Updated on 2025-11-06 GMT+08:00

Security Groups

Check Items

Check whether the worker node security group contains a rule with Protocol & Port set to ICMP: All, and whether the security group rule whose source is the master node security group has been deleted.

This check item is performed only for clusters using VPC networking. For clusters using other networking, skip this check item.

Solutions

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Overview. In the Networking Configuration area, view the default node security group.

    Figure 1 Viewing the default node security group

  3. Click the name of the default node security group to go to the details page. Ensure that the inbound rules contain the rule in the figure below. This rule allows the master nodes to access worker nodes using the ICMP protocol.

    Figure 2 Viewing node security group rules

  4. If the rule does not exist, click Add Rule to add the inbound rule to the node security group.

    • Priority: Set it to 1.
    • Action: Select Allow.
    • Type: Select IPv4.
    • Protocol & Port: Select Protocols/ICMP and select All for Port.
    • Source: Select Security Group and set it to the master node security group. The master node security group is in the format of cluster-name-control-xxx. You can search for the security group by cluster name.
    • Description: Enter "Created by CCE,please don't modify! Used by the master node to access the worker node."

    Figure 3 Allowing ICMP for the master node security group
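
The check in steps 3 and 4 can also be run against an exported list of the node security group's inbound rules. The following is an added example, not code from CCE or its documentation. The rule field names (direction, ethertype, protocol, multiport, action, remote_group_id), the convention that an empty multiport means All, and the sample IDs are assumptions to adapt to your own export.

```python
# Added example. Field names are assumptions, not a confirmed CCE/VPC schema.
MASTER_SG = "sg-master-constructed"  # constructed ID standing in for cluster-name-control-xxx

SAMPLE_RULES = [  # constructed inbound rules of the default node security group
    {"id": "rule-1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "multiport": "22", "action": "allow", "remote_group_id": None},
    # ICMP is allowed here, but from an address range rather than the master node group
    {"id": "rule-2", "direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "multiport": None, "action": "allow", "remote_group_id": None},
    {"id": "rule-3", "direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "multiport": None, "action": "allow", "remote_group_id": MASTER_SG},
]


def check_master_icmp_rule(rules, master_sg_id):
    """Return (ok, findings) for the inbound ICMP: All rule sourced from the master node group."""
    candidates = [
        r for r in rules
        if r.get("direction") == "ingress"
        and r.get("remote_group_id") == master_sg_id
        and (r.get("protocol") or "").lower() == "icmp"
    ]
    if not candidates:
        return False, ["no inbound ICMP rule with the master node security group as source"]

    findings = []
    for r in candidates:
        problems = []
        if r.get("ethertype") != "IPv4":
            problems.append("type is not IPv4")
        if (r.get("action") or "").lower() != "allow":
            problems.append("action is not Allow")
        if r.get("multiport") not in (None, "", "all"):  # assumed encoding of "All"
            problems.append("port is not All")
        if not problems:
            return True, []  # one fully matching rule is enough
        findings.append(f"{r.get('id')}: " + ", ".join(problems))
    return False, findings


if __name__ == "__main__":
    print(check_master_icmp_rule(SAMPLE_RULES, MASTER_SG))
```

A result of False with the "no inbound ICMP rule" finding corresponds to the case in step 4, where the rule has to be added again.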