
Elastic Compute Service: Source/destination check

Last Updated: Dec 08, 2025

In some cases, attackers use IP address spoofing to send packets with a forged source IP address. This makes the packets appear to come from a trusted network. Enabling the Source/Destination Check feature for an Elastic Network Interface (ENI) helps prevent these attacks and improves network security.

What is source/destination check

When the Source/Destination Check feature is enabled for an ENI, the ENI receives only packets destined for its IP addresses and sends only packets that use its IP addresses as the source. Conversely, if this feature is disabled, the ENI does not verify the IP addresses of packets it sends or receives.

Note

To continuously improve the security and stability of Elastic Compute Service (ECS) instances, this feature will be enabled by default during instance or ENI creation through a phased release starting April 22, 2025. For more information, see the announcement.

Benefits of enabling source/destination check

  • Prevent IP spoofing: The feature prevents potential IP address spoofing attacks by verifying that the source IP address of a packet matches the IP address of the device that sent it. If the source IP address does not match the IP address of the interface, the packet is dropped.

  • Enhance security: Enabling Source/Destination Check reduces the risk of unauthorized data transmission. This is especially useful when you do not want your server to act as a packet routing point for other services. When Source/Destination Check is enabled, only traffic intended for the server is processed. This helps prevent potential security vulnerabilities.

  • Maintain network stability and efficiency: The feature helps prevent data flow issues caused by incorrect routing. This maintains the stability of the entire network system and improves network resource utilization.

Note that Source/Destination Check alone is not enough to protect against all types of network threats. As needed, combine it with other technologies and policies to protect your network from various attacks. These include security group configurations, network ACLs, SSL/TLS encryption, identity verification mechanisms, Anti-DDoS protection, and backups of important data.

Supported regions

The Source/Destination Check feature is available only in some regions. In other regions, this feature is disabled by default.

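| Area | Region Name | Region ID |
|---|---|---|
| Asia-Pacific - China | China (Qingdao) | cn-qingdao |
| Asia-Pacific - China | China (Beijing) | cn-beijing |
| Asia-Pacific - China | China (Zhangjiakou) | cn-zhangjiakou |
| Asia-Pacific - China | China (Hohhot) | cn-huhehaote |
| Asia-Pacific - China | China (Ulanqab) | cn-wulanchabu |
| Asia-Pacific - China | China (Hangzhou) | cn-hangzhou |
| Asia-Pacific - China | China (Shanghai) | cn-shanghai |
| Asia-Pacific - China | China (Nanjing - Local Region) | cn-nanjing |
| Asia-Pacific - China | China (Fuzhou - Local Region) | cn-fuzhou |
| Asia-Pacific - China | China (Shenzhen) | cn-shenzhen |
| Asia-Pacific - China | China (Heyuan) | cn-heyuan |
| Asia-Pacific - China | China (Guangzhou) | cn-guangzhou |
| Asia-Pacific - China | China (Chengdu) | cn-chengdu |
| Asia-Pacific - China | China (Hong Kong) | cn-hongkong |
| Asia-Pacific - China | China (Wuhan - Local Region) | cn-wuhan-lr |
| Asia-Pacific - Other | Singapore | ap-southeast-1 |
| Asia-Pacific - Other | Malaysia (Kuala Lumpur) | ap-southeast-3 |
| Asia-Pacific - Other | Indonesia (Jakarta) | ap-southeast-5 |
| Asia-Pacific - Other | Philippines (Manila) | ap-southeast-6 |
| Asia-Pacific - Other | Thailand (Bangkok) | ap-southeast-7 |
| Asia-Pacific - Other | Japan (Tokyo) | ap-northeast-1 |
| Asia-Pacific - Other | South Korea (Seoul) | ap-northeast-2 |
| Europe & Americas | US (Virginia) | us-east-1 |
| Europe & Americas | US (Silicon Valley) | us-west-1 |
| Europe & Americas | Mexico | na-south-1 |
| Europe & Americas | Germany (Frankfurt) | eu-central-1 |
| Europe & Americas | UK (London) | eu-west-1 |
| Middle East | UAE (Dubai) | me-east-1 |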

Scenarios where you might need to disable source/destination check

Disabling Source/Destination Check is necessary for certain special network configurations. Common scenarios include the following:

  • Multi-ENI scenario: In an instance with multiple ENIs, a packet might enter through one network interface (such as eth1) and exit through another (such as eth0). If Source/Destination Check is enabled on the primary ENI, it can affect the data flow of secondary ENIs.

    After you attach an ENI to an instance, you can configure policy-based routing to resolve this issue. For more information, see Configure policy-based routing for an ENI.

  • Network Address Translation: When an instance acts as a Network Address Translation (NAT) device, it must receive packets from other instances in the network and forward them to the internet or other networks. In this case, you must disable Source/Destination Check to allow traffic to pass freely.

  • Router: When an instance is configured as a router, it must process all traffic that passes through it, not just packets sent directly to it. In this case, you must disable Source/Destination Check to correctly forward packets.

  • Custom load balancer: When a server acts as a custom Server Load Balancer, it needs to receive client requests and distribute them to different backend servers. In this case, you must also disable Source/Destination Check to allow this traffic pattern.

  • VPN endpoint: When an instance is used as a VPN server, it may need to process packets from different networks. This also requires you to disable Source/Destination Check to allow these packets to pass.

  • Advanced network architecture: For more complex network designs, you may also need to disable Source/Destination Check to meet specific requirements. Examples include implementing specific traffic shaping rules, integrating special firewall solutions, or performing detailed network monitoring.
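The following added example (not Alibaba Cloud code) models the rule stated under "What is source/destination check" and shows why the forwarding scenarios listed above need the check disabled. The interface names, the `Eni`/`Packet` classes and all addresses are constructed for illustration, and the model covers only the two conditions this page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Eni:
    ips: frozenset           # addresses assigned to the ENI
    source_dest_check: bool  # the setting this page describes

    def owns(self, addr: str) -> bool:
        return ip_address(addr) in self.ips

    def allows_ingress(self, pkt: Packet) -> bool:
        # Enabled: receive only packets destined for the ENI's own addresses.
        return not self.source_dest_check or self.owns(pkt.dst)

    def allows_egress(self, pkt: Packet) -> bool:
        # Enabled: send only packets whose source is one of the ENI's addresses.
        return not self.source_dest_check or self.owns(pkt.src)


def make_eni(ips, check=True) -> Eni:
    return Eni(frozenset(ip_address(i) for i in ips), check)


def forward(in_eni: Eni, out_eni: Eni, pkt: Packet) -> str:
    """Instance relays pkt unchanged: received on in_eni, sent on out_eni."""
    if not in_eni.allows_ingress(pkt):
        return "dropped on ingress"
    if not out_eni.allows_egress(pkt):
        return "dropped on egress"
    return "forwarded"


# Constructed traffic: a client routed through the instance to a remote host.
TRANSIT = Packet(src="10.0.1.20", dst="203.0.113.5")
# Constructed spoof: the instance emits a source address its ENI does not own.
SPOOFED = Packet(src="10.0.0.99", dst="203.0.113.5")

if __name__ == "__main__":
    for c1, c0 in ((True, True), (False, True), (False, False)):
        eth1, eth0 = make_eni(["10.0.1.10"], c1), make_eni(["10.0.0.10"], c0)
        print(f"eth1 check={c1}, eth0 check={c0}: {forward(eth1, eth0, TRANSIT)}")
```

The middle case is the multi-ENI pitfall: disabling the check on only one of the two interfaces still drops relayed traffic at the other.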

Set the source/destination check feature for an ENI

Enable or disable source/destination check when creating an ENI

When you create an ENI, you can enable or disable the Source/Destination Check feature. If your scenario is not one of the scenarios where you might need to disable Source/Destination Check, we recommend that you enable the feature to improve network security.

Create an ENI with an instance

When you purchase an ECS instance, you can enable or disable Source/Destination Check for the ENIs (primary and secondary ENIs) created with the instance. For more information, see Create an instance using the wizard.

Note
  • Some ECS instance types do not support attaching secondary ENIs during instance creation. You can attach them separately after the instance is created. For more information, see ECS instance types that must be stopped.

  • When you purchase an instance, you can attach a maximum of two ENIs: one primary ENI (automatically matched) and one secondary ENI.

Create an ENI separately

When you create a standalone ENI, you can configure its Source/Destination Check feature. Then, you can attach the ENI to an instance. For more information, see Create and use an ENI.

Note

You can also call the CreateNetworkInterface operation to create an ENI. Set the SourceDestCheck parameter to `true` to enable Source/Destination Check, or `false` to disable it.

Modify the source/destination check for an ENI

After an ENI is created, you can modify its properties to enable or disable the Source/Destination Check feature.

Modify in the console

  1. Go to ECS console - Elastic Network Interfaces.

  2. In the top navigation bar, select a region and resource group.

  3. Click the ID of the target ENI to open its details page.

  4. View the current status of the Source/Destination Check feature and change the setting.

Modify using the API

  • Call the ModifyNetworkInterfaceAttribute operation. Set the SourceDestCheck parameter to `true` to enable Source/Destination Check for the specified NetworkInterfaceId, or `false` to disable it.

  • After the modification is successful, you can call DescribeNetworkInterfaceAttribute to query the properties of the specified NetworkInterfaceId. In the response, the SourceDestCheck parameter indicates whether Source/Destination Check is enabled. A value of `true` indicates that the feature is enabled, and a value of `false` indicates that the feature is disabled.
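An added example (not part of the original documentation) of auditing the `SourceDestCheck` value returned by DescribeNetworkInterfaceAttribute against a list of ENIs approved to forward traffic, and building the ModifyNetworkInterfaceAttribute parameters that would re-enable the check. The ENI IDs, the approved list and the sample responses are constructed; the code makes no API calls and assumes each response has already been fetched and parsed into a dict.

```python
def audit_enis(responses, approved_forwarders):
    """Classify ENIs by SourceDestCheck against the approved forwarder list."""
    report = {"violation": [], "stale_exception": [], "unknown": [], "ok": []}
    for resp in responses:
        eni_id = resp["NetworkInterfaceId"]
        check = resp.get("SourceDestCheck")
        if not isinstance(check, bool):
            # Field absent or malformed, for example in a region without the feature.
            report["unknown"].append(eni_id)
        elif not check and eni_id not in approved_forwarders:
            # Check disabled on an ENI with no documented forwarding role.
            report["violation"].append(eni_id)
        elif check and eni_id in approved_forwarders:
            # Listed as NAT/router/VPN but the check is on: relayed traffic
            # will be dropped, or the approved list is out of date.
            report["stale_exception"].append(eni_id)
        else:
            report["ok"].append(eni_id)
    return report


def remediation_requests(report, region_id):
    """Parameters for ModifyNetworkInterfaceAttribute, one dict per violation."""
    return [
        {"RegionId": region_id, "NetworkInterfaceId": eni_id, "SourceDestCheck": True}
        for eni_id in report["violation"]
    ]


# Constructed sample data: trimmed responses and a hypothetical approved list.
SAMPLE_RESPONSES = [
    {"NetworkInterfaceId": "eni-example-web01", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-example-nat01", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-example-app02", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-example-vpn01", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-example-old03"},
]
APPROVED_FORWARDERS = {"eni-example-nat01", "eni-example-vpn01"}

if __name__ == "__main__":
    result = audit_enis(SAMPLE_RESPONSES, APPROVED_FORWARDERS)
    for status, ids in result.items():
        print(f"{status}: {ids}")
    for params in remediation_requests(result, "cn-hangzhou"):
        print("would call ModifyNetworkInterfaceAttribute with", params)
```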