
Elastic IP Address: Associate multiple EIPs with an ECS instance in NAT mode

Last Updated: Mar 12, 2024

If you want to deploy multiple applications on an Elastic Compute Service (ECS) instance and each application uses a unique public IP address, you can associate multiple elastic IP addresses (EIPs) with a secondary elastic network interface (ENI) in NAT mode. Then, associate the secondary ENI with the ECS instance. This way, the EIPs are associated with the ECS instance.

Background information

  • You can assign multiple secondary private IP addresses to a secondary ENI.

    The number of private IP addresses that can be assigned to a secondary ENI is determined by the status of the secondary ENI and the specification of the ECS instance associated with the secondary ENI. For more information, see Assign secondary private IP addresses.

  • Each secondary private IP address can be associated with an EIP in NAT mode.

    For more information, see Associate an EIP with a secondary ENI.

  • An ECS instance can communicate with the Internet if the ECS instance is assigned a public IP address. If you do not use a secondary ENI, each ECS instance can be assigned only one static public IP address or associated with only one EIP.

    To assign multiple public IP addresses to an ECS instance, you can associate EIPs with a secondary ENI, and then associate the secondary ENI with the ECS instance. If the ECS instance hosts multiple applications, each application uses a unique public IP address to communicate with the Internet. This improves the utilization of the ECS instance.

Scenarios

The following scenario is used in this topic. A company created an ECS instance on Alibaba Cloud to deploy websites and associated an EIP with the ECS instance.

To meet business requirements, the company needs to deploy three sub-websites on the ECS instance and each sub-website uses a unique EIP to provide services.

You can assign one primary private IP address and two secondary private IP addresses to a secondary ENI. Then, associate multiple EIPs with the private IP addresses in NAT mode. This way, the ECS instance is associated with multiple EIPs.

Prerequisites

Before you start, make sure that the following requirements are met:

Resource

Requirement

References

Elastic Compute Service (ECS) instance

  • An ECS instance can be associated with multiple secondary ENIs and each ENI can be associated with multiple private IP addresses.

    For example, an ECS instance of the ecs.c6.large specification can be associated with at most two ENIs (one primary ENI and one secondary ENI), and each ENI can be associated with at most 6 private IP addresses. On the buy page:

    • The private IP address of the primary ENI can be associated with only one EIP.

    • The private IP addresses of the secondary ENI can be associated with at most six EIPs.

    Therefore, the ECS instance can be associated with at most seven EIPs.

  • No IPv4 gateway is activated on the virtual private cloud (VPC) to which the ECS instance belongs. If an IPv4 gateway is already activated on the VPC, you can configure IPv4 gateway routes to allow instances in the VPC to access the Internet.

Secondary ENI

  • The secondary ENI and the ECS instance to be associated must belong to the same VPC.

  • The vSwitch of the secondary ENI and the vSwitch of the ECS instance must belong to the same zone.

  • The security group rules allow the secondary ENIs to access the Internet.

EIP

The EIPs to be associated and the secondary ENI must belong to the same region.

Apply for an EIP

When you use the quick deployment method, you can create a new instance or use an existing instance.

  • If you create a new instance, you do not need to create the preceding resources.

  • If you use an existing instance, you must first create the preceding instances and the ECS instance must run CentOS 7.x.

Procedure

Manual deployment

Procedure

[Figure: configuration steps for associating multiple EIPs with an ECS instance]

In this topic, the new ECS console is used as an example. You can click the button in the lower-left part of the navigation pane to switch between the new version and the previous version.

Warning

Operations in this topic involve restarting the network service and configuring routes. We recommend that you perform the operations during off-peak hours to avoid service interruptions.

Step 1: Associate the secondary ENI with the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the secondary ENI and click Bind to Instance in the Actions column.

  5. In the Bind to Instance dialog box, select an ECS instance and click OK.

    Refresh the list. If InUse is displayed in the Status column, the secondary ENI is associated with the ECS instance.

Note

If you cannot associate the secondary ENI with the ECS instance, possible causes are:

  • The number of secondary ENIs associated with the ECS instance has reached the upper limit. For more information, see Instance families. For more information about how to upgrade instance specifications, see Overview of instance configuration changes.

  • The ECS instance can be associated with a secondary ENI only if the ECS instance is in the Stopped state. For more information, see Prerequisites.

Step 2: Assign multiple secondary private IP addresses to the secondary ENI

You can assign multiple secondary private IP addresses to the secondary ENI and associate the secondary ENI with the ECS instance. This ensures high utilization and service availability of the ECS instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the ENIs page, find the ENI and click Manage Secondary Private IP Address in the Actions column.

  5. In the Manage Secondary Private IP Address dialog box, click Assign New IP in the IPv4 Addresses section, assign an IP address as needed, and then click OK.

    Assign New IP is clicked twice in this example. This way, two secondary private IP addresses are automatically assigned to the secondary ENI.

    Note

    You can also enter a secondary private IP address that falls within the private IPv4 CIDR block. If you do not enter a secondary private IP address, the system assigns an idle IP address from the private IPv4 CIDR block.


    You can view the assigned secondary private IP address in the Private IP Address column of the secondary ENI.

Step 3 (optional): Configure the ENI on the ECS instance

After you associate the secondary ENI with the ECS instance, some images may fail to identify the IP address of the ENI or add routes. As a result, the secondary ENI cannot work as expected. In this case, you need to configure the secondary ENI on the ECS instance so that the IP address of the ENI can be identified.

For more information about how to check whether an ECS instance image supports the associated secondary ENI and how to configure a secondary ENI on an ECS instance, see Configure a secondary ENI.

Step 4: Configure a secondary private IP address for the ECS instance

After you associate the secondary ENI with the ECS instance, you need to configure a secondary private IP address for the ECS instance.

An ECS instance that runs Alibaba Cloud Linux 2 is used in this example to describe how to configure a secondary private IP address for an ECS instance. For more information about the procedure for ECS instances that run other operating systems, see Assign secondary private IP addresses.

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the ifconfig command to query the subnet mask and run the route -n command to query the default gateway.

    The following figure shows an example output.

    [Figure: querying the subnet mask and default gateway]

    255.255.**.** corresponding to netmask is the IPv4 subnet mask, and 172.**.**.253 corresponding to Gateway is the default gateway.

  3. Modify the network configuration file.

    1. Run the vi /etc/sysconfig/network-scripts/ifcfg-eth1:0 command to add configurations.

      Example:

      DEVICE=eth1:0
      TYPE=Ethernet
      BOOTPROTO=static
      ONBOOT=yes
      IPADDR=<Assigned secondary private IPv4 address 1>
      NETMASK=<IPv4 subnet mask>

    2. Run the vi /etc/sysconfig/network-scripts/ifcfg-eth1:1 command to add configurations.

      Example:

      DEVICE=eth1:1
      TYPE=Ethernet
      BOOTPROTO=static
      ONBOOT=yes
      IPADDR=<Assigned secondary private IPv4 address 2>
      NETMASK=<IPv4 subnet mask>

  4. Run the following command to restart the network service so that the configuration can take effect.

    service network restart

  5. Run the ifconfig command to view the configuration result.

    The following figure shows the output of the command used to configure two secondary private IP addresses.

    [Figure: result of configuring the secondary private IP addresses]

Step 5: Associate the EIP with the secondary private IP address

  1. Log on to the Elastic IP Address console.

  2. On the Elastic IP Addresses page, find the EIP that you created and click Associate with Resource in the Actions column.

  3. In the Associate EIP with Resource dialog box, set the following parameters and click OK.

    • Instance Type: Select Secondary ENI.

      Important

      Select Secondary ENI. If you select ECS Instance, you cannot associate the EIP with the secondary private IP address.

    • Resource Group: Select the resource group to which the secondary ENI belongs.

    • Mode: Select NAT Mode.

    • Select an instance to associate.: Select the secondary private IP address. You can view the secondary private IP address in the Private IP Address column of the secondary ENI.

      In this example, the primary private IP address of the secondary ENI is selected.

  4. Repeat the preceding steps to associate the other two EIPs with the secondary private IP addresses of the secondary ENI.

Step 6: Configure routes

An ECS instance that runs Alibaba Cloud Linux 2 is used in this example to describe how to configure routes for an ECS instance. For more information about the procedure for ECS instances that run other operating systems, see Step 4 (optional): Configure routes.

Configure routes for the secondary ENI on the ECS instance

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the following command to query route information.

    route -n

    The following route information about the primary ENI (eth0) and the secondary ENI (eth1) is returned.

    [Figure: route information]

  3. Run the following command to configure default routes.

    ip -4 route add default via 172.16.**.253 dev eth1 metric 1001 && \
    ip -4 route add default via 172.16.**.253 dev eth1 table 1001 && \
    ip -4 rule add from 172.16.**.*57 lookup 1001 && \
    ip -4 rule add from 172.16.**.*77 lookup 1001 && \
    ip -4 rule add from 172.16.**.*78 lookup 1001

    Note

    The preceding command adds default routes to eth1, creates a route table, and adds three policy-based routing rules that point to the route table. table 1001 is the route table (its ID is consistent with the metric value of the default route). 172.16.**.253 is the IP address of the gateway. 172.16.**.*57 is the primary private IP address of eth1. 172.16.**.*77 and 172.16.**.*78 are the two secondary private IP addresses of eth1. Specify the parameters based on actual information.

  4. Run the following command to view the created route table and routing policies.

    ip route list table 1001 && \
    ip rule list

    If the following output is returned, the route table and routing policies are created.

    [Figure: created route table and routing policies]

  5. Optional: If the existing routes do not meet your requirements, you can configure route tables and rules.

    You can configure route tables and rules to implement routing policies, which allow you to forward traffic through specified gateways. This allows you to control and manage network traffic in a more fine-grained way.

Configure automatic route update on instance startup

After you configure routes for the secondary ENI, you need to configure automatic route update on instance startup. Otherwise, the routes are lost when the instance restarts.

  1. Run the following command to open the /etc/rc.local file.

    vim /etc/rc.local

  2. Press the I key to enter the edit mode, add the following content, press the Esc key to exit the edit mode, and then enter :wq to save and exit.

    ip -4 route add default via 172.16.**.253 dev eth1 metric 1001
    ip -4 route add default via 172.16.**.253 dev eth1 table 1001
    ip -4 rule add from 172.16.**.*57 lookup 1001
    ip -4 rule add from 172.16.**.*77 lookup 1001
    ip -4 rule add from 172.16.**.*78 lookup 1001

  3. Run the following command to grant execute permissions on the /etc/rc.local file.

    sudo chmod +x /etc/rc.local
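
The ip route add command returns an error when the route already exists, so the commands above cannot be re-run cleanly after a partial failure or a manual change. The following script is an added example, not part of the original procedure: it compares the current rule list with the desired state and prints only the commands that are still needed. The gateway and private IP addresses in it are constructed sample values, and the function names are hypothetical.

```bash
# Added example (not from the original page). Addresses are constructed;
# replace them with the gateway and private IP addresses of your own eth1.
GATEWAY="172.16.0.253"
DEV="eth1"
TABLE="1001"
SOURCES="172.16.0.57 172.16.0.77 172.16.0.78"   # primary + two secondary IPs

# Succeeds only for a dotted-quad IPv4 address; rejects masked values such as
# 172.16.**.253 pasted straight from documentation. Runs in a subshell.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.; set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Reads `ip -4 rule list` text on stdin and prints every wanted source address
# that has no exact "from <addr> lookup <table>" rule yet.
missing_sources() {
    local table="$1" rules addr; shift
    rules="$(cat)"
    for addr in "$@"; do
        printf '%s\n' "$rules" | awk -v a="$addr" -v t="$table" \
            '$2=="from" && ($3==a || $3==a"/32") && $4=="lookup" && $5==t {f=1}
             END {exit !f}' || printf '%s\n' "$addr"
    done
}

# Reads the current rule list on stdin and prints the commands still needed.
# `route replace` can be repeated safely; `rule add` is planned only if absent.
plan_cmds() {
    local addr
    for addr in "$GATEWAY" $SOURCES; do
        is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    done
    echo "ip -4 route replace default via $GATEWAY dev $DEV metric $TABLE"
    echo "ip -4 route replace default via $GATEWAY dev $DEV table $TABLE"
    for addr in $(missing_sources "$TABLE" $SOURCES); do
        echo "ip -4 rule add from $addr lookup $TABLE"
    done
}

# Constructed rule list: .57 already has a rule, and 172.16.0.7 is a
# look-alike that must not be mistaken for 172.16.0.77.
SAMPLE_RULES='0: from all lookup local
32764: from 172.16.0.7 lookup 1001
32765: from 172.16.0.57 lookup 1001
32766: from all lookup main'

# "plan" prints what would change; "apply" runs it (requires root).
case "${1:-}" in
    plan)  ip -4 rule list | plan_cmds ;;
    apply) cmds="$(ip -4 rule list | plan_cmds)" && printf '%s\n' "$cmds" | sh -e ;;
esac
```

Run the script with the plan argument first and review the printed commands before you use apply or call the script from /etc/rc.local.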

Step 7: Test the network connectivity

An ECS instance that runs Alibaba Cloud Linux 2 is used in this example to describe how to test the connectivity between the ECS instance and the destination network.

  1. Log on to the ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the following command to check the connectivity between the secondary private IP address and the destination network:

    ping <Destination network> -I <Secondary private IP address>

    The result shows that the secondary private IP addresses can access the destination network, which indicates that the secondary private IP addresses are associated with the EIPs.


Quick deployment

You can use Resource Orchestration Service (ROS) to implement quick deployment, which allows you to quickly associate multiple EIPs with an ECS instance.

Important

The quick deployment feature allows you to associate three EIPs with an ECS instance. If you need a more flexible configuration solution, we recommend that you select Manual Deployment.

  1. Click the Template to go to the Resource Orchestration Service (ROS) console.

  2. In the top navigation bar, select the region of the EIP.

  3. On the Configure Template Parameters wizard page, enter a stack name, select Use Existing ECS/EIP/ENI or Create ECS/EIP/ENI, set the following parameters, and then click Create.

    • Select Use Existing ECS/EIP/ENI: Select an ECS instance, and enter a secondary ENI ID and three EIP IDs.

    • If you select Create ECS/EIP/ENI, you need to select a zone, instance type, and system disk type, and enter a password.

      Important

      If you select Create ECS/EIP/ENI, the system automatically creates a pay-as-you-go ECS instance that runs CentOS 7.x and three pay-as-you-go EIPs. For more information about the billing methods of ECS instances and EIPs, see ECS billing overview and EIP billing overview.

    If Creating changes to Created in the Status section on the Stack Information tab, the resources are deployed.

  4. Log on to the ECS instance.

    For information about the connection methods, see Connection method overview.

  5. Run the following command to check the connectivity between the secondary private IP address and the destination network:

    ping <destination network> -I <secondary private IP address>

    The result shows that the secondary private IP addresses can access the destination network, which indicates that the secondary private IP addresses are associated with the EIPs.


FAQ

Am I charged a configuration fee for an EIP after I associate the EIP with a secondary ENI?

  • You are not charged an EIP configuration fee if the EIP uses the subscription billing method.

  • You are charged an EIP configuration fee if the EIP uses the pay-as-you-go billing method.

    You are not charged an EIP configuration fee for an EIP only when the following conditions are met: The EIP is associated with an elastic container instance or an Elastic Compute Service (ECS) instance that resides in a virtual private cloud (VPC). The number of EIPs that your Alibaba Cloud account can own does not exceed 2,000.

    If EIPs are associated with an ECS instance through an ENI, you are still charged an EIP configuration fee.

    For more information, see EIP configuration fees.

Do I need to perform additional configurations after I associate an EIP with an ENI and associate the ENI with an ECS instance?

  • If you want the ECS instance to provide Internet-facing services, such as web services, you do not need to configure routes for the ECS instance or the VPC where the ECS instance is deployed. The ECS instance uses the EIP to provide services.

  • If you want the ECS instance to access the Internet, you must configure the default route of the ECS instance or create specific routes for the ECS instance. By default, packets are transmitted from the primary ENI. You can modify route priorities to allow packets to access the Internet from the secondary ENI. You can also create specific routes to forward packets to the Internet from multiple ENIs or a random ENI to implement load balancing.

    For more information, see Configure routes.

References

  • Manage EIP quotas: Each Alibaba Cloud account can apply for at most 20 EIPs. If you need more EIPs, you can increase the EIP quota.

  • AssociateEipAddress: associates an EIP with an instance in the same region.