All Products
Search
Document Center

Elastic Compute Service:ECS network connectivity diagnostic items

Last Updated:Apr 27, 2026

ECS Network Connectivity Diagnostics checks instances, ENIs, and vSwitches for issues that affect network connectivity.

Diagnostic items

The feature diagnoses the following resources:

Each diagnostic item has one of the following severity levels:

  • Critical: Determines network connectivity. An exception means connectivity issues occurred.

  • Non-critical: May affect network connectivity. An exception means connectivity issues may occur.

ECS instance diagnostics

Category

Diagnostic item

Severity

Description

Suggestion

SSH service

Whether the SSH service is started

Critical

Checks whether the SSH service is started and which port it listens on.

  • If the sshd process status is normal, the SSH service is started and listens on port 22 (Linux) or port 3389 (Windows).

  • If the sshd process listens on a non-standard port (such as port 1234) and the destination port to diagnose is 22 or 3389, the SSH service is started but on a different port.

  • If the sshd process status is not started, the SSH service is not running.

  • If the SSH service listens on a non-standard port, connect to the instance on that port, or change the default port to 22 or 3389.

  • If the SSH service is not started, log on to the instance by using VNC and start the service.

Whether critical SSH files and directories exist

Critical

Checks the integrity of SSH configuration files and directories.

If an SSH configuration file or directory is missing, restore it based on the diagnostic message.

Whether SSH allows the root user to log on

Non-critical

Checks whether SSH allows root user logons.

If SSH denies root logons and you want to allow them, modify the SSH configurations. See Resolve the "Permission denied, please try again" error for SSH connections to a Linux instance

NIC configurations

Whether the Dynamic Host Configuration Protocol (DHCP) service is started

Critical

If an instance with a DHCP-capable image lacks a static IP address and DHCP is not started, a message indicates that DHCP is not started.

Log on to the instance by using VNC and start the DHCP service.

Whether NIC IP addresses are correct

Critical

If a message similar to Invalid IP address appears, the detected IP address differs from the configured one.

Correct the static IP address of the NIC. See Secondary private IP.

Whether NIC masks are correct

Non-critical

If a message similar to No mask is configured for the <eniId> NIC appears, the NIC has no mask or an incorrect mask.

Use the default mask or configure the correct mask for the NIC.

Instance security policies

Whether iptables rules are configured to allow or block traffic

Critical

  • If a message similar to The hit iptables rule <ruleName> blocks traffic appears, an iptables rule blocks traffic on the instance.

  • If a message similar to iptables rules allow traffic appears, an iptables rule allows traffic on the instance.

  • To stop blocking traffic, delete the Block iptables rule.

  • To stop allowing traffic, configure a Block iptables rule or change the Allow rule to a Block rule.

Whether blackhole filtering is triggered on the public IP address of an instance

Critical

If DDoS attacks exceed the instance's mitigation capability, blackhole filtering is triggered and all inbound traffic to the public IP address is blocked. A message similar to Blackhole filtering is triggered on <Public IP address>, and the IP address cannot be accessed appears.

See Alibaba Cloud blackhole policy for details on blackhole filtering and deactivation.

System routing configurations

Whether routing policies are configured

Critical

If no routing policy is configured, the check fails. If a routing policy exists, a message similar to The policyName routing policy forwards traffic appears.

Check for and delete incorrect routing policies.

Instance system load

CPU load

Non-critical

Checks whether the CPU load exceeds 80%.

If the CPU load stays above 80%, consider upgrading to an instance type with more vCPUs. See Change the instance type.

Public bandwidth load

Non-critical

Checks whether the public bandwidth load exceeds 90%.

If the public bandwidth load stays above 90%, consider increasing the public bandwidth. See Modify the maximum public bandwidth.

Internal bandwidth load

Non-critical

Checks whether the internal bandwidth load exceeds 90%.

If the internal bandwidth load stays above 90%, consider upgrading to an instance type with higher base bandwidth. See Change the instance type.

User service status

Whether processes are listening on specified destination ports

Critical

Checks whether processes listen on the specified destination ports. If not, the check fails.

Connect to the instance and start processes to listen on the specified destination ports.

Instance status

Whether an instance has expired

Critical

If an expired instance is detected, a message appears.

Renew the instance as soon as possible.

Overdue payments in your Alibaba Cloud account

Critical

If overdue payments are detected in your Alibaba Cloud account, a message appears.

Add funds to your account as soon as possible.

ENI diagnostics

Category

Diagnostic item

Severity

Description

Suggestion

ENI status

Underlying status

Critical

If the underlying status of an ENI is abnormal, a message appears.

Check the ENI status and troubleshoot any exceptions.

Security group configurations

Security groups

Critical

Security groups control traffic to and from ENIs based on group types and rules.

  • Basic security groups:

    • If the source and destination in a path belong to the same security group with no rules, they can communicate with each other.

    • If the source and destination belong to different security groups with no rules, outbound traffic from the source is allowed and inbound traffic to the destination is denied.

  • Advanced security groups:

    If security groups contain no rules, outbound traffic from the source and inbound traffic to the destination are denied.

  • If security groups contain rules, traffic is denied or allowed based on the group attributes and rules. See Overview.

Verify that security groups implement access control as expected. If not, configure them based on your needs.

vSwitch diagnostics

Category

Diagnostic item

Severity

Description

Suggestion

Network ACL

Network ACL configurations

Critical

  • If no network ACL is associated with a vSwitch, the vSwitch allows all traffic by default.

  • If the source and destination are on the same vSwitch, traffic between them is exempt from the network ACL rules.

  • If the source and destination are on different vSwitches with associated network ACLs, the vSwitches allow or deny traffic based on the ACL rules. See Network ACLs.

Verify that the vSwitch implements access control as expected. If not, configure a network ACL based on your needs.