ApsaraMQ for Kafka blocks ICMP traffic by design. A failed ping does not indicate a connectivity problem. Use telnet, nc (Netcat), or openssl to verify that your client can reach the instance endpoint.
Symptoms
ping <endpoint>returns no response or times out.telnet <endpoint> <port>fails or times out.
Cause
| Symptom | Cause |
|---|---|
| Ping fails | ApsaraMQ for Kafka blocks ICMP for security. This is expected behavior. |
| Telnet fails on a VPC endpoint | The client and the ApsaraMQ for Kafka instance are not in the same VPC. |
| Telnet fails on a public endpoint | The client cannot reach the internet, or the client IP is not in the instance whitelist. |
Solution
Test connectivity
Because ping is blocked, use one of the following tools to test TCP connectivity to the ApsaraMQ for Kafka endpoint. Replace <endpoint> with the default endpoint of your instance, and <port> with the service port.
Telnet
telnet <endpoint> <port>Netcat
nc -zv <endpoint> <port>OpenSSL (also validates the TLS handshake)
openssl s_client -connect <endpoint>:<port>A successful telnet connection returns output similar to:
Trying 192.168.XX.XX...
Connected to <endpoint>.
Escape character is '^]'.If the connection times out, check the items below based on your endpoint type.
VPC endpoint
Verify the following:
The client is deployed in the same VPC as the ApsaraMQ for Kafka instance.
The client IP is added to the instance whitelist.
Public endpoint
Verify the following:
The client has outbound internet access.
The client IP is added to the instance whitelist.
If your instance only supports VPC access and you need a public endpoint, upgrade to an internet- and VPC-connected instance. See Upgrade instance configurations.