All Products
Search
Document Center

Configure ECS instances that are assigned static public IP addresses to use the same NAT IP address to access the Internet

Last Updated: Sep 03, 2021

To better manage your workloads, you can configure Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to use the same NAT IP address to access the Internet. This topic describes how to configure ECS instances that are assigned static public IP addresses to use the same NAT IP address to access the Internet.

Prerequisites

SNAT is configured for the VPC of the ECS instances that are assigned static public IP addresses. For more information, see Configure SNAT to access the Internet.

Background information

NAT gateways support the SNAT feature. SNAT enables ECS instances in a VPC to access the Internet when the ECS instances do not have public IP addresses. If some ECS instances in a VPC are alreadyassignedstatic public IP addresses, the ECS instances preferably use the static public IP addresses to access the Internet. ECS instances that are not assigned static public IP addresses access the Internet through the SNAT service provided by a NAT gateway. Consequently, the ECS instances in the VPC use different IP addresses to access the Internet, which complicates management operations.

You can configure ECS instances in the VPC to use the same NAT IP address to access the Internet by associating elastic network interfaces (ENIs) with the ECS instances.

In the following example, you can create an ENI for the ECS instance, convert the static public IP address to an elastic IP address (EIP), and then associate the EIP with the ENI.Then, the ECS instance uses the ENI to receive requests from the Internet and accesses the Internet through the NAT gateway.

Step 1: Convert a static public IP address to an EIP

The method that you can use to convert a static public IP address to an EIP varies based on the billing method of the ECS instance.

  • For a pay-as-you-go ECS instance, you can directly convert its static public IP address to an EIP.

  • For a subscription ECSECSinstance, you cannot directly convert its static public IP address to an EIP. Before you can convert the static public IP address of a subscription ECS instance to an EIP, you must change the billing method of the ECS instance to pay-as-you-go. For more information, see Change the billing method of an instance from subscription to pay-as-you-go.

To convert a static public IP address that is assigned to a pay-as-you-go ECS instance to an EIP, perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region where the ECS instance that you want to manage is deployed.

  4. On the Instances page, find the ECS instance that you want to manage and choose More > Network and Security Group > Convert to an EIP in the Actions column.Convert a static public IP address to an EIP

  5. In the message that appears, click OK.

  6. Refresh the ECS instance list.

    After the static public IP address is converted to an EIP, the static public IP address is labeled as EIP.The static public IP address is converted to an EIP.

Step 2: Create an ENI

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. Select the region where you want to create the ENI.

    Note

    The ENI and the ECS instance must belong to the same region.

  4. On the Network Interfaces page, click Create ENI.

  5. In the Create ENI dialog box, set the following parameters and click OK:

    • ENI Name: Enter a name for the ENI.

    • VPC: Select the VPC where the ECS instance is created.

    • VSwitch: Select the vSwitch of the zone where the ECS instance is deployed.

    • Primary Private IP: Optional. Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created. In this example, the primary private IP address is not specified.

    • Secondary Private IP Addresses: Optional. You can specify this parameter based on your business requirements. In this example, Not set is selected.

    • Security Group: Select a security group that is created for the selected VPC.

For more information, see Create an ENI.

Step 3: Associate the ENI with the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. Select the region where the ENI is deployed.

  4. On the Network Interfaces page, find the ENI that you want to manage and click Bind to Instance in the Actions column.

  5. In the dialog box that appears, select the ECS instance with which you want to associate the ENI and click OK.

Step 4:Disassociate the EIP from the ECS instance

  1. Log on to the EIP console.

  2. Select the region where the EIP is created.

  3. On the Elastic IP Addresses page, find the EIP that you want to manage and click Unbind in the Actions column.

  4. In the message that appears, click OK.

Step 5:Associate the EIP with the ENI

  1. Log on to the EIP console.

  2. Select the region where the EIP is created.

  3. On the Elastic IP Addresses page, find the EIP that you want to associate and click Bind Resources in the Actions column.

  4. In the Bind Elastic IP Address to Resources dialog box, set the following parameters and click OK:

    • Instance Type: Select Secondary ENI.

    • Resource Group: Optional. Select the resource group to which the EIP belongs. In this example, the default resource group is selected.

    • Binding Mode: Optional. Select the mode in which you want to associate the EIP with the ENI. In this example, Normal is selected.

    • Select an instance to bind: Select the secondary ENI with which you want to associate the EIP.

Step 6: Configure routes for the ENIs of the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. The following figure shows the details of the ENIs.ENI

  4. Connect to the ECS instance from a remote device. For more information, see Connection method overview.

  5. Run the ip a command to view the information about the ENIs.The information about the ENIs

    The following result is returned:

    eth0: the primary ENI. The private IP address of eth0 is 192.168.3.10.

    eth1: a secondary ENI. The private IP address of eth1 is 192.168.3.11, and the public IP address is 118.190.XX.XX

  6. Set the metric value of the default route for each ENI in the route table based on your business requirements.

    Run the following command to view the Gateway and metric values:

    route -n

    The following result is returned:metric

    Note

    In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If multiple secondary ENIs are used, you must configure metric values based on your business requirements. For more information, see Configure an ENI.

  7. Create a route table and configure policy-based routing (PBR).

    1. If you want to add PBR rules for the ENI of the ECS instance only once, perform the following steps:

      Note

      After the ECS instance is restarted, the PBR rules for the ENI become invalid.

      1. Run the following command to create a route table:

        ip -4 route add default via 192.168.3.13 dev eth1 table 101

        Note

        We recommend that you keep the name of the route table the same as the metric value of the default route. In this example, 101 is used.

      2. Run the following command to check whether the route table is created:

        ip route list table 101

        The following result is returned:Routes

      3. Run the following command to add a PBR rule:

        ip -4 rule add from 192.168.3.11 lookup 101

      4. Run the following command to view all of the PBR rules:

        ip rule list

        The following result is returned:Policy-based routing

    2. If you want to add PBR rules for the ENI of the ECS instance multiple times, perform the following steps:

      Note

      After the ECS instance is restarted, the PBR rules for the ENI are still valid.

      1. Run the following command to open the /etc/rc.local script.

        vi /etc/rc.local

      2. At the end of the configuration file, press the i key to enter the edit mode.

      3. Add the following information to the end of the script:

        ip -4 route add default via 192.168.3.13 dev eth1 table 101
        ip -4 rule add from 192.168.3.11 lookup 101
        Note

        In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If multiple secondary ENIs are used, you must add the command that sets the metric value to the script. For more information about the command that sets the metric value, see Configure an ENI.

      4. Press the Esc key to exit the edit mode. Then, enter :wq and press the Enter key to save and close the script.

      5. Run the following command to make the /etc/rc.d/rc.local script executable:

        chmod +x /etc/rc.d/rc.local

        Note

        The /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script. Therefore, you must run the preceding command to make the /etc/rc.d/rc.local script executable. You can run the ls -l /etc/rc.local command to check whether the /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script.

Step 7: Verify the network connectivity

Perform the following operations to checkwhether the ECS instance can use the EIP that is associated with the ENIto receive requests from the Internet. In this example, an on-premises Linux machine is used to remotely connect to the ECS instance.

Note

To remotely connect to the ECS instance, make sure that the security group rules of the ECS instance allow network traffic on SSH port 22. For more information, see Add security group rules.

  1. Log on to the on-premises Linux machine.

  2. Run the ssh root @ public IP command and enter the password of the ECS instance to check whether you can remotely connect to the ECS instance.

    If the message Welcome to Alibaba Cloud Elastic Compute Service ! appears,you are connected to the ECS instance.Verification

Perform the following operations to check whether the ECS instance can access the Internet through the SNAT service provided by the NAT gateway. The following example shows how to view the NAT IP address on the ECS instance:

  1. Log on to the ECS instance.

  2. Run the curl https://myip.ipip.net command to check the NAT IP address that the ECS instance uses to access the Internet.

    If the NAT IP address is the same as the one in the SNAT entry that is created for the ECS instance, it indicates that the ECS instance preferably uses the SNAT service to access the Internet.Verification 2