To better manage your workloads, you can configure Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to use the same NAT IP address to access the Internet. This topic describes how to configure ECS instances that are associated with elastic IP addresses (EIPs) to use the same NAT IP address to access the Internet.
Prerequisites
SNAT entries are configured for the VPC in which the ECS instances are deployed. For more information, see Configure SNAT to access the Internet.
Background information

You can configure ECS instances in the VPC to use the same NAT IP address to access the Internet by associating elastic network interfaces (ENIs) with the ECS instances.

Step 1: Create an ENI
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Select the region where you want to create the ENI.
Note The ENI and the ECS instance must belong to the same region.
- On the Network Interfaces page, click Create ENI.
- In the Create ENI dialog box, set the following parameters and click OK:
  - ENI Name: Enter a name for the ENI.
  - VPC: Select the VPC where the ECS instance is created.
  - VSwitch: Select the vSwitch of the zone where the ECS instance is deployed.
  - Primary Private IP: Optional. Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created. In this example, the primary private IP address is not specified.
  - Secondary Private IP Addresses: Optional. You can specify this parameter based on your business requirements. In this example, Not set is selected.
  - Security Group: Select a security group that is created for the selected VPC.
Step 2: Associate the ENI with the ECS instance
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Select the region where the ENI is deployed.
- On the Network Interfaces page, find the ENI that you want to manage and click Bind to Instance in the Actions column.
- In the dialog box that appears, select the ECS instance with which you want to associate the ENI and click OK.
Step 3: Disassociate the EIP from the ECS instance
- Log on to the EIP console.
- Select the region where the EIP is created.
- On the Elastic IP Addresses page, find the EIP that you want to disassociate from the ECS instance and click Unbind in the Actions column.
- In the message that appears, click OK.
Step 4: Associate the EIP with the ENI
- Log on to the EIP console.
- Select the region where the EIP is created.
- On the Elastic IP Addresses page, find the EIP that you want to associate and click Bind Resource in the Actions column.
- In the Bind Elastic IP Address to Resources dialog box, set the following parameters and click OK:
  - Instance Type: Select Secondary ENI.
  - Resource Group: Optional. Select the resource group to which the EIP belongs. In this example, the default resource group is selected.
  - Binding mode: Optional. Select the mode in which you want to associate the EIP with the ENI. In this example, Normal is selected.
  - Select an instance to bind: Select the secondary ENI with which you want to associate the EIP.
Step 5: Configure routes for the ENIs of the ECS instance
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- The following figure shows the details of the ENIs.
- Connect to the ECS instance from a remote device. For more information, see Connection method overview.
- Run the following command to view the information about the ENIs with which the ECS instance is associated:
ip a
The following result is returned:
eth0 is the primary ENI. The private IP address of eth0 is 192.168.3.10.
eth1 is a secondary ENI. The private IP address of eth1 is 192.168.3.11, and the public IP address is 118.190.XX.XX.
- Set the metric value of the default route for each ENI in the route table based on your business requirements.
Run the following command to view the Gateway and metric values:
route -n
Note In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If you use multiple secondary ENIs, you must configure metric values based on your business requirements. For more information, see Configure routes for ENIs.
- Create a route table and configure policy-based routing (PBR).
- If you want to add PBR rules for the ENI of the ECS instance only once, perform the following steps:
Note After the ECS instance is restarted, the PBR rules for the ENI become invalid.
- Run the following command to create a route table:
ip -4 route add default via 192.168.3.13 dev eth1 table 101
Note We recommend that you keep the name of the route table the same as the metric value of the default route of the ENI. In this example, 101 is used.
- Run the following command to check whether the route table is created:
ip route list table 101
The following result is returned:
- Run the following command to add a PBR rule:
ip -4 rule add from 192.168.3.11 lookup 101
- Run the following command to view all of the PBR rules:
ip rule list
The following result is returned:
- If you want to add PBR rules for the ENI of the ECS instance multiple times, perform the following steps:
Note After the ECS instance is restarted, the PBR rules for the ENI are still valid.
- Run the following command to open the /etc/rc.local script:
vi /etc/rc.local
- At the end of the script, press the i key to enter the edit mode.
- Add the following information to the end of the script:
ip -4 route add default via 192.168.3.13 dev eth1 table 101
ip -4 rule add from 192.168.3.11 lookup 101
Note In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If multiple secondary ENIs are used, you must add the command that sets the metric value to the script. For more information about the command that sets the metric value, see Configure routes for ENIs.
- Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the script.
- Run the following command to make the /etc/rc.d/rc.local script executable:
chmod +x /etc/rc.d/rc.local
Note The /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script. Therefore, you must run the preceding command to make the /etc/rc.d/rc.local script executable. You can run the ls -l /etc/rc.local command to check whether the /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script.
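The following script is an added example, not part of the original topic. It checks the output of ip rule list and ip route list table 101 from Step 5 and prints only the commands that are still missing, so that a boot script can be rerun without stacking duplicate PBR rules. The function names and the sample output are constructed for illustration; the addresses, device, and table number are the example values used in this topic.

```sh
#!/bin/sh
# Added example: decide which Step 5 commands are still missing, so that a
# boot script can be rerun without adding duplicate PBR rules.
# SRC, GW, DEV and TABLE are the example values used in this topic.
SRC=192.168.3.11 GW=192.168.3.13 DEV=eth1 TABLE=101

# Succeeds if `ip -4 rule list` output ($1) contains "from $2 lookup $3".
# Whole-field comparison, so 192.168.3.110 does not match 192.168.3.11.
pbr_rule_present() {
  printf '%s\n' "$1" | awk -v src="$2" -v tbl="$3" '
    $2 == "from" && $3 == src && $4 == "lookup" && $5 == tbl { found = 1 }
    END { exit !found }'
}

# Succeeds if `ip -4 route list table N` output ($1) has the default route
# via gateway $2 on device $3.
table_default_ok() {
  printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
    $1 == "default" && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
    END { exit !found }'
}

# Prints only the commands that are still needed. `ip route replace` is used
# instead of the page's `ip route add` so that a rerun does not fail.
plan_pbr() {
  table_default_ok "$2" "$GW" "$DEV" ||
    echo "ip -4 route replace default via $GW dev $DEV table $TABLE"
  pbr_rule_present "$1" "$SRC" "$TABLE" ||
    echo "ip -4 rule add from $SRC lookup $TABLE"
  return 0
}

# Constructed sample output (not captured from a real instance).
RULES_BEFORE='0: from all lookup local
32765: from 192.168.3.110 lookup 101
32766: from all lookup main
32767: from all lookup default'
RULES_AFTER="$RULES_BEFORE
32764: from $SRC lookup $TABLE"
ROUTES_AFTER="default via $GW dev $DEV"

# On the instance, pass live output instead:
#   plan_pbr "$(ip -4 rule list)" "$(ip -4 route list table "$TABLE")"
plan_pbr "$RULES_BEFORE" ""
plan_pbr "$RULES_AFTER" "$ROUTES_AFTER"
```

The first call prints both commands because the table is empty and the only rule for table 101 belongs to a different source address; the second call prints nothing.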
Step 6: Verify the network connectivity
- Log on to the on-premises Linux machine.
- Run the ssh root@<public IP> command and enter the password of the ECS instance to check whether you can remotely connect to the ECS instance. If the following message appears, you are connected to the ECS instance.
Welcome to Alibaba Cloud Elastic Compute Service!
Perform the following steps to view the NAT IP address on the ECS instance and check whether the ECS instance can access the Internet through the SNAT service provided by the NAT gateway:
- Log on to the ECS instance.
- Run the curl https://myip.ipip.net command to check the NAT IP address that the ECS instance uses to access the Internet. If the NAT IP address is the same as the one in the SNAT entry that is created for the ECS instance, the ECS instance preferentially uses the SNAT service to access the Internet.