ECS Network Connectivity Diagnostics checks instances, ENIs, and vSwitches for issues that affect network connectivity.
Diagnostic items
The feature diagnoses the following resources:
-
ECS instances: security policies, NIC configurations, system load, and business status.
-
Elastic network interfaces (ENIs): The underlying status and security group configurations.
-
vSwitches: network ACL configurations.
Each diagnostic item has one of the following severity levels:
-
Critical: Determines network connectivity. An exception means connectivity issues occurred.
-
Non-critical: May affect network connectivity. An exception means connectivity issues may occur.
ECS instance diagnostics
|
Category |
Diagnostic item |
Severity |
Description |
Suggestion |
|
SSH service |
Whether the SSH service is started |
Critical |
Checks whether the SSH service is started and which port it listens on.
|
|
|
Whether critical SSH files and directories exist |
Critical |
Checks the integrity of SSH configuration files and directories. |
If an SSH configuration file or directory is missing, restore it based on the diagnostic message. |
|
|
Whether SSH allows the root user to log on |
Non-critical |
Checks whether SSH allows root user logons. |
If SSH denies root logons and you want to allow them, modify the SSH configurations. See Resolve the "Permission denied, please try again" error for SSH connections to a Linux instance |
|
|
NIC configurations |
Whether the Dynamic Host Configuration Protocol (DHCP) service is started |
Critical |
If an instance with a DHCP-capable image lacks a static IP address and DHCP is not started, a message indicates that DHCP is not started. |
Log on to the instance by using VNC and start the DHCP service. |
|
Whether NIC IP addresses are correct |
Critical |
If a message similar to Invalid IP address appears, the detected IP address differs from the configured one. |
Correct the static IP address of the NIC. See Secondary private IP. |
|
|
Whether NIC masks are correct |
Non-critical |
If a message similar to No mask is configured for the <eniId> NIC appears, the NIC has no mask or an incorrect mask. |
Use the default mask or configure the correct mask for the NIC. |
|
|
Instance security policies |
Whether iptables rules are configured to allow or block traffic |
Critical |
|
|
|
Whether blackhole filtering is triggered on the public IP address of an instance |
Critical |
If DDoS attacks exceed the instance's mitigation capability, blackhole filtering is triggered and all inbound traffic to the public IP address is blocked. A message similar to Blackhole filtering is triggered on <Public IP address>, and the IP address cannot be accessed appears. |
See Alibaba Cloud blackhole policy for details on blackhole filtering and deactivation. |
|
|
System routing configurations |
Whether routing policies are configured |
Critical |
If no routing policy is configured, the check fails. If a routing policy exists, a message similar to The policyName routing policy forwards traffic appears. |
Check for and delete incorrect routing policies. |
|
Instance system load |
CPU load |
Non-critical |
Checks whether the CPU load exceeds 80%. |
If the CPU load stays above 80%, consider upgrading to an instance type with more vCPUs. See Change the instance type. |
|
Public bandwidth load |
Non-critical |
Checks whether the public bandwidth load exceeds 90%. |
If the public bandwidth load stays above 90%, consider increasing the public bandwidth. See Modify the maximum public bandwidth. |
|
|
Internal bandwidth load |
Non-critical |
Checks whether the internal bandwidth load exceeds 90%. |
If the internal bandwidth load stays above 90%, consider upgrading to an instance type with higher base bandwidth. See Change the instance type. |
|
|
User service status |
Whether processes are listening on specified destination ports |
Critical |
Checks whether processes listen on the specified destination ports. If not, the check fails. |
Connect to the instance and start processes to listen on the specified destination ports. |
|
Instance status |
Whether an instance has expired |
Critical |
If an expired instance is detected, a message appears. |
Renew the instance as soon as possible. |
|
Overdue payments in your Alibaba Cloud account |
Critical |
If overdue payments are detected in your Alibaba Cloud account, a message appears. |
Add funds to your account as soon as possible. |
ENI diagnostics
|
Category |
Diagnostic item |
Severity |
Description |
Suggestion |
|
ENI status |
Underlying status |
Critical |
If the underlying status of an ENI is abnormal, a message appears. |
Check the ENI status and troubleshoot any exceptions. |
|
Security group configurations |
Security groups |
Critical |
Security groups control traffic to and from ENIs based on group types and rules.
|
Verify that security groups implement access control as expected. If not, configure them based on your needs. |
vSwitch diagnostics
|
Category |
Diagnostic item |
Severity |
Description |
Suggestion |
|
Network ACL |
Network ACL configurations |
Critical |
|
Verify that the vSwitch implements access control as expected. If not, configure a network ACL based on your needs. |