Each ECS instance has one primary elastic network interface (ENI). You can attach one or more secondary ENIs to prevent single points of failure or to isolate network traffic.
Create an elastic network interface
Console
In the ECS console, go to the ENIs page, and then click Create an ENI.
Configure the following key parameters and use the defaults for the others:
VPC and vSwitch: Specifies the network where the ENI will reside.
The ENI and the instance to which you attach it must be in the same VPC and vSwitch.
Security group: Associates one or more security groups to control inbound and outbound traffic.
API
Call the CreateNetworkInterface operation to create an elastic network interface.
Attach an ENI to an ECS instance
When you create a new instance, you can attach an existing ENI as the primary ENI or a secondary ENI. The instance then inherits the ENI's network configuration, including its IP addresses, routes, MAC address, and associated security groups.
When you attach an ENI to an existing instance, it can only serve as a secondary ENI. This expands the instance's networking capabilities, for example, by isolating traffic or adding IP addresses.
The number of ENIs that can be attached to an instance varies by instance family.
Prerequisites
The ENI and the instance must be in the same VPC and vSwitch.
Some instance types must be stopped before you can attach an ENI. Attaching an ENI to a running instance is known as a hot-plug operation.
Attach an ENI when you create an instance
Console
If you select an existing security group or create a new one, the system automatically creates a new primary ENI. This prevents you from attaching an existing ENI.
In the ECS console, go to the Custom Launch page.
After you select Network and Zone, in the Network and Security Group section, under the ENIs setting, select Existing ENI for the Primary ENI or Secondary ENIs.

API
Call the RunInstances operation. Use the NetworkInterface.N.NetworkInterfaceId parameter to specify the ENIs. The interface specified as NetworkInterface.1 becomes the primary ENI, and any subsequent interfaces, such as NetworkInterface.2, become secondary ENIs.
Attach an ENI to an existing instance
Console
In the ECS console, go to the Instances page and click the ID of the target instance to open its details page.
On the instance details page, click the ENIs tab, and then click Bind Secondary ENI.
Select the target ENI, and then click OK.
API
Call the AttachNetworkInterface operation to attach an ENI to an existing instance.
Configure the ENI in the guest OS
The primary ENI is typically activated automatically after the instance is created, so no configuration is required. However, after you attach one or more secondary ENIs to an ECS instance, you must verify that they are recognized and active within the guest operating system (OS).
Step 1: Verify ENI activation
If a secondary ENI is not correctly configured in the guest OS, it cannot communicate. Follow these steps to verify the ENI's status.
Linux instance
Example OS: Alibaba Cloud Linux 3.2.
Connect to the Linux instance.
For more information, see Connect to a Linux instance by using Workbench.
Run the following command to view and confirm the instance's network interface information:
ip a
The output shows the following information about the instance's network interfaces:
Interface identifier: eth0, eth1. In this example, the instance has two ENIs: a primary ENI (eth0) and a secondary ENI (eth1).
Interface status: state UP indicates that the interface is active and ready to use.
Important: If the status is state DOWN as shown in the following figure, the interface failed to load and is unusable. You must configure the Linux guest OS to recognize the ENI.

Primary private IP address: If the interface is active, you can view the primary private IP address for each ENI. For more information, see Primary private IP addresses.
If you assigned a secondary private IP address to the ENI but the OS does not recognize it, you must reconfigure the interface. For instructions, see Configure the guest OS to recognize a secondary private IP address.
Run the following command to view the interface's routing information:
route -n
Typically, the system configures two routes for the secondary ENI (eth1):
Route with a destination in the 192.168.x.x range: A subnet-specific route. This route ensures that the instance can communicate directly with other hosts in the same subnet without going through an additional router.
Route with a destination of 0.0.0.0: The default route. When a packet's destination does not match a more specific entry in the route table, the system uses the default route. The system then sends the packet to the next-hop Gateway through the network interface specified by Iface.
Important: If multiple default routes exist, the route with the lower Metric value has higher priority.
If you need to precisely control traffic paths and ensure that traffic returns through the same ENI that received it (symmetric routing), you can configure a policy-based route for the ENI.
Some older operating systems, such as Ubuntu 16, may not automatically configure a default route for a secondary ENI. In this case, the route table may appear as shown in the following figure, which can cause communication issues. To resolve this, use a newer OS distribution or manually configure the route. For instructions, see Configure a default route for an ENI.

Windows instance
Example OS: Windows Server 2022.
Connect to the Windows instance.
For more information, see Connect to a Windows instance by using Workbench.
Open the Network and Sharing Center.
Click Change adapter settings.
In this example, the instance has two ENIs attached (one primary and one secondary). If you see information similar to the following figure, the ENIs are active in the OS, and no further configuration is needed.

If the secondary ENI is not recognized for other reasons, you might see the following figure. In this case, see Troubleshoot ENI configuration failures on Windows instances.

View the status and details of the network adapter.
Double-click the adapter name to view its status.
The following figure shows the status of the primary ENI, named Ethernet.

Click Details to view the adapter's properties.
This dialog box shows the adapter's primary private IPv4 address, subnet mask, and default gateway.

Open Command Prompt.
Press Win+R to open the Run dialog box. Enter cmd and click OK.
Run the following command to view the interface's routing information:

Step 2: Configure the ENI in Linux
If you confirm that the ENI is not active, use one of the following methods to configure it within the guest OS.
Most modern Windows operating systems automatically recognize ENIs. If an ENI is not active, see Troubleshoot ENI configuration failures on Windows instances.
Method 1: Automatic configuration with multi-nic-util
Alibaba Cloud Linux 3, CentOS 8, and later versions use NetworkManager by default, which automatically enables secondary ENIs. This tool is not required for these operating systems.
The multi-nic-util tool is suitable for Alibaba Cloud Linux 2, CentOS 6 (6.8 and later), CentOS 7 (7.3 and later), and Red Hat.
Alibaba Cloud strongly recommends that you avoid using the multi-nic-util tool in Docker or other containerized environments.
Using the multi-nic-util tool overwrites the existing network configuration of the ECS instance. Be aware of this risk.
If you cannot use this tool for the reasons listed above, see Method 2: Manual configuration by using network configuration files.
Download and install the multi-nic-util tool. Internet access is required.
wget https://image-offline.oss-cn-hangzhou.aliyuncs.com/multi-nic-util/multi-nic-util-0.6.tgz && \
tar -zxvf multi-nic-util-0.6.tgz && \
cd multi-nic-util-0.6 && \
bash install.sh
Restart the ENI service.
sudo systemctl restart eni.service
Return to Step 1 and check the ENI status again to confirm that it is active.
Method 2: Manual configuration
Network configuration files and management tools vary across Linux distributions and versions.
Back up the original network configuration file before you edit it.
If you cannot connect to the instance by using Workbench after you modify the network configuration file, you can connect to the instance by using VNC to review the changes and repair the file.
In this example, the network interface is configured by default to use the Dynamic Host Configuration Protocol (DHCP) to obtain its primary private IP address. To configure a static IP address, see Configure the guest OS to recognize a secondary private IP address.
Ensure that the IP address, MAC address, gateway, and other information in the configuration file match the actual settings. An incorrect network configuration can cause instance communication to fail.
After you attach or detach an ENI, make sure the network configuration file reflects these changes. This helps prevent network connectivity issues or configuration conflicts.
Connect to the ECS instance.
For more information, see Connect to a Linux instance by using Workbench.
Create and edit the network configuration file for the ENI based on your Linux distribution and version.
The configuration file for the primary ENI is typically generated automatically. The following examples focus on configuring a secondary ENI.
RHEL/CentOS family
Applicable operating systems: Alibaba Cloud Linux 2/3, CentOS 6/7/8, Red Hat 6/7/8/9, Anolis 7/8, and Fedora 33/34/35.
Network interface configuration file: /etc/sysconfig/network-scripts/ifcfg-*
Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, or ifcfg-eth2.
Example configuration: Run the following command to create and edit the configuration file for the secondary ENI (eth1) that is attached to the instance.
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=dhcp
ONBOOT=yes
DEFROUTE=no
DEVICE: Specifies the network interface identifier, such as eth1 or eth2.
TYPE: The type of the network interface. Ethernet specifies an Ethernet interface.
BOOTPROTO: Sets the method for obtaining an IP address. When set to dhcp, the interface automatically obtains an IP address from a DHCP server. If changed to static, you must manually specify the static IP address, subnet mask, and other information.
ONBOOT: Controls whether this network interface is activated at system startup. A value of yes means the interface is automatically enabled. A value of no means it must be started manually.
DEFROUTE: Specifies whether to configure this interface as the egress for the default route.
For the primary ENI (eth0), you do not need to configure this parameter. The system typically generates a default route with the highest priority for the primary ENI.
To avoid changing the instance's active default route when you activate a secondary ENI, do not set the secondary ENI as the default route. If you do, it might replace eth0 as the default route, causing communication failures for the primary ENI. In a multi-ENI environment, you can configure a policy-based route for the ENI to control traffic forwarding paths.
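A lint for the DEFROUTE advice above, as an added example that is not part of the original documentation: it checks a secondary ENI's ifcfg file for a DEVICE name that matches the file name, ONBOOT=yes, and an explicit DEFROUTE=no. The function names and the sample files are constructed for illustration; a missing DEFROUTE is flagged because ifcfg treats it as yes by default.

```shell
#!/bin/sh
# Added example (not from the original page): lint the ifcfg file of a
# secondary ENI against the settings described above.

# Print the value of KEY ($2) from FILE ($1); quotes stripped, last assignment wins.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Report findings for one secondary-ENI file; return 1 if any were found.
lint_secondary_ifcfg() {
    file=$1
    expected=${file##*/ifcfg-}          # ".../ifcfg-eth1" -> "eth1"
    device=$(ifcfg_get "$file" DEVICE)
    onboot=$(ifcfg_get "$file" ONBOOT | tr 'A-Z' 'a-z')
    defroute=$(ifcfg_get "$file" DEFROUTE | tr 'A-Z' 'a-z')
    rc=0
    [ "$device" = "$expected" ] || {
        echo "$file: DEVICE='$device' does not match file name ($expected)"; rc=1; }
    [ "$onboot" = "yes" ] || {
        echo "$file: ONBOOT is not yes, interface will not start at boot"; rc=1; }
    [ "$defroute" = "no" ] || {
        echo "$file: DEFROUTE is not no, $expected may replace eth0 as default route"; rc=1; }
    return $rc
}

# Constructed sample files: the configuration from this section, and a
# variant that omits DEFROUTE (which then defaults to yes).
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/good" "$SAMPLE_DIR/bad"
printf 'DEVICE=eth1\nTYPE=Ethernet\nBOOTPROTO=dhcp\nONBOOT=yes\nDEFROUTE=no\n' \
    > "$SAMPLE_DIR/good/ifcfg-eth1"
printf 'DEVICE=eth1\nTYPE=Ethernet\nBOOTPROTO=dhcp\nONBOOT="yes"\n' \
    > "$SAMPLE_DIR/bad/ifcfg-eth1"

for f in "$SAMPLE_DIR/good/ifcfg-eth1" "$SAMPLE_DIR/bad/ifcfg-eth1"; do
    if lint_secondary_ifcfg "$f"; then echo "$f: ok"; fi
done
```

On an instance, run it against the real file: `lint_secondary_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1`.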
Ubuntu 18 and later
Netplan is a network configuration utility that has been the default in Ubuntu since version 18.04 LTS.
Applicable operating systems: Ubuntu 18/20/22/24
Network interface configuration file: /etc/netplan/*.yaml
The system recognizes YAML files in the /etc/netplan directory. You can set up a separate YAML file for each network interface.
By default, cloud-init automatically generates the network configuration file for the primary ENI, 50-cloud-init.yaml, at system startup.
Example configuration: Run the following command to create and edit the configuration file for the secondary ENI (eth1) that is attached to the instance.
sudo vi /etc/netplan/eth1-netcfg.yaml
Note: The configuration file for the primary ENI already exists. To ensure correct YAML formatting, you can copy it by running cp 50-cloud-init.yaml eth1-netcfg.yaml to generate the file for the secondary ENI, and then modify it as shown in the following example.
network:
  version: 2
  ethernets:
    eth1:
      dhcp4: true
      match:
        macaddress: 00:16:3e:xx:xx:xx
      set-name: eth1
dhcp4: Specifies whether to enable DHCP for IPv4 for this interface. Valid values are true and false.
match: Matches the network interface by its properties, such as macaddress.
You can view the MAC address of an ENI in the console or by calling an API operation.
Debian and early Ubuntu
Applicable operating systems: Debian, and early versions of Ubuntu such as Ubuntu 14/16 and Debian 8/9/10.
Network interface configuration file: /etc/network/interfaces
Edit this file to manually configure network interface settings such as IP address, subnet mask, gateway, and DNS, and set modes like static IP or DHCP.
This method has been gradually replaced by systemd-networkd and Netplan in newer versions of Ubuntu and other distributions.
Main configuration items: The file contains settings for interface type, IP address, subnet mask, gateway, and DNS information.
Example configuration: Run the following command to edit the network configuration file.
sudo vi /etc/network/interfaces
Note: The configurations for the primary ENI (eth0) and secondary ENI (eth1) are in the same file. Make sure not to omit the configuration for the primary ENI.
auto lo
iface lo inet loopback

# Primary ENI
auto eth0
iface eth0 inet dhcp

# Secondary ENI
auto eth1
iface eth1 inet dhcp
auto <interface>: Automatically activates the network interface at system startup.
iface <interface> inet <method>: Defines the configuration method for the network interface.
inet: Specifies that an IPv4 configuration is being defined.
method: Sets the method for obtaining an IP address. When set to dhcp, the interface uses DHCP to automatically obtain an IP address and other network parameters. If changed to static, you must manually specify the static IP address, subnet mask, and other information.
SLES family
Applicable operating systems: SUSE Linux 11/12/15 and OpenSUSE 15.
Network interface configuration file: /etc/sysconfig/network/ifcfg-*
Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, or ifcfg-eth2.
Example configuration: Run the following command to create and edit the configuration file for the secondary ENI (eth1) that is attached to the instance.
sudo vi /etc/sysconfig/network/ifcfg-eth1
BOOTPROTO='dhcp'
STARTMODE='auto'
BOOTPROTO: Specifies how to obtain an IP address. dhcp means the interface will automatically obtain its IP address and other network settings from a DHCP server.
STARTMODE: Defines how the network interface is handled at system startup. 'auto' means the system will attempt to activate the interface if it is available at startup.
Run the appropriate command to restart the network service.
Return to Step 1: Verify ENI activation to confirm that the ENI is active.
Assign private IP addresses
An ENI in a VPC and vSwitch is automatically assigned a primary private IPv4 address from the vSwitch's CIDR block. The ECS instance uses this private IP address for internal network communication.
If you need multiple IP addresses for use cases such as hosting multiple applications, failover, or load balancing, you can assign multiple private IP addresses to the ENI. For more information, see Assign secondary private IP addresses to an ENI.
Bind a public IP address
Single primary ENI scenario: You can assign a static public IP address to the instance's primary ENI for internet communication. For more information, see static public IP addresses.
Multiple ENIs or flexible management scenarios: You can associate an EIP with an ENI for internet communication. EIPs are more flexible than static public IP addresses because you can associate and disassociate them as needed. For more information, see Associate an EIP with an ENI.
You can also attach one or more ENIs to an ECS instance and associate EIPs with multiple private IP addresses on those ENIs. This configuration allows an ECS instance to have multiple public IP addresses. For instructions, see Associate multiple EIPs with an ECS instance in normal mode.
Important: After you associate an EIP with a secondary ENI, you must ensure that the ENI is attached to an instance and is active in the guest OS. Otherwise, the EIP will not work correctly. For more information, see Configure the ENI in the guest OS.
When you use a secondary ENI with an EIP or a NAT Gateway, outbound traffic might not egress from the ENI configured with the public IP address, which can cause communication failures. To resolve this, you can configure a policy-based route to force traffic to return through the same ENI that received it, ensuring symmetric routing. For more information, see Configure a policy-based route for an ENI.
If you still cannot ping the public IP address after the ENI and routes are correctly configured, check your security group and firewall settings. For more information, see Troubleshoot issues when you cannot ping the public IP address of an ECS instance.
Associate an ENI with a security group
Associating an ENI with a security group provides network-layer security control.
The rules of a security group associated with an ECS instance apply to the instance's primary ENI. The primary ENI is always in the same security group as the instance, and you cannot change its security group association independently. To change the primary ENI's security group, you must change the instance's security group. For details, see Move an instance to a security group.
You can associate a secondary ENI attached to an ECS instance with any security group in the same VPC and zone. This security group can be different from the instance's security group. You can specify the security group when you create an ENI, or you can change the security group of an existing ENI.
If you assign multiple secondary IPv4 or IPv6 addresses to an ENI, the rules of the associated security group also govern these addresses. You can configure precise security group rules based on criteria such as source IP address, application-layer protocol, and port to control traffic to each ENI. For details, see Manage security group rules.
You can check the security group rules for an ENI to verify whether the intended traffic is allowed or denied as expected. For more information, see Check security group rules.




