This topic describes how to associate multiple elastic IP addresses (EIPs) with a
secondary Elastic Network Interface (ENI) in NAT mode to make full use of Elastic
Compute Services (ECS) instances.
Background information
ECS instances can communicate with the Internet only after they are associated with
static public IP addresses or EIPs. Each ECS instance can be associated with only
one static public IP address or EIP.
Scenario
This topic takes the following scenario as an example. A company creates an ECS instance
on Alibaba Cloud and associates the ECS instance with an EIP. To meet business requirements,
the company needs to associate the ECS instance with three EIPs to make full use of
the ECS instance.
If you want to associate multiple EIPs with an ECS instance in NAT mode, you must
assign the same number of secondary private IP addresses to the secondary ENI of the
ECS instance. Then, map the EIPs to the secondary private IP addresses, respectively.
This way, you can make full use of the ECS instance.

Procedure
Step 1: Assign multiple secondary private IP addresses
You can assign multiple secondary private IP addresses to each secondary ENI. This
helps make full use of the ECS instance and mask the failure of the ECS instance by
rapidly remapping the EIP.
Take the following steps to assign multiple secondary private IP addresses to a secondary
ENI.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the upper-left corner, select the region where the secondary ENI is deployed.
- On the Network Interfaces page, find the target ENI, and click Manage Secondary Private IP Address in the Actions column.
- In the Manage Secondary Private IP Address dialog box, click Assign New IP one or more times. Then, one or more secondary private IP addresses are automatically
assigned to the secondary ENI.
Click
Assign New IP two times in this example. Then, two secondary private IP addresses are automatically
assigned to the secondary ENI.
Note You can manually enter a secondary private IP address. The private IP addresses must
be within the range of IPv4 private CIDR blocks. If you do not manually enter a secondary private IP address, the system assigns
an idle IP address from the IPv4 private CIDR blocks.

- Click OK.
- On the Network Interfaces page, find the target secondary ENI, and click Manage Secondary Private IP Address in the Actions column to view the assigned secondary private IP addresses.
Step 2: Map EIPs to the secondary private IP addresses
Take the following steps to map an EIP to a secondary private IP address of the secondary
ENI.
- In the upper-left corner, select the region where the EIP is deployed.
- On the Elastic IP Addresses page, find the target EIP and click Bind Resource in the Actions column.
- In the Bind Elastic IP Address to Resources dialog box, set the following parameters and click OK.
- Repeat the preceding steps to map the remaining EIPs to the secondary private IP addresses
of the secondary ENI. Make sure that each EIP is mapped to a separate secondary private
IP address.
Step 3: Associate the secondary ENI with an ECS instance
Take the following steps to associate the secondary ENI with an ECS instance
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the target ECS instance is deployed.
- On the Instancespage, find the target ECS instance, and choose in the Actions column.
- In the Bind Secondary ENI dialog box, select the secondary ENI to be associated and click OK.
Step 4: Configure the secondary private IP addresses
After you associate the secondary ENI with the ECS instance, you must configure the
secondary private IP addresses for the ECS instance.
An ECS instance that runs CentOS 7 is used in the following example to describe how
to configure the secondary private IP addresses for the ECS instance. For more information
about how to configure ECS instances that run other operating systems, see Assign a secondary private IP address for a Windows instance and Assign a secondary private IP address to a Linux instance.
- Log on to the ECS instance.
- Run the following command to query the MAC address of the secondary ENI:
ip address

- Configure the secondary private IP addresses for the secondary ENI.
- Run the following command to open the configuration file of the secondary ENI:
vi /etc/sysconfig/network-scripts/ifcfg-eth1
- Run the following command to enter the Edit mode:
i
- Run the following command to copy configurations to the configuration file of the
secondary ENI:
DEVICE=eth1 # This indicates the newly configured ENI.
BOOTPROTO=no
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=no
IPV6INIT=no
PERSISTENT_DHCLIENT=yes
HWADDR=00:16:**:**:cc:8d # Configure the MAC address of the secondary ENI.
IPADDR0=172.xx.xx.163 # Configure the primary private IP address of the secondary ENI.
IPADDR1=172.xx.xx.164 # Configure the secondary private IP address 1 of the secondary ENI.
IPADDR2=172.xx.xx.165 # Configure the secondary private IP address 2 of the secondary ENI.
DEFROUTE=no # This indicates that the ENI is not the default route. To avoid changing the active default route of the ECS instance while bring up the secondary ENI of the ECS instance, do not specify the eth1 as the default route.
- Run the following command to restart the network connection service:
service network restart
After you configure the secondary private IP addresses, you can run the
ip address command to view the configured secondary private IP addresses.

Step 5: Test the network connectivity
An ECS instance that runs Linux is used in the following example to describe how to
test the network connectivity.
- Log on to the ECS instance.
- Run the following command to configure a static route in which the source IP address
is set to one of the secondary private IP addresses:
ip route add <destination network>/<prefix length of the subnet> via <NAT gateway
of the secondary private IP addresses> src <secondary private IP address>
- Run the following command to verify the connectivity between the secondary private
IP addresses and the destination network:
ping <destination network> -I <secondary private IP addresses>
The test result shows that packets sent from the secondary private IP addresses can
reach the destination network. This means that the association between the secondary
private IP addresses and EIP takes effect.
