Elastic Compute Service:Overview of elastic network interfaces

Types of elastic network interfaces

Alibaba Cloud offers the following types of network interfaces:

• Primary Network Interface

  The default network interface for each instance in a VPC is known as the primary network interface. Each instance is equipped with a single primary network interface.

• Secondary Elastic Network Interface

  • In scenarios with a single primary network interface, all network traffic is routed through this interface, suitable for simple traffic patterns. For more complex network segmentation and isolation, or to mitigate the risk of a single point of failure, secondary ENIs can be created and attached within the same VPC and zone to expand the network capabilities of an ECS instance.

  • Secondary ENIs are independently creatable network interfaces that can be dynamically attached or detached from instances in addition to the primary network interface.

    For detailed instructions, see Create and Use Elastic Network Interfaces.

Features of elastic network interfaces

• Support for Multiple IP Addresses: An ENI can be associated with several private IP addresses, enabling a single ECS instance to serve or access external resources through various IPs, thus enhancing network flexibility. For more information, see Secondary Private IP Addresses.

• Release with Instance Feature: When creating an ENI or afterwards, you can enable or disable the release with instance feature to determine whether the ENI should be retained or released along with the instance.

  Note

  ENIs that are retained upon instance release can be reattached as a primary or secondary ENI when creating a new instance.

  

• Hot Swapping: The hot swapping capability of secondary elastic network interfaces (ENIs) offers significant flexibility and convenience. It allows dynamic addition or removal of secondary ENIs while the ECS instance is operational, without the need to reboot the server or disrupt ongoing services. For instance, you can detach a secondary ENI from one instance and bind it to another within the same VPC and zone, all without having to restart the instance.

  Note

  The primary network interface cannot be detached from the instance and does not support hot swapping.

  • Certain instance types support network interface hot swapping. For more information, see Instance Families.

    List of ECS Instance Types That Do Not Support Network Interface Hot Swapping

    Instance family	Instance type
    Shared standard instance family s6	ecs.s6-c1m1.small, ecs.s6-c1m2.large, ecs.s6-c1m2.small, ecs.s6-c1m4.large, ecs.s6-c1m4.small
    Economy instance family e	ecs.e-c1m1.large, ecs.e-c1m2.large, ecs.e-c1m4.large
    Burstable instance family t6	ecs.t6-c1m1.large, ecs.t6-c1m2.large, ecs.t6-c1m4.large, ecs.t6-c2m1.large, ecs.t6-c4m1.large
    Burstable instance family t5	ecs.t5-c1m1.large, ecs.t5-c1m2.large, ecs.t5-c1m4.large, ecs.t5-lc1m1.small, ecs.t5-lc1m2.large, ecs.t5-lc1m2.small, ecs.t5-lc1m4.large, ecs.t5-lc2m1.nano
    Previous-generation shared instance families xn4, n4, mn4, e4	ecs.xn4.small ecs.n4.small, ecs.n4.large ecs.mn4.small, ecs.mn4.large ecs.e4.small, ecs.e4.large

  • For ECS instance types that do not support hot swapping:

    • Secondary ENIs cannot be added during instance creation but can be attached after the instance is created.

    • The instance must be in the Stopped state to bind or unbind secondary ENIs.

Limits

• ENIs are provided at no cost, but there is a limit to the number of ENIs that can be created by a single Alibaba Cloud account. For more information, see ENI Quotas.

• Instances and their bound ENIs must be in the same VPC and zone.

  • Multiple ENIs attached to an instance can be from different subnets within the same VPC and zone.

  • If two or more network interfaces from the same subnet are attached to an instance, network issues such as asymmetric routing may occur. Assigning one or more secondary private IP addresses to an ENI can optimize the utilization of VPC-type ECS instances and manage traffic in case of load failure. For more information, see Secondary Private IP Addresses.

• The number of network interfaces that can be attached to each instance depends on the instance type. For more details, see Instance Families under Elastic Network Interfaces.

• Attaching multiple network interfaces to an instance does not increase the instance's network bandwidth. For more information, see Network Bandwidth.

Important attributes of elastic network interfaces

By attaching ENIs, ECS instances gain resources such as private IP addresses and Elastic IP Addresses (EIPs) for communication with the Internet or other cloud resources. Key attributes of ENIs include the following:

• Virtual Private Cloud (VPC): ENIs can only be attached to instances within the same VPC. Once created, the VPC of an ENI cannot be changed.

• vSwitch: Each VPC has its own IP address range, and multiple vSwitches can be created to segment subnets. Subnets within the same VPC are interconnected by default. When an ENI is associated with a vSwitch, it receives one or more IP addresses from that subnet. ENIs and their instances must be in the same zone but can connect to different vSwitches.

• MAC Address: Each ENI has a unique MAC address that serves as its identifier.

  You can view details such as the VPC and MAC address of the network interface through the console or API. For more information, see View or Modify ENI Attributes.

• Assign One or More Private IP Addresses for Private Network Communication: By default, each ENI is assigned a primary private IPv4 address within its subnet.

  • For multi-IP requirements in scenarios such as multi-application, failover, and load balancing, you can assign additional secondary private IPv4 addresses to an ENI. For more information, see Add Secondary Private IP Addresses to ENIs.

  • For IPv6 public and private network communication, you can assign IPv6 addresses to the ENI of an instance in a VPC and vSwitch with an IPv6 CIDR block. For more information, see IPv6 Communication.

• Bind Static Public IP or Elastic IP Address (EIP) for Public Network Communication: By themselves, ENIs do not have public network communication capabilities. Public network communication can be achieved by:

  • Assigning a static public IP to the instance for public network communication. For more information, see Static Public IP.

  • Binding an EIP to an ENI for flexible public network communication. By binding an EIP to multiple private IP addresses of an ENI, an ECS instance can provide multiple public IPs. For more information, see Bind EIP to ENI.

• Security Group: ENIs are linked to security groups for network-layer security control.

  • Associating an ECS instance with a security group effectively associates the instance's primary network interface with the security group. For more information, see Associate a Security Group with an Instance (Primary Network Interface).

  • Within the same VPC, a secondary network interface can be associated with a different security group than the primary network interface. For more information, see Associate a Security Group with a Secondary Network Interface.

• Route Table: A route table is necessary for data packet path selection within a VPC and to other networks. Proper routing configuration is crucial for ENIs to send and receive data correctly. For more information, see Configure Routing.

  Note

  In a multi-network interface environment, the default route of a secondary network interface usually has a lower priority than that of the primary network interface. This means that data is sent from the primary network interface by default. To ensure data packets corresponding to the private IP of a secondary network interface are sent from that interface, you can configure policy-based routing for the secondary network interface.

Network enhancement features of elastic network interfaces

View elastic network interfaces of ECS instances

You can view information about the ENIs bound to an instance through the ECS console or directly within the instance.

References

• The Terway network plug-in facilitates network address management and pod communication within Kubernetes clusters. It allows for the implementation of access policies between containers using standard Kubernetes network policies and offers both VPC mode, utilizing ENIs, and inclusive ENI mode, using secondary IP addresses of ENIs. You can select the mode that best suits your needs for intra-cluster communication. For more information, see Using the Terway network plug-in.

• ENIs can be paired with Server Load Balancers, such as ELB, to manage and distribute network traffic effectively. For more information, see Adding backend servers through ENIs.

• Certain Alibaba Cloud services, including Container Service for Kubernetes (ACK) and NAT Gateway, rely on ENI capabilities to deliver their services. You can grant the cloud product system permission to manage the lifecycle of ENIs created for these products, safeguarding against unintended modifications and ensuring service availability. For more information, see Managed ENIs.

• To bind ENIs to ECS instances outside the VPC CIDR block range, you must add a CIDR block to the VPC, create a vSwitch within this new CIDR block in the same zone as the ECS instance, and then create and attach ENIs under that vSwitch to the instance. For more information, see Expanding VPC address space with additional CIDR blocks.