You can assign one or more secondary private IP addresses to a primary or secondary elastic network interface (ENI) that is attached to an Elastic Compute Service (ECS) instance. This meets your business requirements for multiple private IP addresses in multi-application, failover, and Server Load Balancer (SLB) scenarios. This topic describes how to assign secondary private IP addresses to and configure secondary private IP addresses for an ECS instance and how to unassign the secondary private IP addresses.
Introduction
If the primary ENI or a secondary ENI on your instance requires more than one IP address, in addition to the primary private IP address, you can assign multiple secondary private IP addresses to the ENI. In this case, a single ECS instance has multiple private IP addresses. The following figure shows the private IP address assignment to the primary and secondary ENIs.
Scenarios
Secondary private IP addresses are suitable for the following scenarios:
Scenarios that involve multiple applications: If multiple applications are deployed on an ECS instance, you can assign secondary private IP addresses to the applications. This way, each application can use a separate IP address for communication and a single instance can provide multiple services to maximize instance utilization.
Failover scenarios: If an instance fails, you can unbind secondary ENIs from the instance and bind the ENIs to another instance. Traffic destined for the secondary private IP addresses of the failed instance can be diverted to the normal instance to ensure service continuity.
SLB scenario: After multiple secondary private IP addresses are assigned to each instance, the SLB mechanism can evenly distribute traffic to different private IP addresses across instances. This improves system scalability and performance.
Considerations
The maximum number of private IP addresses that can be assigned to an ENI varies based on the status of the ENI.
For an ENI in the Available state, you can assign up to 10 private IP addresses.
For an ENI in the InUse state, the maximum number of private IP addresses that you can assign varies based on the instance type of the instance to which the ENI is bound. For more information, see the Private IPv4 addresses per ENI column in the instance type table of each instance family in Overview of instance families.
A limited number of private IP addresses can be contained in a security group that belongs to a virtual private cloud (VPC). For more information, see the Security group limits section in the "Limits" topic.
Assign secondary private IP addresses to an ENI
In the following steps, both steps 1 and 3 are mandatory. Please read carefully the steps before you perform operations.
Step 1: Assign one or more secondary private IP addresses to an ENI
You can add or delete secondary private IP addresses in the Manage ENI IP Addresses dialog box of the primary ENI or a secondary ENI bound to an ECS instance in the ECS console. Perform the following steps.
You can call an API operation to assign secondary private IPv4 or IPv6 addresses to an ENI. For more information, see AssignPrivateIpAddresses or AssignIpv6Addresses.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Elastic Network Interfaces page, find the ENI to which you want to assign secondary private IP addresses and click Manage ENI IP Addresses in the Operation column.
In the Manage ENI IP Addresses dialog box, click Increase in the Secondary Private IPv4 Address or IPv6 section.
If you leave the fields empty, random IP addresses are automatically assigned from within the private IPv4 or IPv6 CIDR blocks of the vSwitch to which the ENI is connected.
If you enter IP addresses, make sure that the IP addresses are within the private IPv4 or IPv6 CIDR blocks of the vSwitch to which the ENI is connected.
Click Confirm to complete the assignment of the secondary private IP addresses.
Check whether the secondary private IP addresses are assigned to the ENI as expected.
Go to the instance details page of the instance to which the ENI is bound, click the ENIs tab, and then view the address assignment information. The following figure shows an example.
(Conditionally required) Step 2: Bind the ENI
If you want to add a secondary private IP address to a secondary ENI, make sure that the secondary ENI is bound to an ECS instance and configured. For more information, see Bind a secondary ENI and Configure a secondary ENI.
In this example, a secondary private IP address is assigned to the primary ENI that is already bound to an ECS instance. Therefore, you do not need to perform this step.
Step 3: Configure the operating system of the instance to recognize the secondary private IP addresses
After you assign a secondary private IP address to an instance, you must configure the secondary private IP address for the instance based on the operating system type and IP address type. The operations that you must perform vary based on the operating system type and IP address type.
Configuration example
In this example, secondary private IPv4 addresses are configured. For information about how to configure IPv6 addresses, see IPv6 communication.
The following table describes the assignment of secondary private IPv4 addresses to the primary ENI. Replace the IPv4 addresses with actual IPv4 addresses.
ENI
Primary private IPv4 address
Secondary private IPv4 address 1
Secondary private IPv4 address 2
Primary ENI
192.168.1.201
192.168.1.202
192.168.1.203
Before you perform operations, make sure that the instance to which the ENI is bound is in the Running (Running) state. For information about how to start an instance, see Start an instance.
The following configuration operations in the following operating systems are only for reference. The configuration operations may vary based on the operating system type.
Configuration example in Linux
Connect to the Linux ECS instance.
For more information, see Use Workbench to connect to a Linux instance over SSH.
View the current network configurations and routing information, and obtain the default gateway and subnet mask.
View the primary private IPv4 address of the ENI
Run the following command to query the network configurations:
ip aThe following figure shows the sample command output.
The command output indicates the network configurations of the ENI named eth0.
eth0 is activated and is dynamically assigned 192.168.1.201 as the primary private IPv4 address.
View the subnet mask and gateway
Run the following command to query the routing information:
route -nThe sample command output shown in the following figure indicates the routing information of the instance.
The subnet mask (Genmask) is 255.255.255.0.
The default gateway (Gateway) is 192.168.1.253.
The following table describes the network configurations of the instance.
ENI
Status
Default gateway
Subnet mask
Primary private IP address
Secondary private IPv4 address 1
Secondary private IPv4 address 2
eth0 (serves as the primary ENI)
UP
192.168.1.253
255.255.255.0
192.168.1.201 (is automatically configured)
192.168.1.202 (cannot be recognized and must be manually configured)
192.168.1.203 (cannot be recognized and must be manually configured)
Use one of the following methods to configure secondary private IPv4 addresses based on your business requirements.
Run
nmcli concommandsNoteNetworkManager is a daemon process used to manage network connections and network settings in Linux operating systems. NetworkManager provides the nmcli command-line tool to help you easily manage network connections.
nmcli is suitable for all operating systems that manage network services by using NetworkManager, including but not limited to Fedora, CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, Debian, and their distributions.
In this example, eth0 is used as the connection name. Replace the connection name with the actual connection name.
Run the following command to create a file to disable the network configuration feature of cloud-init. This prevents configuration failures caused by instance restart. For more information, see the cloud-init automatically initializes network configurations section of this topic.
sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfgAdd the following configuration to the file:
network: {config: disabled}Run the following command to check the current network connection:
nmcli con showThe names of network connections vary based on the Linux distribution. The following figure shows a sample network connection.
Run the following commands to configure the secondary private IPv4 addresses, default gateway, and IPv4 configuration method (manual or DHCP) of eth0:
sudo nmcli con modify System\ eth0 ipv4.addresses 192.168.1.201/24,192.168.1.202/24,192.168.1.203/24 sudo nmcli con modify System\ eth0 ipv4.gateway 192.168.1.253 sudo nmcli con modify System\ eth0 ipv4.method manualRun the following command to allow the configurations to take effect:
sudo nmcli con up System\ eth0If a message similar to "Connection successfully activated" is returned, the configurations take effect.
Modify the network configuration file of the ENI
ImportantThe network configuration file varies based on the Linux operating system distribution and version.
We recommend that you back up the network configuration file before you modify the file.
Make sure that you correctly modify the network configuration file. Incorrect configurations may cause an instance connection failure.
RHEL series
NoteThe following procedure applies to the following operating system distributions: Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, CentOS 6, CentOS 7, CentOS 8, Red Hat 6, Red Hat 7, Red Hat 8, Red Hat 9, Anolis 7, Anolis 8, Fedora 33, Fedora 34, and Fedora 35.
In this example, Alibaba Cloud Linux 3.2 is used.
In this example, the eth0 ENI is used. Replace the ENI name with the actual ENI name.
Run the following command to check whether the main configuration file of the ENI exists. Each ENI has a corresponding configuration file that identifies the ENI.
NoteIn specific operating systems, such as Alibaba Cloud Linux 3.2, the main configuration file of an ENI is automatically generated by cloud-init.
In other operating systems, such as CentOS 8.5, you must create the main configuration file of an ENI and configure ENI parameters in the file.
ls /etc/sysconfig/network-scripts/ifcfg-eth0If the main configuration file exists, proceed to Step b.
If the main configuration file does not exist, create the main configuration file and configure basic ENI parameters in the file.
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0Specify the ENI name, use Static as the method to obtain an IP address, and then configure the primary private IPv4 address, subnet mask, and gateway information of the ENI.
In this example, the main configuration file of eth0 does not exist. You must configure the required parameters. Sample code snippet:
The ENI name. Example: eth0. DEVICE=eth0 TYPE=Ethernet BOOTPROTO=dhcp #Activate the ENI when the operating system starts. ONBOOT=yes
Run the following command to open the network configuration file of eth0 and configure Secondary private IPv4 address 1 for eth0:
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0:0Sample code snippet:
#The ENI name in the format of <ENI name>:<Serial number of the secondary private IP address>. DEVICE=eth0:0 TYPE=Ethernet #The method used to obtain an IP address, which is set to Static. BOOTPROTO=static #The IPv4 address and subnet mask that require manual configuration. IPADDR=192.168.1.202 NETMASK=255.255.255.0
Ubuntu 22, Ubuntu 24, and Debian 12
Run the following command to disable the network configuration feature of cloud-init.
ImportantThe /etc/netplan/50-cloud-init.yaml network configuration file is automatically generated by
cloud-initwhen the instance starts. Before you can modify the file, you must disable the network configuration feature of cloud-init. For more information, see the cloud-init automatically initializes network configurations section of this topic.sudo vim /etc/cloud/cloud.cfg.d/99-disable-network-config.cfgAdd the following configuration to the configuration file:
network: {config: disabled}Run the following command to open the network configuration file and configure the ENI:
sudo vim /etc/netplan/50-cloud-init.yamlSample code snippet:
network: version: 2 ethernets: eth0: #The name of the ENI. dhcp4: false #By default, DHCP is enabled to automatically assign IP addresses. If the parameter is set to false, you must manually configure IP addresses for the ENI. match: macaddress: 00:16:3e:16:43:xx #Replace this parameter with the actual MAC address of your ENI. set-name: eth0 addresses: - 192.168.1.201/24 #The primary private IP address of the ENI. - 192.168.1.202/24 #Secondary private IP address 1. - 192.168.1.203/24 #Secondary private IP address 2. routes: - to: default via: 192.168.1.253 #The default gateway.
Restart the network service to allow the new configurations to take effect.
NoteIf you run the
nmcli concommands, you do not need to restart the network service. NetworkManager monitors the network configuration file and automatically applies the new configurations.Operating system
Command to restart the network service
Alibaba Cloud Linux 2
CentOS 7
Red Hat 7
Anolis 7
SUSE Linux 11, SUSE Linux 12, and SUSE Linux 15
openSUSE 15 and openSUSE 42
sudo service network restartor
sudo systemctl restart networkCentOS 6
Red Hat 6
sudo service network restartAlibaba Cloud Linux 3
CentOS 8
Red Hat 8
Anolis 8
Fedora 33, Fedora 34, and Fedora 35
sudo systemctl restart NetworkManagerorsudo rebootUbuntu 18, Ubuntu 20, and Ubuntu 22
Debian 12
sudo netplan applyUbuntu 14 and Ubuntu 16
Debian 8, Debian 9, Debian 10, and Debian 11
sudo systemctl restart networkingorsudo rebootRepeat Step 2 to check whether the configurations take effect.
Configuration example in Windows
The procedure applies to the Windows operating system.
In this example, Windows Server 2022 is used.
In this example, the primary ENI named Ethernet is used. If you use a secondary ENI, replace the ENI name with the actual ENI name. Example: Ethernet 2.
Connect to the Windows ECS instance.
For more information, see Use Workbench to connect to a Windows instance over RDP.
View the current network configurations and routing information to obtain the default gateway and subnet mask of the ENI.
Open Command Prompt or Windows PowerShell.
Run the following command to view information about the current ENI and its IP addresses:
ipconfigThe following command output indicates information about the current ENI and its IP addresses.
The following table describes the network configuration and routing information of the ENI.
ENI
Subnet mask
Default gateway
Primary private IP address
Secondary private IPv4 address 1 to be configured
Secondary private IPv4 address 2 to be configured
Ethernet (serves as the primary ENI)
255.255.255.0
192.168.1.253
192.168.1.201 (is automatically configured)
192.168.1.202 (cannot be recognized and must be manually configured)
192.168.1.203 (cannot be recognized and must be manually configured)
Open Network and Sharing Center.
Click Change adapter settings.
Double-click the primary ENI named Ethernet. Then, click Properties in the Ethernet Status dialog box.
In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following IP address and click Advanced.
ImportantThe policy of automatically obtaining IP addresses is changed to manual configuration. Configure the following parameters, including the primary private IP address. Otherwise, you cannot connect to the instance by using the primary private IP address.
In the Advanced TCP/IP Settings dialog box, configure IP addresses.
In the IP addresses section, click Add. Then, enter the primary and secondary private IP addresses that are assigned to Ethernet and the subnet mask that you queried.
In this example, enter the two secondary private IP addresses of Ethernet.
In the Default gateways section, click Add and enter the obtained default gateway that you queried in the Gateway field.
Click OK to save the settings in each dialog box to complete the configuration of the secondary private IPv4 addresses. Repeat Step 2 to check whether the configurations take effect.
Configuration examples in other operating systems
Unassign secondary private IP addresses
When an ENI no longer requires secondary private IP addresses, you can unassign the secondary private IP addresses from the ENI. You can perform the following steps to unassign secondary private IP addresses.
Prerequisites
Before you unassign secondary private IP addresses from an ENI, make sure that the following prerequisites are met:
One or more secondary private IP addresses are assigned to the ENI.
The ENI is in the Available (Available) or InUse (InUse) state.
When you unassign secondary private IP addresses from a primary ENI, the ECS instance to which the primary ENI is bound is in the Running (Running) or Stopped (Stopped) state.
Procedure
You can call an API operation to unassign one or more secondary private IPv4 or IPv6 addresses from an ENI. For more information, see UnassignPrivateIpAddresses or UnassignIpv6Addresses.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Elastic Network Interfaces page, find the ENI from which you want to unassign secondary private IP addresses and click Manage ENI IP Addresses in the Operation column.
In the Manage ENI IP Addresses dialog box, find the secondary private IP addresses that you want to unassign in the Secondary Private IPv4 Address section and click the
icon on the right side of the IP addresses. Click OK.
Refresh the ENI list. If the IP Address column of the ENI no longer displays the secondary private IP addresses that you unassigned, the secondary private IP addresses are unassigned from the ENI.
Related operations
cloud-init automatically initializes network configurations
cloud-init is an open source initialization tool that automates initialization operations for Linux operating systems, such as generating an initial password, configuring the hostname, and running user data scripts. cloud-init is pre-installed on all Alibaba Cloud public images. When an ECS instance starts, cloud-init automatically generates network configurations for the instance.
View the description of the network configuration file to check whether the file is automatically generated by cloud-init.
You can view information about whether cloud-init automatically generates a network configuration file. In this example, the description of the /etc/sysconfig/network-scripts/ifcfg-eth0 configuration file for Alibaba Cloud Linux 3.2 is viewed.
Disable the network configuration feature of cloud-init.
Scenarios in which the network configuration feature of cloud-init can be disabled: In the following scenarios, you may disable the network configuration feature of cloud-init. Otherwise, if the instance restarts, the network configurations automatically generated by cloud-init may overwrite your custom network configurations.
Manually configure the network by modifying the network configuration file automatically created by cloud-init.
Manage the network by using other network management services, such as NetworkManager.
Method used to disable the network configuration feature of cloud-init: Create the /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg file and add the
network: {config: disabled}configuration to the file.ImportantFor more information about cloud-init, log on to the Linux instance operating system and view information in the /etc/cloud/cloud.cfg.d/README file.
Configure IP addresses
The methods used to configure IP addresses in the operating system include DHCP (default) and static. When you configure secondary private IP addresses, select a configuration method based on your business scenario.
Static configuration: You must manually configure necessary network parameters, such as subnet masks, default gateways, and DNS server addresses.
DHCP dynamic acquisition: DHCP is a network protocol that allows devices in a network to automatically acquire network configurations, such as IP addresses, subnet masks, default gateways, and DNS server addresses. You can also configure secondary private IP addresses for Linux instances when DHCP dynamic acquisition is enabled.