
Troubleshoot connection issues between a classic network and a VPC after you establish a ClassicLink connection

Last Updated: Jul 26, 2021

Problem description

A ClassicLink connection is established between a classic network and a virtual private cloud (VPC), but Elastic Compute Service (ECS) instances in the classic network cannot access cloud resources in the VPC.

Troubleshooting methods

You can use the following procedures to troubleshoot connection issues in different scenarios:

Troubleshoot connection issues between an ECS instance in a classic network and an ECS instance in a VPC

  1. Check whether the prerequisites for using the ClassicLink feature are met. For more information about the limits and use scenarios of the ClassicLink feature, see Overview.
  2. Check the configuration of the ClassicLink feature.
    1. Check whether the ClassicLink feature is enabled for the VPC. For more information, see Enable the ClassicLink feature.
    2. Check whether the correct VPC is selected for the ECS instance in the classic network.
  3. Check the security group settings for the ECS instances.
    • If a ClassicLink rule is added, check the authorization mode of the rule. We recommend that you select the Classic <=> VPC mode.
    • If no ClassicLink rule is added, check whether the inbound rule of the security group to which each ECS instance belongs allows access from the other ECS instance.
  4. Run the following commands to check the route configurations of the ECS instances. If Docker or VPN software is used on the ECS instances, the routes configured for the instances are changed.
    • Windows: route print
    • Linux: route -ne
  5. Check the configuration of the Cloud Enterprise Network (CEN) instance to which the VPC belongs. Check the vSwitches that are created in other VPCs that are attached to the CEN instance. If a vSwitch has the same IP address as the ECS instance in the classic network, you must detach the VPC in which the vSwitch is created from the CEN instance.
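
The route check in step 4 can be scripted. The following Python sketch is an added example, not part of the original document: it parses `route -ne` output and applies longest-prefix matching to show which interface traffic to a VPC peer actually leaves through. The sample routing table, the peer addresses, and the interface names (eth0 as the internal NIC, eth1 as the public NIC, tun0 as a VPN client) are constructed assumptions.

```python
import ipaddress

# Constructed `route -ne` output from a classic-network instance (not from the page).
# Assumed: eth0 is the internal NIC, eth1 the public NIC, tun0 a VPN client.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth1
10.0.0.0        10.25.31.247    255.0.0.0       UG        0 0          0 eth0
10.25.24.0      0.0.0.0         255.255.248.0   U         0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.240.0   U         0 0          0 tun0
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""

def parse_routes(text):
    """Return [(network, gateway, iface)] from `route -ne` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title and column-header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes

def check_peer(routes, peer_ip, internal_iface="eth0"):
    """Longest-prefix match, as the kernel does; flag egress off the internal NIC."""
    ip = ipaddress.ip_address(peer_ip)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return (False, None, None)
    net, _gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return (iface == internal_iface, iface, str(net))

if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    for peer in ("192.168.1.10", "192.168.100.5"):  # constructed VPC peers
        ok, iface, net = check_peer(routes, peer)
        print(f"{peer}: via {iface} ({net}) -> {'ok' if ok else 'MISROUTED'}")
```

In the constructed table, one peer is captured by the more specific VPN route and the other falls through to the default route on the public NIC, so neither reaches the VPC over the internal interface.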

Troubleshoot connection issues between an ECS instance in a classic network and an ApsaraDB RDS instance in a VPC

  1. Perform the checks described in Troubleshoot connection issues between an ECS instance in a classic network and an ECS instance in a VPC.
  2. Check the whitelist configuration of the ApsaraDB RDS instance.
    Note: To allow an ECS instance in a classic network to access an ApsaraDB RDS instance in a VPC, make sure that the whitelist of the ApsaraDB RDS instance allows access from hybrid clouds or VPCs, instead of classic networks.

Solutions

  1. Collect the following information before you troubleshoot issues:
    • The ID of the ECS instance in the classic network.
    • The ID of the ECS instance or cloud resource in the VPC.
    • The cause of the issue: an ECS instance or cloud resource cannot be pinged or a port cannot be accessed.
  2. After you establish a ClassicLink connection between the classic network and the VPC, you must check the inbound rule of the security group to which each ECS instance belongs, and make sure that the inbound rule allows access from the other ECS instance.
  3. In the ECS console, navigate to the Instances page and check whether the ECS instance in the classic network is connected to the VPC.

    • The Disconnected state indicates that the ECS instance is not connected to a VPC.
    • The Connected state indicates that the ECS instance is connected to a VPC. You can check the specific VPC that the ECS instance is connected to.
  4. If you want to connect the ECS instance in the classic network to a VPC whose CIDR block is 192.168.0.0/16, you must add a route on the ECS instance that sends traffic destined for 192.168.0.0/16 to the internal gateway.
    Note: ECS instances of earlier versions are configured with routes that point to 192.168.0.0/16. ECS instances of the latest version are not configured with such routes. Therefore, you must manually add the routes.
  5. Check whether the security group rules, routes, self-managed Docker containers, or VPN software configured on the ECS instances restrict traffic or direct traffic to third-party destinations. Disable the relevant policies based on your business requirements.
  6. Connection issues may also arise due to the following reasons:
    • The CEN instance to which the VPC is attached contains other VPCs whose routes point to CIDR blocks that fall within 10.0.0.0/8 and contain the private CIDR block of the classic network.
    • If the CIDR block of the VPC is 10.0.0.0/8, make sure that the CIDR block of the vSwitch that is used to communicate with the ECS instance in the classic network falls within 10.111.0.0/16.
  7. To connect the ECS instance in the classic network to an ApsaraDB RDS instance in the VPC, you must configure the whitelist of the ApsaraDB RDS instance. Make sure that the whitelist allows access from VPCs or hybrid clouds, and the private IP address of the ECS instance is included in the whitelist.
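
The two CIDR conditions in step 6 can be checked before you change any attachment. The following Python sketch is an added example, not part of the original document: it flags CEN routes inside 10.0.0.0/8 that cover the private IP address of the classic-network instance, and vSwitches outside 10.111.0.0/16 when the VPC CIDR block is 10.0.0.0/8. The function names, VPC IDs, and addresses are constructed placeholders, and the instance's private IP address stands in for the private CIDR block of the classic network.

```python
import ipaddress

TEN_8 = ipaddress.ip_network("10.0.0.0/8")
REQUIRED_VSWITCH_RANGE = ipaddress.ip_network("10.111.0.0/16")

def cen_conflicts(classic_ip, cen_routes):
    """CEN routes from other VPCs that fall in 10.0.0.0/8 and cover the classic IP."""
    ip = ipaddress.ip_address(classic_ip)
    hits = []
    for vpc_id, cidr in cen_routes:
        net = ipaddress.ip_network(cidr)
        if net.subnet_of(TEN_8) and ip in net:
            hits.append((vpc_id, cidr))
    return hits

def vswitch_ok(vpc_cidr, vswitch_cidr):
    """When the VPC is 10.0.0.0/8, the vSwitch must sit inside 10.111.0.0/16."""
    if ipaddress.ip_network(vpc_cidr) != TEN_8:
        return True
    return ipaddress.ip_network(vswitch_cidr).subnet_of(REQUIRED_VSWITCH_RANGE)

def diagnose(classic_ip, vpc_cidr, vswitch_cidr, cen_routes):
    """Collect human-readable findings for both conditions."""
    findings = []
    for vpc_id, cidr in cen_conflicts(classic_ip, cen_routes):
        findings.append(f"CEN route {cidr} from {vpc_id} covers {classic_ip}")
    if not vswitch_ok(vpc_cidr, vswitch_cidr):
        findings.append(f"vSwitch {vswitch_cidr} is outside {REQUIRED_VSWITCH_RANGE}")
    return findings

# Constructed inputs; the VPC IDs are placeholders, not real resources.
CEN_ROUTES = [
    ("vpc-placeholder-a", "10.25.0.0/16"),
    ("vpc-placeholder-b", "10.200.0.0/16"),
    ("vpc-placeholder-c", "172.16.0.0/12"),
]

if __name__ == "__main__":
    for finding in diagnose("10.25.31.10", "10.0.0.0/8", "10.112.1.0/24", CEN_ROUTES):
        print(finding)
```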

Application scope

  • VPC