This topic describes the diagnostic items supported by the Elastic Compute Service (ECS) Network Connectivity Diagnostics feature and explains the diagnostic scope and results.
Diagnostic items
The ECS Network Connectivity Diagnostics feature supports the following resources:
- ECS instances. The ECS Network Connectivity Diagnostics feature checks the diagnostic items of ECS instances, including security policies, network interface controller (NIC) configurations, system load, and business states.
- Elastic network interfaces (ENIs). The ECS Network Connectivity Diagnostics feature checks the underlying states and security group configurations of ENIs.
- vSwitches. The ECS Network Connectivity Diagnostics feature checks the network access control list (ACL) configurations of vSwitches.
Diagnostic items are assigned the following severity levels:
- Critical: A critical diagnostic item determines network connectivity. If an exception is detected for a critical item, a network connectivity issue has occurred.
- Non-critical: A non-critical diagnostic item may affect network connectivity. If an exception is detected for a non-critical item, a network connectivity issue may occur.
Diagnostic items of ECS instances
Category | Diagnostic item | Severity | Description | Suggestion |
---|---|---|---|---|
SSH service | Whether the SSH service has started | Critical | Checks whether the SSH service has started and on which port the service is listening on an instance. | |
SSH service | Whether critical files or directories required by the SSH service exist | Critical | Checks the integrity of SSH configuration files and directories. | If a message is displayed indicating that an SSH configuration file or directory is missing, recover the file or directory based on the message. |
SSH service | Whether SSH allows the root user to log on | Non-critical | Checks whether SSH allows the root user to log on. | If a message is displayed indicating that SSH denies logons by the root user and you want to lift this limit, troubleshoot the issue and modify SSH configurations. For more information, see The error "Permission denied, please try again" is returned when the root user logs on to a Linux instance through SSH. |
NIC configurations | Whether the Dynamic Host Configuration Protocol (DHCP) service has started | Critical | If an instance whose image supports DHCP was not correctly assigned a static IP address and the DHCP service has not started on the instance, a message is displayed indicating that DHCP has not started. | Log on to the instance by using VNC and start the DHCP service. |
NIC configurations | Whether NIC IP addresses are correct | Critical | For a NIC, if a message similar to "Invalid IP address" is displayed, it indicates that the detected IP address is different from the configured one. | Modify the static IP address of the NIC. For more information, see Assign secondary private IP addresses. |
NIC configurations | Whether NIC masks are correct | Non-critical | For a NIC, if a message similar to "No mask is configured for the <eniId> NIC" is displayed, it indicates that the NIC does not have a mask or has an incorrect mask. | Use the default mask or manually configure a correct mask for the NIC. |
Instance security policies | Whether iptables rules are configured to allow or block traffic | Critical | | |
Instance security policies | Whether blackhole filtering is triggered on the public IP address of an instance | Critical | If an instance falls victim to DDoS attacks and the volume of the DDoS attacks exceeds the mitigation capability provided for the instance, blackhole filtering is triggered and all inbound traffic to the public IP address of the instance is blocked. If this occurs, a message similar to "Blackhole filtering is triggered on <Public IP address>, and the IP address cannot be accessed" is displayed. | For more information about blackhole filtering policies and how to deactivate blackhole filtering, see Blackhole filtering policy of Alibaba Cloud. |
System routing configurations | Whether routing policies are configured | Critical | If no routing policies are configured on an instance, the check fails. If a routing policy is configured on an instance, a message similar to "The policyName routing policy forwards traffic" is displayed. | Check for and delete incorrect routing policies. |
Instance system load | CPU load | Non-critical | Checks whether the CPU load of an instance exceeds 80%. | If the CPU load of an instance remains higher than 80%, decide whether to upgrade to an instance type with more vCPUs. For more information, see Change instance types. |
Instance system load | Public bandwidth load | Non-critical | Checks whether the public bandwidth load of an instance exceeds 90%. | If the public bandwidth load of an instance remains higher than 90%, decide whether to increase the public bandwidth. For more information, see Modify public bandwidth. |
Instance system load | Internal bandwidth load | Non-critical | Checks whether the internal bandwidth load of an instance exceeds 90%. | If the internal bandwidth load of an instance remains higher than 90%, decide whether to upgrade to an instance type that provides a higher base bandwidth. For more information, see Change instance types. |
User service state | Whether processes are listening on specified destination ports | Critical | Checks whether processes are listening on the specified destination ports of an instance. If not, the check fails. | Connect to the instance and start processes to listen on the specified destination ports. |
Instance state | Whether an instance has expired | Critical | If an expired instance is detected, a message is displayed. | Renew the instance at your earliest convenience. For more information, see Renewal overview. |
Instance state | Overdue payments in your Alibaba Cloud account | Critical | If overdue payments are detected in your Alibaba Cloud account, a message is displayed. | Add funds to your account at your earliest convenience. |
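
The following added example (not part of the original topic and not the implementation of the ECS feature) shows how the SSH service, root logon, and destination port items in the preceding table can be reproduced by hand from an instance's `sshd_config` file and `ss -ltn` output. The function names, the sample inputs, and the rule that a loopback-only listener fails the destination port check are assumptions made for this example.

```python
import re

# Constructed samples (not from a real instance): sshd_config text and `ss -ltn` output.
SSHD_CONFIG = "Port 22\nPort 2222\nPermitRootLogin no\nMatch User deploy\n    PermitRootLogin yes\n"
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511        127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

def sshd_globals(text):
    """Global sshd settings: first value of a keyword wins, Port may repeat, Match blocks are skipped."""
    ports, first = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # everything after the first Match line is conditional
            break
        if key == "port":
            ports.append(int(value))
        first.setdefault(key, value)
    return ports or [22], first  # sshd listens on port 22 when no Port is set

def listeners(ss_text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    found = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            found.setdefault(int(port), set()).add(addr)
    return found

def diagnose(config_text, ss_text, dest_ports):
    """(item, severity, passed) tuples; assumption added here: loopback-only listeners fail."""
    ports, cfg = sshd_globals(config_text)
    listen = listeners(ss_text)
    out = [(f"SSH listening on port {p}", "Critical", p in listen) for p in ports]
    root = cfg.get("permitrootlogin", "prohibit-password")  # OpenSSH default value
    out.append(("SSH allows root logon", "Non-critical", root != "no"))
    for p in dest_ports:
        ok = any(not a.startswith(("127.", "[::1]")) for a in listen.get(p, ()))
        out.append((f"Process listening on destination port {p}", "Critical", ok))
    return out
```

With the constructed samples, `diagnose(SSHD_CONFIG, SS_OUTPUT, [443, 8080])` fails port 2222 (configured but without a listener) and port 8080 (bound only to 127.0.0.1), and reports that the global configuration denies root logon even though a `Match` block permits it for one user.
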
Diagnostic items of ENIs
Category | Diagnostic item | Severity | Description | Suggestion |
---|---|---|---|---|
ENI state | Underlying state | Critical | If the underlying state of an ENI is abnormal, a message is displayed. | Check the state of the ENI. If an exception occurs, perform the corresponding operations to troubleshoot the exception. |
Security group configurations | Security groups | Critical | Security groups control traffic to or from ENIs based on security group types and rules. | Check whether security groups implement access control as expected. If not, configure them based on your needs. |
Diagnostic items of vSwitches
Category | Diagnostic item | Severity | Description | Suggestion |
---|---|---|---|---|
Network ACL | Network ACL configurations | Critical | | Check whether a vSwitch implements access control as expected. If not, configure a network ACL for the vSwitch based on your needs. |