Insight groups and types

This page describes Network Analyzer insight groups and their corresponding insight types.

The results from Network Analyzer analyses are known as insights. An insight can include one of the following outcomes from an analysis:

  • A network failure, such as a service connectivity blockage caused by configuration issues.
  • A suboptimal configuration, such as reserved but unassigned IP addresses, or dynamic routes that overlap with static or subnet routes.
  • A preventive warning, such as IP utilization above 75 percent for a subnet range.
  • A summary of status, such as the list of reserved but unallocated IP addresses distributed by region or service projects.

Supported insight types

In addition to the Network Analyzer pages, insights are published as the following insight types:

Each of the following sections provides links to the Network Analyzer insight types. Each section also includes a table that shows the supported Recommender insight type and subtypes and the Cloud Logging insight types.

VPC network insights

VPC network insights cover basic VPC network setup and configuration issues, such as issues with IP addresses, routes, firewall rules, VPC Network Peering, and Shared VPC.

Routes with an invalid next hop

For details about this insight type, see Insights about routes with an invalid next hop.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.vpcnetwork.connectivityInsight
  • ROUTE_NEXT_HOP_VM_IP_FORWARDING_DISABLED
  • ROUTE_NEXT_HOP_VM_STOPPED
  • ROUTE_NEXT_HOP_VM_DELETED
  • ROUTE_NEXT_HOP_ILB_MISCONFIGURED
  • ROUTE_NEXT_HOP_ILB_BACKEND_IP_FORWARDING_DISABLED
  • ROUTE_NEXT_HOP_VPN_TUNNEL_DELETED

Cloud Logging insight types:

  • ROUTE_INVALID_NEXT_HOP_VM_IP_FORWARDING_DISABLED
  • ROUTE_INVALID_NEXT_HOP_VM_DELETED
  • ROUTE_INVALID_NEXT_HOP_VM_STOPPED
  • ROUTE_INVALID_NEXT_HOP_ILB_MISCONFIGURED
  • ROUTE_INVALID_NEXT_HOP_VPN_TUNNEL_DELETED
  • ROUTE_INVALID_NEXT_HOP_ILB_BACKEND_IP_FORWARDING_DISABLED

IP addresses

For details about this insight type, see the following:

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.vpcnetwork.ipAddressInsight
  • PRIMARY_IP_RANGE_UTILIZATION_HIGH
  • SECONDARY_IP_RANGE_UTILIZATION_HIGH
  • EXTERNAL_IP_UNASSIGNED
  • IP_UTILIZATION_SUMMARY
  • PSA_IP_UTILIZATION_SUMMARY

Cloud Logging insight types:

  • IP_UTILIZATION_IP_ALLOCATION_RATIO_HIGH
  • IP_UTILIZATION_IP_ALLOCATION_SUMMARY

Network services insights

Network services insights cover issues that you might encounter when using load balancers, such as issues with health checks, firewall rules, and backend services.

Load balancer

For details about this insight type, see Load balancer insights.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.networkservices.loadBalancerInsight
  • HEALTH_CHECK_FIREWALL_NOT_CONFIGURED
  • HEALTH_CHECK_FIREWALL_FULLY_BLOCKING
  • HEALTH_CHECK_FIREWALL_PARTIALLY_BLOCKING
  • HEALTH_CHECK_FIREWALL_INCONSISTENT
  • HEALTH_CHECK_PORT_MISMATCH
  • BALANCING_MODE_BREAKS_SESSION_AFFINITY

Cloud Logging insight types:

  • LOAD_BALANCER_HEALTH_CHECK_FIREWALL_HEALTH_CHECK_FIREWALL_NOT_CONFIGURED
  • LOAD_BALANCER_HEALTH_CHECK_FIREWALL_HEALTH_CHECK_RANGE_BLOCKED
  • LOAD_BALANCER_HEALTH_CHECK_FIREWALL_FIREWALL_CONFIG_INCONSISTENT
  • LOAD_BALANCER_HEALTH_CHECK_FIREWALL_HEALTH_CHECK_RANGE_PARTIALLY_BLOCKED
  • LOAD_BALANCER_BEST_PRACTICES_BACKEND_SERVICE_BALANCING_MODE_BREAKS_SESSION_AFFINITY
  • LOAD_BALANCER_BEST_PRACTICES_BACKEND_SERVICE_HEALTH_CHECK_PORT_MISMATCH

Hybrid connectivity insights

Hybrid connectivity insights cover issues related to hybrid connectivity for Cloud VPN, Cloud Interconnect, Cloud Router, BGP peering, dynamic routes, and Network Connectivity Center.

Shadowed dynamic routes

For details about this insight type, see Shadowed dynamic route insights.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.hybridconnectivity.dynamicRouteInsight
  • DYNAMIC_ROUTE_FULLY_SHADOWED
  • DYNAMIC_ROUTE_PARTIALLY_SHADOWED
  • PEERING_DYNAMIC_ROUTE_FULLY_SHADOWED
  • PEERING_DYNAMIC_ROUTE_PARTIALLY_SHADOWED

Cloud Logging insight types:

  • DYNAMIC_ROUTE_SHADOWED_FULLY_SHADOWED_BY_SUBNET_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_FULLY_SHADOWED_BY_PEERING_SUBNET_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_FULLY_SHADOWED_BY_STATIC_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_FULLY_SHADOWED_BY_PEERING_STATIC_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_PARTIALLY_SHADOWED_BY_SUBNET_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_PARTIALLY_SHADOWED_BY_PEERING_SUBNET_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_PARTIALLY_SHADOWED_BY_STATIC_ROUTE
  • DYNAMIC_ROUTE_SHADOWED_PARTIALLY_SHADOWED_BY_PEERING_STATIC_ROUTE

GKE insights

Google Kubernetes Engine (GKE) insights cover networking issues that can impact the operation and connectivity for GKE. Network Analyzer detects bidirectional connectivity issues caused by configurations when a connection is initiated between a GKE node and a GKE control plane. Network Analyzer also analyzes the IP utilization of GKE pods and runs a variety of checks for best practices for GKE clusters.

GKE connectivity

For details about this insight type, see the following:

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.container.connectivityInsight
  • NODE_TO_CONTROL_PLANE_BLOCKED_BY_ROUTING_ISSUE
  • NODE_TO_CONTROL_PLANE_BLOCKED_BY_EGRESS_FIREWALL
  • CONTROL_PLANE_TO_NODE_BLOCKED_BY_ROUTING_ISSUE
  • CONTROL_PLANE_TO_NODE_BLOCKED_BY_INGRESS_FIREWALL
  • CONTROL_PLANE_UNABLE_TO_ACCESS_CUSTOM_ROUTES
  • NEED_EXTENDED_AUTHORIZED_RANGE
  • PRIVATE_GOOGLE_ACCESS_DISABLED
  • MISSING_ROUTES_TO_GOOGLE_APIS_AND_SERVICES
google.networkanalyzer.container.serviceAccountInsight
  • NODE_SERVICE_ACCOUNT_DISABLED
  • NODE_SERVICE_ACCOUNT_IS_COMPUTE_ENGINE_DEFAULT
  • NODE_POOL_INSUFFICIENT_OAUTH_SCOPES

Cloud Logging insight types:

  • GKE_NODE_TO_CONTROL_PLANE_BLOCKED_BY_ROUTING_ISSUE
  • GKE_NODE_TO_CONTROL_PLANE_PUBLIC_ENDPOINT_BLOCKED_BY_EGRESS_FIREWALL
  • GKE_NODE_TO_CONTROL_PLANE_PRIVATE_ENDPOINT_BLOCKED_BY_EGRESS_FIREWALL
  • GKE_CONTROL_PLANE_TO_NODE_BLOCKED_BY_ROUTING_ISSUE
  • GKE_CONTROL_PLANE_TO_NODE_BLOCKED_BY_INGRESS_FIREWALL_ON_NODE

GKE IP address utilization

For details about this insight type, see GKE IP address utilization insights.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.container.ipAddressInsight
  • POD_RANGES_ALLOCATION_RATIO_HIGH
  • POD_RANGES_ALLOCATION_RATIO_LIMITS_AUTOSCALING

Cloud Logging insight types:

  • GKE_IP_UTILIZATION_POD_RANGES_ALLOCATION_HIGH
  • GKE_IP_UTILIZATION_POD_RANGES_ALLOCATION_LIMITS_AUTOSCALING

GKE service accounts

For details about this insight type, see GKE node service account insights.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.container.serviceAccountInsight
  • NODE_SERVICE_ACCOUNT_DISABLED
  • NODE_SERVICE_ACCOUNT_IS_COMPUTE_ENGINE_DEFAULT
  • NODE_SERVICE_ACCOUNT_INSUFFICIENT_OAUTH_SCOPES

Cloud Logging insight types:

  • GKE_NODE_SERVICE_ACCOUNT_SERVICE_ACCOUNT_DISABLED
  • GKE_NODE_SERVICE_ACCOUNT_DEFAULT_SERVICE_ACCOUNT_USED
  • GKE_NODE_SERVICE_ACCOUNT_BAD_OAUTH_SCOPES

Managed services insights

Managed services insights cover connectivity issues with Google managed services. You can use Google managed services to set up your applications by abstracting the details of underlying networking configurations. In such managed environments, configuration changes, such as changes to firewall rules and routes, can break the managed services. This can happen when the connection is from Google Cloud to Google Cloud or from on-premises to Google Cloud.

Network Analyzer supports detecting connectivity issues from an IP address in the same network and region to Cloud SQL instances with a private IP address.

Cloud SQL connectivity

For details about this insight type, see Cloud SQL connectivity insights.

For the related Recommender and Cloud Logging insight types, see the following table.

Recommender insight type and subtypes:

google.networkanalyzer.managedservices.cloudSqlInsight
  • BLOCKED_BY_EGRESS_FIREWALL
  • BLOCKED_BY_ROUTING_ISSUE
  • INSTANCE_NOT_RUNNING

Cloud Logging insight types:

  • CLOUD_SQL_PRIVATE_IP_BLOCKED_BY_EGRESS_FIREWALL
  • CLOUD_SQL_PRIVATE_IP_BLOCKED_BY_ROUTING_ISSUE
  • CLOUD_SQL_PRIVATE_IP_INSTANCE_NOT_RUNNING