Help Center/ Cloud Search Service/ Troubleshooting/ Ports/ Port 9200 Cannot Be Reached
Updated on 2025-10-11 GMT+08:00
View PDF
Share

Port 9200 Cannot Be Reached

Symptom

If a VPN or VPC peering connection is used to access the CSS cluster, no result is returned when the curl command is used to connect to an Elasticsearch cluster.

For example, if you run the following command to connect to the cluster, no result is returned:

curl -s 'http://< node private access address >:9200'

Possible Causes

If a VPN or VPC peering connection is used to access CSS, that means that the client and CSS are not in the same VPC. Therefore, the subnet of the CSS cluster must be in a different network segment from that of the VPC.

Suppose, for example, there is a CSS cluster in VPC vpc-8e28 on the CIDR block 192.168.0.0/16, the subnet subnet-4a81 of the VPC is selected, and it is also on 192.168.0.0/16. As the CSS subnet vpc-8e28 and the subnet it is being accessed from (subnet-4a81) are both 192.168.0.0/16, if the VPN or the VPC peering connection tries to access the CSS cluster, the host created on the subnet does not have a gateway corresponding to the VPC. As a result, the default route of the CSS service is affected and access to port 9200 fails.

Procedure

If port 9200 cannot be reached but the CSS cluster is available, perform the following steps to rectify the issue:

  1. Log in to the CSS management console.
  2. In the navigation pane on the left, expand Clusters. Select a cluster type based on the target cluster. The cluster list is displayed.
  3. In the cluster list, click the name of the target cluster. The cluster information page is displayed.
  4. Click the Overview tab.
  5. In the Configuration area, check the VPC and Current Subnet used by the cluster.
  6. Click the VPC name to go to the VPC details page. Check the CIDR block of the VPC and subnet.

    If the VPC and the subnet are on the same CIDR block, when a VPN private line or a VPC peering connection is used, access to port 9200 will fail.

  7. If the preceding error occurs, create another cluster and this time select a subnet that is different from the VPC subnet. If the subnet does not exist, create another subnet on the VPC management console.

    After a new CSS cluster is created, migrate the data of the old cluster to the new cluster, and then use the VPN or VPC peering connection to access the cluster.

    If you require a VPN connection or VPC peering connection to access the CSS cluster, ensure that the VPC and subnet of the newly created CSS are in different network segments.

Parent topic: Ports