This topic describes how to expose an elastic IP address (EIP) on a network interface
controller (NIC) by adding a secondary CIDR block to a virtual private cloud (VPC).
The EIP is specified as the primary private IPv4 address of the secondary elastic
network interface (ENI).
Background information
EIPs function as Network Address Translation (NAT) IP addresses. In NAT mode, public
IP addresses are assigned to gateways instead of the ENIs of ECS instances. Therefore,
you can query only private IP addresses and cannot query public IP addresses in the
operating system. Administrators must manually maintain the mapping between NICs or
servers and public IP addresses. In addition, EIPs that are associated with resources
in NAT mode do not support protocols such as H.323, Session Initiation Protocol (SIP),
Domain Name System (DNS), or Real Time Streaming Protocol (RTSP).
Scenarios
The following scenario is used as an example. A company creates a VPC and vSwitch
1 on Alibaba Cloud. An Elastic Compute Service (ECS) instance is attached to vSwitch
1. vSwitch 1 is deployed in Zone A. Due to business growth, the company wants to provide
Internet access to the ECS instance and the IT engineers want to view the network
configurations of the ECS instance.
To meet the preceding requirements, you must create the following resources:
- A secondary IPv4 CIDR block of the VPC and vSwitch 2: Specify the CIDR block of an
EIP as the secondary IPv4 CIDR block of the VPC. Then, create vSwitch 2 in the specified
CIDR block. You must deploy vSwitch 2 in Zone A where vSwitch 1 resides.
- A secondary ENI: Create a secondary ENI in vSwitch 2, and then specify the EIP as
the primary private IPv4 address of the secondary ENI.
After you create the secondary ENI, associate the secondary ENI with the EIP. Then,
associate the secondary ENI with the ECS instance in Zone A. After you complete the
preceding operations, the EIP is used as the primary private IPv4 address of the secondary
ENI. You can view the EIP on the NIC in the operating system of the ECS instance.

The following table describes the networking details.
Parameter | CIDR block
EIP | 120.XX.XX.106
Primary CIDR block of the VPC |
  Primary CIDR block | 10.0.0.0/8
  vSwitch 1 | 10.0.0.0/24
  Private IPv4 address of the primary ENI | 10.0.0.202
Secondary IPv4 CIDR block of the VPC |
  Secondary IPv4 CIDR block | 120.XX.XX.0/24
  vSwitch 2 | 120.XX.XX.0/25
  Primary private IPv4 address of the secondary ENI | 120.XX.XX.106
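The addressing plan above can be checked before any resource is created. The following is an added example, not part of the original procedure: it tests the containment rules that Steps 2 and 3 rely on, using the constructed range 203.0.113.0/24 in place of the masked 120.XX.XX.0/24 and hypothetical zone names. The no-overlap check is an assumption that the page does not state.

```python
import ipaddress

# Constructed stand-in plan: the page masks its public range (120.XX.XX.0/24),
# so the documentation range 203.0.113.0/24 is used in its place.
# The zone names are hypothetical.
PLAN = {
    "primary_cidr": "10.0.0.0/8",
    "vswitch1": {"cidr": "10.0.0.0/24", "zone": "zone-a"},
    "primary_eni_ip": "10.0.0.202",
    "secondary_cidr": "203.0.113.0/24",
    "vswitch2": {"cidr": "203.0.113.0/25", "zone": "zone-a"},
    "eip": "203.0.113.106",
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    primary = ipaddress.ip_network(plan["primary_cidr"])
    secondary = ipaddress.ip_network(plan["secondary_cidr"])
    vsw1 = ipaddress.ip_network(plan["vswitch1"]["cidr"])
    vsw2 = ipaddress.ip_network(plan["vswitch2"]["cidr"])
    eip = ipaddress.ip_address(plan["eip"])
    problems = []

    if not vsw1.subnet_of(primary):
        problems.append("vSwitch 1 is outside the primary CIDR block")
    if ipaddress.ip_address(plan["primary_eni_ip"]) not in vsw1:
        problems.append("primary ENI address is outside vSwitch 1")
    # Assumption (not stated on the page): the two VPC CIDR blocks must not overlap.
    if primary.overlaps(secondary):
        problems.append("secondary CIDR block overlaps the primary CIDR block")
    # Step 2: vSwitch 2 must be a subset of the secondary CIDR block.
    if not vsw2.subnet_of(secondary):
        problems.append("vSwitch 2 is not a subset of the secondary CIDR block")
    # Step 3: the ENI's primary private IP (the EIP) must lie inside vSwitch 2.
    if eip not in vsw2:
        problems.append("EIP is outside vSwitch 2")
    # An ENI can be bound only to an ECS instance in the same zone.
    if plan["vswitch1"]["zone"] != plan["vswitch2"]["zone"]:
        problems.append("vSwitch 2 is not in the zone of the ECS instance")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```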
Prerequisites
- A VPC and vSwitch 1 are created. vSwitch 1 is deployed in Zone A. For more information,
see Create and manage a VPC.
- An ECS instance is attached to vSwitch 1. For more information, see Create an instance by using the wizard.
- Make sure that the security group rules of the ECS instance allow the ECS instance
to access the Internet. For more information, see Overview.
- An EIP is created for Internet access. For more information, see Apply for an EIP.
Procedure
Step 1: Add a secondary IPv4 CIDR block to the VPC
Specify the CIDR block of the EIP as the secondary IPv4 CIDR block of the VPC.
- Log on to the VPC console.
- In the top navigation bar, select the region where the VPC is deployed.
- On the VPC page, find the VPC that you want to manage and click its ID.
- On the VPC Details page, click the CIDRs tab and click Add IPv4 CIDR.
- In the Add Secondary CIDR dialog box, configure the following parameters and click OK.
Parameter | Description
VPC | Displays the VPC to which you want to add the secondary IPv4 CIDR block.
Secondary CIDR | Select a method to add the secondary IPv4 CIDR block: Default CIDR Block or Custom CIDR Block. In this example, Custom CIDR Block is selected and the CIDR block of the EIP, 120.XX.XX.0/24, is entered.
Step 2: Create a vSwitch in the secondary IPv4 CIDR block
Create vSwitch 2 in the secondary IPv4 CIDR block.
- Log on to the VPC console.
- In the left-side navigation pane, click vSwitch.
- Select the region of the VPC for which you want to create a vSwitch.
- On the vSwitch page, click Create vSwitch.
- On the Create vSwitch page, configure the following parameters and click OK.
Pay close attention to the parameters that are described in the following table. For
more information, see Create a vSwitch.
Parameter | Description
VPC | Select the VPC in which you want to deploy vSwitch 2. In this example, the VPC in which the ECS instance is deployed is selected.
CIDR Block | Specify the CIDR block of vSwitch 2. In this example, the secondary IPv4 CIDR block that you added in Step 1: Add a secondary IPv4 CIDR block to the VPC is specified.
Zone | Select the zone in which you want to deploy vSwitch 2. vSwitches that are deployed in different zones of the same region can communicate with each other. In this example, Zone A is selected.
IPv4 CIDR Block | Specify the IPv4 CIDR block of vSwitch 2. In this example, 120.XX.XX.0/25 is specified. The CIDR block is a subset of the secondary IPv4 CIDR block.
Step 3: Create a secondary ENI
Create a secondary ENI in vSwitch 2, and then specify the EIP as the primary private
IPv4 address of the secondary ENI.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Click Create ENI. In the Create ENI dialog box, configure the parameters and click OK.
Pay close attention to the parameters that are described in the following table. For
more information, see Create an ENI.
Parameter | Description
VPC | Select the VPC of the ECS instance that you want to associate with the secondary ENI. After an ENI is created, you cannot change the VPC of the ENI. In this example, the VPC in which the ECS instance is deployed is selected.
VSwitch | Select the vSwitch of the ECS instance that you want to associate with the secondary ENI. After an ENI is created, you cannot change the vSwitch of the ENI. In this example, vSwitch 2 in the secondary IPv4 CIDR block that you added in Step 2: Create a vSwitch in the secondary IPv4 CIDR block is selected.
  Note: An ENI can be associated with only an ECS instance that is deployed in the same zone as the ENI. The ECS instance and the ENI can be attached to different vSwitches.
Primary Private IP | Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to your ENI after the ENI is created. In this example, the EIP 120.XX.XX.106 is entered.
Security Group | Select security groups in the specified VPC. You can select one to five security groups. In this example, the security group to which the ECS instance belongs is selected.
  Note: If you do not want to select the security group to which the ECS instance belongs, take note of the following items:
  - You cannot select basic security groups and advanced security groups at the same time.
  - You cannot select managed security groups that are used by other cloud services.
  - Make sure that the security group rules allow requests from the IP addresses of the ECS instance and the secondary ENI.
  - Make sure that the security group rules allow the secondary ENI to access the Internet. For more information, see Overview.
Step 4: Associate the EIP with the secondary ENI
- Log on to the Elastic IP Address console.
- In the top navigation bar, select the region where the EIP is deployed.
- On the Elastic IP Addresses page, find the EIP that you want to associate and click Bind Resource in the Actions column.
- In the Associate EIP with Resource dialog box, set the required parameters and click OK.
Step 5: Associate the secondary ENI with the ECS instance
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the ECS instance is deployed.
- On the Instances page, find the ECS instance and choose in the Actions column.
- In the Bind Secondary ENI dialog box, select the secondary ENI that you created in Step 3: Create a secondary ENI and click OK.
Step 6: Verify the network connectivity
- Log on to the ECS instance.
- Run the following command to query the network configurations of the ECS instance.
ifconfig
The EIP is used as the primary private IPv4 address of the secondary ENI and is exposed
on the NIC in the operating system of the ECS instance.

- Run the following command to verify the network connectivity between the primary private
IPv4 address of the secondary ENI and a network.
ping <Destination network> -I <Primary private IPv4 address of the secondary ENI>
The result shows that the primary private IPv4 address of the secondary ENI can reach
the destination network. This indicates that the ECS instance can use the primary
private IPv4 address of the secondary ENI to access the Internet.
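The two checks in Step 6 can be scripted. The following is an added example, not part of the original procedure: it reads `ip -o -4 addr show` (used here instead of ifconfig because its one-line output is simpler to parse) to confirm that the EIP is configured on a NIC, then runs the ping with the EIP as source address. The sample output, the NIC names eth0 and eth1, and the address 203.0.113.106 standing in for 120.XX.XX.106 are constructed.

```python
import subprocess

# Constructed sample of `ip -o -4 addr show` output. 203.0.113.106 stands in
# for the page's masked EIP 120.XX.XX.106; eth0/eth1 are assumed NIC names.
SAMPLE = "\n".join([
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever",
    "2: eth0    inet 10.0.0.202/24 brd 10.0.0.255 scope global dynamic eth0\\       valid_lft 315359000sec preferred_lft 315359000sec",
    "3: eth1    inet 203.0.113.106/25 brd 203.0.113.127 scope global eth1\\       valid_lft forever preferred_lft forever",
])


def interface_for(ip_output, address):
    """Return the name of the interface that carries `address`, or None."""
    for line in ip_output.splitlines():
        fields = line.split()
        # Expected layout: "<index>: <ifname> inet <addr>/<prefix> ..."
        if len(fields) >= 4 and fields[2] == "inet":
            # Compare the whole address so 203.0.113.10 does not match .106.
            if fields[3].split("/")[0] == address:
                return fields[1]
    return None


def ping_command(source, destination, count=3):
    """Build the ping call from Step 6, pinned to the ENI's address with -I."""
    return ["ping", "-c", str(count), "-I", source, destination]


def verify(eip, destination):
    """True if the EIP is configured on a NIC and can reach `destination`."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    if interface_for(out, eip) is None:
        return False  # EIP not visible in the OS: ENI not bound or not configured
    return subprocess.run(ping_command(eip, destination)).returncode == 0


if __name__ == "__main__":
    print(interface_for(SAMPLE, "203.0.113.106"))
```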
