Associate multiple EIPs with an ECS instance in NAT mode - Best Practices| Alibaba Cloud Documentation Center

Background information

You can assign multiple secondary private IP addresses to a secondary ENI. If a secondary ENI is in the Available state, you can assign up to 10 secondary private IP addresses to the secondary ENI.
Each secondary private IP address can be associated with an EIP in NAT mode. For more information about the NAT mode, see Association modes.
ECS instances can communicate with the Internet only if they have public IP addresses. If you do not use a secondary ENI, each ECS instance can be assigned only one static public IP address or associated with only one EIP. To assign multiple public IP addresses to an ECS instance, you can associate EIPs with a secondary ENI, and then associate the secondary ENI with the ECS instance. If the ECS instance hosts multiple applications, each application uses an independent public IP address to communicate with the Internet. This way, you can improve the utilization of the ECS instance.

Scenarios

The following scenario is used as an example. A company created an ECS instance on Alibaba Cloud and associated an EIP with the ECS instance. To meet business requirements, the company needs to associate three EIPs with the ECS instance.

You can assign two secondary private IP addresses to a secondary ENI. This way, the secondary ENI has one primary private IP address and two secondary private IP addresses. Then, associate EIPs with the private IP addresses in NAT mode, and associate the secondary ENI with the ECS instance. This way, the ECS instance is associated with multiple EIPs. Scenario

Prerequisites

An ECS instance is created. For more information, see Create an instance by using the wizard.
A secondary ENI is created and meets the following requirements:
- The secondary ENI and the ECS instance to be associated with the secondary ENI are deployed in the same virtual private cloud (VPC).
- The vSwitch of the secondary ENI and the vSwitch of the ECS instance to be associated with the secondary ENI are deployed in the same zone.
For more information, see Create an ENI.
Three EIPs are created in the same region as the secondary ENI. For more information, see Apply for an EIP.

Procedure

Step 1: Assign multiple secondary private IP addresses to a secondary ENI

You can assign multiple secondary private IP addresses to a secondary ENI and associate the secondary ENI with an ECS instance. This ensures high utilization and service availability of the ECS instance.

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > ENIs.
In the upper-left corner, select the region where the secondary ENI is deployed.
On the Network Interfaces page, find the ENI that you want to manage and click Manage Secondary Private IP Address in the Actions column.
In the Manage Secondary Private IP Address dialog box, click Assign New IP and click OK.
Click Assign New IP twice in this example. This way, two secondary private IP addresses are automatically assigned to the secondary ENI.

Note You can also enter a secondary private IP address that falls within the IPv4 private CIDR clock. If you do not enter a secondary private IP address, the system assigns an idle IP address from the IPv4 private CIDR block.
On the Network Interfaces page, find the secondary ENI, and click Manage Secondary Private IP Address in the Actions column to view the assigned secondary private IP addresses.

Step 2: Associate EIPs with the secondary private IP addresses

Log on to the Elastic IP Address console .
In the top navigation bar, select the region of the EIP.
On the Elastic IP Addresses page, find the EIP that you want to manage and click Bind Resource in the Actions column.
In the Associate EIP with Resource dialog box, set the following parameters and click OK:
- Instance Type: Select Secondary ENI.
- Mode: Select NAT Mode.
- Select an instance to associate: Select the private IP address with which you want to associate the EIP.
  In this example, the primary private IP address of the secondary ENI is selected.
Repeat the preceding steps to associate the other two EIPs with the secondary private IP addresses of the secondary ENI. Make sure that each EIP is associated with a separate secondary private IP address.

Step 3: Associate the secondary ENI with the ECS instance

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region where the ECS instance is deployed.
On the Instances page, find the ECS instance, and choose More > Network and Security Group > Bind Secondary ENI in the Actions column.
In the Bind Secondary ENI dialog box, select the secondary ENI to be associated and click OK.

Step 4: Configure the secondary private IP addresses

After you associate the secondary ENI with the ECS instance, you must configure the secondary private IP addresses for the ECS instance.

An ECS instance that runs CentOS 7 is used in the following example to describe how to configure secondary private IP addresses for an ECS instance. For more information see Configure secondary private IPv4 addresses in a Windows instance and Configure secondary private IPv4 addresses for an ECS instance that runs Linux.

Log on to the ECS instance.
For more information about how to connect to an ECS instance, see Connection methods.
Run the ip address command to view the media access control (MAC) address of the secondary ENI.

Configure secondary private IP addresses for the secondary ENI.

Run the following command to open the configuration file of the secondary ENI:
vi /etc/sysconfig/network-scripts/ifcfg-eth1

Press the i key to enter the edit mode and modify the configuration file based on the following information:

DEVICE=eth1  # indicates that this is the configuration file of eth1, the new secondary ENI that is associated with the ECS instance.
BOOTPROTO=no
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=no
IPV6INIT=no
PERSISTENT_DHCLIENT=yes
HWADDR=00:16:**:**:fd:d6  # Specify the MAC address of the secondary ENI.
IPADDR0=192.xx.xx.5     # Specify the primary private IP address of the secondary ENI.
IPADDR1=192.xx.xx.8     # Specify one of the secondary private IP addresses of the secondary ENI.
IPADDR2=192.xx.xx.9     # Specify the other secondary private IP address of the secondary ENI.
DEFROUTE=no  # indicates that the secondary ENI is not used for the default route. To ensure that the default route of the ECS instance is not changed when you use the ifup command to bring up the secondary ENI, do not use eth1 for the default route.

After you modify the configuration file, press Esc. Then, enter :wq! and press Enter to save the modified file and exit the edit mode.

Run the following command to restart the network service:
service network restart

After you configure the secondary private IP addresses, you can run the ip address command to view the configured secondary private IP addresses.

Step 5: Test network connectivity

An ECS instance that runs CentOS 7 is used in the following example to describe how to test the connectivity between the ECS instance and the destination network.

Log on to the ECS instance.
For more information about how to connect to an ECS instance, see Connection methods.
Run the following command to add a static route whose source IP address is one of the secondary private IP addresses:
ip route add <Destination network> via <Gateway of the secondary private IP address> src <Secondary private IP address>

Note For more information about how to view the gateway of a secondary private IP address, see Obtain the information of an ENI.
Run the following command to verify the connectivity between the secondary private IP address and the destination network:
ping <Destination network> -I <Secondary private IP address>
The test result shows that packets sent from the secondary private IP address can reach the destination network. The ECS instance can access the Internet by using the EIPs associated with the private IP addresses.