
Elastic Compute Service:Network connectivity FAQ

Last Updated:Nov 27, 2025

Connection issues

Security groups

Website application errors

Network configuration

Appendix

Can an ECS instance access Amazon websites?

Yes. An ECS instance can access Amazon websites. Make sure your ECS instance can access the Internet.

Why can't I access websites outside China after I log on to an ECS instance?

Access to websites outside China must comply with the policies and regulations of the country or region where the instance is located. Make sure your ECS instance can access the Internet and that you are accessing compliant websites.

Why am I prompted with "Sorry, your access is blocked because the URL you are trying to access may pose a security threat to the website" when I access a website on an ECS instance?

  • Symptom: When you access a website that is hosted on an ECS instance, the "Sorry, your access is blocked because the URL you are trying to access may pose a security threat to the website" message appears.

  • Cause: The application firewall of Security Center determines that your URL access is an attack and blocks the access for security.

  • Solution: Add your local public IP address to the whitelist of the application firewall in Security Center. For more information, see Resolve IP address blocking due to false positives by setting a whitelist.

Why can't my Windows instance access the Internet after I configure a secondary private IP address?

  • Symptom: A Windows instance cannot access the Internet after a secondary private IP address is configured.

  • Cause: In Windows Server 2008 and later, the outbound IP policy was changed to select the IP address that has the shortest prefix match with the next hop IP address. This may cause network connection failures.

  • Solution: Use the Netsh command to set the secondary private IP address and set the skipassource parameter to true.

    The command is as follows:

    Netsh int ipv4 add address <Interface> <IP Addr> [<Netmask>] [skipassource=true]

    The following table describes the parameters.

    Parameter      Description                                                   Example
    <Interface>    The network interface for the secondary private IP address.   'Ethernet'
    <IP Addr>      The secondary private IP address.                             192.168.0.100
    <Netmask>      The subnet mask of the secondary private IP address.          255.255.255.0

    The following example shows how to set a secondary private IP address using Netsh:

    Netsh int ipv4 add address 'Ethernet' 192.168.0.100 255.255.255.0 skipassource=true

How do I request a reverse DNS lookup for an ECS instance?

Reverse DNS lookup is often used for email services. After you enable this feature, you can reject messages from all addresses that do not have a registered domain name. Most spammers use dynamically allocated IP addresses or IP addresses without registered domain names to send spam and evade tracking. You can configure your mail server to reject messages from sites that do not have a domain name to reduce the amount of spam.

To request a reverse DNS lookup, you can submit a ticket. In the ticket, specify the region, public IP address, and registered domain name of the ECS instance to speed up the process.

After the request is approved, you can use the dig command to check whether the configuration has taken effect. For example:

dig -x 121.196.255.** +trace +nodnssec

If a response similar to the following one is returned, the configuration has taken effect.

1.255.196.121.in-addr.arpa. 3600 IN PTR ops.alidns.com.

Can one IP address point to multiple reverse DNS lookup domain names?

No. Only one reverse DNS lookup domain name is supported. For example, 121.196.255.** cannot be set to point to multiple reverse DNS lookup domain names, such as mail.abc.com, mail.ospf.com, and mail.zebra.com.
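The check a receiving mail server performs on the PTR record described above, as an added example that is not part of the original page: the IP must have exactly one PTR record (the one-name rule stated in this answer) and that name must resolve back to the same IP (forward-confirmed reverse DNS). The lookup functions are injected so the check runs offline against constructed zone data; the hostnames and the 192.0.2.0/24 addresses other than 121.196.255.1 are assumptions made for the example.

```python
"""Verify a reverse DNS setup the way a receiving mail server would: the IP
must have a PTR record, exactly one (as the FAQ states), and the PTR name
must resolve back to the same IP (forward-confirmed reverse DNS). Example
code added here, not part of the original page. The two lookup functions are
injected so the check runs offline against constructed answers; in
production you would pass wrappers around a real DNS client."""
import ipaddress


def reverse_pointer(ip):
    """'121.196.255.1' -> '1.255.196.121.in-addr.arpa'; IPv6 yields ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_dig_answer(line):
    """Parse one dig answer line such as
    '1.255.196.121.in-addr.arpa. 3600 IN PTR ops.alidns.com.'
    into (owner, ttl, rtype, rdata) with the trailing dots removed."""
    owner, ttl, _rclass, rtype, rdata = line.split()
    return owner.rstrip("."), int(ttl), rtype, rdata.rstrip(".")


def check_fcrdns(ip, lookup_ptr, lookup_addr):
    """Return (ok, detail). lookup_ptr(arpa_name) -> list of PTR targets,
    lookup_addr(hostname) -> list of IP strings for that name."""
    names = lookup_ptr(reverse_pointer(ip))
    if not names:
        return False, "no PTR record"
    if len(names) > 1:
        return False, "multiple PTR records; only one is supported"
    name = names[0]
    if ip not in lookup_addr(name):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name


# Constructed zone data standing in for live DNS answers (192.0.2.0/24 is a
# documentation range; 121.196.255.1 matches the dig output quoted above).
PTR_ZONE = {
    "1.255.196.121.in-addr.arpa": ["ops.alidns.com"],
    "1.2.0.192.in-addr.arpa": ["mail.abc.com", "mail.ospf.com"],  # two PTRs
    "2.2.0.192.in-addr.arpa": ["mail.zebra.com"],                 # mismatch
}
FORWARD_ZONE = {
    "ops.alidns.com": ["121.196.255.1"],
    "mail.abc.com": ["192.0.2.1"],
    "mail.zebra.com": ["192.0.2.99"],
}


def fake_ptr(arpa_name):
    """Stand-in for a PTR query against the constructed zone."""
    return PTR_ZONE.get(arpa_name, [])


def fake_addr(hostname):
    """Stand-in for an A/AAAA query against the constructed zone."""
    return FORWARD_ZONE.get(hostname, [])


if __name__ == "__main__":
    print(parse_dig_answer(
        "1.255.196.121.in-addr.arpa. 3600 IN PTR ops.alidns.com."))
    for addr in ("121.196.255.1", "192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(addr, check_fcrdns(addr, fake_ptr, fake_addr))
```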

What is a security group?

A security group is a virtual firewall that controls inbound and outbound traffic for ECS instances. You can place ECS instances that have the same security requirements and trust each other into the same security group to create security domains and ensure the security of your cloud resources.

When creating an ECS instance, you must associate it with at least one security group. The rules from all associated security groups are sorted by priority to determine whether to allow or deny traffic.

For more information, see Security group overview.

What do I do if no security group is created before I create an ECS instance?

If no security group exists in the VPC where the ECS instance resides, the system creates a default security group when you create the instance. For more information, see Default security groups.

Why am I prompted that the rule quota is exceeded when I add an ECS instance to a security group?

The total number of rules, including inbound and outbound rules, in all security groups that are associated with a single ENI of an ECS instance cannot exceed 1,000.

If you are prompted with the "The operation cannot be performed because the maximum number of security group rules that can take effect on the instance is reached" message, the total number of rules for the current ECS instance has exceeded the quota. We recommend that you check the security group and delete redundant rules.

When does a security group use default security group rules?

Default security group rules are used in the following cases:

  • Use the default rules of a default security group: When you create an ECS instance for the first time in a region in the ECS console, if you have not created a security group, you can select the default basic security group that is automatically created by the system. The default security group uses default security rules. The inbound rules allow traffic over the Internet Control Message Protocol (ICMP) (IPv4) protocol, SSH port 22, and RDP port 3389 from all Classless Inter-Domain Routing (CIDR) blocks (0.0.0.0/0) with a priority of 100. You can also choose to allow traffic over HTTP port 80 and HTTPS port 443. The outbound rules allow all access. For more information, see Default security groups.

    Important

    Default security groups are provided to simplify the first-time creation of ECS instances. The default security group rules in default security groups, which allow TCP access from all IP addresses (0.0.0.0/0) on SSH port 22 and RDP port 3389 and allow ICMP (IPv4) access from all IP addresses on all ports, allow any users to connect to ECS instances contained in the default security groups. This poses security risks and exposes ECS instances to brute-force attacks. For security reasons, we recommend that you configure security group rules to allow access only from specific IP addresses. We also recommend that you create custom security groups or modify the default security group rules in default security groups based on your business requirements, instead of using the default security group rules.

  • Create a security group with default rules: When you create a security group in the ECS console, the default security group rules allow inbound traffic over the ICMP (IPv4) protocol, SSH port 22, RDP port 3389, HTTP port 80, and HTTPS port 443 from all CIDR blocks (0.0.0.0/0).

You can query security group rules in the console or by calling an API operation. For more information, see Query security group rules.

How do I enable internal network communication between ECS instances in different security groups?

For examples of how to enable internal network communication between different security groups, see Case 5: Enable internal communication between instances in different security groups and Enable internal communication between classic network-type instances in different security groups.

How do I isolate ECS instances within the same security group over the internal network?

Two internal access control policies are available for security groups: the internal interconnectivity policy that allows access between ECS instances in a security group over the internal network and the internal isolation policy that denies access between ECS instances in a security group over the internal network. Basic security groups support the internal interconnectivity policy. The internal interconnectivity policy of a basic security group can be considered as a special Allow rule that references the basic security group. You can switch between the internal interconnectivity policy and the internal isolation policy to allow or deny access between ECS instances in basic security groups over the internal network. By default, advanced security groups use the internal isolation policy. You cannot change the internal isolation policy of advanced security groups to the internal interconnectivity policy.

For more information, see Intra-group connectivity.

How do I isolate traffic between two ENIs on the same ECS instance?

If an ECS instance is attached to two ENIs, you cannot use security groups to isolate traffic between them. This is because security groups are applied to virtual network devices outside the operating system of the ECS instance. By default, traffic between two ENIs on the same ECS instance is routed and forwarded within the operating system. The network traffic between the two ENIs does not pass through security groups. Therefore, you cannot use security groups to isolate the traffic.

You can use the namespace mechanism of the operating system to add the two ENIs of the ECS instance to different namespaces. This way, the network traffic between the two ENIs is sent outside the operating system. The network traffic then passes through security groups, and you can use security groups to isolate the traffic.

Why is my service still inaccessible after I configure security group rules?

If you find that your service is inaccessible after you add security group rules, you must check whether the service is started and whether the service port is the same as the port specified in the security group rule. For more information, see Troubleshoot the issue that security group rules for an ECS instance do not take effect.

How do I change the security group for an ENI?

  • The rules of a security group associated with an ECS instance apply to the primary ENI of the instance. The primary ENI is added to the same security group as the instance. You cannot modify the security group associated with the primary ENI separately. You can change the security group of the primary ENI by changing the security group of the ECS instance. For more information, see Add an instance to, remove an instance from, or change the security group of an instance.

  • A secondary ENI attached to an ECS instance can be associated with a security group in the same zone of the same VPC. This security group can be different from the one the instance belongs to. You can specify the security group to associate with the ENI when you create the ENI, or you can change the security group associated with the ENI after it is created.

Can basic security groups and enterprise security groups be converted into each other?

No. Basic security groups and enterprise security groups cannot be converted into each other.

You can create a security group of the destination type, and then export the rules from the source security group and import them to the new security group.

In VPCs, advanced security groups can contain more private IP addresses than basic security groups. If the number of private IP addresses in a cluster exceeds the capacity of a basic security group, we recommend that you use an advanced security group for the cluster.

For more information, see Basic security groups and enterprise security groups.

When do I need to add security group rules?

When a security group is associated with an ECS instance, implicit access control rules apply by default, such as allowing internal network communication between instances within the same basic security group. If your business scenario requires communication between instances in different security groups, public network access control, Workbench remote logon, source IP address restriction, or access to specific ports, you must explicitly configure the corresponding rules. Otherwise, access may fail because of the restrictions of the default rules. For more information, see Security group application guide and cases.

What is the relationship between protocols and ports in security group rules?

In a security group rule, the protocol and port are core parameters that work together to define traffic access permissions. When you add a security group rule, you must specify the communication port and protocol. The security group then determines whether to forward data to the ECS instance based on the allow or deny policy. For more information, see Components of a security group rule.

For information about common ports and their use cases, see Common ports.

Why can't I access TCP port 25?

TCP port 25 is the default email service port. For security reasons, access to port 25 on ECS instances is restricted by default. We recommend that you use port 465 to send emails.

For more use cases, see Security group application guide and cases.

Why can't I access port 80?

For information about how to troubleshoot port 80 failures, see Check whether TCP port 80 is working.

Why are many internal network-related security group rules automatically added to my security group?

Many rules may be automatically added to your security group in the following two cases:

What are the impacts of misconfigured security group rules?

Misconfigured security groups can cause access failures between an ECS instance and other resources over the private network or the Internet. For example:

Are inbound and outbound security group rules counted separately?

No. Inbound and outbound rules are counted together.

The total number of rules, including inbound and outbound rules, in all security groups that are associated with a single ENI of an ECS instance cannot exceed 1,000.

For more information, see Limits.

Can I increase the maximum number of security group rules?

No, you cannot.

The total number of rules, including inbound and outbound rules, in all security groups that are associated with a single ENI of an ECS instance cannot exceed 1,000.

If the current quota does not meet your requirements, you can perform the following steps:

  1. Check for redundant rules in the security group: Use the health check feature of security groups to check for and delete redundant rules in the security group.

  2. Split security groups based on business requirements: Organize rules into multiple security groups based on their purpose, and associate the instance with these security groups. Maintaining too many rules in a single security group increases management complexity. For more information, see Security group application guide.

How do I audit and create alerts for non-compliant changes to security group rules?

If a security group rule opens high-risk ports, such as port 22 (SSH service) and port 3389 (RDP), to all CIDR blocks (0.0.0.0/0), it poses severe security risks to the system. You can use Cloud Config to continuously check security group configurations and automatically fix non-compliant configuration items to ensure system security. For more information, see Automatically audit and fix non-compliant security group rules.
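A local audit of the two conditions discussed above (SSH or RDP opened to 0.0.0.0/0, and the 1,000-rule total per ENI from the quota questions earlier), as an added example that is not Alibaba Cloud's Cloud Config rule or any project code. The rule dictionaries and the field names Direction, Policy, IpProtocol, PortRange and SourceCidrIp are constructed for the example and only approximate the shape of security group rule data returned by the ECS API; adapt the keys to the real response before running this against exported rules.

```python
"""Audit security group rules for the two risks this FAQ describes: SSH or
RDP opened to every source address, and the 1,000-rule limit per ENI.
Example code added here, not Alibaba Cloud's own tooling. The rule
dictionaries are constructed for the example and only approximate the
fields that DescribeSecurityGroupAttribute returns."""
import ipaddress

RULE_QUOTA_PER_ENI = 1000      # limit stated in the FAQ
HIGH_RISK_PORTS = {22, 3389}    # SSH and RDP, the ports the FAQ calls out


def port_range(text):
    """Parse 'from/to' port text such as '22/22'; '-1/-1' means all ports."""
    low, high = (int(p) for p in text.split("/"))
    return (1, 65535) if (low, high) == (-1, -1) else (low, high)


def is_open_to_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_risky_rules(rules):
    """Inbound Accept rules that expose a high-risk TCP port to all sources."""
    risky = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
            continue
        if rule["IpProtocol"] not in ("TCP", "ALL"):
            continue
        if not is_open_to_world(rule["SourceCidrIp"]):
            continue
        low, high = port_range(rule["PortRange"])
        if any(low <= port <= high for port in HIGH_RISK_PORTS):
            risky.append(rule)
    return risky


def enis_over_quota(eni_groups, group_rules):
    """Return {eni_id: total_rules} for ENIs whose associated groups carry
    more than the quota. eni_groups maps ENI -> list of group IDs and
    group_rules maps group ID -> rule list; inbound and outbound count together."""
    totals = {eni: sum(len(group_rules[g]) for g in groups)
              for eni, groups in eni_groups.items()}
    return {eni: n for eni, n in totals.items() if n > RULE_QUOTA_PER_ENI}


def make_rule(direction, policy, proto, ports, cidr):
    """Build a constructed rule in the approximated API shape (egress rules
    use DestCidrIp in the real API; simplified to one key here)."""
    return {"Direction": direction, "Policy": policy, "IpProtocol": proto,
            "PortRange": ports, "SourceCidrIp": cidr}


# Constructed sample: default-group style rules plus a source-restricted one.
SAMPLE_RULES = [
    make_rule("ingress", "Accept", "TCP", "22/22", "0.0.0.0/0"),        # risky
    make_rule("ingress", "Accept", "TCP", "3389/3389", "0.0.0.0/0"),    # risky
    make_rule("ingress", "Accept", "ICMP", "-1/-1", "0.0.0.0/0"),       # not TCP
    make_rule("ingress", "Accept", "TCP", "22/22", "203.0.113.10/32"),  # limited
    make_rule("ingress", "Drop", "TCP", "3389/3389", "0.0.0.0/0"),      # deny
    make_rule("egress", "Accept", "ALL", "-1/-1", "0.0.0.0/0"),         # outbound
]
```

Running find_risky_rules(SAMPLE_RULES) flags only the first two rules; an ENI in two groups with 600 and 500 rules is reported by enis_over_quota because the total of 1,100 exceeds the limit.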

How do I prevent RAM users from configuring security group rules?

  • To prevent a RAM user from configuring security group rules, you can create the following custom policy and grant the policy to the RAM user to deny permissions to call the API operations that are used to configure security group rules.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress",
            "ecs:ModifySecurityGroupRule",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupAttribute",
            "ecs:ConfigureSecurityGroupPermissions"
          ],
          "Resource": "*"
        }
      ]
    }
  • You can also grant a RAM user one or more custom policies that contain RAM condition keys to restrict the permissions of the RAM user to create security groups or add security group rules. For example, you can prohibit the RAM user from adding security group rules that contain specific IP addresses and protocols, restrict the scope of security group rules that the RAM user can add, or prohibit the RAM user from using the default security group when creating an ECS instance. This improves the security of your Alibaba Cloud account. For more information, see Prohibit RAM users from creating high-risk security group rules.

How do I view resource quotas?

To view the usage restrictions and quotas of resources, see Limits.

Add a static route on system startup in Ubuntu

  1. Log on to the ECS instance.

    1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

    2. Go to the details page of the target instance. Click Connect and select Workbench. Follow the prompts on the page to log on to the terminal.

  2. Create the /etc/systemd/system/add-route.service file and add the following content. Replace <CIDR_block> and <gateway> with the actual destination CIDR block and gateway address.

    [Unit]
    Description=Add custom route
    After=network.target
    [Service]
    Type=oneshot
    ExecStart=/sbin/route add -net <CIDR_block> gw <gateway> dev eth0
    ExecStop=/sbin/route del -net <CIDR_block> gw <gateway> dev eth0
    RemainAfterExit=yes
    [Install]
    WantedBy=multi-user.target

    For example, if the CIDR block is 172.xxx.xxx.0/20 and the gateway is 172.xxx.xxx.253, the ExecStart and ExecStop commands become:

    /sbin/route add -net 172.18.xxx.0/20 gw 172.30.xxx.253 dev eth0
    /sbin/route del -net 172.18.xxx.0/20 gw 172.30.xxx.253 dev eth0
  3. Enable the service to start on boot. The static route will be added automatically after each system startup.

    systemctl enable add-route.service

Why does nslookup show 127.0.0.53 as the DNS server on Ubuntu?

By default, Ubuntu uses the systemd-resolved service as a local DNS resolver. All DNS queries are first sent to this local address (127.0.0.53) and then forwarded to the actual upstream DNS servers.

To view the upstream DNS servers that systemd-resolved is currently using, run the following command.

  • Ubuntu 20.04

    systemd-resolve --status
  • Ubuntu 22.04 and later

    resolvectl status

How to configure a custom DNS server on Ubuntu

  1. To prevent cloud-init from automatically overwriting network settings, edit the /etc/cloud/cloud.cfg file and add the following content to the end of the file:

    network:
      config: disabled
  2. Modify the Netplan configuration file /etc/netplan/50-cloud-init.yaml. Add a nameservers block under the network interface configuration, such as eth0.

    nameservers: 
      addresses: ["Custom DNS1", "Custom DNS2"]
  3. Apply the new configuration to make it take effect immediately.

    sudo netplan apply

How to configure an Ubuntu OS to use only custom DNS server addresses

Disable DHCP and configure a static network to ensure that the system uses only the specified DNS servers.

Modify the Netplan network configuration. Edit the /etc/netplan/50-cloud-init.yaml configuration file.

Change the configuration of the network interface, such as eth0, to the following static mode. Replace <DNS1> and <DNS2> with the actual DNS addresses.

network:
    ethernets:
        eth0:
            dhcp4: false
            dhcp6: false
            match:
                macaddress: XX:XX:XX:XX
            addresses:
              - XXX.XXX.XXX.XXX/XX
            routes:
              - to: default
                via: XXX.XXX.XXX.XXX
            set-name: eth0
            nameservers:
                addresses: [<DNS1>, <DNS2>]
    version: 2

How to prevent custom DNS settings from being reset on reboot in Debian

  1. Log on to the ECS instance.

    1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

    2. On the Instances page, find the instance and go to the instance details page. Click Connect and select Workbench. Log on as prompted to go to the terminal page.

  2. Back up the /etc/resolv.conf file.

    cp /etc/resolv.conf /etc/resolv.conf.bak
  3. To prevent the custom configuration from being overwritten after a reboot, delete the automatically generated DNS configuration file.

    rm /etc/resolv.conf
  4. Create a new /etc/resolv.conf file. In the code block, replace <DNS_IP> with the IP address of the DNS server.

    nameserver <DNS_IP>