This topic answers frequently asked questions (FAQ) about ECS networks.

What are the inbound and outbound bandwidths of ECS instances?

  • Inbound bandwidth: The bandwidth for inbound traffic of an ECS instance. For example:
    • Traffic that occurs when you download external resources to your ECS instances
    • Traffic that occurs when you upload resources to your ECS instances by using an FTP client
  • Outbound bandwidth: The bandwidth for outbound traffic of an ECS instance. For example:
    • Traffic that occurs when your ECS instances provide external access
    • Traffic that occurs when you download resources from your ECS instances by using an FTP client

I bought 5 Mbit/s of public bandwidth for my ECS instance. What is the difference between the inbound bandwidth and outbound bandwidth of the instance?

The 5 Mbit/s you bought is the outbound bandwidth. The inbound bandwidth of your instance is capped at 100 Mbit/s.
  • Outbound bandwidth is also called downstream bandwidth. The outbound bandwidth of an ECS instance is capped at 200 Mbit/s regardless of whether the instance resides in a VPC or classic network.
  • Inbound bandwidth is also called upstream bandwidth. The maximum inbound bandwidth varies depending on the outbound bandwidth:
    • When the outbound bandwidth is less than or equal to 100 Mbit/s, the maximum inbound bandwidth is 100 Mbit/s.
    • When the outbound bandwidth is greater than 100 Mbit/s, the inbound bandwidth is the same as the outbound bandwidth.

Does my ECS instance use its public bandwidth exclusively or share the bandwidth with other instances?

Your ECS instance uses its public bandwidth exclusively.

How is the public bandwidth of ECS instances billed?

For details, see Billing of Internet bandwidth.

Why is 200 Kbit/s of inbound traffic already consumed on my newly created ECS instance?

This traffic was generated by Address Resolution Protocol (ARP) broadcast packets. Your new ECS instance is assigned to a large network segment. When an ARP request packet is sent to the gateway to request the IP address of an ECS instance within the network segment, the gateway broadcasts the ARP request packet to all the ECS instances within that network segment. Your new ECS instance receives the packet, and inbound traffic is generated. If the IP address of your new ECS instance is not requested, the instance does not reply with an ARP response packet.

How can I view the public traffic statistics of my ECS instance?

To view the public traffic statistics about your ECS instance, perform the following steps:
  1. Log on to the ECS console.
  2. In the top navigation bar of the ECS console, choose Billing Management > Billing Management.
  3. In the left-side navigation pane, choose Bill > Bill.
  4. On the Bills page that appears, click the Bills tab. Specify a billing period. Then, click the filter icon to the right of Product Detail and select Elastic Compute Service (ECS) - Pay by quantity from the option list.
  5. Click Export Billing Overview (CSV). In the Export Billing Overview (CSV) dialog box, enter the captcha and click OK.
  6. Open the exported CSV file to view the public traffic statistics about your ECS instance.

Why is the bandwidth usage of my ECS instance displayed in CloudMonitor different from that displayed in the ECS console?

This difference occurs when your ECS instances function as backend servers of SLB instances and use the Layer 7 HTTP forwarding model. In this forwarding model, SLB instances forward client requests to ECS instances, and the ECS instances use their outbound bandwidth to return responses to the corresponding users. The bandwidth consumed by these responses is not displayed in the ECS console, but the traffic generated by the responses is counted towards the outbound traffic of the SLB instances and displayed in CloudMonitor. Therefore, the bandwidth usage of your ECS instance displayed in CloudMonitor is different from that displayed in the ECS console.

My ECS instance has been stopped. Why am I still billed for outbound traffic from it on a pay-as-you-go basis?

  • Problem description: Your ECS instance is in the Stopped state when viewed from the ECS console, but is in the Cleaning state when viewed from the Anti-DDoS basic console. You are billed for outbound traffic from the instance on a pay-as-you-go basis every hour.
  • Cause: HTTP flood protection is enabled for your ECS instance. After HTTP flood protection is enabled, the security mechanism sends probe packets to potential attack sources, which generates a large volume of outbound traffic.
  • Solution: Disable HTTP flood protection for your ECS instance.

How can I query the IP addresses of my ECS instance?

  • Linux instance

    Run the ifconfig command to view NIC information. View the IP addresses, subnet masks, gateways, DNS servers, and MAC address in the command output.

  • Windows instance

    In the CLI, run the ipconfig /all command to view NIC information. View the IP addresses, subnet masks, gateways, DNS servers, and MAC address in the command output.

How can I disable the public NIC of my ECS instance?

  • Linux instance
    1. Run the ifconfig command to view the public NIC name of your instance.
    2. Run the ifdown command to disable the public NIC. For example, if the public NIC name is eth1, use the ifdown eth1 command.
      Note: You can also run the ifup command to re-enable the NIC. For example, if the public NIC name is eth1, use the ifup eth1 command.
  • Windows instance
    1. In the CLI, run the ipconfig command to view information about the public NIC.
    2. Open the Control Panel and choose Network and Internet > View network status and tasks. In the Network and Sharing Center window that appears, click Change adapter settings in the left-side navigation pane to disable the public NIC.

Why can't I access a website hosted on an ECS instance? A message similar to "Sorry, your access is blocked because the requested URL may pose a security threat to the website" is displayed.

  • Problem description: When you access a website built on an ECS instance, you are prompted with a message similar to "Sorry, your access is blocked because the requested URL may pose a security threat to the website."
  • Cause: Web Application Firewall (WAF) identifies your access to the requested URL as an attack and blocks your access.
  • Solution: Add the public IP address, Elastic IP Address, or NAT IP address of the ECS instance to the WAF whitelist. For more information, see Avoid Anti-DDoS Basic false positives by using a whitelist.

An unusual logon to my ECS instance has been detected. What can I do?

Perform the following steps to solve the problem:
  1. Check the logon time to see whether the logon was performed by you or another administrator.
  2. If not, the logon is unauthorized. Perform the following steps:
    1. Reset the password.
    2. Check whether the ECS instance is infected by viruses.
    3. Configure security groups to allow only specific IP addresses to log on.
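
The last step can be checked with a short audit of the security group's inbound rules. The following is an added example, not code from the original page or from Alibaba Cloud: it flags Accept rules that expose SSH (22) or RDP (3389) to sources outside an administrator allowlist. The rule field names follow the assumed shape of the DescribeSecurityGroupAttribute response, the rules and addresses are constructed, and Drop rules and rule priorities are not evaluated.

```python
import ipaddress

# Constructed rules shaped like the Permission entries returned by the ECS
# DescribeSecurityGroupAttribute API (field names and casing are assumed).
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "198.51.100.10/32"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "192.0.2.0/24"},
]

LOGON_PORTS = {22: "SSH", 3389: "RDP"}
# Hypothetical administrator address (documentation range).
ADMIN_SOURCES = [ipaddress.ip_network("198.51.100.10/32")]


def exposed_logon_rules(permissions, admin_sources=ADMIN_SOURCES):
    """Return (service, port_range, source) for every inbound Accept rule
    that lets a source outside admin_sources reach a remote logon port."""
    findings = []
    for rule in permissions:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue
        cidr = rule.get("SourceCidrIp")
        if not cidr:  # rule authorizes another security group, not a CIDR
            continue
        source = ipaddress.ip_network(cidr, strict=False)
        if any(source.version == a.version and source.subnet_of(a)
               for a in admin_sources):
            continue
        low, high = (int(p) for p in rule["PortRange"].split("/"))
        for port, service in LOGON_PORTS.items():
            if low == -1 or low <= port <= high:  # -1/-1 covers all ports
                findings.append((service, rule["PortRange"], str(source)))
    return findings
```

Each finding is a rule to narrow to the administrators' own addresses or remove.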

What is traffic scrubbing?

The traffic scrubbing service monitors the inbound traffic to ECS instances in real time, and provides quick identification of unusual traffic, such as DDoS attacks. Anti-DDoS Basic, which includes the traffic scrubbing service, is enabled on ECS instances by default. When ECS instances are under attack, the traffic scrubbing service automatically detects the attacks and scrubs the traffic for ECS instances without affecting your services. When an anomaly is detected, the traffic scrubbing service redirects suspicious traffic from the network where the destination ECS instance resides to the scrubbing device. The scrubbing device identifies and removes malicious traffic and returns legitimate traffic to the network. This ensures only legitimate traffic is forwarded to the destination ECS instance.

How can I cancel traffic scrubbing for my ECS instance?

  1. Log on to the Alibaba Cloud Security Anti-DDoS Basic console.
  2. Click the ECS tab. Then in the ECS instance list, find the IP address of your ECS instance that is in the cleaning state. In the Actions column, click View Details.
  3. Click Cancel cleaning.

How can I request reverse lookup for my ECS instance?

Reverse lookup is used in mail services. It enables mail servers to reject all mail sent from IP addresses that are mapped to unregistered domain names. Most spammers use dynamic IP addresses or IP addresses that are mapped to unregistered domain names to send unwanted emails and escape tracking. After reverse lookup is enabled on a mail server, the server rejects mail that is sent from dynamic IP addresses and unregistered domains. This greatly reduces the amount of spam.

You can submit a ticket in the ticket system to request reverse lookup for your ECS instance. We recommend that you specify the region, public IP address, and registered domain name of your ECS instance in the ticket to improve the ticket processing efficiency.

After your request is approved, you can use the dig command to check whether reverse lookup has taken effect for your instance. For example:
dig -x 121.196.255.** +trace +nodnssec
If information similar to the following is displayed in the command output, reverse lookup has taken effect for your instance.
1.255.196.121.in-addr.arpa. 3600 IN PTR ops.alidns.com.
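
The check above can be scripted. The following is an added example, not code from the original page: it builds the in-addr.arpa name for an address, pulls the PTR records for that name out of dig output, and reports whether the address resolves to the expected mail host. The address, host names, and dig output are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `dig -x 203.0.113.25 +trace +nodnssec` output
# (documentation address and example.* names, not values from the page).
SAMPLE_DIG_OUTPUT = """\
. 518400 IN NS a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 1 ms

113.0.203.in-addr.arpa. 86400 IN NS ns1.example.net.
;; Received 120 bytes from 192.0.2.54#53(ns.example.org) in 20 ms

25.113.0.203.in-addr.arpa. 3600 IN PTR mail.example.com.
;; Received 95 bytes from 192.0.2.55#53(ns1.example.net) in 15 ms
"""


def ptr_targets(ip, dig_output):
    """Return the PTR targets that dig reported for ip's reverse name."""
    owner = ipaddress.ip_address(ip).reverse_pointer.lower() + "."
    targets = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Record lines read: owner TTL class type rdata. Skip ';' comments.
        if line.startswith(";") or len(fields) != 5:
            continue
        name, _ttl, rr_class, rr_type, rdata = fields
        if name.lower() == owner and rr_class == "IN" and rr_type == "PTR":
            targets.append(rdata.lower().rstrip("."))
    return targets


def reverse_lookup_status(ip, expected_host, dig_output):
    """Classify the result as 'ok', 'mismatch', 'ambiguous' or 'missing'."""
    targets = ptr_targets(ip, dig_output)
    if not targets:
        return "missing"      # reverse lookup has not taken effect
    if len(set(targets)) > 1:
        return "ambiguous"    # more than one PTR target was returned
    expected = expected_host.lower().rstrip(".")
    return "ok" if targets[0] == expected else "mismatch"
```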

Can an IP address point to multiple reverse lookup domain names?

No, each IP address can point to only one reverse lookup domain name. For example, you cannot configure an IP address such as 255.196.121.1 to be reversely resolved to multiple domain names such as mail.abc.com, mail.ospf.com, and mail.zebra.com.

Can I change the public IP (IPv4) address of my ECS instance six hours after the instance is created? How?

  • For instances in a VPC network, the public IP address can be converted into an Elastic IP Address (EIP). For information about how to convert the IP address, see Convert public IP address to EIP address.
  • For instances in a classic network, the public IP address cannot be changed if the instance was created more than six hours ago.

Why can't I find the option to change the public IP address of my ECS instance in the ECS console?

  • By default, the Change Public IP Address option is not displayed for instances that were created more than six hours ago.
  • If you enable the no fees for stopped VPC instances feature for an instance, make sure that this feature is disabled when you stop the instance. Otherwise, the instance will be temporarily released and the Change Public IP Address option is not displayed. You can disable this feature by selecting the Keep Stopped Instances and Continue Billing check box in the Stop dialog box.

Apart from the public IP address, can I change the private IP address of my ECS instance?

  • This operation is allowed for instances in a VPC network. For information about how to change the private IP address, see Change the private IP of an ECS instance.
  • This operation is not allowed for instances in a classic network.

If no public IP (IPv4) address was assigned to my ECS instance when the instance was created, how can I assign a public IP address to the instance?

  • For a Subscription instance, you can obtain the public IP address by upgrading or downgrading the network bandwidth configuration. For more information, see Overview of configuration changes.
  • For a Pay-As-You-Go instance, you cannot obtain the public IP address after the instance is created. You can only bind an EIP address.

What is a BGP data center?

Border Gateway Protocol (BGP) is primarily used for interconnection between Internet autonomous systems (AS). The main function of BGP is to control route propagation and select the best routes. A BGP data center is a data center that uses BGP to implement dual-line or multi-line interconnection.

China Netcom, China Telecom, China Railcom, and some large privately owned IDC carriers all have autonomous system numbers (ASNs). Most major network carriers in China use BGP to achieve multi-line interconnection with their own ASNs.

To achieve multi-line interconnection in this manner, an IDC must obtain a CIDR block and an ASN from the China Internet Network Information Center (CNNIC) or Asia-Pacific Network Information Center (APNIC), and then broadcast this CIDR block to the networks of other carriers through BGP. After networks are interconnected through BGP, the backbone routers of the network carriers will determine the optimal routes to the CIDR block of the IDC to ensure high-speed access for users of different network carriers.

What are WAN and LAN?

  • A wide area network (WAN) is also known as an external or public network. It is a telecommunications network that connects different smaller networks, including local area networks (LANs) and metro area networks (MANs). Each WAN extends over a large geographical area, such as across cities, states, or countries, and may cover continents to provide telecommunications services and form an international telecommunications network. A WAN is not the same as the Internet.
  • A LAN is also known as an internal network. A LAN is a network that interconnects computers within a small area. Users can manage files, share application software and printers, schedule work for work groups, and communicate with each other such as sending emails or faxes within a LAN. A LAN is a closed network that can consist of two computers in an office or thousands of computers in a company. In Alibaba Cloud public cloud, ECS instances in the same region can be created in the same type of networks and communicate with each other through internal networks. ECS instances in different regions are isolated from each other.

How can I express a subnet mask?

You can express a subnet mask by using either of the following methods:
  • Dotted decimal notation. For example:

    The default subnet mask of a class A network is 255.0.0.0.

  • Append a forward slash (/) and a number ranging from 1 to 32 to the end of an IP address to define a subnet mask. The number indicates the number of network identification bits in the subnet mask. For example:

    192.168.0.3/24.

How can I plan subnets?

For the best practices of planning subnets, see Plan and Design VPC.