Troubleshoot ECS public IP ping failures

Last Updated: Jun 25, 2026

Diagnose and resolve ECS public IP ping failures caused by security groups, firewalls, ENI issues, routing, or network ACLs.

Problem description

A local client cannot ping the public IP address of an ECS instance. Examples:

  • On a Linux client, pinging the public IP address returns no response.

  • On a Windows client, pinging the public IP address returns a Request timed out error.

Use the Diagnostics tool

The Diagnostics tool checks security group configurations, instance firewalls, and application port status, and generates a diagnostic report.

Click to open the Diagnostics page and select the target region.

If the tool cannot identify the issue, proceed with manual troubleshooting.

Manual troubleshooting

If your local network works correctly and you can access other websites, the ping failure may be caused by the following issues.

Possible causes and solutions

  • The ECS instance is not in the Running state. Solution: Check the instance status

  • The ENI of the ECS instance is not working correctly. Solution: Check the ENI status

  • Incorrect routing after IPv4 gateway centralized control mode is enabled for the VPC. Solution: Check the VPC IPv4 gateway configuration

  • The network access control list (ACL) of the vSwitch does not allow ICMP traffic. Solution: Check the vSwitch network ACL

  • The security group does not allow ICMP traffic. Solution: Check the security group rules

  • The firewall of the ECS instance drops inbound ICMP requests. Solution: Check the firewall configuration of the ECS instance

  • Resource bottlenecks on the ECS instance cause network issues. Solution: Check CPU and bandwidth usage

  • Cross-border carrier network fluctuations cause Internet access issues. Solution: Check the instance region

  • Missing ICP filing or domain name resolution failure. Solution: Check ICP filing and DNS configuration

  • An issue with the client or an intermediate network node. Solution: Run a bidirectional link diagnosis

  • The ECS instance is in blackhole filtering. Solution: Check for blackhole filtering

  • The ECS instance is compromised. Solution: Check for security alerts in Security Center

Check the instance status

An ECS instance can provide services only when it is in the Running state.

  1. Go to ECS console - Instances.

  2. In the upper-left corner of the page, select a region and resource group.

  3. Find the ECS instance, click its ID to open the details page, and check the instance status.

    If the instance is not in the Running state, see Start an instance.

Check the ENI status

A functioning elastic network interface (ENI) is required for ping and remote connections. Connect to the instance using VNC and check the ENI status.

  1. Check whether the ENI is enabled.

    • For a Linux instance: Run the ip a command. The primary ENI eth0 should be visible with state UP.

      • If the primary ENI eth0 is not in the UP state, run the sudo ifup eth0 or sudo ip link set eth0 up command to re-enable the ENI.

      • If you configured a secondary ENI for the instance, some OS images may not recognize it automatically. You must configure it within the instance. For example, associating an EIP with an unconfigured secondary ENI causes Internet communication failure. See Step 2: Configure the ENI in Linux.

    • For a Windows instance: A malfunctioning ENI driver can cause communication failures.

      Resolve Windows ENI or driver communication failures

      Note

      This operation uses Windows Server 2016 as an example. The user interface (UI) may vary by OS version. Adjust the steps accordingly.

      1. Connect to the Windows instance using VNC.

      2. In the notification area of the taskbar, right-click the network icon and select Open Network and Sharing Center.

      3. Click Change adapter settings to check whether the network adapter is enabled.

        • If the network adapter is disabled, right-click the adapter name, select Enable, and then check whether the remote connection to the Windows instance is restored.

        • If the network adapter is enabled but still unavailable, proceed to the next step.

      4. Open the Run window, enter regedit, and click OK.

      5. In Registry Editor, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Class > {4d36e972-e325-11ce-bfc1-08002be10318}. Check whether the following information exists in the pane on the right. If not, right-click a blank area and select New to add it.

        Important

        After you modify the registry, you must restart the system for the changes to take effect.

        • Name: Installer32

        • Type: REG_SZ

        • Data: NetCfgx.dll,NetClassInstaller

      6. Open the Run window, enter devmgmt.msc, and click OK.

      7. On the Device Manager page, expand Network adapters, right-click the name of the network adapter, and select Update Driver Software....

      8. In the dialog box that appears, click Search automatically for updated driver software. After the update is complete, click Close.

      9. Try to ping the public IP address of the ECS instance again.

  2. Verify that the IP address, subnet mask, and gateway match the assigned values.

    ECS instances use IP mapping between public and private IP addresses for Internet communication. If the private IP address is misconfigured, Internet communication fails. The private IP address must be a valid assigned IP address.

    • For a Linux instance: Run the ip a command. The primary private IPv4 address for the ENI should be visible.

    • For a Windows instance, verify the internal network connection information.

      View on Windows 2022

      1. Connect to the Windows instance using VNC.

      2. Open the Network and Sharing Center.

      3. Click Change adapter settings.

      4. Double-click the primary network interface, Ethernet. In the Ethernet Status dialog box, click Properties.

      5. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

      6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Obtain an IP address automatically.

        If you select Use the following IP address, ensure the information matches the values assigned in the console.

Check the VPC IPv4 gateway configuration

By default, VPC resources communicate with the Internet directly through a public IP address. If you enable an IPv4 gateway, all Internet traffic is managed by the gateway, and changes to its policy affect all instances in the VPC.

For example, deleting the default route entry after activating an IPv4 gateway, or selecting private mode when deleting the gateway, disrupts Internet access for all VPC resources including ECS instances.

  1. Check whether the VPC is in centralized control mode of the IPv4 gateway.

    View the IPv4 Internet access mode of the VPC

    1. Go to ECS console - Instances.

    2. In the upper-left corner of the page, select a region and resource group.

    3. On the Instance page, find the destination instance and click the instance ID to go to the Instance Details page.

    4. In the Configuration Information section, click the VPC instance ID to go to the VPC console.

    5. On the Basic Information page, if the VPC shows IPv4 Internet Access Mode as Centralized Control, Internet access for all resources in this VPC is managed by the gateway policy.

    If your VPC is not under centralized control of an IPv4 gateway, skip this check.

  2. To keep centralized IPv4 gateway management, verify the gateway routing configuration.

    • Verify that a route entry pointing to the IPv4 gateway exists in the vSwitch route table

      When an IPv4 gateway is activated, the system adds a default route with destination CIDR block 0.0.0.0/0 pointing to the IPv4 gateway in your vSwitch route table, enabling Internet access.

      If the route table already has a default route with destination 0.0.0.0/0, you cannot add another for the IPv4 gateway. Manually deleting this default route disrupts Internet communication for the vSwitch.

      Verify the route entry as follows:

      1. Go to ECS console - Instances.

      2. In the upper-left corner of the page, select a region and resource group.

      3. On the Instance page, find the destination instance and click the instance ID to go to the Instance Details page.

      4. In the Configuration Information section, click the vSwitch ID to go to the VPC console.

      5. Click Route. A custom route entry should exist, automatically added when the IPv4 gateway was activated.

        If you deleted it, click the route table ID and add a route entry with destination CIDR block 0.0.0.0/0 that points to the IPv4 gateway.

    • If you configured other custom route entries, verify that the routing links are correct.

  3. If you no longer need centralized IPv4 gateway management, delete the IPv4 gateway in public mode.

    Delete the IPv4 gateway in public mode

    1. Log on to the IPv4 Gateway console. In the top menu bar, select the region of the ECS instance.

    2. Find the IPv4 gateway associated with the VPC.

      • If the IPv4 gateway exists: Find it and delete it in Public Mode.

        Important

        If you delete the gateway in private mode, all resources within the VPC will be unable to communicate with the Internet. Proceed with caution.

        After deletion, the VPC page shows IPv4 Internet Access Mode as Direct Internet Access, and ECS instance Internet traffic is no longer managed by the IPv4 gateway.

      • If the IPv4 gateway does not exist: You may have already deleted it in private mode.

        • Solution 1: Re-create an IPv4 gateway for the VPC, then delete it in public mode.

        • Solution 2: If the instance configuration is simple (such as no secondary ENIs or secondary private IP addresses), change the VPC to one without an IPv4 gateway.

See IPv4 Gateway.

Check the vSwitch network ACL

A network ACL controls network access in a Virtual Private Cloud (VPC). If you associate a network ACL with the vSwitch, inbound and outbound traffic for the instance is restricted by the ACL rules.

  1. Log on to the VPC console.

  2. In the navigation pane on the left, choose ACL > Network ACL.

  3. In the upper-left corner, select the region of the ECS instance.

  4. Check whether a network ACL exists for the VPC.

    • If no ACL exists or is not associated with the vSwitch: Skip this check.

    • If an ACL exists and is associated with the vSwitch: Ensure the ACL rules do not contain a deny policy for your test client IP. Add an allow policy for the desired source address, protocol type (ICMP must be allowed for ping), and port range.

      • By default, when a vSwitch is associated with a network ACL, rules allow all traffic in both inbound and outbound directions. Deleting these rules restricts access.

      • Configure the source/destination address and protocol type (ICMP must be allowed for ping) based on your business needs, following the principle of least privilege. Avoid opening all ports (use ::/0 or 0.0.0.0/0 with caution). See Create and manage a network ACL.

Check the security group rules

The security group must allow the ICMP protocol for ping to work. If the ICMP rule is deleted, ping fails.

  1. Go to ECS Console - Security Group.

  2. In the upper-left corner of the page, select a region and resource group.

  3. Find the security group associated with the ECS instance. In the Actions column, click Manage Rules.

  4. Check whether an ICMP protocol rule exists for the inbound direction.

    If no inbound ICMP rule exists, add a security group rule.

    Set Action to Allow, keep the default Priority, set Protocol to All ICMP - IPv4, set Port to -1/-1, and for Source, allow access only from specific IP addresses.

  5. Check the outbound rules based on the security group type.

    • Basic security group: Outbound direction allows all access by default. No additional rules are needed.

    • Advanced security group: Outbound direction denies all access by default. You must add a rule allowing ICMP traffic for the outbound direction. See Basic security groups and enterprise security groups.

Check the firewall configuration of the ECS instance

If the firewall is enabled and blocks external access, remote connections may fail. Check the configuration based on your instance OS.

Check the kernel parameters and firewall configuration of the Linux system

Whether a Linux system allows ping is determined by both the icmp_echo_ignore_all kernel parameter and firewall settings. If either denies the request, the instance cannot be pinged.

Check the kernel parameters of the Linux system

  1. Connect to the instance using VNC.

  2. Check the value of the icmp_echo_ignore_all kernel parameter.

    cat /proc/sys/net/ipv4/icmp_echo_ignore_all

  3. Set the icmp_echo_ignore_all kernel parameter to 0 to allow ICMP requests.

    1. Temporarily allow:

      echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

    2. Permanently allow:

      echo net.ipv4.icmp_echo_ignore_all=0 >> /etc/sysctl.conf
      sysctl -p

Check the Linux firewall configuration

  1. Connect to the ECS instance using a VNC connection.

    See Connect to an instance using VNC.

  2. View the firewall rules.

    iptables -L

    • If the following result is returned, ICMP is not blocked.

      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-reque

    • If ICMP is blocked, run the following commands to allow it:

      #Chain INPUT
      iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
      #Chain OUTPUT
      iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
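
The kernel-parameter and firewall checks above can be combined into one verdict. The script below is an added example, not part of the original documentation; the function names icmp_input_verdict and ping_verdict and the sample rule sets are constructed for illustration. It applies iptables' first-match ordering to `iptables -S INPUT` output, which shows why an ACCEPT rule appended with -A has no effect when an earlier rule already drops ICMP.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the verdict (ACCEPT/DROP/REJECT) an inbound echo request gets from the
# `iptables -S INPUT` text on stdin. Rules are evaluated top to bottom and the
# first terminating match wins; the chain policy applies if nothing matches.
# Limitation: rules with extra matches (-s, -i, --state, "!") and jumps to
# user-defined chains are skipped, so review those by hand.
icmp_input_verdict() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && verdict == "" {
        proto = "all"; itype = "any"; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(++i)
            else if ($i == "-m") i++                  # module name, e.g. "-m icmp"
            else if ($i == "--icmp-type") itype = $(++i)
            else if ($i == "-j") { target = $(i + 1); break }
            else extra = 1
        }
        if (extra) next
        if (proto != "all" && proto != "icmp") next
        if (itype != "any" && itype != "8" && itype != "echo-request") next
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT")
            verdict = target
    }
    END { print (verdict != "" ? verdict : policy) }
    '
}

# ping_verdict IGNORE_ALL RULES_TEXT -> "allowed" or "blocked:<reason>".
# Both layers must permit the request, as described in the section above.
ping_verdict() {
    if [ "$1" != "0" ]; then
        echo "blocked:icmp_echo_ignore_all=$1"
        return
    fi
    v=$(printf '%s\n' "$2" | icmp_input_verdict)
    if [ "$v" = "ACCEPT" ]; then echo "allowed"; else echo "blocked:iptables-$v"; fi
}

# Constructed sample: an ACCEPT appended with -A sits below an existing DROP.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# Constructed sample: default-deny policy with an explicit echo-request ACCEPT.
RULES_OK='-P INPUT DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# On a live instance (as root):
#   ping_verdict "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)" "$(iptables -S INPUT)"
ping_verdict 0 "$RULES_APPENDED"
```

If the verdict is a DROP or REJECT even though an ACCEPT rule for echo-request exists, the ACCEPT rule sits below the blocking rule; remove the blocking rule or insert the ACCEPT above it with iptables -I INPUT rather than -A.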

Check the Windows firewall configuration

This example uses Windows Server 2012. Steps for other versions are similar.

  1. Connect to the instance using VNC.

  2. Click the Server Manager icon to open Server Manager.

  3. In the upper-right corner, choose Tools > Windows Defender Firewall with Advanced Security.

  4. On the Windows Defender Firewall with Advanced Security page, check whether ICMP-related protocols in Inbound Rules and Outbound Rules are blocked.

    If ICMP protocols are blocked, enable the rule.

Check CPU and bandwidth usage

Resource bottlenecks such as high CPU usage, full bandwidth, memory exhaustion, or excessive disk I/O can cause ping failures.

When CPU or memory is exhausted, the protocol stack may delay ICMP responses until they time out or are dropped. Sustained bandwidth saturation blocks packet transmission and reception. Extreme disk I/O load can freeze the system (e.g., processes in D state), indirectly slowing network services. These issues compound in high-load scenarios — a traffic burst can overload both CPU and bandwidth, and low memory causes swapping that increases disk I/O pressure.

Use Health Diagnostics or CloudMonitor to view bandwidth, memory, and CPU metrics. Use tools such as sar and atop on Linux or Resource Monitor on Windows to identify abnormal processes. To resolve the issue, free up resources or scale out your instance. See Troubleshoot and resolve high instance load issues.

Check for blackhole filtering

Check whether you received a blackhole notification. During blackhole filtering, ping and remote connections are blocked.

See Alibaba Cloud blackhole filtering policy.

Check for security alerts in Security Center

Check Security Center for unusual security alerts. A malicious intrusion can also make an instance unpingable. See View security risks of an ECS instance.

Check the instance region

International egress bandwidth between carriers in different regions is limited. Cross-regional traffic passes through multiple routing hops, leading to high latency, packet loss, and jitter from line congestion, BGP route detours, or rate limiting. If you access an instance in China (Hong Kong) or a region outside China from the Chinese mainland, link quality may be affected. Try again later.

Follow the principle of proximity. Customers in the Chinese mainland should access servers in mainland regions (such as North China or East China). Customers outside the Chinese mainland should access nearby nodes (such as China (Hong Kong) or Singapore) to ensure stability and regulatory compliance.

If your business relies on cross-border communication, use Global Accelerator (GA) to optimize routing, or use Cloud Enterprise Network (CEN) to build a cross-border private connection.

Perform a bidirectional link diagnosis from the client to the ECS instance

If only a specific client cannot ping the instance while others can, run a bidirectional link test from both the client and the instance to identify intermediate network node or local configuration issues. See Use the MTR tool for network link analysis.

Check the ICP filing or domain name resolution configuration

If you can ping the public IP address but not the domain name, the issue may be a missing ICP filing or a DNS resolution error.

A domain name that resolves to a server in the Chinese mainland must have an ICP filing before it can serve website traffic. Websites without an ICP filing are blocked by the Alibaba Cloud monitoring system.
