An EIP is mapped to the private IP address of an ECS instance through NAT by default, so the operating system sees only the private address. Some applications require the public IP address to be configured directly on the network interface, making the EIP visible.
- Protocol requirements: Protocols such as FTP in active mode require the packet payload to carry the host's public IP address. Communication fails if the payload contains a private IP address.
- Source address validation: Some servers require the IP address of the outbound network interface to match the public egress IP address.
- IPsec VPN: Some VPN software requires a direct binding to a public IP address to establish a tunnel.
With a VPC secondary CIDR block, you can create an elastic network interface whose primary private IP address matches the EIP, making the public IP address visible in the operating system. You can also assign an IPv6 address to the same network interface to enable IPv4/IPv6 dual-stack communication on a single interface.
How it works
A VPC secondary CIDR block allows you to add any CIDR block, including public IP address ranges, as a user-defined network segment. This allows you to:
- Add the public CIDR block that contains the EIP, such as 118.XX.XX.0/24, as a secondary CIDR block to the VPC.
- Create a vSwitch and an elastic network interface in the secondary CIDR block, and set the primary private IP address of the elastic network interface to match the EIP address.
- Bind the EIP to the elastic network interface in NAT mode to make the public IP address visible in the operating system.
You can also assign an IPv6 address to the same network interface and enable public bandwidth for IPv4/IPv6 dual-stack communication.
Limitations
- Communication within the same VPC: An ECS instance with a visible EIP communicates with other instances in the same VPC over the private network, not the public internet, even when using the EIP for communication.
- vSwitch CIDR block: The CIDR block of the vSwitch created in the secondary CIDR block must include the EIP address. The EIP cannot be one of the system-reserved addresses of the vSwitch. For IPv4, the first and the last three IP addresses of a vSwitch's CIDR block are reserved.
- Elastic network interface:
  - The ECS instance and its bound elastic network interface must be in the same VPC and availability zone, but they can belong to different vSwitches.
  - The number of elastic network interfaces that can be attached to an ECS instance is determined by its instance type.
- Secondary CIDR block: Each VPC supports a maximum of five secondary IPv4 CIDR blocks and five secondary IPv6 CIDR blocks.
Configure a visible IPv4 EIP
Console
- Create an EIP: Log on to the EIP console and click Create EIP. For more information about the configurations, see Select an EIP.
  - Billing Method: We recommend that you select Pay-as-you-go.
  - Region: Select the same region as the ECS instance.
  - You can use the default values for the other parameters.

  The EIP address determines the secondary CIDR block and vSwitch CIDR block that you will configure later.
- Add a secondary IPv4 CIDR block to the VPC, and then create a vSwitch and an elastic network interface.
  - Add a secondary CIDR block:
    - Log on to the VPC console and click the ID of the VPC that contains your ECS instance to open its details page.
    - Click the CIDR Block Management tab and click Add Secondary IPv4 CIDR Block. Select Custom and enter a CIDR block that includes the EIP address. For example, if the EIP address is 118.XX.XX.230, you can set the CIDR block to 118.XX.XX.0/24.
  - Go to the Create vSwitch page to create a vSwitch in the secondary CIDR block.
    - VPC: Select the VPC to which the ECS instance belongs.
    - IPv4 CIDR: Select an added secondary CIDR block.
    - Zone: Select the availability zone of the ECS instance.
    - IPv4 CIDR: Enter a CIDR block for the vSwitch. This block must be a subnet of the secondary CIDR block that you added and must contain the EIP address. For example, if the EIP address is 118.XX.XX.230, you can set the vSwitch CIDR block to 118.XX.XX.128/25.
  - Create an elastic network interface:
    - Go to the Network Interfaces page in the ECS console.
    - Click Create Network Interface.
      - VPC, vSwitch, and Security Group: Select the VPC and security group of the ECS instance, and the vSwitch that you created in the secondary CIDR block.
      - Primary private IP address: Enter the IP address of your EIP, such as 118.XX.XX.230.
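The three address constraints above (the secondary CIDR block contains the EIP, the vSwitch CIDR block is a subnet of it and also contains the EIP, and the EIP is not one of the vSwitch's reserved addresses) are easy to get wrong and surface only later as the "primary private IP address is invalid" error. The following Python script is an added example, not code from this page or from Alibaba Cloud; it checks a planned address layout before anything is created in the console. The sample values use the TEST-NET-3 range 203.0.113.0/24 as a constructed stand-in for the masked 118.XX.XX.x addresses on the page.

```python
import ipaddress

# Constructed sample plan (TEST-NET-3 addresses stand in for the page's
# masked 118.XX.XX.x values); these are not real Alibaba Cloud resources.
SAMPLE_EIP = "203.0.113.230"
SAMPLE_SECONDARY_CIDR = "203.0.113.0/24"   # secondary CIDR block added to the VPC
SAMPLE_VSWITCH_CIDR = "203.0.113.128/25"   # vSwitch created inside it


def reserved_addresses(vswitch_cidr: str) -> set:
    """Addresses the page says an IPv4 vSwitch reserves: the first address
    of its CIDR block and the last three."""
    net = ipaddress.IPv4Network(vswitch_cidr, strict=True)
    last = net.broadcast_address
    return {net.network_address, last - 2, last - 1, last}


def check_address_plan(eip: str, secondary_cidr: str, vswitch_cidr: str) -> list:
    """Return the problems with a plan as a list of strings; an empty list
    means the EIP can be used as the ENI's primary private IP address."""
    problems = []
    try:
        ip = ipaddress.IPv4Address(eip)
        secondary = ipaddress.IPv4Network(secondary_cidr, strict=True)
        vswitch = ipaddress.IPv4Network(vswitch_cidr, strict=True)
    except ValueError as exc:
        # strict=True rejects blocks with host bits set, e.g. 203.0.113.230/24
        return [f"invalid address or CIDR block: {exc}"]

    if ip not in secondary:
        problems.append(f"secondary CIDR {secondary} does not contain EIP {ip}")
    if not vswitch.subnet_of(secondary):
        problems.append(f"vSwitch CIDR {vswitch} is not a subnet of secondary CIDR {secondary}")
    if ip not in vswitch:
        problems.append(f"vSwitch CIDR {vswitch} does not contain EIP {ip}")
    elif ip in reserved_addresses(vswitch_cidr):
        problems.append(f"EIP {ip} is a system-reserved address of vSwitch {vswitch}")
    return problems


if __name__ == "__main__":
    # .230 is usable; .253 is one of the last three (reserved); .10 is outside the /25
    for eip in (SAMPLE_EIP, "203.0.113.253", "203.0.113.10"):
        result = check_address_plan(eip, SAMPLE_SECONDARY_CIDR, SAMPLE_VSWITCH_CIDR)
        print(eip, "->", "OK" if not result else "; ".join(result))
```

Run it with the real EIP and the CIDR blocks you intend to enter; an empty result means the vSwitch and ENI steps above will accept the values, and each listed problem maps to one of the limitations stated earlier on this page.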
- Bind resources
  - Bind the EIP to the elastic network interface: Go to the EIP console, find your EIP, and in the Actions column, click Associate with Resource.
    - Instance Type: Select ENI.
    - Mode: Select NAT Mode.
    - Select an instance to associate: Select the elastic network interface that you created.
  - Bind the elastic network interface to the ECS instance:
    - Go to the Network Interfaces page in the ECS console, find the target elastic network interface, and in the Operation column, click Bind instance and select the target ECS instance. Some instance types do not support hot-plugging. You must stop the ECS instance before you bind the elastic network interface.

      If the number of secondary elastic network interfaces attached to the ECS instance reaches the limit for its instance type, you can change the instance configuration to upgrade the instance type.
    - Verify that the elastic network interface is up: Log on to the ECS instance and run the `ip addr show` command to verify that the IP address of the secondary elastic network interface matches the EIP. If the network interface is not up, you need to configure the Linux operating system to recognize the network interface.
- Configure policy-based routing: The default route of the ECS instance points to the primary network interface, `eth0`. To ensure that requests entering through the secondary elastic network interface, `eth1`, return through the same path (source-in/source-out), configure policy-based routing.
  - Temporary configuration (resets on reboot):

    ```
    ip route add default via <vswitch_gateway> dev eth1 table 1001
    ip rule add from <primary_private_ip_address> lookup 1001
    ```
  - Permanent configuration: Configure routes to be automatically updated on system startup to make the configuration permanent.
- Verify the result: Log on to the ECS instance and run the `curl -4 --interface eth1 ifconfig.me` command to verify that the egress IP address is the EIP.
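The policy-based routing step above has a known failure mode that the page calls out: the temporary `ip route`/`ip rule` configuration disappears on reboot, and traffic arriving on `eth1` then leaves through `eth0`. The following Python script is an added example, not code from this page or from Alibaba Cloud. It builds the two commands from the page after validating the inputs, and it parses the text printed by `ip rule show` and `ip route show table 1001` to report whether the rule and the route are actually in place. The sample output is constructed (TEST-NET-3 addresses), and the gateway value 203.0.113.253 is a placeholder for `<vswitch_gateway>`, not a statement about which address Alibaba Cloud uses as the vSwitch gateway.

```python
import ipaddress
import re

ROUTE_TABLE = 1001  # routing table number used in the commands on this page


def pbr_commands(eni_ip: str, gateway: str, dev: str = "eth1", table: int = ROUTE_TABLE) -> list:
    """Build the two commands from the page after checking that both inputs
    are well-formed IPv4 addresses and the gateway is not the ENI itself."""
    ip = ipaddress.IPv4Address(eni_ip)
    gw = ipaddress.IPv4Address(gateway)
    if ip == gw:
        raise ValueError("vSwitch gateway must differ from the ENI address")
    return [
        f"ip route add default via {gw} dev {dev} table {table}",
        f"ip rule add from {ip} lookup {table}",
    ]


def pbr_status(rule_output: str, route_output: str, eni_ip: str,
               dev: str = "eth1", table: int = ROUTE_TABLE) -> dict:
    """Inspect the text printed by `ip rule show` and
    `ip route show table <table>` and report which half of the
    configuration is present."""
    rule_re = re.compile(
        rf"^\d+:\s+from {re.escape(eni_ip)}(?:/32)?\s+lookup {table}\s*$", re.M)
    route_re = re.compile(rf"^default via \S+ dev {re.escape(dev)}\b", re.M)
    return {
        "rule": bool(rule_re.search(rule_output)),
        "route": bool(route_re.search(route_output)),
    }


def pbr_in_place(rule_output: str, route_output: str, eni_ip: str,
                 dev: str = "eth1", table: int = ROUTE_TABLE) -> bool:
    """True only when both the source rule and the table's default route exist."""
    return all(pbr_status(rule_output, route_output, eni_ip, dev, table).values())


# Constructed sample output (TEST-NET-3 addresses; not captured from a real host).
RULES_AFTER_SETUP = (
    "0:\tfrom all lookup local\n"
    "32765:\tfrom 203.0.113.230 lookup 1001\n"
    "32766:\tfrom all lookup main\n"
    "32767:\tfrom all lookup default\n"
)
ROUTES_TABLE_1001 = "default via 203.0.113.253 dev eth1\n"
# After a reboot the temporary rule and route are gone: table 1001 prints nothing.
RULES_AFTER_REBOOT = (
    "0:\tfrom all lookup local\n"
    "32766:\tfrom all lookup main\n"
    "32767:\tfrom all lookup default\n"
)

if __name__ == "__main__":
    print("\n".join(pbr_commands("203.0.113.230", "203.0.113.253")))
    print("after setup :", pbr_status(RULES_AFTER_SETUP, ROUTES_TABLE_1001, "203.0.113.230"))
    print("after reboot:", pbr_status(RULES_AFTER_REBOOT, "", "203.0.113.230"))
```

On the instance, feed the real output of `ip rule show` and `ip route show table 1001` into `pbr_status`; running the check once after a reboot tells you whether the permanent configuration took effect before the `curl -4 --interface eth1` verification is attempted.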
API
- Call the AllocateEipAddress operation to create an EIP.
- Call the AssociateVpcCidrBlock operation to add a secondary CIDR block.
- Call the CreateVSwitch operation to create a vSwitch.
- Call the CreateNetworkInterface operation to create an elastic network interface.
- Call the AssociateEipAddress operation to bind the EIP to the elastic network interface.
- Call the AttachNetworkInterface operation to bind the elastic network interface to an existing ECS instance.
Configure IPv6 dual-stack
You can extend the preceding configuration by assigning an IPv6 address to the secondary elastic network interface to enable a dual-stack setup.
Console
- Enable IPv6 for the VPC: If IPv6 is not enabled for the target VPC, click Enable IPv6 in the IPv6 CIDR column of the target VPC, select Allocated by system, and select the Automatically Enable IPv6 for All vSwitches checkbox. The system automatically creates an IPv6 gateway and assigns an IPv6 CIDR block.

  If IPv6 is already enabled for the VPC and vSwitch, you can skip this step.
- Assign an IPv6 address to the elastic network interface: Go to the Network Interfaces page in the ECS console. Find the target elastic network interface, and in the Operation column, click Manage ENI IP Addresses to add an IPv6 address.
- Configure the operating system to recognize the IPv6 address: Log on to the ECS instance and run the `sudo acs-plugin-manager --exec --plugin=ecs-utils-ipv6` command. After the command is run, run `ip -6 addr show dev eth1` to confirm that the address is recognized.

  ```
  [root@iZxxx]# ip -6 addr show dev eth1
  3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
      altname enp0s6
      altname ens6
      inet6 2408:4005:305:xxx:xxx:xxx:d28b/64 scope global noprefixroute
         valid_lft forever preferred_lft forever
      inet6 fe80::xxx/64 scope link noprefixroute
         valid_lft forever preferred_lft forever
  ```
- Enable public bandwidth for the IPv6 address: By default, an IPv6 address supports only intra-VPC communication. To allow internet access over IPv6, you must enable public bandwidth.
  - Log on to the IPv6 Gateway console.
  - Click the IPv6 gateway of the target VPC. Find the target IPv6 address and click Activate Internet Bandwidth in the Actions column to configure the public bandwidth.
- Verify the result: Log on to the ECS instance and run the `curl -6 ifconfig.me` command to verify the IPv6 public egress.
API
- For an existing VPC and vSwitch, call the ModifyVpcAttribute and ModifyVSwitchAttribute operations and set the `EnableIPv6` parameter to enable or disable IPv6. Unlike the console workflow, using an API to enable IPv6 for a VPC and a vSwitch does not automatically create an IPv6 gateway. You must call the CreateIpv6Gateway operation to create one.
- Call the AssignIpv6Addresses operation to assign IPv6 addresses to an elastic network interface.
- Call the AllocateIpv6InternetBandwidth operation to purchase public bandwidth for an IPv6 address.
FAQ
| Problem | Possible cause | Solution |
| --- | --- | --- |
| The primary private IP address of the elastic network interface is invalid. | The primary private IP address is not within the vSwitch CIDR block. | Recreate the vSwitch and ensure that its CIDR block includes the EIP address. |
| The target ECS instance cannot be selected when you bind the elastic network interface. | The availability zones do not match. | Ensure that the elastic network interface and the ECS instance are in the same availability zone. |
| An error occurs when you bind the elastic network interface to an ECS instance. | The instance type does not support hot-plugging. | Stop the instance, bind the interface, and then restart the instance. |
| The elastic network interface is not enabled. | The operating system has not recognized the new network interface. | Configure the Linux operating system to recognize the network interface. |
| The ECS instance cannot access the internet. | The default route points to the primary network interface. | Adjust the route priority to ensure that the secondary elastic network interface is used for internet access, or specify the interface by using the |
| | Asymmetric routing exists. | Configure policy-based routing to ensure source-in/source-out. |
| | The security group does not allow the required traffic. | Check whether the security group allows traffic from the required sources. |