateways
        - get_transit_gateway_details
        - get_transit_gateway_route_tables
        - list_vpn_connections
        - get_vpn_connection_details
        - get_network_firewall_details
        - list_flow_logs
---

# AWS Network Operations

## MCP Server

- **Command**: `uvx awslabs.aws-network-mcp-server@latest` (stdio transport)
- **Requires**: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` (or `AWS_PROFILE`)
- **Read-only**: All operations are Describe/Get/List — no create/modify/delete

## Available Tools (27)

### General (3)

| Tool | What It Does |
|------|-------------|
| `get_path_trace_methodology` | Guidance for tracing network paths across AWS resources |
| `find_ip_address` | Find which VPC/subnet/ENI an IP address belongs to |
| `get_eni_details` | Get Elastic Network Interface details — security groups, subnet, routes |

### VPC (3)

| Tool | What It Does |
|------|-------------|
| `list_vpcs` | List all VPCs in the account/region |
| `get_vpc_network_details` | Full VPC details — subnets, route tables, IGW, NAT GW, endpoints, NACLs |
| `get_vpc_flow_logs` | Query VPC flow logs for traffic analysis |

### Transit Gateway (7)

| Tool | What It Does |
|------|-------------|
| `list_transit_gateways` | List all Transit Gateways |
| `get_tgw_details` | Transit Gateway details — attachments, route tables, associations |
| `get_tgw_routes` | Get routes from a specific TGW route table |
| `get_all_tgw_routes` | Get routes from all TGW route tables |
| `get_tgw_flow_logs` | Query Transit Gateway flow logs |
| `list_tgw_peerings` | List TGW peering connections |
| `detect_tgw_inspection` | Detect if traffic inspection is configured on a TGW |

### Cloud WAN (10)

| Tool | What It Does |
|------|-------------|
| `list_core_networks` | List all Cloud WAN core networks |
| `get_cloudwan_details` | Core network details — segments, policies, attachments |
| `get_cloudwan_routes` | Get routes from a Cloud WAN segment |
| `get_all_cloudwan_routes` | Get routes from all Cloud WAN segments |
| `get_cloudwan_attachment_details` | Details for a specific Cloud WAN attachment |
| `detect_cloudwan_inspection` | Detect inspection configuration on Cloud WAN |
| `list_cloudwan_peerings` | List Cloud WAN peering connections |
| `get_cloudwan_peering_details` | Details for a specific Cloud WAN peering |
| `get_cloudwan_logs` | Query Cloud WAN logs |
| `simulate_cloud_wan_route_change` | Simulate a route change and predict impact |

### VPN (1)

| Tool | What It Does |
|------|-------------|
| `list_vpn_connections` | List all site-to-site VPN connections with tunnel status |

### Network Firewall (3)

| Tool | What It Does |
|------|-------------|
| `list_network_firewalls` | List all AWS Network Firewalls |
| `get_firewall_rules` | Get firewall rule groups and policies |
| `get_network_firewall_flow_logs` | Query Network Firewall flow logs |

## Workflow: VPC Network Audit

When a user asks "show me our AWS network" or "audit the VPCs":

1. **List VPCs**: `list_vpcs` to see all VPCs in the region
2. **For each VPC**: `get_vpc_network_details` — subnets, route tables, gateways, NACLs
3. **Check TGW**: `list_transit_gateways` to see cross-VPC connectivity
4. **Check VPN**: `list_vpn_connections` for hybrid connectivity
5. **Check firewalls**: `list_network_firewalls` for security posture
6. **Report**: Formatted summary of the cloud network architecture

## Workflow: Troubleshoot Connectivity

When a user asks "why can't EC2 instance X reach Y?":

1. **Find the IPs**: `find_ip_address` for both source and destination
2. **Get ENI details**: `get_eni_details` to check security groups, subnet, routes
3. **Check route tables**: `get_vpc_network_details` to see routing
4. **Check flow logs**: `get_vpc_flow_logs` to see if traffic is being dropped
5. **Check firewalls**: `get_firewall_rules` if traffic crosses a Network Firewall
6. **Check TGW**: `get_tgw_routes` if traffic crosses Transit Gateway
7. **Report**: Root cause analysis with fix recommendation

## Workflow: Transit Gateway Health

When checking multi-VPC connectivity:

1. **List TGWs**: `list_transit_gateways`
2. **Get details**: `get_tgw_details` for attachments and route tables
3. **Check routes**: `get_all_tgw_routes` for route table completeness
4. **Check peerings**: `list_tgw_peerings` for cross-region/cross-account
5. **Check inspection**: `detect_tgw_inspection` for security posture
6. **Flow logs**: `get_tgw_flow_logs` for traffic analysis

## Workflow: VPN Tunnel Monitoring

When checking hybrid connectivity:

1. **List VPNs**: `list_vpn_connections`
2. **Check tunnel status**: Up/Down for each tunnel (redundancy check)
3. **Check routes**: TGW or VGW routes for the VPN prefixes
4. **Flow logs**: VPC flow logs for traffic across VPN
5. **Report**: VPN health summary with any down tunnels flagged

## Important Rules

- **Read-only** — this MCP cannot create, modify, or delete any AWS resources
- **Region-specific** — results are scoped to the configured AWS_REGION
- **IAM permissions required** — EC2 Describe, Network Manager, Network Firewall Describe, CloudWatch Logs
- **Record in GAIT** — log all AWS network investigations for audit trail

## Environment Variables

- `AWS_ACCESS_KEY_ID` — AWS access key
- `AWS_SECRET_ACCESS_KEY` — AWS secret key
- `AWS_REGION` — AWS region (e.g., us-east-1)
- Or `AWS_PROFILE` — Named AWS CLI profile

More from automateyournetwork/netclaw

SkillDescription
aap-automationRed Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles.
aap-edaEvent-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks.
aap-lintansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment.
aci-change-deploySafe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection.
aci-fabric-auditComprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC.
arista-cvpArista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP.
aruba-cx-configView and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations
aruba-cx-interfacesMonitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health
aruba-cx-switchingView and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations
aruba-cx-systemDiscover Aruba CX switch system information, firmware versions, and VSF topology