
Releases: np-guard/vpc-network-config-analyzer

v0.7.0

21 Nov 14:25
757cfa1

What's Changed

  • Properly modelling IBM Cloud's service-network by @olasaadi99 in #896
  • Support segments in "synthesis" output format by @olasaadi99 in #870
  • Diagrams to show CIDR when endpoints can be represented using a single CIDR by @ShiriMoran in #895
  • Fixing inconsistencies in diagrams with overlapping CIDRs by @ShiriMoran in #908
  • Fixed divide by zero bug + do not bypass small intervals by @haim-kermany in #900
  • Fix two small inaccuracies in lint README by @zivnevo in #890
  • Better integrate lint in overall tool flow by @ShiriMoran in #891
  • Refactoring testing mechanisms by @ShiriMoran in #875 and in #882
  • Tests for linting AWS VPCs by @ShiriMoran in #884
  • Added a diff test focused on non-trivial manipulations on the ports by @ShiriMoran in #880
  • Bump github.com/np-guard/models from 0.4.0 to 0.5.2 by @olasaadi99 in #915
  • Bump github.com/IBM/vpc-go-sdk from 0.57.0 to 0.63.1 by @dependabot in #925
  • Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.163.0 to 1.192.0 by @dependabot in #926
  • Bump github.com/np-guard/cloud-resource-collector from 0.16.0 to 0.17.0 by @dependabot in #927

Full Changelog: v0.6.1...v0.7.0

v0.6.1

18 Sep 06:56
1b8d5e2

What's Changed

  • Explainability: subnet name can now be used for specifying source or destination (with the --src and --dst flags) by @ShiriMoran in #858
  • Explainability: report when a Network ACL or a Security Group only partially allows the queried traffic pattern by @ShiriMoran in #868
  • Explainability: improve reporting in cases where connectivity is blocked, partly at ingress and partly at egress by @ShiriMoran in #872
  • HTML diagrams: now always showing an icon for the entire public internet. By selecting this icon, one can obtain a detailed explanation for why a VPC endpoint is not connected to the internet. The Public Internet frame can now also be selected. By @haim-kermany in #857
  • Bug fix: connections to public internet may mistakenly be routed through a transit gateway in diagrams by @haim-kermany in #873
  • Bump github.com/IBM/vpc-go-sdk from 0.56.0 to 0.57.0 by @dependabot in #834

Full Changelog: v0.6.0...v0.6.1

v0.6.0

09 Sep 12:25
f05d416

What's Changed

  • A new sub-command, vpcanalyzer lint, provides various best-practice checks. See more details here. Work by @ShiriMoran, @haim-kermany and @kyorav.
  • Initial support for analyzing connectivity in AWS VPCs. In the command-line, specify the --provider aws flag, or otherwise use an AWS configuration file from cloud-resource-collector. See the list of currently supported resources. Work by @olasaadi99, @haim-kermany, @kyorav, @ShiriMoran, @adisos and @zivnevo.
  • Basic support for Virtual Network Interfaces (VNIs) in IBM Cloud. Protocol state filtering is currently ignored. Work by @haim-kermany.
  • A new output format, synthesis, allows using connectivity reports as the input for vpc-network-config-synthesis by @olasaadi99 in #688
  • vpcanalyzer explain has a new flag --detail which provides a more detailed connectivity explanation. The debug output format, which was previously used for this purpose, is no longer available. Work by @haim-kermany in #714
  • The --vpc flag can now be specified multiple times in the command-line. This allows filtering results to only include a subset of VPCs by @olasaadi99 in #827
  • Unifying TCP and non-TCP edges in diagrams into one edge by @haim-kermany in #760
  • Improved printing of Security Group rules and Network ACL rules (in lint and in explain) by @ShiriMoran in #802, in #826 and in #856
  • vpcanalyzer explain to show full analysis also when a gateway/router is missing by @ShiriMoran in #854
  • Specifying an output file in the command-line suppresses output to stdout by @zivnevo in #791
  • Various improvements to how a connection path is printed in vpcanalyzer explain by @ShiriMoran
  • Various improvements to documentation by @adisos , @ShiriMoran and @zivnevo
  • Bug fix - Connectivity to/from Floating IPs should be affected by Network ACL rules by @ShiriMoran in #777
  • Bug fix - Routers are ignored in diagrams in non-grouping mode by @haim-kermany in #719
  • Bug fix - Diagrams show a connection source/destination that is not attached to a square/icon by @haim-kermany in #727
  • Bug fix - Diagrams do not show connections to public internet as routed through public gateways by @haim-kermany in #741
  • Bug fix - In vpcanalyzer explain the case of two SGs of which only one enables a connection is now correctly handled by @ShiriMoran in #768
  • Bug fix - Load-balancer should not block TCP response by @haim-kermany in #788
  • Bump github.com/np-guard/cloud-resource-collector from 0.12.0 to 0.14.0 by @dependabot in #709

Full Changelog: v0.5.2...v0.6.0

v0.5.2

18 Jul 12:23
8850775

What's Changed

  • Some command-line flags renaming
    • --vpc-config changed to --config
    • --format changed to --output
    • --output-file changed to --filename and a shortcut -f flag was added
      by @adisos in #694
  • Updated README to reflect new report routing command by @adisos in #681
  • Improvements to the output of explain by @ShiriMoran and @haim-kermany in #697, in #691 and in #687
  • Bug fix for #702 - crash with an empty Transit Gateway connection - by @adisos in #703
  • Bug fix for #701 - error with security groups referring to empty security groups - by @adisos in #704
  • Bump github.com/IBM/vpc-go-sdk from 0.53.0 to 0.54.0 by @dependabot in #684

Full Changelog: v0.5.1...v0.5.2

v0.5.1

08 Jul 13:08
77a45e3

What's Changed

  • A new vpcanalyzer report routing command shows how packets are routed from source to destination. The flags --src and --dst allow focusing on a specific source and destination. By @adisos
  • explain command now also explains why the return path for TCP packets is allowed or denied by @ShiriMoran in #627
  • explain command now also explains the connectivity to/from a load balancer. Use the load-balancer name in either the --src or the --dst flag by @haim-kermany in #671
  • Load-balancer connectivity is also explained in HTML-based connectivity graphs by @haim-kermany in #631
  • --debug flag is no longer available. Use --verbose instead by @haim-kermany in #659
  • Connectivity analysis for load-balancers no longer relies on the specific allocation of load-balancer private IPs by @haim-kermany in #619
  • Analyze config files based on provider from config input (preparing for analyzing AWS VPC configs) by @olasaadi99 in #622
  • Unified parser warnings by @adisos in #649
  • Improved wording in explain command output by @ShiriMoran in #667
  • Simplified connectivity reports with blocked TCP responses by @ShiriMoran in #670 and in #642
  • Simplified diff reports with blocked TCP responses by @ShiriMoran in #650
  • Refactored analysis of TCP connections with or without response by @ShiriMoran in #606
  • Bug fix: edges have too many bypass points by @haim-kermany in #652
  • Bump github.com/np-guard/cloud-resource-collector from 0.10.2 to v0.12.0 by @zivnevo in #669
  • Bump github.com/IBM/networking-go-sdk from 0.46.1 to 0.47.1 by @dependabot in #646
  • Bump github.com/IBM/vpc-go-sdk from 0.51.0 to 0.53.0 by @dependabot in #664

Full Changelog: v0.5.0...v0.5.1

v0.5.0

06 Jun 14:21
bcaf5ec

What's Changed

Full Changelog: v0.4.0...v0.5.0

v0.4.0

30 Apr 14:04
175f53a

Changes from v0.3.0

  • New output formats for connectivity reports: svg and html. The html format also has several interactive features when clicking graph elements: double clicking an element hides all unrelated elements. Clicking a source endpoint and then a destination endpoint provides detailed information about the connectivity between the two.
  • Regions are now drawn in all connectivity diagrams.
  • Support for multiple config objects: the vpc-config flag can be specified multiple times with different configs (possibly from different accounts).
  • The -dump-resources flag allows storing resources collected directly from the cloud provider (not through the collector).
  • Allow using -resource-group and -region flags to filter resources specified with -vpc-config.
  • In the explain analysis-type, the routing path between the source and destination endpoints is now printed.
  • The explain analysis-type now supports multiple VPCs, IKS nodes and transit gateways.
  • Improved logging with various verbosity levels. Use the -quiet and -verbose flags to get less or more informative messages respectively.
  • Better identifying security groups for IKS nodes.
  • Bump github.com/IBM/networking-go-sdk from 0.44.0 to 0.46.1
  • Bump github.com/IBM/vpc-go-sdk from 0.48.0 to 0.50.0

Full Changelog: v0.3.0...v0.4.0

v0.4.0-rc.1

11 Apr 09:44
6109095
Pre-release

Changes from v0.3.0

  • New output formats for connectivity reports: svg and html. The html format also has several interactive features when clicking endpoints in the graph.
  • Regions are now drawn in all connectivity diagrams.
  • Diagrams now show shortened text labels. The full text is available as a tool-tip when hovering over an entity.
  • Support for multiple config objects: the vpc-config flag can be specified multiple times with different configs (possibly from different accounts).
  • The -dump-resources flag allows storing resources collected directly from the cloud provider (not through the collector).
  • Allow using -resource-group and -region flags to filter resources specified with -vpc-config.
  • In the explain analysis-type, the routing path between the source and destination endpoints is now printed.
  • The explain analysis-type now supports multiple VPCs and transit gateways.
  • Initial support for ALBs.
  • Improved logging with various verbosity levels. Use the -quiet and -verbose flags to get less or more informative messages respectively.
  • Better identifying security groups for IKS nodes.
  • Bump github.com/IBM/networking-go-sdk from 0.44.0 to 0.45.0
  • Bump github.com/IBM/vpc-go-sdk from 0.48.0 to 0.50.0

Full Changelog: v0.3.0...v0.4.0-rc.1

v0.3.0

22 Feb 14:22
71221aa

Changes from v0.2.1:

  • Now showing cross-VPC connectivity, as implied by transit gateways. Transit gateways and their connections are also shown in drawio diagrams.
  • Diffing: A new mode allows comparing connectivity in two sets of resource configuration. This can be used, for example, for comparing the current VPC connectivity with a previous state. The result is given in terms of added/removed/modified connections. In the command-line, specify -analysis-type diff_all_endpoints or -analysis-type diff_all_subnets, and provide a second configuration to compare against, using the -vpc-config-second flag.
  • Explainability: A new mode provides explanation for why a given connection is allowed or denied, given source and destination endpoints. In the command-line, specify -analysis-type explain as well as -src <IP, CIDR or endpoint name> and -dst <IP, CIDR or endpoint name>. Optionally, provide -protocol <protocol name>, either with or without any of -src-min-port <port number>, -src-max-port <port number>, -dst-min-port <port number> and -dst-max-port <port number>.
  • Resources can be collected directly by the analyzer, without running the collector first. In the command-line, instead of specifying -vpc-config, specify -provider <cloud provider>. Currently ibm is the only supported cloud provider. Optionally, specify -region <region> and -resource-group <resource group or id> to filter resources by region or resource group.
  • Support for subnet grouping in drawio diagrams.
  • Support for md format in the all_subnets analysis type.
  • Tool version can be obtained by running vpcanalyzer -version.
  • Improved headers in connectivity reports.
  • Fixed #359: Message about unidirectional connectivity is only relevant to TCP connections.
  • Fixed #292: Duplicate message about unidirectional connectivity.
  • Bump github.com/IBM/vpc-go-sdk from 0.43.0 to 0.48.0.

v0.2.1

09 Nov 15:09
c45d49a

Changes from v0.2.0:

  • Ignore floating IPs with no/unsupported targets