
Network Intelligence Service: Work with the reachability analyzer

Last Updated: Apr 02, 2026

The reachability analyzer in Network Intelligence Service (NIS) analyzes your virtual network configuration hop-by-hop and tells you whether traffic can reach its destination — without sending any actual packets. Use it to verify connectivity, pinpoint misconfigurations, and confirm that fixes work.

Use cases

  • Troubleshoot connectivity failures: Find exactly which node is blocking traffic and why.

  • Verify intended connectivity: Confirm that your network configuration matches what you designed.

  • Validate after changes: Re-analyze a saved path after updating security groups, routes, or firewall rules.

How it works

When you run an analysis, NIS traces the virtual network path between a source and a destination, checking each intermediate node's configuration — security groups, network access control lists (ACLs), route tables, and load balancer settings. The analysis returns one of three outcomes: reachable, unreachable (with the blocking node and error identified), or analysis error.

The reachability analyzer checks configuration only. It does not send data packets or inspect actual traffic, so a reachable result means that the virtual network configuration permits the traffic; it does not confirm that the destination is listening on the port or that a host-level firewall on the instance (for example iptables) allows it. Because each analysis covers one direction, run two separate analyses with the source and destination swapped to check traffic in both directions.

Supported intermediate nodes

vSwitches, vRouters, elastic network interfaces (ENIs), elastic IP addresses (EIPs), Classic Load Balancer (CLB) instances, transit routers, virtual border routers (VBRs), Internet NAT gateways, Cloud Firewall instances, VPN gateways, IPv4 gateways, and Express Connect routers (ECRs).

Supported scenarios

  • ECS instance -> ECS instance (same region): connected via Cloud Enterprise Network (CEN), VPC peering, or transit routers. VPC firewalls can be identified.

  • ECS instance -> ECS instance (different regions): connected via CEN, VPC peering, or transit routers. Source and destination can belong to different Alibaba Cloud accounts. VPC firewalls can be identified.

  • ECS instance -> public IP address: Internet firewalls can be identified.

  • Public IP address -> internal-facing CLB instance.

  • ECS instance -> Internet-facing CLB instance.

  • ECS instance -> Internet (via SNAT): uses the SNAT entries of an Internet NAT gateway.

  • Internet (via DNAT) -> ECS instance: uses the DNAT entries of an Internet NAT gateway.

  • ECS instance -> private IP address: connected via VPN gateways.

  • VPC instance -> on-premises site: connected via VBRs. VPC firewalls can be identified.

Limitations

Supported source and destination types

  • Source: ECS instance, public IP address, vSwitch, VBR, VPN gateway, on-premises private IP address

  • Destination: ECS instance, public IP address, vSwitch, VBR, VPN gateway, on-premises private IP address, CLB instance
Important

If you specify public IP addresses as both the source and the destination, at least one must be the public IP address of an ECS instance. Otherwise, the analysis cannot proceed.

Quotas per Alibaba Cloud account

  • Paths: 100 (not adjustable)

  • Analysis records: 1,000

  • Concurrent analyses: 5

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account with access to the NIS console

  • The source and destination resources already created (ECS instances, VPN gateways, VBRs, CLB instances, or other supported types)

Create a path and run an analysis

  1. Log on to the NIS console.

  2. In the left-side navigation pane, choose Self-service Diagnostics > Reachability Analyzer.

  3. On the Reachability Analyzer page, click Start Analyzing.

  4. On the Start Analyzing page, configure the following parameters.

    • Source: set Source Type to one of ECS (select an instance and, optionally, one of its private IP addresses; the primary private IP address is used if none is selected), Public IP Address (enter a static public IP address, an EIP, or a public IP address outside Alibaba Cloud; at least one endpoint must be an Alibaba Cloud public IP address), vSwitch, VBR, VPN gateway, or Private IP Address (enter an on-premises private IP address reachable through a VPN gateway or a VBR).

    • Destination: set Destination Type to one of ECS, Public IP Address, vSwitch, VBR, VPN gateway, Private IP Address, or CLB. The same rules apply as for the source.

    • Protocol: select TCP (default), UDP, or ICMP.

    • Destination Port: enter the destination port number (default: 80). Leave blank to check reachability across all ports.
  5. Choose whether to save the path for reuse. Default: No. Select Yes to save the path parameters so you can re-analyze the same path later without reconfiguring it.

  6. Click Start Analyzing. NIS runs the analysis and opens the path analysis details page when complete.

Read the results

The path analysis details page shows the full hop-by-hop path from source to destination. Reachable nodes are displayed normally; blocked or failed nodes are highlighted with an error message.

Click the drop-down arrow icon next to any node to see its configuration details.

Path is reachable

The source can reach the destination. All intermediate nodes are configured correctly.

The following figure shows an example where an ECS instance can reach a vSwitch in a different virtual private cloud (VPC) over a VPC peering connection.

[Figure: path is reachable]

Click the drop-down arrow icon next to a node to view its details.


Path is unreachable

The analysis identified a node blocking the traffic. The page displays the blocking node and an error message explaining the cause.

The following figure shows an example where an ECS instance cannot reach a NAT gateway because the NAT gateway entries do not match.

[Figure: path is unreachable, blocking node highlighted]

Click the drop-down arrow icon next to the highlighted node to see its configuration details and determine what to fix.

Analysis error

The analysis could not complete. The page displays an error message.

[Figure: analysis error]

Troubleshooting

The following list gives the error messages returned by the reachability analyzer and how to resolve each one.

  • "The source resource cannot be the same as the destination resource."
    Choose different source and destination resources.

  • "The reachability analyzer is not supported because the path has an unsupported intermediate node."
    The path includes a node type that the reachability analyzer does not support. Verify that all intermediate nodes are in the supported list above.

  • "The resource does not exist. Check whether the resource is already deleted."
    The source or destination resource was deleted. Recreate it or choose a different resource.

  • "The resource is in an invalid state. Check whether the resource is running as expected."
    The resource exists but is not in a running state. Check its status in the console.

  • "The route is unreachable. Check the configuration of the route."
    A route table entry is missing or misconfigured. For cross-region VPC peering, make sure both VPCs have routes pointing to each other's CIDR blocks.

  • "The request does not match security group rules and is rejected by the default rule."
    No security group rule matches the traffic. Add an allow rule for the required protocol, port, and source.

  • "The request matches the deny rule of the security group."
    A deny rule in the security group is blocking the traffic. Review and update the security group rules.

  • "The request does not match network ACL rules and is denied by the default rule."
    No network ACL rule matches the traffic. Add an allow rule for the required traffic.

  • "The request matches the deny rule of the network ACL."
    A deny rule in the network ACL is blocking the traffic. Update the network ACL rules.

  • "The request matches the specified CLB instance denylist and is denied."
    The source IP address is on the CLB instance's denylist. Remove it from the denylist.

  • "The request does not match the CLB instance allowlist and is denied by the default rule."
    The CLB allowlist is enabled but does not include the source. Add the source IP address to the allowlist.

  • "The entries of the Internet NAT gateway do not match. Check the configurations of the Internet NAT gateway."
    The SNAT or DNAT entry does not cover the source or destination. Verify the NAT gateway entries.

  • "Internet connections cannot be established. Configure an EIP."
    No EIP is associated with the resource. Associate an EIP to enable Internet access.

  • "The IPv4 gateway route is unreachable. Add a route that points to the IPv4 gateway to the VPC route table."
    The VPC route table is missing a route for the IPv4 gateway. Add the route.

  • "Internet connections cannot be established because the IPv4 gateway is deleted after you activate the IPv4 gateway. Create an IPv4 gateway, activate the IPv4 gateway, and then add a route that points to the IPv4 gateway to the VPC route table."
    The IPv4 gateway was deleted after activation. Create and activate a new IPv4 gateway, then add the route to the VPC route table.

  • "The route is unreachable. Check the route configuration of the IPv4 gateway."
    The IPv4 gateway route is misconfigured. Review the route configuration.

  • "The VPN gateway does not have a return route that points to the source IP address."
    The VPN gateway is missing a return route. Add a route pointing to the source IP address.

  • "The result is unknown because an error occurred. Try again later."
    A transient error occurred. Retry the analysis.

  • "The system has an internal error. Try again later."
    An internal system error occurred. Retry the analysis. If the error persists, contact Alibaba Cloud support.
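The following Python model, added here as an illustration and not code from NIS, makes the evaluation described under "How it works" concrete and produces the messages from the list above: the vRouter hop does a longest-prefix route lookup, the destination vSwitch's network ACL is evaluated first-match with a default deny, and the destination ENI's security group picks the matching rule with the lowest priority number, with a drop rule winning a tie. Those rule semantics and the three-hop path are simplifications assumed for the example; the topology, addresses and rules are constructed. The "reverse" case shows why each direction needs its own analysis: the forward path fails at the security group, while the return path fails earlier, at the vRouter, because VPC-B has no route back to VPC-A.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Error strings as they appear in the troubleshooting list on this page.
ERR_ROUTE = "The route is unreachable. Check the configuration of the route."
ERR_SG_DEFAULT = "The request does not match security group rules and is rejected by the default rule."
ERR_SG_DENY = "The request matches the deny rule of the security group."
ERR_ACL_DEFAULT = "The request does not match network ACL rules and is denied by the default rule."
ERR_ACL_DENY = "The request matches the deny rule of the network ACL."

@dataclass(frozen=True)
class Flow:
    protocol: str        # "tcp", "udp" or "icmp"
    src: str             # source IP address
    dst: str             # destination IP address
    port: Optional[int]  # destination port; None = no port constraint (the console's "all ports")

@dataclass(frozen=True)
class Rule:
    policy: str          # "accept" or "drop"
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # remote (source) CIDR block of an ingress rule
    ports: tuple = (1, 65535)
    priority: int = 100  # security groups only: lower number wins (assumed semantics)

    def matches(self, flow: Flow) -> bool:
        if self.protocol not in ("all", flow.protocol):
            return False
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.cidr):
            return False
        if flow.port is None or flow.protocol == "icmp":
            return True
        return self.ports[0] <= flow.port <= self.ports[1]

def next_hop(route_table: dict, flow: Flow) -> Optional[str]:
    """Longest-prefix match over {cidr: next_hop}; None when no route covers the destination."""
    dst = ipaddress.ip_address(flow.dst)
    hits = [(ipaddress.ip_network(c), nh) for c, nh in route_table.items() if dst in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def eval_network_acl(rules: list, flow: Flow) -> Optional[str]:
    """Ordered rules, first match decides; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(flow):
            return None if rule.policy == "accept" else ERR_ACL_DENY
    return ERR_ACL_DEFAULT

def eval_security_group(rules: list, flow: Flow) -> Optional[str]:
    """Lowest priority number wins; at equal priority a drop rule beats an accept rule."""
    hits = [rule for rule in rules if rule.matches(flow)]
    if not hits:
        return ERR_SG_DEFAULT
    winner = min(hits, key=lambda rule: (rule.priority, rule.policy != "drop"))
    return None if winner.policy == "accept" else ERR_SG_DENY

def analyze(topology: dict, flow: Flow):
    """Return (verdict, hops): hops are (node, status) in path order, ending at the first blocking node."""
    hops = []
    hop = next_hop(topology["routes"], flow)
    hops.append(("vRouter", ERR_ROUTE if hop is None else f"next hop {hop}"))
    if hop is None:
        return "unreachable", hops
    for node, check, rules in (("vSwitch network ACL", eval_network_acl, topology["acl"]),
                               ("ENI security group", eval_security_group, topology["sg"])):
        err = check(rules, flow)
        hops.append((node, err or "allowed"))
        if err:
            return "unreachable", hops
    return "reachable", hops

# Constructed sample: VPC-A (10.0.0.0/16) peered with VPC-B (10.1.0.0/16).
FORWARD = {  # ECS 10.0.1.10 in VPC-A -> ECS 10.1.2.20 in VPC-B
    "routes": {"10.0.0.0/16": "local", "10.1.0.0/16": "peer-to-vpc-b"},  # VPC-A route table
    "acl": [Rule("accept", "all", "0.0.0.0/0")],                            # VPC-B vSwitch network ACL
    "sg": [Rule("accept", "tcp", "10.0.1.0/24", (80, 80)),                  # VPC-B ENI security group;
           Rule("drop", "tcp", "10.0.0.0/16", (80, 80))],                   # same priority, so drop wins
}
REVERSE = {  # ECS 10.1.2.20 in VPC-B -> ECS 10.0.1.10 in VPC-A; VPC-B has no route back to VPC-A
    "routes": {"10.1.0.0/16": "local"},
    "acl": [Rule("accept", "all", "0.0.0.0/0")],
    "sg": [Rule("accept", "all", "10.1.0.0/16")],
}

def demos() -> dict:
    """Run the three sample analyses; the 'fixed' case removes the drop rule and re-analyzes the same path."""
    fixed = dict(FORWARD, sg=[r for r in FORWARD["sg"] if r.policy == "accept"])
    return {
        "forward": analyze(FORWARD, Flow("tcp", "10.0.1.10", "10.1.2.20", 80)),
        "forward after fix": analyze(fixed, Flow("tcp", "10.0.1.10", "10.1.2.20", 80)),
        "reverse": analyze(REVERSE, Flow("tcp", "10.1.2.20", "10.0.1.10", 80)),
    }

if __name__ == "__main__":
    for name, (verdict, hops) in demos().items():
        print(f"{name}: {verdict}", *[f"  {node}: {status}" for node, status in hops], sep="\n")
```

Running the script prints each hop and its status. The "forward after fix" case is what a re-analysis of the saved path returns once the drop rule has been removed; note that the security-group message distinguishes an explicit drop from a missing allow rule, and that the UDP variant of the same flow hits the default-rule message because no rule matches it at all.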

Manage paths and analysis records

Re-analyze a path

On the path analysis details page, click Start Analyzing. A new analysis record is added to the Historical Analysis section. Use the Analyzed At column to distinguish records.

Delete an analysis record

  1. On the Reachability Analyzer page, click a path ID in the Path ID column.

  2. In the Historical Analysis section, find the record and click Delete in the Actions column.

  3. Click OK to confirm.

Delete a path

On the Reachability Analyzer page:

  • To delete a single path: find the path and click Delete in the Actions column.

  • To delete multiple paths at once: select the paths and click Delete below the list.

Click OK to confirm.

Manage tags

Add tags to paths to group and filter them.

Add tags to multiple paths

  1. Select the paths on the Reachability Analyzer page.

  2. Choose Add Tag > Batch Add Tags.

  3. In the Edit Tag dialog box, enter Tag Key and Tag Value, then click OK.

Remove tags from multiple paths

  1. Select the paths on the Reachability Analyzer page.

  2. Choose Add Tag > Batch Delete Tags.

  3. Click OK to confirm.

For more information about tags, see Tag overview.

FAQ

Why does the analysis return "The reachability analyzer is not supported because the path has an unsupported intermediate node"?

The path includes a node type that the reachability analyzer does not support. Check whether all resources between the source and destination are in the supported intermediate nodes list.

Why does the analysis return "The request matches the deny rule of the security group"?

A security group rule explicitly drops the traffic. For example, if the security group on the destination ECS instance has an allow rule for a specific vSwitch's CIDR block and a deny rule for all other sources, traffic from any other source matches the deny rule and is blocked. (If no rule matches at all, the analyzer reports the default-rule message instead.)

Open the ENI details on the destination ECS instance to see which security group rule is blocking the traffic, then update the rule to allow the required traffic.

Why does the analysis return "The route is unreachable. Check the configuration of the route"?

A route is missing from one of the VPC route tables. For cross-region paths using VPC peering, both VPCs must have routes pointing to the other's CIDR block. If VPC 1 (Region 1) does not have a route to VPC 2 (Region 2), traffic from ECS instances in VPC 1 is dropped at the vRouter. Add the missing route and re-analyze the path.

API reference

  • CreateNetworkPath: creates a network path for reachability analysis.

  • CreateNetworkReachableAnalysis: creates an analysis task for an existing network path.

  • CreateAndAnalyzeNetworkPath: creates a network path and starts an analysis task on it in one call.

  • GetNetworkReachableAnalysis: gets the result of a reachability analysis.

  • DeleteNetworkPath: deletes a network path.

  • DeleteNetworkReachableAnalysis: deletes a reachability analysis task.
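The workflow below, written as an added example rather than Alibaba Cloud SDK or NIS code, does programmatically what the console procedure does: CreateNetworkPath saves the path, CreateNetworkReachableAnalysis starts an analysis on it, and GetNetworkReachableAnalysis is polled for the verdict. Requests are signed with the standard Alibaba Cloud RPC-style signature (HMAC-SHA1 over the sorted, percent-encoded query) using only the Python standard library, so no SDK is needed. The endpoint, the 2021-12-16 API version, the parameter names (SourceType, SourceId, TargetType, TargetId, Protocol, TargetPort, NetworkPathId, NetworkReachableAnalysisId), the type value "ecs" and the status values "finished" and "failed" are assumptions taken from the NIS API reference and should be checked against the current reference; credentials are read from environment variables, and the instance IDs in the main block are placeholders.

```python
import base64
import hashlib
import hmac
import json
import os
import time
import urllib.parse
import urllib.request
import uuid

ENDPOINT = "https://nis.cn-hangzhou.aliyuncs.com"  # assumption: NIS endpoint for cn-hangzhou
API_VERSION = "2021-12-16"                          # assumption: NIS API version

def percent_encode(value) -> str:
    """RFC 3986 encoding as the signature spec requires: space -> %20, '*' -> %2A, '~' untouched."""
    return urllib.parse.quote(str(value), safe="").replace("+", "%20").replace("*", "%2A").replace("%7E", "~")

def string_to_sign(params: dict, method: str = "GET") -> str:
    """METHOD&%2F&<percent-encoded canonical query>, with the query sorted by parameter name."""
    canonical = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"

def sign_request(action: str, params: dict, access_key_id: str, access_key_secret: str,
                 timestamp: str = None, nonce: str = None) -> dict:
    """Add the common parameters and the HMAC-SHA1 Signature; timestamp and nonce are injectable for tests."""
    query = {
        "Action": action, "Version": API_VERSION, "Format": "JSON",
        "AccessKeyId": access_key_id, "SignatureMethod": "HMAC-SHA1", "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **params,
    }
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign(query).encode(), hashlib.sha1).digest()
    query["Signature"] = base64.b64encode(digest).decode()
    return query

def call(action: str, params: dict) -> dict:
    """Send one signed GET request. Credentials come from the environment, never from source code."""
    query = sign_request(action, params, os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                         os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"])
    url = ENDPOINT + "/?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in query.items())
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def analyze_path(region_id: str, path_params: dict, poll_seconds: int = 5, max_polls: int = 60) -> dict:
    """Create a saved path, start an analysis on it and poll until it completes.

    Keeping NetworkPathId lets you call CreateNetworkReachableAnalysis again on the same
    path after a fix, which is what the console's re-analyze action does.
    """
    path = call("CreateNetworkPath", {"RegionId": region_id, **path_params})
    analysis = call("CreateNetworkReachableAnalysis",
                    {"RegionId": region_id, "NetworkPathId": path["NetworkPathId"]})
    analysis_id = analysis["NetworkReachableAnalysisId"]
    for _ in range(max_polls):
        result = call("GetNetworkReachableAnalysis",
                      {"RegionId": region_id, "NetworkReachableAnalysisId": analysis_id})
        # Assumed status values; a finished analysis carries the reachable/unreachable verdict in the response.
        if result.get("NetworkReachableAnalysisStatus") in ("finished", "failed"):
            return result
        time.sleep(poll_seconds)
    raise TimeoutError(f"analysis {analysis_id} did not complete after {max_polls} polls")

if __name__ == "__main__":
    # Same inputs as the console form: ECS -> ECS over TCP/80. Type names are assumed, IDs are placeholders.
    result = analyze_path("cn-hangzhou", {
        "NetworkPathName": "web-to-db",
        "SourceType": "ecs", "SourceId": "i-bp1aaaaaaaaaaaaaaaaa",
        "TargetType": "ecs", "TargetId": "i-bp1bbbbbbbbbbbbbbbbb",
        "Protocol": "tcp", "TargetPort": 80,
    })
    print(json.dumps(result, indent=2))
```

Each call to analyze_path creates one saved path and one analysis record, so a script that runs on every change counts against the 100-path, 1,000-record and 5-concurrent-analysis quotas; reuse the NetworkPathId for re-analysis and delete stale paths with DeleteNetworkPath rather than creating a new path each time.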