When you create elastic network interfaces (ENIs) for specific Alibaba Cloud services such as Container Service for Kubernetes (ACK) and NAT Gateway, you can configure the ENIs to be managed by the services. ENIs managed by Alibaba Cloud services are called managed ENIs. Managed ENIs help prevent accidental resource deletion and ensure service availability. This topic describes the managed ENI feature and permissions on API operations used to query or manage managed ENIs.

Introduction

The managed ENI feature gives Alibaba Cloud services control of ENIs. When you use the Elastic Compute Service (ECS) console or the console of another Alibaba Cloud service to access managed ENIs, you can view information about the ENIs but cannot manage them.
Note: Procedure to create a managed ENI:

After you use Alibaba Cloud Security Token Service (STS) to grant permissions to an Alibaba Cloud service, the service calls the CreateNetworkInterface operation provided by the ECS API to create an ENI. For more information about STS, see What is STS?.

You can call the DescribeNetworkInterfaces operation and check the ServiceManaged and Description values in the response to determine whether an ENI is a managed ENI.
Note: If an ENI is managed, its ServiceManaged value is true and its Description value is the name of the Alibaba Cloud service that manages the ENI.

Permissions on API operations used to query or manage managed ENIs

When you use OpenAPI to access managed ENIs, you can call API operations only to query them. If you attempt to call an API operation to manage a managed ENI, the call fails with the InvalidOperation.EniServiceManaged error code and a message stating that the ENI is a managed ENI and cannot be manually managed. The following table describes whether your Alibaba Cloud account or the Alibaba Cloud service that created a managed ENI can call each API operation for that ENI.

| API operation | Description | Can be called by your Alibaba Cloud account for a managed ENI | Can be called by the Alibaba Cloud service that creates a managed ENI for the ENI |
| --- | --- | --- | --- |
| DescribeNetworkInterfaces | Queries ENIs. | Yes | Yes |
| DeleteNetworkInterface | Deletes an ENI. | No | Yes |
| ModifyNetworkInterfaceAttribute | Modifies attributes such as the name, description, and security group of an ENI. | No | Yes |
| AttachNetworkInterface | Binds an ENI. | No | Yes |
| DetachNetworkInterface | Unbinds an ENI. | No | Yes |
| AssignPrivateIpAddresses | Assigns one or more secondary private IP addresses to an ENI. | No | Yes |
| UnassignPrivateIpAddresses | Unassigns one or more secondary private IP addresses from an ENI. | No | Yes |
| AssignIpv6Addresses | Assigns one or more IPv6 addresses to an ENI. | No | Yes |
| UnassignIpv6Addresses | Unassigns one or more IPv6 addresses from an ENI. | No | Yes |
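
The ServiceManaged check and the InvalidOperation.EniServiceManaged error described above can be built into a cleanup script so that it never tries to delete managed ENIs. The following is an added example, not code from Alibaba Cloud: the response nesting, the NetworkInterfaceId and Status fields, the ENI IDs, and the function names are assumptions, and the sample response is constructed.

```python
import json

# Constructed sample shaped like a DescribeNetworkInterfaces response.
# Assumed: the NetworkInterfaceSets/NetworkInterfaceSet nesting and the
# NetworkInterfaceId and Status fields. From the page: ServiceManaged, Description.
SAMPLE_RESPONSE = json.loads("""
{"NetworkInterfaceSets": {"NetworkInterfaceSet": [
  {"NetworkInterfaceId": "eni-example0001", "Status": "InUse",
   "ServiceManaged": true, "Description": "NAT Gateway"},
  {"NetworkInterfaceId": "eni-example0002", "Status": "Available",
   "ServiceManaged": true, "Description": "Container Service for Kubernetes"},
  {"NetworkInterfaceId": "eni-example0003", "Status": "Available",
   "ServiceManaged": false, "Description": "old test interface"},
  {"NetworkInterfaceId": "eni-example0004", "Status": "Available",
   "Description": "ServiceManaged field absent"}
]}}
""")

MANAGED_ERROR = "InvalidOperation.EniServiceManaged"  # error code named on the page


def plan_cleanup(response):
    """Split ENIs into IDs that are safe to delete and IDs to leave alone."""
    plan = {"delete": [], "skip": {}}
    enis = response.get("NetworkInterfaceSets", {}).get("NetworkInterfaceSet", [])
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        managed = eni.get("ServiceManaged")
        if managed is True:
            # For a managed ENI, Description names the service that manages it.
            plan["skip"][eni_id] = "managed by " + eni.get("Description", "unknown service")
        elif managed is not False:
            # Fail closed: without an explicit false, do not assume the ENI is yours.
            plan["skip"][eni_id] = "ServiceManaged not reported"
        elif eni.get("Status") != "Available":
            plan["skip"][eni_id] = "still attached"
        else:
            plan["delete"].append(eni_id)
    return plan


def record_failure(plan, eni_id, error_code):
    """Move an ENI to the skip list if the API rejected the call as managed."""
    if error_code != MANAGED_ERROR:
        return False  # some other failure; leave the plan unchanged
    if eni_id in plan["delete"]:
        plan["delete"].remove(eni_id)
    plan["skip"][eni_id] = "rejected: " + MANAGED_ERROR
    return True
```

Because your account cannot manage a managed ENI, record_failure treats the rejection as permanent and takes the ENI out of the delete list so that the script does not retry it.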