An elastic network interface (ENI) is a virtual network interface controller (NIC) that can be bound to an Elastic Compute Service (ECS) instance of the VPC type. You can use ENIs to deploy high availability clusters and perform low-cost failover and fine-grained network management.

Attributes

An ENI is a virtual network interface that must be bound to an instance of the VPC type before you can use the ENI. The following table describes the attributes of an ENI.
| Attribute | Description |
| --- | --- |
| ENI type | ENIs consist of primary and secondary ENIs. Primary ENIs are created together with the instance; the lifecycle of a primary ENI is the same as that of the instance to which it is bound, and you cannot unbind a primary ENI from that instance. Secondary ENIs can be created separately; you can bind a secondary ENI to an instance or unbind it from an instance. |
| VPC | Only instances of the VPC type support ENIs. An ENI must reside within the same VPC as the instance to which the ENI is bound. |
| Zone | The vSwitch to which the ENI belongs must reside within the same zone as the instance to which the ENI is bound. |
| Security group | An ENI must be added to at least one security group. The security group controls the inbound and outbound traffic of the ENI. |
| EIP | An ENI can be associated with one or more elastic IP addresses (EIPs). |
| Primary private IP address | The primary private IP address is an IP address customized by the user or assigned by the system during ENI creation. The primary private IP address must be an idle IP address within the CIDR block of the vSwitch. |
| Secondary private IP address | The secondary private IP address must be an idle IP address within the CIDR block of the vSwitch. You can assign or revoke the secondary private IP address. |
| MAC address | A media access control (MAC) address is a globally unique identifier of an ENI. |

Features

An ENI is an independent virtual NIC that can be migrated among multiple instances to support the flexible scaling and migration of services. When you create an ENI together with an instance, the ENI is automatically bound to the instance. You can also separately create a secondary ENI and bind it to an instance.

ENIs have the following features:
  • In addition to the primary ENI that is created together with an instance, you can also bind multiple secondary ENIs to the instance. The ECS instance and the secondary ENIs that you want to bind to the instance must reside within the same zone and VPC, but can belong to different vSwitches and security groups.
  • Each ENI can be assigned multiple secondary private IP addresses based on the instance type of the instance to which the ENI is bound.
  • When you unbind a secondary ENI from an instance and bind the ENI to another instance, the attributes of the ENI remain unchanged and the network traffic is switched to the new instance.
  • ENIs support hot-plug and can be migrated among instances. When you unbind an ENI from an instance and bind the ENI to another instance, services on the instances are not affected, and you do not need to restart the instances.

Limits

  • The following limits apply to the resources supported by a single ENI:
    • Primary private IP address: one.
    • Secondary private IP address: one or more. The number of secondary private IP addresses is determined based on the instance type of the instance to which the ENI is bound. For more information, see Instance families.
    • EIP: one or more. The number of EIPs is determined based on how the EIPs are associated with the ENI. For more information, see Associate an EIP with an ECS instance.
    • MAC address: one.
    • Security group: one to five. At least one security group is required.
  • A limited number of ENIs can be created for one account in each region. For more information, see the "ENI limits" section in Limits.
  • The ENI and the instance to which the ENI is bound must reside within the same zone and VPC, but can belong to different vSwitches and security groups.
  • The number of secondary ENIs that can be bound to an ECS instance is determined based on the instance type.
  • Only I/O optimized instance types support ENIs.
  • ECS instances of the classic network type do not support ENIs.
  • The instance bandwidth is determined based on the instance type. You cannot increase the bandwidth of an ECS instance by binding multiple secondary ENIs to the instance.
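
The limits above can be checked before a bind request is sent. The following is an added example, not code from the original page or from an Alibaba Cloud SDK; the Eni and Instance records, their field names, and the sample IDs are assumptions, and the per-instance secondary ENI limit is supplied by the caller because it depends on the instance type.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Eni:                      # hypothetical record, not an SDK type
    vpc_id: str
    zone_id: str                # zone of the vSwitch the ENI belongs to
    vswitch_cidr: str
    primary_ip: str
    security_groups: list
    secondary_ips: list = field(default_factory=list)
    bound_to: str = ""          # instance ID if the ENI is already bound

@dataclass
class Instance:                 # hypothetical record, not an SDK type
    instance_id: str
    network_type: str           # "vpc" or "classic"
    vpc_id: str
    zone_id: str
    io_optimized: bool
    max_secondary_enis: int     # assumed to be looked up from the instance type
    bound_secondary_enis: int

def bind_violations(eni, inst):
    """Return every limit from the page that this bind request would break."""
    checks = [
        (inst.network_type != "vpc", "instance is not of the VPC type"),
        (not inst.io_optimized, "instance type is not I/O optimized"),
        (eni.vpc_id != inst.vpc_id, "ENI and instance are in different VPCs"),
        (eni.zone_id != inst.zone_id, "ENI vSwitch and instance are in different zones"),
        (not 1 <= len(eni.security_groups) <= 5, "ENI needs one to five security groups"),
        (eni.bound_to != "", f"ENI is already bound to {eni.bound_to}"),
        (inst.bound_secondary_enis >= inst.max_secondary_enis,
         "instance has reached its secondary ENI limit"),
    ]
    found = [msg for failed, msg in checks if failed]
    net = ipaddress.ip_network(eni.vswitch_cidr)
    for ip in [eni.primary_ip, *eni.secondary_ips]:
        if ipaddress.ip_address(ip) not in net:
            found.append(f"{ip} is outside vSwitch CIDR {eni.vswitch_cidr}")
    return found

# Constructed sample data: IDs and CIDR block are made up for illustration.
MGMT_ENI = Eni("vpc-a", "zone-1", "192.168.10.0/24", "192.168.10.5", ["sg-mgmt"])
WEB = Instance("i-web", "vpc", "vpc-a", "zone-1", True, 2, 0)
STRAY = Eni("vpc-b", "zone-1", "192.168.10.0/24", "10.0.0.9", [], bound_to="i-old")

if __name__ == "__main__":
    print(bind_violations(MGMT_ENI, WEB), bind_violations(STRAY, WEB), sep="\n")
```

An empty list means the request is consistent with the limits listed on this page; it does not replace the account-level ENI quota per region, which the page refers to separately.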

Scenarios

ENIs are suitable for the following scenarios:
  • Deployment of high availability clusters

    Multiple ENIs can be bound to a single ECS instance. This implements a high availability architecture.

  • Low-cost failover

    You can unbind an ENI from a failed ECS instance and bind the ENI to another instance to redirect traffic to the backup instance. This allows quick recovery of services.

  • Fine-grained network management

    You can configure multiple ENIs for an instance. For example, you can use some ENIs for internal management and other ENIs for Internet business access to isolate confidential data from business data. You can also configure specific security group rules for each ENI based on the source IP addresses, protocols, and ports to achieve access control.

  • Configuration of multiple private IP addresses for a single instance

    You can assign multiple secondary private IP addresses to an ENI. If multiple applications are managed on your instance, you can assign an independent IP address for each application to improve the utilization of your instance.

  • Configuration of multiple public IP addresses for a single instance

    Only a single public IP address can be assigned to an ECS instance that has no ENIs bound. To assign multiple public IP addresses to an instance, you can associate EIPs with one or more ENIs of the instance. In NAT mode, all private IP addresses of an ENI can have EIPs associated.

Operations in the ECS console

The following table describes the operations that you can perform in the ECS console to manage ENIs.

| Operation | Description | References |
| --- | --- | --- |
| Create an ENI | You can create an ENI together with an instance or separately create an ENI. | Create an ENI |
| Bind an ENI | When you create an ENI together with an instance, the ENI is automatically bound to the instance. You can also separately create an ENI and bind it to an instance. An ENI can be bound to only a single ECS instance at a time. However, an ECS instance can have multiple ENIs bound to it. | Bind an ENI |
| Configure an ENI | For the instances whose images cannot identify secondary ENIs, you must log on to the instance to configure the ENIs. Note: If the instance runs an image of CentOS 7.3 64-bit, CentOS 6.8 64-bit, or Windows Server 2008 R2 or later, you do not need to configure ENIs. | Configure an ENI |
| Assign or revoke secondary private IP addresses | You can assign or revoke multiple secondary private IP addresses to or from an ENI. | |
| Modify an ENI | You can modify the security groups to which the primary and secondary ENIs belong. You can also modify the names and descriptions of secondary ENIs. | Modify an ENI |
| Unbind an ENI | You can unbind an ENI from an instance. | Unbind an ENI |
| Delete an ENI | You can delete an ENI after you unbind it from an instance. | Delete an ENI |

API operations

The following table describes the API operations that you can call to manage ENIs.

| API | Description |
| --- | --- |
| CreateNetworkInterface | Creates a secondary ENI. |
| DeleteNetworkInterface | Deletes a secondary ENI. |
| DescribeNetworkInterfaces | Queries the details of one or more ENIs. |
| AttachNetworkInterface | Binds a secondary ENI to an instance. |
| AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. |
| UnassignPrivateIpAddresses | Revokes one or more secondary private IP addresses from an ENI. |
| DetachNetworkInterface | Unbinds a secondary ENI from an instance. |
| ModifyNetworkInterfaceAttribute | Modifies the name, description, and security group of an ENI. |
| DescribeInstances | Queries the information about ENIs that are bound to an instance. |