You can use elastic network interfaces (ENIs) to deploy high-availability clusters and perform low-cost failover and fine-grained network management. If your business requires finer-grained network classification and isolation to prevent single points of failure, you can bind multiple ENIs to an Elastic Compute Service (ECS) instance to extend the network capabilities of the instance.
Create an ENI
You can create ENIs when you create ECS instances. The ENIs that are created together with the ECS instances are automatically bound to the instances. You can also separately create ENIs and bind the ENIs to ECS instances.
ECS limits the maximum number of ENIs that can be created in a region. You can view the limit in the Quota Center console. You can apply to increase the limit based on your business requirements. For more information, see Manage ECS quotas.
Create an ENI when you create an ECS instance
When you create an ECS instance in the ECS console, you can create ENIs for the instance. The created ENIs are automatically assigned IP addresses and bound to the ECS instance without the need for additional operations. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
Specific ECS instance types do not support binding secondary ENIs during instance creation. You can bind secondary ENIs to instances of the instance types only after the instances are created. For information of the instance types, see the "ECS instance types that do not support the hot swapping feature of secondary ENIs" section of the Overview topic.
By default, ENIs created together with an ECS instance are automatically released when the instance is released. If you want to retain an ENI when the associated ECS instance is released, disable the Release with Instance feature for the ENI.
Separately create an ENI
To better manage and extend the network capabilities of ECS instances, you can separately create secondary ENIs for the instances. The network capabilities include the capabilities of adding private IP addresses, building high-availability network environments, creating dedicated network traffic, and isolating network environments. Separately created ENIs are secondary ENIs and can be bound to ECS instances.
You can call the CreateNetworkInterface operation to create an ENI.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a resource group and a region.
Click Create ENI.
On the Create ENI page, configure the parameters. The following table describes the parameters.
Parameter or section
Description
ENI Name
Enter a name for the ENI.
VPC
Select a virtual private cloud (VPC). If you want to bind the created ENI to an ECS instance, select the VPC in which the instance resides. After you create an ENI, you cannot change the VPC to which the ENI belongs.
NoteAn ENI can be bound to only an ECS instance that resides in the same VPC as the ENI.
vSwitch
Select a vSwitch. If you want to bind the created ENI to an ECS instance, select a vSwitch that resides in the same zone as the instance. After an ENI is created, you cannot change the vSwitch to which the ENI is connected.
NoteAn ENI can be bound to only an ECS instance that resides in the same zone as the ENI. The ECS instance and the ENI can be connected to different vSwitches.
Security Group
Select security groups in the selected VPC. You can select up to five security groups.
NoteYou cannot select basic and advanced security groups at the same time.
eRDMA Interface
Optional. You can turn on eRDMA Interface to enable the elastic Remote Direct Memory Access (eRDMA) feature for the ENI. eRDMA-enabled ENIs are called eRDMA interfaces (ERIs). You can bind ERIs only to ECS instances of eRDMA-capable instance types. For more information, see ERIs.
Primary Private IP Address
Optional. Enter an IPv4 address as the primary private IP address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the selected vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI when the ENI is created. For more information, see Primary private IP addresses.
Secondary Private IPv4 Address
Optional. Configure secondary private IPv4 addresses for the ENI.
Not Assign: No secondary private IPv4 addresses are assigned to the ENI.
Auto-assign: Enter an integer in the range of 1 to 9 as the number of secondary private IPv4 addresses that you want to assign to the ENI. The system automatically assigns the specified number of idle IPv4 addresses from within the CIDR block of the selected vSwitch to the ENI.
Specify IP Address: Specify the private IPv4 addresses that you want to assign as secondary private IPv4 addresses to the ENI. You can specify up to nine secondary private IPv4 addresses for the ENI.
Specify IPv4 Prefix: Specify the ranges of private IPv4 addresses in IPv4 CIDR notation that you want to assign as secondary private IPv4 addresses to the ENI. For more information, see IP prefixes.
For more information, see Secondary private IP addresses.
IPv6
Optional. Configure secondary private IPv6 addresses for the ENI.
Not Assign: No secondary private IPv6 addresses are assigned to the ENI.
Auto-assign: Enter an integer in the range of 1 to 10 as the number of secondary private IPv6 addresses that you want to assign to the ENI. The system automatically assigns the specified number of idle IPv6 addresses from within the CIDR block of the selected vSwitch to the ENI.
Specify IP Address: Specify the private IPv6 addresses that you want to assign as secondary private IPv6 addresses to the ENI. You can specify up to 10 secondary private IPv6 addresses for the ENI.
Specify IPv6 Prefix: Specify the ranges of private IPv6 addresses in IPv6 CIDR notation that you want to assign as secondary private IPv6 addresses to the ENI. For more information, see IP prefixes.
NoteTo assign IPv6 addresses to the ENI, you must select a vSwitch that supports IPv6 addresses. If the IPv6 feature is not enabled for the vSwitch that you select, click Enable IPv6 for vSwitch to enable the IPv6 feature for the vSwitch.
Session Timeout Periods
Specify timeout periods for TCP connections in the ESTABLISHED state, TCP connections in the TIME_WAIT or CLOSED state, and UDP flows. For more information, see Connection timeout management.
Description
Optional. Enter a description for the ENI to facilitate management.
Resource Group
Optional. Select a resource group. You can add resources that are owned by multiple accounts and assigned to multiple projects to resource groups. This helps facilitate management. For information about resource groups, see Resource groups.
Tag
Optional. Select one or more tags that you want to add to the ENI to facilitate search and management. For information about tags, see Tags.
Click Create ENI.
When the secondary ENI is created, Available is displayed in the Status column corresponding to the ENI on the Elastic Network Interfaces page.
Bind an ENI to an ECS instance
An ENI can be bound to only one ECS instance at a time. However, an ECS instance can have multiple ENIs. For more information about the number of ENIs supported by each instance type, see Overview of instance families.
A primary ENI is bound to an ECS instance when the instance is created. You can bind secondary ENIs in the Available state to an ECS instance to extend the network capabilities of the instance.
Prerequisites
The secondary ENI that you want to bind to an ECS instance and the ECS instance reside in the same VPC and zone.
The ECS instance is of an I/O optimized instance type and is in the Stopped or Running state. To query the performance data of instance types, see Overview of instance families or call the DescribeInstanceTypes operation. To learn about how to select instance types, see Instance type selection.
Specific instance types do not support the hot swapping feature of secondary ENIs. You can bind secondary ENIs to instances of such instance types only when the instances are in the Stopped state.
If the ECS instance was last started, restarted, or reactivated before April 1, 2018 and remained in the Running state since then, you must restart the instance before you can bind ENIs to the instance.
ImportantYou can restart an ECS instance in the ECS console or by calling the RebootInstance operation. You cannot restart an ECS instance from within the operating system.
Procedure
Bind an ENI when you create an ECS instance
When you create an ECS instance, you can bind up to two ENIs to the instance. One ENI is the primary ENI and the other ENI is a secondary ENI.
When you create an ECS instance, you can bind an existing ENI that is in the Available state and resides in the selected VPC and zone to the instance as the primary ENI or a secondary ENI. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
Bind an ENI after an ECS instance is created
You can bind only secondary ENIs to an ECS instance after the instance is created.
Use the ECS console
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a resource group and a region.
Find a secondary ENI in the Available state and click Bind to Instance in the Actions column.
In the Bind to Instance dialog box, select an instance and click Confirm.
Refresh the ENI list. If the ENI is bound to the instance, Bound is displayed in the Status column corresponding to the ENI.
Call an API operation
To bind an ENI to an ECS instance that resides in the same VPC as the ENI, you can call the AttachNetworkInterface operation with the NetworkInterfaceId parameter set to the ID of the ENI and the InstanceId parameter set to the ID of the instance.
After you bind ENIs to an ECS instance, you must configure the ENIs to take effect in the operating system of the instance. For more information, see the Configure ENIs to take effect in an ECS instance section of this topic.
Configure ENIs to take effect in an ECS instance
Primary ENIs automatically take effect after the ECS instances to which the ENIs are bound are created, without the need for manual intervention. After you bind multiple secondary ENIs to an ECS instance, check whether the ENIs take effect in the operating system of the instance.
Step 1: Check whether ENIs take effect in the operating system of an ECS instance
If the secondary ENIs that are bound to an ECS instance are incorrectly configured, the ENIs cannot communicate as expected. Perform the following operations to check whether the secondary ENIs bound to an ECS instance take effect in the operating system of the instance.
Linux instance
In this example, an ECS instance that runs Alibaba Cloud Linux 3.2 is used.
Connect to the Linux ECS instance.
For more information, see Use Workbench to connect to a Linux instance over SSH.
Run the following command to view information about the ENIs:
ip aThe following figure shows the sample command output.
In this example, two ENIs are bound to the Linux ECS instance. The ENI named eth0 serves as the primary ENI and the ENI named eth1 serves as a secondary ENI.
The ENIs are in the UP state, which indicates that the ENIs are in effect in the operating system of the instance.
ImportantIf an ENI is in the DOWN state as shown in the following figure, the ENI is not properly loaded and cannot be used as expected. In this case, perform Step 2: Configure the Linux operating system to recognize an ENI to ensure that the ENI is in the UP state.
Primary private IP address: After an ENI enters the UP state, you can view the primary private IP address of the ENI. For more information, see Primary private IP addresses.
If you assign secondary private IP addresses to an ENI bound to an ECS instance but the operating system of the instance cannot recognize the secondary private IP addresses, you must resolve the issue. For information about how to resolve the issue, see the Step 3: Configure the operating system of the instance to recognize the secondary private IP addresses section of the "Secondary private IP addresses" topic.
Run the following command to view the route information of the ENIs:
route -n
The preceding command output indicates that two routes are configured for the eth1 secondary ENI.
Route destined for 192.168.xx.xx: is a route within a specific subnet. This route ensures that the Linux ECS instance can correctly identify and directly communicate with other hosts within the subnet without the need to forward traffic that matches the route to additional routers.
Route destined for 0.0.0.0: is the default route, which is used to process packets destined for external networks or other remote networks. If the destination of a packet is not within the local subnet, the packet is sent to the gateway at 192.168.xx.xx for further forwarding.
ImportantBy default, the priority of the default route of a secondary ENI is lower than the priority of the default route of the eth0 primary ENI. This ensures that data is preferentially sent from the primary ENI.
If you want packets associated with a private IP address of the eth1 secondary ENI to be sent from the secondary ENI, you can configure policy-based routing for the secondary ENI to ensure that for packets received on the secondary ENI, the instance replies from the ENI. For more information, see Configure routes for ENIs.
In specific early operating system versions, such as Ubuntu 16, default routes may not be automatically configured for secondary ENIs. If default routes are not automatically configured for the secondary ENIs on an ECS instance that runs one of the early operating system versions, the command output shown in the following figure is returned after you run the route -n command to view the route information of the ENIs. The secondary ENIs may not work as expected. We recommend that you upgrade to a later operating system version or configure default routes for the ENIs. For information about how to configure default routes for ENIs, see the Configure default routes for ENIs section of the "Configure routes for ENIs" topic.
Windows instance
In this example, an ECS instance that runs Windows Server 2022 is used.
Connect to the Windows ECS instance.
For more information, see Use Workbench to connect to a Windows instance over RDP.
Open Network and Sharing Center.
Click Change adapter settings.
In this example, one primary ENI and one secondary ENI are bound to the Windows instance. The following figure shows that the ENIs take effect in the operating system of the instance. No additional configurations are required.
The following figure shows that the operating system of the Windows ECS instance cannot recognize the secondary ENI due to specific reasons. For information about how to troubleshoot the issue, see What do I do if the ENI configurations of a Windows instance become invalid?
View the status and details of the ENIs.
Double-click the name of an ENI to view the status of the ENI.
In this example, the primary ENI named Ethernet is used.
Click Details to view the properties of the ENI.
In the dialog box that appears, you can view the primary private IPv4 address, subnet mask, and default gateway of the ENI.
Open Command Prompt.
Press Win+R. In the Run dialog box, enter cmd and click OK.
Run the following command to view the route information of the ENIs:
Step 2: Configure the Linux operating system to recognize an ENI
If an ENI bound to an ECS instance does not take effect in the operating system of the instance, use one of the following methods to configure the ENI to take effect.
Most Windows operating systems automatically recognize ENIs. If the configurations of ENIs are invalid in a Windows ECS instance, perform the operations described in What do I do if the ENI configurations of a Windows instance become invalid to troubleshoot the issue.
Method 1: Use the multi-nic-util tool
The multi-nic-util tool can be used in the following operating systems: Alibaba Cloud Linux 2, CentOS 6 (CentOS 6.8 and later), CentOS 7 (CentOS 7.3 and later), and Red Hat.
We recommend that you do not use the multi-nic-util tool in Docker or other containerized environments.
If you use the multi-nic-util tool, the original network configurations of the Linux ECS instance may be overwritten. Proceed with caution.
If you cannot use the multi-nic-util tool to configure ENIs, use Method 2: Modify network interface configuration files.
Run the following commands to download and install the multi-nic-util tool. The download and installation require an Internet connection.
wget https://image-offline.oss-cn-hangzhou.aliyuncs.com/multi-nic-util/multi-nic-util-0.6.tgz && \ tar -zxvf multi-nic-util-0.6.tgz && \ cd multi-nic-util-0.6 && \ bash install.shRun the following command to restart the ENI service:
sudo systemctl restart eni.serviceCheck whether ENIs are in the UP state. For more information, see the Step 1: Check whether ENIs take effect in the operating system of an ECS instance section of this topic.
Method 2: Modify network interface configuration files
Network interface configuration files vary based on the Linux distribution, operating system version, and the method and tool used to manage network configurations.
Before you modify the configuration file of a network interface, we recommend that you back up the file.
If you cannot connect to a Linux ECS instance by using Workbench after you accidentally modify the configuration file of a network interface, connect to the instance by using Virtual Network Computing (VNC) to restore the configuration file.
In this example, the IP address configuration mode of ENIs on the instance is set to Dynamic Host Configuration Protocol (DHCP), and the ENIs are automatically assigned primary private IP addresses. You can set the IP address configuration mode of ENIs to static and assign static IP address to the ENIs. For more information, see the Step 3: Configure the operating system of the instance to recognize the secondary private IP addresses section of the "Secondary private IP addresses" topic.
Take note that information, such as IP addresses, Media Access Control (MAC) addresses, and gateways, in the configuration files of network interfaces must be correct. Incorrect network configurations may cause your ECS instance to fail to communicate as expected.
After binding or unbinding an ENI, ensure that the network configuration files are consistent with the actual setup to prevent network connectivity issues or configuration conflicts.
Connect to the ECS instance.
For more information, see Use Workbench to connect to a Linux instance over SSH.
Create and modify configuration files for ENIs based on the Linux distribution and operating system version.
In most cases, configuration files are automatically generated for primary ENIs. In this example, a secondary ENI is used.
Red Hat Enterprise Linux (RHEL) or CentOS series
Supported operating systems: Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, CentOS 6, CentOS 7, CentOS 8, Red Hat 6, Red Hat 7, Red Hat 8, Red Hat 9, Anolis 7, Anolis 8, Fedora 33, Fedora 34, and Fedora 35.
Network interface configuration files: /etc/sysconfig/network-scripts/ifcfg-*.
Each network interface has a configuration file, such as ifcfg-eth0, ifcfg-eth1, or ifcfg-eth2.
Example: Run the following command to create a configuration file for the eth1 secondary ENI and then add the following configurations to the configuration file:
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1DEVICE=eth1 TYPE=Ethernet BOOTPROTO=dhcp ONBOOT=yes DEFROUTE=noDEVICE: the identifier of the network interface. Example: eth1 or eth2.
TYPE: the type of the network interface. A value of
Ethernetindicates Ethernet network interface.BOOTPROTO: the IP address configuration mode of the network interface. If you set this parameter to
dhcpfor a network interface, the network interface is automatically assigned an IP address by a DHCP server based on DHCP. If you set this parameter tostaticfor a network interface, you must manually configure network information, such as a static IP address and a subnet mask, for the network interface.ONBOOT: specifies whether to activate the network interface on system startup. If you set this parameter to
yesfor a network interface, the network interface is automatically activated on system startup. If you set this parameter tonoof a network interface, the network interface is not automatically activated on system startup. You can manually activate the network interface.DEFROUTE: specifies whether to set the network interface as the exit interface of a default route.
The highest-priority default route is automatically generated for the eth0 primary ENI. You do not need to configure the DEFROUTE parameter for the ENI.
To prevent the active default route of the ECS instance from changing when you start the eth1 secondary ENI, we recommend that you do not set the secondary ENI as the exit interface of a default route. In a multi-ENI environment, you can configure policy-based routes to control the traffic forwarding paths of ENIs.
Ubuntu 18 or later
Netplan is a new network configuration framework that is used as the default network configuration mode for Ubuntu since Ubuntu 18.04 LTS.
Supported operating systems: Ubuntu 18, 20, 22, and 24.
Network interface configuration file :/etc/netplan/*.yaml.
The preceding operating systems can recognize YAML files in the /etc/netplan directory. You can configure a separate YAML file for each network interface.
The default configuration file of the primary ENI, which is 50-cloud-init.yaml, is automatically generated by cloud-init on system startup.
Example: Run the following command to create a configuration file for the eth1 secondary ENI and then add the following configurations to the configuration file:
sudo vi /etc/netplan/eth1-netcfg.yamlNoteBy default, the configuration file of the primary ENI exists. Run the
cp 50-cloud-init.yaml ethX-netcfg.yamlcommand to generate a configuration file for a secondary ENI. Then, modify corresponding information in the configuration files in the YAML format of the ENIs as follows:network: version: 2 ethernets: eth1: dhcp4: true match: macaddress: 00:16:3e:xx:xx:xx set-name: eth1dhcp4: specifies whether to enable DHCP for IPv4 (DHCPv4). Valid values: true and false.
match: the attributes of the network interface, such as macaddress.
You can view the MAC addresses of ENIs in the ECS console or by calling an API operation.
Early Debian or Ubuntu versions
Supported operating systems: early Debian and Ubuntu versions, such as Ubuntu 14, Ubuntu 16, Debian 8, Debian 9, and Debian 10.
Network Interface configuration file: /etc/network/interfaces.
Modify the preceding network interface configuration file to configure network interface information, such as IP addresses, subnet masks, gateways, and DNS settings, and set the IP address configuration mode to static or dhcp for network interfaces.
With the growing popularity of Systemd and its network management tools, this method has been gradually replaced in new versions of Ubuntu and other Linux distributions.
Main configuration items: The /etc/network/interfaces file contains network interface configurations, such as the type of network interface, IP addresses, subnet masks, gateways, and DNS settings.
Example: Run the following command to open the /etc/network/interfaces file and configure network interface information:
sudo vi /etc/network/interfacesNoteThe eth0 primary ENI is configured in the same configuration file as the eth1 secondary ENI. You must add information about the primary ENI to the configuration file.
auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp auto eth1 # The name of the ENI that you want to configure. iface eth1 inet dhcpauto <Interface>: the network interface that you want to be automatically activated on system startup.
iface <Interface> inet <Method>: the configuration method of the network interface.
inet: the IPv4 settings.
<Method>: the IP address configuration mode. If you set the <Method> parameter to
dhcpfor a network interface, the network interface obtains an IP address, a subnet mask, the default gateway, and other required network parameters by using DHCP. If you set the <Method> parameter tostaticfor a network interface, you must manually configure network information, such as a static IP address and a subnet mask, for the network interface.
SUSE Linux Enterprise Server (SLES) series
Supported operating systems: SUSE Linux 11, 12, 15 and openSUSE 15.
Network interface configuration files: /etc/sysconfig/network/ifcfg-*.
Each network interface has a configuration file, such as ifcfg-eth0, ifcfg-eth1, or ifcfg-eth2.
Example: Run the following command to create a configuration file for the eth1 secondary ENI and then add the following configurations to the configuration file:
sudo vi /etc/sysconfig/network/ifcfg-eth1BOOTPROTO='dhcp' STARTMODE='auto'BOOTPROTO: the IP address configuration mode of the network interface. If you set this parameter to
dhcpfor a network interface, the network interface automatically obtains an IP address and other network configurations, such as a subnet mask, the default gateway, and the address of a DNS server, from a DHCP server by using DHCP.STARTMODE: specifies how to handle the network interface on system startup. If you set this parameter to
'auto'for a network interface, the operating system activates the network interface on system startup as long as the operating system detects the network interface as available.
Restart the network service.
Check whether ENIs are in the UP state. For more information, see the Step 1: Check whether ENIs take effect in the operating system of an ECS instance section of this topic.
Assign private IP addresses to ENIs for communication over VPCs
After you assign an ENI to a VPC and a vSwitch, a private IP address is automatically assigned as the primary private IP address from the CIDR block of the vSwitch to the ENI. The ECS instance to which the ENI is bound can use the private IP address for communication over the internal network.
If you require multiple private IP addresses in business scenarios, such as the multi-application, failover, and load-balancing scenarios, you can assign one or more secondary private IP addresses from the CIDR block of the vSwitch to which an ENI is connected to the ENI. For more information, see the Assign secondary private IP addresses to an ENI section of the "Secondary private IP addresses" topic.
Associate public IP addresses with ENIs for communication over the Internet
If an ECS instance has only the primary ENI, you can configure a public IP address to be automatically assigned to the instance. The automatically assigned public IP address is called a static public IP address. The static public IP address is associated with the primary ENI of the ECS instance and can be used for communication over the Internet. For more information, see Static public IP address.
If an ECS instance has multiple ENIs or you want to manage ENIs in a more flexible manner, you can associate elastic IP addresses (EIPs) with ENIs for communication over the Internet. EIPs are more flexible to use than static public IP addresses. For more information, see Associate an EIP with a secondary ENI.
You can bind one or more ENIs to an ECS instance and associate EIPs with the ENIs. This allows the ECS instance to have multiple public IP addresses. For more information, see Associate multiple EIPs with an ECS instance in NAT mode.
ImportantAfter you associate EIPs with secondary ENIs, make sure that the ENIs are bound to ECS instances and take effect in the operating systems of the instances. This way, the ECS instance can use the EIPs as expected. For more information, see the Configure ENIs to take effect in an ECS instance section of this topic.
If you use secondary ENIs together with EIPs or NAT gateways, outbound traffic is preferentially sent by primary ENIs because the default routes of primary ENIs have higher priorities than the default routes of secondary ENIs. In this case, after ECS instances receive data traffic on secondary ENIs, the instances may send reply data traffic from primary ENIs. As a result, communication issues occur. In this case, you can configure policy-based routes to route data traffic in and out by using the same ENIs based on the source in-source out principle. For more information, see Configure routes for ENIs.
If you cannot ping a public IP address of an ECS instance after you properly configure ENIs and routes for the instance, you may need to check the security configurations of the instance, such as security groups and firewalls. For more information, see What do I do if I cannot ping the public IP address of an ECS instance?
Associate ENIs with security groups
You can associate ENIs with security groups to provide network layer security control.
The rules of security groups associated with ECS instances take effect on the primary ENIs of the instances. When you add an ECS instance to a security group, the instance and the primary ENI of the instance are associated with the security group. You cannot separately change the security groups associated with the primary ENI. You can change the security groups associated with the primary ENI only by changing the security groups associated with the ECS instance. For more information, see the Add an ECS instance to or remove an ECS instance from security groups or replace the security groups of an ECS instance section of the "Associate security groups with an instance (primary ENI)" topic.
You can associate the secondary ENIs of an ECS instance with security groups in the same zone within the same VPC. The security groups associated with the secondary ENIs can be different from the security groups associated with the ECS instance. You can specify security groups when you create an ENI or change the security groups associated with an ENI after the ENI is created. For information about how to change the security groups associated with an ENI, see the Add a secondary ENI to or remove a secondary ENI from security groups section of the "Associate a secondary ENI with security groups" topic.
If you assign multiple secondary private IPv4 or IPv6 addresses to an ENI, the IPv4 or IPv6 addresses are associated with the security groups that are associated with the ENI. You can configure security group rules for each ENI based on source IP addresses, application-layer protocols, and ports to achieve fine-grained access control. For more information, see Manage security group rules.