Why Does My Linux ECS Fail to Access the Internet?
Symptom
Your attempt to access the Internet from your Linux ECS failed.
Fault Locating
The following fault causes are listed in order of their occurrence probability.
If the fault persists after you have ruled out a cause, check other causes.
| Possible Cause | Solution |
|---|---|
| The ECS is frozen or stopped, or has no EIP bound. | Check whether the ECS is in Running state and has an EIP bound. For details, see Checking the ECS Status. |
| The ECS is overloaded. | Check whether the bandwidth and vCPU usage of the ECS are too high. For details, see Checking Whether the ECS Is Overloaded. |
| The EIP bandwidth exceeds the limit. | Increase the bandwidth and try again. For details, see Checking Whether the EIP Bandwidth Exceeded the Limit. |
| The DNS configuration is incorrect. | Change the DNS server to a private one. For details, see Checking the DNS Configuration. |
| Specified resolution has been configured in the hosts file. | Check whether the mappings in the hosts configuration file are correct. For details, see Checking the hosts Configuration File. |
| Both Network and NetworkManager are enabled. | Use either of the two tools to prevent incompatibility issues. For details, see Checking Whether Both Network and NetworkManager Have Been Enabled. |
| The security group is incorrectly configured. | Check whether the security group allows the network traffic in the outbound direction. For details, see Checking Whether the Security Group Is Correctly Configured. |
| A network ACL has been associated with the ECS. | Disassociate the network ACL from the ECS and try again. For details, see Checking ACL Rules. |
| The website you want to visit is outside the Chinese mainland. | Optimize the website link configurations and try again. For details, see Checking Whether the Website to Be Visited Is Outside the Chinese Mainland. If the fault persists, use an HECS purchased in a region outside the Chinese mainland to access the website. |
| The EIP is blocked. | If the EIP is blocked, the ECS cannot access the Internet. For details, see Checking Whether the EIP Is Blocked. |
| The private IP address is lost. | Check whether the dhclient process is running. If it is not running, the private IP address may be lost. For details, see Checking Whether a Private IP Address Can Be Obtained. |
| NICs are incorrectly configured. | Check whether the NIC and DNS configurations are correct. For details, see Checking the NIC Configuration. |
| A firewall is enabled on the ECS. | Disable the firewall and try again. For details, see Checking the Firewall Configuration. |
Checking the ECS Status
- Check whether the ECS is in the Running state on the management console.
- Check whether the ECS has an EIP bound.
An ECS can access the Internet only if it has an EIP bound.
For details about how to bind an EIP to the ECS, see Assigning an EIP.
Checking Whether the ECS Is Overloaded
If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.
If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.
Checking Whether the EIP Bandwidth Exceeded the Limit
An ECS with an EIP bound accesses the Internet using the bandwidth configured for the EIP.
If Internet access fails, check whether the EIP bandwidth exceeds the limit.
Check whether the bandwidth exceeds the configured bandwidth size. For details, see How Do I Know If My EIP Bandwidth Limit Has Been Exceeded?
If the bandwidth exceeds the limit, increase the bandwidth. For details, see Changing an EIP Bandwidth.
Checking the DNS Configuration
Private DNS servers resolve domain names for the ECSs created using a public image by default. The private DNS servers do not affect the domain name resolution for the ECSs to access the Internet. Additionally, you can use the private DNS servers to directly access the internal addresses of other cloud services, such as OBS. Compared with the access through the Internet, this access mode features high performance and low latency.
For Linux ECSs, run the following command to check the DNS configuration:
cat /etc/resolv.conf
If the command output shown in Figure 1 is displayed, the domain name is resolved using the private DNS server.
If the domain name of the ECS is resolved using a non-private DNS server and you want to switch to a private DNS server, change the DNS server to a private one.
For details, see How Can I Configure the NTP and DNS Servers for an ECS?
Checking the hosts Configuration File
If the DNS configuration is correct but the ECS still cannot access the Internet, check whether the mapping information in the hosts configuration file is correct. In case of any incorrect mapping, comment it out.
For Linux, run the following command to view the hosts configuration:
vim /etc/hosts
If there is an incorrect domain name mapping, comment it out and save the hosts file.
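The two file checks above can also be done without opening an editor. The script below is an added example, not part of the original documentation: the function names are hypothetical and the sample files are constructed with documentation-range addresses. It lists the active nameservers and reports which hosts entries, if any, pin a given domain name.

```shell
#!/bin/sh
# Added example: read-only checks of resolv.conf and hosts content.
# File paths are parameters, so the functions also work on copies.

# Print the active (not commented-out) nameserver addresses, one per line.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print "line-number address" for each active hosts entry that maps NAME.
# Full-line and trailing comments are ignored; names match case-insensitively.
hosts_entries_for() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print NR, $1; next } }
    ' "$1"
}

# Succeeds if NAME is pinned in the hosts file. With the usual
# files-before-dns lookup order, such a name never reaches the DNS server.
is_pinned() {
    [ -n "$(hosts_entries_for "$1" "$2")" ]
}

# Constructed sample files (documentation-range addresses, not real servers).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
# constructed sample
nameserver 192.0.2.53
#nameserver 198.51.100.53
nameserver 192.0.2.54
EOF
cat > "$SAMPLE_DIR/hosts" <<'EOF'
# constructed sample
127.0.0.1     localhost localhost.localdomain
203.0.113.10  www.example.com   # stale mapping
#198.51.100.7 api.example.com
192.0.2.15    ecs-centos7
EOF

echo "Active nameservers:"; list_nameservers "$SAMPLE_DIR/resolv.conf"
for name in www.example.com api.example.com; do
    if is_pinned "$SAMPLE_DIR/hosts" "$name"; then
        echo "$name is pinned in hosts: $(hosts_entries_for "$SAMPLE_DIR/hosts" "$name")"
    else
        echo "$name is not in hosts; it is resolved through DNS"
    fi
done
```

On an ECS, pass /etc/resolv.conf and /etc/hosts instead of the sample paths. The line number in the output is the line to comment out if the mapping is wrong.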
Checking Whether Both Network and NetworkManager Have Been Enabled
Network and NetworkManager are two network management tools, and only one of them should be enabled at a time. If both are enabled, they conflict with each other.
Take CentOS 7 as an example. NetworkManager is recommended for CentOS 7.
- Check the Network or NetworkManager running status.
systemctl status NetworkManager
Checking Whether the Security Group Is Correctly Configured
Check whether the security group of the ECS is correctly configured. If an allowlist is configured for the outbound rules of the security group, the network traffic in the outbound direction is permitted.
As shown in Figure 2, all network traffic in the outbound direction is permitted.
For instructions about how to permit a protocol or port, see Configuring Security Group Rules.
Checking ACL Rules
By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.
- Check whether the subnet of the ECS has been associated with a network ACL.
If an ACL name is displayed, the network ACL has been associated with the ECS.
Figure 3 Network ACL
- Click the ACL name to view its status.
Figure 4 Enabled network ACL
- Disassociate the network ACL from the subnet of the ECS.
- Try to access the Internet through the ECS again.
Checking Whether the Website to Be Visited Is Outside the Chinese Mainland
Websites outside the Chinese mainland may not be accessible or respond slowly when you access them through an ECS. This is caused by the slow access of a DNS server outside the Chinese mainland.
If you intend to access websites outside the Chinese mainland, select a region according to the website when purchasing an ECS.
Checking Whether the EIP Is Blocked
IP address blocking means that all traffic is routed to a null route. If the EIP is blocked, the ECS cannot access the Internet.
Generally, blocked EIPs will be automatically unblocked after 24 hours if no subsequent attack occurs.
Checking Whether a Private IP Address Can Be Obtained
Private IP addresses may be lost if the dhclient process is not running or the target NIC is not managed by NetworkManager because NetworkManager automatic startup is not enabled. Perform the following operations to locate the fault:
Consider an ECS running CentOS 7 as an example.
- Run the following command to check whether dhclient is running:
- If dhclient is not detected, run the following command to check whether NetworkManager is running:
systemctl status NetworkManager
- If NetworkManager is in Active: inactive (dead) state, NetworkManager is not enabled. Run the following command to check whether NetworkManager is automatically started upon system startup:
systemctl is-enabled NetworkManager
If the command output is disabled, run the following command to enable NetworkManager automatic startup:
systemctl enable NetworkManager && systemctl start NetworkManager
- If NetworkManager is in Active: active (running) state, run the following command to check whether the target NIC is managed by NetworkManager:
nmcli device status
If the NIC is in unmanaged state, run the following command to enable it to be managed by NetworkManager:
nmcli device set eth0 managed yes
- Run the following commands to restart NetworkManager:
- Run the following command to check whether the private IP address can be allocated:
Checking the NIC Configuration
- Run the following command to open the /etc/sysconfig/network-scripts/ifcfg-eth0 file:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
- Modify the following configuration in this file.
Consider an ECS running CentOS 7 as an example.
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
- Run the following command to restart the network:
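Before restarting the network, the file can be compared with the values listed in this section. The script below is an added example, not part of the original documentation: the function names are hypothetical and both sample files are constructed. It reports every key that is missing or differs from the CentOS 7 values given above.

```shell
#!/bin/sh
# Added example: compare an ifcfg file with the CentOS 7 values listed above.
EXPECTED='DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes TYPE=Ethernet PERSISTENT_DHCLIENT=yes'

# Print the value of KEY in FILE without surrounding quotes. The last
# assignment wins, as it does when the network scripts source the file.
ifcfg_get() {
    awk -F= -v key="$2" -v q="'" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); found = 1 }
        END { if (found) { gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", v); print v } }
    ' "$1"
}

# Print one line per deviation; return 0 only if every expected value matches.
check_ifcfg() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ifcfg_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "$key: missing (expected $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: found $have (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one matching this section, one that has drifted.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ifcfg-good" <<'EOF'
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
EOF
cat > "$SAMPLE_DIR/ifcfg-drifted" <<'EOF'
# constructed example
DEVICE=eth0
BOOTPROTO=static
ONBOOT="no"
TYPE=Ethernet
EOF

check_ifcfg "$SAMPLE_DIR/ifcfg-good" && echo "ifcfg-good: matches"
check_ifcfg "$SAMPLE_DIR/ifcfg-drifted" || echo "ifcfg-drifted: differs"
```

On an ECS, pass /etc/sysconfig/network-scripts/ifcfg-eth0 to check_ifcfg.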
Checking the Firewall Configuration
Consider an ECS running CentOS 7 as an example. Check whether the firewall is enabled.
firewall-cmd --state
The command output is as follows:
[root@ecs-centos7 ~]# firewall-cmd --state
running
Run the following command to disable the firewall:
systemctl stop firewalld.service
Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.