Source/Destination Check controls whether an Elastic Network Interface (ENI) verifies that packets match its own IP addresses. Enable it to prevent IP spoofing, or disable it when the instance must forward traffic for other hosts.
How Source/Destination Check works
When Source/Destination Check is enabled for an ENI, the ENI:
Receives only packets destined for its IP addresses.
Sends only packets that use its IP addresses as the source.
When Source/Destination Check is disabled, the ENI does not verify the IP addresses of packets it sends or receives.
Starting April 22, 2025, Source/Destination Check will be enabled by default during instance or ENI creation through a phased release. For more information, see the announcement.
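The two rules above, applied to a forwarding instance. This is an added example, not provider code: the `Eni` class, the addresses, and the four-leg NAT flow are constructed for illustration, and the model covers unicast IPv4 only.

```python
import ipaddress


class Eni:
    """Model of the documented rule; not the provider's implementation."""

    def __init__(self, ips, source_dest_check=True):
        # An ENI may hold a primary and secondary private IPs.
        self.ips = {ipaddress.ip_address(ip) for ip in ips}
        self.source_dest_check = source_dest_check

    def allows(self, direction, src, dst):
        """Return True if the packet passes the check on this ENI."""
        if not self.source_dest_check:
            return True  # check disabled: addresses are not verified
        if direction == "ingress":
            return ipaddress.ip_address(dst) in self.ips
        if direction == "egress":
            return ipaddress.ip_address(src) in self.ips
        raise ValueError(f"unknown direction: {direction}")


# Constructed flow through a NAT instance whose ENI holds 10.0.0.10.
# A client (10.0.1.5) reaches an external host (203.0.113.7) via the NAT.
NAT_FLOW = [
    ("ingress", "10.0.1.5", "203.0.113.7"),   # client packet arrives for forwarding
    ("egress", "10.0.0.10", "203.0.113.7"),   # after source translation
    ("ingress", "203.0.113.7", "10.0.0.10"),  # reply addressed to the NAT
    ("egress", "203.0.113.7", "10.0.1.5"),    # reply forwarded back to the client
]


def trace(eni, flow):
    """Evaluate every leg of a flow against the ENI's check."""
    return [eni.allows(direction, src, dst) for direction, src, dst in flow]


if __name__ == "__main__":
    for enabled in (True, False):
        eni = Eni(["10.0.0.10"], source_dest_check=enabled)
        print("check enabled" if enabled else "check disabled", trace(eni, NAT_FLOW))
```

With the check enabled, only the legs that carry the NAT's own address pass, so the first and last legs of the forwarded flow are dropped; an ordinary host that only talks from and to its own addresses is unaffected.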
Protection scope
Source/Destination Check provides the following protections:
| Protection | Description |
|---|---|
| IP spoofing prevention | Verifies that the source IP address of each packet matches the IP address of the sending interface. Drops packets with mismatched addresses. |
| Unauthorized data transmission reduction | Prevents the server from acting as a packet routing point for other services. Only traffic intended for the server is processed. |
| Network stability | Prevents data flow issues caused by incorrect routing. Improves network resource utilization across the system. |
Source/Destination Check alone does not protect against all network threats. Combine it with security group configurations, network ACLs, SSL/TLS encryption, identity verification mechanisms, Anti-DDoS protection, and data backups for comprehensive protection.
Configure Source/Destination Check
Set during ENI creation
When creating an ENI, you can enable or disable Source/Destination Check. Unless your use case is one of the scenarios in which you might need to disable Source/Destination Check, enable the feature to improve network security.
Create an ENI with an instance
When purchasing an ECS instance, enable or disable Source/Destination Check for the ENIs (primary and secondary) created with the instance. For more information, see Create an instance using the wizard.
Some ECS instance types do not support attaching secondary ENIs during instance creation. Attach them separately after the instance is created. For more information, see ECS instance types that must be stopped.
When purchasing an instance, you can attach a maximum of two ENIs: one primary ENI (automatically matched) and one secondary ENI.

Create a standalone ENI
When creating a standalone ENI, configure its Source/Destination Check setting, then attach the ENI to an instance. For more information, see Create and use an ENI.
Call the CreateNetworkInterface operation to create an ENI via API. Set the SourceDestCheck parameter to true to enable Source/Destination Check, or false to disable it.

Modify for an existing ENI
After an ENI is created, modify its properties to enable or disable Source/Destination Check.
Console
In the top navigation bar, select a region and resource group.

Click the ID of the target ENI to open its details page.
View the current status of Source/Destination Check and change the setting.

API
| Operation | Purpose | Parameters |
|---|---|---|
| ModifyNetworkInterfaceAttribute | Enable or disable Source/Destination Check for an existing ENI | NetworkInterfaceId: target ENI. SourceDestCheck: true to enable, false to disable. |
| DescribeNetworkInterfaceAttribute | Query the current Source/Destination Check status | NetworkInterfaceId: target ENI. Response includes SourceDestCheck (true = enabled, false = disabled). |
When to disable Source/Destination Check
Disable Source/Destination Check when an instance must forward, translate, or redistribute traffic that does not originate from or target its own IP addresses.
| Scenario | Description |
|---|---|
| Multi-ENI configurations | In an instance with multiple ENIs, a packet might enter through one interface (such as eth1) and exit through another (such as eth0). Source/Destination Check on the primary ENI can affect the data flow of secondary ENIs. After attaching an ENI to an instance, you can configure policy-based routing to resolve this issue. For more information, see Configure policy-based routing for an ENI. |
| Network Address Translation (NAT) | An instance acting as a NAT device must receive packets from other instances and forward them to the internet or other networks. |
| Routing | An instance configured as a router must process all traffic that passes through it, not just packets addressed directly to it. |
| Custom load balancing | A server acting as a custom load balancer must receive client requests and distribute them to different backend servers. |
| VPN endpoint | An instance serving as a VPN server must process packets from different networks. |
| Advanced network architectures | Complex network designs may require disabled Source/Destination Check for traffic shaping rules, firewall solutions, or detailed network monitoring. |
Supported regions
Source/Destination Check is available only in the following regions. In other regions, the feature is disabled by default.
| Area | Region name | Region ID |
|---|---|---|
| Asia-Pacific - China | China (Qingdao) | cn-qingdao |
| Asia-Pacific - China | China (Beijing) | cn-beijing |
| Asia-Pacific - China | China (Zhangjiakou) | cn-zhangjiakou |
| Asia-Pacific - China | China (Hohhot) | cn-huhehaote |
| Asia-Pacific - China | China (Ulanqab) | cn-wulanchabu |
| Asia-Pacific - China | China (Hangzhou) | cn-hangzhou |
| Asia-Pacific - China | China (Shanghai) | cn-shanghai |
| Asia-Pacific - China | China (Nanjing - Local Region) | cn-nanjing |
| Asia-Pacific - China | China (Fuzhou - Local Region) | cn-fuzhou |
| Asia-Pacific - China | China (Shenzhen) | cn-shenzhen |
| Asia-Pacific - China | China (Heyuan) | cn-heyuan |
| Asia-Pacific - China | China (Guangzhou) | cn-guangzhou |
| Asia-Pacific - China | China (Chengdu) | cn-chengdu |
| Asia-Pacific - China | China (Hong Kong) | cn-hongkong |
| Asia-Pacific - China | China (Wuhan - Local Region) | cn-wuhan-lr |
| Asia-Pacific - Other | Singapore | ap-southeast-1 |
| Asia-Pacific - Other | Malaysia (Kuala Lumpur) | ap-southeast-3 |
| Asia-Pacific - Other | Indonesia (Jakarta) | ap-southeast-5 |
| Asia-Pacific - Other | Philippines (Manila) | ap-southeast-6 |
| Asia-Pacific - Other | Thailand (Bangkok) | ap-southeast-7 |
| Asia-Pacific - Other | Japan (Tokyo) | ap-northeast-1 |
| Asia-Pacific - Other | South Korea (Seoul) | ap-northeast-2 |
| Europe & Americas | US (Virginia) | us-east-1 |
| Europe & Americas | US (Silicon Valley) | us-west-1 |
| Europe & Americas | Mexico | na-south-1 |
| Europe & Americas | Germany (Frankfurt) | eu-central-1 |
| Europe & Americas | UK (London) | eu-west-1 |
| Middle East | UAE (Dubai) | me-east-1 |
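An audit that combines the SourceDestCheck status, the disable scenarios, and the region list above to flag ENIs whose setting does not match their recorded role. This is an added example, not provider tooling: the record shape, the RegionId key, the "role" tag convention, and the sample inventory are assumptions; only NetworkInterfaceId and SourceDestCheck are field names from this page.

```python
# Roles that forward traffic, taken from the "When to disable" scenarios.
# The "role" tag and its values are a hypothetical tagging convention.
FORWARDING_ROLES = {"nat", "router", "load-balancer", "vpn"}

# Region IDs listed on this page as supporting the feature.
SUPPORTED_REGIONS = set("""
cn-qingdao cn-beijing cn-zhangjiakou cn-huhehaote cn-wulanchabu cn-hangzhou
cn-shanghai cn-nanjing cn-fuzhou cn-shenzhen cn-heyuan cn-guangzhou cn-chengdu
cn-hongkong cn-wuhan-lr ap-southeast-1 ap-southeast-3 ap-southeast-5
ap-southeast-6 ap-southeast-7 ap-northeast-1 ap-northeast-2 us-east-1
us-west-1 na-south-1 eu-central-1 eu-west-1 me-east-1
""".split())


def audit_eni(eni):
    """Classify one ENI record as (finding, reason)."""
    if eni.get("RegionId") not in SUPPORTED_REGIONS:
        return "unsupported-region", "feature not available; rely on other controls"
    enabled = eni.get("SourceDestCheck")
    if not isinstance(enabled, bool):
        return "unknown", "SourceDestCheck missing or not boolean; query the ENI again"
    forwards = eni.get("role") in FORWARDING_ROLES
    if enabled and forwards:
        return "breaks-forwarding", "forwarding role, but the check drops transit packets"
    if not enabled and not forwards:
        return "unjustified-disable", "check is off with no forwarding role recorded"
    return "ok", "setting matches the recorded role"


def audit(enis):
    """Map NetworkInterfaceId -> finding for every record."""
    return {e["NetworkInterfaceId"]: audit_eni(e)[0] for e in enis}


SAMPLE_ENIS = [  # constructed inventory, not real resources
    {"NetworkInterfaceId": "eni-example-web", "RegionId": "cn-hangzhou", "SourceDestCheck": True, "role": "web"},
    {"NetworkInterfaceId": "eni-example-nat", "RegionId": "cn-hangzhou", "SourceDestCheck": False, "role": "nat"},
    {"NetworkInterfaceId": "eni-example-db", "RegionId": "eu-central-1", "SourceDestCheck": False, "role": "database"},
    {"NetworkInterfaceId": "eni-example-vpn", "RegionId": "us-east-1", "SourceDestCheck": True, "role": "vpn"},
    {"NetworkInterfaceId": "eni-example-old", "RegionId": "example-region-1", "SourceDestCheck": False, "role": "web"},
    {"NetworkInterfaceId": "eni-example-gap", "RegionId": "ap-southeast-1", "role": "web"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENIS:
        print(e["NetworkInterfaceId"], *audit_eni(e), sep="\t")
```

The "unjustified-disable" finding is the one to review first: the check is off on an interface that has no recorded reason to forward traffic.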