What do I do if I cannot access an external network from a Windows instance?

Last Updated: Mar 21, 2023

This topic describes how to resolve the issue that you cannot access an external network from a Windows Elastic Compute Service (ECS) instance.

Problem description

You cannot use a browser on a Windows instance to access an external network.

Causes

This issue may occur for the following reasons, which are similar to the causes described in How to access a Windows instance from the internet?

  • Internet service providers (ISPs) implement control policies.

  • The Windows instance does not work as expected, and Alibaba Cloud security policies block access to the external network.

  • The security groups of the Windows instance are incorrectly configured.

  • The Windows instance has performance issues.

  • The firewall policies on the Windows instance block access to the external network.

  • Third-party antivirus software is installed on the Windows instance and blocks access to the external network.

  • The Windows instance is infected by trojans or viruses.

  • The TCP/IP stack on the instance has bugs or compatibility issues.

  • The routing or remote connection services that are installed on the instance are incorrectly configured.

  • The route tables or network settings of the instance are incorrectly configured.

Solutions

To identify the cause of the issue and resolve the issue, use the following methods.

Note

In the examples, an instance that runs a Windows Server 2019 Datacenter 64-bit (English) operating system is used. The operations that you must perform may vary based on the operating system of the instance.

Method 1: Perform a comparison test and check different configurations

Perform one or more of the following troubleshooting operations based on the actual conditions:

Go to the Security Center console to check the status of the instance

  1. In the Security Center console, go to the Host page and check whether risks are detected in the Windows instance.

    For more information, see Manage servers.

  2. Click the ID of the Windows instance to go to the Instance Details page and view the information of the instance, such as system vulnerabilities, application vulnerabilities, defensive status, security settings, and alerts. Then, handle issues based on the alerts or notifications to ensure that the Windows instance works as expected.

  3. Check whether the CIDR block to which the external website that you attempted to access belongs is reachable from the Windows instance.

    If the CIDR block to which the external website belongs is not reachable from the instance, the issue may be caused by the control policies of an ISP. In this case, run the ping <CIDR block> command in Command Prompt to check the connectivity with multiple CIDR blocks, and then compare the command outputs.

    Note

    The ping <CIDR block> command is suitable for scenarios in which only a specific network is not reachable and is not suitable for scenarios in which no networks are reachable.

    1. Start Command Prompt.

      1. In the lower-left corner of the desktop, click the Search icon and enter cmd in the search box.

      2. Click Command Prompt.

        The Command Prompt window opens.

    2. In the Command Prompt window, run the ping <CIDR block> command to ping different CIDR blocks and compare the command outputs.
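The comparison test above can be scripted so that every destination is probed the same way and the results sit side by side. This is an added example, not part of the original documentation; the targets are placeholders (reserved documentation names and addresses) that you replace with the site you cannot reach and with sites in other networks.

```powershell
# Added example: compare reachability of several destinations from the instance.
# Targets are placeholders (assumptions). Replace them with real destinations.
$targets = @(
    'example.com',   # reserved documentation domain, used here as a baseline
    'example.org',   # second baseline in a different network
    '192.0.2.10'     # TEST-NET-1 address, stands in for the unreachable site
)

$results = foreach ($t in $targets) {
    # Resolve the name first so a DNS failure is not mistaken for a routing failure.
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($t) |
               Select-Object -First 1).IPAddressToString
    } catch {
        $ip = 'unresolved'
    }

    # ICMP echo, the same probe that ping sends.
    $icmp = Test-Connection -ComputerName $t -Count 2 -Quiet

    # TCP handshake on 443. Many networks drop ICMP but pass HTTPS,
    # so a failed ping alone does not prove that the site is unreachable.
    $tcp = Test-NetConnection -ComputerName $t -Port 443 `
               -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Target  = $t
        Address = $ip
        Ping    = $icmp
        Tcp443  = $tcp
    }
}

$results | Format-Table -AutoSize

# Reading the table:
#   one target fails both probes, others pass -> issue is specific to that network
#   every target fails                        -> look at local causes (security
#                                                groups, firewall, routes, NIC)
#   Ping False but Tcp443 True                -> ICMP is filtered on the path,
#                                                the site itself is reachable
```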

Run the ipconfig /all command in the Command Prompt window to check network interface controller (NIC) configurations

  1. Start Command Prompt.

    1. In the lower-left corner of the desktop, click the Search icon and enter cmd in the search box.

    2. Click Command Prompt.

      The Command Prompt window opens.

  2. Run the ipconfig /all command to check NIC configurations.

  3. On the desktop, enter ncpa.cpl in the search box to open Network Connections. Then, check whether NICs send and receive packets as expected.

    1. In the lower-left corner of the desktop, click the Search icon, enter ncpa.cpl in the search box, and then click ncpa.cpl in the search results.

    2. In the Network Connections window, double-click the NIC that you want to check.

      Check whether the NIC sends and receives packets as expected. If yes, the NIC is enabled and works as expected.

Run the nslookup or ping command in the Command Prompt window to check for DNS issues

For more information, see What do I do if the domain name of a website is resolved to different IP addresses on a Windows instance and an on-premises machine and I cannot access the website from the instance?

Check whether performance issues occurred on the Windows instance

The Windows instance may encounter performance issues, such as high CPU utilization, memory exhaustion, bandwidth exhaustion, and exhaustion of dynamic ports. To troubleshoot the issues, use the following methods:
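An added example (not from the original documentation) that measures the conditions named above from a PowerShell prompt on the instance. The `Internet` TCP setting name and the English performance counter path are assumptions that match a default English Windows Server 2019 installation.

```powershell
# Added example: snapshot of CPU, memory, bandwidth and dynamic port usage.

# CPU load averaged over all processors, and free physical memory in percent.
$cpu = (Get-CimInstance Win32_Processor |
        Measure-Object -Property LoadPercentage -Average).Average
$os  = Get-CimInstance Win32_OperatingSystem
$freeMemPct = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 1)

# Dynamic (ephemeral) port range that outbound connections draw from.
$setting = Get-NetTCPSetting -SettingName Internet
[int]$first = $setting.DynamicPortRangeStartPort
[int]$count = $setting.DynamicPortRangeNumberOfPorts
[int]$last  = $first + $count - 1

# Local ports inside that range that are currently bound, in any TCP state.
$conns   = Get-NetTCPConnection
$dynamic = @($conns | Where-Object { $_.LocalPort -ge $first -and $_.LocalPort -le $last })
$portsInUse = @($dynamic | Select-Object -ExpandProperty LocalPort -Unique).Count
$timeWait   = @($conns | Where-Object State -eq 'TimeWait').Count

# Throughput per NIC, averaged over three one-second samples.
$net = Get-Counter '\Network Interface(*)\Bytes Total/sec' -SampleInterval 1 -MaxSamples 3
$bytesPerSec = $net.CounterSamples | Group-Object InstanceName | ForEach-Object {
    [pscustomobject]@{
        Nic         = $_.Name
        AvgBytesSec = [math]::Round(($_.Group |
                          Measure-Object CookedValue -Average).Average)
    }
}

[pscustomobject]@{
    CpuLoadPct       = $cpu
    FreeMemoryPct    = $freeMemPct
    DynamicPortRange = "$first-$last"
    DynamicPortsUsed = $portsInUse
    DynamicPortsPct  = [math]::Round(100 * $portsInUse / $count, 1)
    TimeWaitSockets  = $timeWait
} | Format-List
$bytesPerSec | Format-Table -AutoSize

# Processes that hold the most dynamic ports: the first place to look
# when DynamicPortsPct approaches 100.
$dynamic | Group-Object OwningProcess | Sort-Object Count -Descending |
    Select-Object -First 5 Count, @{ n = 'ProcessId'; e = { $_.Name } } |
    Format-Table -AutoSize
```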

Check the security group rules associated with the Windows instance

View the security group rules that are associated with the Windows instance. If the security group rules are incorrectly configured, add new rules or modify existing rules to allow all traffic on all ports, and then access the external website again.

Check firewall policies on the Windows instance

Disable the firewall on the Windows instance and then check whether you can access the external website from the instance. If you can access the external website from the instance after the firewall is disabled, check firewall policies.

  1. In the lower-left corner of the desktop, choose Start icon > Server Manager.

  2. In the Server Manager window, click Local Server in the left-side navigation pane.

  3. In the PROPERTIES section, click the firewall status to the right of Windows Defender Firewall.

  4. In the Windows Security dialog box, follow the on-screen instructions to disable the firewall.

  5. Access the external website again.

    If you can access the external website from the instance, check firewall policies. For more information, see Configure Windows Firewall rules for Windows Server instances.
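One way to carry out the "check firewall policies" step from PowerShell, as an added example that is not part of the original documentation. It reads the effective policy (local rules merged with Group Policy) and lists the enabled outbound rules that block traffic.

```powershell
# Added example: inspect the effective Windows Defender Firewall policy
# for anything that blocks outbound traffic. Read-only, changes nothing.

# State and default outbound action of each profile. ActiveStore is the
# policy actually being enforced, including rules pushed by Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultOutboundAction |
    Format-Table -AutoSize

# Enabled outbound rules whose action is Block. SilentlyContinue suppresses
# the error that the cmdlet raises when no rule matches.
$blocking = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound `
                -Action Block -Enabled True -ErrorAction SilentlyContinue

$report = foreach ($rule in $blocking) {
    # Each rule keeps its ports, addresses and program in separate filter objects.
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $app  = $rule | Get-NetFirewallApplicationFilter

    [pscustomobject]@{
        Rule       = $rule.DisplayName
        Profile    = $rule.Profile
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort -join ','
        RemoteAddr = $addr.RemoteAddress -join ','
        Program    = $app.Program
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    'No enabled outbound Block rules in the active policy.'
}

# A profile with DefaultOutboundAction = Block drops every outbound connection
# that no Allow rule matches, even when the list above is empty.
```

A rule whose remote address or port covers the website explains the failure. Adjusting that single rule restores access while the firewall stays enabled.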

Disable or uninstall third-party antivirus software on the Windows instance

Disable or uninstall third-party antivirus software that is installed on the Windows instance, and then access the external website again. For information about how to disable or uninstall third-party antivirus software, see the relevant document about the software.

Run Windows Update to install the latest updates

This operation can be used to troubleshoot the TCP/IP stack issues of the operating system. Perform the following steps:

  1. In the lower-left corner of the desktop, click the Search icon, enter update in the search box, and then click Check for updates in the search results.

  2. On the Windows Update page, click Download to install the latest updates.

  3. Access the external website again.

Method 2: Use tools to capture packets and analyze the packets

Use a tool such as Wireshark to capture packets on the Windows instance. Then, analyze the captured packets to check for issues, such as DNS resolution issues, Address Resolution Protocol (ARP) resolution issues, and failures to establish TCP connections. For more information, see How to access a Windows instance from the internet?