To continuously improve the security and stability of Elastic Compute Service (ECS) instances, Alibaba Cloud provides the source and destination IP address check feature at the granularity of elastic network interfaces (ENIs). This feature ensures that an ENI can receive only packets destined for its IP addresses and send only packets with its IP addresses as the source. This prevents potential IP address spoofing attacks. Starting from April 22, 2025, this feature is in canary release and can be enabled by default for ENIs when you create ECS instances and ENIs.
Effective time
00:00:00 on April 22, 2025 UTC+8
Affected customers
Alibaba Cloud accounts that meet the following requirements have this feature enabled by default for ENIs created separately or together with ECS instances:
Starting from 00:00:00 on December 1, 2024, no route entries whose next hop type is ENI or ECS instance are configured in the route tables of virtual private clouds (VPCs).
Starting from 00:00:00 on December 1, 2024, no ECS instances have traffic records where the source or destination IP address of traffic on an ENI does not match any IP address assigned to the ENI.
If your Alibaba Cloud account does not meet these requirements, the system assumes you have specific ENI routing needs and disables this feature by default. You can also manually enable or disable this feature.
This change does not affect any existing ENIs or ECS instances. It is expected to have no impact on your existing business.
Manually disable the feature
After this change, add a step to disable the source and destination IP address check feature for the relevant ECS instances or ENIs in the following scenarios to ensure that traffic can be forwarded as expected:
You want to run NAT, routing, or firewall services on new ECS instances.
You have multi-ENI scenarios without source-in, source-out configurations.
You want to use virtual IP addresses for self-managed services that have security risks, such as load balancing.
For more information, see Configure the source and destination IP address check feature for an ENI.
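To find which ENIs would need the check disabled before you create replacements for them, the rule stated above can be replayed over recorded traffic. The following is an added example, not Alibaba Cloud code: the ENI IDs, IP addresses and the flow-record tuple layout are constructed for illustration, and the model applies only the rule as this notice words it.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: hypothetical ENI IDs mapped to their assigned IP addresses.
ENI_IPS = {
    "eni-web01": ["10.0.1.10"],
    "eni-nat01": ["10.0.0.5"],
    "eni-lb01": ["10.0.2.20", "10.0.2.21"],
}

# Constructed flow records (eni_id, direction, src_ip, dst_ip); not a real log format.
FLOWS = [
    ("eni-web01", "in", "10.0.3.7", "10.0.1.10"),
    ("eni-web01", "out", "10.0.1.10", "10.0.3.7"),
    ("eni-nat01", "in", "10.0.1.10", "203.0.113.9"),   # transit packet to be forwarded
    ("eni-nat01", "out", "10.0.1.10", "203.0.113.9"),  # forwarded without source rewrite
    ("eni-lb01", "in", "10.0.3.7", "10.0.2.100"),      # virtual IP not assigned to the ENI
    ("eni-lb01", "out", "10.0.2.21", "10.0.3.7"),
]


def check_packet(assigned, direction, src, dst):
    """Return None if the packet passes the check, else the reason it would be dropped."""
    if direction == "in":
        field, addr = "destination", dst
    elif direction == "out":
        field, addr = "source", src
    else:
        raise ValueError(f"unknown direction: {direction!r}")
    if ipaddress.ip_address(addr) in assigned:
        return None
    return f"{direction}: {field} {addr} is not assigned to the ENI"


def audit(eni_ips, flows):
    """Map each ENI to the reasons its recorded traffic would fail the check."""
    assigned = {eni: {ipaddress.ip_address(ip) for ip in ips} for eni, ips in eni_ips.items()}
    failures = defaultdict(list)
    for eni, direction, src, dst in flows:
        if eni not in assigned:
            failures[eni].append("ENI missing from inventory")
            continue
        reason = check_packet(assigned[eni], direction, src, dst)
        if reason:
            failures[eni].append(reason)
    return dict(failures)


if __name__ == "__main__":
    for eni, reasons in audit(ENI_IPS, FLOWS).items():
        print(eni, "would drop traffic with the check enabled:", *reasons, sep="\n  ")
```

ENIs that appear in the result carry forwarded or virtual-IP traffic, which matches the scenarios listed above where the check has to be disabled.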