This topic provides answers to some frequently asked questions about associating an elastic IP address (EIP) with and disassociating an EIP from a cloud resource.

What are the cloud resources with which I can associate EIPs?

You can associate EIPs with Elastic Compute Service (ECS) instances, internal-facing Server Load Balancer (SLB) instances, secondary elastic network interfaces (ENIs), NAT gateways, and high-availability virtual IP addresses (HAVIPs). The ECS instances, internal-facing SLB instances, and secondary ENIs must be deployed in VPCs.

Can I associate an EIP with multiple cloud resources?

No. You can associate an EIP with only one cloud resource.

Can I associate an EIP with a cloud resource that is deployed in another region?

No.

The EIP and the cloud resource with which you want to associate must be deployed in the same region. For example, an EIP deployed in the China (Beijing) region cannot be associated with a cloud resource deployed in the China (Hangzhou) region.

Can I associate an EIP with a cloud resource that is deployed in another zone?

Yes.

Zones do not apply to EIPs. If a cloud resource and an EIP are deployed in the same region, you can associate the EIP with the cloud resource.

How many EIPs can I associate with one cloud resource?

  • NAT gateways

    You can associate a NAT gateway with at most 20 EIPs, among which at most 10 pay-by-data-transfer EIPs can be associated.

    You can go to the Quota Management page to increase the quota. For more information, see Quota management.

  • HAVIPs

    Each HAVIP can be associated with only one EIP.

  • SLB instances

    Each internal-facing SLB instance can be associated with only one EIP.

Can I associate an EIP with an SLB instance?

You can associate an EIP with only an internal-facing SLB instance instead of an Internet-facing SLB instance. Each internal-facing SLB instance can be associated with only one EIP. You must associate an EIP with an internal-facing SLB instance in the EIP console instead of the SLB console.

Why am I unable to see the associated SLB instance in the EIP console?

Possible reasons are:
  • The resource group ID of the EIP is different from that of the SLB instance.
  • If you log on to the EIP console as a RAM user, switch to your Alibaba Cloud account.

Why am I unable to associate an EIP with a NAT gateway?

If you purchased a NAT bandwidth plan before January 26, 2018, you must use the NAT bandwidth plan to provide public IP addresses to the NAT gateway. To associate an EIP with a NAT gateway, submit a ticket.

If an ECS instance is associated with an EIP, can I use the DNAT feature of NAT Gateway to provide services to the Internet?

No.

The limits are:
  • If an ECS instance is associated with an EIP, you cannot use the Destination Network Address Translation (DNAT) feature of NAT Gateway to provide services over the Internet.

    Before you can use the DNAT feature, you must disassociate the EIP from the ECS instance. After you disassociate the EIP, you can add DNAT entries to the ECS instance. For more information, see Disassociate an EIP from a NAT gateway and Create a DNAT entry to provide Internet-facing services.

  • If you have already added DNAT entries to an ECS instance, you cannot associate an EIP with the ECS instance.

    Before you can associate an EIP with the ECS instance, you must delete the DNAT entries. After you delete the DNAT entries, you can associate an EIP with the ECS instance. For more information, see Delete a NAT gateway and Associate an EIP with a NAT gateway.

Note If DNAT entries are added to an ECS instance that is associated with an EIP, the ECS instance preferably uses the EIP to communicate with the Internet.

Why am I unable to associate an EIP with an ECS instance?

Possible reasons are:

  • You can associate an EIP with only an ECS instance that is deployed in a VPC. If the ECS instance is not deployed in a VPC, you cannot associate an EIP with the ECS instance.
  • The EIP and ECS instance are deployed in different regions.
  • The state of the ECS instance does not support the association action. You can associate an EIP with only an ECS instance that is in the Running or Stopped state.
  • The ECS instance is already assigned a public IP address or associated with another EIP.

Why am I unable to view the EIP on the ENI of an ECS instance after I associate the EIP with the ECS instance?

An EIP is configured on the Internet-facing gateway and mapped to the private ENI of the ECS instance through NAT. Therefore, you cannot view the EIP on the private ENI of the ECS instance.

When you associate an EIP with a secondary ENI, you can select the cut-through mode or multi-EIP to ENI mode.
  • Cut-through mode

    In this mode, the EIP replaces the private IP address of the secondary ENI. The secondary ENI becomes a pure Internet network interface controller (NIC) and its private network feature is no longer available. You can view the EIP on the ENI of the operating system and run the ifconfig or ipconfig command to obtain the public IP address of the ENI. For more information, see Associate an EIP with a secondary ENI in cut-through mode.

  • Multi-EIP to ENI mode

    In this mode, the private network feature of the secondary ENI is available. You can view the EIP on the ENI. After the operating system is configured with a static IP address, you can run the ifconfig or ipconfig command to obtain the public IP address of the ENI. For more information, see Associate EIPs with secondary ENIs in multi-EIP-to-ENI mode.

How can I associate multiple EIPs with one ECS instance?

You can associate multiple EIPs with one ECS instance in the following ways:
  • Associate an EIP with a secondary ENI, repeat the step, and then associate the secondary ENIs with an ECS instance. The number of secondary ENIs that can be associated with an ECS instance varies based on the specification of the ECS instance. For more information, see Instance families.
  • If you associate an EIP with a secondary ENI in NAT Mode, you can associate multiple EIPs with the secondary private IP address of the secondary ENI. Then, you can associate the secondary ENI with an ECS instance. For more information, see Associate multiple EIPs with a secondary ENI in NAT mode.
  • If you associate an EIP with a secondary ENI in Multi-EIP to ENI Mode, you can associate multiple EIPs with the secondary ENI. Then, you can associate the secondary ENI with an ECS instance. For more information, see Associate EIPs with secondary ENIs in multi-EIP-to-ENI mode.

Why am I unable to access services over the Internet after I associate an ECS instance or an ENI with an EIP?

If an application that requires access to the Internet is deployed in the ECS instance, you must modify the default route of the ECS instance or configure specific routes. By default, packets are transmitted from the primary ENI. You can adjust route priorities to allow packets to access the Internet through the secondary ENI. You can also configure specific routes to forward packets to the Internet through multiple ENIs or a random ENI to implement load balancing.

Can I use an EIP as the origin IP address for Web Application Firewall (WAF)?

Yes.