Diagnose and resolve ECS public IP ping failures caused by security groups, firewalls, ENI issues, routing, or network ACLs.
Problem description
A local client cannot ping the public IP address of an ECS instance. Examples:
- On a Linux client, pinging the public IP address returns no response.
- On a Windows client, pinging the public IP address returns a "Request timed out" error.
Use the Diagnostics tool
The Diagnostics tool checks security group configurations, instance firewalls, and application port status, and generates a diagnostic report.
Click to open the Diagnostics page and select the target region.
If the tool cannot identify the issue, proceed with manual troubleshooting.
Manual troubleshooting
If your local network works correctly and you can access other websites, the ping failure may be caused by the following issues.
| Possible causes | Solutions |
| --- | --- |
| The ECS instance is not in the Running state | Check the instance status |
| The ENI of the ECS instance is not working correctly | Check the ENI status |
| Incorrect routing after IPv4 gateway centralized control mode is enabled for the VPC | Check the VPC IPv4 gateway configuration |
| The network access control list (ACL) of the vSwitch does not allow ICMP traffic | Check the vSwitch network ACL |
| The security group does not allow ICMP traffic | Check the security group rules |
| The firewall of the ECS instance drops inbound ICMP requests | Check the firewall configuration of the ECS instance |
| Resource bottlenecks on the ECS instance cause network issues | Check CPU and bandwidth usage |
| Cross-border carrier network fluctuations cause Internet access issues | Check the instance region |
| Missing ICP filing or domain name resolution failure | Check the ICP filing or domain name resolution configuration |
| An issue with the client or an intermediate network node | Perform a bidirectional link diagnosis from the client to the ECS instance |
| The ECS instance is in blackhole filtering | Check for blackhole filtering |
| The ECS instance is compromised | Check for security alerts in Security Center |
Check the instance status
An ECS instance can provide services only when it is in the Running state.
- Go to ECS console - Instances.
- In the upper-left corner of the page, select a region and resource group.
- Find the ECS instance, click its ID to open the details page, and check the instance status.
- If the instance is not in the Running state, see Start an instance.
Check the ENI status
A functioning elastic network interface (ENI) is required for ping and remote connections. Connect to the instance using VNC and check the ENI status.
- Check whether the ENI is enabled.
  - For a Linux instance: Run the ip a command. The primary ENI eth0 should be visible with state UP.
    - If the primary ENI eth0 is not in the UP state, run sudo ifup eth0 or sudo ip link set eth0 up to re-enable the ENI.
    - If you configured a secondary ENI for the instance, some OS images may not recognize it automatically. You must configure it within the instance. For example, associating an EIP with an unconfigured secondary ENI causes Internet communication failure. See Step 2: Configure the ENI in Linux.
  - For a Windows instance: A malfunctioning ENI driver can cause communication failures.
- Verify that the IP address, subnet mask, and gateway match the assigned values.
  ECS instances use IP mapping between public and private IP addresses for Internet communication. If the private IP address is misconfigured, Internet communication fails. The private IP address must be a valid assigned IP address.
  - For a Linux instance: Run the ip a command. The primary private IPv4 address for the ENI should be visible.
    - Keep the default DHCP automatic IP address assignment. When the network changes (such as switching VPCs or changing IP addresses), the internal configuration updates automatically. See How to configure DHCP for a network in a Linux image.
    - If you manually apply a static configuration, ensure it matches the assigned values. Mismatches cause abnormal network communication. See Resolve IP address inconsistency between the ENI configuration file and the console for a Linux instance.
    - By default, the ENI only recognizes the primary private IP address. If you assigned a secondary private IP address, you must configure it inside the instance. Associating an EIP with an unconfigured secondary private IP address causes communication failure. See Configure an operating system to recognize a secondary private IP address.
  - For a Windows instance, verify the internal network connection information.
Check the VPC IPv4 gateway configuration
By default, VPC resources communicate with the Internet directly through a public IP address. If you enable an IPv4 gateway, all Internet traffic is managed by the gateway, and changes to its policy affect all instances in the VPC.
For example, deleting the default route entry after activating an IPv4 gateway, or selecting private mode when deleting the gateway, disrupts Internet access for all VPC resources including ECS instances.
- Check whether the VPC is in centralized control mode of the IPv4 gateway. If your VPC is not under centralized control of an IPv4 gateway, skip this check.
- To keep centralized IPv4 gateway management, verify the gateway routing configuration.
  - If you configured other custom route entries, verify that the routing links are correct.
- If you no longer need centralized IPv4 gateway management, delete the IPv4 gateway in public mode.
See IPv4 Gateway.
Check the vSwitch network ACL
A network ACL controls network access in a Virtual Private Cloud (VPC). If you associate a network ACL with the vSwitch, inbound and outbound traffic for the instance is restricted by the ACL rules.
- Log on to the VPC console.
- In the navigation pane on the left, choose .
- In the upper-left corner, select the region of the ECS instance.
- Check whether a network ACL exists for the VPC.
  - If no ACL exists, or the ACL is not associated with the vSwitch: Skip this check.
  - If an ACL exists and is associated with the vSwitch: Ensure the ACL rules do not contain a deny policy for your test client IP. Add an allow policy for the desired source address, protocol type (ICMP must be allowed for ping), and port range.
    - By default, when a vSwitch is associated with a network ACL, its inbound rule and outbound rule allow all traffic in both directions. Deleting these default rules restricts access.
    - Configure the source/destination address and protocol type (ICMP must be allowed for ping) based on your business needs, following the principle of least privilege. Avoid opening all ports (use ::/0 or 0.0.0.0/0 with caution). See Create and manage a network ACL.
Check the security group rules
The security group must allow the ICMP protocol for ping to work. If the ICMP rule is deleted, ping fails.
- Go to ECS Console - Security Group.
- In the upper-left corner of the page, select a region and resource group.
- Find the security group associated with the ECS instance. In the Actions column, click Manage Rules.
- Check whether an ICMP protocol rule exists for the inbound direction. If no inbound ICMP rule exists, add a security group rule: set Action to Allow, keep the default Priority, set Protocol to All ICMP - IPv4, set Port to -1/-1, and for Source, allow access only from specific IP addresses.
- Check the outbound rules based on the security group type.
  - Basic security group: Outbound direction allows all access by default. No additional rules are needed.
  - Advanced security group: Outbound direction denies all access by default. You must add a rule allowing ICMP traffic for the outbound direction. See Basic security groups and enterprise security groups.
Check the firewall configuration of the ECS instance
If the firewall is enabled and blocks external access, remote connections may fail. Check the configuration based on your instance OS.
Check the kernel parameters and firewall configuration of the Linux system
Whether a Linux system allows ping is determined by both the icmp_echo_ignore_all kernel parameter and firewall settings. If either denies the request, the instance cannot be pinged.
Check the kernel parameters of the Linux system
- Check the value of the icmp_echo_ignore_all kernel parameter:
    cat /proc/sys/net/ipv4/icmp_echo_ignore_all
  - If the command returns 0, all ICMP requests are allowed. Proceed to Check the Linux firewall configuration.
  - If the command returns 1, all ICMP requests are denied. Proceed to the next step.
- Set the icmp_echo_ignore_all kernel parameter to 0 to allow ICMP requests.
  - Temporarily allow:
      echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  - Permanently allow:
      echo net.ipv4.icmp_echo_ignore_all=0 >> /etc/sysctl.conf
      sysctl -p
Check the Linux firewall configuration
- Connect to the ECS instance using a VNC connection.
- View the firewall rules:
    iptables -L
  - If the following result is returned, ICMP is not blocked.
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-reque
  - If ICMP is blocked, run the following commands to allow it:
      # Chain INPUT
      iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
      # Chain OUTPUT
      iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    Note that -A appends the rule at the end of the chain and iptables stops at the first matching rule. If an earlier rule in the chain already drops ICMP, the appended ACCEPT never matches; insert the rule ahead of it with -I instead, or remove the drop rule. Rules added with iptables are not persistent across reboots unless saved with your distribution's firewall persistence mechanism.
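As an added example (not part of the original page), the following POSIX shell script runs the Linux-side checks from the ENI, kernel parameter, and firewall sections offline against constructed sample output; the function names and sample data are assumptions, and on a live instance you would pass in the real output of ip a, the icmp_echo_ignore_all file, and iptables -L.

```shell
#!/bin/sh
# Added example, not part of the original page: offline checks that mirror the
# Linux-side ping diagnosis above (ENI link state, icmp_echo_ignore_all, INPUT
# chain). Sample inputs are constructed; on a live instance feed in the real
# values: "$(ip a)", "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all)", "$(iptables -L)".

# 0 means echo requests are answered, 1 means the kernel ignores them all.
icmp_kernel_verdict() {
  case "$1" in
    0) echo allowed ;;
    1) echo ignored ;;
    *) echo unknown ;;
  esac
}

# Print the "state" of interface $1 from the `ip a` output passed in $2.
link_state() {
  printf '%s\n' "$2" | awk -v ifname="$1:" '
    $2 == ifname { for (i = 1; i <= NF; i++) if ($i == "state") { print $(i + 1); exit } }'
}

# Walk the INPUT chain of `iptables -L` output in rule order: iptables uses the
# first matching rule, so an ACCEPT appended with -A after a DROP never fires.
# Prints accept, blocked, or policy-accept when no ICMP rule is present.
input_icmp_verdict() {
  printf '%s\n' "$1" | awk '
    /^Chain / { inchain = ($2 == "INPUT"); if (inchain) { policy = $4; sub(/[)]/, "", policy) }; next }
    !inchain || $2 != "icmp" { next }
    # A rule limited to another ICMP type (such as echo-reply) does not decide echo-request.
    NF >= 7 && $7 != "echo-request" && $7 != "any" { next }
    $1 == "ACCEPT" { verdict = "accept"; exit }
    $1 == "DROP" || $1 == "REJECT" { verdict = "blocked"; exit }
    END { if (verdict == "") verdict = (policy == "ACCEPT") ? "policy-accept" : "blocked"; print verdict }'
}

# Constructed sample: eth0 is UP, but a DROP sits ahead of the ACCEPT the page adds with -A.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

echo "eth0 link:  $(link_state eth0 "$SAMPLE_IP_A")"
echo "kernel:     $(icmp_kernel_verdict 0)"
echo "INPUT icmp: $(input_icmp_verdict "$SAMPLE_IPTABLES")"
```

The sample reports "blocked" even though an ACCEPT rule exists, which is exactly the ordering trap that appending with -A produces.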
Check the Windows firewall configuration
This example uses Windows Server 2012. Steps for other versions are similar.
- Click the icon to open Server Manager.
- In the upper-right corner, choose Tools > Windows Defender Firewall with Advanced Security.
- On the Windows Defender Firewall with Advanced Security page, check whether ICMP-related protocols in Inbound Rules and Outbound Rules are blocked. If ICMP protocols are blocked, enable the rule.
Check CPU and bandwidth usage
Resource bottlenecks such as high CPU usage, full bandwidth, memory exhaustion, or excessive disk I/O can cause ping failures.
When CPU or memory is exhausted, the protocol stack may delay ICMP responses until they time out or are dropped. Sustained bandwidth saturation blocks packet transmission and reception. Extreme disk I/O load can freeze the system (e.g., processes in D state), indirectly slowing network services. These issues compound in high-load scenarios — a traffic burst can overload both CPU and bandwidth, and low memory causes swapping that increases disk I/O pressure.
Use Health Diagnostics or CloudMonitor to view bandwidth, memory, and CPU metrics. Use tools such as sar and atop on Linux or Resource Monitor on Windows to identify abnormal processes. To resolve the issue, free up resources or scale out your instance. See Troubleshoot and resolve high instance load issues.
Check for blackhole filtering
Check whether you received a blackhole notification. During blackhole filtering, ping and remote connections are blocked.
Check for security alerts in Security Center
Check Security Center for unusual security alerts. A malicious intrusion can also make an instance unpingable. See View security risks of an ECS instance.
Check the instance region
International egress bandwidth between carriers in different regions is limited. Cross-regional traffic passes through multiple routing hops, leading to high latency, packet loss, and jitter from line congestion, BGP route detours, or rate limiting. If you access an instance in China (Hong Kong) or a region outside China from the Chinese mainland, link quality may be affected. Try again later.
Follow the principle of proximity. Customers in the Chinese mainland should access servers in mainland regions (such as North China or East China). Customers outside the Chinese mainland should access nearby nodes (such as China (Hong Kong) or Singapore) to ensure stability and regulatory compliance.
If your business relies on cross-border communication, use Global Accelerator (GA) to optimize routing, or use Cloud Enterprise Network (CEN) to build a cross-border private connection.
Perform a bidirectional link diagnosis from the client to the ECS instance
If only a specific client cannot ping the instance while others can, run a bidirectional link test from both the client and the instance to identify intermediate network node or local configuration issues. See Use the MTR tool for network link analysis.
Check the ICP filing or domain name resolution configuration
If you can ping the public IP address but not the domain name, the issue may be a missing ICP filing or a DNS resolution error.
A domain name that resolves to a server in the Chinese mainland must have an ICP filing before it can serve website traffic. Websites without an ICP filing are blocked by the Alibaba Cloud monitoring system.
- If the domain name lacks an ICP filing, see What is an ICP filing?
- If the domain name already has an ICP filing, check whether the domain name resolution is invalid. For more information, see Test whether a DNS record has taken effect.