Why Does Internet Access to an ECS Deployed with FTP Fail?
Symptom
- You cannot access a Windows ECS with FTP deployed by using an EIP.
- The FTP client cannot access the FTP server, and the connection times out.
- It takes a lot of time to upload files.
Possible Causes
- The security group associated with the target ECS denies inbound traffic from the Internet.
- The firewall of the ECS blocks the FTP process.
Enabling FTP Firewall Support
To allow a Huawei Cloud server to access an FTP server deployed on an ECS using an EIP, the FTP server must work in passive mode. In this case, enable FTP firewall support.
- Log in to the management console and then log in to the ECS using VNC.
- Choose Start > Server Manager.
- In Server Manager, choose Dashboard > Tools > Internet Information Services (IIS) Manager.
- Double-click FTP Firewall Support.
- Set parameters and click Apply.
- Data Channel Port Range: specifies the range of ports used for passive connections. The port range is 1025-65535. Configure this parameter based on site requirements.
- External IP Address of Firewall: specifies the public IP address of the ECS.
- Restart the ECS for the firewall configuration to take effect.
Setting the Security Group and Firewall
After deploying FTP, add a rule to the target security group to allow access to the FTP port in the inbound direction.
After enabling FTP firewall support, allow access to the ports used by the FTP site and the data channel ports used by the FTP firewall in the security group.
By default, the firewall allows access to TCP port 21 for FTP. If another port is used, add an inbound rule that allows access to that port on the firewall.
- Log in to the management console.
- Click in the upper left corner and select your region and project.
- Under Compute, click Elastic Cloud Server.
- On the Elastic Cloud Server page, click the name of the target ECS.
The page providing details about the ECS is displayed.
- Click the Security Groups tab and view security group rules.
- Click the security group ID.
The system automatically switches to the Security Group page.
- On the Inbound Rules tab, click Add Rule and configure the access rule for the inbound direction.
Set Source to the IP address segment containing the IP addresses allowed to access the ECS over the Internet.
The valid port range that can be specified in Enabling FTP Firewall Support is 1025-65535. For example, the configured data port range is 5000-6000.
The default source IP address 0.0.0.0/0 indicates that all IP addresses can access ECSs in the security group.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot