Associate an EIP with a secondary ENI - Elastic IP Address

You can associate an elastic IP address (EIP) with an elastic network interface (ENI). If you associate EIPs with ENIs and associate the ENIs with an Elastic Compute Service (ECS) instance, the ECS instance can use multiple EIPs. This improves the service availability, flexibility, and scalability.

Background information

Each ENI is assigned a private IP address. After you associate an EIP with an ENI, the ENI can send and receive network traffic through both a private IP address and a public IP address. Alibaba Cloud provides a solution to migrating EIPs between two ECS instances without affecting the reliability and availability of your service. If you migrate an ENI that is associated with an EIP from an ECS instance to another ECS instance, both the private and public IP addresses of the ENI are migrated.

You can associate multiple ENIs with an ECS instance. You can associate each ENI with an EIP. This way, the ECS instance has multiple public IP addresses. The ECS instance can use the EIPs to provide Internet-facing services. You can configure security group rules for the ECS instance to control access from the Internet.

Association modes

You can associate an EIP with an ENI in one of the following three modes:

NAT mode
Cut-through mode
Multi-EIP-to-ENI mode
Note
- Alibaba Cloud no longer accepts new applications for using the multi-EIP-to-ENI mode. If you acquired the permissions to use this feature, you can continue to associate EIPs with a secondary ENI in multi-EIP-to-ENI mode.
- We recommend that you expose an EIP on an ENI by adding a secondary CIDR block to a virtual private cloud (VPC). For more information, see Expose an EIP on an NIC by adding a secondary CIDR block to a VPC.

The following table describes the differences among these modes.


Item	NAT mode	Cut-through mode	Multi-EIP-to-ENI mode
Whether the EIP is displayed on the ENI in the operating system	No	Yes Note You can run the ifconfig or ipconfig command to query the public IP address of the ENI.	Yes Note After you configure a static IP address in the operating system, you can run the ifconfig or ipconfig command to query the public IP address of the ENI.
Types of ENIs that can be associated with EIPs	Primary ENI and secondary ENI Note To associate an EIP with a primary ENI, associate the EIP with the ECS instance to which the primary ENI belongs. For more information, see Associate an EIP with an ECS instance.	Secondary ENI	Secondary ENI
Number of EIPs that can be associated with a primary ENI	1	EIPs cannot be associated with primary ENIs	EIPs cannot be associated with primary ENIs
Number of EIPs that can be associated with a secondary ENI	Based on the number of private IP addresses of the secondary ENI Note Each EIP is mapped to a private IP address of a secondary ENI. If a secondary ENI is assigned 10 private IP addresses, at most 10 EIPs can be associated with the secondary ENI.	1 Note You can associate an EIP with only the primary private IP address of a secondary ENI in cut-through mode.	10
Whether private network features of a secondary ENI are available after an EIP is associated with the secondary ENI	Yes	No	Yes
Supported protocols	The EIP does not support protocols that are managed by NAT application layer gateways (ALGs), such as H.323, Session Initiation Protocol (SIP), Domain Network System (DNS), and Real Time Streaming Protocol (RTSP).	EIPs support all IP protocols, including FTP, H.323, SIP, DNS, RTSP, and TFTP.	EIPs support all IP protocols, such as FTP, H.323, SIP, DNS, RTSP, and Trivial File Transfer Protocol (TFTP).
Supported regions	All regions	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Guangzhou), China (Chengdu), Singapore, Indonesia (Jakarta), Germany (Frankfurt), UK (London), and US (Virginia)	China (Shenzhen), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Chengdu), Singapore, Germany (Frankfurt), India (Mumbai), US (Virginia), and UK (London)

Prerequisites

A secondary ENI is created in a VPC. The secondary ENI and the EIP are created in the same region. For more information, see Create an ENI.
The secondary ENI is not associated with an ECS instance.
If the secondary ENI is associated with an ECS instance, you must disassociate the secondary ENI from the ECS instance. Then, associate an EIP with the secondary ENI in one of the three modes and associate the secondary ENI with the ECS instance. For more information, see Unbind an ENI.

Associate an EIP with a secondary ENI in NAT mode

After you associate an EIP with a secondary ENI in NAT mode, the public and private IP addresses of the ENI are available at the same time. In this case, the EIP is not displayed on the secondary ENI.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region in which the EIP is created.
On the Elastic IP Addresses page, find the EIP that you want to manage, and click Associate with Resource in the Actions column.

In the Associate EIP with Resource dialog box, set the following parameters and click OK.


Parameter	Description
Network Type	Select Secondary ENI.
Resource Group	Select the resource group to which the secondary ENI belongs.
Mode	Select NAT Mode. In NAT mode: The number of EIPs that can be associated with a secondary ENI depends on the number of private IP addresses that are assigned to the secondary ENI. The private IP address and public IP address of the secondary ENI are available for use. The EIP is not displayed in the operating system. To query the EIP, call the DescribeEipAddresses operation. For more information, see DescribeEipAddresses. The EIP does not support protocols that are managed by NAT application layer gateways (ALGs), such as H.323, Session Initiation Protocol (SIP), Domain Network System (DNS), and Real Time Streaming Protocol (RTSP).
Select an instance to associate.	Select the secondary ENI with which you want to associate the EIP.

Associate an EIP with a secondary ENI in cut-through mode (not recommended)

After you associate an EIP with a secondary ENI in cut-through mode, the EIP replaces the private IP address of the secondary ENI. The secondary ENI serves as a public network interface controller (NIC). In this case, the EIP is displayed in the operating system.

Warning If you associate a subscription EIP with a secondary ENI in cut-through mode, and the secondary ENI is associated with an ECS instance, the private network feature of the secondary ENI becomes unavailable after the EIP is released due to the expiration of the subscription. To use the private network feature of the secondary ENI in this scenario, you must disassociate the secondary ENI from the ECS instance, and associate the secondary ENI with the ECS instance again.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region of the EIP.
On the Elastic IP Addresses page, find the EIP that you want to manage, and click Associate with Resource in the Actions column.

In the Associate EIP with Resource dialog box, set the following parameters and click OK.


Parameter	Description
Network Type	Select Secondary ENI.
Resource Group	Select the resource group to which the secondary ENI belongs.
Mode	Select Cut-Through Mode.
Select an instance to associate.	Select the secondary ENI with which you want to associate the EIP.

Then, click the ENI that is associated with the EIP.
On the Network Interfaces page, click Bind to Instance in the Actions to associate the ENI with an ECS instance.
Note
- The number of ENIs that can be associated with an ECS instance varies based on the instance type. For more information, see the Overview of instance families.
- After you associate a secondary ENI with an ECS instance, some images cannot automatically identify the IP address of the secondary ENI or add routes. You must configure the secondary ENI on the ECS instance to identify the IP address of the ENI and add routes. For more information, see Configure a secondary ENI.
- After you associate an EIP in cut-through mode, the ECS instance automatically generates a route that uses the secondary ENI as the outbound interface. The priority of this route is lower than the priority of the route of the primary ENI. You can modify the priorities of the routes based on your business requirements. For more information about how to configure routes in some operating systems, see Configure routes for a secondary ENI that is bound to an instance that runs an Alibaba Cloud Linux 2 or CentOS 7 operating system and Configure routes for a secondary ENI that is bound to an instance that runs a CentOS 8 operating system.
Log on to the ECS instance by using the associated EIP and run the ipconfig command to view the network configuration of the ECS instance.
Note Make sure that the security group rules of the ECS instance allow remote access.
The following figure shows that the private IP address of the ECS instance is replaced by the EIP.

Associate EIPs with a secondary ENI in multi-EIP-to-ENI mode (application no longer accepted)

After you associate multiple EIPs with a secondary ENI in multi-EIP-to-ENI mode, the private and public IP addresses are available at the same time. The EIPs are displayed on the ENI in the operating system.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region in which the EIP is created.
On the Elastic IP Addresses page, find the EIP that you want to manage, and click Associate with Resource in the Actions column.

In the Associate EIP with Resource dialog box, set the following parameters and click OK.


Parameter	Description
Network Type	Select Secondary ENI.
Resource Group	Select the resource group to which the EIP belongs.
Mode	Select Multi-EIP to ENI Mode.
Select an instance to associate.	Select the secondary ENI with which you want to associate the EIP.

To associate more EIPs with the secondary ENI, repeat the preceding steps.
Then, click the associated ENI.
On the Network Interfaces page, click Bind to Instance to associate the ENI with an ECS instance.
Note
- If a secondary ENI is associated with EIPs in multi-EIP-to-ENI mode and you want to associate the secondary ENI with an ECS instance, the ECS instance must belong to one of the following instance families: ecs.d1ne, ecs.ebmc4, ecs.ebmg5, ecs.ebmhfg5, ecs.f1, ecs.gn5i, ecs.gn6v, ecs.i2, ecs.r1, ecs.re4, ecs.re4e, ecs.sccg5, ecs.sccgn6, ecs.scch5, ecs.c5, ecs.r5, ecs.sn2ne, ecs.se1ne, and ecs.sn1ne. For more information, see Overview of instance families.
- After you associate EIPs with a secondary ENI in multi-EIP-to-ENI mode and associate the secondary ENI with an ECS instance, you must enable Dynamic Host Configuration Protocol (DHCP) for the ECS instance. Otherwise, the multi-EIP-to-ENI mode does not take effect.
Call the DescribeEipGatewayInfo operation to query the gateways and subnet masks of the EIPs. For more information, see DescribeEipGatewayInfo.
Log on to the ECS instance and configure the EIPs for the ECS instance. For more information, see Configure EIPs for an ECS instance that runs Windows and Configure EIPs for an ECS instance that runs Linux.
Important The preceding topics describe how to configure secondary private IP addresses for ECS instances. You can follow the same procedure to configure EIPs for ECS instances. However, you must specify the gateways and subnet masks of EIPs instead of the gateways and subnet masks of secondary private IP addresses.
After you configure the EIPs for the ECS instance, you can run the ifconfig or ipconfig command to query the EIPs.

FAQ

Am I charged a configuration fee for an EIP after I associate the EIP with a secondary ENI?

You are not charged a configuration fee if the EIP uses the subscription billing method.
You are charged a configuration fee if the EIP uses the pay-as-you-go billing method.
You are not charged an EIP configuration fee for a pay-as-you-go EIP only if the following conditions are met: The EIP is associated with an ECS instance in a VPC or an elastic container instance. The maximum number of EIPs that your Alibaba Cloud account can own does not exceed 2,000. For more information, see EIP configuration fees.

Do I need to configure an ECS instance after I attach an ENI that is associated with an EIP to the ECS instance?

If you want the ECS instance to provide Internet-facing services, such as web services, you do not need to configure routes for the ECS instance or the VPC where the ECS instance is deployed. The ECS instance uses the EIP to provide services.
If you want the ECS instance to access the Internet, you must configure the default route of the ECS instance or create specific routes for the ECS instance. By default, packets are transmitted from the primary ENI. You can modify route priorities to allow packets to access the Internet from the secondary ENI. You can also create specific routes to forward packets to the Internet from multiple ENIs or a random ENI to implement load balancing.

References

AssociateEipAddress: associates an EIP with an instance in the same region.