This topic describes the diagnostic items supported by the Elastic Compute Service (ECS) Network Connectivity Diagnostics feature and elaborates the diagnostic scope and results.

Diagnostic items

The ECS Network Connectivity Diagnostics feature supports the following resources:
  • ECS instances. The ECS Network Connectivity Diagnostics feature checks the diagnostic items of ECS instances, including security policies, network interface controller (NIC) configurations, system load, and user service states.
  • Elastic network interfaces (ENIs). The ECS Network Connectivity Diagnostics feature checks the underlying states and security group configurations of ENIs.
  • vSwitches. The ECS Network Connectivity Diagnostics feature checks the network access control list (ACL) configurations of vSwitches.
Diagnostic items are assigned the following severity levels:
  • Critical: A critical diagnostic item determines network connectivity. If it is diagnosed with exceptions, network connectivity issues have occurred.
  • Non-critical: A non-critical diagnostic item may affect network connectivity. If it is diagnosed with exceptions, network connectivity issues may occur.

Diagnostic items of ECS instances

Category: SSH service
Diagnostic item: Whether the SSH service has started
Severity: Critical
Description: Checks whether the SSH service has started and on which port the service is listening on an instance.
  • If the state of the sshd process is displayed as normal, the SSH service has started and is listening on port 22 on a Linux instance or port 3389 on a Windows instance.
  • If the sshd process is displayed to be listening on a port other than ports 22 and 3389 (such as port 1234) and port 22 or 3389 is displayed as the destination port to be diagnosed, the SSH service has started but is listening on a port other than ports 22 and 3389.
  • If the state of the sshd process is displayed as not started, the SSH service has not started.
Suggestion:
  • If the SSH service is not listening on port 22 on a Linux instance or port 3389 on a Windows instance, select the port on which the SSH service is listening to connect to the instance, or change the listening port to port 22 or 3389. For more information, see Modify the default port used by an instance to accept connections.
  • If the SSH service has not started, log on to the instance by using Virtual Network Console (VNC) and start the service.

Category: SSH service
Diagnostic item: Whether critical files or directories required by the SSH service exist
Severity: Critical
Description: Checks the integrity of SSH configuration files and directories.
Suggestion: If a message is displayed indicating that an SSH configuration file or directory is missing, recover the file or directory based on the message.

Category: SSH service
Diagnostic item: Whether SSH allows the root user to log on
Severity: Non-critical
Description: Checks whether SSH allows the root user to log on.
Suggestion: If a message is displayed indicating that SSH denies logons by the root user and you want to lift this limit, troubleshoot the issue and modify the SSH configuration. For more information, see The error "Permission denied, please try again" is returned when the root user logs on to a Linux instance through SSH.

Category: NIC configurations
Diagnostic item: Whether the Dynamic Host Configuration Protocol (DHCP) service has started
Severity: Critical
Description: If an instance whose image supports DHCP was not correctly assigned a static IP address and the DHCP service has not started on the instance, a message is displayed indicating that DHCP has not started.
Suggestion: Log on to the instance by using VNC and start the DHCP service.

Category: NIC configurations
Diagnostic item: Whether NIC IP addresses are correct
Severity: Critical
Description: For a NIC, if a message similar to "Invalid IP address" is displayed, the detected IP address is different from the configured one.
Suggestion: Modify the static IP address of the NIC. For more information, see Assign secondary private IP addresses.

Category: NIC configurations
Diagnostic item: Whether NIC masks are correct
Severity: Non-critical
Description: For a NIC, if a message similar to "No mask is configured for the <eniId> NIC" is displayed, the NIC does not have a mask or has an incorrect mask.
Suggestion: Use the default mask or manually configure a correct mask for the NIC.

Category: Instance security policies
Diagnostic item: Whether iptables rules are configured to allow or block traffic
Severity: Critical
Description:
  • For an instance, if a message similar to "The hit iptables rule <ruleName> blocks traffic" is displayed, an iptables rule is configured on the instance to block traffic.
  • For an instance, if a message similar to "iptables rules allow traffic" is displayed, an iptables rule is configured on the instance to allow traffic.
Suggestion:
  • If you do not want to block the traffic, delete the Block iptables rule.
  • If you do not want to allow the traffic, configure an iptables rule to block the traffic or change the Allow iptables rule into a Block one.

Category: Instance security policies
Diagnostic item: Whether blackhole filtering is triggered on the public IP address of an instance
Severity: Critical
Description: If an instance falls victim to DDoS attacks and the volume of the attacks exceeds the mitigation capability provided for the instance, blackhole filtering is triggered and all inbound traffic to the public IP address of the instance is blocked. If this occurs, a message similar to "Blackhole filtering is triggered on <Public IP address>, and the IP address cannot be accessed" is displayed.
Suggestion: For more information about blackhole filtering policies and how to deactivate blackhole filtering, see Blackhole filtering policy of Alibaba Cloud.

Category: System routing configurations
Diagnostic item: Whether routing policies are configured
Severity: Critical
Description: If no routing policies are configured on an instance, the check fails. If a routing policy is configured on an instance, a message similar to "The policyName routing policy forwards traffic" is displayed.
Suggestion: Check for and delete incorrect routing policies.

Category: Instance system load
Diagnostic item: CPU load
Severity: Non-critical
Description: Checks whether the CPU load of an instance exceeds 80%.
Suggestion: If the CPU load of an instance remains higher than 80%, decide whether to upgrade to an instance type with more vCPUs. For more information, see Change instance types.

Category: Instance system load
Diagnostic item: Public bandwidth load
Severity: Non-critical
Description: Checks whether the public bandwidth load of an instance exceeds 90%.
Suggestion: If the public bandwidth load of an instance remains higher than 90%, decide whether to increase the public bandwidth. For more information, see Modify public bandwidth.

Category: Instance system load
Diagnostic item: Internal bandwidth load
Severity: Non-critical
Description: Checks whether the internal bandwidth load of an instance exceeds 90%.
Suggestion: If the internal bandwidth load of an instance remains higher than 90%, decide whether to upgrade to an instance type that provides a higher base bandwidth. For more information, see Change instance types.

Category: User service state
Diagnostic item: Whether processes are listening on specified destination ports
Severity: Critical
Description: Checks whether processes are listening on the specified destination ports of an instance. If not, the check fails.
Suggestion: Connect to the instance and start processes to listen on the specified destination ports.

Category: Instance state
Diagnostic item: Whether an instance has expired
Severity: Critical
Description: If an expired instance is detected, a message is displayed.
Suggestion: Renew the instance at your earliest convenience. For more information, see Renewal overview.

Category: Instance state
Diagnostic item: Overdue payments in your Alibaba Cloud account
Severity: Critical
Description: If overdue payments are detected in your Alibaba Cloud account, a message is displayed.
Suggestion: Add funds to your account at your earliest convenience.
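Several of the Linux-side items in this table (sshd state and listening port, whether root logon is permitted, iptables rules that hit the diagnosed port, CPU load) can be reproduced on the instance itself, which is useful when you want to confirm a diagnosis before changing anything. The following script is an added example and is not part of the ECS documentation or of the diagnostics feature: it parses the output of `ss -ltnp`, `/etc/ssh/sshd_config`, `iptables-save` and `/proc/loadavg` (the embedded samples are constructed, not output from a real instance) and labels each finding with the severity the table assigns. The iptables evaluation is a simplification and an assumption of this example: the first INPUT rule whose `--dport` matches decides, otherwise the chain policy, and source, interface and multiport matches and user-defined chains are not evaluated.

```python
"""Added example (not part of the ECS documentation or of the diagnostics
feature): re-creates several ECS-instance diagnostic items on a Linux host.
Each check takes the relevant command output as text, so it runs on captured
output (the constructed samples below) as well as on the live host."""

CRITICAL, NONCRIT, OK = "Critical", "Non-critical", "OK"

# Constructed samples; not output from any real instance.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:1234      0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:3306    0.0.0.0:*  users:(("mysqld",pid=901,fd=21))
"""
SSHD_CONFIG_SAMPLE = """\
# constructed sshd_config excerpt
#PermitRootLogin prohibit-password
Port 1234
PermitRootLogin no
"""
IPTABLES_SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
LOADAVG_SAMPLE = "3.52 2.10 1.80 2/300 1234\n"


def sshd_listen_port(ss_output):
    """Port sshd listens on according to `ss -ltnp` output, or None if it is not running."""
    for line in ss_output.splitlines():
        if line.startswith("LISTEN") and '"sshd"' in line:
            local_addr = line.split()[3]              # "Local Address:Port" column
            return int(local_addr.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:22
    return None


def check_sshd(ss_output, expected_port=22):
    """'Whether the SSH service has started' (Critical)."""
    port = sshd_listen_port(ss_output)
    if port is None:
        return (CRITICAL, "SSH service has not started")
    if port != expected_port:
        return (CRITICAL, f"sshd listening on port {port}, not on {expected_port}")
    return (OK, f"sshd listening on port {port}")


def check_root_login(sshd_config):
    """'Whether SSH allows the root user to log on' (Non-critical).
    sshd uses the first PermitRootLogin it reads; when absent it defaults to prohibit-password."""
    value = "prohibit-password"
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].lower()
            break
    if value == "yes":
        return (OK, "SSH allows root logon")
    return (NONCRIT, f"SSH restricts root logon (PermitRootLogin {value})")


def check_iptables(rules, port):
    """'Whether iptables rules are configured to allow or block traffic' (Critical).
    Simplified assumption: the first INPUT rule whose --dport matches decides, otherwise
    the chain policy; source/interface/multiport matches and user chains are ignored."""
    policy = None
    for line in rules.splitlines():
        f = line.split()
        if f[:1] == [":INPUT"]:
            policy = f[1]                              # chain policy line, e.g. ":INPUT ACCEPT [0:0]"
        elif f[:2] == ["-A", "INPUT"] and "--dport" in f and "-j" in f:
            if f[f.index("--dport") + 1] != str(port):
                continue
            target = f[f.index("-j") + 1]
            if target in ("DROP", "REJECT"):
                return (CRITICAL, f"hit iptables rule blocks traffic to port {port} ({target})")
            if target == "ACCEPT":
                return (OK, f"iptables rules allow traffic to port {port}")
            return (NONCRIT, f"port {port} jumps to chain {target}, not evaluated")
    if policy in ("DROP", "REJECT"):
        return (CRITICAL, f"no rule matches port {port}; INPUT policy is {policy}")
    return (OK, f"no rule matches port {port}; INPUT policy {policy} applies")


def check_cpu_load(loadavg, ncpu):
    """'CPU load' (Non-critical): 1-minute load average relative to vCPUs, flagged above 80%."""
    pct = float(loadavg.split()[0]) * 100 / ncpu
    if pct > 80:
        return (NONCRIT, f"CPU load {pct:.0f}% exceeds 80%")
    return (OK, f"CPU load {pct:.0f}%")


if __name__ == "__main__":
    findings = {
        "ssh_started": check_sshd(SS_SAMPLE),
        "ssh_root_login": check_root_login(SSHD_CONFIG_SAMPLE),
        "iptables": check_iptables(IPTABLES_SAMPLE, 22),
        "cpu_load": check_cpu_load(LOADAVG_SAMPLE, 4),
    }
    for name, (severity, message) in findings.items():
        print(f"{name:15s} {severity:13s} {message}")
```

Run as-is, the script evaluates the constructed samples: sshd is up but on port 1234 rather than the diagnosed port 22 (Critical), root logon is restricted (Non-critical), a DROP rule hits port 22 (Critical), and a 1-minute load of 3.52 on 4 vCPUs is 88% (Non-critical). To run it against the live host, feed the functions the real text, for example `check_sshd(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout)` and `check_iptables(open_output_of("iptables-save"), 22)`, where the latter needs root; the page's VNC fallback still applies when sshd is not running at all, since in that case nothing here is reachable over the network either.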

Diagnostic items of ENIs

Category: ENI state
Diagnostic item: Underlying state
Severity: Critical
Description: If the underlying state of an ENI is abnormal, a message is displayed.
Suggestion: Check the state of the ENI. If an exception occurs, perform the corresponding operations to troubleshoot the exception.

Category: Security group configurations
Diagnostic item: Security groups
Severity: Critical
Description: Checks whether security groups implement access control as expected. Security groups control traffic to or from ENIs based on security group types and rules.
  • Basic security groups:
    • If the source and destination diagnostic objects in a path belong to the same security group and the security group contains no rules, these diagnostic objects can communicate with each other.
    • If the source and destination diagnostic objects in a path belong to different security groups that contain no rules, outbound traffic from the source diagnostic object is allowed and inbound traffic to the destination diagnostic object is denied.
  • Advanced security groups: If security groups contain no rules, the security groups deny outbound traffic from source diagnostic objects and allow inbound traffic to destination diagnostic objects.
  • If security groups contain rules, the security groups deny or allow traffic based on their attributes and rules. For more information, see Overview.
Suggestion: If security groups do not implement access control as expected, configure them based on your needs.

Diagnostic items of vSwitches

Category: Network ACL
Diagnostic item: Network ACL configurations
Severity: Critical
Description: Checks whether a vSwitch implements access control as expected.
  • If no network ACL is associated with a vSwitch, the vSwitch allows all traffic by default.
  • If the source and destination diagnostic objects in a path are connected to the same vSwitch, the traffic between these diagnostic objects is exempt from the network ACL rules that are associated with the vSwitch.
  • If the source and destination diagnostic objects in a path are connected to different vSwitches and network ACLs are associated with the vSwitches, the vSwitches determine whether to allow traffic between the diagnostic objects based on the rules in the network ACLs. For more information, see Overview of network ACLs.
Suggestion: If a vSwitch does not implement access control as expected, configure a network ACL for the vSwitch based on your needs.
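The security group defaults from the ENI table and the network ACL behaviour from this table combine along a single diagnostic path, and a Critical result usually comes from one hop that nobody expected. The following model is an added example, not code from the ECS documentation or the diagnostics service: it evaluates a path hop by hop (source security group outbound, source vSwitch ACL outbound, destination vSwitch ACL inbound, destination security group inbound). The no-rule defaults for basic and advanced security groups and the same-vSwitch ACL exemption follow this page; how rules are matched when they exist (lowest priority number wins, deny beats allow at equal priority, ACL rules first-match in listed order, allow when no ACL rule matches) is a simplified assumption of the example, as are all addresses, group and vSwitch names in the scenario.

```python
"""Added example (not part of the ECS documentation): a hop-by-hop model of the
security-group and network-ACL decisions described on this page, evaluated over
a diagnostic path from a source object to a destination object. The no-rule
defaults and the same-vSwitch exemption follow the page; rule matching is a
simplified assumption (see sg_decision and acl_decision)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    direction: str      # "inbound" or "outbound"
    action: str         # "allow" or "deny"
    cidr: str           # remote side of the connection
    port_from: int
    port_to: int
    priority: int = 1   # assumption: lower number = higher priority (security groups only)

    def matches(self, remote_ip, port):
        return (ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


@dataclass
class SecurityGroup:
    name: str
    kind: str                                   # "basic" or "advanced"
    rules: list = field(default_factory=list)


@dataclass
class NetworkAcl:
    rules: list = field(default_factory=list)  # assumption: evaluated in order, first match wins


@dataclass
class Endpoint:
    ip: str
    group: SecurityGroup
    vswitch: str


def sg_decision(group, direction, remote_ip, port, same_group):
    """One security-group hop. With matching rules: highest priority wins, deny beats
    allow at equal priority (assumption). Without rules: the page's defaults per type."""
    hits = [r for r in group.rules if r.direction == direction and r.matches(remote_ip, port)]
    if hits:
        hits.sort(key=lambda r: (r.priority, r.action != "deny"))
        return hits[0].action
    if group.kind == "basic":
        if same_group:
            return "allow"                                     # same basic group, no rules
        return "allow" if direction == "outbound" else "deny"  # different basic groups, no rules
    return "deny" if direction == "outbound" else "allow"      # advanced group, no rules


def acl_decision(acl, direction, remote_ip, port, same_vswitch):
    """One network-ACL hop: same vSwitch -> exempt; no ACL -> allow; else first matching rule."""
    if same_vswitch:
        return "allow (exempt: same vSwitch)"
    if acl is None:
        return "allow (no network ACL associated)"
    for r in acl.rules:
        if r.direction == direction and r.matches(remote_ip, port):
            return r.action
    return "allow (no matching ACL rule; assumed default)"


def diagnose(src, dst, port, acls):
    """Per-hop verdicts for src -> dst on a port; the path is blocked if any hop denies."""
    same_group = src.group is dst.group
    same_vsw = src.vswitch == dst.vswitch
    hops = [
        ("source security group, outbound",
         sg_decision(src.group, "outbound", dst.ip, port, same_group)),
        ("source vSwitch network ACL, outbound",
         acl_decision(acls.get(src.vswitch), "outbound", dst.ip, port, same_vsw)),
        ("destination vSwitch network ACL, inbound",
         acl_decision(acls.get(dst.vswitch), "inbound", src.ip, port, same_vsw)),
        ("destination security group, inbound",
         sg_decision(dst.group, "inbound", src.ip, port, same_group)),
    ]
    blocked = any(verdict.startswith("deny") for _, verdict in hops)
    return hops, blocked


def sample_scenario():
    """Constructed scenario: a web tier reaching a database tier across two vSwitches."""
    web_sg = SecurityGroup("sg-web", "basic", [Rule("inbound", "allow", "0.0.0.0/0", 80, 80)])
    db_sg = SecurityGroup("sg-db", "basic")                    # no rules yet
    src = Endpoint("10.0.1.10", web_sg, "vsw-a")
    dst = Endpoint("10.0.2.20", db_sg, "vsw-b")
    acls = {"vsw-b": NetworkAcl([Rule("inbound", "deny", "10.0.1.0/24", 3306, 3306)])}
    return src, dst, acls


if __name__ == "__main__":
    src, dst, acls = sample_scenario()
    hops, blocked = diagnose(src, dst, 3306, acls)
    for hop, verdict in hops:
        print(f"{'Critical' if verdict.startswith('deny') else 'OK':9s} {hop}: {verdict}")
    print("path blocked" if blocked else "path allowed")
```

In the constructed scenario the path to port 3306 is blocked twice: the destination vSwitch's network ACL denies it, and the destination's basic security group has no rules, so by the page's default inbound traffic from a different group is denied even though outbound traffic from the source is allowed. Fixing only one of the two hops still leaves a Critical result, which is why the diagnostic reports security groups and network ACLs as separate items.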