Elastic IP Address: EIP troubleshooting

Last Updated: Jun 10, 2026

If an EIP is unreachable, run instance diagnosis, Reachability Analyzer, and traffic analysis to troubleshoot connectivity and configuration issues.

Prerequisites

  • You have activated Network Intelligence Service (NIS).

  • When you run a diagnosis for the first time, the system automatically creates the service-linked role AliyunServiceRoleForNis to obtain the required permissions.

Instance diagnosis

Run automated health checks on an EIP to identify issues related to configuration, capacity, security, and billing, and receive remediation suggestions.

  1. Go to the EIP console, select a region, and then click the ID of the target EIP.

  2. On the Diagnose tab, run a diagnosis. You can select Show All Diagnostic Items to view all diagnostic results. You can also go to the NIS instance diagnosis page to view historical results.

    Diagnostic items

    Category: Configuration Diagnostics
    Checks:
    • Instance Status
    • EIP Allocation Status

    Category: Quota Limit Diagnostics
    Checks:
    • High EIP Bandwidth Usage
    • Packets Dropped Due to EIP Bandwidth Throttling

    Category: Security Policy Diagnostics
    Checks:
    • Anti-DDoS Origin Basic Status
    • Interception by Cloud Firewall
    • Penalty for Security Control
    • Suspension for Security Reasons

    Category: Cost Diagnostics
    Checks:
    • Alerts for Overdue Payments
    • Alerts for Expiration

  3. To further investigate issues related to public network ISPs, click Internet Diagnostics at the bottom of the page. You can then set an access region to check the public network connectivity to the target EIP from ISPs both within and outside the Chinese mainland.

    Common causes of connectivity issues

    Cause: Cloud security policies
    Actions:
    • DDoS blocking: Anti-DDoS Basic automatically sets a scrubbing threshold based on the EIP bandwidth. If inbound traffic exceeds the protection capacity of Anti-DDoS Basic, a blackhole route is triggered and all inbound traffic is blocked. Check the protection threshold in the Anti-DDoS console.
    • WAF blocking: After you add your website to Web Application Firewall (WAF), access exceptions may occur.
    • Cloud Firewall blocking: Cloud Firewall inspects traffic for public IP assets. Check whether any access control policies are blocking the traffic.

    Cause: Resource-side security policies
    Actions:
    Check the iptables rules, operating system (OS) firewall, third-party security software, and network interface card (NIC) drivers on the associated resource instance.

    Cause: ISP blocking
    Actions:
    Run a diagnosis to identify the affected area. If ISP blocking occurs:
    1. Contact the ISP to confirm the cause.
    2. To view public network performance data, add the VPC Flow Logs of the elastic network interface (ENI) to an NIS traffic analyzer.
    3. If the service is critical, you can replace the EIP: unbind the original EIP and then bind a new EIP.
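
For the resource-side iptables check listed above, the following is an added example and not part of the original documentation: a shell function that reads `iptables -S INPUT` output and reports what a new inbound TCP connection to a given port would hit, with the first matching rule deciding. The sample rule set and the helper name `input_verdict` are constructed for illustration; rules with source, interface or negated matches are reported as conditional rather than evaluated, and jumps to user-defined chains are not followed.

```shell
#!/bin/sh
# Added example. SAMPLE_RULES is constructed `iptables -S INPUT` output.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,8000:8100 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT'

# input_verdict PORT (hypothetical helper): reads `iptables -S INPUT` text on
# stdin and prints the fate of a NEW inbound TCP connection to PORT.
# Rules are walked in order; the first unconditional terminal rule decides.
input_verdict() {
  awk -v port="$1" '
    # True if port is in a --dport/--dports spec such as "443" or "80,8000:8100".
    function in_ports(spec,    n, k, parts, r) {
      n = split(spec, parts, ",")
      for (k = 1; k <= n; k++) {
        if (split(parts[k], r, ":") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
        } else if (parts[k] + 0 == port + 0) return 1
      }
      return 0
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      applies = 1; partial = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "!") { partial = 1; i += 2 }           # negated match: not evaluated
        else if ($i == "-p" && $(i+1) != "tcp" && $(i+1) != "all") applies = 0
        else if (($i == "--dport" || $i == "--dports") && !in_ports($(i+1))) applies = 0
        else if (($i == "--ctstate" || $i == "--state") && $(i+1) !~ /NEW/) applies = 0
        else if ($i == "-i" && $(i+1) == "lo") applies = 0   # loopback only
        else if ($i == "-s" || $i == "-i") partial = 1        # some sources/interfaces
        else if ($i == "-j") target = $(i+1)
      }
      if (!applies || target !~ /^(ACCEPT|DROP|REJECT)$/) next
      if (partial) { print "CONDITIONAL " target ": " $0; next }
      print "VERDICT " target ": " $0; decided = 1; exit
    }
    END { if (!decided) print "VERDICT " policy ": default policy (-P INPUT " policy ")" }
  '
}

# Run against the constructed sample; on a host: iptables -S INPUT | input_verdict 443
printf '%s\n' "$SAMPLE_RULES" | input_verdict 443
```

With the sample rules, port 443 ends at the default DROP policy because no rule accepts new TCP connections to it, which is the kind of resource-side block that the cloud-side diagnostics do not see.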

Reachability Analyzer

If an EIP is unreachable, you can use Reachability Analyzer to test the connectivity between the EIP and a destination resource and diagnose network configuration issues. The analysis does not send real data packets or affect your services.

  1. Go to the EIP console, select a region, and in the Diagnose column of the target EIP, click Diagnose > Reachability Analyzer.

  2. Select the Source and Destination resources, configure the Protocol, Destination Port, and an analysis name, and then click Start Analyzing.

  3. After the analysis is complete, Reachability Analyzer displays a hop-by-hop virtual network path from the source to the destination. If the path is blocked, the analyzer identifies the blocking point and its cause.

Traffic analysis

EIPs integrate with the public traffic analysis feature of NIS. You can use an NIS traffic analyzer to view the volume and ranking of inbound and outbound EIP traffic, displayed as 2-tuples or 5-tuples. You can use this traffic data and monitoring metrics to troubleshoot issues.

The traffic analysis feature on the EIP monitoring page is part of the NIS traffic analyzer and requires NIS activation. If NIS is not activated, the traffic analysis status on the EIP monitoring page is displayed as "Not activated". For activation instructions, see the Prerequisites section of this topic.

During its public preview, NIS traffic analysis was automatically enabled for some accounts, allowing them to view data without manual activation. After the commercial release, all new accounts must manually activate NIS to use this feature.

  • Traffic analyzers work by detecting Internet traffic in VPC flow logs. VPC flow logs collect traffic information only from elastic network interfaces (ENIs). In Internet scenarios, traffic analyzers cannot guarantee collection of the Internet traffic of IP Target and Classic Load Balancer (CLB).

  • VPC flow logs support traffic collection at only three granularity levels: VPC, switch, and ENI. Collecting only Internet traffic is not yet supported. To obtain all Internet traffic analysis data with a traffic analyzer, we recommend that you enable traffic analysis for the corresponding VPC as needed; the traffic analyzer then provides Internet traffic analysis by parsing the Internet traffic in the VPC flow logs. To obtain traffic analysis data for a specific public IP address, enable traffic analysis for the ENI to which the public IP address is bound.

  1. Create an NIS traffic analyzer.

  2. Create VPC Flow Logs as a data source. To collect traffic data from an elastic network interface (ENI) that is bound to an EIP, set Resource Type and Resource Instance to the target ENI.

  3. View public traffic analysis charts.

Self-service troubleshooting

Go to the self-service troubleshooting page, select an issue category, and follow the on-page guidance to find relevant documentation and recommended actions.