Managed elastic network interfaces (ENIs) are ENIs that are managed by Alibaba Cloud services. Specific Alibaba Cloud services, such as Container Service for Kubernetes (ACK) and NAT Gateway, depend on elastic network interfaces (ENIs) to work. You can grant Alibaba Cloud services the permissions to manage the lifecycles of the ENIs that are created by the services. This prevents accidental operations on the ENIs and ensures service availability.
Introduction
The managed ENI feature allows Alibaba Cloud services to have control on ENIs. When you use the Elastic Compute Service (ECS) console or the console of another Alibaba Cloud service to access managed ENIs, you can view the information of the ENIs but cannot manage the ENIs.
Procedure to create a managed ENI:
After you use Alibaba Cloud Security Token Service (STS) to grant specific permissions to an Alibaba Cloud service, the service calls the CreateNetworkInterface operation provided by ECS to create an ENI. The created ENI is managed by the service. For more information about STS, see What is STS?
You can call the DescribeNetworkInterfaces operation and check the values of ServiceManaged and Description in the response to determine whether an ENI is a managed ENI.
If an ENI is a managed ENI, the ServiceManaged value for the ENI is true and the Description value is the name of the Alibaba Cloud service that manages the ENI.
Permissions on API operations used to query or manage managed ENIs
When you use API to access managed ENIs, you can call API operations only to query managed ENIs. If you attempt to call an API operation to manage a managed ENI, you are prompted that the ENI is a managed ENI and cannot be manually managed and the InvalidOperation.EniServiceManaged error code is returned. The following table describes whether your Alibaba Cloud account or Alibaba Cloud services that create managed ENIs have permissions to call API operations to query or manage the managed ENIs.
API operation | Description | Can be called by your Alibaba Cloud account for a managed ENI | Can be called by the Alibaba Cloud service that creates a managed ENI for the ENI |
Queries ENIs. | Yes | Yes | |
Deletes an ENI. | No | Yes | |
Modifies the attributes of an ENI, such as the name, description, and security groups. | No | Yes | |
Binds an ENI. | No | Yes | |
Unbinds an ENI. | No | Yes | |
Assigns one or more secondary private IP addresses to an ENI. | No | Yes | |
Unassigns one or more secondary private IP addresses from an ENI. | No | Yes | |
Assigns one or more IPv6 address to an ENI. | No | Yes | |
Unassigns one or more IPv6 addresses from an ENI. | No | Yes |