Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?
Symptom
An ECS has a single NIC and failed to communicate with others after the ECS has a firewall installed. An example scenario is as follows:
In a VPC, there are three ECSs. Services are deployed on ECS 1 and ECS 2, and a third-party firewall is installed on ECS X. Traffic from ECS 1 and ECS 2 needs to be filtered by the firewall of ECS X.
Fault Locating
The issues here are described in order of how likely they are to occur.
Troubleshoot the issue by ruling out the causes described here, one by one.
Possible Cause |
Solution |
---|---|
Security group rules |
|
Source/destination check |
|
VPC custom routes |
Whether Security Group Rules Are Configured
Subnets in the same VPC can communicate with each other. If your service ECS cannot communicate with the ECS that has firewall installed, check whether they are in the same security group.
If the ECSs are in different security groups, you need to add rules to the security groups to allow access from each other.
For details, see Adding a Security Group Rule.
Whether Source/Destination Check Is Disabled
Check whether the source/destination check function is disabled on the NIC of the ECS with firewall installed. If the function is not disabled, perform the following operations to disable it:
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project.
- Click Service List and choose Compute > Elastic Cloud Server.
- In the ECS list, click the target ECS name.
- Click the NICs tab, click
to expand information about the primary NIC, and check whether Source/Destination Check is disabled.
If it is not disabled, disable it.
Whether VPC Custom Routes Are Added
Check whether the subnet route table of the service VPC has a route pointing to the ECS with firewall installed.
If there is no such a route, add a custom route with next hop set to ECS and destination set to the ECS with the firewall installed.
For details, see Adding a Custom Route.
Connectivity FAQs
- Does a VPN Allow Communication Between Two VPCs?
- Why Are Internet or Internal Domain Names in the Cloud Inaccessible Through Domain Names When My ECS Has Multiple NICs?
- What Are the Priorities of the Custom Route and EIP If Both Are Configured for an ECS to Enable the ECS to Access the Internet?
- Why Are There Intermittent Interruptions When a Local Host Accesses a Website Built on an ECS?
- Why Do ECSs Using Private IP Addresses in the Same Subnet Only Support One-Way Communication?
- Why Does Communication Fail Between Two ECSs in the Same VPC or Packet Loss Occur When They Communicate?
- Why Can't My ECS Use Cloud-init?
- Why Can't My ECS Access the Internet Even After an EIP Is Bound?
- Why Is My ECS Unable to Communicate at a Layer 2 or Layer 3 Network?
- How Do I Handle a BMS Network Failure?
- Why Does My ECS Fail to Obtain an IP Address?
- How Do I Handle a VPN or Direct Connect Connection Network Failure?
- Why Can My Server Be Accessed from the Internet But Cannot Access the Internet?
- Why Can't I Access Websites Using IPv6 Addresses After IPv4/IPv6 Dual Stack Is Configured?
- Why Does My ECS Fail to Communicate with Other After It Has Firewall Installed?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
more