Docs
unet
Support
FAQ

FAQ

Bandwidth Related

Does the bandwidth I purchased refer to outbound bandwidth or inbound bandwidth, and is there a limit on inbound bandwidth?

The purchased bandwidth is the outbound bandwidth, which limits the bandwidth from the cloud to the external network.
When the outbound bandwidth is less than 50Mbps, the inbound bandwidth is fixed at 50Mbps; when the outbound bandwidth is greater than 50Mbps, the inbound bandwidth equals the outbound bandwidth.

How can I adjust the purchased bandwidth?

You can directly adjust the bandwidth of the public Elastic IP in the console, no need to stop the machine and it takes effect in real time.

Does it support multiple hosts sharing a single bandwidth?

Supported, use shared bandwidth.

Internet Access and Isolation

Internet Access

My host only has an internal IP, how can I access this machine?


Method One: Log in via the emergency login feature in the cloud host management interface.
Method Two: Access via port mapping configuration on a machine with external network
Users must have two machines in the same machine room at the same time, and one of the machines has an external network IP, taking the Centos system as an example:
Assuming Machine A has an internal IP: 1.1.1.1 and an external IP: 2.2.2.2, Machine B has an internal IP: 1.1.1.2
Use the ssh command to map the 22 port of the target B machine's IP to a certain port of the external IP of machine A
Command format:

ssh -C -f -N -g -L local_port:target_IP:target_port username@target_IP

Step: First log in to machine A, execute the ssh command:

ssh -C -f -N -g -L 5000:1.1.1.2:22 root@1.1.1.2

Afterwards, the B machine can be accessed from the external network using the following command:

ssh 2.2.2.2 -p 5000

Why can't I access my server on UCloud-Global in a certain location?

The server's accessibility from multiple locations can be tested using a third-party ping tool. If it is unreachable from all locations, the server's services may not be running properly. If it is unreachable from multiple locations, there may be a fault in the backbone network. If it is only unreachable from a specific location, there may be a problem with the local routing in that area, and you can appeal to the local service provider.

Private Network Isolation

Is the network isolated between different users, can others capture my data using tcpdump?

Complete Layer 2 and Layer 3 isolation between different users, unable to use packet capture tools to obtain other users' data.

What is the bandwidth of the intranet server?

Currently, there are no additional restrictions on intranet bandwidth. However, in the event of abnormal traffic such as intranet DDoS, the system will automatically limit speed and isolate.

Can a host within a subnet be moved to another subnet?

Not supported.

Why is the internal network latency so high?

Could you first check if the load on the host is very high? (For example, are CPU, memory, and bandwidth fully utilized?) If it's not caused by the host, you can contact technical support for assistance.

Firewall

Why can't I connect even though a certain port has already been opened in the firewall?

Please confirm the following two points: (1) The firewall rules have been applied to this host (2) The internal iptables of the host have been turned off. Whether the port is open can be checked through the nc command, for example, nc -nv 10.3.1.2 22. If the port is open but the service is unavailable, please check whether the service is running normally.
Another situation that causes inability to access is that the ISP operator actively blocks certain ports for reasons such as high-risk ports, such as port 445. The current port block list feedback from the operator is:
TCP: 42,135,137,138,139,445,593,1025,1068,1434,3127,3130,3332,4444,5554,6669,9996,12345,31337,54321
UDP: 135,445,593,1026,1027,1068,1434,4444,5554,9996

Why can't the host be pinged?

Please confirm the following two points: (1) The firewall rules have allowed icmp and have been applied to the host (2) The iptables inside the host have been turned off

How to open a certain port to all IPs?

Source IP Write: 0.0.0.0/0

How to restrict certain malicious users from accessing my host?

If you can obtain the access IP of a malicious user, you can add a block (Drop) rule containing that source IP in the host firewall.

Does the internal network have ACL function?

Supported, Network ACL can achieve subnet-level security isolation.

How can I isolate my internal network host from other people's hosts?

UCloud-Global's intranet uses Software Defined Networking (SDN) technology to achieve intranet isolation between different user hosts.

After modifying the firewall, will the new rules take effect immediately?
When users are using the firewall, they sometimes encounter problems where the modified rules do not take effect. This is caused by TCP long connections.
Under normal circumstances, firewall rules take effect immediately. However, in certain scenarios, the firewall rules do not take effect immediately.
Taking Nginx as an example, Nginx will send a FIN packet after triggering keepalive_timeout (default is 65 seconds), causing nf_conntrack_tcp_timeout_established to no longer work, and instead triggering the rule of nf_conntrack_tcp_timeout_time_wait, whose default rule is 120 seconds.
In this scenario, it takes up to two minutes for the firewall to take effect.
For long connection scenarios like MySQL, since the system kernel and parameter nf_conntrack_tcp_timeout_established set its default expiration time to 5 days, once the connection is established in this scenario, it is difficult to immediately block the connection by modifying the firewall.

Remedial measures for the firewall not taking effect immediately:

As mentioned in the MySQL scenario above, its port is 3306. Suppose in order to block connections from 1.2.3.4, you can use the "RAW" table of iptables in the UHost.

iptables -t raw -I PREROUTING -s 1.2.3.4 -p tcp -m tcp --dport 3306 -j DROP

The reason why this method works is because in the Netfilter of the Linux system, a RAW table with a higher priority is inserted before the conntrack of the PREROUTING and OUTPUT HOOKs. Through the RAW table, traffic that does not need to be conntracked can be separated.

What impact will there be on previously established connections after modifying the firewall?

The firewall will not block established connections, so it is not affected by the firewall.

Possible reasons for firewall rule modification failure:

Please check for duplicate firewall rules. If the protocol, port, source address, and action are repeated, it is considered as a duplicate rule. If duplicate rules exist, you need to delete all duplicate rules and resubmit the request.

EIP Usage Related

How long does it take for the binding of the external elastic IP to take effect?

Under normal circumstances, it takes effect within 5 seconds.

Can a cloud host be bound to multiple external elastic IPs?

Can bind any number of them.

Does one Elastic IP support binding to multiple cloud hosts?

A single Elastic IP for the public network can only be bound to one cloud host, but it can be transferred to another cloud host by unbinding and binding. If there is a need to bind multiple hosts, consider using a NAT gateway to solve this problem.

Other Issues

Using MTR, traceroute found serious packet loss at a certain hop, does this mean your line quality is very poor?

The principle of traceroute, if the packet loss of the N+1 hop is less than that of the N hop, it indicates that the packet loss of the N hop is caused by the router's ICMP limit or other policies, not a network problem. If the packet loss continues to increase after a certain hop, it may be a network problem. Please contact technical support for assistance.

After optimizing the tw_recycle parameter, connections to the UHost often timeout.

Please check if the result of the following command is 1:

sysctl -a | grep tw_recycle

A result of 1 can cause situations such as timeouts when clients behind NAT connect to cloud hosts. Currently, most internet scenarios are NAT, such as internet at home (via wireless router), and internet at the company (via gateway). The reason for the timeout is that Linux's tw_recycle is not compatible with NAT. Linux has requirements for the timestamp value in sockets that use timestamps. The reason why Windows has no problem is that Windows does not use the TCP timestamp feature.

After using a certain cloud host as an external network gateway, is it necessary to add other routes?

The traffic of the cloud host can be divided into vertical traffic: external network traffic, and horizontal traffic: internal communication between cloud hosts. After the default route is modified to the cloud host acting as the gateway, all traffic will become horizontal traffic, which will affect the efficiency of vertical traffic. The solution is to add a static route.

Example of Adding Route in Linux :

# The gateway is 10.4.0.1`
ip ro add 10.255.0.0/16 via 10.4.0.1`
ip ro add 10.4.0.0/16 via 10.4.0.1`
echo "ip ro add 10.255.0.0/16 via 10.4.0.1" >> /etc/rc.local`
echo "ip ro add 10.4.0.0/16 via 10.4.0.1" >> /etc/rc.local`

Note:
The method of writing into rc.local mentioned above is invalid in CentOS 7, and needs to be directly written into /etc/sysconfig/network-scripts/route-eth0
Example of adding routes in Windows:

# The gateway is 10.4.0.1`
route add 10.255.0.0 mask 255.255.0.0 10.4.0.1 /p`
route add 10.4.0.0 mask 255.255.0.0 10.4.0.1 /p`

What is a cloud security protection strategy?

The cloud security system will monitor the cloud platform in real time, and the monitoring mechanism mainly discovers external attack behaviors through network packet monitoring.
When the security system finds that the external access packet volume of a resource exceeds the normal threshold, the system will analyze the behavior of the network data packet of the resource. If the analysis results indicate an attack behavior, the security protection mechanism for the resource will be triggered, that is, the resource will enter a protection period.
Note:
When a resource triggers a protection mechanism, the resource will still run normally and provide services externally, but there may be network fluctuations, so if you receive a security alert, please handle it in time. If you have any questions, please contact technical support.

Sometimes I notice that my cloud host has some internal network addresses scanning TCP port 11. What could be the reason?

The public cloud operation and maintenance system will scan specific ports of the cloud platform to detect connectivity and confirm whether the network services of the public cloud platform are normal. This check will not cause any harm to the cloud host, nor will it affect your business.