An Elastic Network Interface (ENI), primary or secondary, can have one or more secondary private IP addresses. This supports use cases that require multiple IP addresses, such as multi-application hosting, failover, and load balancing. This topic describes how to assign, configure, and unassign secondary private IP addresses.
Introduction
If the primary private IP address on an Elastic Compute Service (ECS) instance's ENI is not enough, you can assign one or more secondary private IP addresses. This allows a single ECS instance to have multiple private IP addresses. The following figure shows the relationship between an ECS instance, its ENIs, and its private IP addresses.
Use cases
You can use secondary private IP addresses in the following scenarios:
Multi-application hosting: When you deploy multiple applications on a single ECS instance, you can assign an independent secondary private IP address to each application. This lets you host multiple services on the same ECS instance and use it more efficiently.
Failover: If an instance fails, you can unbind its secondary ENI and bind it to a standby instance. Request traffic directed to its secondary private IP addresses is then routed to the standby instance, achieving high availability.
Load balancing: By assigning multiple secondary private IP addresses to an instance, you can implement a load balancing mechanism to improve system scalability and performance.
Usage notes
The maximum number of private IP addresses you can assign to a single ENI depends on its status.
For an ENI in the Available state, you can assign up to 10 private IP addresses.
For an ENI in the InUse state, the maximum number of private IP addresses you can assign cannot exceed the limit for the instance type. For more information, see the Private IPv4 addresses per ENI column in the instance type table of each instance family in Instance family overview.
A Virtual Private Cloud (VPC) security group can contain only a limited number of private IP addresses. Plan your secondary private IP addresses accordingly. For more information, see Security groups.
Assign secondary private IP addresses to an ENI
You must configure the secondary private IP address in the instance's operating system so the OS can recognize and use it. After assigning the address in the console (Step 1), you must also perform the OS configuration described in.
Step 1: Assign one or more secondary private IP addresses to an ENI
You can add or delete secondary private IP addresses on the Manage ENI IP Addresses page for the target ENI, which can be either the primary or a secondary ENI of an ECS instance.
You can also assign a secondary private IP (or IPv6) address to an ENI by calling an API. For more information, see AssignPrivateIpAddresses or AssignIpv6Addresses.
-
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the ENIs page, find the ENI to which you want to manage and click Manage ENI IP Addresses in the Operation column.
In the Manage ENI IP Addresses dialog box, click Increase in the Secondary Private IPv4 Address or IPv6 section.
Auto-assign: The system randomly assigns an IP address from the ENI's IPv4 or IPv6 private CIDR block.
Enter manually: Manually enter a secondary private IP address. Make sure the value is within the ENI's IPv4 or IPv6 private CIDR block.
Click Confirm to complete the secondary private IP address assignment.
Confirm that the secondary private IP address is correctly assigned to the target ENI.
You can verify this information on the ENI details page of the ECS instance, as shown in the following example.
(Conditionally required) Step 2: Bind the ENI
When you add a secondary private IP address to a secondary ENI, you must ensure that you have already bound the secondary ENI to an ECS instance and configured it. For detailed instructions, see Create and use an ENI and Configure an ENI to take effect within an instance.
This topic uses an example of assigning a secondary private IP address to the primary ENI of an ECS instance, so this step is not required.
Step 3: Configure the OS to recognize the secondary private IP address
After assigning a secondary private IP address to an instance, you must also configure the address within the instance's operating system (OS) based on the operating system and IP address type. The specific configuration steps vary depending on the OS and IP address type.
Configuration example
his topic uses the configuration of a secondary private IPv4 address as an example. For instructions on how to configure a secondary private IPv6 address, see IPv6 communication.
This example assigns the private IPv4 addresses to the ENI as shown below. Modify the IP addresses in the following commands and configurations to match your environment.
ENI
Primary private IPv4 address
Secondary private IPv4 address 1
Secondary private IPv4 address 2
Primary ENI
192.168.1.201
192.168.1.202
192.168.1.203
Before you begin, make sure the corresponding instance is in the Running state. For more information, see Start an instance.
This topic provides configuration steps for the following mainstream operating systems. Please configure according to your OS.
Linux OS configuration example
Connect to the Linux ECS instance.
For more information, see Connect to Linux.
View the current network configuration and routing information to confirm the required default gateway and subnet mask.
View the primary private IPv4 address
Run the following command to view network configuration information:
ip aThe returned information shows the current network configuration of the instance:
From the information above, the current network configuration is as follows:
eth0: Activated, and the primary private IPv4 address 192.168.1.201 is dynamically configured.
View the subnet mask and gateway
Run the following command to view routing information:
route -nThe returned information shows:
Subnet mask (Genmask): 255.255.255.0
Default gateway (Gateway): 192.168.1.253
Based on the information above, the current network configuration is as follows:
ENI
Status
Default gateway
Subnet mask
Primary private IP address
Secondary private IPv4 address 1
Secondary private IPv4 address 2
eth0 (serves as the primary ENI)
UP
192.168.1.253
255.255.255.0
192.168.1.201 (is automatically configured)
192.168.1.202 (cannot be recognized and must be manually configured)
192.168.1.203 (cannot be recognized and must be manually configured)
Configure the secondary private IPv4 address using the method that suits your situation.
Run
nmcli concommandsNoteNetworkManager is a daemon in Linux systems for managing network connections and settings. It provides the command-line tool
nmcli, which lets users easily manage network connections.This method applies to all operating systems that manage network services through NetworkManager, including but not limited to Fedora, CentOS, RHEL, Ubuntu/Debian, and systems based on these distributions.
Example connection: The connection name corresponding to the ENI eth0. You need to modify the connection name based on your actual situation.
Run the following command to create a new file to disable cloud-init's network configuration feature, preventing the configuration from being lost after a restart. For more information, see Automatic network configuration by cloud-init.
sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfgAdd the following configuration to the file:
network: {config: disabled}Run the following command to view the current network connection information:
nmcli con showThe naming of network connections varies across different Linux distributions. An example is shown below.
Run the following commands to configure the secondary private IPv4 addresses, Default Gateway, and IPv4 configuration method (manual, DHCP, etc.) for eth0.
sudo nmcli con modify "System eth0" ipv4.addresses 192.168.1.201/24,192.168.1.202/24,192.168.1.203/24 sudo nmcli con modify "System eth0" ipv4.gateway 192.168.1.253Run the following command to activate the modified network connection.
sudo nmcli con up "System eth0"If the configuration is correct, a message similar to "Connection successfully activated" will appear, indicating success.
Modify the network configuration file of the ENI
ImportantThe network configuration file varies depending on the Linux OS distribution and version.
We recommend backing up the network configuration file before you modify the file.
Since this involves changes to network configuration files, be sure to verify the correctness of your operations. Incorrect configuration can make the instance unreachable.
RHEL series
NoteApplicable operating systems: Alibaba Cloud Linux 2/3, CentOS 6/7/8, Red Hat 6/7/8/9, Anolis 7/8, Fedora 33/34/35.
Example operating system: Alibaba Cloud Linux 3.2.
Example ENI: The operations are demonstrated using the ENI eth0. You need to modify the network interface identifier based on your actual situation.
Run the following command to check if the main configuration file for the ENI exists. Each network interface will have a corresponding configuration file to identify it.
NoteFor some operating systems, such as Alibaba Cloud Linux 3.2, cloud-init automatically generates the main ENI configuration file, so you do not need to create it.
For other operating systems, such as CentOS 8.5, you need to manually create the main ENI configuration file and configure basic ENI information.
ls /etc/sysconfig/network-scripts/ifcfg-eth0File exists: Proceed to Step b.
File does not exist: Create the file and manually configure the basic ENI information.
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0Configure the ENI name, set the IP acquisition method to static, and configure the primary private IPv4 address, Subnet Mask, and gateway information for the ENI.In this example, if the
eth0file does not exist, configure it as follows:The ENI name. Example: eth0. DEVICE=eth0 TYPE=Ethernet BOOTPROTO=dhcp #Activate the ENI when the operating system starts. ONBOOT=yes
Run the following command to configure the first secondary private IPv4 address for the
eth0ENI:sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0:0Sample code snippet:
#The ENI name in the format of <ENI name>:<Serial number of the secondary private IP address>. DEVICE=eth0:0 TYPE=Ethernet #The method used to obtain an IP address, which is set to Static. BOOTPROTO=static #The IPv4 address and subnet mask that require manual configuration. IPADDR=192.168.1.202 NETMASK=255.255.255.0
Ubuntu 18 and Ubuntu 20
Disable the cloud-init network configuration.
ImportantThe network configuration file (
/etc/netplan/50-cloud-init.yaml) is automatically generated bycloud-initat instance startup. To edit it, you must first disable cloud-init's network configuration feature. For more information, see Automatic network configuration by cloud-init.sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfgAdd the following configuration:
network: {config: disabled}Edit the network configuration file.
sudo vim /etc/netplan/50-cloud-init.yamlThe following is a sample configuration:
network: version: 2 ethernets: eth0: #Network interface name. dhcp4: false #The default is DHCP. Set to false to manually configure the IP address. match: macaddress: 00:16:3e:16:43:xx #The MAC address of your network interface card. set-name: eth0 addresses: - 192.168.1.201/24 #The primary private IP address of the network interface card. - 192.168.1.202/24 #Secondary private IP address 1 of the network interface card. - 192.168.1.203/24 #Secondary private IP address 2 of the network interface card. gateway4: 192.168.1.253 #Default gateway. nameservers: addresses: [223.5.5.5, 223.6.6.6] #DNS servers.
Ubuntu 22, Ubuntu 24, and Debian 12
Disable the network configuration feature of cloud-init.
ImportantThe network configuration file (
/etc/netplan/50-cloud-init.yaml) is automatically generated bycloud-initat instance startup. To edit it, you must first disable cloud-init's network configuration feature. For more information, see the Automatic network configuration by cloud-init section of this topic.sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfgAdd the following configuration to the configuration file:
network: {config: disabled}Edit the network configuration file and configure the network interface settings.
sudo vim /etc/netplan/50-cloud-init.yamlSample code snippet:
network: version: 2 ethernets: eth0: #The name of the ENI. dhcp4: false #By default, DHCP is enabled to automatically assign IP addresses. If the parameter is set to false, you must manually configure IP addresses for the ENI. match: macaddress: 00:16:3e:16:43:xx #Replace this parameter with the actual MAC address of your ENI. set-name: eth0 addresses: - 192.168.1.201/24 #The primary private IP address of the ENI. - 192.168.1.202/24 #Secondary private IP address 1. - 192.168.1.203/24 #Secondary private IP address 2. routes: - to: default via: 192.168.1.253 #The default gateway. nameservers: addresses: [223.5.5.5, 223.6.6.6] #DNS
Restart the network service to apply the configuration.
NoteIf you followed the
nmcli conmethod described above, you do not need to restart the network service. NetworkManager monitors changes to the configuration files and applies the new settings automatically.Operating system
Command to restart the network service
Alibaba Cloud Linux 2
CentOS 7
Red Hat 7
Anolis 7
SUSE Linux 11, SUSE Linux 12, and SUSE Linux 15
openSUSE 15 and openSUSE 42
sudo service network restartor
sudo systemctl restart networkCentOS 6
Red Hat 6
sudo service network restartAlibaba Cloud Linux 3
CentOS 8
Red Hat 8
Anolis 8
Fedora 33, Fedora 34, and Fedora 35
sudo systemctl restart NetworkManagerorsudo rebootUbuntu 18, Ubuntu 20, and Ubuntu 22
Debian 12
sudo netplan applyUbuntu 14 and Ubuntu 16
Debian 8, Debian 9, Debian 10, and Debian 11
sudo systemctl restart networkingorsudo rebootRepeat the operations in step 2 to verify that the configuration is successful.
Windows OS configuration example
Applicable OS: Windows.
Example OS: Windows Server 2022.
Example ENI: The operations are demonstrated using the primary ENI named Ethernet. If you are working with a secondary ENI, modify the ENI identifier accordingly, such as Ethernet2.
Connect to the Windows ECS instance.
For more information, see Connect to Windows.
View the current network configuration and routing information to confirm the required default gateway and subnet mask of the ENI.
Open Command Prompt or Windows PowerShell.
Run the following command to view the current ENI and IP information:
ipconfigThe returned information shows the current ENI and recognized IP information.
The current network configuration and routing information are as follows.
ENI
Subnet mask
Default gateway
Primary private IP address
Secondary private IPv4 address 1 to be configured
Secondary private IPv4 address 2 to be configured
Ethernet (serves as the primary ENI)
255.255.255.0
192.168.1.253
192.168.1.201 (is automatically configured)
192.168.1.202 (cannot be recognized and must be manually configured)
192.168.1.203 (cannot be recognized and must be manually configured)
Open Network and Sharing Center.
Click Change adapter settings.
Double-click the primary ENI named Ethernet. Then, click Properties in the Ethernet Status dialog box.
In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following IP address and click Advanced.
ImportantThis changes the policy from automatically obtaining an IP address to manual configuration. Therefore, you must also configure the ENI's primary private IP address in the following steps. Otherwise, you will not be able to remotely connect to the instance using the primary private IP address.
In the Advanced TCP/IP Settings dialog box, set the IP addresses.
In the IP addresses section, click Add. Then, enter the primary and secondary private IP addresses that are assigned to Ethernet and the subnet mask that you queried.
In this example, enter the two secondary private IP addresses of Ethernet.
In the Default gateways section, click Add and enter the obtained default gateway that you queried in the Gateway field.
Click OK in each dialog box to save the settings and complete the configuration of the secondary private IPv4 addresses. Repeat the operations in step 2 to verify that the configuration is successful.
Other OS configuration examples
Unassign a secondary private IP address
If a secondary private IP address is no longer needed on an ENI, you can unassign it.
Prerequisites
Before you unassign a secondary private IP address, confirm the following:
You have assigned a secondary private IP address to the ENI.
The ENI is in the Available or InUse state.
When unassigning a secondary private IP address from a primary ENI, the instance to which the primary ENI is bound must be in the Running or Stopped state.
Procedure
You can also unassign one or more secondary private IP (or IPv6) addresses from an ENI by calling an API: UnassignPrivateIpAddresses or UnassignIpv6Addresses.
-
In the top navigation bar, select the region and resource group of the resource that you want to manage.
On the ENIs page, find the target ENI, and click Manage ENI IP Addresses in the Operation column.
In the Manage ENI IP Addresses dialog box, find the secondary private IP addresses that you want to unassign in the Secondary Private IPv4 Address section. Click the
icon on the right side of the IP addresses. Click Confirm.
Refresh the ENI list. If the IP Address is successfully unassigned if it no longer appears in the list.
Related operations
Automatic network configuration by cloud-init
cloud-init is an open-source initialization tool that provides initialization configuration capabilities for Linux operating systems, such as initializing passwords, setting hostnames, and executing custom scripts. Alibaba Cloud installs cloud-init on all public images by default. When an ECS instance starts, cloud-init automatically generates the system's network configuration information.
Explanation of cloud-init in network configuration files.
You can see an explanation of the automatic generation by cloud-init in the corresponding network configuration file. For example, in the network configuration file
/etc/sysconfig/network-scripts/ifcfg-eth0of Alibaba Cloud Linux 3.2:
Disable the network configuration feature of cloud-init.
When to disable: You may need to disable this feature in the following situations. Otherwise, the configuration automatically generated by cloud-init upon system reboot may overwrite your custom network settings.
Static network configuration: Manually configuring the network by modifying the network configuration file automatically created by cloud-init.
Managing the network through other network management services (such as NetworkManager).
How to disable: Create the file
/etc/cloud/cloud.cfg.d/99-disable-network-config.cfgand add the configurationnetwork: {config: disabled}.ImportantFor more detailed information about cloud-init, you can log in to the Linux instance and view the information in
/etc/cloud/cloud.cfg.d/README.
Configure IP addresses
IP addresses in an operating system can be configured using either DHCP (the default) or static assignment. When configuring a secondary private IP address, you need to choose the configuration method based on your actual situation.
Static configuration: Requires manual configuration of necessary network parameters, such as subnet mask, default gateway, and DNS server addresses.
DHCP (dynamic acquisition): DHCP is a network protocol that lets devices in a network automatically obtain IP addresses, subnet masks, default gateways, DNS server addresses, and other configuration information. You can also configure a secondary private IP address for a Linux instance while maintaining DHCP dynamic acquisition.