Associate multiple EIPs with an ECS instance in NAT mode - Best practices| Alibaba Cloud Documentation Center

Background information

You can assign multiple secondary private IP addresses to a secondary ENI. If a secondary ENI is in the Available state, you can assign up to 10 secondary private IP addresses to the secondary ENI.
Each secondary private IP address can be associated with an EIP in NAT mode. For more information about the NAT mode, see Association modes.
ECS instances can communicate with the Internet only if they have public IP addresses. If you do not use a secondary ENI, each ECS instance can be assigned only one static public IP address or associated with only one EIP. To assign multiple public IP addresses to an ECS instance, you can associate EIPs with a secondary ENI, and then associate the secondary ENI with the ECS instance. If the ECS instance hosts multiple applications, each application uses an independent public IP address to communicate with the Internet. This way, you can improve the utilization of the ECS instance.

Scenarios

This scenario in the following figure is used an as example. A company has created an ECS instance on Alibaba Cloud and associated an EIP with the ECS instance. To meet business requirements, the company needs to associate three EIPs with the ECS instance.

You can assign two secondary private IP addresses to a secondary ENI. In this case, the secondary ENI has one primary private IP address and two secondary private IP addresses. Then, associate EIPs with the private IP addresses in NAT mode, and associate the secondary ENI with the ECS instance. This way, the ECS instance is associated with multiple EIPs. Scenarios

Prerequisites

An ECS instance is created. For more information, see Create an instance by using the wizard.
A secondary ENI is created and meets the following requirements:
- The secondary ENI and the ECS instance to be associated with the secondary ENI are deployed in the same virtual private cloud (VPC).
- The vSwitch of the secondary ENI and the vSwitch of the ECS instance to be associated with the secondary ENI are deployed in the same zone.
For more information, see Create an ENI.
Three EIPs are created in the same region as the ENI. For more information, see Apply for an EIP.

Procedure

Step 1: Assign multiple secondary private IP addresses to a secondary ENI

You can assign multiple secondary private IP addresses to a secondary ENI and associate the secondary ENI with an ECS instance. This ensures high utilization and service availability of the ECS instance.

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > ENIs.
In the upper-left corner, select the region where the secondary ENI is deployed.
On the Network Interfaces page, find the ENI that you want to manage and click Manage Secondary Private IP Address in the Actions column.
In the Manage Secondary Private IP Address dialog box, click Assign New IP and click OK.
Click Assign New IP twice in this example. This way, two secondary private IP addresses are automatically assigned to the secondary ENI.

Note You can also manually enter a secondary private IP address that falls within the IPv4 private CIDR clock. If you do not manually enter a secondary private IP address, the system assigns an idle IP address from the IPv4 private CIDR block.
On the Network Interfaces page, find the secondary ENI, and click Manage Secondary Private IP Address in the Actions column to view the assigned secondary private IP addresses.

Step 2: Associate EIPs with the secondary private IP addresses

Log on to the Elastic IP Address console.
In the upper-left corner, select the region where the EIPs are created.
On the Elastic IP Addresses page, find the EIP that you want to manage and click Bind Resource in the Actions column.
In the Bind Elastic IP Address to Resources dialog box, set the following parameters and click OK.
- Instance Type: Select Secondary ENI.
- Mode: Select NAT Mode.
- Select an instance to bind: Select the secondary ENI with which you want to associate the EIP.
  In this example, the primary private IP address of the secondary ENI is selected.
Repeat the preceding steps to associate the other two EIPs with the secondary private IP addresses of the secondary ENI. Make sure that each EIP is associated with a separate secondary private IP address.

Step 3: Associate the secondary ENI with the ECS instance

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region where the ECS instance is deployed.
On the Instances page, find the ECS instance, and choose More > Network and Security Group > Bind Secondary ENI in the Actions column.
In the Bind Secondary ENI dialog box, select the secondary ENI to be associated and click OK.

Step 4: Configure the secondary private IP addresses

After you associate the secondary ENI with the ECS instance, you must configure the secondary private IP addresses for the ECS instance.

An ECS instance that runs CentOS 7 is used in the following example to describe how to configure the secondary private IP addresses for the ECS instance. For more information about how to configure ECS instances that run other operating systems, see Configure secondary private IPv4 addresses in a Windows instance and Configure secondary private IPv4 addresses in a Linux instance.

Log on to the ECS instance.
For more information about how to connect to an ECS instance, see Overview.
Run the ip address command to view the media access control (MAC) address of the secondary ENI.

Configure the secondary private IP addresses for the secondary ENI.

Run the following command to open the configuration file of the secondary ENI:
vi /etc/sysconfig/network-scripts/ifcfg-eth1

Press the i key to enter the edit mode. Modify the configuration file based on the following information.

DEVICE=eth1  # indicates that this is the configuration file of eth1, the newly configured secondary ENI.
BOOTPROTO=no
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=nol
IPV6INIT=no
PERSISTENT_DHCLIENT=yes
HWADDR=00:16:**:**:fd:d6  # Configure the MAC address of the secondary ENI.
IPADDR0=192.xx.xx.5     # Configure the primary private IP address of the secondary ENI.
IPADDR1=192.xx.xx.8     # Configure one of the secondary private IP address of the secondary ENI.
IPADDR2=192.xx.xx.9     # Configure the other secondary private IP address of the secondary ENI.
DEFROUTE=no  # indicates that the ENI is not the default route. To prevent changing the default route of the ECS instance when you bring up the secondary ENI, do not specify eth1 as the default route.

After you modify the configuration file, press the Esc key. Then, enter :wq! and press the Enter key to save the configuration file and exit the edit mode.

Run the following command to restart the network service:
service network restart

After you configure the secondary private IP addresses, you can run the ip address command to view the configured secondary private IP addresses.

Step 5: Verify network connectivity

An ECS instance that runs CentOS 7 is used in the following example to describe how to test the connectivity between the ECS instance and the destination network.

Log on to the ECS instance.
For more information about how to connect to an ECS instance, see Overview.
Run the following command to configure a static route in which the source IP address is set to one of the secondary private IP addresses:
ip route add <destination network>/<prefix length of the subnet> via <gateway of the secondary private IP address> src <secondary private IP address>
Run the following command to verify the connectivity between the secondary private IP address and the destination network:
ping <destination network> -I <secondary private IP address>
The test result shows that packets sent from the secondary private IP address can reach the destination network. This means that the ECS instance can access the Internet by using the EIPs associated with the private IP addresses.