Why Does My Linux ECS Fail to Access the Internet?

Updated on 2024-06-21 GMT+08:00

Symptom

Your attempt to access the Internet from your Linux ECS failed.

Fault Locating

The following possible causes are listed in descending order of likelihood.

If the fault persists after you have ruled out a cause, check other causes.

Table 1 Possible causes and solutions

| Possible Cause | Solution |
|---|---|
| The ECS is frozen or stopped, or has no EIP bound. | Check whether the ECS is in Running state and has an EIP bound. For details, see Checking the ECS Status. |
| The ECS is overloaded. | Check whether the bandwidth and vCPU usage of the ECS are too high. For details, see Checking Whether the ECS Is Overloaded. |
| The EIP bandwidth exceeds the limit. | Increase the bandwidth and try again. For details, see Checking Whether the EIP Bandwidth Exceeded the Limit. |
| The DNS configuration is incorrect. | Change the DNS server to a private one. For details, see Checking the DNS Configuration. |
| Specified resolution has been configured in the hosts file. | Check whether the mappings in the hosts configuration file are correct. For details, see Checking the hosts Configuration File. |
| Both Network and NetworkManager are enabled. | Use either of the two tools to prevent incompatibility issues. For details, see Checking Whether Both Network and NetworkManager Have Been Enabled. |
| The security group is incorrectly configured. | Check whether the security group allows the network traffic in the outbound direction. For details, see Checking Whether the Security Group Is Correctly Configured. |
| A network ACL has been associated with the ECS. | Disassociate the network ACL from the ECS and try again. For details, see Checking ACL Rules. |
| The EIP is blocked. | If the EIP is blocked, the ECS cannot access the Internet. For details, see Checking Whether the EIP Is Blocked. |
| The private IP address is lost. | Check whether the dhclient process is running. If it is not running, the private IP address may be lost. For details, see Checking Whether a Private IP Address Can Be Obtained. |
| NICs are incorrectly configured. | Check whether the NIC and DNS configurations are correct. For details, see Checking the NIC Configuration. |
| Firewall is enabled on the ECS. | Disable the firewall and try again. For details, see Checking the Firewall Configuration. |

Checking the ECS Status

  • Check whether the ECS is in the Running state on the management console.
  • Check whether the ECS has an EIP bound.

    An ECS can access the Internet only if it has an EIP bound.

    For details, see Binding an EIP.

Checking Whether the ECS Is Overloaded

If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Linux ECS Running Slowly?

Checking Whether the EIP Bandwidth Exceeded the Limit

An ECS with an EIP bound accesses the Internet using the bandwidth configured for the EIP.

If Internet access fails, check whether the EIP bandwidth exceeds the limit.

Checking the DNS Configuration

Private DNS servers resolve domain names for the ECSs created using a public image by default. The private DNS servers do not affect the domain name resolution for the ECSs to access the Internet. Additionally, you can use the private DNS servers to directly access the internal addresses of other cloud services, such as OBS. Compared with the access through the Internet, this access mode features high performance and low latency.

For Linux ECSs, run the following command to check the DNS configuration:

cat /etc/resolv.conf

If the command output shown in Figure 1 is displayed, the domain name is resolved using the private DNS server.

Figure 1 DNS configuration

If the domain name of the ECS is resolved using a non-private DNS server and you want to switch to a private DNS server, change the DNS server to a private one.

For details, see How Can I Configure the NTP and DNS Servers for an ECS?

Checking the hosts Configuration File

If the DNS configuration is correct but the ECS still cannot access the Internet, check whether the mapping information in the hosts configuration file is correct. If any mapping is incorrect, comment it out.

For Linux, run the following command to view the hosts configuration:

vim /etc/hosts

If there is an incorrect domain name mapping, comment it out and save the hosts file.
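The hosts check above can also be done without opening an editor. The following is an added example, not part of the original guide: the function names list_host_overrides and comment_out_host are hypothetical, and the sample addresses and host names are constructed. It lists every active non-loopback mapping and writes a reviewable copy of the file with one mapping commented out.

```shell
#!/bin/sh
# list_host_overrides FILE
# Print "line<TAB>address<TAB>names" for each active mapping that is not loopback.
list_host_overrides() {
    awk '
        { sub(/#.*/, "") }                        # ignore comments
        NF < 2 { next }                           # blank or incomplete line
        $1 ~ /^127\./ || $1 == "::1" { next }     # loopback entries are expected
        {
            names = $2
            for (i = 3; i <= NF; i++) names = names " " $i
            print NR "\t" $1 "\t" names
        }
    ' "$1"
}

# comment_out_host FILE NAME
# Write FILE to stdout with every active line that maps NAME commented out.
# The original file is left untouched so the result can be reviewed first.
comment_out_host() {
    awk -v host="$2" '
        {
            active = $0
            sub(/#.*/, "", active)                # look only at the active part
            n = split(active, f)
            hit = 0
            for (i = 2; i <= n; i++)
                if (tolower(f[i]) == tolower(host)) hit = 1
            print (hit ? "# " $0 : $0)
        }
    ' "$1"
}

# Constructed sample input (not from the guide); use /etc/hosts on a real ECS.
sample=$(mktemp)
printf '%s\n' \
    '127.0.0.1   localhost localhost.localdomain' \
    '::1         localhost' \
    '203.0.113.7 repo.example.com   # stale entry' > "$sample"
list_host_overrides "$sample"
comment_out_host "$sample" repo.example.com
rm -f "$sample"
```

Any mapping that list_host_overrides prints and that nobody on the team can account for deserves a closer look, because a hosts entry silently overrides DNS for that name.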

Checking Whether Both Network and NetworkManager Have Been Enabled

Network and NetworkManager are two network management tools, and only one of them should be enabled at a time. If both of them are enabled, they are incompatible with each other.

Take CentOS 7 as an example. NetworkManager is recommended for CentOS 7.

  1. Check the Network or NetworkManager running status.

    systemctl status network

    systemctl status NetworkManager

  2. Run the following commands to disable Network:

    systemctl stop network

    systemctl disable network

  3. Run the following commands to enable NetworkManager:

    systemctl start NetworkManager

    systemctl enable NetworkManager

Checking Whether the Security Group Is Correctly Configured

Check whether the security group of the ECS is correctly configured. If an allowlist is configured for the outbound rules of the security group, the network traffic in the outbound direction is permitted.

Checking ACL Rules

By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.

  1. Check whether the subnet of the ECS has been associated with a network ACL.

    If an ACL name is displayed, the network ACL has been associated with the ECS.

  2. Click the ACL name to view its status.
  3. Disassociate the network ACL from the subnet of the ECS.
    On the page providing details about the network ACL, choose Associated Subnets > Disassociate.
    NOTE:

    The default network ACL rule denies all incoming and outgoing packets. If a network ACL is disabled, the default rule is still effective.

  4. Try to access the Internet through the ECS again.

Checking Whether the EIP Is Blocked

IP address blocking means that all traffic is routed to a null route. If the EIP is blocked, the ECS cannot access the Internet.

Generally, blocked EIPs will be automatically unblocked after 24 hours if no subsequent attack occurs.

Checking Whether a Private IP Address Can Be Obtained

Private IP addresses may be lost if the dhclient process is not running or the target NIC is not managed by NetworkManager because NetworkManager automatic startup is not enabled. Perform the following operations to locate the fault:

Consider an ECS running CentOS 7 as an example.

  1. Run the following command to check whether dhclient is running:

    ps -ef |grep dhclient |grep -v grep

  2. If dhclient is not detected, run the following command to check whether NetworkManager is running:

    systemctl status NetworkManager

    • If NetworkManager is in Active: inactive (dead) state, NetworkManager is not enabled. Run the following command to check whether NetworkManager is automatically started upon system startup:

      systemctl is-enabled NetworkManager

      If the command output is disabled, run the following command to enable NetworkManager automatic startup:

      systemctl enable NetworkManager && systemctl start NetworkManager

    • If NetworkManager is in Active: active (running) state, run the following command to check whether the target NIC is managed by NetworkManager:

      nmcli device status

      If the NIC is in unmanaged state, run the following command to enable it to be managed by NetworkManager:

      nmcli device set eth0 managed yes

  3. Run the following command to restart NetworkManager:

    systemctl restart NetworkManager

  4. Run the following command to check whether the private IP address can be allocated:

    ip add

Checking the NIC Configuration

  1. Run the following command to open the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Modify the following configuration in this file.

    Consider an ECS running CentOS 7 as an example.

    DEVICE="eth0"
    BOOTPROTO="dhcp"
    ONBOOT="yes"
    TYPE="Ethernet"
    PERSISTENT_DHCLIENT="yes"
  3. Run the following command to restart the network:

    service network restart
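Before editing the file and restarting the network, the NIC configuration can be compared with the five settings listed in step 2. The following is an added example, not part of the original guide: the function name check_ifcfg is hypothetical and the sample file is constructed. The comparison ignores quoting and letter case.

```shell
#!/bin/sh
# check_ifcfg FILE [DEVICE]
# Compare an ifcfg file with the five settings shown above. Prints one line per
# deviation; the return status is the number of deviations (0 = file matches).
check_ifcfg() {
    awk -F= -v dev="${2:-eth0}" -v q="'" '
        BEGIN {
            want["DEVICE"] = dev
            want["BOOTPROTO"] = "dhcp"
            want["ONBOOT"] = "yes"
            want["TYPE"] = "Ethernet"
            want["PERSISTENT_DHCLIENT"] = "yes"
        }
        /^[ \t]*#/ || NF < 2 { next }            # skip comments and non-assignments
        {
            key = $1
            gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/[ \t]+#.*/, "", val)            # drop a trailing comment
            gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", val)   # drop quotes and padding
            have[key] = val                      # a later assignment wins
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have)) {
                    print k ": missing, expected " want[k]; bad++
                } else if (tolower(have[k]) != tolower(want[k])) {
                    print k ": found " have[k] ", expected " want[k]; bad++
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample (not from the guide): static addressing, NIC not started at boot.
sample=$(mktemp)
printf '%s\n' 'DEVICE="eth0"' 'BOOTPROTO="static"' 'ONBOOT="no"' 'TYPE="Ethernet"' > "$sample"
check_ifcfg "$sample" || echo "deviations: $?"
rm -f "$sample"
```

On an ECS, run it as check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 and change only the keys it reports.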

Checking the Firewall Configuration

Consider an ECS running CentOS 7 as an example. Check whether the firewall is enabled.

firewall-cmd --state

The command output is as follows:

[root@ecs-centos7 ~]# firewall-cmd --state 
running

Run the following command to disable the firewall:

systemctl stop firewalld.service

CAUTION:

Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.
