Configure routes for ENIs


Configure route tables and routing rules for ENIs to control how ECS instances send and receive traffic across multiple network interfaces.

Configure policy-based routes for ENIs

Policy-based routing forwards traffic through specified network interfaces based on pre-defined rules, instead of relying solely on default routes. This enables fine-grained traffic control across multiple ENIs.

Use cases

  • Communication in a multi-ENI environment: When secondary ENIs are used with EIPs or NAT gateways, reply traffic may exit through the primary ENI because its default route has a higher priority. Policy-based routes enforce the source-in, source-out principle so that traffic enters and exits through the same ENI.

  • Traffic load balancing: Distribute outbound traffic across multiple ENIs by defining routing rules, when default routes do not meet your requirements.

  • Access control: Restrict traffic to specific interfaces or paths based on source addresses, destination addresses, or other parameters for network isolation.

Prerequisites

Procedure

The following examples use a secondary ENI named eth1. Replace ENI identifiers and IP addresses with your actual values.

Linux instance
  1. Create a route table for an ENI and add a route rule:

    ip -4 route add default via <Gateway of eth1> dev eth1 table 1001
    ip -4 rule add from <IP address of eth1> lookup 1001

    For example, create a route table named 1001 for eth1 and add a rule for packets from 172.16.20.193 to route through eth1:

    ip -4 route add default via 172.16.20.253 dev eth1 table 1001
    ip -4 rule add from 172.16.20.193 lookup 1001
  2. Persist the route configuration across reboots.

    Add the route command to the instance startup configuration to persist it. Otherwise, the route is lost after a restart. Skip this step if you are only testing.

    1. Open /etc/rc.local:

      vim /etc/rc.local
    2. Press i to enter Insert mode, add the command from the previous step, then press Esc. Enter :wq and press Enter to save and close the file.

      Note

      Replace the network interface identifier and gateway address with your actual values.

    3. Grant execute permissions on /etc/rc.local:

      sudo chmod +x /etc/rc.local
  3. Verify that the route table and rule are created:

    ip route list table 1001 && \
    ip rule list

    The output lists the default route in table 1001 and the rule that sends packets from the eth1 address to that table, which confirms that both are configured.

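The Linux steps above, as an added example that is not part of this documentation: an idempotent shell script that creates the table entry and the rule only when they are missing, so it can be called from /etc/rc.local on every boot without failing on the second run, and then performs the same verification as step 3. Interface, address, gateway and table number are the page's example values, overridable through environment variables; the helper names (re_escape, rule_present, default_route_present, apply_policy_route) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation: idempotent
# policy-based routing setup for a secondary ENI, safe to call from
# /etc/rc.local at every boot. Values below are the page's example values;
# override them through the environment for a real instance.
set -eu

ENI="${ENI:-eth1}"                     # secondary ENI
ENI_IP="${ENI_IP:-172.16.20.193}"      # its private address
ENI_GW="${ENI_GW:-172.16.20.253}"      # gateway of its subnet
TABLE="${TABLE:-1001}"                 # routing table dedicated to the ENI

# Escape the dots of an address so it can be used inside a regular expression.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Succeeds when "$1" (text of `ip -4 rule list`) already holds
# "from <ip> lookup <table>" for address "$2" and table "$3".
rule_present() {
  printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from $(re_escape "$2") lookup $3( |$)"
}

# Succeeds when "$1" (text of `ip -4 route list table <n>`) already holds a
# default route via gateway "$2" on device "$3".
default_route_present() {
  printf '%s\n' "$1" | grep -Eq "^default via $(re_escape "$2") dev $3( |$)"
}

# Create the table entry and the rule only if they are missing, so repeated
# runs do not abort with "RTNETLINK answers: File exists". Needs root.
apply_policy_route() {
  default_route_present "$(ip -4 route list table "$TABLE")" "$ENI_GW" "$ENI" ||
    ip -4 route add default via "$ENI_GW" dev "$ENI" table "$TABLE"
  rule_present "$(ip -4 rule list)" "$ENI_IP" "$TABLE" ||
    ip -4 rule add from "$ENI_IP" lookup "$TABLE"
  # Final check: both pieces must now be visible, as in the verification step.
  default_route_present "$(ip -4 route list table "$TABLE")" "$ENI_GW" "$ENI" &&
    rule_present "$(ip -4 rule list)" "$ENI_IP" "$TABLE"
}

# Apply only when explicitly requested (RUN_SETUP=1), e.g. from rc.local.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  apply_policy_route && echo "policy route for $ENI (table $TABLE) active"
fi
```

Invoke it from rc.local as `RUN_SETUP=1 ENI_IP=<IP address of eth1> ENI_GW=<Gateway of eth1> /path/to/script.sh`; without RUN_SETUP the script only defines the functions.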
Windows instance

  1. Create a policy-based route for an ENI:

    route add -p <Destination network> mask <Subnet mask> <Gateway> if <Interface index> metric <Route priority>

    In this example, an ENI named Ethernet 2 is used. The following command routes all packets from 172.16.12.76 through the gateway at 172.16.12.253:

    route add -p 0.0.0.0 mask 0.0.0.0 172.16.12.253 if 6 metric 1

    Parameters:

    • -p: makes the route permanent. Without -p, the route is temporary and lost after a restart.

    • Destination network: 0.0.0.0 indicates the default route, used when no specific routes match.

    • Subnet mask and gateway: Run ipconfig to view these values.

    • Interface index: Run netsh interface ipv4 show interfaces to view the index.

    • Route priority: specified in the metric <n> format. A smaller value indicates a higher priority.

  2. Run route print to verify the route appears in the route list.


Example

This example shows how to configure policy-based routes so that an ECS instance running Alibaba Cloud Linux 3.2 receives packets through the secondary ENI (eth1) and sends reply packets through eth1 instead of the primary ENI (eth0). If your security policies include a source IP whitelist for specific ENIs, mismatched traffic paths cause legitimate requests to be rejected. Policy-based routes resolve this issue.

  1. Prepare the environment.

    1. Create an ECS instance.

      See Create an instance on the Custom Launch tab.

    2. Bind a secondary ENI to the ECS instance.

      See Bind a secondary ENI.

    3. Apply for an Elastic IP Address (EIP) and associate it with the eth1 secondary ENI in NAT mode.

      See Associate an EIP with a secondary ENI.


    4. Prepare a test client.

      Use another ECS instance with Internet access or an on-premises computer as the test client.

    5. Add an inbound rule to a security group of the ECS instance to allow access from the test client's public IP address. Then run ping <EIP> on the test client to verify connectivity to the EIP associated in Step 3.

      See the Case 4: Allow only traffic of specific protocols to access ECS instances section of the "Guidelines for using security groups and use cases" topic.

  2. Send packets from the test client to the ECS instance:

    ping 47.xx.xx.109

    Replace the IP address with the EIP associated with eth1.

  3. Monitor ICMP packets on both eth0 and eth1 of the ECS instance.

    • Capture ICMP packets on eth0:

      tcpdump -i eth0 icmp
    • Open a new window and capture ICMP packets on eth1:

      tcpdump -i eth1 icmp
  4. View the results.

    Policy-based route not configured

    Packets enter through eth1 but reply packets exit through eth0. The instance receives on eth1 and responds on eth0.

    The default route of eth0 has metric 100, a higher priority than the default route of eth1 (a smaller metric wins), so the replies are sent from eth0.

    Policy-based route configured
    1. Configure policy-based routes. See the Configure policy-based routes for ENIs section of this topic.

      ip -4 route add default via 172.16.20.253 dev eth1 table 1001
      ip -4 rule add from 172.16.20.177 lookup 1001
    2. Run ping <EIP> on the test client.

    3. Monitor ICMP packets on the ENIs.

      Packets now enter and exit through eth1. The instance sends and receives through the same ENI, following the source-in, source-out principle.

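An added check for step 4 that is not part of this documentation: given the text of the two tcpdump captures, it reports whether replies from the eth1 address left through eth0 (asymmetric, the situation before the policy route) or through eth1 (symmetric). The captures are constructed, 203.0.113.10 is a placeholder for the test client's public address, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation: turn the
# "view the results" step into a check over saved tcpdump output. Sample
# captures are constructed; 203.0.113.10 stands in for the test client's
# public address and 172.16.20.177 is the page's eth1 address.
set -eu

# Number of ICMP echo requests addressed to the ENI address in one capture.
count_requests_to() {        # $1 = capture text, $2 = ENI address
  printf '%s\n' "$1" | grep -c "> $2: ICMP echo request" || true
}

# Number of ICMP echo replies sent from the ENI address in one capture.
count_replies_from() {       # $1 = capture text, $2 = ENI address
  printf '%s\n' "$1" | grep -c "IP $2 > .*ICMP echo reply" || true
}

# Classify the reply path for requests that arrived on eth1:
#   asymmetric - replies left through eth0 (no policy route in place)
#   symmetric  - replies left through eth1 (source-in, source-out)
#   unknown    - no request seen on eth1, or no reply seen at all
reply_path() {               # $1 = eth0 capture, $2 = eth1 capture, $3 = ENI address
  if [ "$(count_requests_to "$2" "$3")" -eq 0 ]; then
    echo unknown
  elif [ "$(count_replies_from "$1" "$3")" -gt 0 ]; then
    echo asymmetric
  elif [ "$(count_replies_from "$2" "$3")" -gt 0 ]; then
    echo symmetric
  else
    echo unknown
  fi
}

# Constructed captures: before the policy route, the request hits eth1 but
# the reply is seen on eth0.
ETH1_BEFORE='12:00:01.000001 IP 203.0.113.10 > 172.16.20.177: ICMP echo request, id 7, seq 1, length 64'
ETH0_BEFORE='12:00:01.000120 IP 172.16.20.177 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64'
# After the policy route, both directions are seen on eth1 and eth0 is quiet.
ETH1_AFTER="$ETH1_BEFORE
12:00:01.000130 IP 172.16.20.177 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64"

reply_path "$ETH0_BEFORE" "$ETH1_BEFORE" 172.16.20.177   # prints asymmetric
reply_path "" "$ETH1_AFTER" 172.16.20.177                 # prints symmetric
```
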
Configure default routes for ENIs

Default routes are automatically configured when you bind ENIs to ECS instances. However, in some OS versions earlier than Ubuntu 18, such as Ubuntu 16, default routes may not be configured for secondary ENIs, which causes network connectivity issues. Follow these steps to manually configure a default route.

In this example, Ubuntu 16 and the eth1 secondary ENI are used.

  1. View ENI information:

    ip a

    The output shows that eth1 is up in the operating system.

  2. View route information:

    route -n

    The output shows that eth1 has only the route for its own subnet and no default (outbound) route.

    Example exception

    Without an outbound route, communication through eth1 fails. For example, associating an EIP with eth1 for Internet access results in a loss of connectivity.

  3. Configure the default route for eth1:

    ip -4 route add default via 172.16.20.253 dev eth1 metric 200
    • -4: applies to IPv4 addresses only.

    • 172.16.20.253: the gateway address of eth1.

    • metric 200: the route priority. A smaller value indicates a higher priority. When multiple routes to the same destination exist, the route with the smallest metric is used.

  4. Persist the route configuration across reboots.

    Add the route command to the instance startup configuration to persist it. Otherwise, the route is lost after a restart. Skip this step if you are only testing.

    1. Open /etc/rc.local:

      vim /etc/rc.local
    2. Press i to enter Insert mode, add the command from the previous step, then press Esc. Enter :wq and press Enter to save and close the file.

      Note

      Replace the network interface identifier and gateway address with your actual values.

    3. Grant execute permissions on /etc/rc.local:

      sudo chmod +x /etc/rc.local
  5. View the route added for eth1:

    route -n


    Verify that the exception is resolved

    After configuring the default route, eth1 communicates as expected.
