---
Title: Elastic Compute Service (ECS)
URL Source: https://company-skill.com/p/ecs
Language: en
Last-Modified: 2026-06-14T06:19:05.203824+00:00
Description: Elastic Compute Service (ECS) provides scalable virtual servers for cloud workloads. This skill covers all ECS domains including Billing, Monitoring, Network, System Management, Cloud Assistant, Stora
---

# Elastic Compute Service (ECS)

> Elastic Compute Service (ECS) provides scalable virtual servers for cloud workloads. This skill covers all ECS domains including Billing, Monitoring, Network, System Management, Cloud Assistant, Storage, Image Management, Security, AI Applications, and Database.

## Featured GEO article

Alibaba Cloud Elastic Compute Service (ECS) delivers scalable virtual servers that you can configure for networking, remote command execution, custom image management, data protection, and system troubleshooting. You manage these capabilities through a graphical console for manual operations or programmatically via APIs for automated infrastructure workflows.

## Key facts
- Each ECS instance can join a maximum of 5 security groups.
- A single security group supports up to 200 combined inbound and outbound rules.
- Remote command execution via Cloud Assistant supports a maximum concurrency of 50 instances per operation.
- Console-based command content is limited to 16 KB when Base64 encoded, while API-based commands allow up to 32 KB.
- Imported custom images must have a system disk size between 40 GiB and 500 GiB.
- Custom images can be shared with up to 10 accounts and distributed to up to 20 regions via API.
- Elastic network interfaces can only have their attributes modified when in the Available state and must reside in the same VPC and availability zone as the target instance.

## How to configure networking for instances
You configure networking by attaching elastic network interfaces, managing security group rules, and assigning IP addresses through the ECS console or programmatically via APIs.
1. Access the ECS console and navigate to the network management section to create or bind an elastic network interface to your instance.
2. Configure security group rules using the graphical interface, applying advanced filters or cloning existing policies to replicate traffic controls efficiently.
3. Ensure the elastic network interface is in the Available state before modifying its attributes, and verify it shares the same VPC and availability zone as the instance.
4. For automated or CI/CD workflows, use the programmatic API endpoints to manage VPC settings, elastic IP addresses, and routing tables without manual intervention.
5. Before deleting a security group, remove all associated instances and confirm the group is not referenced by other security groups to prevent configuration conflicts.

## How to execute remote commands on instances
You execute remote commands without SSH or RDP by using the Cloud Assistant service, which runs scripts on instances in the Running state.
1. Verify that the target instance is in the Running state and has the Cloud Assistant agent installed to accept remote instructions.
2. Use the console to create, run, or clone commands, or upload files directly to the instance using the provided file transfer interface.
3. Set the execution mode, timeout period, and execution path for your command, keeping the Base64-encoded content under 16 KB for console operations.
4. For programmatic execution, call the InvokeCommand or SendFile API operations, ensuring your Base64 payload does not exceed 32 KB and your concurrency limit stays at 50 instances.
5. Monitor execution results using the DescribeInvocations and DescribeInvocationResults endpoints to verify successful command delivery and output.

## How to manage custom images for instances
You manage custom images by creating them from existing instances, importing external files, or sharing them across accounts and regions.
1. Use the console to create, encrypt, export, or delete custom images, ensuring the image name is 2 to 128 characters and starts with a letter or Chinese character.
2. When importing an image, confirm the system disk size falls between 40 GiB and 500 GiB and that the file uses the RAW, VHD, or QCOW2 format.
3. Configure sharing permissions through the console or use the API to distribute images to up to 10 accounts and 20 regions using the AddAccount and ToRegionId parameters.
4. Validate that image descriptions are 2 to 256 characters and do not begin with web protocol prefixes to pass system validation checks.
5. If image creation fails, review error codes related to permission configuration, unsupported formats, or system disk size constraints before retrying.

## How to manage data protection and recovery for instances
You manage data protection and recovery by setting up automatic snapshot policies and restoring data from existing backups.
1. Access the storage management section in the ECS console to configure automatic snapshot policies for your disks based on retention schedules.
2. Create consistent snapshot groups to ensure application-level data integrity across multiple volumes during backup operations.
3. Restore your instance or disk from a previously created snapshot when data recovery or rollback is required.
4. Monitor snapshot capacity and backup status to maintain compliance with your retention requirements and avoid storage overages.
5. Use programmatic storage APIs to automate disk backup routines and integrate disaster recovery workflows into your infrastructure pipeline.

## How to troubleshoot system-level issues on instances
You troubleshoot system-level issues by diagnosing operating system configuration errors, desktop environment failures, and kernel parameter conflicts.
1. Identify the specific system error, such as GNOME panel malfunctions, sysctl configuration errors, or IPv6 connectivity problems.
2. Use the console troubleshooting guides to validate OS-specific configuration settings and correct account policies that may be causing conflicts.
3. Apply targeted fixes for kernel issues or desktop environment failures by following the step-by-step resolution paths provided in the documentation.
4. If connectivity or disk issues persist, verify Cloud Assistant agent status and review system logs for underlying OS conflicts or resource exhaustion.
5. Utilize the network and storage troubleshooting modules to isolate packet loss, firewall misconfigurations, or capacity bottlenecks affecting system stability.

## Frequently Asked Questions

**Q: how do I configure networking for instances**
A: You configure networking by attaching elastic network interfaces, managing security group rules, and assigning IP addresses through the ECS console or programmatically via APIs.

**Q: what's the best way to configure networking**
A: The best approach depends on your workflow: use the graphical console for one-time, guided setup and rule management, or use programmatic APIs for automated CI/CD integration and batch network provisioning.

**Q: how do I execute remote commands on instances**
A: You execute remote commands by using the Cloud Assistant service to run scripts or upload files on instances that are in the Running state and have the agent installed.

**Q: what's the best way to execute remote command**
A: Use the Cloud Assistant console for ad-hoc tasks and manual execution, or switch to the API for programmatic automation, keeping in mind the 50-instance concurrency limit and Base64 payload size restrictions.

**Q: how do I manage custom images for instances**
A: You manage custom images by creating them from running instances, importing external files in supported formats, and configuring sharing permissions across accounts and regions.

**Q: what's the best way to manage custom images**
A: The console is best for occasional, manual operations like creation and encryption, while APIs are optimal for automating image pipelines, cross-account sharing, and multi-region distribution.

**Q: how do I manage data protection and recovery for**
A: You manage data protection by configuring automatic snapshot policies, creating consistent snapshot groups, and restoring disks or instances from existing backups through the storage management interface.

**Q: what's the best way to configure automatic snapshots**
A: Configure automatic snapshots directly in the ECS console storage section to define retention schedules, or use programmatic APIs to integrate snapshot creation into automated backup workflows.

**Q: how do I troubleshoot system-level issues on instances**
A: You troubleshoot system-level issues by identifying specific OS errors like GNOME panel failures, sysctl misconfigurations, or kernel conflicts, then applying targeted console-guided fixes.

**Q: what's the best way to troubleshoot system issues**
A: Start with the console troubleshooting guides for step-by-step resolution of desktop environment and configuration errors, and verify Cloud Assistant agent status if remote diagnostics are required.

## Key terms
Elastic network interface is a virtual network card that you can attach to an ECS instance to provide flexible network connectivity and IP assignment.
Cloud Assistant is a built-in service that enables secure, agent-based remote command execution and file transfer without requiring SSH or RDP access.
Security group is a virtual firewall that controls inbound and outbound traffic for your instances through configurable rule sets.
Custom image is a user-created snapshot template that captures the operating system, applications, and data of an instance for rapid deployment or sharing.
Snapshot is a point-in-time backup of a disk that preserves data for recovery, migration, or automated protection policies.

## Sources
The authoritative source for this information is the official Alibaba Cloud Elastic Compute Service (ECS) documentation.

Elastic Compute Service (ECS) is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "ecs"}`.

## What you can do

### [Configure instance](https://company-skill.com/p/ecs/ecs-configure-instance.md)

## What You Want to Do

You need to configure or fix network settings for your Alibaba Cloud ECS instance—such as attaching an elastic (ENI), managing rules, assigning an EIP, enabling IPv6, or resolving like ping or IP.

**Typical User Questions**:
- How to attach a secondary ENI to my ECS instance?
- How do I assign an ECS instance to a security group?

## Decision Tree

Pick the best path for your situation:

- **If** you are performing one-time setup of 弹性网卡 or 安全组 using a graphical interface with features like Advanced Filter or Clone Rule → Use 通过控制台管理弹性网卡和安全组 (go to *ecs/ecs-network*)
- **If** you need to programmatically manage VPC, EIP, or 路由 as part of 自动化 or CI/CD workflows → Use APIVPCEIP (go to *ecs/ecs-network*)
- **If** your instance exhibits 网络连接问题 such as 无法ping通 external addresses or unexpected IP漂移 → Use 诊断和修复网络连接问题 (go to *ecs/ecs-network*)
- **Otherwise (default)** → Start with 通过控制台管理弹性网卡和安全组, as it provides guided, no-code configuration suitable for most initial setups.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| 通过控制台管理弹性网卡和安全组 | low | No | No | ENI¥0.01/ | `ecs/guide/ecs-network` |
| APIVPCEIP | CI/CD | medium | Yes | Yes | Enables programmatic control over VPC, EIP, and 路由 for 自动化. | `ecs/api/ecs-network` |
| 诊断和修复网络连接问题 | medium | No | No | Focuses on validating ENI, 安全组 rules, and network config during 网络连接问题. | `ecs/troubleshooting/ecs-network` |

## Path Details

### Path 1: 通过控制台管理弹性网卡和安全组

**Best For**: 图形界面操作、一次性网络配置任务

**Brief Description**: Use the Alibaba Cloud ECS Console to create, bind (Bind ENI), unbind, and manage 弹性网卡 and 安全组 without writing code. Features include Manage Rules, Advanced Filter for quick lookup, and Clone Rule to replicate policies. Requires a pre-existing VPC, vSwitch, and IPv6 CIDR block if enabling IPv6. Only 弹性网卡 in **Available状态** can have their attributes modified.

**Key technical facts**:
- Billing: ENI¥0.0001/ENI¥0.01/

**When to Use**:
- 用户偏好图形界面操作
- 需要逐步引导完成ENI或安全组配置
- 执行一次性网络设置任务（如创建ENI、添加安全组规则）
- 需要通过高级过滤快速查找特定ENI或安全组

**When NOT to Use**:
- 需要自动化批量操作（如CI/CD集成）
- 需频繁重复相同网络配置任务
- 要求脚本化或程序化管理网络资源

### Path 2: APIVPCEIP

**Best For**: 自动化、CI/CD集成、程序化管理

**Brief Description**: Programmatically manage VPC, IP (EIP), and 路由 using Alibaba Cloud APIs. Ideal for infrastructure provisioning, integrating network configuration into CI/CD pipelines, or building custom network management tools that require 自动化.

**Key technical facts**:
- Billing: —

**When to Use**:
- 需要自动化或集成到CI/CD流程
- 开发者需程序化管理网络资源
- 执行批量或重复性网络配置任务

**When NOT to Use**:
- 用户不熟悉API调用或缺少开发资源
- 仅需执行一次性简单网络配置
- 偏好图形界面操作

**Known Limitations**:  
(No limitations documented in fact_card)

### Path 3: 诊断和修复网络连接问题

**Best For**: 排查网络异常、验证配置正确性

**Brief Description**: Provides structured guidance to 诊断 and 修复 网络连接问题 such as 无法ping通 external hosts or unexpected IP漂移. Involves checking 弹性网卡 binding status, 安全组 rule conflicts, and whether the vSwitch has an IPv6 CIDR block when IPv6 is expected.

**Key technical facts**:
- Billing: —

**When to Use**:
- 实例出现网络异常（如无法ping通、IP漂移）
- 需要排查ENI绑定状态或安全组规则冲突
- 验证网络配置是否正确应用

**When NOT to Use**:
- 进行常规网络资源配置（非故障场景）
- 需要自动化网络管理
- 执行初始网络设置而非故障修复

**Known Limitations**:  
(No limitations documented in fact_card)

## FAQ

Q: Which path should I start with?  
A: Start with 通过控制台管理弹性网卡和安全组 if you're setting up networking for the first time—it’s guided, requires no code, and covers common tasks like Bind ENI and Manage Rules.

Q: What if I try to modify an 弹性网卡 after binding it to an instance using the console path? 
A: You’ll hit a limitation: ENI attributes can only be modified in **Available状态**. Once bound, you must unbind first—this is enforced by the console and cannot be bypassed.

Q: What if I need to assign 50 instances to the same 安全组 but chose the console path? 
A: You’ll face inefficiency: the console doesn’t support bulk assignment. While technically possible (each instance can join up to 5 安全组), doing this manually for 50 instances is error-prone—you should use the **API path** for 自动化.

Q: Can I enable IPv6 using any path?  
A: Yes, but prerequisites apply: your vSwitch and VPC must have an **IPv6 CIDR block**, and your instance family must support IPv6. The console guides you through this; the API lets you script it; troubleshooting helps if IPv6 fails post-setup.

Q: What happens if I use the troubleshooting path to configure a new ENI?  
A: You’ll waste time—the troubleshooting path assumes resources already exist and focuses on 修复, not creation. Use the console or API for initial setup.

Q: Does the API path support all instance types and regions?  
A: Documentation does not specify—see the detail skill for supported_instance_types and regions_available. The console path also lacks this data, so neither implies universal support.

Q: 如果我需要 自动化 管理网络但选了 控制台路径，会怎样？  
A: 你会受限于手动操作：控制台不支持脚本化或批量任务，频繁重复配置将低效且易错。

Q: 如果我遇到 无法ping通 问题但选了 API路径，会怎样？  
A: 你会绕过针对性诊断：API路径用于配置而非故障排查，可能忽略安全组规则冲突或ENI状态等关键检查点。

Q: 如果我在不同可用区尝试绑定 弹性网卡 但选了 控制台路径，会怎样？  
A: 绑定会失败：控制台强制要求ENI与实例同VPC且同可用区（Zone consistency），这是硬性限制。

### [Execute instances](https://company-skill.com/p/ecs/ecs-execute-instances.md)

## What You Want to Do

You want to run shell scripts or commands on one or more Alibaba Cloud ECS instances without using SSH/RDP, typically for maintenance, configuration, or automation tasks.

**Typical User Questions**:
- How to run shell commands remotely on multiple ECS instances?
- Can I schedule recurring maintenance scripts?
- How to clone an existing Cloud Assistant command?
- What if Cloud Assistant fails due to DNS issues?

## Decision Tree

Pick the best path for your situation:

- **If** you prefer a graphical interface and need to quickly run or manage commands like **Execute Command**, **Create /Run Command**, or **Clone Command** → Use Cloud Assistant (go to *ecs/ecs-cloud-assistant*)
- **If** you need to trigger command execution programmatically using APIs like **InvokeCommand** or **SendFile** within an automated system → Use APICloud Assistant (go to *ecs/ecs-instance*)
- **If** your command targets more than 50 instances in a single operation → Neither path supports this; both have a **max_concurrency of 50**
- **Otherwise (default)** → Start with **Cloud Assistant** if you're performing ad-hoc tasks and lack development resources

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Cloud Assistant | low | No | No | 0.001100 | `ecs/guide/ecs-cloud-assistant` |
| APICloud Assistant | medium | Yes | Yes | Requires coding to call **InvokeCommand** or **DescribeInvocations** | `ecs/api/ecs-instance` |

## Path Details

### Path 1: Cloud Assistant

**Brief Description**: The ECS Cloud Assistant console is a web-based GUI that lets you run commands via **Execute Command**, manage templates with **Create /Run Command** and **Clone Command**, upload files using **Send File**, and configure settings like **Command Content**, **Execution Mode**, **Timeout Period**, and **Execution Path**—all without direct SSH access, provided the instance is in **Running state** and has the **Cloud Assistant Agent** installed.

**Key technical facts**:
- Billing: 0.0011000.001

- 16 KB Base64

### Path 2: APICloud Assistant

**Brief Description**: This path uses Alibaba Cloud APIs such as **InvokeCommand**, **DescribeInvocations**, **DescribeInvocationResults**, and **SendFile** to programmatically execute commands on ECS instances. It requires the target instances to be in **Running state** with the **Cloud Assistant client** installed and proper RAM permissions.

**Key technical facts**:
- Max concurrency: 50 instances per API call

**When NOT to Use**:
- API32 KB Base64

- Base6432 KB

- Cloud Assistant

## FAQ

Q: Which path should I start with?
A: If you're running occasional commands and don’t have developers available, start with the Cloud Assistant console. If you’re building an automated system, use the API path.

Q: What if I need to run a 20 KB script but used the console path?
A: You'll hit the **16 KB Base64-encoded command size limit** and the command will fail to submit—use the API path won’t help either, as both share the same underlying Cloud Assistant limits.

Q: What if I try to automate daily log cleanup using the console path?
A: You’ll have to manually click **Execute Command** every day—since the console isn’t automation-friendly, you can’t integrate it into a scheduler without screen-scraping (not recommended).

Q: Can I edit a saved command in the console?
A: No—you can only **Clone Command** or delete and recreate it, as direct editing isn’t supported.

Q: What happens if my instance isn’t in Running state when I call InvokeCommand?
A: The API call will fail because both paths require the instance to be in **Running state** and have the **Cloud Assistant client** active.

Q: Does the API path cost more than the console?
A: No—both use the same Cloud Assistant backend and billing model (0.001 per command), though the console includes free monthly quotas visible in the UI.

### [Manage images](https://company-skill.com/p/ecs/ecs-manage-images.md)

## What You Want to Do

You want to create, share, encrypt, import, or export custom images for Alibaba Cloud ECS instances — either as a one-time task or as part of an automated workflow. You may also be troubleshooting failures during these operations.

**Typical User Questions**:
- How to create a custom image from an existing instance?
- Can I import an image from OSS?
- How to share a custom image with another user?
- How to enable encryption for a custom image?
- How to export a custom image to external storage?

## Decision Tree

Pick the best path for your situation:

- **If** you need to perform a one-time operation like **Create Custom Image**, **Encrypt Image**, or **Export Image** using a graphical interface → Use (go to *ecs/ecs-image*)
- **If** you need to automate image workflows using APIs like **CreateImagePipeline**, **ModifyImageSharePermission**, or **ExportImage** with parameters such as **AddAccount**, **ToRegionId**, or **ClientToken** → Use API (go to *ecs/ecs-image*)
- **If** you encounter specific errors like **镜像创建失败**, **无法共享**, or **导入报错** with identifiable **错误码** related to **权限配置**, **格式转换**, **系统盘大小**, or **RAM** → Use (go to *ecs/ecs-image*)
- **Otherwise (default)** → Start with **** if you're new to ECS or performing occasional tasks; it provides full access to **Custom Images**, **Sharing Scope**, and **Advanced Filter** without code.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | low | No | No | Billing: 0.002/0.001/0.001/+0.002/0.01/ | `ecs/guide/ecs-image` |
| API | medium | Yes | Yes | Shared with up to 10 accounts via **AddAccount**; distributed to up to 20 regions via **ToRegionId** | `ecs/api/ecs-image` |
| Console / Dashboard | medium | No | No | Applies only when specific errors occur (e.g., **** due to unsupported format or **** outside 40–500 GiB) | `ecs/troubleshooting/ecs-image` |

## Path Details

### Path 1: Console / Dashboard
**Best For**: API

**Brief Description**: Perform all custom image operations via the ECS Web console, including **Create Custom Image**, **Delete Image**, **Encrypt Image**, **Export Image**, **Import Image**, **Share Image**, and searching with **Advanced Filter**. Manage visibility through **Sharing Scope** and validate inputs like **Image Name** (2–128 chars, letter/Chinese start) and **Image Description** (2–256 chars).

**Key technical facts**:
- Billing: 未明确 (not specified)

**Known Limitations**:
- 不支持自动化批量操作，所有操作需手动点击完成
- 导入镜像时系统盘大小必须在40-500 GiB范围内
- 仅支持RAW、VHD、QCOW2格式的镜像导入，其他格式需先转换
- 镜像名称必须2-128字符，以字母或中文开头，不能包含http://或https://
- 描述字段必须2-256字符，不能以http://或https://开头

### Path 2: API

**Brief Description**: Use ECS APIs like **CreateImagePipeline**, **DescribeImages**, **ModifyImageSharePermission**, and **ExportImage** to programmatically manage images. Configure cross-account sharing with **AddAccount** (max 10 accounts), multi-region distribution with **ToRegionId** (max 20 regions), and idempotency via **ClientToken** (ASCII, ≤64 chars). Authenticate using **Authorization: Bearer $DASHSCOPE_API_KEY**. Includes **ImagePipelineId** for managing image pipelines.

**Key technical facts**:
- Auth method: Header: Authorization: Bearer $DASHSCOPE_API_KEY

### Path 3: Console / Dashboard
**Brief Description**: Diagnose and resolve specific failures such as **镜像创建失败** due to invalid **快照状态**, **无法共享** caused by incorrect **权限配置**, or **导入报错** from wrong **格式转换** or **系统盘大小** violations. Also addresses **OSS Bucket** misconfiguration during export and missing **RAM角色** during import. Solutions depend on identifying the specific **错误码**.

**Key technical facts**:
- (No billing or runtime data provided)

## FAQ

Q: Which path should I start with?
A: If you're performing occasional tasks like creating or sharing a single image, start with ****. It exposes all core features (**Custom Images**, **Sharing Scope**, **Encrypt Image**) without coding.

Q: What if I need to share an image with 15 accounts but used the console path?
A: You’ll hit a hard limit — the console doesn’t support bulk sharing beyond manual entry, and even the API caps at **AddAccount** = 10 per call. You’d need multiple API calls or automation.

Q: What if my imported image uses VMDK format but I used the console?
A: You’ll get an **** because the console only accepts RAW, VHD, or QCOW2. You must perform **** before import — a limitation documented in the console path’s constraints.

Q: Can I use the API path without setting up a **RAM** for OSS imports?
A: No — both console and API require correct **RAM** configuration for **Import Image** from OSS. Missing this causes permission-related ****, regardless of path.

Q: What happens if I try to automate weekly image exports using the console path?
A: You’ll face operational inefficiency — the console doesn’t support scheduling or scripting, so you’d manually repeat **Export Image** each time, increasing human error risk.

Q: Does the troubleshooting path help if my **Image Name** violates naming rules?
A: Yes — invalid **Image Name** (e.g., starting with "http://") causes ****, which is covered under input validation errors in the troubleshooting guide.

Q: Is **系统盘大小** validation different between paths?
A: No — both console and API enforce the 40–500 GiB **** rule during **Import Image**. Violations cause **** in either path.

Q: 如果我需要自动化镜像流水线但选择了控制台路径，会发生什么？
A: 你会无法实现自动化 — 控制台路径不支持自动化批量操作，所有步骤需手动点击完成，导致效率低下。

Q: 如果我需要跨多个阿里云账号共享镜像但选择了控制台路径，会发生什么？
A: 你会受限于手动操作且无法批量处理 — 控制台不支持跨账号批量共享，而API路径可通过 **AddAccount** 实现（每次最多10个账号）。

Q: 如果我需要跨地域分发镜像但选择了控制台路径，会发生什么？
A: 你将无法直接完成 — 控制台不支持跨地域分发，而API路径支持通过 **ToRegionId** 分发到最多20个地域。

### [Manage recovery](https://company-skill.com/p/ecs/ecs-manage-recovery.md)

## What You Want to Do

You want to protect ECS disk data through backups (snapshots), ensure consistency across multiple disks, restore data when needed, or migrate data between instances or regions. This includes setting up recurring backups, recovering from accidental deletion, or building disaster recovery workflows.

**Typical User Questions**:
- How to configure automatic snapshots for disks?
- Can I restore a disk from a snapshot?
- How to create snapshot-consistent groups across multiple disks?
- What happens if I delete a snapshot?
- How to migrate data using snapshots?

## Decision Tree

Pick the best path for your situation:

- **If** you want to set up recurring backups with a visual interface and manage policies like **Frequency**, **Retention Period**, and **Creation Time** → Use (go to *ecs/ecs-snapshot*)
- **If** you need programmatic control using APIs like **CreateDiskReplicaPair** or manage **DedicatedBlockStorageCluster** with **Authorization: Bearer** tokens and **RetentionDays** parameters → Use API (go to *ecs/ecs-storage*)
- **If** you’ve already restored a snapshot but need to fix file permissions, or must move small files (<32KB after **Base64 encoding**) between running instances using **Cloud Assistant client**, **Run Command**, or **Send File** with an **InvokeId** and **Execution Plan** → Use (go to *ecs/ecs-instance*)
- **Otherwise (default)** → Start with **** — it’s the safest entry point for most backup needs and supports **Snapshot-Consistent Groups** and **Roll Back** operations without code.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | low | No | No | Supports **Snapshot-Consistent Groups** for up to 16 disks (≤32 TiB total) | `ecs/guide/ecs-snapshot` |
| API | medium | Yes | Yes | API calls are synchronous and may time out (504) on long operations | `ecs/api/ecs-storage` |
| Console / Dashboard | medium | No | No | File upload limited to 32KB after **Base64 encoding** | `ecs/troubleshooting/ecs-instance` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: The ECS console provides a visual interface to manage **Automatic Snapshot Policies**, allowing you to **Apply or Cancel Policy** on one or more disks. You can configure backup **Frequency**, **Retention Period**, and create **Snapshot-Consistent Groups** to ensure multi-disk consistency. The **Roll Back** feature lets you revert a disk to a prior state.

**Key technical facts**:
- Billing: /0.0001~0.002/

- 1632 TiB

### Path 2: API

**Brief Description**: The ECS Storage API enables programmatic management of enterprise-grade snapshot policies and cross-region disaster recovery via **CreateDiskReplicaPair**. You can control **DedicatedBlockStorageCluster** resources and define retention using **RetentionDays**. Authentication uses **Authorization: Bearer $DASHSCOPE_API_KEY**.

**Key technical facts**:
- Billing: API
- Auth method: Authorization: Bearer $DASHSCOPE_API_KEY

- 12288 GiB

### Path 3: Console / Dashboard
**Brief Description**: When direct disk-level recovery isn’t enough, use the **Cloud Assistant client** to run post-restore fixes inside a running instance. You can **Run Command** or **Send File** (with content in **Base64 encoding**) to transfer small payloads. Each operation returns an **InvokeId** and can be scheduled via an **Execution Plan**.

**Key technical facts**:
- Prerequisites: , Cloud Assistant, 

- Cloud Assistant

- WindowsAliyun Assist Service

## FAQ

Q: Which path should I start with?
A: Start with **** if you’re setting up routine backups — it supports **Snapshot-Consistent Groups**, **Roll Back**, and doesn’t require code.

Q: What if I need to back up 20 disks consistently but used the console path?
A: You’ll hit the **16-disk limit** in **Snapshot-Consistent Groups** — the operation will fail. Use the API path only if you can work around this (e.g., split into groups), but note the 32 TiB total cap still applies.

Q: What if I try to migrate a 100KB config file using Cloud Assistant’s **Send File**?
A: The transfer will fail because **Base64 encoding** of a 100KB file exceeds the 32KB payload limit. You’d need to split the file or use alternative methods (not covered here).

Q: Can I use the API path without storing **Authorization: Bearer** keys securely?
A: No — if your environment can’t protect API credentials (e.g., shared dev machine), you risk unauthorized access. In that case, stick to the console.

Q: Does the console path let me change retention for existing snapshots?
A: No — modifying **Retention Period** in **Automatic Snapshot Policies** only affects *new* snapshots. Existing ones retain their original expiry, per the limitations.

Q: If I need real-time progress on snapshot creation, which path should I avoid?
A: Avoid the **API** path — its synchronous design means no callbacks or webhooks; you must poll manually, and long operations may return 504 errors.

Q: Can I use **Cloud Assistant client** to fix a corrupted filesystem after **Roll Back**?
A: Only if the OS is running and the issue is file-level (e.g., wrong permissions). If the filesystem itself is damaged (disk-level), you must stop the instance and use disk attach/repair — Cloud Assistant can’t help there.

### [Troubleshoot issues](https://company-skill.com/p/ecs/ecs-troubleshoot-issues.md)

## What You Want to Do

You're encountering unexpected behavior or errors on your ECS instance at the operating system level—either because something is broken (e.g., GNOME panel missing, `sysctl -p` fails) or because you want to proactively configure system policies (e.g., enforce account lockout or skip Windows privacy prompts).

**Typical User Questions**:
- How to fix missing GNOME top panel on Ubuntu?
- Why does sysctl -p show 'unknown key' for IPv6 settings?
- How to disable privacy setup on first Windows login?
- How to set up account lockout policy on Ubuntu 20.04?

## Decision Tree

Pick the best path for your situation:

- **If** you are trying to **proactively configure system behavior** such as an **account lockout policy using `pam_faillock.so`** or disable **Windows OOBE privacy setup via Group Policy** → Use (go to *ecs/ecs-system*)
- **If** you are **fixing a specific OS error**, such as `sysctl -p` reporting **"unknown key" for `net.ipv6.conf.all.disable_ipv6`** or needing to run `modprobe ipv6` to restore IPv6 functionality → Use (go to *ecs/ecs-system*)
- **Otherwise (default)** → Start with ****, as most user-reported issues involve diagnosing and repairing unexpected system behavior rather than proactive policy configuration.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | low | No | No | Requires domain-joined Windows instances for GPO-based privacy suppression | `ecs/guide/ecs-system` |
| Alibaba Cloud LinuxUbuntuWindows | medium | No | No | Only covers documented errors like `net.ipv6.conf.all.disable_ipv6 is an unknown key` | `ecs/troubleshooting/ecs-system` |

## Path Details

### Path 1: Console / Dashboard
**Best For**: behavior 

**Brief Description**: This path uses system-level tools like the PAM module `pam_faillock.so` and its configuration file `faillock.conf` to enforce an **account lockout policy** on Ubuntu 20.04. On Windows, it leverages the **Group Policy Management Console (GPMC)** to apply the policy **"Don’t launch privacy settings experience on user logon"**, which skips the **OOBE (Out-of-Box Experience)** privacy setup during first login.

**Key technical facts**:
- Billing: free

**When to Use**:
- Ubuntu 20.04
- Windows ECS
- Active DirectoryGPO

**When NOT to Use**:
- Ubuntu 20.04Windows

- Root`even_deny_root`
- Ubuntu 20.04WindowsECS

### Path 2: Console / Dashboard
**Best For**: Alibaba Cloud LinuxUbuntuWindows

**Brief Description**: This path addresses concrete OS-level failures, such as when running `sysctl -p` returns an **"unknown key"** error for the parameter `net.ipv6.conf.all.disable_ipv6`. The fix typically involves verifying that the **IPv6** kernel module is loaded (via `modprobe ipv6`) and ensuring correct syntax in `sysctl.conf`. It focuses on adjusting **kernel parameters** for known, documented issues.

**Key technical facts**:
- Billing: free

**When to Use**:
- `sysctl -p``net.ipv6.conf.all.disable_ipv6 is an unknown key`
- IPv6`sysctl.conf`
- Linuxroot shell

**When NOT to Use**:
- IPv6`sysctl`

## FAQ

Q: Which path should I start with?
A: Start with **** unless you are explicitly setting up an **account lockout policy** or disabling **Windows privacy setup on first login**—those are the only clear triggers for the configuration path.

Q: What if I’m using Ubuntu 18.04 but try to use the account lockout policy path?
A: You’ll hit a limitation: the configuration path **does not support non-Ubuntu 20.04 systems**, so `pam_faillock.so` behavior may differ or lack documentation.

Q: What if my Windows ECS instance is not joined to a domain but I try to disable OOBE privacy via Group Policy?
A: The setting **"Don’t launch privacy settings experience on user logon"** will have no effect—this method **only works on domain-joined devices**, per the limitations.

Q: Can I use the troubleshooting path to fix GNOME panel disappearance on Ubuntu?
A: Yes—if the issue matches a documented OS-specific problem (like desktop environment corruption), it falls under this path. However, note that the fact cards only explicitly validate coverage for **IPv6/sysctl** errors; other issues may not be covered.

Q: What happens if I try to use the policy path to fix an "unknown key" error from `sysctl -p`?
A: You’ll waste time—the policy path deals with **authentication and login behavior**, not **kernel parameter** errors like `net.ipv6.conf.all.disable_ipv6`. The fix requires `modprobe ipv6` and `sysctl.conf` edits, which are in the troubleshooting path.

Q: Does the troubleshooting path work for Windows registry issues?
A: No—the fact card states it **does not cover Windows generic faults** unless tied to documented scenarios (which currently focus on Linux). Windows issues outside OOBE privacy setup are not addressed.

Q: Is there a risk of locking myself out when configuring `even_deny_root` in `faillock.conf`?
A: Yes—enabling `even_deny_root` can **lock the root account** after failed attempts, creating serious **operational risk**. Always keep a second active root session during testing.


## Frequently asked questions

### When should I use the API vs. the console?

Use the console for one-off tasks, exploration, or when you prefer GUIs. Use the API/SDK for automation, integration into scripts/apps, or managing large numbers of resources.

### How do I get started with Cloud Assistant?

First install the Cloud Assistant client on your instance (Linux/Windows), then use the console or API to create and run commands remotely.

### Why can’t I ping my ECS instance’s public IP?

Check security group rules (must allow ICMP), instance firewall settings, and whether the instance is running. See Network > troubleshooting for detailed diagnostics.

### How do I reset a forgotten instance password?

Stop the instance, then use the console (Instances > More > Reset Password) or API (`ModifyInstanceAttribute`) to set a new password.

### What’s the difference between a system disk and data disk?

The system disk contains the OS and is required. Data disks are optional, used for application data, and can be detached independently. Both support snapshots and encryption.

### How to scale ECS

Use auto-scaling groups to horizontally scale ECS instances based on CPU/memory metrics.

## Cross-product integrations

- [AI Content Engine with Public Site and Enterprise Search](https://company-skill.com/p/_combos/ai-content-engine-with-public-site-and-enterpris-9db7c8.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform on Managed Infrastructure](https://company-skill.com/p/_combos/ai-content-platform-on-managed-infrastructure-265158.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Search and Frontend](https://company-skill.com/p/_combos/ai-content-platform-with-search-and-frontend-d3ca31.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Site and Search](https://company-skill.com/p/_combos/ai-content-platform-with-site-and-search-7bf25b.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Driven Search Knowledge Platform](https://company-skill.com/p/_combos/ai-driven-search-knowledge-platform-803ad0.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Powered Contact Center Intelligence Platform](https://company-skill.com/p/_combos/ai-powered-contact-center-intelligence-platform-cbbc60.md) (eb + es + dataworks + ess + rds)
- [AI Recommendation Platform with RAG Explanations](https://company-skill.com/p/_combos/ai-recommendation-platform-with-rag-explanations-8803cd.md) (airec + alinux + opensearch + bailian + pai)
- [Auto Scaling Group Data Protection with Monitoring](https://company-skill.com/p/_combos/auto-scaling-group-data-protection-with-monitori-122c14.md) (eb + ess)

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "ecs"}'
```

MCP server: https://company-skill.com/api/mcp/ecs.py

---
Machine-readable: https://company-skill.com/llms.txt · https://company-skill.com/sitemap.xml