All Products
Search

This Product

    ApsaraDB RDS:What do I do if I am unable to connect to an ApsaraDB RDS instance and the "Destination Host Unreachable" error message is displayed when I ping the internal endpoint of the instance?

    Document Center

    ApsaraDB RDS:What do I do if I am unable to connect to an ApsaraDB RDS instance and the "Destination Host Unreachable" error message is displayed when I ping the internal endpoint of the instance?

    Last Updated:Sep 28, 2023

    I cannot connect to an ApsaraDB RDS instance, and the "Destination Host Unreachable" error message is displayed when I ping the internal endpoint of the instance.

    Problem description

    The internal endpoint of the RDS instance cannot be pinged from an Elastic Compute Service (ECS) instance, and the "Destination Host Unreachable" error message is displayed. 

    PING rm-bpxxxx.mysql.rds.aliyuncs.com (172.17.0.31) 56(84) bytes of data.
From xxxx (172.17.0.1) icmp_seq=1 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=2 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=3 Destination Host Unreachable

    Causes

    The internal CIDR block of the RDS instance conflicts with the CIDR block of another service.

    Issue analysis

    1. Ping the internal endpoint of the RDS instance to obtain the private IP address of the instance. In this example, the private IP address of the instance is 172.17.0.31.

    2. Run the route-n command to view the route in a Linux system. The Linux system is used as example. The following information is returned: 

      Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.253    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br-350b446c181a

      The command output shows that the CIDR block of the br-350b446c181a NIC is 172.17.0.0/24 and conflicts with the private IP address of the RDS instance. As a result, the traffic from the ECS instance cannot be routed to the RDS instance.

      In most cases, the cause is that the CIDR block of a container service conflicts with the CIDR block of the RDS instance. The following section describes how to resolve route conflicts on a container service.

    Solutions

    Solution 1: Modify the default CIDR block of the container service

    Important

    • If you stop the Docker service or change the default CIDR block of the Docker service, services are interrupted . We recommend that you perform the operation during off-peak hours.

    • When you change the default CIDR block of the Docker service, make sure that the new CIDR block is compatible with the network settings of existing containers and applications to prevent connectivity issues.

    In this example, Linux is used.

    1. Stop the Docker service. 

      sudo systemctl stop docker

    2. Modify the configuration file of the Docker service. In most cases, the configuration file is saved in /etc/docker/daemon.json or /etc/docker/daemon.conf. The file name may vary. 

      sudo vim /etc/docker/daemon.json

      Use the following code snippet: 

      {
    "bip": "New CIDR block"
}

      In this example, the CIDR block 192.168.0.0/16 is used.

    3. Save and close the configuration file.

    4. Start the Docker service for the modification to take effect. 

      sudo systemctl start docker

    Solution 2: Change the vSwitch of the RDS instance

    You can change the vSwitch of the RDS instance to ensure that the CIDR block of the vSwitch does not conflict with the CIDR block of the container service.

    Important

    By default, different virtual private clouds (VPCs) cannot communicate with each other over an internal network. We recommend that you do not change the VPC of the RDS instance. This way, the internal network-based connections between the RDS instance and other Alibaba Cloud services are not affected.