Help Center/ Virtual Private Cloud/ FAQs/ Connectivity/ Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?
Updated on 2024-10-25 GMT+08:00

Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?

Symptom

An ECS has a single NIC and failed to communicate with others after the ECS has a firewall installed. An example scenario is as follows:

In a VPC, there are three ECSs. Services are deployed on ECS 1 and ECS 2, and a third-party firewall is installed on ECS X. Traffic from ECS 1 and ECS 2 needs to be filtered by the firewall of ECS X.

Fault Locating

The issues here are described in order of how likely they are to occur.

Troubleshoot the issue by ruling out the causes described here, one by one.

Table 1 Fault locating

Possible Cause

Solution

Security group rules

See Whether Security Group Rules Are Configured

Source/destination check

See Whether Source/Destination Check Is Disabled

VPC custom routes

See Whether VPC Custom Routes Are Added

Whether Security Group Rules Are Configured

Subnets in the same VPC can communicate with each other. If your service ECS cannot communicate with the ECS that has firewall installed, check whether they are in the same security group.

If the ECSs are in different security groups, you need to add rules to the security groups to allow access from each other.

For details, see Adding a Security Group Rule.

Whether Source/Destination Check Is Disabled

Check whether the source/destination check function is disabled on the NIC of the ECS with firewall installed. If the function is not disabled, perform the following operations to disable it:

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click Service List and choose Compute > Elastic Cloud Server.
  4. In the ECS list, click the target ECS name.

    The Summary tab page of the ECS is displayed.

  5. Click the Network Interfaces tab, click to expand information about the primary NIC, and check whether Source/Destination Check is disabled.

    If it is not disabled, disable it.

Whether VPC Custom Routes Are Added

Check whether the subnet route table of the service VPC has a route pointing to the ECS with firewall installed.

If there is no such a route, add a custom route with next hop set to ECS and destination set to the ECS with the firewall installed.

For details, see Adding a Custom Route.