Overview - Elastic Compute Service - Alibaba Cloud Documentation Center

Elastic network interface (ENIs) are virtual network interfaces that provide network connectivity and IP addresses for Elastic Compute Service (ECS) instances that are deployed in virtual private clouds (VPCs). You can bind one or more ENIs to each ECS instance. An ENI supports multiple IP addresses. You can migrate an ENI between different ECS instances that are deployed in the same VPC and zone as the ENI. This improves the flexibility and scalability of network configurations and ensures that the network configurations can meet the network requirements in various business scenarios. For example, you can use ENIs to create multi-IP address, multi-NIC, or high-availability networks.

ENI types

Alibaba Cloud provides the following types of ENIs:

Primary ENIs
Each ECS instance in a VPC has a default ENI. The default ENI is called the primary ENI. Each ECS instance has only one primary ENI.
Secondary ENIs
- If an ECS instance has only the primary ENI, the instance sends and receives all network traffic by using the primary ENI, which is suitable for scenarios in which the business traffic is simple. If your business requires finer-grained network classification and isolation to prevent single points of failure, you can create and bind secondary ENIs that reside in the same VPC and zone as an ECS instance to the instance.
- Secondary ENIs can be separately created and bound to ECS instances. Compared with primary ENIs, secondary ENIs can be independently created and dynamically bound to and unbound from ECS instances.
  For more information, see Create and use an ENI.

ENI features

Support for multiple IP addresses. A single ENI can be associated with multiple private IP addresses. This allows a single ECS instance to provide services or access external resources by using different IP addresses, which increases network flexibility. For more information, see Secondary private IP addresses.
Release with Instance: You can enable or disable the Release with Instance feature when or after an ENI is created. The status of the feature determines whether the ENI is retained or released when the associated ECS instance is released. By default, the Release with Instance feature is enabled for an ENI, which indicates that the ENI is released when the associated ECS instance is released. This simplifies O&M management and prevents resource residuals.
If the Release with Instance feature is disabled for an ENI, the ENI and its configurations, such as IP addresses and associated security groups, are retained when the associated ECS instance is released. You can quickly bind the ENI to a different ECS instance that resides in the same VPC and zone as the ENI. You can also reuse the ENI when you create a new ECS instance. This improves O&M flexibility and business continuity.

Hot swapping. The hot swapping feature of secondary ENIs provides great flexibility and convenience. The feature allows you to dynamically bind or unbind secondary ENIs to or from an ECS instance in the Running state, without the need to restart the instance or interrupt the services running on the instance. For example, you can unbind a secondary ENI from an ECS instance and attach the ENI to a different ECS instance that resides in the same VPC and zone as the ENI, without the need to restart the instances.

Note

You cannot unbind the primary ENI from an ECS instance. Primary ENIs do not support the hot swapping feature.

For information about the instance types that support the hot swapping feature of secondary ENIs, see Overview of instance families.

ECS instance types that do not support the hot swapping feature of secondary ENIs

Instance family	Instance type
s6, shared standard instance family	ecs.s6-c1m1.small, ecs.s6-c1m2.large, ecs.s6-c1m2.small, ecs.s6-c1m4.large, and ecs.s6-c1m4.small
e, economy instance family	ecs.e-c1m1.large, ecs.e-c1m2.large, and ecs.e-c1m4.large
t6, burstable instance family	ecs.t6-c1m1.large, ecs.t6-c1m2.large, ecs.t6-c1m4.large, ecs.t6-c2m1.large, and ecs.t6-c4m1.large
t5, burstable instance family	ecs.t5-c1m1.large, ecs.t5-c1m2.large, ecs.t5-c1m4.large, ecs.t5-lc1m1.small, ecs.t5-lc1m2.large, ecs.t5-lc1m2.small, ecs.t5-lc1m4.large, and ecs.t5-lc2m1.nano
xn4, n4, mn4, and e4, previous-generation shared instance families	ecs.xn4.small ecs.n4.small and ecs.n4.large ecs.mn4.small and ecs.mn4.large ecs.e4.small and ecs.e4.large

For the instance types that do not support the hot swapping feature of secondary ENIs, the following limits apply:
- You cannot bind a secondary ENI to an ECS instance of an instance type in the preceding table when you create the instance. After you create the instance, you can bind secondary ENIs to the instance.
- When you bind a secondary ENI to or unbind a secondary ENI from an ECS instance of an instance type in the preceding table, make sure that the instance is in the Stopped state.

Limits

You can use ENIs free of charge. However, the number of ENIs that you can create in an Alibaba Cloud account is limited. For more information, see the ENI limits section of the "Limits" topic.
An ECS instance and the ENIs that are bound to the instance must reside in the same VPC and zone.
- The ENIs bound to an ECS instance can connect to different vSwitches in the same VPC and zone as the instance.
- If you bind two or more ENIs from the same subnet to an ECS instance, network issues may occur, such as asymmetric routing. You can assign one or more secondary private IP addresses to each primary or secondary ENI to optimize the usage of ECS instances that are deployed in VPCs and divert traffic during a failover. For more information, see Secondary private IP addresses.
The number of ENIs that you can bind to an ECS instance varies based on the instance type. For more information, see the ENIs columns in Overview of instance families.
Binding multiple ENIs to an ECS instance does not increase or multiply the network bandwidth of the instance. For more information, see Network bandwidth.

Important attributes of ENIs

After you bind ENIs to an ECS instance, the instance can obtain resources such as private IP addresses and elastic IP addresses (EIPs). This way, the ECS instance can communicate with the Internet or other cloud resources. The following section describes a few important attributes of ENIs:

VPC: An ENI can be bound to only an ECS instance that resides in the same VPC as the ENI. You cannot change the VPC of an ENI after the ENI is created.
vSwitch: Each VPC has an independent IP address range. You can create multiple vSwitches in a VPC to divide the VPC into subnets. By default, subnets in the same VPC can communicate with each other. When you specify a vSwitch for an ENI, the ENI obtains one or more IP addresses from the CIDR block associated with the vSwitch. An ENI can be bound to only an ECS instance that resides in the same zone as the ENI. The instance and the ENI can connect to different vSwitches.
Note
If you want to bind an ENI to an ECS instance and the IP addresses of the ENI are not within the CIDR block of the VPC in which the instance resides, you must perform the following steps: Add a secondary CIDR block to the VPC, create a vSwitch in the zone in which the instance resides, associate the secondary CIDR block with the vSwitch, create an ENI that is associated with the vSwitch, and then bind the ENI to the instance. For more information, see Secondary CIDR blocks.
MAC address: Each ENI has a unique media access control (MAC) address as its unique identifier.
You can view information about an ENI, such as the VPC and MAC address of the ENI, in the ECS console or by calling an API operation. For more information, see Modify the attributes of an ENI.
Private IP addresses: You can assign one or more private IP addresses to an ENI for communication over the internal network. Each ENI is automatically assigned an IPv4 address as the primary private IPv4 address from the CIDR block that is associated with the vSwitch connected to the ENI.
- If you have requirements for multiple private IP addresses in business scenarios, such as the multi-application, failover, and Server Load Balancer (SLB) scenarios, you can assign one or more secondary private IPv4 addresses to an ENI that is bound to an ECS instance. For more information, see the Assign secondary private IP addresses to an ENI section of the "Secondary private IP addresses" topic.
- If you want an ECS instance to communicate with the Internet or private networks over IPv6, you can associate IPv6 CIDR blocks with the VPC in which the instance resides and with the vSwitch that is connected to an ENI bound to the instance, and then assign one or more IPv6 addresses to the ENI. For more information, see IPv6 communication.
Static public IP address or EIPs: You can assign a static public IP address to or associate EIPs with an ECS instance to allow the instance to access the Internet. An ENI does not have Internet communication capabilities. To enable Internet communication for an ECS instance, you can use one of the following methods:
- Assign a static public IP address to the primary ENI of the ECS instance. For more information, see Static public IP address.
- Associate EIPs with ENIs bound to the ECS instance. You can associate an EIP with or disassociate an EIP from an ENI based on your business requirements. For the ECS instance to provide multiple public IP addresses for external access, you can associate EIPs with multiple private IP addresses that are assigned to the ENIs bound to the instance. For more information, see Associate an EIP with a secondary ENI.
Security groups: To provide network layer security control, you can associate ENIs with security groups.
- When you associate an ECS instance with a security group, you associate the primary ENI of the instance with the security group. For more information, see Associate security groups with an instance (primary ENI).
- In the same VPC, the secondary ENIs bound to an ECS instance can be associated with different security groups from the security group of the primary ENI. For more information, see Associate a secondary ENI with security groups.
Route table: When data is transmitted within a VPC and between the VPC and other networks, the route table is used to guide the routing of data packets. Correct routing configurations ensure that ENIs can correctly send and receive data. For more information, see the (Conditionally required) Step 4: Configure routes section of the "Configure a secondary ENI" topic.
Note
In a multi-ENI environment, the priority of the default route of a secondary ENI is lower than the priority of the default route of the primary ENI. This ensures that data is preferentially sent from the primary ENI. If you want data packets associated with a private IP address of a secondary ENI to be sent from the secondary ENI, you can configure policy-based routing for the secondary ENI to ensure that data received by the ENI is also sent from the ENI.

Network enhancements of ENIs

eRDMA capabilities

You can enable Elastic RDMA Interface (ERI) for an ENI. An ENI for which ERI is enabled is an ERI that supports elastic Remote Direct Memory Access (eRDMA) capabilities. You can bind an ERI to and install the eRDMA driver on an eRDMA-capable ECS instance to provide low-latency and high-throughput network communication for the instance. For more information, see ERIs.

NIC multi-queue

The network interface controller (NIC) multi-queue feature allows you to configure multiple transmit (Tx) and receive (Rx) queues on a NIC. Each queue can be processed by a different CPU core. The NIC multi-queue feature is designed to improve network I/O throughput and reduce latency by allowing multiple CPU cores to simultaneously process network packets in different queues on a NIC.

For more information, see NIC multi-queue.

Network card indexes

Specific Elastic Compute Service (ECS) instance types support configuring network card indexes to provide higher network performance. When you attach elastic network interfaces (ENIs) to ECS instances of an instance type that supports configuring network card indexes, you can specify network card indexes to attach the ENIs to different underlying communication channels. This way, you can maximize network bandwidth utilization and improve instance bandwidth capabilities.

For more information, see Network card indexes.

View the ENIs bound to an ECS instance

You can view information about the ENIs bound to an ECS instance in the ECS console, by calling an API operation, or within the instance.

View the ENIs bound to an ECS instance in the ECS console

View the ENIs bound to an ECS instance by calling an API operation

View the ENIs bound to an ECS instance after you connect to the instance

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource that you want to manage belongs.
Click the ID of the ECS instance whose ENIs you want to view to go to the instance details page.
Click the ENIs tab to view the ENIs bound to the ECS instance.
You can view the IDs, names, types, status, and IP addresses of the ENIs bound to the ECS instance in the ENI list.

Call the DescribeInstances operation to query information about the ECS instance specified by using the InstanceIds parameter. The NetworkInterfaces parameter in the response contains information about the ENIs bound to the instance, including the type (Type), ID (NetworkInterfaceId), and primary private IP address (PrimaryIpAddress) of each ENI.

Linux instance

Windows instance

In this example, Alibaba Cloud Linux 3.2 is used.

Connect to a Linux instance.
For more information, see Use Workbench to connect to a Linux instance over SSH.
Run the following command to view and check the information of the ENIs bound to the Linux instance:
```
ip a
```
The following figure shows the sample command output.
- In this example, two ENIs are bound to the Linux instance. The ENI named eth0 serves as the primary ENI and the ENI named eth1 serves as a secondary ENI.
- The ENIs are in the UP state, which indicates that the ENIs take effect in the operating system of the Linux instance.
  Important
  The following figure shows that the ENI named eth1 is in the DOWN state, which indicates that the ENI is not loaded. In this case, you must configure the Linux operating system to recognize the ENI to ensure that the ENI is in the UP state.
- The primary private IP address of each ENI that is in the UP state is displayed in the command output. For information about the primary private IP address, see Primary private IP address.
- If you assign secondary private IP addresses to an ENI but the operating system cannot recognize the secondary private IP addresses, resolve the issue by performing the operations described in the Step 3: Configure the operating system of the instance to recognize the secondary private IP addresses section of the "Secondary private IP addresses" topic.
Run the following command to view route information for ENIs:
```
route -n
```
The preceding command output indicates that the system configures two routes for the secondary ENI named eth1.
- The route destined for 192.168.xx.xx: a route within a specific subnet. The route ensures that the Linux instance can correctly identify and directly communicate with other hosts within the subnet without the need to forward traffic that matches the route to additional routers.
- The route destined for 0.0.0.0: the default route used to process packets destined for external networks or other remote networks. When the destination of a packet is not within the local subnet, the packet is sent to the gateway address 192.168.xx.xx for further forwarding.
  Important
  - By default, the priority of the default route of a secondary ENI is lower than the priority of the default route of the primary ENI. In this example, the eth0 ENI is the primary ENI. Packets are preferentially sent from the primary ENI eth0.
  - If you want packets associated with the private IP address of the secondary ENI named eth1 to be sent from the ENI, configure policy-based routing for the ENI to ensure that data received by the ENI is also sent from the ENI. For more information, see the Configure policy-based routing for an ENI section of the "Configure routing for an ENI" topic.
  Specific early operating systems, such as Ubuntu 16, may not automatically configure default routes for secondary ENIs. The command output does not contain default routes for secondary ENIs, as shown in the following figure. In this case, exceptions may occur when you use the ENIs. We recommend that you use late operating system distributions or manually configure default routes for the secondary ENIs. For information about how to configure a default route for a secondary ENI, see the Configure a default route for an ENI section of the "Configure routing for an ENI" topic.

In this example, Windows Server 2022 is used.

Connect to a Windows instance.
For more information, see Use Workbench to connect to a Windows instance over RDP.
Open Network and Sharing Center.
Click Change adapter settings.
In this example, one primary ENI and one secondary ENI are bound to the Windows instance. The following figure shows that the ENIs take effect in the operating system of the instance. No additional configurations are required.
The following figure shows that the operating system of the Windows instance cannot identify the secondary ENI due to specific reasons. In this case, troubleshoot the issue as described in What do I do if the ENI configurations of a Windows instance become invalid?
View the status and details of the ENIs.
1. Double-click the name of an ENI to view the status of the ENI.
  In this example, the primary ENI named Ethernet is used.
2. Click Details to view the properties of the ENI.
  In the dialog box that appears, you can view the primary private IPv4 address, subnet mask, and default gateway of the ENI.
Open the Command Prompt.
Press Win+R. In the Run dialog box, enter cmd and click OK.
Run the following command to view route information for ENIs:

References

You can use the Terway Container Network Interface (CNI) plug-in to manage the IP addresses and communication of pods in Kubernetes clusters. Terway can define access policies between containers based on standard Kubernetes network policies. You can use one of the following modes to enable network communication between Kubernetes clusters: the inclusive ENI mode based on the secondary IP addresses of ENIs and the VPC mode based on ENIs. For more information, see Work with Terway.
You can use ENIs in conjunction with SLB to distribute and manage traffic. For more information, see Add backend servers by specifying ENIs.
Specific Alibaba Cloud services, such as Container Service for Kubernetes (ACK) and NAT Gateway, depend on ENIs to work. You can grant Alibaba Cloud services the permissions to manage the lifecycles of the ENIs that are created by the services. This prevents accidental operations on the ENIs and ensures service availability. For more information, see Managed ENIs.

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)