What is an ENI? - Elastic Compute Service - Alibaba Cloud Documentation Center

Elastic network interface (ENIs) are virtual network interfaces that provide network connectivity and IP addresses for Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs). You can bind one or more ENIs to each ECS instance. An ENI supports multiple IP addresses. You can migrate an ENI between different ECS instances that are deployed in the same VPC and zone as the ENI. This improves the flexibility and scalability of network configurations and ensures that the network configurations can meet the network requirements in various business scenarios. For example, you can use ENIs to create multi-IP address, multi-NIC, or high-availability networks.

ENI types

Alibaba Cloud provides the following types of ENIs:

Primary ENIs

Each ECS instance in a VPC has a default ENI. The default ENI is called the primary ENI. Each ECS instance has only one primary ENI.
Secondary ENIs
- If an ECS instance has only the primary ENI, the instance sends and receives all network traffic by using the primary ENI, which is suitable for scenarios in which the business traffic is simple. If your business requires finer-grained network classification and isolation to prevent single points of failure, you can create and bind secondary ENIs that reside in the same VPC and zone as an ECS instance to the instance.
- Secondary ENIs can be separately created and bound to ECS instances. Compared with primary ENIs, secondary ENIs can be independently created and dynamically bound to and unbound from ECS instances.
  
  For more information, see Create and use an ENI.

ENI features

Support for multiple IP addresses. A single ENI can be associated with multiple private IP addresses. This allows a single ECS instance to provide services or access external resources by using different IP addresses, which increases network flexibility. For more information, see Secondary private IP addresses.
Release with Instance: You can enable or disable the Release with Instance feature when or after an ENI is created. The status of the feature determines whether the ENI is retained or released when the associated ECS instance is released. By default, the Release with Instance feature is enabled for an ENI, which indicates that the ENI is released when the associated ECS instance is released. This simplifies O&M management and prevents resource residuals.

If the Release with Instance feature is disabled for an ENI, the ENI and its configurations, such as IP addresses and associated security groups, are retained when the associated ECS instance is released. You can quickly bind the ENI to a different ECS instance that resides in the same VPC and zone as the ENI. You can also reuse the ENI when you create a new ECS instance. This improves O&M flexibility and business continuity.

Hot swapping. The hot swapping feature of secondary ENIs provides great flexibility and convenience. The feature allows you to dynamically bind or unbind secondary ENIs to or from an ECS instance in the Running state, without the need to restart the instance or interrupt the services running on the instance. For example, you can unbind a secondary ENI from an ECS instance and attach the ENI to a different ECS instance that resides in the same VPC and zone as the ENI, without the need to restart the instances.

Note

You cannot unbind the primary ENI from an ECS instance. Primary ENIs do not support the hot swapping feature.

The following table describes the instance types that do not support the hot swapping feature of secondary ENIs.

ECS instance types that do not support the hot swapping feature of secondary ENIs

Instance family	Instance type
s6, shared standard instance family	ecs.s6-c1m1.small, ecs.s6-c1m2.large, ecs.s6-c1m2.small, ecs.s6-c1m4.large, and ecs.s6-c1m4.small
e, economy instance family	ecs.e-c1m1.large, ecs.e-c1m2.large, ecs.e-c1m4.large, ecs.e-c4m1.large, and ecs.e-c2m1.large
t6, burstable instance family	ecs.t6-c1m1.large, ecs.t6-c1m2.large, ecs.t6-c1m4.large, ecs.t6-c2m1.large, and ecs.t6-c4m1.large
t5, burstable instance family	ecs.t5-c1m1.large, ecs.t5-c1m2.large, ecs.t5-c1m4.large, ecs.t5-lc1m1.small, ecs.t5-lc1m2.large, ecs.t5-lc1m2.small, ecs.t5-lc1m4.large, and ecs.t5-lc2m1.nano
xn4, n4, mn4, and e4, previous-generation shared instance families	ecs.xn4.small ecs.n4.small and ecs.n4.large ecs.mn4.small and ecs.mn4.large ecs.e4.small and ecs.e4.large

For the instance types that do not support the hot swapping feature of secondary ENIs, the following limits apply:
- You cannot bind a secondary ENI to an ECS instance of an instance type in the preceding table when you create the instance. After you create the instance, you can bind secondary ENIs to the instance.
- When you bind a secondary ENI to or unbind a secondary ENI from an ECS instance of an instance type in the preceding table, make sure that the instance is in the Stopped state.

Limits

You can use ENIs free of charge. However, the number of ENIs that you can create in an Alibaba Cloud account is limited. For more information, see the Limits section of the "Limits and quotas on ECS" topic.
An ECS instance and the ENIs that are bound to the instance must reside in the same VPC and zone.
- The ENIs bound to an ECS instance can connect to different vSwitches in the same VPC and zone as the instance.
- If you bind two or more ENIs from the same subnet to an ECS instance, network issues may occur, such as asymmetric routing. You can assign one or more secondary private IP addresses to each primary or secondary ENI to optimize the usage of ECS instances that are deployed in VPCs and divert traffic during a failover. For more information, see Secondary private IP addresses.
The number of ENIs that you can bind to an ECS instance varies based on the instance type. For more information, see the ENIs columns in Instance family overview.
Binding multiple ENIs to an ECS instance does not increase or multiply the network bandwidth of the instance. For more information, see Network bandwidth.

Important attributes of ENIs

After you bind ENIs to an ECS instance, the instance can obtain resources such as private IP addresses and elastic IP addresses (EIPs). This way, the ECS instance can communicate with the Internet or other cloud resources. The following section describes a few important attributes of ENIs:

VPC: An ENI can be bound to only an ECS instance that resides in the same VPC as the ENI. You cannot change the VPC of an ENI after the ENI is created.
vSwitch: Each VPC has an independent IP address range. You can create multiple vSwitches in a VPC to divide the VPC into subnets. By default, subnets in the same VPC can communicate with each other. When you specify a vSwitch for an ENI, the ENI obtains one or more IP addresses from the CIDR block associated with the vSwitch. An ENI can be bound to only an ECS instance that resides in the same zone as the ENI. The instance and the ENI can connect to different vSwitches.

Note
If you want to bind an ENI to an ECS instance and the IP addresses of the ENI are not within the CIDR block of the VPC in which the instance resides, you must perform the following steps: Add a secondary CIDR block to the VPC, create a vSwitch in the zone in which the instance resides, associate the secondary CIDR block with the vSwitch, create an ENI that is associated with the vSwitch, and then bind the ENI to the instance. For more information, see Secondary CIDR blocks.
MAC address: Each ENI has a unique media access control (MAC) address as its unique identifier.

You can view information about an ENI, such as the VPC and MAC address of the ENI, in the ECS console or by calling an API operation. For more information, see Modify the attributes of an ENI.
Private IP addresses: You can assign one or more private IP addresses to an ENI for communication over the internal network. Each ENI is automatically assigned an IPv4 address as the primary private IPv4 address from the CIDR block that is associated with the vSwitch connected to the ENI.
- If you have requirements for multiple private IP addresses in business scenarios, such as the multi-application, failover, and Server Load Balancer (SLB) scenarios, you can assign one or more secondary private IPv4 addresses to an ENI that is bound to an ECS instance. For more information, see the Assign secondary private IP addresses section of the "Secondary private IP addresses" topic.
- If you want an ECS instance to communicate with the Internet or private networks over IPv6, you can associate IPv6 CIDR blocks with the VPC in which the instance resides and with the vSwitch that is connected to an ENI bound to the instance, and then assign one or more IPv6 addresses to the ENI. For more information, see IPv6 communication.
Static public IP address or EIPs: You can assign a static public IP address to or associate EIPs with an ECS instance to allow the instance to access the Internet. An ENI does not have Internet communication capabilities. To enable Internet communication for an ECS instance, you can use one of the following methods:
- Assign a static public IP address to the primary ENI of the ECS instance. For more information, see Static public IP.
- Associate EIPs with ENIs bound to the ECS instance. You can associate an EIP with or disassociate an EIP from an ENI based on your business requirements. For the ECS instance to provide multiple public IP addresses for external access, you can associate EIPs with multiple private IP addresses that are assigned to the ENIs bound to the instance. For more information, see Associate an EIP with a secondary ENI.
Security groups: To provide network layer security control, you can associate ENIs with security groups.
- When you associate an ECS instance with a security group, you associate the primary ENI of the instance with the security group. For more information, see Associate security groups with an instance (primary ENI).
- In the same VPC, the secondary ENIs bound to an ECS instance can be associated with different security groups from the security group of the primary ENI. For more information, see Associate a secondary ENI with security groups.
Route table: When data is transmitted within a VPC and between the VPC and other networks, the route table is used to guide the routing of data packets. Correct routing configurations ensure that ENIs can correctly send and receive data. For more information, see the (Conditionally required) Step 4: Configure routes section of the "Configure a secondary ENI" topic.

Note
In a multi-ENI environment, the priority of the default route of a secondary ENI is lower than the priority of the default route of the primary ENI. This ensures that data is preferentially sent from the primary ENI. If you want data packets associated with a private IP address of a secondary ENI to be sent from the secondary ENI, you can configure policy-based routing for the secondary ENI to ensure that data received by the ENI is also sent from the ENI.

Network enhancements of ENIs

eRDMA capabilities

You can enable Elastic RDMA Interface (ERI) for an ENI. An ENI for which ERI is enabled is an ERI that supports elastic Remote Direct Memory Access (eRDMA) capabilities. You can bind an ERI to and install the eRDMA driver on an eRDMA-capable ECS instance to provide low-latency and high-throughput network communication for the instance. For more information, see Elastic RDMA Interface (ERI).

NIC multi-queue

NIC multi-queue is a feature that improves network I/O throughput and reduces latency by allowing multiple CPU cores to process network packets in parallel. The feature achieves this by configuring multiple transmit and receive queues on a network interface and assigning each queue to a different CPU core.

For more information, see NIC multi-queue.

Network card indexes

Specific Elastic Compute Service (ECS) instance types support configuring network card indexes to provide higher network performance. Without network card indexes, every elastic network interface (ENI) you attach shares the same underlying communication channel, regardless of how many ENIs you add. Network card indexes let you distribute ENIs across separate channels, so each channel carries its own traffic and you fully use the available bandwidth.

For more information, see Network card indexes.

View the ENIs bound to an ECS instance

You can view information about the ENIs bound to an ECS instance in the ECS console, by calling an API operation, or within the instance.

View the ENIs bound to an ECS instance in the ECS console

Go to ECS console - Instances.
In the top navigation bar, select the region and resource group to which the resource that you want to manage belongs.
Click the ID of the ECS instance whose ENIs you want to view to go to the instance details page.
Click the ENIs tab to view the ENIs bound to the ECS instance.

You can view the IDs, names, types, status, and IP addresses of the ENIs bound to the ECS instance in the ENI list.

View the ENIs bound to an ECS instance by calling an API operation

Call the DescribeInstances operation to query information about the ECS instance specified by using the InstanceIds parameter. The NetworkInterfaces parameter in the response contains information about the ENIs bound to the instance, including the type (Type), ID (NetworkInterfaceId), and primary private IP address (PrimaryIpAddress) of each ENI.

View the ENIs bound to an ECS instance after you connect to the instance

Linux instance

Example operating system: Alibaba Cloud Linux 3.2.

Connect to the Linux instance.

For more information, see Connect to a Linux instance by using Workbench.
Run the following command to check the network interface information of the instance:
```
ip a
```
The output shows the network interface information for the current instance:
- Interface identifier: eth0, eth1. In this example, the instance has two ENIs: a primary ENI (eth0) and a secondary ENI (eth1).
- Interface status: state UP indicates that the interface is active in the instance.
  
  Important
  If you see state DOWN as shown in the figure below, the interface has not loaded successfully and cannot be used. You must configure the Linux OS to recognize the ENI.
- Primary private IP address of the interface: After an interface becomes active, you can see its primary private IP address. For more information, see Primary private IP address.
  
  If a secondary private IP address is assigned to your ENI but is not recognized by the OS, you can reconfigure it. For more information, see Configure the OS to recognize a secondary private IP address.
Run the following command to view the routing information:
```
route -n
```
Typically, the system configures two routes for the secondary ENI, eth1:
- Route with a destination of 192.168.xx.xx: This route is for a specific subnet. It ensures that the instance can directly communicate with other hosts in the subnet without going through an additional router.
- Route with a destination of 0.0.0.0: This is the default route. When a packet's destination address does not match a more specific entry in the route table, the system uses the default route. The packet is then sent to the next-hop Gateway through the network interface specified by Iface.
  Important
  - When multiple default routes exist, the route priority is determined by the Metric value. The lower the Metric, the higher the priority.
  - If you want to precisely control traffic paths and require traffic to return through the same ENI that received it, you can configure a policy-based route for the ENI.
  Some older operating systems, such as Ubuntu 16, may not automatically configure a default route for the secondary ENI. If you check the routes, the output may appear as shown below. This can cause the ENI to malfunction. We recommend that you use a newer OS distribution. Alternatively, you can configure it manually. For more information, see Configure a default route for an ENI.

Windows instance

Example operating system: Windows Server 2022.

Connect to the Windows instance.

For more information, see Connect to a Windows instance by using Workbench.
Open the Network and Sharing Center.
Click Change adapter settings.

In this example, the instance is attached to two ENIs (one primary and one secondary). If you see information similar to the following, it indicates that the ENIs are active within the instance OS and no further configuration is required.

If the secondary ENI is not recognized, you might see the following information. In this case, see Troubleshoot ENI configuration failures on Windows instances.
View the status and details of the network interface.
1. Double-click the network interface name to view its status.
  
  Take the primary ENI Ethernet as an example:
2. Click Details to view the properties of the network interface.
  
  In the dialog box that appears, you can view information such as the primary private IPv4 address, subnet mask, and default gateway of the network interface:
Open Command Prompt.

Press the Win+R keyboard shortcut to open the Run dialog box, enter cmd, and then click OK.
Run the following command to view the routing information of the network interfaces.

References

You can use the Terway Container Network Interface (CNI) plug-in to manage the IP addresses and communication of pods in Kubernetes clusters. Terway can define access policies between containers based on standard Kubernetes network policies. You can use one of the following modes to enable network communication between Kubernetes clusters: the inclusive ENI mode based on the secondary IP addresses of ENIs and the VPC mode based on ENIs. For more information, see Using the Terway network plugin.
You can use ENIs in conjunction with SLB to distribute and manage traffic. For more information, see Add backend servers by specifying ENIs.
Specific Alibaba Cloud services, such as Container Service for Kubernetes (ACK) and NAT Gateway, depend on ENIs to work. You can grant Alibaba Cloud services the permissions to manage the lifecycles of the ENIs that are created by the services. This prevents accidental operations on the ENIs and ensures service availability. For more information, see Managed ENIs.
The multicast feature supported by Enterprise Edition transit routers is a cloud-native feature developed by Alibaba Cloud. This feature helps you build multicast networks without additional physical devices or third-party software licenses. You can use ENIs attached to ECS instances only as multicast sources. The system uses the primary private IP address of an ENI to send multicast traffic to a multicast group. For more information, see Manage multicast.