Assign secondary private IP addresses by using ENIs - Elastic Compute Service

You can assign one or more secondary private IP addresses to a primary or secondary elastic network interface (ENI) to meet your business requirements in multi-application, failover, and Server Load Balancer (SLB) scenarios. This topic describes how to assign secondary private IP addresses and configure secondary private IP addresses for an Elastic Compute Service (ECS) instance.

Scenarios

Secondary private IP addresses are suitable for the following scenarios:

Multi-application scenarios: If your instance hosts multiple applications, you can assign secondary private IP addresses to the applications so that each application can use a separate IP address for outbound connections. This way, a single instance can provide multiple services to maximize instance utilization.
Failover scenarios: If an instance fails, you can unbind secondary ENIs from the instance and bind the ENIs to another instance so that traffic destined for the secondary private IP addresses of the failed instance is diverted to the normal instance. This ensures service continuity.
SLB scenario: By assigning multiple secondary private IP addresses to each instance, an SLB mechanism can be implemented to evenly distribute traffic across multiple instances. This improves system scalability and performance.

Limits

When you assign secondary private IP addresses, take note of the following limits:

Limits on security groups: A limited number of private IP addresses can be contained in a security group of the Virtual Private Cloud (VPC) type. For more information, see the Security group limits section of the "Limits" topic.
Limits on ENIs: The maximum number of private IP addresses that can be assigned to an ENI varies based on the status of the ENI.
- For an ENI in the Available state, up to 10 private IP addresses can be assigned.
- For an ENI in the InUse state, the maximum number of private IP addresses that can be assigned varies based on the instance type of the instance to which the ENI is bound. For more information, see Overview of instance families.

Procedure

Step 1: Make preparations

Make sure that the following requirements are met:

The instance to which an ENI is bound is in the Running (Running) state. For more information, see Start an instance.
The ENI is bound to the instance. For more information, see Bind a secondary ENI.

Step 2: Assign secondary private IP addresses

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > Elastic Network Interfaces.
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Elastic Network Interfaces page, find the ENI to which you want to assign secondary private IP addresses and click Manage ENI IP Addresses in the Actions column.
In the Manage ENI IP Addresses dialog box, click Increase in the Secondary Private IPv4 Address or IPv6 section.
- If you leave the fields empty, random IP addresses are automatically assigned from within the private IPv4 or IPv6 CIDR blocks of the vSwitch to which the ENI is connected.
- If you enter IP addresses, make sure that the IP addresses are within the private IPv4 or IPv6 CIDR blocks of the vSwitch to which the ENI is connected.
Click Confirm.

Step 3: Configure secondary private IP addresses for an instance

After you assign a secondary private IP address to an instance, you must configure the secondary private IP address for the instance based on the operating system type and IP address type. The operations that you must perform vary based on the operating system type and IP address type.

Note

For information about how to configure secondary private IPv6 addresses, see Configure an IPv6 address for an ECS instance.

Windows instances

Connect to an ECS instance.
For information about the connection methods, see Connection method overview.
View the subnet mask and default gateway of the instance.
1. Open Command Prompt or Windows PowerShell.
2. Run the ipconfig command to view the subnet mask and default gateway of the instance.
  The sample command output shown in the following figure is returned. The command output indicates that Ethernet is used.
Click Network and Sharing Center.
Click Change adapter settings.
Double-click the network connection in use. In this example, the network connection named Ethernet is used. Click Properties in the Ethernet Status dialog box.
In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following IP address and click Advanced...
In the Advanced TCP/IP Settings dialog box, configure IP addresses.
1. In the IP addresses section, click Add... and enter one of the assigned IP addresses in the IP address field and the obtained subnet mask in the Subnet mask field.
  You can repeat this step to add multiple IP addresses to the same adapter.
2. In the Default gateways section, click Add... and enter the obtained default gateway in the Default gateway field.
Click OK.
Run the ipconfig command to check the configuration result.
The following figure shows the output of a sample command used to configure two secondary private IP addresses.

Note

If a Windows instance cannot access the Internet after you configure secondary private IP addresses for the instance, troubleshoot the issue by following the instructions in the After I configure a secondary private IP address for a Windows instance, the instance cannot connect to the Internet. Why? section of the "Network FAQ" topic.

Linux instances that run a Red Hat Enterprise Linux (RHEL) operating system

Important

The procedure applies to the following operating systems: Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, CentOS 6, CentOS 7, CentOS 8, Red Hat 6, Red Hat 7, Red Hat 8, Anolis 7, Anolis 8, Fedora 33, and Fedora 34.

Connect to an ECS instance.
For information about the connection methods, see Connection method overview.
View network configurations.
- Run the ifconfig command to query the subnet mask and run the route -n command to query the default gateway.
  The following figure shows a sample command output.
  In the preceding command output, 255.255.**.** corresponding to netmask is the IPv4 subnet mask, and 192.**.**.253 corresponding to Gateway is the default gateway.
  Note
  If the Linux distribution used by the instance does not support the ifconfig command, run the ip a or ip addr show command instead.
- Run the ls /etc/sysconfig/network-scripts/ifcfg-<Name of the ENI> command to check whether the configuration file that contains the primary private IP address of the ENI exists.
  The following figures show sample command outputs.
  - The specified file does not exist
    If the preceding message is returned, the configuration file that contains the primary private IP address of the ENI does not exist. You must run the sudo vi /etc/sysconfig/network-scripts/ifcfg-<Name of the ENI> command to specify the primary private IP address of the ENI in the configuration file.
    Example:
```
DEVICE=<Name of the ENI> // Example: eth1
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes

IPADDR=<Assigned primary private IPv4 address>
NETMASK=<IPv4 subnet mask>
GATEWAY=<Default gateway>
```
  - The specified file exists
    If the preceding message is returned, the configuration file that contains the primary private IP address of the ENI exists. Ignore this step and proceed to the next step.
Modify the network configuration file.
Note
In the following example, the secondary ENI named eth1 is used. You must replace the value of DEVICE based on your business requirements.
- To configure a single secondary private IPv4 address, run the sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1:0 command to add configuration items to the configuration file.
  Example:
```
DEVICE=eth1:0
TYPE=Ethernet
BOOTPROTO=static

IPADDR=<Assigned secondary private IPv4 address 1>
NETMASK=<IPv4 subnet mask>
```
- If you want to configure more secondary private IPv4 addresses, increment the DEVICE sequence number and add the corresponding configuration items.
  For example, run the sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1:1 command to add the following sample configuration items:
```
DEVICE=eth1:1
TYPE=Ethernet
BOOTPROTO=static

IPADDR=<Assigned secondary private IPv4 address 2>
NETMASK=<IPv4 subnet mask>
```

Run a corresponding command based on the operating system for the configuration to take effect.

Operating system	Command
Alibaba Cloud Linux 2 CentOS 7 Red Hat 7 Anolis 7	Run one of the following commands to restart the network service: `sudo service network restart` `sudo systemctl restart network`
CentOS 6 Red Hat 6	Run the `sudo service network restart` command to restart the network service.
Alibaba Cloud Linux 3 CentOS 8 Red Hat 8 Anolis 8 Fedora 33/34	Perform the following operations: Run the `sudo systemctl restart NetworkManager` command to restart the network service. Run the `sudo nmcli device reapply eth1` command to reconnect to the eth1 ENI, or run the `sudo reboot` command to restart the instance.

Run the ifconfig command to check whether the configuration takes effect.
The following figure shows the output of a sample command used to configure two secondary private IP addresses.

Linux instances that run a Debian operating system

Before you perform the following procedure, take note of the following items:

This procedure applies to the following operating systems: Ubuntu 18, Ubuntu 20, Ubuntu 14, Ubuntu16, Debian 8, Debian 9, and Debian 10.
In the following example, the eth0 primary ENI is used. If you use a secondary ENI, replace the ENI ID with the actual ENI ID.

Connect to an ECS instance.
For information about the connection methods, see Connection method overview.
Configure secondary private IP addresses based on the operating system that your instance runs.
- Debian series: Ubuntu 18 and Ubuntu 20
  1. Disable cloud-init network configuration. Run the sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg command to open the configuration file and add the corresponding configuration items to the file.
    Example:
```
network: {config: disabled}
```
  2. Run the sudo vim /etc/netplan/50-cloud-init.yaml command to open the network configuration file and change the IP addresses that are assigned by using Dynamic Host Configuration Protocol (DHCP) to static IP addresses.
    Example:
```
network:
    version: 2
    ethernets:
        eth0:
            match:
                macaddress: 00:16:3e:36:**:**
            addresses:
              - <Primary private IPv4 address>/<Subnet mask bit>
              - <Assigned secondary private IPv4 address 1>/<Subnet mask bit>
              - <Assigned secondary private IPv4 address 2>/<Subnet mask bit>
            gateway4: <Default gateway>
```
    Note
    You must replace <Subnet mask bit> with the subnet mask bit corresponding to the subnet mask. For example, set the subnet mask bit to /24 for the 255.255.255.0 subnet mask.
  3. Run the sudo netplan apply command to restart the network service.
  4. Run the ip -a command to check whether the configuration takes effect.
    The following figure shows the output of a sample command used to configure two secondary private IP addresses.
- Debian series: Ubuntu 14, Ubuntu 16, Debian 8, Debian 9, and Debian 10
  1. Run the sudo vi /etc/network/interfaces command to open the network configuration file and add the corresponding configuration items to the file.
    Example:
```
auto eth0:0
iface eth0:0 inet static
address <Assigned secondary private IPv4 address 1>
netmask <IPv4 mask>

auto eth0:1
iface eth0:1 inet static
address <Assigned secondary private IPv4 address 2>
netmask <IPv4 mask>
```
  2. Run the sudo reboot command to restart the instance.
  3. Run the ifconfig command to check whether the configuration takes effect.
    The following figure shows the output of a sample command used to configure two secondary private IP addresses.

Linux instances that run a SUSE Linux Enterprise Server (SLES) operating system

Before you perform the following procedure, take note of the following items:

This procedure applies to the following operating systems: SUSE 11, SUSE 12, SUSE 15, OpenSUSE 15, and OpenSUSE 42.
In the following example, the eth0 primary ENI is used. If you use a secondary ENI, replace the ENI ID with the actual ENI ID.

Connect to an ECS instance.
For information about the connection methods, see Connection method overview.

Run the sudo vi /etc/sysconfig/network/ifcfg-eth0 command to open the network configuration file and add the corresponding configuration items. Example:

IPADDR_0=<Assigned secondary private IPv4 address 1>
NETMASK_0=<IPv4 subnet mask>
LABEL_0='0'

IPADDR_1=<Assigned secondary private IPv4 address 2>
NETMASK_1=<IPv4 subnet mask>
LABEL_1='1'

Run the sudo service network restart or sudo systemctl restart network command to restart the network service.
Run the ifconfig command to check whether the configuration takes effect.
The following figure shows the output of a sample command used to configure two secondary private IP addresses.