Bind multiple EIPs to an ECS (NAT mode)


If an ECS instance needs to host multiple services that each require a dedicated public IP address, you can use NAT mode to bind multiple EIPs to the instance's ENIs.

You can bind multiple EIPs to both the primary ENI and secondary ENIs. Choose based on your network design. This topic uses a secondary ENI as an example.

How it works

  1. Bind multiple EIPs: Attach a secondary ENI that has multiple private IP addresses to an ECS instance. Then, bind the EIPs to the private IP addresses in a one-to-one mapping in NAT mode.

  2. Configure policy-based routing to ensure symmetric traffic paths:

    • Inbound traffic: When an external request reaches an EIP, the system automatically forwards the traffic to the private IP address bound to that EIP.

    • Outbound traffic: Configure policy-based routing on the ECS instance. The routing policy uses the source IP address (the private IP address) of a packet to determine its next hop and egress interface (the secondary ENI). This ensures that response traffic exits through the correct EIP, which maintains symmetric routing and prevents conflicts in a multi-ENI environment.


Usage notes

  • The number of ENIs that you can attach to an ECS instance and the number of secondary private IP addresses that you can assign to an ENI vary with the instance family.

    For example, an ECS instance of the ecs.c6.large instance type can be bound to a maximum of 2 elastic network interfaces (ENIs), including a primary ENI and a secondary ENI, and each ENI supports a maximum of 6 private IP addresses. Both the primary ENI and the secondary ENI support binding 1 EIP to the primary private IP address and 5 EIPs to the secondary private IP addresses.

  • In NAT mode, EIPs bind to ENIs using NAT. This mode does not support protocols that rely on NAT Application-Level Gateway (NAT ALG).

    • You can bind EIPs to both primary and secondary ENIs.

    • Because the mapping is one-to-one, the number of EIPs you can bind is limited by the number of private IP addresses available on the ENI.

  • If your VPC uses an IPv4 gateway for centralized internet access, ensure you configure a route that directs traffic to the IPv4 gateway so the ECS instance can access the internet.

Procedure

Step 1: Bind multiple EIPs

  1. Attach a secondary ENI with multiple private IP addresses to the ECS instance.

    If you already have a secondary ENI, skip to step 3 and bind it directly to the ECS instance. Otherwise, create one as follows.
    1. Go to the ENIs page in the ECS console. In the top navigation bar, select the region where your ECS instance is located.

    2. Click Create ENI.

      • Select the VPC, vSwitch, and security group to which the ECS instance belongs.

      • Primary Private IP Address: You can specify an unused IP address from the vSwitch. If you do not specify an IP address, the system randomly assigns one from the available addresses in the vSwitch. This address cannot be changed after creation.

      • Secondary Private IPv4 Address: Select Auto Assign and enter the number of secondary private IP addresses that you want to assign.

      Keep the default values for the other parameters. After the ENI is created, you can click Manage ENI IP Addresses in the Operation column for the ENI to add, delete, or modify its private IP addresses.

    3. In the Operation column for the target ENI, click Bind to Instance and select the target ECS instance.

  2. Configure the operating system to recognize the secondary private IP addresses.

    This topic uses Alibaba Cloud Linux 3.2 as an example. For other operating systems, see Configure an operating system to recognize secondary private IP addresses.
    1. Log on to the ECS instance, and run the ip a command to view and confirm the network interface information.

      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8500 qdisc mq state UP group default qlen 1000
          link/ether 00:xxx:ff
          altname enp0s5
          altname ens5
          inet 192.168.0.3/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
              valid_lft 1892159940sec preferred_lft 1892159940sec
          inet6 xxx/64 scope link
              valid_lft forever preferred_lft forever
      3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8500 qdisc mq state UP group default qlen 1000
          link/ether 00:xxx:ff
          altname enp0s7
          altname ens7
          inet 192.168.0.252/24 brd 192.168.0.255 scope global dynamic noprefixroute eth1
              valid_lft 1892159958sec preferred_lft 1892159958sec
          inet6 xxx/64 scope link noprefixroute
              valid_lft forever preferred_lft forever
    2. Use nmcli con to configure a secondary private IP address.

      1. Run the sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg command and add the network: {config: disabled} configuration to disable automatic network configuration by cloud-init and prevent the configuration from being lost after a reboot.

      2. Run nmcli con show to view the network connection name of eth1.

        [root@ixxx Z ~]# nmcli con show
        NAME                UUID                                  TYPE       DEVICE
        System eth0         5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet   eth0
        Wired connection 1  c8c8d113-cd19-3945-a292-1a89d8bab4e8  ethernet   eth1
      3. Run the following commands to configure the secondary private IPv4 addresses and the default gateway for the secondary ENI. Specify each address with its prefix length, as in the example below. You can run the route -n command to view the default gateway.

        sudo nmcli con modify "<eth1_connection_name>" ipv4.addresses <secondary_private_IPv4_address_1>/<prefix_length>,<secondary_private_IPv4_address_2>/<prefix_length>
        sudo nmcli con modify "<eth1_connection_name>" ipv4.gateway <default_gateway>

        For example, for the eth1 connection shown above:

        sudo nmcli con modify "Wired connection 1" ipv4.addresses 192.168.0.1/24,192.168.0.2/24
        sudo nmcli con modify "Wired connection 1" ipv4.gateway 192.168.0.253
    3. Run the sudo nmcli con up "<eth1_connection_name>" command to activate the modified network connection. A message similar to Connection successfully activated indicates that the configuration is successful. Run the ip a command again to confirm that the secondary private IP addresses are now assigned to eth1.

      eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8500 qdisc mq state UP group default qlen 1000
          link/ether 00:xxx:ff
          altname enp0s7
          altname ens7
          inet 192.168.0.1/24 brd 192.168.0.255 scope global noprefixroute eth1
             valid_lft forever preferred_lft forever
          inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary noprefixroute eth1
             valid_lft forever preferred_lft forever
          inet 192.168.0.252/24 brd 192.168.0.255 scope global secondary dynamic noprefixroute eth1
             valid_lft 1892159981sec preferred_lft 1892159981sec
          inet6 fe80::xxx/64 scope link noprefixroute
             valid_lft forever preferred_lft forever
  3. Create multiple EIPs and bind them to the private IP addresses of the secondary ENI.

    1. Go to the EIP buy page.

      Only relevant parameters are listed here. For detailed guidance, see Select an EIP.
      • Billing Method: The pay-as-you-go method is suitable for services with fluctuating workloads. The Subscription method is ideal for long-term, stable workloads. This topic uses Pay-as-you-go.

      • Region and Availability Zone: Select the same region as your ECS instance.

      • Line Type: This option is available only in some regions.

      • Protection: This option is available only for BGP (Multi-ISP) EIPs that use the pay-as-you-go billing method.

      • Address Pool: If you have an existing IP address pool, you can allocate EIPs from it.

      • Quantity: Enter the number of EIPs you plan to bind.

    2. Bind the EIPs to the private IP addresses of the secondary ENI in a one-to-one mapping.

      1. Go to the Elastic IP Addresses page. In the top navigation bar, select the region where the EIPs are located.

      2. For each EIP, click Associate with Resource in the Actions column. Select ENI and then choose the corresponding secondary private IP address.

Step 2: Configure policy-based routing

Configure policy-based routing on the ECS instance to ensure symmetric traffic paths.

  1. Log on to the ECS instance and add a default route for the secondary ENI eth1 in a dedicated route table (table 1001). Then add a routing policy (rule) for each private IP address of the secondary ENI, including its primary private IP address, so that packets sourced from those addresses look up table 1001. Replace <default_gateway> with the gateway shown by route -n (192.168.0.253 in this example).

    ip -4 route add default via <default_gateway> dev eth1 metric 1001 && \
    ip -4 route add default via <default_gateway> dev eth1 table 1001 && \
    ip -4 rule add from <secondary_eni_private_ipv4_address_1> lookup 1001 && \
    ip -4 rule add from <secondary_eni_private_ipv4_address_2> lookup 1001 && \
    ip -4 rule add from <secondary_eni_private_ipv4_address_3> lookup 1001
  2. Run the ip route list table 1001 && ip rule list command to view the created route table and policy-based routes.

    [root@iZ ~]# ip route list table 1001 && ip rule list
    default via 192.168.0.253 dev eth1
    0:      from all lookup local
    32763:  from 192.168.0.2 lookup 1001
    32764:  from 192.168.0.1 lookup 1001
    32765:  from 192.168.0.252 lookup 1001
    32766:  from all lookup main
    32767:  from all lookup default
  3. Apply the routes automatically at startup so that the configuration persists across reboots.

    1. Run vim /etc/rc.local and add the commands for creating the route table and the policy-based routes to the file. On systemd-based systems such as Alibaba Cloud Linux 3, the file must start with a shebang line (for example #!/bin/bash), because it is executed directly at boot.

    2. Run sudo chmod +x /etc/rc.local to add execute permissions.
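The route-table and rule commands from step 1, wrapped in a script that can be re-run safely and called from /etc/rc.local instead of pasting the raw commands. This is an added example, not part of the original topic: the device name, table number, gateway and private IP addresses are the page's example values, while the function names, the show/check/apply modes, the script path in the usage note and the PBR_SAMPLE_RULES string (a constructed copy of the page's ip rule list output with one rule missing) are assumptions made for this example. It uses ip route replace rather than ip route add so that the route steps are repeatable, and it adds a rule only when the live rule list does not already contain it, which avoids duplicate rules when the script runs twice.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent policy-based routing
# for a secondary ENI with several private IP addresses, written so that it can
# be called from /etc/rc.local at boot and re-run safely.
# Device, table number, gateway and addresses below are the page's example
# values; the function names, the show/check/apply modes and PBR_SAMPLE_RULES
# are constructed for this example.
set -eu

PBR_DEV="${PBR_DEV:-eth1}"
PBR_TABLE="${PBR_TABLE:-1001}"
PBR_GATEWAY="${PBR_GATEWAY:-192.168.0.253}"
# Every private IP of the secondary ENI, including its primary private IP.
PBR_IPS="${PBR_IPS:-192.168.0.252 192.168.0.1 192.168.0.2}"

# Constructed sample of `ip rule list` output (two of the three rules present),
# used to exercise the check functions without root or a real ENI.
PBR_SAMPLE_RULES='0:      from all lookup local
32763:  from 192.168.0.2 lookup 1001
32764:  from 192.168.0.1 lookup 1001
32766:  from all lookup main
32767:  from all lookup default'

# Print the ip(8) commands for a gateway, table, device and IP list.
# 'route replace' instead of 'route add' makes the route steps repeatable.
pbr_commands() {
    gw="$1"; table="$2"; dev="$3"; shift 3
    printf 'ip -4 route replace default via %s dev %s metric %s\n' "$gw" "$dev" "$table"
    printf 'ip -4 route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    for ip in "$@"; do
        printf 'ip -4 rule add from %s lookup %s\n' "$ip" "$table"
    done
}

# Succeed if "from <ip> lookup <table>" appears in the given `ip rule list`
# output (passed as a string). The priority prefix "NNN:" is stripped and the
# rest matched as a whole line, so 192.168.0.2 does not match 192.168.0.22.
pbr_rule_present() {
    ip="$1"; table="$2"; rules="$3"
    printf '%s\n' "$rules" | sed 's/^[0-9]*:[[:space:]]*//' \
        | grep -Fxq "from $ip lookup $table"
}

# Print how many of the given IPs have no rule in the given `ip rule list` output.
pbr_missing_count() {
    table="$1"; rules="$2"; shift 2
    missing=0
    for ip in "$@"; do
        pbr_rule_present "$ip" "$table" "$rules" || missing=$((missing + 1))
    done
    echo "$missing"
}

# Apply the configuration: routes are replaced, rules are added only if absent,
# so a second run (or a run after a partial failure) does not duplicate rules.
pbr_apply() {
    rules="$(ip rule list)"
    ip -4 route replace default via "$PBR_GATEWAY" dev "$PBR_DEV" metric "$PBR_TABLE"
    ip -4 route replace default via "$PBR_GATEWAY" dev "$PBR_DEV" table "$PBR_TABLE"
    for ip in $PBR_IPS; do
        if pbr_rule_present "$ip" "$PBR_TABLE" "$rules"; then
            echo "rule for $ip -> table $PBR_TABLE already present"
        else
            ip -4 rule add from "$ip" lookup "$PBR_TABLE"
        fi
    done
}

# Usage: setup-eip-pbr.sh show   (print the commands without running them)
#        setup-eip-pbr.sh check  (report private IPs that still lack a rule)
#        setup-eip-pbr.sh apply  (run as root; suitable for /etc/rc.local)
case "${1:-}" in
    show)  pbr_commands "$PBR_GATEWAY" "$PBR_TABLE" "$PBR_DEV" $PBR_IPS ;;
    check) echo "$(pbr_missing_count "$PBR_TABLE" "$(ip rule list)" $PBR_IPS) rule(s) missing" ;;
    apply) pbr_apply ;;
    *)     ;;  # no argument: only define the functions
esac
```

With the script saved as, for example, /usr/local/sbin/setup-eip-pbr.sh (an assumed path), the single line /usr/local/sbin/setup-eip-pbr.sh apply replaces the raw ip commands in /etc/rc.local, and setup-eip-pbr.sh check after a reboot reports whether every address in PBR_IPS still has its rule. Override PBR_IPS or PBR_GATEWAY in the environment when the ENI has different addresses.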

Step 3: Verify the configuration

Verify outbound IP addresses

Log on to the ECS instance, run curl --interface <private IP address of the secondary ENI> https://ifconfig.me, and verify that the public egress IP address for traffic sent from each private IP address is the corresponding EIP.

[root@iZbxxx ~]# echo $(curl --silent --interface 192.168.0.2 https://ifconfig.me)
47.xxx.xxx.13
[root@iZbxxx ~]# echo $(curl --silent --interface 192.168.0.1 https://ifconfig.me)
121.xxx.xxx.23
[root@iZbxxx ~]# echo $(curl --silent --interface 192.168.0.252 https://ifconfig.me)
121.xxx.xxx.175

Verify symmetric traffic paths

  1. Log on to another test ECS instance that can access the internet, and run ping <EIP bound to the secondary ENI>.

  2. At the same time, log on to this ECS instance and run the tcpdump -i eth1 icmp command to capture ICMP packets on eth1.

The captured output shows that each ICMP echo request arrives on eth1 and the corresponding echo reply leaves through eth1, which confirms that the inbound and outbound traffic paths are symmetric.

[root@iZbp1xxx_uv2Z ~]# tcpdump -i eth1 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:14:34.410905 IP 47.xxx.xxx.250 > iZbpxxx_uv2Z: ICMP echo request, id 19, seq 1, length 64
10:14:34.410944 IP iZbpxxx_juv2Z > 47.xxx.xxx.250: ICMP echo reply, id 19, seq 1, length 64
10:14:35.412272 IP 47.xxx.xxx.250 > iZbpxxx_juv2Z: ICMP echo request, id 19, seq 2, length 64
10:14:35.412307 IP iZbpxxx_juv2Z > 47.xxx.xxx.250: ICMP echo reply, id 19, seq 2, length 64
10:14:36.413675 IP 47.xxx.xxx.250 > iZbpxxx_uv2Z: ICMP echo request, id 19, seq 3, length 64
10:14:36.413707 IP iZbpxxx_juv2Z > 47.xxx.xxx.250: ICMP echo reply, id 19, seq 3, length 64

Production considerations

  • Risk prevention: This solution relies on a single ECS instance. For high availability, place the services behind a load balancer. Be aware that rebooting the instance or changing its network configuration can interrupt the services that depend on the EIPs.

  • Monitoring and alerting: Set up monitoring and alerts for key metrics of the instance and its secondary ENI, such as network traffic on the ENI and the instance's CPU utilization and memory usage, to detect anomalies promptly.

  • Security hardening: Configure the security group for the secondary ENI using the principle of least privilege. Allow only the ports and source IP addresses that are essential for your services.

Billing

  • EIP billing:

    • EIP configuration fee (public IP retention fee):

      • Pay-as-you-go EIP: When bound to a secondary ENI, a configuration fee (public IP retention fee) is charged even if there is no internet traffic.

      • Subscription EIP: No configuration fee is charged.

    • Internet traffic fee:

      • Pay-as-you-go EIP: Fees are charged based on the selected billing method (pay-by-bandwidth or pay-by-traffic).

      • Subscription EIP: Fees are charged based on the peak bandwidth.

  • Other resources: Resources such as ECS instances are billed according to their standard billing rules. Secondary ENIs are free of charge.