Virtual Private Cloud: Use the reachability analyzer for troubleshooting

Last Updated: Feb 13, 2025

You can use the Network Intelligence Service (NIS) for bidirectional path analysis to diagnose connectivity issues in VPC peering connections caused by configuration errors.

Scenario

A company has created VPC1 in the China (Beijing) region and VPC2 in the China (Shanghai) region, with a peering connection to facilitate network connectivity between them.

Despite setting up the VPC peering connection, ECS1 and ECS2 cannot communicate with each other. Path analysis is required for troubleshooting.

Prerequisites

Procedure

Note

Because the path analysis is a virtual process that does not transmit real packets, it does not impact your operations.

Step 1: Configure path analysis

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click VPC Peering Connection.

  3. Select the target region from the top navigation bar.

  4. On the VPC Peering Connection page, find the VPC peering connection instance that you want to manage, and initiate path analysis using one of the following methods:

    • In the Diagnose column, select Diagnose > Reachability Analyzer and set the parameters in the Reachability Analyzer panel.

    • Click the instance ID and configure the parameters on the Reachability Analyzer tab.

  5. Configure the parameters as follows and click Start Analyzing.

Step 2: Troubleshooting

After the reachability analysis is completed, the system will display details for each node along the virtual network path that connects the source and destination.

If the path is Unreachable, troubleshoot according to the reported cause:

  • Unreachable: Ensure that the VPC route table contains a route whose destination CIDR block is that of the peer VPC and whose next hop is the VPC peering connection.

  • The request matches security group rules or is denied by default: Ensure the security group of the ECS instance in the VPC permits traffic from the peer VPC. Modify the inbound or outbound rules as necessary.

  • The request matches network ACL deny rules or is denied by default: Check whether the network ACLs of the vSwitches permit traffic from the peer VPC. Modify the inbound or outbound rules as necessary.

If the status is Reachable, you may select Reverse Path Analysis to go to the Start Analyzing page on the Network Intelligence Service console, where you can set up the reverse path to verify network connectivity.
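The three checks above, run in both directions, as an added example (not Alibaba Cloud code and not the analyzer's own logic). It assumes a simplified rule model (ordered rules, first match wins, no match means deny); the addresses, rule sets, the `vpc-peering` next-hop label and all function names are constructed for illustration.

```python
import ipaddress

def first_match(rules, peer_ip, port):
    """Simplified rule model: ordered list, first match wins, no match is a default deny."""
    for rule in rules:
        lo, hi = rule["ports"]
        if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi:
            return rule["policy"]
    return "default-deny"

def analyze(src, dst, port):
    """Walk one direction of the path and return the first blocking node, or 'Reachable'."""
    dst_ip = ipaddress.ip_address(dst["ip"])
    # Source VPC route table: the longest-prefix match must point at the peering connection.
    hits = [r for r in src["routes"] if dst_ip in ipaddress.ip_network(r["cidr"])]
    best = max(hits, key=lambda r: ipaddress.ip_network(r["cidr"]).prefixlen, default=None)
    if best is None or best["next_hop"] != "vpc-peering":
        return "Unreachable: no route to the peer CIDR via the peering connection"
    # Destination vSwitch network ACL, then destination ECS security group (inbound).
    if first_match(dst["acl_in"], src["ip"], port) != "accept":
        return "Denied by network ACL"
    if first_match(dst["sg_in"], src["ip"], port) != "accept":
        return "Denied by security group"
    return "Reachable"

ALLOW_ALL = [{"cidr": "0.0.0.0/0", "ports": (1, 65535), "policy": "accept"}]
# Constructed sample configuration (addresses and rules are illustrative only).
ECS1 = {"ip": "10.0.0.10", "acl_in": ALLOW_ALL,
        "routes": [{"cidr": "10.0.0.0/16", "next_hop": "local"},
                   {"cidr": "172.16.0.0/16", "next_hop": "vpc-peering"}],
        "sg_in": [{"cidr": "172.16.0.0/16", "ports": (22, 22), "policy": "accept"}]}
ECS2 = {"ip": "172.16.0.20", "acl_in": ALLOW_ALL,
        "routes": [{"cidr": "172.16.0.0/16", "next_hop": "local"}],  # no route back to VPC1
        "sg_in": [{"cidr": "10.0.0.0/16", "ports": (443, 443), "policy": "accept"}]}

def bidirectional(a, b, port):
    """Forward and reverse result, the way a reverse path analysis follows a forward one."""
    return analyze(a, b, port), analyze(b, a, port)

if __name__ == "__main__":
    print(bidirectional(ECS1, ECS2, 443))
```

In the sample, the forward path is reachable while the reverse path fails at the route table, which is the kind of one-sided misconfiguration that a forward-only check misses.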

References

  • For more information on the reachability analyzer of Network Intelligence Service, see Work with the reachability analyzer.

  • Use the troubleshooting feature to examine issues, such as connectivity between VPC and the Internet, costs, and resource quotas. For more information, see Troubleshooting.