All Products
Search
Document Center

Elastic Compute Service:Network FAQ

Last Updated:Aug 21, 2024

This topic provides answers to frequently asked questions about networks used by Elastic Compute Service (ECS) instances.

What is the packet loss rate when instances within different regions communicate over the Internet?

When instances within different regions communicate over the Internet, a p99 of the hourly packet loss rate of less than 0.0001% can be expected.

How is the network latency for instances within the same region that communicate over the internal network?

You can achieve minimal latency when instances within the same zone and region communicate with each other over the internal network. The one-way latency at the 99th percentile is less than 180 us for communication between instances within the same zone.

How is the performance of connections guaranteed for instances for which the maximum number of connections is not specified?

If an instance family does not have the maximum number of connections specified, this instance family does not ensure that a specific maximum number of connections can be established to a single instance. We recommend that you perform business stress tests on instances to select appropriate instance types.

Note

After a connection is established, the connection counts towards the number of connections before its aging period ends. The displayed number of connections may be greater than the number of connections actually in use.

What do I do if the performance of an ECS instance is unstable when a UDP PPS test or TCP bandwidth test is performed on the instance?

When a network performance test is performed on an ECS instance, the test result may be affected by a number of factors. These factors include the common performance tuning methods such as non-uniform memory access (NUMA) topology adaptation, binding vCPUs for tasks, and binding vCPUs for interrupts.

For example, during a single-stream TCP bandwidth test, if a receive task such as a netserver process and a network interface controller (NIC) receive queue interrupt are bound to the same vCPU, the NIC triggers an interrupt to interrupt the receive task when the NIC receives data frames. If the receive task is frequently interrupted, the test result may not meet your expectations. In this case, you can bind the receive task and the NIC receive queue interrupt to different vCPUs and obtain a better test result by using the performance advantages of multiple vCPUs.

What are the inbound and outbound bandwidths of ECS instances?

Bandwidth type

Description

Inbound bandwidth (Free)

The bandwidth for inbound traffic for an ECS instance, including the following traffic:

  • Traffic generated when you download external resources to the ECS instance

  • Traffic generated when you upload resources to the ECS instance by using an FTP client

Outbound bandwidth (Charge)

The bandwidth for outbound traffic for an ECS instance, including the following traffic:

  • Traffic generated when the ECS instance provides external access

  • Traffic generated when you download resources from the ECS instance by using an FTP client

I purchased a public bandwidth of 5 Mbit/s for an ECS instance. How is this bandwidth used as outbound or inbound bandwidth of the instance?

The 5 Mbit/s that you purchased is used as the outbound bandwidth for the instance. The inbound bandwidth of this instance is capped at 10 Mbit/s.

  • Outbound bandwidth is consumed when data is transferred from the ECS instance. The maximum outbound bandwidth of an ECS instance is capped at 100 Mbit/s or 200 Mbit/s regardless of whether the instance resides in a virtual private cloud (VPC) or the classic network. The maximum available outbound bandwidth depends on the billing method of the instance.

  • Inbound bandwidth is consumed when data is transferred to the ECS instance. The maximum inbound bandwidth is determined by the outbound bandwidth:

    • If the outbound bandwidth is less than 10 Mbit/s, the maximum inbound bandwidth is 10 Mbit/s.

    • If the outbound bandwidth is greater than 10 Mbit/s, the maximum inbound bandwidth is the same as the purchased outbound bandwidth.

Important

If the pay-by-traffic billing method is used for network usage, the maximum inbound and outbound bandwidths are used as upper limits of bandwidths instead of the guaranteed performance. In scenarios where demand outstrips resource supplies, these maximum bandwidth values may be limited. If you require guaranteed bandwidths for your instance, use the pay-by-bandwidth billing method for network usage.

Is public bandwidth exclusive to each ECS instance, or is public bandwidth shared among multiple instances?

The public bandwidth of each instance is exclusive to the instance.

How am I billed for the network usage of ECS instances?

For information about billing for the network usage of ECS instances, see Public bandwidth.

Why is 200 Kbit/s of inbound traffic already consumed on a new ECS instance?

This traffic was generated by Address Resolution Protocol (ARP) broadcast packets. Each ECS instance is assigned to a large CIDR block. When the gateway receives an ARP request packet for an ECS instance, the gateway broadcasts this packet to all ECS instances within the same CIDR block. The new instance also receives the packet. If the request is not destined for the new instance, the instance does not reply with an ARP reply packet.

How do I view the Internet traffic bills of an ECS instance?

To view the Internet traffic bills of an ECS instance, perform the following steps:

  1. Log on to the ECS console.

  2. In the top navigation bar, choose Expenses.

  3. In the left-side navigation pane, choose Bills > Bill Details.

  4. Click the Usage Records tab.

  5. Set Product and Billable Item to Elastic Compute Service (ECS) and InternetTraffic, set Time Period and Time Unit.

  6. Click Export CSV.

  7. On the Export Record page, wait until the status of the exported file changes to Exported and click Download in the Actions column.

  8. Open the exported CSV file to view the Internet traffic bills of the ECS instance.

Why is the bandwidth usage of my ECS instance displayed in the CloudMonitor console different from that displayed in the ECS console?

ECS instances function as backend servers of Server Load Balancer (SLB) instances and use the Layer 7 HTTP forwarding model. In this forwarding model, SLB instances forward client requests to ECS instances, and the ECS instances use their own outbound bandwidth to return responses to the corresponding users. The bandwidth consumed by these responses is not displayed in the ECS console, but the traffic generated by the responses counts towards the outbound traffic of the SLB instances and is displayed in the CloudMonitor console. Therefore, the bandwidth usage of your ECS instance displayed in the CloudMonitor console is different from that displayed in the ECS console.

My ECS instance has been stopped. Why am I still being charged for its outbound traffic on a pay-as-you-go basis?

  • Problem description: Your instance is in the Stopped state in the ECS console but is in the Cleaning state in the Anti-DDoS Basic console. You are charged for outbound traffic from the instance on a pay-as-you-go basis every hour.

  • Cause: HTTP flood protection is enabled for the ECS instance. When HTTP flood protection is enabled, the security mechanism sends probe packets to potential attack sources. Therefore, a large volume of outbound traffic is generated.

  • Solution: Disable HTTP flood protection for the ECS instance. For more information, see Configure HTTP flood protection.

How do I enable public bandwidth for an ECS instance?

You can enable public bandwidth for an ECS instance by assigning a public IP address to the instance when you create the instance. For more information, see Enable public bandwidth for an ECS instance. You can also enable public bandwidth for an ECS instance by associating an elastic IP address (EIP) with the instance after you create the instance. For more information, see the Associate one or more EIPs with an instance section of the "Associate or disassociate an EIP" topic. You can use Anycast EIPs to improve Internet access based on the stable Border Gateway Protocol (BGP) lines and the global transmission network of Alibaba Cloud. For information about Anycast EIPs, see What is Anycast EIP? You can assign an IPv6 address to an ECS instance and enable IPv6 public bandwidth for the instance. For more information, see Step 3: Enable IPv6 public bandwidth for a Windows instance or Step 3: Enable IPv6 public bandwidth for a Linux instance.

How do I query the IP addresses of ECS instances?

  • Linux instances

    Run the ifconfig command to view NIC information. You can view the IP addresses, subnet masks, gateways, Domain Name System (DNS) servers, and MAC addresses in the command output.

  • Windows instances

    In Command Prompt, run the ipconfig /all command to view NIC information. You can view the IP addresses, subnet masks, gateways, DNS servers, and MAC addresses in the command output.

For more information, see View IP addresses.

How do I disable the public NIC of an ECS instance?

  • Linux instance

    1. Run the ifconfig command to view the name of the public NIC of the instance.

    2. Run the ifdown command to disable the public NIC. For example, if the name of the public NIC is eth1, enter ifdown eth1.

      Note

      You can run the ifup command to re-enable the NIC. For example, if the name of the public NIC is eth1, enter ifup eth1.

  • Windows instance

    1. In Command Prompt, run the ipconfig command to view information about the public NIC.

    2. Open the Control Panel and click View network status and tasks in the Network and Internet section. In the Network and Sharing Center window, click Change adapter settings in the left-side navigation pane to disable the public NIC.

How do I configure an IPv6 address for an ECS instance?

For more information, see Configure an IPv6 address for an ECS instance.

When I attempt to access a website on an ECS instance, a message similar to "Sorry, your access has been blocked because the requested URL may pose a security threat to the website" appears. Why?

  • Problem description: When you attempt to access a website built on an ECS instance, you are prompted with a message similar to "Sorry, your access has been blocked because the requested URL may pose a security threat to the website."

  • Cause: Web Application Firewall (WAF) has identified your access request to the URL as an attack and blocked your access.

  • Solution: Add the source public IP address that you use to access the website to the WAF whitelist. For more information, see Avoid Anti-DDoS Basic false positives by using a whitelist.

After I configure a secondary private IP address for a Windows instance, the instance cannot connect to the Internet. Why?

  • Problem description: After you configure a secondary private IP address for a Windows instance, the instance cannot connect to the Internet.

  • Cause: In Windows 2008 and later, the longest prefix match algorithm is used to select next hop IP addresses based on destination IP addresses of outbound traffic. This may lead to network connection failures.

  • Solution: Run the Netsh command with skipassource set to true to configure a secondary private IP address for the Windows instance.

    Netsh command:

    Netsh int ipv4 add address <Interface> <IP Addr> [<Netmask>] [skipassource=true]

    The following table describes the parameters in the Netsh command.

    Parameter

    Description

    Example value

    <Interface>

    The network interface with which to associate the secondary private IP address

    'Ethernet'

    <IP Addr>

    The secondary private IP address

    192.168.0.100

    <Netmask>

    The mask of the secondary private IP address

    255.255.255.0

    Sample command:

    Netsh int ipv4 add address 'Ethernet' 192.168.0.100 255.255.255.0 skipassource=true

An abnormal logon has been detected on one of my ECS instances. What do I do?

Perform the following operations to solve the problem:

  1. Check the logon time to see whether the logon was performed by yourself or another administrator.

  2. If the logon was not performed by yourself or another administrator, it is an unauthorized logon. Perform the following steps:

    1. Reset the password. For more information, see Reset the logon password of an instance.

    2. Check whether the ECS instance is infected.

    3. Configure security groups to allow access only from specific IP addresses. For more information, see Security groups for different use cases.

What is traffic scrubbing?

The traffic scrubbing service monitors inbound traffic to ECS instances in real time and identifies abnormal traffic such as DDoS attacks. By default, Anti-DDoS Basic is enabled on ECS instances to provide traffic scrubbing. When ECS instances are under attack, the traffic scrubbing service detects the attack and scrubs malicious traffic without affecting ECS instance services. When suspicious traffic is detected, suspicious traffic is redirected from the destination network to a scrubbing device. The device identifies and removes malicious traffic and then returns legitimate traffic to the network to be forwarded to the ECS instances.

How do I cancel traffic scrubbing for an ECS instance?

When traffic scrubbing is enabled and inbound traffic to an ECS instance reaches a specific threshold, traffic scrubbing is triggered regardless of whether the traffic is normal. This may affect or interrupt normal business. You can disable traffic scrubbing for ECS instances. For more information, see Cancel traffic cleaning.

How do I request reverse lookup for an ECS instance?

Reverse lookup is used in mail services to reject mail from IP addresses mapped to unregistered domain names. Most spammers use dynamic IP addresses or IP addresses mapped to unregistered domain names to send unwanted mail and avoid being tracked. When reverse lookup is enabled on a mail server, the server rejects mail sent from dynamic IP addresses or unregistered domain names to reduce the amount of spams received.

You can submit a ticket to request reverse lookup for your ECS instance. To make your ticket easier to process, we recommend that you specify the region, public IP address, and registered domain name of your ECS instance in the ticket.

After your request is approved, you can run the dig command to check whether reverse lookup takes effect on your instance. Example:

dig -x 121.196.255.** +trace +nodnssec

If reverse lookup takes effect on your instance, a command output similar to the following one is displayed:

1.255.196.121.in-addr.arpa. 3600 IN PTR ops.alidns.com.

Can an IP address point to multiple reverse lookup domain names?

No, each IP address can point only to a single reverse lookup domain name. For example, you cannot configure the IP address 121.196.255.** to resolve to multiple domain names such as mail.abc.com, mail.ospf.com, and mail.zebra.com.

Can I change the public IPv4 address of an instance after the instance has been created?

You can change the public IPv4 address of an instance within 6 hours after the instance is created. For more information, see Change the public IP address of an instance.

After 6 hours, the instance network type determines whether the public IP address of the instance can be changed.

Why am I unable to find the option to change the public IP address of an ECS instance in the ECS console?

  • Within 6 hours after a pay-as-you-go instance is created: If the billing method of an instance is pay-as-you-go and the network type of the instance is VPC, you must enable the standard mode for the instance when you stop the instance. If you enable the economical mode for the instance, the Change Public IP Address option is not displayed in the ECS console.

  • More than 6 hours after the instance is created: You cannot change the public IP address, and the Change Public IP Address option is not displayed.

Can I change the private IP address of an instance?

If no public IPv4 address was assigned to an ECS instance when the instance was being created, how do I assign a public IP address to the instance?

What is a BGP data center?

Border Gateway Protocol (BGP) is used to connect autonomous systems (AS) over the Internet. The main purpose of BGP is to control route propagation and select the optimal routes.

China Netcom, China Telecom, China Railcom, and some large privately owned IDC service providers all have autonomous system numbers (ASNs). Most major network carriers in China use BGP to implement multi-line connections between their ASNs.

To implement multi-line interconnection in this manner, an IDC must obtain a CIDR block and an ASN from the China Internet Network Information Center (CNNIC) or Asia-Pacific Network Information Center (APNIC), and then broadcast this CIDR block to the networks of other carriers by using BGP. After BGP is used to connect different networks, the backbone routers of the network carriers determine the optimal routes to the CIDR block of the IDC to ensure high-speed access for users of different network carriers.

What are WAN and LAN?

  • A wide area network (WAN) is also known as an external or public network. A WAN is a telecommunications network that connects smaller networks such as LANs and metro area networks (MANs). Each WAN extends over a large geographical area that can range in size from as small as a city or as large as an entire continent to provide telecommunications services and form an international telecommunications network. WAN is not the same as the Internet.

  • A LAN is also known as an internal network. A LAN is a network that interconnects computers within a small area. Users can manage files, share application software and printers, schedule work for work groups, and communicate with each other such as by sending emails or faxes within a LAN. A LAN is a closed network that can be as small as consisting of two computers in an office or as large as consisting of thousands of computers in a company. In Alibaba Cloud, ECS instances of the same network type within the same region can communicate with each other over the internal network. ECS instances within different regions are isolated from each other.

What is CIDR?

CIDR is an addressing scheme for the Internet that allows for IP addresses to be assigned in a more efficient manner than the traditional scheme based on classes A, B, and C. CIDR notation is used to denote IP addresses and IP ranges. It consists of an IP address and a forward slash followed by a decimal number that denotes how many bits are in the network prefix.

  • Example 1: Convert a CIDR block into an IP address range

    For example, you can convert the 10.0.0.0/8 CIDR block into a 32-bit binary IP address of 00001010.00000000.00000000.00000000. In this CIDR block, /8 represents an 8-bit network ID. The first 8 bits of the 32-bit binary IP address are fixed, and the corresponding IP addresses are from 00001010.00000000.00000000.00000000 to 00001010.11111111.11111111.11111111. After you convert the preceding IP addresses into IP addresses in the decimal format, the 10.0.0.0/8 CIDR block indicates the IP addresses from 10.0.0.0 to 10.255.255.255 with a subnet mask of 255.0.0.0.

  • Example 2: Convert an IP address range into a CIDR block

    For example, you have a range of IP addresses from 192.168.0.0 to 192.168.31.255. You can convert the last two parts of the first and last IP addresses to binary numbers from 00000000.00000000 to 00011111.11111111. The first 19 (8 × 2 + 3) bits are fixed. After you convert the IP addresses to IP addresses in the CIDR format, the corresponding CIDR block is 192.168.0.0/19.

How do I express a subnet mask?

You can use one of the following methods to express a subnet mask:

  • Use dotted decimal notation.

    The default subnet mask of a Class A network is 255.0.0.0.

  • Append a forward slash (/) and a number ranging from 1 to 32 to the end of an IP address to define a subnet mask. This number indicates the length of the network identification bit in the subnet mask.

    Example: 192.168.0.3/24.

How do I plan subnets?

For information about the best practices for planning subnets, see Plan networks.

Do all ECS instances support classic network and VPC as network types?

No. If you purchase your first ECS instance after 17:00, June 14, 2017 (UTC+8), you cannot select classic network as the network type.

Can I change the network type of an ECS instance?

ECS instances can be migrated only from the classic network to a VPC. For more information, see Migrate ECS instances from the classic network to a VPC.

Important

After you migrate an ECS instance from the classic network to a VPC, you cannot migrate the instance back to the classic network. Make sure that you understand this limitation and plan your network before you migrate your ECS instances.

How can I view the resource quota?

For more information about how to view the limits and quotas of resources, see Limits.