This topic describes how to troubleshoot the issue that a service deployed on an Elastic Compute Service (ECS) instance cannot be accessed.
Possible causes and troubleshooting methods
The following table describes the possible causes of the preceding issue and how to troubleshoot the issue based on the cause.
Possible cause | Troubleshooting method |
The port of the service is not allowed by the security group rules of the ECS instance. | |
The service is disabled or not started, or the port of the service is not listened on. | Check the status of the service and the listening status of the port of the service. |
The firewall settings of the ECS instance are incorrectly configured. |
The following sections describe how to troubleshoot the issue that NGINX deployed on an ECS instance cannot be accessed. Port 80 (default NGINX port) is used. To troubleshoot other services, replace the service name and port number in the commands with actual values.
Check the security group rules of the ECS instance
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the instance list page, find the instance whose security group rules you want to check and click the instance ID.
On the Instance Details page, click the Security Groups tab.
On the Security Groups tab, find the security group whose rules you want to check and click the security group ID.
In the Access Rule section, check whether port 80 is allowed in the inbound direction.
If port 80 is not allowed, add an inbound rule to allow port 80. For more information, see Add a security group rule.
If port 80 is allowed, perform the operations in the Check the status of the service and the listening status of the port of the service section.
Check the status of the service and the listening status of the port of the service
Linux instance
In this example, an ECS instance that runs CentOS 7.9 is used. Operations may vary based on the operating system version of your Linux instance.
Connect to the Linux instance.
For more information, see Connect to a Linux instance by using a password or key.
Run the following command to check the status of NGINX:
systemctl status nginxThe following sample command output indicates that NGINX is started.
If NGINX is not started, run the following command to start NGINX:
systemctl start nginx
Run the following command to check whether port 80 is listened on:
netstat -an | grep 80The following sample command output indicates that port 80 is listened on as expected. In this case, perform the operations in the Check the firewall settings of the ECS instance section.
If the preceding command output is not returned, port 80 is not listened on. The port may already be used by another service. You can release the port from the service to ensure that NGINX can listen on the port. You can also configure NGINX to listen on another port. For more information, see How to modify the Linux address of Web services such as Nginx and Tomcat in an listening port ECS instance.
Windows instance
In this example, an ECS instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.
Connect to the Windows instance.
For more information, see Connect to a Windows instance by using a password or key.
Choose Start > Run. Enter
service.mscand then click OK to open the Services window.Check the status of NGINX.
If no status is displayed for NGINX, right-click NGINX and select Start.
If the status of NGINX is Running, proceed to step 4.
Run the following command in Windows PowerShell to check whether port 80 is listened on:
netstat -ano | findstr "80"The following sample command output indicates that port 80 is listened on as expected. In this case, perform the operations in the Check the firewall settings of the ECS instance section.
If the preceding command output is not displayed, port 80 is not listened on. The port may already be used by another service. You can release the port from the service to ensure that NGINX can listen on the port. You can also configure NGINX to listen on another port. For more information, see How to modify the Linux addresses of Web services such as NGINX and Tomcat in an listening port ECS instance.
Check the firewall settings of the ECS instance
Linux instance
In this example, an ECS instance that runs CentOS 7.9 is used. Operations may vary based on the operating system version of your Linux instance.
Connect to the Linux instance.
For more information, see Connect to a Linux instance by using a password or key.
Run the following command to check the status of the firewall:
systemctl status firewalldIf the
Active: inactive (dead)message is displayed in the command output, the firewall is disabled. In this case, no additional operation is required.If the
Active: active (running)message is displayed in the command output, the firewall is enabled. In this case, proceed to Step 3.
Run the following command to check the ports that are allowed by the firewall:
firewall-cmd --list-allIf the ports: 80/tcp message is displayed in the command output, the firewall allows port 80. In this case, no additional operation is required.
If the ports: 80/tcp message is not displayed in the command output, run the following command to allow port 80:
firewall-cmd --zone=public --add-port=80/tcp --permanentIf
successis returned, TCP port 80 is allowed.
Windows instance
In this example, an ECS instance that runs Windows Server 2012 is used. Operations for instances that run other Windows Server versions are similar.
Connect to the Windows instance.
For more information, see Connect to a Windows instance by using a password or key.
In the lower-left corner of the desktop, click the
icon to start Server Manager. In the upper-right corner of the Server Manager window, choose Tools > Windows Defender Firewall with Advanced Security.
Check the status of the firewall.
If the firewall is disabled, no additional operation is required.
If the firewall is enabled, perform the following operations:
On the Windows Firewall with Advanced Security page, click Inbound Rules.
Check the status of Windows Remote Management - Compatibility Mode (HTTP-In).
If the inbound rule for Windows Remote Management - Compatibility Mode (HTTP-In) is enabled, no additional operation is required.
If the inbound rule for Windows Remote Management - Compatibility Mode (HTTP-In) is disabled, right-click Windows Remote Management - Compatibility Mode (HTTP-In) and then select Enable Rule.
