Diagnostic items of ECS Network Connectivity Diagnostics - Elastic Compute Service

This topic describes the diagnostic items supported by the Elastic Compute Service (ECS) Network Connectivity Diagnostics feature and elaborates the diagnostic scope and results.

Diagnostic items

The ECS Network Connectivity Diagnostics feature supports the following resources:

ECS instances. The feature checks the diagnostic items of ECS instances, including security policies, network interface controller (NIC) configurations, system load, and business status.
Elastic network interfaces (ENIs). The feature checks the underlying status and security group configurations of ENIs.
vSwitches. The feature checks the network access control list (ACL) configurations of vSwitches.

Diagnostic items are assigned the following severity levels:

Critical: A critical diagnostic item determines network connectivity. If a critical diagnostic item is diagnosed with exceptions, network connectivity issues occurred.
Non-critical: A non-critical diagnostic item may affect network connectivity. If a non-critical diagnostic item is diagnosed with exceptions, network connectivity issues may occur.

Diagnostic items of ECS instances

Category	Diagnostic item	Severity	Description	Suggestion
SSH service	Whether the SSH service is started	Critical	Checks whether the SSH service is started and on which port the service is listening on an instance. If the status of the sshd process is displayed as normal, the SSH service is started and is listening on port 22 on a Linux instance or port 3389 on a Windows instance. If the sshd process is displayed to be listening on a port other than ports 22 and 3389 (such as port 1234) and port 22 or 3389 is displayed as the destination port to be diagnosed, the SSH service is started and is listening on the port other than ports 22 and 3389. If the status of the sshd process is displayed as not started, the SSH service is not started.	If the SSH service is not listening on port 22 on a Linux instance or port 3389 on a Windows instance, select the port on which the SSH service is listening on to connect to the instance, or change the listening port to port 22 or 3389. For more information, see Change the default port used by an instance to accept connections. If the SSH service is not started, log on to the instance by using Virtual Network Computing (VNC) and start the service.
	Whether critical files or directories required by the SSH service exist	Critical	Checks the integrity of SSH configuration files and directories.	If a message is displayed indicating that an SSH configuration file or directory is missing, restore the file or directory based on the message.
	Whether SSH allows the root user to log on	Non-critical	Checks whether SSH allows the root user to log on.	If a message is displayed indicating that SSH denies logons by the root user and you want to lift this limit, troubleshoot the issue and modify SSH configurations. For more information, see What do I do if the "Permission denied, please try again" error message appears when I connect to a Linux instance from an SSH client?
NIC configurations	Whether the Dynamic Host Configuration Protocol (DHCP) service is started	Critical	If an instance whose image supports DHCP was not correctly assigned a static IP address and the DHCP service is not started on the instance, a message is displayed indicating that DHCP is not started.	Log on to the instance by using VNC and start the DHCP service.
	Whether NIC IP addresses are correct	Critical	For a NIC, if a message similar to Invalid IP address is displayed, the detected IP address is different from the configured one.	Modify the static IP address of the NIC. For more information, see Secondary private IP addresses.
	Whether NIC masks are correct	Non-critical	For a NIC, if a message similar to No mask is configured for the <eniId> NIC is displayed, the NIC does not have a mask or has an incorrect mask.	Use the default mask or configure a correct mask for the NIC.
Instance security policies	Whether iptables rules are configured to allow or block traffic	Critical	For an instance, if a message similar to The hit iptables rule <ruleName> blocks traffic is displayed, an iptables rule is configured on the instance to block traffic. For an instance, if a message similar to iptables rules allow traffic is displayed, an iptables rule is configured on the instance to allow traffic.	If you do not want to block the traffic, delete the Block iptables rule. If you do not want to allow the traffic, configure an iptables rule to block the traffic or change the Allow iptables rule into a Block one.
Instance security policies	Whether blackhole filtering is triggered on the public IP address of an instance	Critical	If an instance falls victim to DDoS attacks and the volume of the DDoS attacks exceeds the mitigation capability provided for the instance, blackhole filtering is triggered and all inbound traffic to the public IP address of the instance is blocked. If this occurs, a message similar to Blackhole filtering is triggered on <Public IP address>, and the IP address cannot be accessed is displayed.	For more information about blackhole filtering policies and how to deactivate blackhole filtering, see Blackhole filtering policy of Alibaba Cloud.
System routing configurations	Whether routing policies are configured	Critical	If no routing policies are configured on an instance, the check fails. If a routing policy is configured on an instance, a message similar to The policyName routing policy forwards traffic is displayed.	Check for and delete incorrect routing policies.
Instance system load	CPU load	Non-critical	Checks whether the CPU load of an instance exceeds 80%.	If the CPU load of an instance remains higher than 80%, decide whether to upgrade to an instance type with more vCPUs. For more information, see Change the instance type.
	Public bandwidth load	Non-critical	Checks whether the public bandwidth load of an instance exceeds 90%.	If the public bandwidth load of an instance remains higher than 90%, decide whether to increase the public bandwidth. For more information, see Modify the maximum public bandwidth.
	Internal bandwidth load	Non-critical	Checks whether the internal bandwidth load of an instance exceeds 90%.	If the internal bandwidth load of an instance remains higher than 90%, decide whether to upgrade to an instance type that provides a higher base bandwidth. For more information, see Change the instance type.
User service status	Whether processes are listening on specified destination ports	Critical	Checks whether processes are listening on the specified destination ports of an instance. If not, the check fails.	Connect to the instance and start processes to listen on the specified destination ports.
Instance status	Whether an instance has expired	Critical	If an expired instance is detected, a message is displayed.	Renew the instance at the earliest opportunity. For more information, see Renew a subscription instance.
Instance status	Overdue payments in your Alibaba Cloud account	Critical	If overdue payments are detected in your Alibaba Cloud account, a message is displayed.	Add funds to your account at the earliest opportunity.

Diagnostic items of ENIs

Category

Diagnostic item

Severity

Description

Suggestion

ENI status

Underlying status

Critical

If the underlying status of an ENI is abnormal, a message is displayed.

Check the status of the ENI. If an exception occurs, perform the corresponding operations to troubleshoot the exception.

Security group configurations

Security groups

Critical

Security groups control traffic to or from ENIs based on security group types and rules.

Basic security groups:
- If the source and destination diagnostic objects in a path belong to the same security group and the security group contains no rules, these diagnostic objects can communicate with each other.
- If the source and destination diagnostic objects in a path belong to different security groups that contain no rules, outbound traffic from the source diagnostic object is allowed and inbound traffic to the destination diagnostic object is denied.
Advanced security groups:
If security groups contain no rules, the security groups deny outbound traffic from source diagnostic objects and inbound traffic to destination diagnostic objects.
If security groups contain rules, the security groups deny or allow traffic based on their attributes and rules. For more information, see Overview.

Check whether security groups implement access control as expected. If not, configure the security groups based on your needs.

Diagnostic items of vSwitches

Category	Diagnostic item	Severity	Description	Suggestion
Network ACL	Network ACL configurations	Critical	If no network ACL is associated with a vSwitch, the vSwitch allows all traffic by default. If the source and destination diagnostic objects in a path are connected to the same vSwitch, the traffic between these diagnostic objects is exempt from the network ACL rules that are associated with the vSwitch. If the source and destination diagnostic objects in a path are connected to different vSwitches and network ACLs are associated the vSwitches, the vSwitches determine whether to allow traffic between the diagnostic objects based on the rules in the network ACLs. For more information, see Network ACLs.	Check whether a vSwitch implements access control as expected. If not, configure a network ACL for the vSwitch based on your needs.