All Products
Search

This Product

    Container Service for Kubernetes:Use the Terway Edge network plugin with ENS elastic network interfaces

    Document Center

    Container Service for Kubernetes:Use the Terway Edge network plugin with ENS elastic network interfaces

    Last Updated:Mar 26, 2026

    The Terway Edge network plug-in is an Underlay container network plug-in provided by ACK Edge cluster. This document describes how the Terway Edge network plug-in provides container network communication based on ENS elastic network interfaces.

    How it works

    image

    Terway Edge assigns elastic network interfaces (ENIs) from the ENS network to Pods, giving each Pod an IP address from the ENI's pool of private IP addresses. The Pod network and ENS instances share the same network plane.

    The same model applies in a Virtual Private Cloud (VPC): multiple Pods share one ENI, and Pod IP addresses come from the ENI's private IP addresses. The Pod network and ECS instances share the same network plane.

    To connect a central VPC and an edge ENS network across network domains, use Edge Network Acceleration (ENA). ENA establishes private network connectivity between the two environments, enabling cross-domain communication between containers and hosts.

    Important

    Terway Edge automatically assigns ENIs and their private IP addresses to Pods. Do not manually configure these private IP addresses.

    Constraints

    Before you proceed, note the following constraints on ENI capacity and usage:

    • Each ENI supports up to 25 private IP addresses, so each ENI can host up to 25 Pods.

    • The primary ENI of an ENS instance cannot be used to assign Pod IP addresses.

    • The maximum number of Pods an ENS instance can support is (number of ENIs − 1) × 25. Bind additional ENIs based on your capacity requirements.

    • To bind an ENI to an ENS instance, stop the instance first. After the ENI is bound, restart the instance.

    Security group rules

    Configure the following security group rules for container-to-container communication:

    Direction Protocol Port Authorized object Usage
    Inbound All All ENS network CIDR block Allow inbound traffic from other Pods in the ENS network
    Outbound All All ENS network CIDR block Allow outbound traffic to other Pods in the ENS network

    Prerequisites

    Before you begin, ensure that you have:

    Step 1: Bind an ENI

    Bind an ENI to the ENS instance before adding it as a node. Use the ENS console for a manual binding, or use the ENI binding tool to purchase and bind an ENI in a single operation.

    Console

    1. Log on to the ENS console. In the left-side navigation pane, choose Networking > ENIs.

    2. On the ENIs page, click Create ENI. Configure the parameters and click Launch.

    3. Find the ENI ID of the ENI you created. In the Actions column, click Bind to Instance. Select the target Instance ID/Name and click OK.

    ENI binding tool

    The ENI binding tool purchases and binds an ENI to an ENS instance in a single step. The following OS types and architectures are supported:

    Tool name OS type Architecture
    eni-tool-linux-amd64 Linux amd64
    eni-tool-linux-arm64 Linux arm64
    eni-tool-darwin-amd64 Darwin amd64
    eni-tool-darwin-arm64 Darwin arm64

    1. Download the ENI binding tool. The following command downloads the eni-tool-linux-amd64 version. To use a different version, replace eni-tool-linux-amd64 with the tool name for your OS and architecture.

      wget https://alias-cn-hangzhou.oss-cn-beijing.aliyuncs.com/ens/eni-tool/eni-tool-linux-amd64; chmod +x eni-tool-linux-amd64

    2. Run the tool to bind an ENI to an ENS instance. Pass your credentials either inline or through a profile file. The following table describes all available parameters:

      • Using inline credentials: ``shell ./eni-tool-linux-amd64 --accessKey <your-access-key-id> --secretKey <your-access-key-secret> --instance <instance-id> ``

      • Using a profile file: ``shell ./eni-tool-linux-amd64 --profile ./profile.json --instance <instance-id> ` Create profile.json with the following content: `json { "AccessKey": "<your-access-key-id>", "SecretKey": "<your-access-key-secret>" } ``

      Parameter Description Default Required
      --accessKey Your Alibaba Cloud AccessKey ID. N/A Yes
      --secretKey Your Alibaba Cloud AccessKey secret. N/A Yes
      --instance The ID of the ENS instance to bind the ENI to. N/A Yes
      --region The region ID used to access the ENS service. ap-southeast-1 Yes
      --vswitch The vSwitch ID for the ENI to purchase. vSwitch ID of the ENS instance No
      --eniNumber The number of ENIs to purchase. 2 (supports up to 50 Pods) No
      --securityGroup The security group ID for the ENI to purchase. Security group ID of the ENS instance No

      --region

      The region ID used by the ENI binding tool to access the ENS service.

      ap-southeast-1

      Yes
      --profile Path to a JSON file containing your AccessKey ID and AccessKey secret. N/A No

    Step 2: Add an ENS node

    Add the ENS node to the ACK Edge cluster. For more information, see Add an edge node.