AWS Network Tools CLI - A hierarchical CLI for AWS networking
AWS Network Shell provides a comprehensive CLI for managing AWS networking resources with a familiar Cisco IOS-style interface. Navigate through contexts (VPC, Transit Gateway, Firewall, etc.) and execute commands with hierarchical command structures.
# Install
pip install -e .
# Launch shell
aws-net-shell
# Or with AWS profile
aws-net-shell -p production
# Run automated workflows
aws-net-runner "show vpcs" "set vpc 1" "show subnets"
# Debug mode for troubleshooting
aws-net-runner --debug "show vpns" "set vpn 1" "show tunnels"
# Logs to: /tmp/aws_net_runner_debug_<timestamp>.logThe CLI uses a hierarchical command structure with 10 contexts and 100+ commands.
Explore and validate the command hierarchy:
# Show command tree
aws-net> show graph
# Show statistics
aws-net> show graph stats
Total nodes: 103
Total edges: 145
Contexts: 10
Command paths: 78
Implemented: 100%
# Validate all handlers exist
aws-net> show graph validate
β Graph is valid - all handlers implemented
# Export Mermaid diagram
aws-net> show graph mermaid
# Find path to specific command
aws-net> show graph parent find-prefix
Paths to 'find-prefix':
β find-prefix
Context: route-table
Path: show route-tables β set route-table 1 β find-prefixshow graph- Display command tree structureshow graph stats- Show command statisticsshow graph validate- Verify all handlers implementedshow graph mermaid- Generate Mermaid diagramshow graph parent <command>- Show navigation path to commandvalidate-graph- Run full validation checkexport-graph [filename]- Export to markdown file
Complete AWS Network Firewall inspection and management:
# List all firewalls
aws-net> show firewalls
# Enter firewall context
aws-net> set firewall 1
aws-net>fi:1>
# Show firewall overview with rule groups
aws-net>fi:1> show firewall
π₯ Network Firewall: prod-firewall-1
βββ ID: 12345678-1234-1234-1234-123456789abc
βββ Region: us-east-1
βββ VPC: vpc-0123456789abcdef0
βββ Subnets: subnet-0a1b2c3d4e5f67890, subnet-0f9e8d7c6b5a43210
Rule Groups
βββββ³βββββββββββββββββββββββ³ββββββββββββ³ββββββββ³βββββββββββ
β # β Name β Type β Rules β Capacity β
β‘ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β 1 β drop-remote-outbound β STATELESS β 2 β 2/2 β
β 2 β allow-domains β STATEFUL β 2 β 2/100 β
βββββ΄βββββββββββββββββββββββ΄ββββββββββββ΄ββββββββ΄βββββββββββ
# Show policy with rule groups
aws-net>fi:1> show policy
# Show rule groups (with selection index)
aws-net>fi:1> show rule-groups
# Enter rule group context
aws-net>fi:1> set rule-group 1
aws-net>fi:1>ru:1>
# Show detailed rules (STATELESS)
aws-net>fi:1>ru:1> show rule-group
βββββ³βββββββββββ³βββββββββββ³ββββββββββββ³βββββββββββββββ³ββββββββββββ³βββββββββββββββ³βββββββββββββ
β # β Priority β Actions β Sources β Destinations β Protocols β Source Ports β Dest Ports β
β‘βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β 1 β 1 β aws:drop β 0.0.0.0/0 β 0.0.0.0/0 β 6 β 22 β 22 β
β 2 β 2 β aws:drop β 0.0.0.0/0 β 0.0.0.0/0 β 27 β Any β Any β
βββββ΄βββββββββββ΄βββββββββββ΄ββββββββββββ΄βββββββββββββββ΄ββββββββββββ΄βββββββββββββββ΄βββββββββββββ
# Show detailed rules (STATEFUL with Suricata format)
aws-net>fi:1> set rule-group 2
aws-net>fi:1>ru:2> show rule-group
1. pass tcp any any <> $EXTERNAL_NET 443 (msg:"Allowing TCP in port 443"; flow:not_established; sid:892123; rev:1;)
2. pass tls any any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazon.com"; endswith; msg:"Allowing .amazon.com HTTPS requests"; sid:892125; rev:1;)- Contexts: firewall β rule-group (2-level hierarchy)
- Commands: show firewall, show rule-groups, show policy, set rule-group, show rule-group
- Display: Complete rule details including ports, protocols, actions, and Suricata rules
- Navigation: Index-based selection for easy context switching
Complete Site-to-Site VPN tunnel inspection and management:
# List all VPN connections
aws-net> show vpns
Site-to-Site VPN Connections
βββββ³βββββββββββββββββ³ββββββββββββββββββ³ββββββββββββ³ββββββββββ³ββββββββββββ
β # β Name β ID β State β Type β Region β
β‘ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ©
β 1 β corporate-vpn β vpn-0abcdef123β¦ β available β ipsec.1 β us-east-1 β
βββββ΄βββββββββββββββββ΄ββββββββββββββββββ΄ββββββββββββ΄ββββββββββ΄ββββββββββββ
# Enter VPN context
aws-net> set vpn 1
aws-net>vp:1>
# Show VPN overview with tunnel summary
aws-net>vp:1> show detail
VPN: corporate-vpn
βββββββββ³ββββββββββββββββββββββββ
β Field β Value β
β‘ββββββββββββββββββββββββββββββββ©
β id β vpn-0abcdef123456789a β
β state β available β
β type β ipsec.1 β
βββββββββ΄ββββββββββββββββββββββββ
Tunnels (2):
UP 203.0.113.10
UP 203.0.113.20
# Show detailed tunnel status
aws-net>vp:1> show tunnels
VPN Tunnels: corporate-vpn
ββββββββββββββββ³βββββββββ³βββββββββββββββββ³βββββββββ
β Outside IP β Status β Status Message β Routes β
β‘ββββββββββββββββββββββββββββββββββββββββββββββββββ©
β 203.0.113.10 β UP β 3 BGP ROUTES β 3 β
β 203.0.113.20 β UP β 3 BGP ROUTES β 3 β
ββββββββββββββββ΄βββββββββ΄βββββββββββββββββ΄βββββββββ- Context: vpn (1-level hierarchy)
- Commands: show detail, show tunnels
- Display: IPSec tunnel status with outside IPs, BGP route counts, status messages
- Status Colors: Green (UP), Red (DOWN) for immediate visual identification
- Data Source: AWS VgwTelemetry with tunnel health and BGP session information
aws_net_shell/
βββ src/
β βββ aws_network_tools/
β βββ cli.py # CLI entry point
β βββ core/ # Core functionality
β β βββ base.py # Base shell class
β β βββ graph.py # Command graph logic
β β βββ ip_resolver.py # IP address resolution
β β βββ spinner.py # Loading spinners
β β βββ renderer.py # Output rendering
β βββ models/ # Data models
β βββ modules/ # AWS service modules
β βββ shell/ # Shell implementation
β β βββ base.py # Base shell handlers
β β βββ graph.py # Graph command implementation
β β βββ handlers/ # Command handlers by context
β β βββ main.py # Main shell entry
β βββ traceroute/ # Traceroute functionality
βββ tests/ # Test suite
β βββ conftest.py # Pytest fixtures
β βββ test_shell.py # Shell tests
β βββ test_*.py # Unit tests
βββ docs/ # Documentation
β βββ command-hierarchy-split.md # Split command diagrams
β βββ command-hierarchy-flow.md # Context flow diagrams
β βββ README.md # This file
βββ README.md # Main documentation
βββ pyproject.toml # Project configuration
βββ quick_test.sh # Quick test script
# Clone repository
cd /Users/taylaand/code/personal/aws_net_shell
# Install dependencies
pip install -e .
# Run AWS network shell
aws-net-shell
# Or with specific profile
aws-net-shell -p production# Run all unit tests
pytest tests/
# Run with verbose output
pytest tests/ -v
# Quick test script
./quick_test.sh- Root commands: 42 commands
- Context commands: 35+ commands
- Total coverage: 77+ commands
- Contexts: 9 (global-network, vpc, transit-gateway, firewall, ec2-instance, elb, vpn, core-network, route-table)
aws-net> show vpcs
aws-net> show global-networks
aws-net> set vpc 1
aws-net> show detail# Enter VPC context
aws-net> set vpc 1
vpc> show subnets
vpc> show route-tables
vpc> exit
# Enter Transit Gateway context
aws-net> set transit-gateway 1
tgw> show attachments
tgw> show route-tables
tgw> exit# Trace between IPs
aws-net> trace 192.168.1.10 10.0.0.5
# Find IP address
aws-net> find_ip 10.1.32.100
# Find null routes
aws-net> find_null_routes# Scenario: ELBs haven't finished provisioning yet
aws-net> show elbs
No load balancers found
# Wait for provisioning, then refresh cache
aws-net> refresh elb
Refreshed elb cache
# Now re-fetch will get latest data
aws-net> show elbs
βββββ³ββββββββββββ³ββββββββββββββ³ββββββββββ
β # β Name β Type β State β
β‘ββββββββββββββββββββββββββββββββββββββββ©
β 1 β prod-alb β application β active β
βββββ΄ββββββββββββ΄ββββββββββββββ΄ββββββββββ
# Refresh current context data (when inside a context)
aws-net> set elb 1
elb:1> refresh
Refreshed elb cache
# Clear all caches
aws-net> refresh all
Cleared 5 cache entriesclear_cache- Clear all cached data permanentlyrefresh [target|all]- Refresh cached data selectivelyrefresh- Refresh current context (e.g., in ELB context, clears ELB cache)refresh elb- Clear and re-fetch ELB data on nextshow elbsrefresh vpcs- Clear and re-fetch VPC datarefresh all- Clear all caches globally
- Network Resources:
vpcs,transit_gateways,firewalls,elbs,vpns - Compute:
ec2-instances,enis - Connectivity:
dx-connections,peering-connections - Security:
security-groups,rule-groups,unused-sgs - DNS:
resolver-endpoints,resolver-rules - Monitoring:
network-alarms,alarms-critical - Global:
global-networks,global-accelerators - System:
config,cache,routing-cache
vpc,transit-gateway,global-network,core-networkfirewall,ec2-instance,elb,vpn
write <file>,trace <src> <dst>,find_ip <ip>find_prefix <cidr>,find_null_routesreachability,populate_cache,clear_cachecreate-routing-cache,export_graph
Purpose: Pre-fetch ALL topology data across all modules for comprehensive analysis
What it caches:
- VPCs, subnets, route tables, security groups, NACLs
- Transit Gateways, attachments, peerings, route tables
- Cloud WAN (global networks, core networks, segments, attachments)
- EC2 instances, ENIs
- ELBs, listeners, target groups
- VPNs, Direct Connect connections, Firewalls
- All discoverable resources across all regions
Use Case: Warm cache before comprehensive analysis or demos Duration: 30-60 seconds depending on account size
aws-net> populate_cache
Populating topology cache...
β Discovering VPCs...
β Discovering Transit Gateways...
β Discovering Cloud WAN...
β Discovering EC2 instances...
Cache populatedPurpose: Build specialized cache of ONLY routing data for fast route lookups and analysis
What it caches:
- VPC route table entries (all route tables across all VPCs)
- Transit Gateway route table entries (all TGW route tables)
- Cloud WAN route table entries (by core network, segment, and region)
Enables Commands:
find_prefix <cidr>- Find which route tables contain a prefixfind_null_routes- Find blackhole/null routes across all routing domainsshow routing-cache <filter>- View cached routes with filtering
Use Case: Fast routing troubleshooting and analysis without fetching data Duration: 10-20 seconds
aws-net> create_routing_cache
Building routing cache...
VPC routes: 373
Transit Gateway routes: 50
Cloud WAN routes: 300View Cached Routes:
# Summary
aws-net> show routing-cache
# Detailed views
aws-net> show routing-cache vpc # All VPC route table entries
aws-net> show routing-cache transit-gateway # All Transit Gateway routes
aws-net> show routing-cache cloud-wan # All Cloud WAN routes (by segment/region)
aws-net> show routing-cache all # Everything (comprehensive view)| Feature | populate_cache | create_routing_cache |
|---|---|---|
| Scope | Everything | Routes only |
| Purpose | General topology | Routing analysis |
| Speed | Slower (30-60s) | Faster (10-20s) |
| Data | All resources | Route tables only |
| Enables | All show commands | find_prefix, routing-cache commands |
| When to use | Before exploration/demos | Before routing troubleshooting |
Recommendation:
- Use
populate_cachefor general exploration and comprehensive analysis - Use
create_routing_cachespecifically for routing troubleshooting and prefix searches
Default configuration in pyproject.toml:
- Timeout: 120 seconds per command
- Regions: All enabled regions
- Cache: Enabled by default
- Output: Rich formatted tables
- Add handler in
src/aws_network_tools/shell/handlers/ - Update
HIERARCHYdict insrc/aws_network_tools/shell/base.py - Run tests:
pytest tests/
# Run all tests
pytest tests/ -vCore dependencies:
- boto3: AWS SDK
- rich: Terminal formatting
- cmd2: Shell framework
- pytest: Testing framework
See pyproject.toml for full dependency list.
MIT License - see LICENSE file for details
- Fork the repository
- Create a feature branch
- Add comprehensive tests
- Submit a pull request
- β VPN tunnel inspection: show tunnels displays VgwTelemetry data with UP/DOWN status
- β VPN detail view: show detail includes tunnel summary with outside IPs and BGP routes
- β Debug logging: aws-net-runner --debug flag with comprehensive logging to /tmp/
- β Network Firewall enhancements: rule-group context with detailed rule inspection
- β Enhanced firewall commands: show firewall, show rule-groups with indexes
- β STATELESS rules: Complete display with ports, protocols, actions
- β STATEFUL rules: Suricata rule format display
- β Graph commands: stats, validate, mermaid, parent path lookup
- β Persistent routing cache with SQLite (save/load commands)
- β Enhanced routing cache display: vpc, transit-gateway, cloud-wan filters
- β Terminal width detection for proper Rich table rendering
- β aws-net-runner tool for programmatic shell execution
- β ELB commands implementation (listeners, targets, health)
- β VPN context commands (detail, tunnels)
- β Firewall policy command
- β Core-network commands registration fix
- β Direct resource selection without show command
- β Automated issue resolution workflow
- β Consolidated CLI to aws-net-shell only
- β Multi-level context prompt fix
- β Comprehensive testing framework with pexpect integration
- β Graph-based command testing
- β Comprehensive command graph with context navigation
- β Dynamic command discovery (78+ commands)
- β Command graph Mermaid diagrams
- β Test coverage: 77+ commands