This topic describes how to set the cut-through mode when associating an Elastic IP Address (EIP) with a secondary Elastic Network Interface (ENI). In this mode, the EIP replaces the private IP address of the ENI and the ENI becomes a pure public network interface. You can see the EIP in the network interface information of the operating system.


Before you set the cut-through mode, make sure that the following conditions are met:
  • The network type of the secondary ENI must be VPC.
  • The secondary ENI and the EIP instance must be in the same region.
  • The secondary ENI is not associated with any ECS instance.

    If the secondary ENI is associated with an ECS instance, disassociate first. Associate the secondary ENI with the ECS instance after you set the cut-through mode. For more information, see Detach an ENI from an instance.

  • A secondary ENI can only be associated with one EIP.

Background information

EIPs are a type of NAT IP address. Because the public IP address in the NAT mode exists in the NAT Gateway and is not on the network interface of the ECS instance, you cannot see the public IP address in the operating system and can only see the private IP address. This requires manual maintenance of the matching relationship between network interfaces/servers and public IP addresses, which complicates the operation and maintenance. Additionally, when an EIP is deployed as a NAT ALG (NAT application layer gateway), protocols such as H.323, SIP, DNS, and RTSP are not supported.

Setting the Cut-Through Mode makes the EIP visible on the network interface and solves the preceding problems. In the cut-through mode:
  • The EIP replaces the private IP address of the ENI. The ENI becomes a pure public network interface and its private network functions are no longer available.
  • You can check the EIP in the ENI of the operating system, and directly obtain the public IP address on the ENI by running the ifconfig or ipconfig command.
  • The EIP supports all IP protocol types, including FTP, H.323, SIP, DNS, RTSP, and TFTP.
Notice If you are using a subscription EIP which is associated with a secondary ENI in the cut-through mode, and the secondary ENI is associated with an ECS instance, the private network functions of the secondary ENI becomes unavailable when the EIP is released upon expiration. You must disassociate the secondary ENI from the ECS instance and then reassociate the secondary ENI with the ECS instance to restore the private network functions of the secondary ENI.


  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Elastic IP Addresses.
  3. Select the region of the target EIP.
    Note Currently, the cut-through mode is supported only in the China (Zhangjiakou), China (Shenzhen), China (Hohhot), Germany (Frankfurt), and US (Virginia) regions.
  4. On the Elastic IP Addresses page, find the target EIP and click Bind in the Actions column.
  5. On the Bind Elastic IP Address page, complete the following configurations, and then click OK.
    Configuration Required? Description
    Instance Type Yes Select Secondary ENI.
    Resource Group No Select the resource group to which the EIP belongs.
    Mode No Select Cut-Through Mode.
    Secondary ENI Yes Select the secondary ENI to be associated with the EIP.
    Notice Make sure that the selected secondary ENI is not associated with any ECS instance.
    Bind Elastic IP Address
  6. Return to the EIP list page and click the ID of the associated ENI.
    View the ENI associated with the EIP.
  7. On the network interface list page, find the target ENI and click Bind to Instance to associate the ENI with an ECS instance.
    • The number of ENIs that can be associated with an ECS instance varies according to the specification of the ECS instance. For more information, see Instance families.
    • After you associate the secondary ENI with the ECS instance, you must enable the DHCP function of the secondary ENI and restart networking service to make the cut-through mode effective.
    • After the cut-through mode is set, the ECS instance automatically generates a route entry with the secondary ENI as the exit interface. The priority of this route entry is lower than that of the route with the primary ENI as the exit interface. Therefore, you must adjust the priority of these entries if the preceding does not fit your service requirements.
  8. Log on to the ECS instance by using the associated EIP and check the network configurations of the ECS instance.
    Note Make sure that the security group rules of the ECS instance allow remote access.
    You can see that the local IP address of the ECS instance is changed to the associated EIP.View the EIP of the ECS instance