Elastic network interfaces (ENIs) are virtual network interfaces that provide network connectivity and IP addresses for Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs). You can bind one or more ENIs to each ECS instance. You can bind secondary ENIs to or unbind secondary ENIs from different ECS instances to allow for more flexibility and scalability in network configurations and meet network requirements in different scenarios. For example, you can use ENIs to provide multiple IP addresses or network interface controllers (NICs) for a single ECS instance or create a high-availability network scheme.
An ENI can include the following attributes:
VPC information, such as the vSwitch and zone
A primary private IPv4 address from the IPv4 address range of a vSwitch in your VPC
One or more secondary private IPv4 addresses from the IPv4 address range of a vSwitch in your VPC
One or more public IPv4 addresses
One or more IPv6 addresses
A media access control (MAC) address
One or more security groups
Terms
| Term | Description |
| --- | --- |
| ENI type | ENIs are classified into primary ENIs and secondary ENIs. Each ECS instance that is deployed in a VPC has a default ENI, which is called the primary ENI. You cannot separately create a primary ENI or unbind a primary ENI from an ECS instance. You can separately create a secondary ENI and bind the secondary ENI to an ECS instance. |
| Private IPv4 address | The primary private IP address of an ENI is a private IPv4 address that is within the CIDR block of the associated vSwitch. You can specify a primary private IP address when you create a secondary ENI. If you do not specify a primary private IP address, the system assigns a primary private IP address at random. You can assign one or more secondary private IPv4 addresses to an ENI, unassign the IP addresses from the ENI, and then assign the IP addresses to other ENIs. The number of private IPv4 addresses that you can assign to an ENI varies based on the instance type of the ECS instance to which the ENI is bound. For more information, see the Private IPv4 addresses per ENI columns in Overview of instance families. |
| Private IPv6 address | If you associate IPv6 CIDR blocks with your VPC and vSwitch, you can assign one or more secondary private IPv6 addresses from the IPv6 CIDR block of the vSwitch to an ENI. For information about how to associate an IPv6 CIDR block with a vSwitch, see Create and manage a vSwitch. The number of IPv6 addresses that you can assign to an ENI varies based on the instance type of the ECS instance to which the ENI is bound. For more information, see the IPv6 addresses per ENI columns in Overview of instance families. IPv6 addresses support communication over the internal network in VPCs. You can enable IPv6 public bandwidth to have Internet connectivity. For more information, see Step 3: Enable IPv6 public bandwidth for a Windows instance and Step 3: Enable IPv6 public bandwidth for a Linux instance. |
| EIP | You can associate one or more elastic IP addresses (EIPs) with an ENI to allow the ENI to communicate over the Internet. For more information, see Associate or disassociate an EIP. |
| NIC multi-queue | The NIC multi-queue feature allows instance types to support multiple traffic queues on each ENI. NIC queues represent the maximum number of queues that an instance type supports per ENI. Performance bottlenecks may occur when you use a single vCPU to process NIC interrupts on an ECS instance. To improve network performance, you can use the NIC multi-queue feature to distribute NIC interrupts across different vCPUs. For more information, see Configure NIC multi-queue. |
| Network card mapping | Instance types that support network card mapping provide higher network performance. When you bind ENIs to ECS instances of an instance type that supports network card mapping, you can specify network card indexes (NetworkCardIndex) to map the ENIs to network cards on the physical machines that host the ECS instances. This way, you can prevent bandwidth contention and improve instance bandwidth capabilities. You can call the DescribeInstanceTypes operation to query information about the network cards that are supported by instance types. To map ENIs to network cards, you must assign network card index 0 to primary ENIs and assign network card indexes to secondary ENIs based on the instance type. To maximize the network performance of an ECS instance, assign different network card indexes to the primary ENI and secondary ENIs. For more information, see Best practices for managing ENIs by using ECS SDK for Java. |
Scenarios
Container network plans: You can use ENI-based Container Network Interface (CNI) plug-ins to manage the IP addresses and communication of pods in Kubernetes clusters. For example, Terway is an Alibaba Cloud open-source CNI plug-in that is used on top of ENIs. Terway can define access policies between containers based on standard Kubernetes network policies. You can use one of the following modes to enable network communication between Kubernetes clusters: the inclusive ENI mode based on the secondary IP addresses of ENIs and the VPC mode based on ENIs. For more information, see Work with Terway.
Network and security management: You can use multiple ENIs to create virtual versions of specific networking devices, such as load balancers, NAT servers, and proxy servers. In most cases, multiple ENIs are bound to a virtual security device. Each ENI has its own private IP addresses. You can configure public IP addresses and firewalls for each ENI based on your business requirements. A common scenario is a management network built from ENIs on an ECS instance that is deployed in a VPC: the primary ENI handles public traffic and the secondary ENIs handle internal traffic. The secondary ENIs are connected to subnets within the VPC. The primary ENI is associated with a security group that controls access to the instance from the Internet, or from Internet-facing load balancers on TCP ports 80 and 443. The secondary ENIs that handle internal traffic are associated with security groups that allow access only from specific subnets within the VPC. Traffic from a public client can enter the VPC only if it matches a rule of the firewall or security group that is associated with the primary ENI. This way, resources that are reachable from the Internet are isolated from your internal networks and services, which greatly limits the impact of a security breach.
Isolation from the Internet: ENIs can be used in a multi-layer network architecture to ensure that internal networks and services are isolated from public-facing services. You can place a secondary ENI on each of your web servers that connects to a mid-tier network where an application server resides. One ENI handles public-facing traffic and one ENI handles backend traffic that is strictly controlled. Each dual-homed instance receives and processes frontend requests, initiates a connection to the backend, and then sends requests to the servers on the backend network. Because each ENI has a distinct purpose, you can apply firewall rules and access control per ENI and enforce security controls on all communication from the public network into the VPC.
High availability: If an instance fails, you can move its ENIs to a standby instance to recover services. For example, you can use an ENI as the primary ENI or a secondary ENI that is connected to a critical service, such as a database instance or a NAT instance. If the instance to which the ENI is attached fails, you, or a script that runs on your behalf, can attach the ENI to a hot standby instance. The ENI retains its private IP addresses, EIPs, and MAC address, so network traffic flows to the standby instance as soon as the ENI is attached to it.
Traffic isolation: Specific applications are sensitive to fluctuations in traffic. You can use ENIs to handle traffic bursts. This ensures that at least the minimum bandwidth is available during traffic spikes or traffic congestion. Each ENI belongs to a virtual queue. Virtual queues prevent bandwidth peaks and DDoS attacks that hit the network of one VPC from affecting the networks of other VPCs. The virtual queue to which an ENI belongs can also be used to prevent head-of-line (HOL) blocking and to ensure that each I/O interface gets an equal share of the CPU resources of the instance to which the ENI is attached.
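The dual-homed layout in the management network and isolation scenarios above can be checked mechanically: the Internet-facing primary ENI may expose only TCP 80 and 443 to the world, and every internal secondary ENI may accept traffic only from sources inside the VPC. The following audit is an added example, not Alibaba Cloud code; its input imitates the shape of DescribeNetworkInterfaces and DescribeSecurityGroupAttribute results but is flattened and constructed here, and the field names are assumptions.

```python
# Added example (not Alibaba Cloud code): check the dual-homed layout above.
# Input imitates DescribeNetworkInterfaces / DescribeSecurityGroupAttribute
# results, flattened and constructed here; field names are assumptions.
import ipaddress

PUBLIC_PORTS = {"80/80", "443/443"}      # what the Internet-facing ENI may expose

def audit_eni(eni, sg_rules, vpc_cidr):
    """Return findings for one ENI; an empty list means the ENI is compliant."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg_id in eni["SecurityGroupIds"]:
        for rule in sg_rules.get(sg_id, []):
            if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
                continue                     # only inbound allow-rules matter here
            if not rule.get("SourceCidrIp"):
                continue                     # rules sourced from a security group: out of scope
            src = ipaddress.ip_network(rule["SourceCidrIp"])
            where = f"{eni['NetworkInterfaceId']} via {sg_id}"
            if eni["Type"] == "Primary":
                # Public ENI: anything open to the whole Internet must be 80 or 443
                if src.prefixlen == 0 and rule["PortRange"] not in PUBLIC_PORTS:
                    findings.append(f"{where}: {rule['PortRange']} open to the Internet")
            elif src.version != vpc.version or not src.subnet_of(vpc):
                # Internal ENI: every allowed source must lie inside the VPC
                findings.append(f"{where}: {rule['PortRange']} reachable from {src}")
    return findings

def audit_all(enis, sg_rules, vpc_cidr="10.0.0.0/16"):
    return [f for eni in enis for f in audit_eni(eni, sg_rules, vpc_cidr)]

# Constructed sample: one public primary ENI and one internal secondary ENI,
# each with one compliant rule and one rule that violates the layout.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-web-x", "Type": "Primary", "SecurityGroupIds": ["sg-public-x"]},
    {"NetworkInterfaceId": "eni-app-x", "Type": "Secondary", "SecurityGroupIds": ["sg-internal-x"]},
]
SAMPLE_RULES = {
    "sg-public-x": [
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "443/443"},
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "22/22"},
    ],
    "sg-internal-x": [
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "10.0.1.0/24", "PortRange": "8080/8080"},
        {"Direction": "ingress", "Policy": "Accept", "SourceCidrIp": "0.0.0.0/0", "PortRange": "8080/8080"},
    ],
}
```

Running `audit_all(SAMPLE_ENIS, SAMPLE_RULES)` reports the SSH port opened on the public ENI and the world-reachable rule on the internal ENI, and nothing else.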
Best practices
You are not charged for ENIs. The number of ENIs that you can use is limited. For more information, see the ENI limits section in the Limits topic.
You can bind ENIs to ECS instances that reside in the same zone as the ENIs when the instances are running (hot bind), stopped (cold bind), or being started (cold bind). The number of ENIs that you can bind to an ECS instance varies based on the instance type. For more information, see the ENIs columns in Overview of instance families. You cannot unbind the primary ENI from an ECS instance. For more information, see Bind a secondary ENI.
You can move an ENI from one ECS instance to another ECS instance if the instances reside in the same zone. After you bind an ENI to an ECS instance, the network bandwidth of the instance remains unchanged.
When you create an ENI, you can add the ENI to multiple security groups. All rules of the security groups apply to the ENI. If you configure multiple secondary IPv4 or IPv6 addresses for the ENI, the IP addresses are included in the rules and cannot be modified. For information about how to change the security groups of an ENI, see Modify the attributes of an ENI. The modification immediately takes effect. For more information about security groups, see Overview of security groups.
When you call API operations to query a list of ENIs, you can specify the NextToken parameter to perform a paged query. For more information, see DescribeNetworkInterfaces.
ENIs are automatically configured on the operating systems of ECS instances that use the following images: CentOS 6.8 64-bit, CentOS 7.3 64-bit, Windows Server 2008 R2, and later. For instances that use other images, you must manually configure ENIs. For more information, see Configure a secondary ENI.
When you start ECS instances by using Alibaba Cloud CLI or SDKs or by calling API operations, you can bind secondary ENIs to the instances. For more information, see Bind a secondary ENI.
You can use the Terway CNI plug-in to manage the IP addresses and communication of pods in Kubernetes clusters. For more information, see Work with Terway.
If you bind two or more ENIs from the same subnet to an ECS instance, you may encounter networking issues such as asymmetric routing. You can assign one or more secondary private IP addresses to primary or secondary ENIs to optimize the usage of ECS instances that are deployed in VPCs and divert traffic during a failover. For more information, see Assign secondary private IP addresses.
Performance bottlenecks may occur when you use a single vCPU to process NIC interrupts on an ECS instance. To improve network performance, you can use the NIC multi-queue feature to distribute NIC interrupts across different vCPUs. For more information, see Configure NIC multi-queue.
You can use eRDMA interfaces (ERIs) to seamlessly migrate on-premises Remote Direct Memory Access (RDMA) applications, such as high-performance computing, AI training, and big data applications, to the cloud and run the applications as services in the cloud at lower costs and with higher elasticity and performance. For more information, see Overview of eRDMA.
If you have a large number of ENIs, you can add tags to the ENIs for grouping and management. For more information about tags, see Overview of tags.
You can use ENIs to add backend servers for Server Load Balancer (SLB) instances. For more information, see Add backend servers by specifying ENIs.
Manage ENIs
You can manage and configure ENIs in the ECS console or by calling API operations.
You can view, create, modify, delete, bind, and unbind ENIs in the ECS console.
You can write scripts or use SDKs to call API operations to manage, bind, and unbind ENIs in batches.
Call API operations
CreateNetworkInterface: creates a secondary ENI.
DeleteNetworkInterface: deletes a secondary ENI.
DescribeNetworkInterfaces: queries a list of ENIs.
AttachNetworkInterface: binds a secondary ENI to an ECS instance.
AssignPrivateIpAddresses: assigns one or more secondary private IP addresses to an ENI.
UnassignPrivateIpAddresses: unassigns one or more secondary private IP addresses from an ENI.
DetachNetworkInterface: unbinds an ENI from an ECS instance.
ModifyNetworkInterfaceAttribute: changes the name, security groups, and description of an ENI.
DescribeInstances: queries information about the ENIs that are bound to ECS instances.
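The high-availability scenario above (move a secondary ENI from a failed instance to a hot standby) combines several of these operations, and the paged DescribeNetworkInterfaces query must follow NextToken until no token is returned. The following is an added example, not Alibaba Cloud code: FakeClient is an in-memory stand-in for the real ECS API client, its `call()` signature and the flattened result fields are assumptions, and the failover routine enforces the two constraints the page states, that a primary ENI cannot be unbound and that the ENI and the target instance must be in the same zone.

```python
# Added example (not Alibaba Cloud code). FakeClient stands in for an ECS API
# client; its call() signature and flattened result fields are assumptions.
class FakeClient:
    def __init__(self, enis, zones, page_size=1):
        self.enis, self.zones, self.page_size, self.calls = enis, zones, page_size, []
    def call(self, action, **p):
        self.calls.append(action)                  # audit trail of API actions
        if action == "DescribeNetworkInterfaces":  # paged; NextToken is an offset here
            start = int(p.get("NextToken") or 0)
            end = start + self.page_size
            return {"NetworkInterfaceSet": self.enis[start:end],
                    "NextToken": str(end) if end < len(self.enis) else ""}
        if action == "DescribeInstances":
            return {"ZoneId": self.zones[p["InstanceId"]]}
        # Attach / Detach: record which instance the ENI is now bound to
        eni = next(e for e in self.enis if e["NetworkInterfaceId"] == p["NetworkInterfaceId"])
        eni["InstanceId"] = p["InstanceId"] if action == "AttachNetworkInterface" else ""

def list_enis(client, region_id):
    """Collect every ENI, following NextToken until the API returns none."""
    enis, token = [], ""
    while True:
        resp = client.call("DescribeNetworkInterfaces", RegionId=region_id, NextToken=token)
        enis.extend(resp["NetworkInterfaceSet"])
        token = resp.get("NextToken", "")
        if not token:
            return enis

def failover_eni(client, region_id, eni_id, standby_id, network_card_index=1):
    """Move a secondary ENI to standby_id; returns the instance it is now bound to."""
    eni = next((e for e in list_enis(client, region_id) if e["NetworkInterfaceId"] == eni_id), None)
    if eni is None or eni["Type"] != "Secondary":   # primary ENIs cannot be unbound
        raise ValueError("only an existing secondary ENI can be moved")
    zone = client.call("DescribeInstances", RegionId=region_id, InstanceId=standby_id)["ZoneId"]
    if zone != eni["ZoneId"]:                        # binding requires the same zone
        raise ValueError("ENI and standby instance must be in the same zone")
    if eni["InstanceId"]:                            # still bound to the failed instance
        client.call("DetachNetworkInterface", RegionId=region_id,
                    NetworkInterfaceId=eni_id, InstanceId=eni["InstanceId"])
    client.call("AttachNetworkInterface", RegionId=region_id, NetworkInterfaceId=eni_id,
                InstanceId=standby_id, NetworkCardIndex=network_card_index)
    return eni["InstanceId"]

# Constructed sample data: two ENIs (so the fake returns two pages) and three instances.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-primary-x", "Type": "Primary", "InstanceId": "i-failed-x", "ZoneId": "cn-hangzhou-h"},
    {"NetworkInterfaceId": "eni-db-x", "Type": "Secondary", "InstanceId": "i-failed-x", "ZoneId": "cn-hangzhou-h"},
]
SAMPLE_ZONES = {"i-failed-x": "cn-hangzhou-h", "i-standby-x": "cn-hangzhou-h", "i-far-x": "cn-hangzhou-i"}

def sample_client():
    return FakeClient([dict(e) for e in SAMPLE_ENIS], SAMPLE_ZONES)
```

`failover_eni(sample_client(), "cn-hangzhou", "eni-db-x", "i-standby-x")` walks both pages, detaches the ENI from the failed instance, attaches it to the standby, and refuses to move the primary ENI or to move any ENI to an instance in another zone.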