All Products
Search

This Product

    Elastic IP Address:EIP instance diagnosis

    Document Center

    Elastic IP Address:EIP instance diagnosis

    Last Updated:Dec 22, 2025

    If you encounter an issue with your Elastic IP address (EIP) instance, use the EIP instance diagnosis feature to troubleshoot. The EIP instance diagnosis feature checks the configuration and running status of an EIP instance and provides quick fixes for detected issues to help you resolve problems. This topic describes how to run a diagnosis on an EIP instance and view the diagnosis information.

    Prerequisites

    • You have activated Network Intelligence Service (NIS). You can activate the service on the Service Activation page.

    • If this is the first time that you run an instance diagnosis, the system automatically creates a service-linked role named AliyunServiceRoleForNis to grant the required permissions. For more information, see Service-linked Role.

    • You have created the EIP instance that you want to diagnose. For more information, see Apply for an EIP.

    Procedure

    1. Log on to the Elastic IP Address console.

    2. In the top navigation bar, select the region where the EIP is created.

    3. On the Elastic IP Addresses page, find the EIP instance that you want to diagnose. In the Diagnose column, click Diagnose > Instance Diagnosis.

    4. In the Instance Health Diagnosis panel, view the diagnosis progress, result summary, and details.

      In the Diagnostic Item Details section, click Show All Diagnostic Items to view the details of the EIP diagnosis. You can also click Go to NIS to view historical diagnoses at the top of the Instance Health Diagnosis panel. You will be redirected to the User Overview page of the Network Intelligence Service console to view more information about the EIP instance diagnosis. For more information about EIP instance diagnosis items, see Instance diagnosis items and details.

    5. To check for public network carrier issues, run a public network diagnosis on the EIP instance.

      1. At the bottom of the Diagnostic Item Details section in the Instance Health Diagnosis panel, click Public Network Diagnosis or Re-diagnose.

      2. In the Public Network Diagnosis dialog box, select an Access Area and a Target Instance, and then click OK.

      Based on the selected Access Area, the system checks the public network connectivity from carriers in the Chinese mainland and outside the Chinese mainland to the target EIP. If an access exception occurs, the system provides possible causes and suggested solutions. For more information, see Public network diagnosis results.

    Diagnosis items and details

    Instance diagnosis items and details

    The following table describes the supported diagnosis items for an EIP instance.

    Categorization

    Specific diagnosis item and description

    Configuration Diagnostics

    • Instance Service Status Check: Checks whether the service status of the EIP instance is normal.

    • EIP Allocation Status Check: Checks whether the EIP instance is attached to a cloud resource.

    Quota Limit Diagnostics

    • High EIP Bandwidth Usage: Checks whether the bandwidth usage of the EIP instance is normal.

    • Packet Loss Due to EIP Bandwidth Throttling: Checks whether packet loss occurs on the EIP instance because the bandwidth limit is exceeded.

    Security Policy Check

    • Anti-DDoS Basic Status: Checks whether the network behavior of the EIP instance is protected by Anti-DDoS.

    • Cloud Firewall Interception: Checks whether the network behavior of the EIP instance is intercepted by Cloud Firewall.

    • Security Control Penalty: Checks whether the network behavior of the EIP instance is penalized by Alibaba Cloud Security.

    • Risk Control Lock: Checks whether the EIP instance is locked for risk control.

    Cost Diagnostics

    • Overdue Payment Alert: Checks whether the EIP instance has an overdue payment.

    • Expiration Warning: Checks whether the EIP instance is in a warning state 15 days before expiration.

    Public network diagnosis results

    After you run a public network diagnosis on an EIP instance, the following table describes the possible causes of access exceptions and provides suggested solutions.

    Possible cause

    Suggestion

    Blocked by cloud security policies

    Check whether traffic is intercepted by the following cloud security policies:

    • DDoS interception

      Anti-DDoS Basic automatically sets a scrubbing threshold based on the bandwidth of the EIP instance. When traffic reaches the threshold, Alibaba Cloud Security starts to scrub traffic, regardless of whether it is normal service traffic. When the traffic from the Internet is greater than the DDoS mitigation capability, the traffic is routed to a blackhole to protect the entire cluster. This means all inbound traffic is blocked. To view the mitigation threshold of the EIP instance, see Anti-DDoS Basic.

    • WAF interception

      If a website encounters access exceptions after it is connected to Web Application Firewall (WAF), see Website access exceptions for the troubleshooting process.

    • Cloud Firewall interception

      The Internet firewall of Cloud Firewall helps you detect traffic between the Internet and assets that are assigned public IP addresses. If you enable Cloud Firewall for the EIP, traffic may be intercepted by an access control policy. To configure an access control policy, see Configure an access control policy for the Internet Border.

    Blocked by security policies of the attached resource

    Check whether traffic is intercepted by the security policies of the attached resource.

    For example, if the EIP is attached to an ECS instance, check the iptables rules, system firewall policies, and third-party security software of the ECS instance. Also, check whether the network interface card driver is correctly installed.

    Blocked by carrier

    After you check the cloud security policies and the security policies of the attached resource, if the EIP is still inaccessible, the EIP may be blocked by the carrier.

    You can use the EIP instance diagnosis feature to perform a public network diagnosis on the EIP and view the regions where access exceptions occur. For more information, see EIP instance diagnosis.

    If the EIP is blocked by a carrier, follow these suggestions:

    • Call the carrier to verify the specific reason.

    • Import the VPC flow logs to NIS Traffic Analyzer to view the corresponding public network performance and traffic data. When you configure the flow log, select the elastic network interface where the EIP is located as the collection target.

    • If your services are critical, you can replace the EIP. To replace the EIP, first detach the original EIP, and then attach a new EIP. For more information, see Attach an EIP to a cloud resource and Detach an EIP from a cloud resource.

    References

    • For more information about the instance diagnosis feature of Network Intelligence Service, see Use instance diagnosis.

    • You can also use the self-service troubleshooting feature. This feature helps you troubleshoot various issues with EIP instances, such as inaccessibility, access exceptions, quotas, and fees. For more information, see Self-service troubleshooting.