All Products
Search

This Product

    Elastic IP Address:Make an EIP visible on an ENI using a VPC secondary CIDR block

    Document Center

    Elastic IP Address:Make an EIP visible on an ENI using a VPC secondary CIDR block

    Last Updated:Mar 26, 2026

    Make an EIP visible in the OS by adding a VPC secondary CIDR block that contains the EIP address. This is the recommended alternative to cut-through mode, with optional IPv6 dual-stack.

    In NAT mode, the OS sees only private IPs — the EIP is invisible on the Elastic Network Interface (ENI). Some applications require the public IP to be directly configured on the NIC:

    • NAT ALG protocols: FTP active mode and similar protocols embed the local IP in the payload. A private IP causes communication failures.

    • Source address verification: Some servers require the NIC IP to match the public egress IP.

    • IPsec VPN: Some VPN software requires a public IP bound directly to the interface.

    This guide makes the EIP visible by using it as the primary private IP of a secondary ENI in a VPC secondary CIDR block. This is the recommended alternative to cut-through mode — it keeps private network connectivity intact. You can also assign an IPv6 address to the same ENI to enable IPv4/IPv6 dual-stack communication.

    How it works

    The secondary CIDR block of a VPC allows you to add any CIDR block, including public IP ranges, as a custom network segment. This enables the following workflow:

    1. Add a secondary IPv4 CIDR block to your VPC using the public CIDR block that contains your EIP, such as 118.XX.XX.0/24.

    2. Create a vSwitch in that secondary block, in the same zone as your instance.

    3. Create a secondary ENI in the new vSwitch with the EIP as its primary private IP address.

    4. Associate the EIP with this ENI in NAT mode and attach the ENI to your ECS instance.

    The EIP then appears as the ENI's primary private IPv4 address, visible in the OS.

    Optionally, assign an IPv6 address to the same ENI and enable IPv6 public bandwidth for dual-stack IPv4/IPv6 support.

    image

    Usage notes

    • Intra-VPC communication: ECS instances using a secondary CIDR block in ENI-visible mode cannot use the EIP to communicate with other instances in the same VPC via the public network. Traffic remains private.

    • vSwitch CIDR block: The EIP must fall within the vSwitch IP range and cannot be a system-reserved addresses (the first and last three IPs of each vSwitch for IPv4).

    • ENI:

      • An ECS instance and its attached ENIs must be in the same VPC and zone. They can be in different vSwitches.

      • The number of ENIs an instance supports varies by instance type.

    • Secondary CIDR block: Each VPC supports up to 5 secondary IPv4 CIDR blocks and 5 secondary IPv6 CIDR blocks.

    Configure IPv4 network interface visibility

    Console

    1. Create an EIP.

      Log on to the EIP console and click Create EIP. For more information, see EIP selection guide.

      • Set Billing Method to Pay-as-you-go.

      • Region: Select the same region as the ECS instance.

      • Keep the default values for the other parameters.

      The EIP address determines the secondary CIDR block and vSwitch CIDR block that you configure later.

    2. Set up the secondary CIDR block, vSwitch, and ENI.

      1. Add a secondary CIDR block.

        1. Log on to the VPC console. Click the ID of the VPC that contains the ECS instance to go to the details page.

        2. Click the CIDR Block Management tab and click Add Secondary IPv4 CIDR Block. Select Custom and enter a CIDR block that includes the EIP address.

          For example, if the EIP address is 118.XX.XX.230, set the CIDR block to 118.XX.XX.0/24.

      2. Go to the Create vSwitch page and create a vSwitch in the secondary CIDR block.

        • VPC: Select the VPC that contains the ECS instance.

        • IPv4 CIDR: Select the secondary CIDR block that you added.

        • Zone: Select the zone where the ECS instance is located.

        • IPv4 CIDR: Enter a CIDR block that includes the EIP address. For example, if the EIP address is 118.XX.XX.230, set the CIDR block to 118.XX.XX.128/25.

      3. Create an ENI.

        1. Go to the Elastic Network Interfaces page in the ECS console.

        2. Click Create ENI.

          • VPC, vSwitch, and Security Group: Select the VPC and security group that contain the ECS instance, and the vSwitch that you created in the secondary CIDR block.

          • Primary Private IP Address: Enter the IP address of the EIP (for example, 118.XX.XX.230).

    3. Associate the EIP and attach the ENI.

      1. Associate the EIP with the ENI.

        Go to the EIP console. Find the target EIP and click Associate with Resource in the Actions column.

        • Set Instance Type to ENI.

        • Set Mode to NAT Mode.

        • Select an instance to associate: Select the ENI that you created.

      2. Attach the ENI with the ECS instance.

        1. Go to the ENI page.

        2. Find the target ENI, click Bind Instance in the Operation column, and select the target ECS instance.

          Some instance types do not support hot-plugging. You must stop the ECS instance before you can associate the ENI.

          If the number of secondary ENIs associated with an ECS instance reaches the limit for its instance type, you can resize the instance to upgrade its instance type.

        3. Verify that the ENI is working. Log on to the ECS instance and run the ip addr show command to confirm that the IP address of the secondary ENI is the same as the EIP. If the ENI is not started, you must configure the Linux operating system to recognize the network interface.

    4. Configure policy-based routing.

      The default route points to the primary ENI (eth0). Configure policy-based routing on the ECS instance so responses exit through the secondary ENI (eth1):

      • Temporary configuration (lost after restart):

        Replace eth1 with the actual device name of your secondary ENI. Replace <subnet_gateway> with the gateway of your secondary CIDR vSwitch. Replace <primary_private_IP_address> with the EIP address assigned to the ENI.
        ip route add default via <subnet_gateway> dev eth1 table 1001
ip rule add from <primary_private_IP_address> lookup 1001

      • To persist these rules across reboots, add the commands to /etc/rc.local and run sudo chmod +x /etc/rc.local.

    5. Verify the configuration.

      Log on to the ECS instance and run the curl -4 --interface eth1 ifconfig.me to verify that the outbound IP address matches the EIP.

    API

    1. Call AllocateEipAddress to allocate an EIP..

    2. Call AssociateVpcCidrBlock to add the secondary CIDR block to the VPC.

    3. Call CreateVSwitch to create a vSwitch within the secondary CIDR block.

    4. Call CreateNetworkInterface to create an ENI.

    5. Call AssociateEipAddress to associate the EIP with the ENI.

    6. Call AttachNetworkInterface to attach the ENI to the ECS instance.

    Configure IPv6 dual stack

    After you configure IPv4 EIP visibility, assign an IPv6 address to the same secondary ENI to enable single-NIC IPv4/IPv6 dual-stack.

    image

    Console

    1. Enable IPv6.

      If IPv6 is not enabled for the target VPC, click Enable IPv6 in the IPv6 CIDR column of the target VPC. Select Allocated by system, and then select the Automatically Enable IPv6 for All vSwitches checkbox. The system automatically creates an IPv6 Gateway and assigns an IPv6 CIDR block.

      If IPv6 is already enabled for the target VPC and its vSwitches, skip this step.

    2. Assign an IPv6 address to the ENI:

      Go to the ENI page. In the Operation column of the target ENI, click Manage ENI IP Addresses and add an IPv6 address.

    3. Configure the operating system to recognize the IPv6 address.

      Log on to the ECS instance and run the following commands to configure IPv6:

         sudo acs-plugin-manager --exec --plugin=ecs-utils-ipv6
   ip -6 addr show dev eth1

      image

    4. Enable public bandwidth for the IPv6 address.

      By default, an IPv6 address supports only communication within its VPC. To enable internet access, you must enable public bandwidth for the address.

      1. Log on to the IPv6 Gateway console.

      2. Click the IPv6 gateway of the target VPC. In the Actions column of the target IPv6 address, click Activate Internet Bandwidth and configure the public bandwidth.

    5. Verify the result.

      Log on to the ECS instance and run the curl -6 ifconfig.me command to verify the IPv6 public egress.

    API

    1. For existing VPCs and vSwitches, call ModifyVpcAttribute and ModifyVSwitchAttribute with EnableIPv6 set to true.

      Unlike the console, enabling IPv6 via API does not automatically create an IPv6 gateway. Call CreateIpv6Gateway to create one.

    2. Call AssignIpv6Addresses to assign an IPv6 address to the ENI.

    3. Call AllocateIpv6InternetBandwidth to purchase public bandwidth for the IPv6 address.

    Troubleshooting

    Problem

    Possible cause

    Solution

    Invalid primary private IP

    The primary private IP is not in the vSwitch CIDR block.

    Re-create the vSwitch with a CIDR block that includes the primary private IP address.

    Cannot select ECS instance

    The ENI and ECS instance zones differ.

    Ensure the ENI and ECS instance are in the same zone.

    ENI attachment fails

    The instance type doesn't support hot-plugging.

    Stop the instance, bind the ENI, and restart.

    ENI not visible in OS

    The OS does not auto-detect the ENI.

    Configure the Linux OS to recognize the network interface manually.

    No internet access

    Default route points to primary ENI.

    Adjust route priority or use --interface eth1 to force egress.

    Asymmetric routing exists.

    Configure policy routing to ensure symmetric traffic pathways.

    Security group blocks traffic.

    Check security group rules to allow inbound/outbound access.