I cannot connect to an ApsaraDB RDS instance, and the "Destination Host Unreachable" error message is displayed when I ping the internal endpoint of the instance.
Problem description
The internal endpoint of the RDS instance cannot be pinged from an Elastic Compute Service (ECS) instance, and the "Destination Host Unreachable" error message is displayed.
PING rm-bpxxxx.mysql.rds.aliyuncs.com (172.17.0.31) 56(84) bytes of data.
From xxxx (172.17.0.1) icmp_seq=1 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=2 Destination Host Unreachable
From xxxx (172.17.0.1) icmp_seq=3 Destination Host Unreachable
Causes
The internal CIDR block of the RDS instance conflicts with the CIDR block of another service.
Issue analysis
Ping the internal endpoint of the RDS instance to obtain the private IP address of the instance. In this example, the private IP address of the instance is 172.17.0.31.
Run the route -n command to view the routing table. In this example, a Linux system is used. The following information is returned:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.253    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br-350b446c181a
The command output shows that the CIDR block of the br-350b446c181a NIC is 172.17.0.0/24 and conflicts with the private IP address of the RDS instance. As a result, the traffic from the ECS instance cannot be routed to the RDS instance.
In most cases, the cause is that the CIDR block of a container service conflicts with the CIDR block of the RDS instance. The following section describes how to resolve route conflicts on a container service.
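The check described above (longest-prefix match of the RDS private IP against the local routing table) can be scripted so that an operator can confirm the conflict before and after changing the bridge CIDR block. The following is an added example, not part of the original article; the route output is the constructed sample quoted above, the uplink interface name eth0 is an assumption, and the "fixed" table assumes the bridge was moved to 192.168.0.0/16 as in Solution 1.

```python
import ipaddress

# Constructed sample input: the `route -n` output quoted in the analysis above.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.253    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.17.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br-350b446c181a
"""

# Constructed sample of the same host after the bridge was moved to 192.168.0.0/16.
ROUTE_OUTPUT_FIXED = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.253    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br-350b446c181a
"""

def parse_routes(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # title line or blank line
        try:
            net = ipaddress.IPv4Network((fields[0], fields[2]))  # Destination + Genmask
        except ValueError:
            continue  # column header line is not an address
        routes.append((net, fields[1], fields[7]))
    return routes

def matching_route(text, ip):
    """Longest-prefix match: the route the kernel would select for `ip`."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for route in parse_routes(text):
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best

def find_conflict(text, ip, uplink="eth0"):
    """Return (cidr, iface) when `ip` is captured by a non-uplink route, else None."""
    hit = matching_route(text, ip)
    if hit is None or hit[2] == uplink:
        return None
    return (str(hit[0]), hit[2])
```

Running find_conflict on the first table for 172.17.0.31 reports the br-350b446c181a route, while the corrected table routes the address through the default gateway on eth0.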
Solutions
Solution 1: Modify the default CIDR block of the container service
This solution is not suitable for RDS for SQL Server instances. If your RDS instance runs SQL Server, refer to Solution 2: Change the vSwitch of the RDS instance.
If you stop the Docker service or change the default CIDR block of the Docker service, services are interrupted. We recommend that you perform the operation during off-peak hours.
When you change the default CIDR block of the Docker service, make sure that the new CIDR block is compatible with the network settings of existing containers and applications to prevent connectivity issues.
In this example, Linux is used.
Stop the Docker service.
sudo systemctl stop docker
Modify the configuration file of the Docker service. In most cases, the configuration file is saved in /etc/docker/daemon.json or /etc/docker/daemon.conf. The file name may vary.
sudo vim /etc/docker/daemon.json
Use the following code snippet:
{ "bip": "New CIDR block" }
In this example, the CIDR block 192.168.0.0/16 is used.
Save and close the configuration file.
Start the Docker service for the modification to take effect.
sudo systemctl start docker
Solution 2: Change the vSwitch of the RDS instance
You can change the vSwitch of the RDS instance to ensure that the CIDR block of the vSwitch does not conflict with the CIDR block of the container service.
By default, different virtual private clouds (VPCs) cannot communicate with each other over an internal network. We recommend that you do not change the VPC of the RDS instance. This way, the internal network-based connections between the RDS instance and other Alibaba Cloud services are not affected.