
Troubleshoot connectivity issues between a classic network and a VPC after you establish a ClassicLink connection

Last Updated: Jul 19, 2023

Issue

After you establish a ClassicLink connection, ECS instances in a classic network fail to communicate with the cloud resources deployed in a VPC.

Troubleshooting

You can use the following procedures to troubleshoot connectivity issues in different scenarios:

Troubleshoot connectivity issues between an ECS instance in a classic network and an ECS instance in a VPC

  1. Check whether the prerequisites for using the ClassicLink feature are met. For more information about the limits and use scenarios of the ClassicLink feature, see Overview.

  2. Check the configuration of the ClassicLink feature.

    1. Check whether the ClassicLink feature is enabled for the VPC. If not, enable the ClassicLink feature for the VPC. For more information, see Create a ClassicLink connection.

    2. Check whether the correct VPC is selected for the ECS instance in the classic network.

  3. Check the security group settings for the ECS instances.

    • If a ClassicLink security group is added, check the authorization mode. We recommend that you select the mutual authorization mode.

    • If no ClassicLink security group is added, check whether the inbound rules of the ECS instances in the VPC and the classic network allow access from each other.

  4. Run the following commands to check the route configurations of the ECS instances. Docker or VPN software that runs on an ECS instance changes the routes configured for that instance.

    • Windows: route print

    • Linux: route -ne

  5. Check the configuration of the Cloud Enterprise Network (CEN) instance to which the VPC is attached. Check the vSwitches that are created in other VPCs that are attached to the CEN instance. If a vSwitch has the same IP address as the ECS instance in the classic network, you must detach the VPC in which the vSwitch is created from the CEN instance.

Troubleshoot connectivity issues between an ECS instance in a classic network and an ApsaraDB RDS instance in a VPC

  1. Perform the steps described in Troubleshoot connectivity issues between an ECS instance in a classic network and an ECS instance in a VPC.

  2. Check the whitelist configuration of the ApsaraDB RDS instance.

    Note

    To allow an ECS instance in a classic network to access an ApsaraDB RDS instance in a VPC, make sure that the whitelist of the ApsaraDB RDS instance allows access from hybrid clouds or VPCs, instead of classic networks.

Solution

  1. Collect the following information before you troubleshoot issues:

    • The ID of the ECS instance in the classic network.

    • The ID of the ECS instance or cloud resource in the VPC.

    • The symptom of the issue: whether the ECS instance or cloud resource does not respond to ping packets, or whether the port cannot be accessed.

  2. After you establish a ClassicLink connection between the classic network and the VPC, you must check the inbound rule of the security group to which each ECS instance belongs, and make sure that the inbound rule allows access from the other ECS instance.

  3. In the ECS console, navigate to the Instances page and check whether the ECS instance in the classic network is connected to the VPC.

    • The Disconnected state indicates that the ECS instance is not connected to a VPC.

    • The Connected state indicates that the ECS instance is connected to a VPC. You can check the specific VPC that the ECS instance is connected to.

  4. Check whether the CIDR block of the VPC, which is 192.168.0.0/16, is configured in the routes of the ECS instance in the classic network. On the ECS instance, add a route whose destination CIDR block is 192.168.0.0/16 and whose next hop is the internal gateway.

    Note

    ECS instances of earlier versions are configured with routes that point to 192.168.0.0/16. ECS instances of the latest version are not configured with such routes. Therefore, you must manually add the routes.

  5. Check whether the security group rules, routes, self-managed Docker containers, or VPN software configured on the ECS instances restrict traffic or direct traffic to third-party destinations. Disable the relevant policies based on your business requirements.

  6. Connectivity issues may also arise due to the following reasons:

    • The CEN instance to which the VPC is attached contains other VPCs whose routes point to CIDR blocks that fall within 10.0.0.0/8 and contain the private CIDR block of the classic network.

    • If the CIDR block of the VPC is 10.0.0.0/8, make sure that the CIDR block of the vSwitch that is used to communicate with the ECS instance in the classic network falls within 10.111.0.0/16.

  7. To connect the ECS instance in the classic network to an ApsaraDB RDS instance in the VPC, you must configure the whitelist of the ApsaraDB RDS instance. Make sure that the whitelist allows access from VPCs or hybrid clouds, and the private IP address of the ECS instance is included in the whitelist.
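
The route and CIDR checks in the procedures above can be scripted. The following Python sketch is an added example, not part of the original document or of any Alibaba Cloud tool: it applies longest-prefix matching to `route -ne` output to show which interface traffic to a VPC address actually uses, and tests the CEN and 10.111.0.0/16 conditions. The sample routing table, the addresses, the interface names (eth0 as the internal NIC) and all function names are constructed assumptions, and a CEN conflict is interpreted here as a vSwitch CIDR block that contains the private IP address of the classic-network instance.

```python
import ipaddress

# Constructed `route -ne` output from a classic-network instance running Docker.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth1
10.0.0.0        10.25.0.1       255.0.0.0       UG        0 0          0 eth0
192.168.0.0     10.25.0.1       255.255.0.0     UG        0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.240.0   U         0 0          0 docker0
"""

def parse_routes(text):
    """Return (network, gateway, iface) for each data row of `route -ne` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0][0].isdigit():  # skip the title and header rows
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[1], f[-1]))
    return routes

def check_vpc_route(routes, dest_ip, internal_iface="eth0"):
    """Longest-prefix match for dest_ip; flag a route that leaves the internal NIC."""
    ip = ipaddress.ip_address(dest_ip)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return "no route"
    net, gateway, iface = max(hits, key=lambda r: r[0].prefixlen)
    if iface != internal_iface:
        return f"misrouted: {net} via {iface}"
    return f"ok via {gateway}"

def cen_conflicts(classic_ip, peer_vswitch_cidrs):
    """vSwitch CIDR blocks in other CEN-attached VPCs that contain the classic IP."""
    ip = ipaddress.ip_address(classic_ip)
    return [c for c in peer_vswitch_cidrs if ip in ipaddress.ip_network(c)]

def vswitch_allowed(vpc_cidr, vswitch_cidr):
    """If the VPC is 10.0.0.0/8, the vSwitch must fall within 10.111.0.0/16."""
    if ipaddress.ip_network(vpc_cidr) != ipaddress.ip_network("10.0.0.0/8"):
        return True  # the constraint applies only to a 10.0.0.0/8 VPC
    return ipaddress.ip_network(vswitch_cidr).subnet_of(
        ipaddress.ip_network("10.111.0.0/16"))

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print(check_vpc_route(table, "192.168.1.10"))   # inside the Docker bridge range
    print(check_vpc_route(table, "192.168.100.5"))  # covered only by the /16 route
    print(cen_conflicts("10.25.3.7", ["10.25.0.0/20", "172.16.0.0/24"]))
    print(vswitch_allowed("10.0.0.0/8", "10.112.1.0/24"))
```

In the constructed table, the Docker bridge route is more specific than the 192.168.0.0/16 route, so part of the VPC range never reaches the internal gateway even though the required route is present.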

Applicable scope

  • VPC