Elastic Compute Service (ECS) Network Connectivity Diagnostics is a feature provided by ECS to diagnose the network connectivity between diagnostic objects within a virtual private cloud (VPC). The diagnostic objects can be instances or elastic network interfaces (ENIs). You can use this feature to check network connectivity and identify the causes of network connectivity issues. This topic describes the ECS Network Connectivity Diagnostics feature and how to use it.

Prerequisites

Make sure that the following requirements are met:
  • The instances that you want to use as diagnostic objects are in the Running state.
  • The Cloud Assistant client is installed on the instances. For more information, see Install the Cloud Assistant client.
  • If you want to use secondary ENIs as diagnostic objects, make sure that the ENIs are bound to instances. For more information, see Bind an ENI.

Background information

Perform the following steps to use the ECS Network Connectivity Diagnostics feature:
  1. Specify a path.

    Each path includes all information required to execute a diagnostic task, such as a VPC and diagnostic objects (instances or ENIs). You can create or clone a path. For more information, see Create a path and Clone a path.

  2. Initiate a diagnostic task.

    A diagnostic task is a diagnosis performed to check the real-time network connectivity between the source and destination diagnostic objects configured in a path. After a path is created or cloned, the system immediately initiates a diagnostic task for the path. You can also manually initiate a diagnostic task for an existing path. For more information, see Diagnose a path.

    During diagnostic tasks, the ECS Network Connectivity Diagnostics feature checks the network configurations of instances, configurations of ENIs, access control settings of security groups, and access control settings of vSwitches.

  3. View diagnostic results.

    In the diagnostic task list, you can view the results and details of diagnostic tasks. For more information, see Manage diagnostic tasks.

    Note The ECS Network Connectivity Diagnostics feature is used as an auxiliary tool to provide insight into critical network connectivity configurations, but its diagnostic results cannot fully reflect whether communication over networks is allowed or denied.

When you create a path and initiate a diagnostic task, the system checks whether the AliyunServiceRoleForECSNetworkInsights service-linked role exists. If the role does not exist, the system creates the role. For more information, see Manage the service-linked role for ECS Network Connectivity Diagnostics.

The following limits apply to the ECS Network Connectivity Diagnostics feature:
  • This feature is applicable only to VPCs.
    Note The diagnostic objects configured in a single path must belong to the same VPC.
  • The following table describes the quotas on the numbers of paths and diagnostic tasks.

Create a path

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Troubleshooting.
  3. In the top navigation bar, select a region.
  4. Click the Network Connectivity Diagnostics tab.
  5. Click Create Path.
  6. Configure the parameters described in the following table and click Create.
    Path Name: Enter a name for the path. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), and colons (:). It cannot start with a special character, a digit, http://, or https://.
    VPC: Select a VPC.
    Source and Destination: Specify the source and destination diagnostic objects. Select ECS Instance or ENI as the diagnostic object type for Source and Destination. Then, select an instance or ENI as the source diagnostic object and a different instance or ENI as the destination diagnostic object.
    Note The source and destination diagnostic objects cannot be the same instance, the same ENI, or ENIs that are bound to the same instance.
    Destination Port and Protocol: Specify the destination port and protocol. The supported destination ports are determined by the selected protocol.
    • If you set Protocol to Custom TCP or Custom UDP, select a port from the drop-down list or enter a port number for Destination Port.

      SSH (22), Telnet (23), HTTP (80), HTTPS (443), MS SQL (1433), Oracle (1521), MySQL (3306), RDP (3389), PostgreSQL (5432), and Redis (6379) are displayed on the drop-down list.

    • If you set Protocol to All ICMP(IPv4) or All GRE, the Destination Port is automatically set to -1/-1.
    After the path is created, the system initiates a diagnostic task to diagnose the network connectivity over the specified protocol from the source diagnostic object to the specified port of the destination diagnostic object.
    Note It takes a few minutes for a diagnostic task to be completed. You can view the status and diagnostic result of a diagnostic task in the path list. Alternatively, you can go to the details page of the path to view the status and diagnostic result of the task in the diagnostic task list. For more information, see Manage diagnostic tasks.

Clone a path

You can clone an existing path and modify some settings, such as the source or destination diagnostic object, to quickly create a path.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Troubleshooting.
  3. In the top navigation bar, select a region.
  4. Click the Network Connectivity Diagnostics tab.
  5. Click Clone in the Actions column corresponding to a path.
  6. Configure the parameters described in the following table and click Create.
    Path Name: Enter a name for the path. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), and colons (:). It cannot start with a special character, a digit, http://, or https://.
    VPC: Select a VPC.
    Source and Destination: Specify the source and destination diagnostic objects. Select ECS Instance or ENI as the diagnostic object type for Source and Destination. Then, select an instance or ENI as the source diagnostic object and a different instance or ENI as the destination diagnostic object.
    Note The source and destination diagnostic objects cannot be the same instance, the same ENI, or ENIs that are bound to the same instance.
    Destination Port and Protocol: Specify the destination port and protocol. The supported destination ports are determined by the selected protocol.
    • If you set Protocol to Custom TCP or Custom UDP, select a port from the drop-down list or enter a port number for Destination Port.

      SSH (22), Telnet (23), HTTP (80), HTTPS (443), MS SQL (1433), Oracle (1521), MySQL (3306), RDP (3389), PostgreSQL (5432), and Redis (6379) are displayed on the drop-down list.

    • If you set Protocol to All ICMP(IPv4) or All GRE, the Destination Port is automatically set to -1/-1.
    After a path is cloned, the system initiates a diagnostic task to diagnose the network connectivity over the specified protocol from the source diagnostic object to the specified port of the destination diagnostic object.
    Note It takes a few minutes for a diagnostic task to be completed. You can view the status and diagnostic result of a diagnostic task in the path list. Alternatively, you can go to the details page of the path to view the status and diagnostic result of the task in the diagnostic task list. For more information, see Manage diagnostic tasks.
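The Create a path and Clone a path procedures above share the same parameter constraints: the path name rule, the requirement that source and destination be distinct objects in one VPC, and a destination port that depends on the protocol. The following is an added example written for this topic, not the ECS console's own validation code; the ASCII name pattern, the 1 to 65535 bound for custom ports, and the dictionary layout of diagnostic objects are assumptions.

```python
import re

# Assumed ASCII form of the name rule; non-ASCII letters are not handled here.
NAME_RE = re.compile(r"^[A-Za-z0-9._:-]{2,128}$")
PORTLESS = ("All ICMP(IPv4)", "All GRE")          # Destination Port becomes -1/-1
CUSTOM = ("Custom TCP", "Custom UDP")
DROP_DOWN = {"SSH": 22, "Telnet": 23, "HTTP": 80, "HTTPS": 443, "MS SQL": 1433,
             "Oracle": 1521, "MySQL": 3306, "RDP": 3389, "PostgreSQL": 5432,
             "Redis": 6379}

def validate_path_name(name):
    """Return the rule violations for a path name (empty list means acceptable)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("2 to 128 characters from letters, digits, . _ - :")
    if not name[:1].isalpha():
        problems.append("must not start with a digit or special character")
    if name.lower().startswith(("http://", "https://")):
        problems.append("must not start with http:// or https://")
    return problems

def validate_objects(src, dst):
    """Objects: {'type': 'ECS Instance'|'ENI', 'id', 'vpc', 'instance_id' (ENI only,
    the instance the ENI is bound to)}. Layout is an assumption for this example."""
    problems = []
    if src["vpc"] != dst["vpc"]:
        problems.append("source and destination must belong to the same VPC")
    if src["type"] == dst["type"] == "ECS Instance" and src["id"] == dst["id"]:
        problems.append("source and destination cannot be the same instance")
    if src["type"] == dst["type"] == "ENI":
        if src["id"] == dst["id"]:
            problems.append("source and destination cannot be the same ENI")
        elif src["instance_id"] == dst["instance_id"]:
            problems.append("source and destination ENIs cannot be bound to the same instance")
    return problems

def resolve_destination_port(protocol, port=None):
    """Return the stored Destination Port: -1/-1 for ICMP/GRE, else the chosen port
    (a drop-down name or a typed number; the 1-65535 bound is an assumption)."""
    if protocol in PORTLESS:
        return "-1/-1"
    if protocol not in CUSTOM:
        raise ValueError("unsupported protocol: %s" % protocol)
    number = DROP_DOWN.get(port, port)
    if not isinstance(number, int) or not 1 <= number <= 65535:
        raise ValueError("Custom TCP/UDP needs a port number from 1 to 65535")
    return str(number)
```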

Diagnose a path

You can manually initiate a diagnostic task for an existing path. However, each path can have only one ongoing diagnostic task at a time. If a diagnostic task is being executed on a path, no other diagnostic task can be initiated for the path until it completes.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Troubleshooting.
  3. In the top navigation bar, select a region.
  4. Click the Network Connectivity Diagnostics tab.
  5. Click Diagnose in the Actions column corresponding to a path.
  6. Click Continue.

Manage diagnostic tasks

The latest diagnostic results are displayed for paths in the path list. However, you may want to view diagnostic task details or historical diagnostic tasks. For example, when Unconnectable is displayed as the diagnostic result for a path, you may want to look into the details of the diagnostic task for the cause of this issue. The records of a limited number of diagnostic tasks can be retained for each path. We recommend that you delete diagnostic tasks that are no longer needed on a regular basis.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Troubleshooting.
  3. In the top navigation bar, select a region.
  4. Click the Network Connectivity Diagnostics tab.
  5. Click the ID of a path.
  6. Perform the following operations based on your business requirements:
    • To view details of a specific diagnostic task, click the unfold icon in the Diagnosis List section.
    • To initiate a diagnostic task, click Diagnose and then click Continue.
    • To delete a diagnostic task, find the task and click Delete in the Actions column. Then, click Continue.
    Examples of diagnostic task details:
    Figure 1. Details of a sample diagnostic task whose result is Connectable
    Figure 2. Details of a sample diagnostic task whose result is Unconnectable
    The following table describes the check items of the diagnostic tasks.

    Check item type: Network configurations of instances
    Check item: Source or destination instance
    Description: The network configurations of the instance that is used as the source or destination diagnostic object, or of the instance associated with the ENI that is used as the source or destination diagnostic object. If this item passes the check, the check result indicates that the instance is correctly configured. If this item fails the check, the check result includes exception information.

    Check item type: Configurations of ENIs
    Check item: Source or destination ENI
    Description: The configurations of the ENI that is used as the source or destination diagnostic object, or of the primary ENI of the instance that is used as the source or destination diagnostic object. If this item passes the check, the check result indicates that the ENI is correctly configured. If this item fails the check, the check result includes exception information.

    Check item type: Access control settings of security groups
    Check item: Source or destination security group
    Description: The access control settings of the security group to which the instance or ENI belongs. If the security group allows the traffic, the check result includes the reason why the traffic is allowed. For example, the check result may indicate that the security group allows the traffic by default or that the security group contains a corresponding allow rule. If the security group denies the traffic, the check result includes suggestions about how to allow the traffic.

    Check item type: Access control settings of vSwitches
    Check item: Source or destination network ACL
    Description: The access control settings of the vSwitch to which the instance or ENI is connected. This check item is available only when the source and destination diagnostic objects are connected to different vSwitches. If the vSwitch allows the traffic, the check result includes the reason why the traffic is allowed. For example, the check result may indicate that the vSwitch allows the traffic by default or that the vSwitch is associated with network ACLs that allow the traffic. If the vSwitch denies the traffic, the check result includes suggestions about how to allow the traffic.
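The check items above combine into a single Connectable or Unconnectable verdict. The following added example (illustrative, not the ECS diagnostic engine) models that combination on constructed data: the instance and ENI checks for each object, a security group evaluation on each side that reports why traffic is allowed or what to add when it is denied, and a network ACL evaluation that runs only when the two objects sit on different vSwitches. The rule dictionary fields, first-match rule ordering, and the "no network ACL means allowed by default" behaviour are assumptions.

```python
def rule_matches(rule, protocol, port):
    # rule: {'protocol': 'tcp'|'udp'|'icmp'|'gre'|'all', 'ports': (lo, hi) or None,
    # 'action': 'allow'|'deny'}; ports None covers every port (-1/-1 on the page).
    if rule["protocol"] not in ("all", protocol):
        return False
    ports = rule.get("ports")
    return ports is None or ports[0] <= port <= ports[1]

def evaluate_rules(rules, default_allow, protocol, port):
    """First matching rule wins (assumed ordering); otherwise the default policy
    applies. Returns (allowed, reason or suggestion) like the check-result text."""
    for rule in rules:
        if rule_matches(rule, protocol, port):
            if rule["action"] == "allow":
                return True, "allow rule matches %s/%s" % (protocol, port)
            return False, "deny rule matches; add an allow rule for %s/%s" % (protocol, port)
    if default_allow:
        return True, "allowed by default"
    return False, "no rule matches; add an allow rule for %s/%s" % (protocol, port)

def diagnose(src, dst, protocol, port):
    """Each object: {'instance_ok', 'eni_ok', 'vswitch', 'sg', 'acl' or None}. The
    'sg' rules are the ones relevant to the role (outbound for the source,
    inbound for the destination). Returns (verdict, list of check tuples)."""
    checks = []
    for role, obj in (("source", src), ("destination", dst)):
        checks.append((role, "instance", obj["instance_ok"], "network configuration"))
        checks.append((role, "ENI", obj["eni_ok"], "ENI configuration"))
        ok, why = evaluate_rules(obj["sg"]["rules"], obj["sg"]["default_allow"], protocol, port)
        checks.append((role, "security group", ok, why))
        if src["vswitch"] != dst["vswitch"]:   # network ACL item only across vSwitches
            acl = obj["acl"]
            ok, why = ((True, "no network ACL; allowed by default") if acl is None else
                       evaluate_rules(acl["rules"], acl["default_allow"], protocol, port))
            checks.append((role, "network ACL", ok, why))
    verdict = "Connectable" if all(c[2] for c in checks) else "Unconnectable"
    return verdict, checks

def sample():
    # Constructed topology: a web instance on vsw-a reaching a MySQL instance on vsw-b
    # whose inbound security group allows only SSH, so the destination SG check fails.
    web = {"instance_ok": True, "eni_ok": True, "vswitch": "vsw-a", "acl": None,
           "sg": {"default_allow": False, "rules": [{"protocol": "all", "action": "allow"}]}}
    db = {"instance_ok": True, "eni_ok": True, "vswitch": "vsw-b",
          "acl": {"default_allow": True, "rules": []},
          "sg": {"default_allow": False,
                 "rules": [{"protocol": "tcp", "ports": (22, 22), "action": "allow"}]}}
    return diagnose(web, db, "tcp", 3306)
```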

Delete a path

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Troubleshooting.
  3. In the top navigation bar, select a region.
  4. Click the Network Connectivity Diagnostics tab.
  5. Click Delete in the Actions column corresponding to a path.
  6. Click Continue.