Elastic IP Address: Security hardening for EIP cut-through mode access to the 100.64.0.0/10 reserved CIDR block

Last Updated: Mar 25, 2026

Dear Alibaba Cloud customers, to continuously improve the security of our cloud network environment, we are planning to implement security hardening for access policies of Elastic IP Addresses (EIPs) in cut-through mode. Thank you for your understanding and cooperation. We will continue to enhance our product security capabilities to provide you with a more reliable cloud service experience. If you have any questions, please contact us through your account manager.

Change details

Starting from April 23, 2026, 00:00 (UTC+8), EIPs with the association mode set to Cut-through Mode will no longer be allowed to access the Alibaba Cloud reserved CIDR block 100.64.0.0/10. This CIDR block is reserved for Alibaba Cloud services and is only applicable to private network access. This change aims to prevent unintended access behavior and further safeguard your business security.

Scope of impact

If you are currently using EIPs with the association mode set to Cut-through Mode to access cloud services within the 100.64.0.0/10 CIDR block, you will not be able to continue accessing them after April 23, 2026.

Instructions

To ensure smooth business operations, please configure the route for 100.64.0.0/10 to point to the primary elastic network interface (ENI) of your ECS instance before April 23, 2026.

  1. Bind the ENI associated with the EIP to an ECS instance:

    1. Go to the VPC console - Elastic IP Addresses page. In the top menu bar, select the region of the EIP.

    2. Find the target EIP with the association mode set to Cut-through Mode, and click the ENI ID in the Associated Instance Type/ID column.

    3. On the ENI details page, click Associate with Instance and select the target ECS instance to associate.

  2. Log on to the ECS instance using the associated EIP, and run the ifconfig or ipconfig command to check the network configuration of the instance.

    Each instance type supports a different number of ENIs that can be bound.
    After a secondary ENI is bound to an ECS instance, some images cannot automatically detect the IP address of the secondary ENI and add routes. In this case, you need to configure the secondary ENI.
    After the binding, the ECS instance automatically generates a route with the secondary ENI as the outbound interface. The priority of this route is lower than that of the route with the primary ENI as the outbound interface. Please adjust the route priority based on your business requirements.
  3. After completing the binding and route configuration, create the set_cloud_service_default_route.sh script to route the Alibaba Cloud service address 100.64.0.0/10 to the primary ENI.

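    #!/bin/sh
    # Route the Alibaba Cloud service block 100.64.0.0/10 through the primary ENI.

    # The instance metadata service returns the primary private IPv4 address.
    primary_ip=$(curl -s http://100.100.100.200/latest/meta-data/private-ipv4)
    if [ -z "$primary_ip" ]; then
        echo "ERROR: Failed to get primary ip" >&2
        exit 1
    fi
    echo "get primary_ip=$primary_ip"

    # Find the interface holding the primary IP. -w/-F match the address as a
    # literal whole word, so 10.0.0.1 does not also match 10.0.0.10.
    primary_device=$(ip -4 -o addr | grep -wF -- "$primary_ip" | awk '{print $2}')
    if [ -z "$primary_device" ]; then
        echo "ERROR: Failed to get main nic" >&2
        exit 1
    fi
    echo "primary device is $primary_device"

    # Take the gateway from the default route that uses the primary interface.
    gateway=$(ip route show default | grep -w -- "$primary_device" | grep -oP 'via\s+\K[0-9.]+')
    if [ -z "$gateway" ]; then
        echo "ERROR: Failed to get default gateway" >&2
        exit 1
    fi
    echo "default gateway is $gateway"

    # $cmd is left unquoted on purpose so that it splits into command arguments.
    cmd="ip route replace 100.64.0.0/10 via $gateway dev $primary_device"
    if ! sudo $cmd; then
        echo "ERROR: Failed to add route for 100.64.0.0/10" >&2
        exit 1
    fi
    result=$(ip route | grep -F "100.64.0.0/10")
    echo "config finish, $result"
    if [ -z "$result" ]; then
        echo "ERROR: Failed to add route for 100.64.0.0/10" >&2
        exit 1
    fi

    # Persist the route across reboots. /etc/rc.local must be executable, and a
    # line appended after an "exit 0" in that file never runs.
    result=$(grep -F "100.64.0.0/10" /etc/rc.local 2>/dev/null)
    if [ -z "$result" ]; then
        echo "$cmd" | sudo tee -a /etc/rc.local
        echo "add default route to rc.local"
    fi

    echo "Success"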
  4. Run the sh set_cloud_service_default_route.sh command. If Success is displayed, the configuration is successful.

  5. After the configuration is complete, run the following commands to verify. If the commands return output and the ENI shown in the output is the primary ENI, the configuration is as expected.

    ip route show | grep "100.64.0.0"
    grep "100.64.0.0" /etc/rc.local
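
The check in step 5, written as an added example that is not part of the original Alibaba Cloud page: a function that reads `ip -4 route show` output and fails when the 100.64.0.0/10 route is missing or leaves through a device other than the primary ENI. It also goes beyond the page by flagging more-specific routes inside the block that would take precedence over the /10 route. The device names `eth0`/`eth1` and both routing tables are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). eth0/eth1 and both routing
# tables below are constructed sample data.

# check_reserved_route PRIMARY_DEV   (reads `ip -4 route show` text on stdin)
# Exit 0: 100.64.0.0/10 and every more-specific route inside it use PRIMARY_DEV.
# Exit 1: a route inside the block uses another device.
# Exit 2: the 100.64.0.0/10 route itself is missing.
check_reserved_route() {
    awk -v want="$1" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    {
        dst = $1; dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dst == "default" || dev == "") next
        n = split(dst, p, "/"); len = (n == 2) ? p[2] + 0 : 32
        addr = ip2int(p[1])
        # 100.64.0.0/10 spans 100.64.0.0 through 100.127.255.255.
        if (len < 10 || addr < ip2int("100.64.0.0") || addr > ip2int("100.127.255.255")) next
        if (len == 10) found = 1
        if (dev == want) printf "OK %s dev %s\n", dst, dev
        else { bad = 1; printf "MISMATCH %s dev %s (expected %s)\n", dst, dev, want }
    }
    END {
        if (!found) { print "MISSING 100.64.0.0/10"; exit 2 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed table: state after the route script ran; primary ENI is eth0.
good_table='default via 192.168.0.253 dev eth0
default via 203.0.113.253 dev eth1 metric 1001
100.64.0.0/10 via 192.168.0.253 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.20'

# Constructed table: a leftover more-specific route still leaves via eth1.
shadowed_table="$good_table
100.100.2.0/24 via 203.0.113.253 dev eth1"

# Demo on the constructed data: prints one OK line, one MISMATCH line, exit=1.
printf '%s\n' "$shadowed_table" | check_reserved_route eth0 || echo "exit=$?"
```

On an instance, feed it live data with `ip -4 route show | check_reserved_route eth0`, replacing `eth0` with the device name of the primary ENI.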