Updated on 2024-06-21 GMT+08:00

Why Does My Linux ECS Fail to Access the Internet?

Symptom

Your attempt to access the Internet from your Linux ECS failed.

Fault Locating

The following possible causes are listed in order of their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Table 1 Possible causes and solutions

| Possible Cause | Solution |
|---|---|
| The ECS is frozen or stopped, or has no EIP bound. | Check whether the ECS is in Running state and has an EIP bound. For details, see Checking the ECS Status. |
| The ECS is overloaded. | Check whether the bandwidth and vCPU usage of the ECS are too high. For details, see Checking Whether the ECS Is Overloaded. |
| The EIP bandwidth exceeds the limit. | Increase the bandwidth and try again. For details, see Checking Whether the EIP Bandwidth Exceeded the Limit. |
| The DNS configuration is incorrect. | Change the DNS server to a private one. For details, see Checking the DNS Configuration. |
| A specific resolution has been configured in the hosts file. | Check whether the mappings in the hosts configuration file are correct. For details, see Checking the hosts Configuration File. |
| Both Network and NetworkManager are enabled. | Use either of the two tools to prevent incompatibility issues. For details, see Checking Whether Both Network and NetworkManager Have Been Enabled. |
| The security group is incorrectly configured. | Check whether the security group allows the network traffic in the outbound direction. For details, see Checking Whether the Security Group Is Correctly Configured. |
| A network ACL has been associated with the ECS. | Disassociate the network ACL from the ECS and try again. For details, see Checking ACL Rules. |
| The EIP is blocked. | If the EIP is blocked, the ECS cannot access the Internet. For details, see Checking Whether the EIP Is Blocked. |
| The private IP address is lost. | Check whether the dhclient process is running. If it is not running, the private IP address may be lost. For details, see Checking Whether a Private IP Address Can Be Obtained. |
| NICs are incorrectly configured. | Check whether the NIC and DNS configurations are correct. For details, see Checking the NIC Configuration. |
| A firewall is enabled on the ECS. | Disable the firewall and try again. For details, see Checking the Firewall Configuration. |

Checking the ECS Status

  • Check whether the ECS is in the Running state on the management console.
  • Check whether the ECS has an EIP bound.

    An ECS can access the Internet only if it has an EIP bound.

    For details, see Binding an EIP.

Checking Whether the ECS Is Overloaded

If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Linux ECS Running Slowly?

Checking Whether the EIP Bandwidth Exceeded the Limit

An ECS with an EIP bound accesses the Internet using the bandwidth configured for the EIP.

If Internet access fails, check whether the EIP bandwidth exceeds the limit.

Checking the DNS Configuration

Private DNS servers resolve domain names for the ECSs created using a public image by default. The private DNS servers do not affect the domain name resolution for the ECSs to access the Internet. Additionally, you can use the private DNS servers to directly access the internal addresses of other cloud services, such as OBS. Compared with the access through the Internet, this access mode features high performance and low latency.

For Linux ECSs, run the following command to check the DNS configuration:

cat /etc/resolv.conf

If the command output shown in Figure 1 is displayed, the domain name is resolved using the private DNS server.

Figure 1 DNS configuration

If the domain name of the ECS is resolved using a non-private DNS server and you want to switch to a private DNS server, change the DNS server to a private one.

Checking the hosts Configuration File

If the DNS configuration is correct but the ECS still cannot access the Internet, check whether the mapping information in the hosts configuration file is correct. If any mapping is incorrect, comment it out.

For Linux, run the following command to view the hosts configuration:

vim /etc/hosts

If there is an incorrect domain name mapping, comment it out and save the hosts file.
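
The two name-resolution checks above (DNS configuration and hosts file) can be run read-only with the script below. It is an added example, not part of the original page: the function names are hypothetical, the sample files are constructed, and 198.51.100.53 is a placeholder for the private DNS server address of your region.

```shell
#!/bin/sh
# Added example: read-only audit of name-resolution files (POSIX sh + awk).

# Print "hostname ip" for each active, non-loopback mapping in a hosts file.
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }                     # drop full-line and inline comments
        NF < 2 { next }                        # blank or incomplete line
        $1 ~ /^127\./ || $1 == "::1" { next }  # loopback entries are expected
        { for (i = 2; i <= NF; i++) print $i, $1 }
    ' "$1"
}

# Print every nameserver address in a resolv.conf-style file.
nameservers() {
    awk '{ sub(/[#;].*/, "") } $1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Print nameservers in FILE ($1) that are not in the expected list ($2...).
unexpected_nameservers() {
    un_file=$1; shift
    nameservers "$un_file" | while read -r un_ns; do
        un_ok=no
        for un_want in "$@"; do
            if [ "$un_ns" = "$un_want" ]; then un_ok=yes; fi
        done
        if [ "$un_ok" = no ]; then echo "$un_ns"; fi
    done
}

# Constructed sample files; on a real ECS pass /etc/hosts and /etc/resolv.conf.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAMPLE_HOSTS=$WORK/hosts; SAMPLE_RESOLV=$WORK/resolv.conf
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost
192.0.2.10  repo.example.com mirror.example.com  # constructed stale mapping
#198.51.100.7 old.example.com
EOF
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed sample
nameserver 203.0.113.53
nameserver 198.51.100.53
options timeout:1
EOF
# 198.51.100.53 stands in for the private DNS address (placeholder).
echo "hosts mappings that bypass DNS:"; hosts_overrides "$SAMPLE_HOSTS"
echo "non-private nameservers:"; unexpected_nameservers "$SAMPLE_RESOLV" 198.51.100.53
```

Every line printed under the first heading is a name that never reaches the DNS server, so review those mappings before changing the DNS configuration.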

Checking Whether Both Network and NetworkManager Have Been Enabled

Network and NetworkManager are two network management tools, and only one of them can be enabled at a time. If both of them are enabled, they are incompatible with each other.

Take CentOS 7 as an example. NetworkManager is recommended for CentOS 7.

  1. Check the Network or NetworkManager running status.

    systemctl status network

    systemctl status NetworkManager

  2. Run the following commands to disable Network:

    systemctl stop network

    systemctl disable network

  3. Run the following commands to enable NetworkManager:

    systemctl start NetworkManager

    systemctl enable NetworkManager

Checking Whether the Security Group Is Correctly Configured

Check whether the security group of the ECS is correctly configured. If an allowlist is configured for the outbound rules of the security group, the network traffic in the outbound direction is permitted.

Checking ACL Rules

By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.

  1. Check whether the subnet of the ECS has been associated with a network ACL.

    If an ACL name is displayed, the network ACL has been associated with the ECS.

  2. Click the ACL name to view its status.
  3. Disassociate the network ACL from the subnet of the ECS.

    On the page providing details about the network ACL, choose Associated Subnets > Disassociate.

    The default network ACL rule denies all incoming and outgoing packets. If a network ACL is disabled, the default rule is still effective.

  4. Try to access the Internet through the ECS again.

Checking Whether the EIP Is Blocked

IP address blocking means that all traffic destined for the IP address is sent to a null route. If the EIP is blocked, the ECS cannot access the Internet.

Generally, blocked EIPs will be automatically unblocked after 24 hours if no subsequent attack occurs.

Checking Whether a Private IP Address Can Be Obtained

A private IP address may be lost if the dhclient process is not running, or if the target NIC is not managed by NetworkManager because NetworkManager automatic startup is not enabled. Perform the following operations to locate the fault:

Consider an ECS running CentOS 7 as an example.

  1. Run the following command to check whether dhclient is running:

    ps -ef |grep dhclient |grep -v grep

  2. If dhclient is not detected, run the following command to check whether NetworkManager is running:

    systemctl status NetworkManager

    • If NetworkManager is in Active: inactive (dead) state, NetworkManager is not enabled. Run the following command to check whether NetworkManager is automatically started upon system startup:

      systemctl is-enabled NetworkManager

      If the command output is disabled, run the following command to enable NetworkManager automatic startup:

      systemctl enable NetworkManager && systemctl start NetworkManager

    • If NetworkManager is in Active: active (running) state, run the following command to check whether the target NIC is managed by NetworkManager:

      nmcli device status

      If the NIC is in unmanaged state, run the following command to enable it to be managed by NetworkManager:

      nmcli device set eth0 managed yes

  3. Run the following command to restart NetworkManager:

    systemctl restart NetworkManager

  4. Run the following command to check whether the private IP address can be allocated:

    ip add
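
The procedure above can also be run as a read-only triage that prints the next command to run instead of changing anything. This is an added example, not part of the original page: the function names are hypothetical, it uses pgrep in place of the ps/grep pipeline, and the nmcli sample output is constructed.

```shell
#!/bin/sh
# Added example: read-only triage for a lost private IP address (CentOS 7).

# Read `nmcli -t -f DEVICE,STATE device status` output on stdin and print
# the state of device $1 (for example "connected" or "unmanaged").
nic_state() {
    awk -F: -v dev="$1" '$1 == dev { print $2 }'
}

# Print the command the procedure prescribes next.
# Args: dhclient(yes|no) nm_active nm_enabled nic_state device
next_step() {
    if [ "$1" = yes ]; then
        echo "ip add"                      # dhclient is up: verify the address
    elif [ "$2" != active ] && [ "$3" = disabled ]; then
        echo "systemctl enable NetworkManager && systemctl start NetworkManager"
    elif [ "$2" = active ] && [ "$4" = unmanaged ]; then
        echo "nmcli device set $5 managed yes"
    else
        echo "systemctl restart NetworkManager"   # step 3 of the procedure
    fi
}

# Collect the live state of device $1 without modifying anything.
live_triage() {
    if pgrep -x dhclient >/dev/null 2>&1; then lt_dh=yes; else lt_dh=no; fi
    lt_act=$(systemctl is-active NetworkManager 2>/dev/null)
    lt_ena=$(systemctl is-enabled NetworkManager 2>/dev/null)
    lt_nic=$(nmcli -t -f DEVICE,STATE device status 2>/dev/null | nic_state "$1")
    echo "dhclient=$lt_dh NetworkManager=$lt_act/$lt_ena $1=${lt_nic:-unknown}"
    echo "next: $(next_step "$lt_dh" "$lt_act" "$lt_ena" "$lt_nic" "$1")"
}

# Constructed nmcli output: eth0 exists but NetworkManager does not manage it.
SAMPLE_NMCLI='eth0:unmanaged
lo:unmanaged'
sample_state=$(printf '%s\n' "$SAMPLE_NMCLI" | nic_state eth0)
echo "constructed case: $(next_step no active enabled "$sample_state" eth0)"

# Pass a device name (for example eth0) to inspect the running system.
if [ -n "${1:-}" ]; then live_triage "$1"; fi
```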

Checking the NIC Configuration

  1. Run the following command to open the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Modify the following configuration in this file.

    Consider an ECS running CentOS 7 as an example.

    DEVICE="eth0"
    BOOTPROTO="dhcp"
    ONBOOT="yes"
    TYPE="Ethernet"
    PERSISTENT_DHCLIENT="yes"

  3. Run the following command to restart the network:

    service network restart

Checking the Firewall Configuration

Consider an ECS running CentOS 7 as an example. Check whether the firewall is enabled.

firewall-cmd --state

The command output is as follows:

[root@ecs-centos7 ~]# firewall-cmd --state 
running

Run the following command to disable the firewall:

systemctl stop firewalld.service

Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.