Language / 语言: Respond in the same language the user uses.
If the user speaks Chinese, use the Chinese (zh-CN) prompts below.
If the user speaks English, use the English (en) prompts below.
使用与用户相同的语言进行回复。
如果用户使用中文,请使用下面的中文(zh-CN)提示词。
如果用户使用英文,请使用下面的英文(en)提示词。
Guides an agent through interactive network reachability analysis using Alibaba Cloud NIS. Covers forward/reverse path analysis, topology visualization (Mermaid), and monitoring diagnostics for resources along the path.
架构: NIS (CreateAndAnalyzeNetworkPath + GetNetworkReachableAnalysis) + CloudMonitor (DescribeMetricData)
⚠️ CRITICAL / 关键: READ-ONLY OPERATIONS ONLY
>
This skill performs read-only network diagnostics. DO NOT create, modify, or delete any cloud resources.
本技能仅执行只读网络诊断操作。严禁创建、修改或删除任何云资源。
>
Allowed: CreateAndAnalyzeNetworkPath, GetNetworkReachableAnalysis, DescribeMetricData, Describe APIs
允许:分析任务创建与查询、监控数据查询、Describe 类查询 API
>
Forbidden: Create (except CreateAndAnalyzeNetworkPath), Modify, Delete, Start, Stop, Run APIs
禁止:创建类 API(除 CreateAndAnalyzeNetworkPath 外)、修改、删除、启停、执行类 API
核心工作流程
步骤 1:正向路径分析
aliyun nis create-and-analyze-network-path \
--source-id \
--source-type \
--target-id \
--target-type \
--protocol \
--target-port \
--source-ip-address \
--target-ip-address \
--region \
--user-agent AlibabaCloud-Agent-Skills
若 SourceType/TargetType 不是 vpn 或 vbr,可省略 --source-ip-address / --target-ip-address。
若 Protocol 是 icmp,可省略 --target-port。
记录返回的 NetworkReachableAnalysisId。
⚠️ 强制要求:正向分析完成后,必须执行反向路径分析。
>
必须在步骤 2 完成后立即执行步骤 3(反向路径分析)。严禁跳过或省略反向路径检查。
步骤 2:轮询正向结果
aliyun nis get-network-reachable-analysis \
--network-reachable-analysis-id \
--region \
--user-agent AlibabaCloud-Agent-Skills
重复执行直至 NetworkReachableAnalysisStatus 为 finish。提取 Reachable 和 NetworkReachableAnalysisResult。
步骤 3:反向路径分析
交换源和目的:
- 正向
SourceId/Type → 反向 TargetId/Type
- 正向
TargetId/Type → 反向 SourceId/Type
- 正向
SourceIpAddress → 反向 TargetIpAddress
- 正向
TargetIpAddress → 反向 SourceIpAddress
端口处理:
- 反向
--source-port = 正向 TargetPort(服务端监听端口)
- 反向
--target-port = 临时端口范围内的随机端口 49152 ~ 65535(客户端临时端口)
由于客户端发起连接时使用动态分配的临时端口,反向路径(服务端→客户端)的目的端口应使用临时端口范围(49152-65535)内的随机值来模拟真实回程流量。
aliyun nis create-and-analyze-network-path \
--source-id \
--source-type \
--target-id \
--target-type \
--protocol \
--source-port \
--target-port \
--source-ip-address \
--target-ip-address \
--region \
--user-agent AlibabaCloud-Agent-Skills
若源/目的类型不是 vpn 或 vbr,可省略 --source-ip-address / --target-ip-address。
步骤 4:轮询反向结果
与步骤 2 相同,使用反向的 NetworkReachableAnalysisId。
步骤 5:结果解读
关键:始终使用主动发起的分析任务返回的 topologyData.positive。
忽略任何响应中的 topologyData.reverse——它不可靠。
对正向和反向分别:
- 检查
Reachable 字段,true 表示可达。
- 若为
false,分析以下字段定位阻断点:
-
errorCode — 根因错误码
-
securityGroupData — 安全组拦截规则
-
routeData — 路由表丢包条目
步骤 6:拓扑可视化(Mermaid)
从 topologyData.positive 生成 Mermaid 图:
`` graph LR
nodeList 提取 nodeType 和 bizInsId
链接:从 linkList 构建有向边示例:
mermaid
graph LR
ECS_i-src["ECS: i-bp1xxx"] --> VRouter_vrt-1["VRouter: vrt-xxx"]
VRouter_vrt-1 --> VSW_vsw-1["VSW: vsw-xxx"]
VSW_vsw-1 --> ENI_eni-1["ENI: eni-xxx"]
ENI_eni-1 --> ECS_i-dst["ECS: i-bp2xxx"]
步骤 7:途经资源监控诊断
对
topologyData 中途经的资源 ID,若匹配以下前缀,查询最近 1 小时监控数据:
| 前缀 | 命名空间 | 指标 |
|---|
ecs- | acs_ecs_dashboard | CPUUtilization, ConnectionUtilization, DiskReadWriteIOPSUtilization, BurstCredit, DiskIOQueueSize |
eip- | acs_vpc_eip | out_ratelimit_drop_speed, net_out.rate_percentage, net_rxPkgs.rate |
nat- | acs_nat_gateway | ErrorPortAllocationCount, SessionLimitDropConnection, SessionActiveConnectionWaterLever, SessionNewConnectionWaterLever, BWRateOutToOutside, DropTotalPps |
clb- | acs_slb_dashboard | UnhealthyServerCount, UpstreamCode5xx, InstanceQpsUtilization, InstanceMaxConnectionUtilization, UpstreamRt, StatusCode4xx |
vbr- | acs_physical_connection | VbrHealthyCheckLossPercent, VbrHealthyCheckLatency, PkgsRateLimitDropOutFromVpcToVbr, RateOutFromVpcToIDC |
查询命令(CMS 使用
PascalCase API 风格,非插件模式):
bash
aliyun cms DescribeMetricData \
--Namespace \
--MetricName \
--Dimensions '[{"instanceId":""}]' \
--StartTime <1HourAgoTimestamp> \
--EndTime \
--Period 60 \
--user-agent AlibabaCloud-Agent-Skills
`
速率限制:每个账户每秒 10 次调用。跨多个指标的批量查询应相应控制调用频率。
清理
NIS 可达性分析为只读操作——不会创建或修改任何云资源,无需清理。
使用限制
- 仅支持 IPv4 — 仅支持 IPv4 路径分析。
- 单向分析 — 每次分析为单向;反向路径需要单独的任务并交换源/目的。
- CMS 配额 — DescribeMetricData
与其他 CMS 查询 API 共享每月 1,000,000 次免费调用。
- CMS 频控 — 每账户每秒 10 次调用(包括 RAM 用户)。
最佳实践
- 始终执行正向+反向分析以确认双向连通性。
- 路径不可达时,优先检查安全组规则和路由表。
- vpn
/vbr` 场景务必提供云下私网 IP。
- 使用 Mermaid 拓扑图帮助用户可视化流量路径。
- 仅查询实际路径上的资源监控数据以减少 API 调用。
- 将监控异常与可达性结果一并呈现,提供完整诊断。
参考文件
# NIS Network Reachability Analysis / NIS 网络可达性分析
Language / 语言: Respond in the same language the user uses.
If the user speaks Chinese, use the Chinese (zh-CN) prompts below.
If the user speaks English, use the English (en) prompts below.
Guides an agent through interactive network reachability analysis using Alibaba Cloud NIS.
Covers forward/reverse path analysis, topology visualization (Mermaid), and monitoring diagnostics
for resources along the path.
Architecture:
NIS (CreateAndAnalyzeNetworkPath + GetNetworkReachableAnalysis) + CloudMonitor (DescribeMetricData)
⚠️ CRITICAL / 关键: READ-ONLY OPERATIONS ONLY
>
This skill performs read-only network diagnostics. DO NOT create, modify, or delete any cloud resources.
>
本技能仅执行只读网络诊断操作。严禁创建、修改或删除任何云资源。
>
Allowed: CreateAndAnalyzeNetworkPath, GetNetworkReachableAnalysis, DescribeMetricData, Describe APIs
>
允许:分析任务创建与查询、监控数据查询、Describe 类查询 API
>
Forbidden: Create (except CreateAndAnalyzeNetworkPath), Modify, Delete, Start, Stop, Run APIs
>
禁止:创建类 API(除 CreateAndAnalyzeNetworkPath 外)、修改、删除、启停、执行类 API
Installation
Pre-check: Aliyun CLI >= 3.3.1 required
Run aliyun version to verify >= 3.3.1. If not installed or version too low,
see references/cli-installation-guide.md for installation instructions.
Then [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
``
bash
aliyun version
aliyun configure set --auto-plugin-install true
`
Authentication
Pre-check: Alibaba Cloud Credentials Required
>
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
is FORBIDDEN)
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use aliyun configure set
with literal credential values
- ONLY use aliyun configure list
to check credential status
>
`
bash
aliyun configure list --user-agent AlibabaCloud-Agent-Skills
`
Check the output for a valid profile (AK, STS, or OAuth identity).
>
If no valid profile exists, STOP here.
1. Obtain credentials from Alibaba Cloud Console
2. Configure credentials outside of this session (via
aliyun configure
in terminal or environment variables in shell profile)
3. Return and re-run after aliyun configure list
shows a valid profile
RAM Permissions
See references/ram-policies.md for the full RAM policy.
Required actions: nis:CreateAndAnalyzeNetworkPath
, nis:GetNetworkReachableAnalysis
, cms:DescribeMetricData
.
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, instance IDs, IP addresses,
protocol, ports, resource types, etc.) MUST be confirmed with the user.
Do NOT assume or use default values without explicit user approval.
Collect the following parameters interactively:
| Parameter | Required | Description (EN) | 说明 (ZH) | Default |
|-----------|----------|-------------------|-----------|---------|
| RegionId | Yes | Region of the analysis task | 分析任务所在地域 | — |
| SourceType | Yes | ecs
, vsw
, internetIp
, vpn
, vbr
| 源端类型 | — |
| SourceId | Yes | Source resource ID (or public IP if internetIp
) | 源资源 ID(公网 IP 类型直接填 IP) | — |
| SourceIpAddress | Conditional | On-Premise IP, required for vpn
/vbr
| 云下私网 IP,vpn
/vbr
时必填 | — |
| TargetType | Yes | ecs
, vsw
, internetIp
, vpn
, vbr
, clb
| 目的端类型 | — |
| TargetId | Yes | Target resource ID (or public IP if internetIp
) | 目的资源 ID(公网 IP 类型直接填 IP) | — |
| TargetIpAddress | Conditional | On-Premise IP, required for vpn
/vbr
| 云下私网 IP,vpn
/vbr
时必填 | — |
| Protocol | Yes | tcp
, udp
, or icmp
| 协议类型 | — |
| TargetPort | Conditional | Required for tcp
/udp
| tcp
/udp
时必填 | — |
| SourcePort | Optional | Source port | 源端口 | — |
Interactive Collection Logic / 交互收集逻辑
Use the prompts matching the user's language:
Step 1 — Ask resource types / 询问资源类型
| EN | ZH |
|----|-----|
| "What is the source resource type? (ecs / vsw / internetIp / vpn / vbr)" | "请问源端资源类型是什么?(ecs / vsw / internetIp / vpn / vbr)" |
| "What is the target resource type? (ecs / vsw / internetIp / vpn / vbr / clb)" | "请问目的端资源类型是什么?(ecs / vsw / internetIp / vpn / vbr / clb)" |
Step 2 — Type-specific prompts / 按类型提示
| Condition | EN Prompt | ZH Prompt |
|-----------|-----------|-----------|
| internetIp
| "For public IP analysis, please provide the public IP address directly as the ID." | "分析公网路径时,请直接提供公网 IP 地址作为 ID 传入。" |
| vpn
/ vbr
| "For hybrid cloud analysis, besides the resource ID, please also provide the On-Premise IP (private IP on your side)." | "连接云下环境时,除了资源 ID,请务必提供您的云下私网 IP (On-Premise IP) 以确保分析准确。" |
Step 3 — Protocol & ports / 协议和端口
| EN | ZH |
|----|-----|
| "What protocol? (tcp / udp / icmp) And what is the target port?" | "请问使用什么协议?(tcp / udp / icmp)目的端口是多少?" |
Core Workflow
Step 1: Forward Path Analysis / 正向路径分析
`
bash
aliyun nis create-and-analyze-network-path \
--source-id \
--source-type \
--target-id \
--target-type \
--protocol \
--target-port \
--source-ip-address \
--target-ip-address \
--region \
--user-agent AlibabaCloud-Agent-Skills
`
Omit
--source-ip-address
/ --target-ip-address
if SourceType/TargetType is not vpn
or vbr
.
Omit --target-port
if Protocol is icmp
.
Record the returned NetworkReachableAnalysisId
.
⚠️ MANDATORY / 强制: ALWAYS perform reverse path analysis after forward analysis completes.
>
MUST execute Step 3 (Reverse Path Analysis) immediately after Step 2 finishes. Do NOT skip or omit reverse path check.
>
必须在正向分析完成后立即执行 Step 3(反向路径分析)。严禁跳过或省略反向路径检查。
Step 2: Poll for Forward Result / 轮询正向结果
`
bash
aliyun nis get-network-reachable-analysis \
--network-reachable-analysis-id \
--region \
--user-agent AlibabaCloud-Agent-Skills
`
Repeat until NetworkReachableAnalysisStatus
is finish
. Extract Reachable
, NetworkReachableAnalysisResult
.
Step 3: Reverse Path Analysis / 反向路径分析
Swap source and target / 交换源和目的:
SourceId/Type
→ Reverse TargetId/Type
Forward TargetId/Type
→ Reverse SourceId/Type
Forward SourceIpAddress
→ Reverse TargetIpAddress
Forward TargetIpAddress
→ Reverse SourceIpAddress
Port handling / 端口处理:
--source-port
= Forward TargetPort
(server listening port / 服务端监听端口)
Reverse --target-port
= Random ephemeral port in range 49152 ~ 65535 (client ephemeral port / 客户端随机端口)
Since the client initiates the connection with a dynamically assigned ephemeral port, the reverse path (server → client) should use a random port in the ephemeral range (49152-65535) as the target port to simulate real return traffic.
>
由于客户端发起连接时使用动态分配的临时端口,反向路径(服务端→客户端)的目的端口应使用临时端口范围(49152-65535)内的随机值来模拟真实回程流量。
`
bash
aliyun nis create-and-analyze-network-path \
--source-id \
--source-type \
--target-id \
--target-type \
--protocol \
--source-port \
--target-port \
--source-ip-address \
--target-ip-address \
--region \
--user-agent AlibabaCloud-Agent-Skills
`
Omit
--source-ip-address
/ --target-ip-address
if SourceType/TargetType is not vpn
or vbr
.
若源/目的类型不是 vpn
或 vbr
,可省略 --source-ip-address
/ --target-ip-address
。
Step 4: Poll for Reverse Result / 轮询反向结果
Same as Step 2, using the reverse NetworkReachableAnalysisId
.
Step 5: Result Interpretation / 结果解读
CRITICAL / 关键: Always use
topologyData.positive
from the actively initiated analysis task.
IGNORE topologyData.reverse
in any response — it is unreliable.
>
始终使用主动发起的分析任务返回的
topologyData.positive
。
忽略任何响应中的 topologyData.reverse
——它不可靠。
For each direction (forward/reverse) / 对正向和反向分别:
Reachable
field. If true
, path is connected. / 检查 Reachable
字段,true
表示可达。
If false
, analyze from NetworkReachableAnalysisResult
: / 若为 false
,分析以下字段定位阻断点:
- errorCode
— root cause code / 根因错误码
- securityGroupData
— security group rules blocking traffic / 安全组拦截规则
- routeData
— route table entries causing drops / 路由表丢包条目
Step 6: Topology Visualization / 拓扑可视化 (Mermaid)
Generate a Mermaid diagram from topologyData.positive
:
`
graph LR
`
nodeType
and bizInsId
from nodeList
Links: Build directional edges from linkList
Example:
`
mermaid
graph LR
ECS_i-src["ECS: i-bp1xxx"] --> VRouter_vrt-1["VRouter: vrt-xxx"]
VRouter_vrt-1 --> VSW_vsw-1["VSW: vsw-xxx"]
VSW_vsw-1 --> ENI_eni-1["ENI: eni-xxx"]
ENI_eni-1 --> ECS_i-dst["ECS: i-bp2xxx"]
`
Step 7: Resource Monitoring Diagnostics / 途经资源监控诊断
For resource IDs found in topologyData
, if they match the prefixes below, query monitoring data for the last 1 hour:
对 topologyData
中途经的资源 ID,若匹配以下前缀,查询最近 1 小时监控数据:
| Prefix | Namespace | Metrics |
|--------|-----------|---------|
| ecs-
| acs_ecs_dashboard
| CPUUtilization
, ConnectionUtilization
, DiskReadWriteIOPSUtilization
, BurstCredit
, DiskIOQueueSize
|
| eip-
| acs_vpc_eip
| out_ratelimit_drop_speed
, net_out.rate_percentage
, net_rxPkgs.rate
|
| nat-
| acs_nat_gateway
| ErrorPortAllocationCount
, SessionLimitDropConnection
, SessionActiveConnectionWaterLever
, SessionNewConnectionWaterLever
, BWRateOutToOutside
, DropTotalPps
|
| clb-
| acs_slb_dashboard
| UnhealthyServerCount
, UpstreamCode5xx
, InstanceQpsUtilization
, InstanceMaxConnectionUtilization
, UpstreamRt
, StatusCode4xx
|
| vbr-
| acs_physical_connection
| VbrHealthyCheckLossPercent
, VbrHealthyCheckLatency
, PkgsRateLimitDropOutFromVpcToVbr
, RateOutFromVpcToIDC
|
Query command (CMS uses PascalCase API-style, not plugin mode):
`
bash
aliyun cms DescribeMetricData \
--Namespace \
--MetricName \
--Dimensions '[{"instanceId":""}]' \
--StartTime <1HourAgoTimestamp> \
--EndTime \
--Period 60 \
--user-agent AlibabaCloud-Agent-Skills
`
Rate limit: 10 calls/second per account. Batch queries across multiple metrics should be paced accordingly.
Cleanup / 清理
NIS reachability analysis is read-only — no cloud resources are created or modified.
No cleanup is required.
NIS 可达性分析为只读操作——不会创建或修改任何云资源,无需清理。
Constraints / 使用限制
- IPv4 only / 仅支持 IPv4 — Only IPv4 path analysis is supported.
- Unidirectional / 单向分析 — Each analysis is one-way; reverse path requires a separate task with swapped source/target.
- CMS quota / CMS 配额 —
DescribeMetricData
shares 1,000,000 free calls/month with other CMS query APIs.
CMS rate limit / CMS 频控 — 10 calls/second per account (including RAM users).
Best Practices / 最佳实践
- Always perform both forward and reverse analysis to confirm bidirectional connectivity. / 始终执行正向+反向分析以确认双向连通性。
- When path is unreachable, check security group rules and route tables first. / 路径不可达时,优先检查安全组规则和路由表。
- For
vpn
/vbr
scenarios, always provide On-Premise IP. / vpn
/vbr` 场景务必提供云下私网 IP。
Use Mermaid topology diagrams to visualize traffic paths. / 使用 Mermaid 拓扑图帮助用户可视化流量路径。
Query monitoring data only for resources on the actual path. / 仅查询实际路径上的资源监控数据以减少 API 调用。
Present monitoring anomalies alongside reachability results. / 将监控异常与可达性结果一并呈现,提供完整诊断。
References / 参考文件
| Reference | Contents (EN) | 内容 (ZH) |
|-----------|---------------|-----------|
|
references/ram-policies.md | Required RAM permissions | 所需 RAM 权限策略 |
|
references/verification-method.md | Step-by-step verification commands | 逐步验证命令 |
|
references/acceptance-criteria.md | Correct/incorrect CLI patterns | 正确/错误 CLI 模式对照 |
|
references/cli-installation-guide.md | Aliyun CLI installation guide | 阿里云 CLI 安装指南 |