All Products
Document Center

You cannot ping an ECS instance after you delete the default security group rule of an ECS instance

Last Updated: Apr 28, 2022


You cannot ping the ECS instance. Troubleshoot the configurations such as the firewall and network interface controller IP of the ECS instance. There are no exceptions. Even if you roll back the operating system of the ECS instance, you still cannot ping the ECS instance.


By default, the security group of an ECS instance contains rules that enable the ICMP protocol. That is, the ECS instance is allowed to be pinged. If this rule is deleted, the ECS instance cannot be pinged. For more information about the default security group rules of ECS instances, see More information.


Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

Follow these steps to add the ICMP security group rule again. After you confirm that the security group rule is added, you can ping the ECS instance.

  1. Log on to the ECS console and click Instances.
  2. In the upper-left corner of the top navigation bar, select a region.
  3. On the Instances page, click the ID of the instance.
  4. On the Instance Details page, click Security Groups. In the Security Groups section, click the ID of the security group.
  5. On the Security Group Rules page, set Inbound to Manually Add, set Authorization Policy to Allow, set Priority to Default, set Protocol Type to All ICMP(IPv4), set Port Range to -1/-1, set Authorization Object to, set Description, and click Save.

More information

When you create an ECS instance in a region by using the ECS console, a Default Security Group is created if no security group has been created within the current account in this region. The default security group is a normal security group. The network type is the same as that of an ECS instance. 
By default, the default security group has the following security group rules:
  • Inbound:
    • Default permission: ICMP, SSH port 22, and RDP port 3389. The authorization object is
    • You can also allow traffic over HTTP port 80 and HTTPS port 443.
    • Rule priority: 100
      Note: The priority of the default security group rules created by the system before May 27, 2020 is 110.
  • Outbound: All access requests are allowed.

Applicable scope

  • ECS