Network Intelligence Service (NIS) provides the network inspection feature to allow you to diagnose cloud networks in terms of stability, security, performance, cost optimization, and operational excellence. You can use the cloud network architecture observability service provided by network inspection to identify exceptions and obtain suggestions.
Use scenarios
When you deploy or maintain networks or resources, your network configurations may not follow best practices if you are unfamiliar with the cloud services that you use. After continuous network optimizations, you may need to manage an excessive number of network instances, and configuring, verifying, and inspecting these resources requires a large amount of manual effort. To address this, you can use the network inspection feature, which diagnoses the network architecture and the resources deployed in the network and provides network optimization suggestions.
Inspection items
Inspected resource | Inspection category | Inspection item | Description | Risks | Severity level |
Elastic IP Address (EIP) | Network stability | EIP bandwidth usage check | Check the bandwidth usage of EIPs and the frequency of packet loss due to high or excess usage of bandwidth within an inspection cycle. This helps you assess whether the current bandwidth usage meets the business development requirement and identify network risks that may cause business interruptions due to insufficient bandwidth. | An alert indicating that the usage of Internet bandwidth is about to exceed the upper limit is triggered within the last inspection cycle. | Medium |
Elastic IP Address (EIP) | Network stability | EIP bandwidth usage check |  | An alert indicating that packet loss occurs because the usage of Internet bandwidth exceeds the upper limit is triggered within the last inspection cycle. | High |
Elastic IP Address (EIP) | Network stability | EIP status check | Check whether EIPs run as expected. | The EIP is in the Disabled or Inactive state. | Low |
Elastic IP Address (EIP) | Network cost optimization | Idle EIP check | Check whether idle EIPs exist. | No instance is associated with the EIP. | Low |
NAT | Network stability | NAT gateway load check | Check the loads of NAT gateways within an inspection cycle, including the number of concurrent connections, number of new connections, traffic processing rate, and loads of SNAT source ports. This helps you assess whether the current resource configuration meets the business development requirements and identify network risks that may cause business interruptions due to insufficient resources. | An alert indicating that connections are dropped because the number of NAT sessions exceeds the upper limit is triggered within the last inspection cycle. | Medium |
NAT | Network stability | NAT gateway load check |  | An alert indicating that new NAT sessions are dropped because the number of new NAT sessions exceeds the upper limit is triggered within the last inspection cycle. | High |
NAT | Network stability | NAT gateway load check |  | An alert indicating an SNAT source port allocation failure is triggered within the last inspection cycle. | High |
NAT | Network stability | NAT gateway load check |  | The bandwidth usage of the NAT gateway exceeds the upper limit. | Medium |
CEN | Network stability | Inter-region bandwidth usage check | Check the usage of the inter-region bandwidth of Cloud Enterprise Network (CEN) instances and collect statistics on the frequencies of packet loss due to high or excessive bandwidth usage during the interval between the last inspection and the current inspection. This helps you assess whether the current bandwidth limit meets your business requirements and identify network risks that may cause business interruptions due to insufficient bandwidth. | An alert indicating that packet loss occurs because the bandwidth usage of inter-region connections exceeds the upper limit is triggered within the last inspection cycle. | High |
CEN | Network stability | Inter-region bandwidth usage check |  | Packet loss occurs because traffic throttling is triggered by the quality of service (QoS) queues of inter-region connections. | High |
CEN | Network stability | Transit router connection high availability check | Check the high availability of connections between network instances and transit routers. To ensure network high availability, after you connect a network instance to a transit router, we recommend that you configure redundant connections on the transit router. | Only one zone (vSwitch) of the virtual private cloud (VPC) is connected to a transit router. When the zone is down, you cannot switch to other zones. This may cause business interruptions. | High |
CEN | Network stability | Transit router routing configuration check | Check whether potential risks exist in the routing configuration of the current transit router and provide suggestions on how to optimize the configuration. | The number of routes in the route table of the Basic Edition transit router has reached 80% of the quota limit. When the quota limit is reached, routes can no longer be added to the route table, which may lead to network failures. | Medium |
CEN | Network stability | Route check for VPCs connected to transit routers | Check whether route conflicts or risks exist in VPCs connected to transit routers and provide suggestions on how to optimize the routes. | ACL deny rules are configured for the vSwitches of the VPC that are connected to a transit router. Consequently, some traffic is denied. This may cause business interruptions. | Medium |
CEN | Network stability | VPC connection bandwidth usage check | Check the bandwidth usage of connections between VPCs and CEN instances and the frequency of packet loss due to excessive bandwidth usage within an inspection cycle. This helps you assess whether the current bandwidth meets the business development requirements and identify network risks that may cause business interruptions due to insufficient bandwidth. | An alert indicating that packet loss occurs because the bandwidth usage of VPC connections exceeds the upper limit is triggered within the last inspection cycle. | High |
VPN | Network stability | VPN gateway load check | Check the loads of VPN gateways, the risks of excessive bandwidth usage, and the frequency of Border Gateway Protocol (BGP) route advertisement overage within an inspection cycle. This helps you assess the health of VPN gateways and identify network risks that may cause business interruptions due to insufficient resources. | The number of SSL-VPN connections is about to reach the upper limit. | Medium |
VPN | Network stability | VPN gateway load check |  | An alert indicating that the number of BGP dynamic routes exceeds the upper limit is triggered within the last inspection cycle. | High |
VPN | Network stability | VPN gateway load check |  | The CIDR blocks of the SSL client and SSL server do not have sufficient idle IP addresses. | Medium |
VPN | Network stability | VPN gateway load check |  | An alert indicating that the bandwidth usage of the VPN gateway exceeds the upper limit is triggered within the last inspection cycle. | Medium |
VPN | Network stability | VPN redundancy check | Check the VPN redundancy configuration. | One tunnel in IPsec-VPN dual-tunnel mode fails to be negotiated. Consequently, cross-zone high availability (HA) becomes invalid. | High |
VPN | Network stability | VPN redundancy check |  | The VPN gateway is deployed in one zone. Therefore, it does not support cross-zone HA for disaster recovery. | High |
ALB | Network stability | ALB instance VIP load check | Check the loads of the virtual IP addresses (VIPs) of Application Load Balancer (ALB) instances within an inspection cycle, including sessions, connections, queries per second (QPS), and bandwidth. This helps you assess whether the current resource configuration meets the business development requirements and identify network risks that may cause business interruptions due to insufficient resources. | An alert indicating that new connections are dropped because the number of ALB sessions exceeds the upper limit is triggered within the last inspection cycle. | High |
ALB | Network stability | ALB instance VIP load check |  | An alert indicating that the number of ALB connection failures sharply increases is triggered within the last inspection cycle. | High |
ALB | Network stability | ALB instance VIP load check |  | An alert indicating that the QPS of the ALB instance exceeds the upper limit is triggered within the last inspection cycle. | High |
ALB | Network stability | ALB deployment high availability check | Check whether the backend servers associated with the ALB listener are spread across zones to ensure the high availability of the application. | The backend servers of the ALB listener are deployed in one zone (default backend server group). | Medium |
NLB | Network stability | NLB instance VIP load check | Check the loads of the VIPs of NLB instances within an inspection cycle, including new connections and concurrent connections. This helps you assess whether the current resource configuration meets the business development requirements and identify network risks that may cause business interruptions due to insufficient resources. | An alert indicating that the number of NLB connection failures sharply increases is triggered within the last inspection cycle. | High |
NLB | Network stability | NLB instance VIP load check |  | An alert indicating that new NLB connections are dropped is triggered within the last inspection cycle. | High |
NLB | Network stability | NLB instance VIP load check |  | An alert indicating that the number of NLB new connections exceeds the upper limit is triggered within the last inspection cycle. | High |
NLB | Network stability | NLB instance VIP load check |  | An alert indicating that the number of NLB concurrent connections exceeds the upper limit is triggered within the last inspection cycle. | High |
NLB | Network stability | NLB deployment high availability check | Check whether the backend servers associated with the NLB listener are spread across zones to ensure the high availability of the application. | Multiple backend servers of an NLB listener are deployed in a single zone. | Medium |
CLB | Network stability | CLB instance load check | Check the loads of CLB instances within an inspection cycle, including sessions, connections, and bandwidth. This helps you assess whether the current resource configuration meets the business development requirements and identify network risks that may cause business interruptions due to insufficient resources. | An alert indicating that packet loss occurs because the bandwidth usage of the CLB instance exceeds the upper limit is triggered within the last inspection cycle. | High |
CLB | Network stability | CLB instance load check |  | An alert indicating that new connections are dropped because the number of CLB new sessions exceeds the upper limit is triggered within the last inspection cycle. | High |
CLB | Network stability | CLB instance load check |  | An alert indicating that the number of CLB connection failures sharply increases is triggered within the last inspection cycle. | High |
VBR | Network stability | VBR BGP route quota check | Check the number of BGP routes for Virtual Border Routers (VBRs). | The number of BGP routes in the route table of the VBR exceeds the upper limit. | High |
VBR | Network stability | BGP connection status check | Check the status of BGP connections created over Express Connect circuits and the frequency of Express Connect circuit failures within an inspection cycle. This helps you monitor the quality of leased lines and identify stability risks at the earliest opportunity. | An alert indicating a BGP connection failure is triggered within the last inspection cycle. | High |
VBR | Network stability | Express Connect circuit check | Check the status of Express Connect circuits and the frequency of BGP connection failures within an inspection cycle. This helps you monitor the quality of leased lines and identify stability risks at the earliest opportunity. | An alert indicating an Express Connect circuit or connection failure is triggered within the last inspection cycle. | High |
VBR | Network stability | VBR health check configuration inspection | Check whether health checks are configured for VBR connections. | A static route is configured for the VBR to point to on-premises resources, but health check is not configured. If Express Connect circuits fail, automatic switching cannot be performed. | High |
VBR | Network stability | VBR health check configuration inspection |  | Health check is not configured for the VBR. If Express Connect circuits fail, automatic switching cannot be performed. | High |
VBR | Network stability | VBR connection redundancy check | Check the integrity of VBR connection redundancy to identify stability risks in scenarios in which Express Connect circuits are used. | No redundant connection is configured between the VPC and VBR. | High |
VBR | Network stability | VBR connection redundancy check |  | Redundant routing is not configured for some connections between the transit router and VBR. | High |
VBR | Network stability | VBR connection redundancy check |  | Redundant routing is not configured for some connections between the VPC and VBR. | High |
VBR | Network stability | VBR connection redundancy check |  | No redundant connection is configured between the transit router and VBR. | High |
Disable a network inspection task
You cannot create custom network inspection tasks. By default, NIS creates a free network inspection task for you. The task inspects your network on a weekly basis and generates reports.
You can disable the default network inspection task.
1. Log on to the NIS console.
2. In the left-side navigation pane, click Network Inspection.
3. On the Network Inspection page, find the default network inspection task and click Stop Inspection in the Actions column.
4. In the message that appears, click OK.
View network inspection reports
The retention period of network inspection reports is one year.
1. Log on to the NIS console.
2. In the left-side navigation pane, click Network Inspection.
3. On the Network Inspection page, find the default network inspection task. Then, you can perform the following operations:
   - View the details of the latest report
     a. In the Newest Inspection Report column, click View the report to obtain network optimization suggestions.
     b. On the report details page, you can view Basic Information, Inspection Summary, and Inspection Details.
        In the Inspection Details section, you can view abnormal inspection items, optimization suggestions, and affected resources.
   - View historical network inspection reports
     a. In the Newest Inspection Report column, click View historical reports.
     b. In the Historical Inspection Reports section of the Historical Reports page, find the report that you want to view and click its ID. You can also click View Report in the Actions column of the report.
     c. On the report details page, you can view Basic Information, Inspection Summary, and Inspection Details.
        In the Inspection Details section, you can view abnormal inspection items, optimization suggestions, and affected resources.