Service Upgrade

The new instances/network interfaces of ECS have source/destination IP check enabled by default

Affected Time

2025-04-22 00:00:00 (UTC+08)

Dear Alibaba Cloud User,

Currently, an ECS instance can send packets whose source IP does not belong to its elastic network interface (ENI). This supports scenarios such as self-built NAT gateways, self-built firewalls, and container services. To improve security and stability, Alibaba Cloud has introduced source/destination IP checking at the ENI level, which ensures that traffic sent or received by an instance uses the IP of the instance's ENI as its source or destination. If your instance runs NAT, self-built routing, or firewall services, you will need to disable source/destination checking on its ENI.

Timeline and Impact:

Alibaba Cloud already provides source/destination checking for IP forwarding at the network interface level; it is currently disabled by default.

Starting April 22, 2025, at 00:00 (UTC+08): all new customers and some existing customers will gradually have source/destination IP checking enabled by default on newly created network interfaces in all their VPCs. New ECS instances will only send and receive traffic whose source or destination is the IP of their ENI (the check can be manually disabled). Existing network interfaces and instances are not affected, and no adverse impact on your business is expected.

The existing customers mentioned above are those who, since December 1, 2024, have neither used an elastic network interface as a next-hop type in VPC routing nor sent or received traffic through a network interface that does not use that interface's IP.

To further improve the security and stability of your cloud services, we will gradually change the default source/destination IP checking behavior for newly created instances and network interfaces of other existing customers as well. Further announcements and notifications will be issued at that time; please stay tuned.

How to Disable:

If your instance runs NAT, routing, or firewall services, uses multiple network interfaces in a way that source/destination checking does not accommodate, or needs virtual IPs for self-built load balancing (which poses security risks), you must "disable network interface source/destination checking" on the relevant ECS instances for those applications to keep working as before. Otherwise, the traffic may be blocked. Disable the check only on the interfaces that need it: an interface with the check disabled can send packets with any source IP, so it should stay enabled everywhere else.

The specific operation is as follows:

You can set the source/destination checking attribute of a network interface in the console or through the OpenAPI when creating an instance or network interface, or modify it afterwards. The default is enabled; change it to disabled where needed.

Call the `RunInstances`, `CreateNetworkInterface`, or `ModifyNetworkInterfaceAttribute` API with the `SourceDestCheck` parameter set to `false`.

To check whether `SourceDestCheck` is enabled on an interface, call `DescribeNetworkInterfaces` or `DescribeNetworkInterfaceAttribute`. When it is enabled, the interface only sends and receives traffic whose source or destination is the interface's own IP.
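The following audit script is an added example, not code from Alibaba Cloud or this announcement. It reads the JSON body returned by `DescribeNetworkInterfaces` (the sample below is constructed; the field names `NetworkInterfaceSets.NetworkInterfaceSet[].SourceDestCheck` and `Tags.Tag[]` follow that API), decides for each ENI whether the current `SourceDestCheck` setting matches what its instance is expected to do, and emits the equivalent `ModifyNetworkInterfaceAttribute` call as an Alibaba Cloud CLI command. The tag key `role` and the values that mark forwarding instances (`nat`, `firewall`, `router`, `lb-vip`) are assumptions; use whatever convention marks your NAT, firewall and VIP hosts. It checks both directions: forwarding instances that still have the check on (their traffic will be dropped once the default applies) and ordinary instances that have it off (an unneeded ability to send spoofed-source packets).

```python
import json

# Assumed tagging convention (not part of the announcement): instances that are
# allowed to forward traffic for IPs other than their own carry this tag.
ROLE_TAG_KEY = "role"
FORWARDING_ROLES = {"nat", "firewall", "router", "lb-vip"}

# Constructed sample shaped like a DescribeNetworkInterfaces response body.
SAMPLE_RESPONSE = json.dumps({
    "TotalCount": 4,
    "NetworkInterfaceSets": {"NetworkInterfaceSet": [
        {"NetworkInterfaceId": "eni-nat0001", "InstanceId": "i-nat0001",
         "Type": "Primary", "PrivateIpAddress": "10.0.1.10",
         "SourceDestCheck": True,
         "Tags": {"Tag": [{"TagKey": "role", "TagValue": "nat"}]}},
        {"NetworkInterfaceId": "eni-web0001", "InstanceId": "i-web0001",
         "Type": "Primary", "PrivateIpAddress": "10.0.2.20",
         "SourceDestCheck": True, "Tags": {"Tag": []}},
        {"NetworkInterfaceId": "eni-db00001", "InstanceId": "i-db00001",
         "Type": "Primary", "PrivateIpAddress": "10.0.3.30",
         "SourceDestCheck": False,
         "Tags": {"Tag": [{"TagKey": "role", "TagValue": "database"}]}},
        {"NetworkInterfaceId": "eni-fw00001", "InstanceId": "i-fw00001",
         "Type": "Secondary", "PrivateIpAddress": "10.0.4.40",
         "SourceDestCheck": False,
         "Tags": {"Tag": [{"TagKey": "role", "TagValue": "firewall"}]}},
    ]},
})


def eni_role(eni):
    """Return the value of the assumed role tag on an ENI, or None if untagged."""
    for tag in eni.get("Tags", {}).get("Tag", []):
        if tag.get("TagKey") == ROLE_TAG_KEY:
            return tag.get("TagValue")
    return None


def modify_command(region_id, eni_id, enabled):
    """Alibaba Cloud CLI form of the ModifyNetworkInterfaceAttribute call
    (assumes the `aliyun` CLI is installed and has credentials configured)."""
    value = "true" if enabled else "false"
    return (f"aliyun ecs ModifyNetworkInterfaceAttribute --RegionId {region_id} "
            f"--NetworkInterfaceId {eni_id} --SourceDestCheck {value}")


def audit(response_json, region_id):
    """Compare each ENI's SourceDestCheck with the role its instance is tagged for.

    Returns (to_disable, to_enable):
      to_disable: forwarding instances whose check is on; their NAT/firewall
                  traffic is dropped once the check applies, so disable it.
      to_enable:  non-forwarding instances whose check is off; they can emit
                  spoofed-source packets for no reason, so turn it back on.
    Each entry carries the ENI id, instance id, private IP, role and command.
    """
    data = json.loads(response_json)
    to_disable, to_enable = [], []
    for eni in data["NetworkInterfaceSets"]["NetworkInterfaceSet"]:
        role = eni_role(eni)
        forwards = role in FORWARDING_ROLES
        # Missing attribute is treated as enabled, the announced new default.
        check_on = bool(eni.get("SourceDestCheck", True))
        entry = {"NetworkInterfaceId": eni["NetworkInterfaceId"],
                 "InstanceId": eni.get("InstanceId"),
                 "PrivateIpAddress": eni.get("PrivateIpAddress"),
                 "role": role}
        if forwards and check_on:
            entry["command"] = modify_command(region_id, eni["NetworkInterfaceId"], False)
            to_disable.append(entry)
        elif not forwards and not check_on:
            entry["command"] = modify_command(region_id, eni["NetworkInterfaceId"], True)
            to_enable.append(entry)
    return to_disable, to_enable


if __name__ == "__main__":
    disable, enable = audit(SAMPLE_RESPONSE, "cn-hangzhou")
    for e in disable:
        print(f"DISABLE check, traffic would be blocked: {e['NetworkInterfaceId']} "
              f"({e['InstanceId']}, role={e['role']})\n  {e['command']}")
    for e in enable:
        print(f"ENABLE check, spoofing capability not justified: {e['NetworkInterfaceId']} "
              f"({e['InstanceId']}, role={e['role']})\n  {e['command']}")
```

In practice, feed the script the output of `aliyun ecs DescribeNetworkInterfaces --RegionId <region> --PageSize 100` (paging through the result as needed) instead of the constructed sample, review the printed commands, and run them. The second list is the one security teams tend to forget: every interface where the check was switched off "just in case" is an interface that can send traffic with any source IP inside your VPC.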

For more details, refer to the documentation: Source/Destination Checking.

If you have any further questions, you can also contact us by submitting a ticket, and our professional service team will be available to assist you.

Best regards.