This topic provides answers to frequently asked questions about networks used by Elastic Compute Service (ECS) instances.
FAQ about network performance
FAQ about public bandwidth
FAQ about IP addresses
FAQ about network access and traffic direction
FAQ about public IP addresses
FAQ about network basics
FAQ about quotas
What is the packet loss rate when instances within different regions communicate over the Internet?
When instances within different regions communicate over the Internet, a p99 of the hourly packet loss rate of less than 0.0001% can be expected.
How is the network latency for instances within the same region that communicate over the internal network?
You can achieve minimal latency when instances within the same zone and region communicate with each other over the internal network. The one-way latency at the 99th percentile is less than 180 μs for communication between instances within the same zone.
How is the performance of connections guaranteed for instances for which the maximum number of connections is not specified?
If an instance family does not have the maximum number of connections specified, this instance family does not ensure that a specific maximum number of connections can be established to a single instance. We recommend that you perform business stress tests on instances to select appropriate instance types.
After a connection is established, the connection counts towards the number of connections before its aging period ends. The displayed number of connections may be greater than the number of connections actually in use.
What do I do if the performance of an ECS instance is unstable when a UDP PPS test or TCP bandwidth test is performed on the instance?
When a network performance test is performed on an ECS instance, the test result may be affected by a number of factors. These factors include the common performance tuning methods such as non-uniform memory access (NUMA) topology adaptation, binding vCPUs for tasks, and binding vCPUs for interrupts.
For example, during a single-stream TCP bandwidth test, if a receive task such as a netserver process and a network interface controller (NIC) receive queue interrupt are bound to the same vCPU, the NIC triggers an interrupt to interrupt the receive task when the NIC receives data frames. If the receive task is frequently interrupted, the test result may not meet your expectations. In this case, you can bind the receive task and the NIC receive queue interrupt to different vCPUs and obtain a better test result by using the performance advantages of multiple vCPUs.
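The check described above can be scripted before a test run. The following Python sketch is an added example, not part of the original documentation: it finds the NIC receive-queue IRQs in /proc/interrupts, reads their CPU affinity, and reports any vCPU shared with the receive task. It assumes a virtio-net NIC whose receive queues are named virtioN-input.M, and the sample data is constructed.

```python
import re

# Constructed excerpt of /proc/interrupts on a 4-vCPU instance (assumed virtio-net NIC).
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
 24:          0          0          0          0   PCI-MSI 49152-edge      virtio0-config
 25:     912345          0          0          0   PCI-MSI 49153-edge      virtio0-input.0
 26:      80211          0          0          0   PCI-MSI 49154-edge      virtio0-output.0
 27:          0     455001          0          0   PCI-MSI 49155-edge      virtio0-input.1
"""
# Constructed contents of /proc/irq/<n>/smp_affinity_list for the IRQs above.
SAMPLE_AFFINITY = {25: "0", 26: "0-3", 27: "1"}

def parse_cpu_list(text):
    """Parse a kernel CPU list such as '0-1,3' into a set of CPU numbers."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            low, _, high = part.partition("-")
            cpus.update(range(int(low), int(high or low) + 1))
    return cpus

def rx_queue_irqs(interrupts_text, pattern=r"input\.\d+$"):
    """Map IRQ number -> name for lines whose name looks like a receive queue."""
    irqs = {}
    for line in interrupts_text.splitlines():
        match = re.match(r"\s*(\d+):", line)
        if match and re.search(pattern, line.split()[-1]):
            irqs[int(match.group(1))] = line.split()[-1]
    return irqs

def find_contention(interrupts_text, irq_affinity, task_cpus):
    """Return {queue name: [shared vCPUs]} where the task and a receive IRQ overlap.

    task_cpus is the CPU list of the receive task, for example the value
    printed by `taskset -cp <pid>` for the netserver process.
    """
    task = parse_cpu_list(task_cpus)
    hits = {}
    for irq, name in rx_queue_irqs(interrupts_text).items():
        shared = parse_cpu_list(irq_affinity.get(irq, "")) & task
        if shared:
            hits[name] = sorted(shared)
    return hits

def free_cpus(interrupts_text, irq_affinity, online_cpus):
    """vCPUs that no receive-queue IRQ is bound to: candidates for the receive task."""
    busy = set()
    for irq in rx_queue_irqs(interrupts_text):
        busy |= parse_cpu_list(irq_affinity.get(irq, ""))
    return sorted(parse_cpu_list(online_cpus) - busy)

if __name__ == "__main__":
    print(find_contention(SAMPLE_INTERRUPTS, SAMPLE_AFFINITY, "0"))
    print(free_cpus(SAMPLE_INTERRUPTS, SAMPLE_AFFINITY, "0-3"))
```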
What are the inbound and outbound bandwidths of ECS instances?
Inbound bandwidth (Free)
The bandwidth for inbound traffic for an ECS instance, including the following traffic:
Outbound bandwidth (Charge)
The bandwidth for outbound traffic for an ECS instance, including the following traffic:
I purchased a public bandwidth of 5 Mbit/s for an ECS instance. How is this bandwidth used as outbound or inbound bandwidth of the instance?
The 5 Mbit/s that you purchased is used as the outbound bandwidth for the instance. The inbound bandwidth of this instance is capped at 10 Mbit/s.
Outbound bandwidth is consumed when data is transferred from the ECS instance. The maximum outbound bandwidth of an ECS instance is capped at 100 Mbit/s or 200 Mbit/s regardless of whether the instance resides in a virtual private cloud (VPC) or the classic network. The maximum available outbound bandwidth depends on the billing method of the instance.
Inbound bandwidth is consumed when data is transferred to the ECS instance. The maximum inbound bandwidth is determined by the outbound bandwidth:
If the outbound bandwidth is less than 10 Mbit/s, the maximum inbound bandwidth is 10 Mbit/s.
If the outbound bandwidth is greater than 10 Mbit/s, the maximum inbound bandwidth is the same as the purchased outbound bandwidth.
If the pay-by-traffic billing method is used for network usage, the maximum inbound and outbound bandwidths are used as upper limits of bandwidths instead of the guaranteed performance. In scenarios where demand outstrips resource supplies, these maximum bandwidth values may be limited. If you require guaranteed bandwidths for your instance, use the pay-by-bandwidth billing method for network usage.
Is public bandwidth exclusive to each ECS instance, or is public bandwidth shared among multiple instances?
The public bandwidth of each instance is exclusive to the instance.
How am I billed for the network usage of ECS instances?
For more information about billing for the network usage of ECS instances, see Public bandwidth.
Why is 200 Kbit/s of inbound traffic already consumed on a new ECS instance?
This traffic was generated by Address Resolution Protocol (ARP) broadcast packets. Each ECS instance is assigned to a large CIDR block. When the gateway receives an ARP request packet for an ECS instance, the gateway broadcasts this packet to all ECS instances within the same CIDR block. The new instance also receives the packet. If the request is not destined for the new instance, the instance does not reply with an ARP reply packet.
How do I view the Internet traffic bills of an ECS instance?
To view the Internet traffic bills of an ECS instance, perform the following steps:
Log on to the ECS console.
In the top navigation bar, choose.
In the left-side navigation pane, click Usage Records.
Set Product and Billable Item to Elastic Compute Service (ECS), set Time Period and Time Unit, and then enter the verification code in the Verification Code field.
Click Export CSV. In the message that appears, click OK.
On the Export Record page, wait until the status of the exported file changes to Exported and click Download in the Actions column.
Open the exported CSV file to view the Internet traffic bills of the ECS instance.
Why is the bandwidth usage of my ECS instance displayed in the CloudMonitor console different from that displayed in the ECS console?
ECS instances function as backend servers of Server Load Balancer (SLB) instances and use the Layer 7 HTTP forwarding model. In this forwarding model, SLB instances forward client requests to ECS instances, and the ECS instances use their own outbound bandwidth to return responses to the corresponding users. The bandwidth consumed by these responses is not displayed in the ECS console, but the traffic generated by the responses counts towards the outbound traffic of the SLB instances and is displayed in the CloudMonitor console. Therefore, the bandwidth usage of your ECS instance displayed in the CloudMonitor console is different from that displayed in the ECS console.
My ECS instance has been stopped. Why am I still being charged for its outbound traffic on a pay-as-you-go basis?
Problem description: Your instance is in the Stopped state in the ECS console but is in the Cleaning state in the Anti-DDoS Basic console. You are charged for outbound traffic from the instance on a pay-as-you-go basis every hour.
Cause: HTTP flood protection is enabled for the ECS instance. When HTTP flood protection is enabled, the security mechanism sends probe packets to potential attack sources. Therefore, a large volume of outbound traffic is generated.
Solution: Disable HTTP flood protection for the ECS instance. For more information, see Configure HTTP flood protection.
How do I query the IP addresses of ECS instances?
Run the ifconfig command to view NIC information. You can view the IP addresses, subnet masks, gateways, Domain Name System (DNS) servers, and MAC addresses in the command output.
In Command Prompt, run the ipconfig /all command to view NIC information. You can view the IP addresses, subnet masks, gateways, DNS servers, and MAC addresses in the command output.
For more information, see View IP addresses.
How do I disable the public NIC of an ECS instance?
Run the ifconfig command to view the name of the public NIC of the instance.
Run the ifdown command to disable the public NIC. For example, if the name of the public NIC is
You can run the ifup command to re-enable the NIC. For example, if the name of the public NIC is
In Command Prompt, run the ipconfig command to view information about the public NIC.
Open the Control Panel and click View network status and tasks in the Network and Internet section. In the Network and Sharing Center window, click Change adapter settings in the left-side navigation pane to disable the public NIC.
How do I configure an IPv6 address for an ECS instance?
For more information, see Configure an IPv6 address for an ECS instance.
When I attempt to access a website on an ECS instance, a message similar to "Sorry, your access has been blocked because the requested URL may pose a security threat to the website" appears. Why?
Problem description: When you attempt to access a website built on an ECS instance, you are prompted with a message similar to "Sorry, your access has been blocked because the requested URL may pose a security threat to the website."
Cause: Web Application Firewall (WAF) has identified your access request to the URL as an attack and blocked your access.
Solution: Add the source public IP address that you use to access the website to the WAF whitelist. For more information, see Avoid Anti-DDoS Basic false positives by using a whitelist.
After I configure a secondary private IP address for a Windows instance, the instance cannot connect to the Internet. Why?
Problem description: After you configure a secondary private IP address for a Windows instance, the instance cannot connect to the Internet.
Cause: In Windows 2008 and later, the longest prefix match algorithm is used to select next hop IP addresses based on destination IP addresses of outbound traffic. This may lead to network connection failures.
Solution: Run the Netsh command with skipassource set to true to configure a secondary private IP address for the Windows instance.
Netsh int ipv4 add address <Interface> <IP Addr> [<Netmask>] [skipassource=true]
The following table describes the parameters in the Netsh command.
<Interface>: The network interface with which to associate the secondary private IP address
<IP Addr>: The secondary private IP address
<Netmask>: The mask of the secondary private IP address
Netsh int ipv4 add address "Ethernet" 192.168.0.100 255.255.255.0 skipassource=true
An abnormal logon has been detected on one of my ECS instances. What do I do?
Perform the following operations to solve the problem:
Check the logon time to see whether the logon was performed by yourself or another administrator.
If the logon was not performed by yourself or another administrator, it is an unauthorized logon. Perform the following steps:
What is traffic scrubbing?
The traffic scrubbing service monitors inbound traffic to ECS instances in real time and identifies abnormal traffic such as DDoS attacks. By default, Anti-DDoS Basic is enabled on ECS instances to provide traffic scrubbing. When ECS instances are under attack, the traffic scrubbing service detects the attack and scrubs malicious traffic without affecting ECS instance services. When suspicious traffic is detected, suspicious traffic is redirected from the destination network to a scrubbing device. The device identifies and removes malicious traffic and then returns legitimate traffic to the network to be forwarded to the ECS instances.
How do I cancel traffic scrubbing for an ECS instance?
When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether the traffic is normal. This may affect or interrupt normal business. You can disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning.
How do I request reverse lookup for an ECS instance?
Reverse lookup is used in mail services to reject mail from IP addresses mapped to unregistered domain names. Most spammers use dynamic IP addresses or IP addresses mapped to unregistered domain names to send unwanted mail and avoid being tracked. When reverse lookup is enabled on a mail server, the server rejects mail sent from dynamic IP addresses or unregistered domain names to reduce the amount of spam received.
You can submit a ticket to request reverse lookup for your ECS instance. To make your ticket easier to process, we recommend that you specify the region, public IP address, and registered domain name of your ECS instance in the ticket.
After your request is approved, you can run the dig command to check whether reverse lookup takes effect on your instance. Example:
dig -x 121.196.255.** +trace +nodnssec
If reverse lookup takes effect on your instance, a command output similar to the following one is displayed:
184.108.40.206.in-addr.arpa. 3600 IN PTR ops.alidns.com.
Can an IP address point to multiple reverse lookup domain names?
No, each IP address can point only to a single reverse lookup domain name. For example, you cannot configure the IP address 121.196.255.** to resolve to multiple domain names such as mail.abc.com, mail.ospf.com, and mail.zebra.com.
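The dig verification step and the single-name rule above can be checked mechanically. The following Python sketch is an added example, not part of the original documentation: it parses saved dig output, confirms that the PTR record belongs to the reverse name of the queried IP address, and reports whether the target falls under the registered domain name. The IP address, host names, and dig output are constructed sample values.

```python
import ipaddress

# Constructed sample of `dig -x 203.0.113.25 +trace +nodnssec` output (documentation addresses).
SAMPLE_DIG = """\
; <<>> DiG 9.16.1 <<>> -x 203.0.113.25 +trace +nodnssec
113.0.203.in-addr.arpa. 86400 IN NS ns1.example.net.
25.113.0.203.in-addr.arpa. 3600 IN PTR mail.example.com.
;; Received 87 bytes from 192.0.2.53#53(ns1.example.net) in 12 ms
"""

def ptr_targets(dig_output, ip):
    """Return the PTR targets that dig reported for the reverse name of ip."""
    owner = ipaddress.ip_address(ip).reverse_pointer.lower()
    targets = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # dig comment or blank line
        fields = line.split()
        # Record layout: owner TTL class type rdata
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "PTR":
            # Ignore PTR records that belong to a different address.
            if fields[0].rstrip(".").lower() == owner:
                targets.append(fields[4].rstrip(".").lower())
    return targets

def check_reverse_lookup(dig_output, ip, registered_domain):
    """Classify the result as 'ok', 'missing', 'multiple' or 'mismatch'."""
    domain = registered_domain.rstrip(".").lower()
    targets = sorted(set(ptr_targets(dig_output, ip)))
    if not targets:
        return "missing"      # reverse lookup has not taken effect
    if len(targets) > 1:
        return "multiple"     # an IP address should map to a single name
    host = targets[0]
    # Match on a label boundary so that 'notexample.com' does not pass for 'example.com'.
    if host == domain or host.endswith("." + domain):
        return "ok"
    return "mismatch"

if __name__ == "__main__":
    print(check_reverse_lookup(SAMPLE_DIG, "203.0.113.25", "example.com"))
```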
Can I change the public IPv4 address of an instance after the instance has been created?
You can change the public IPv4 address of an instance within 6 hours after the instance is created. For more information, see Change the public IP address of an instance.
After 6 hours, the instance network type determines whether the public IP address of the instance can be changed.
For an instance in a VPC, you can change the public IP address of the instance by converting the IP address into an elastic IP address (EIP). Then, to assign a new public IP address, you can disassociate the EIP from the instance and associate a new EIP with the instance or upgrade the public bandwidth of the instance. For more information, see Convert the public IP address of an ECS instance in a VPC to an EIP.
The public IP addresses of instances in the classic network cannot be changed. However, you can convert the public IP address of an instance into an EIP when you release the instance. For more information, see Convert the system-assigned public IP address of an instance in the classic network into an EIP.
Why am I unable to find the option to change the public IP address of an ECS instance in the ECS console?
Within 6 hours after a pay-as-you-go instance is created: If the billing method of an instance is pay-as-you-go and the network type of the instance is VPC, you must enable the standard mode for the instance when you stop the instance. If you enable the economical mode for the instance, the Change Public IP Address option is not displayed in the ECS console.
More than 6 hours after the instance is created: You cannot change the public IP address, and the Change Public IP Address option is not displayed.
Can I change the private IP address of an instance?
You can change the private IP addresses of instances in VPCs. For more information, see Modify the private IP address of an instance.
You cannot change the private IP addresses of instances in the classic network.
If no public IPv4 address was assigned to an ECS instance when the instance was being created, how do I assign a public IP address to the instance?
What is a BGP data center?
Border Gateway Protocol (BGP) is used to connect autonomous systems (AS) over the Internet. The main purpose of BGP is to control route propagation and select the optimal routes.
China Netcom, China Telecom, China Railcom, and some large privately owned IDC service providers all have autonomous system numbers (ASNs). Most major network carriers in China use BGP to implement multi-line connections between their ASNs.
To implement multi-line interconnection in this manner, an IDC must obtain a CIDR block and an ASN from the China Internet Network Information Center (CNNIC) or Asia-Pacific Network Information Center (APNIC), and then broadcast this CIDR block to the networks of other carriers by using BGP. After BGP is used to connect different networks, the backbone routers of the network carriers determine the optimal routes to the CIDR block of the IDC to ensure high-speed access for users of different network carriers.
What are WAN and LAN?
A wide area network (WAN) is also known as an external or public network. A WAN is a telecommunications network that connects smaller networks such as LANs and metro area networks (MANs). Each WAN extends over a large geographical area that can range in size from a city to an entire continent, providing telecommunications services and forming an international telecommunications network. A WAN is not the same as the Internet.
A LAN is also known as an internal network. A LAN is a network that interconnects computers within a small area. Within a LAN, users can manage files, share application software and printers, schedule work for work groups, and communicate with each other, for example by sending emails or faxes. A LAN is a closed network that can be as small as two computers in an office or as large as thousands of computers in a company. In Alibaba Cloud, ECS instances of the same network type within the same region can communicate with each other over the internal network. ECS instances within different regions are isolated from each other.
What is CIDR?
CIDR is an addressing scheme for the Internet that allows for IP addresses to be assigned in a more efficient manner than the traditional scheme based on classes A, B, and C. CIDR notation is used to denote IP addresses and IP ranges. It consists of an IP address and a forward slash followed by a decimal number that denotes how many bits are in the network prefix.
Example 1: Convert a CIDR block into an IP address range
For example, you can convert the 10.0.0.0/8 CIDR block into a 32-bit binary IP address of 00001010.00000000.00000000.00000000. In this CIDR block, /8 represents an 8-bit network ID. The first 8 bits of the 32-bit binary IP address are fixed, and the corresponding IP addresses are from 00001010.00000000.00000000.00000000 to 00001010.11111111.11111111.11111111. After you convert the preceding IP addresses into IP addresses in the decimal format, the 10.0.0.0/8 CIDR block indicates the IP addresses from 10.0.0.0 to 10.255.255.255 with a subnet mask of 255.0.0.0.
Example 2: Convert an IP address range into a CIDR block
For example, you have a range of IP addresses from 192.168.0.0 to 192.168.31.255. You can convert the last two parts of the first and last IP addresses to binary numbers from 00000000.00000000 to 00011111.11111111. The first 19 (8 × 2 + 3) bits are fixed. After you convert the IP addresses to IP addresses in the CIDR format, the corresponding CIDR block is 192.168.0.0/19.
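Both conversions can be done with the same bit arithmetic. The following Python sketch is an added example, not part of the original documentation. It goes beyond Example 2 by also handling a range that does not fit one CIDR block: such a range needs several blocks to be covered exactly, while the smallest single block that contains it also admits addresses outside the range, which matters when the block is used in an allow rule. The function names are illustrative.

```python
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF

def cidr_to_range(cidr):
    """Example 1: return (first, last, netmask) for a CIDR block."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES    # 'prefix' leading 1 bits
    first = int(IPv4Address(address))
    if first & ~mask & ALL_ONES:
        raise ValueError(f"{cidr} has bits set outside the network ID")
    last = first | (~mask & ALL_ONES)                # host bits all set to 1
    return str(IPv4Address(first)), str(IPv4Address(last)), str(IPv4Address(mask))

def range_to_cidrs(first, last):
    """Example 2, generalized: fewest CIDR blocks that cover first..last exactly."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is greater than last address")
    blocks = []
    while lo <= hi:
        # The largest block starting at lo is limited by the alignment of lo ...
        host_bits = 32 if lo == 0 else (lo & -lo).bit_length() - 1
        # ... and by how many addresses remain in the range.
        while host_bits and lo + (1 << host_bits) - 1 > hi:
            host_bits -= 1
        blocks.append(f"{IPv4Address(lo)}/{32 - host_bits}")
        lo += 1 << host_bits
    return blocks

def covering_cidr(first, last):
    """Smallest single CIDR block containing both addresses (may be wider than the range)."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    host_bits = (lo ^ hi).bit_length()               # bits that differ are host bits
    base = lo >> host_bits << host_bits
    return f"{IPv4Address(base)}/{32 - host_bits}"

if __name__ == "__main__":
    print(cidr_to_range("10.0.0.0/8"))
    print(range_to_cidrs("192.168.0.0", "192.168.31.255"))
    # A range that is not a single block: exact cover versus one wider block.
    print(range_to_cidrs("192.168.0.0", "192.168.40.255"))
    print(covering_cidr("192.168.0.0", "192.168.40.255"))
```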
How do I express a subnet mask?
You can use one of the following methods to express a subnet mask:
Use dotted decimal notation.
The default subnet mask of a Class A network is 255.0.0.0.
Append a forward slash (/) and a number ranging from 1 to 32 to the end of an IP address to define a subnet mask. This number indicates the number of network ID bits in the subnet mask.
How do I plan subnets?
For more information about the best practices for planning subnets, see Plan networks.
How can I view the resource quota?
For more information about how to view the limits and quotas of resources, see Limits.