Elastic Compute Service: Create and use an ENI

Last Updated: Feb 15, 2025

ENIs enable the deployment of high availability clusters, cost-effective failover solutions, and fine-grained network management. If your business requires sophisticated network segmentation and isolation, or you need to address single points of failure in network interfaces, you can attach multiple ENIs to an ECS instance to expand its networking capabilities.

Create an ENI

You can create an ENI during the purchase of an instance or separately after the instance has been created, and then bind it to the instance.

Note

There is a limit to the number of ENIs that can be created in a single region. Visit the Quota Center to view the quota or apply to increase the total number of ENIs based on your business needs. For detailed instructions, see ECS quota management.

Create with instance

When purchasing an ECS instance, you can opt to add an ENI created with the instance. These ENIs are automatically assigned IP addresses and bound to the instance, eliminating the need for additional binding steps. For detailed instructions, see Custom purchase instance.

Note
  • Some ECS instance types do not support binding secondary ENIs during creation. You can bind them separately after the instance is created. For more information, see ECS instance types that do not support hot swapping of network interface cards.

  • By default, ENIs created in this manner are released alongside the instance. However, you can utilize the 'release with instance' feature to prevent this, ensuring the network interface card is retained even after the instance is released.

Create separately

After creating an instance, if you need to enhance network management and expand the ECS instance's network capabilities, such as adding private IP addresses or ensuring high availability network environments, you can create a secondary ENI separately to meet these requirements. The separately created ENI is a secondary ENI and can be bound to the instance.

Note

You can also create an ENI by calling CreateNetworkInterface.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, select Network & Security > ENI.

  3. In the upper-left corner of the top navigation bar, select the resource group and region where the resources are located.

  4. Click Create ENI.

  5. On the Create ENI page, complete the relevant settings.

    Parameter: Description

    • Network interface card name: Custom. Enter the ENI name as prompted.

    • VPC: Select the VPC to which the instance is bound. After an ENI is created, its VPC cannot be changed.

      Note: An ENI can be bound to only an instance that is in the same VPC as the ENI.

    • vSwitch: Select a vSwitch that is in the same zone as the instance to which you want to bind the ENI. After an ENI is created, its vSwitch cannot be changed.

      Note: An ENI and the instance to which it is bound must belong to the same zone. They can be connected to different vSwitches.

    • Security group: Select security groups in the specified VPC. You can specify up to five security groups.

      Note: You cannot select basic security groups and advanced security groups at the same time.

    • Source/destination check: The source/destination check ensures that the instance is the source or destination of any traffic it receives, preventing spoofed packet attacks and improving security. If the instance runs services such as Network Address Translation, routing, or firewall, you need to disable this feature. For more information, see Source/destination check.

    • Primary private IP: (Optional) Enter the primary private IP address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created.

    • Secondary private IP: (Optional) Specify secondary private IP addresses.

      • Do Not Allocate: The ENI does not need a secondary private IP address for now.

      • Automatic Allocation: Manually enter the number of secondary private IP addresses, which can be an integer from 1 to 9. The system automatically assigns the specified number of idle IP addresses from within the CIDR block of the selected vSwitch to the ENI.

      • Specify Address: Manually add secondary private IP addresses. You can add up to nine secondary private IP addresses.

    • SESSION timeout: Configure and manage the timeout for established TCP connections, the TCP wait and close timeout, and the UDP stream timeout. For more information, see Connection timeout management.

    • Description: (Optional) Enter a description for the ENI for easy management.

    • Resource group: (Optional) Select a resource group. You can add resources that are owned by multiple accounts and assigned to multiple projects to resource groups for easy management. For more information about resource groups, see Resource group.

    • Tag: (Optional) Select one or more tags to add to the ENI for easy search and management. For more information about tags, see Tag.

  6. Click Confirm.

    When the status of the newly created ENI in the network interface card list is displayed as Available, it indicates that the secondary ENI has been successfully created.

Bind ENI to an instance

Note

An ENI can be bound to only one ECS instance at a time, but an ECS instance can have multiple ENIs. For the number of ENIs that can be bound to each instance type, see Instance family.

The primary network interface card is bound when the instance is created. To extend the network interface of the instance, you need to bind the secondary ENI in the Pending binding state to the destination instance.

Prerequisites

  • The ENI to be bound must belong to the same VPC and zone as the destination ECS instance.

  • The ECS instance to be bound must be an I/O optimized instance type (see Instance family or call DescribeInstanceTypes to view the performance data of the destination instance type, or see Instance type selection guide to learn how to select an instance type) and be in the Stopped or Running state.

    Some instance types do not support hot swapping and only support binding secondary ENIs when in the Stopped state.

    List of ECS instance types that do not support hot swapping of network interface cards

    Instance family: Instance type

    • Shared standard instance family s6: ecs.s6-c1m1.small, ecs.s6-c1m2.large, ecs.s6-c1m2.small, ecs.s6-c1m4.large, ecs.s6-c1m4.small

    • Economy instance family e: ecs.e-c1m1.large, ecs.e-c1m2.large, ecs.e-c1m4.large

    • Burstable instance family t6: ecs.t6-c1m1.large, ecs.t6-c1m2.large, ecs.t6-c1m4.large, ecs.t6-c2m1.large, ecs.t6-c4m1.large

    • Burstable instance family t5: ecs.t5-c1m1.large, ecs.t5-c1m2.large, ecs.t5-c1m4.large, ecs.t5-lc1m1.small, ecs.t5-lc1m2.large, ecs.t5-lc1m2.small, ecs.t5-lc1m4.large, ecs.t5-lc2m1.nano

    • Previous-generation shared instance families xn4, n4, mn4, e4: ecs.xn4.small; ecs.n4.small, ecs.n4.large; ecs.mn4.small, ecs.mn4.large; ecs.e4.small, ecs.e4.large

  • If the ECS instance was last started, restarted, or reactivated before April 1, 2018, you must restart the instance before you can bind ENIs to it.

    Important

    You must restart the ECS instance in the console or by calling RebootInstance. A restart performed from within the operating system does not meet this requirement.

Procedure

Bind when purchasing an instance

Note

When purchasing an instance, you can bind up to two ENIs: one primary network interface card and one secondary ENI.

When purchasing an ECS instance, you can choose to bind an ENI that is in the same VPC and zone and in the Pending binding state to the instance as the primary network interface card or secondary ENI, without the need for additional creation. For detailed instructions, see Custom purchase instance.

Bind after instance creation

Note

After an instance is created, only secondary ENIs can be bound.

  • Bind through the console

    1. Log on to the ECS console.

    2. In the left-side navigation pane, select Network & Security > ENI.

    3. In the upper-left corner of the top navigation bar, select the resource group and region where the resources are located.

    4. Find the available secondary ENI, and click Bind Instance in the Actions column.

    5. In the Bind Instance dialog box, select an instance, and then click Confirm.

      Refresh the list. When the status of the ENI is displayed as Bound, it indicates that the ENI has been successfully bound.

  • Bind through API

    You can also bind an ENI by calling AttachNetworkInterface, specifying NetworkInterfaceId as the target ENI ID and InstanceId as the instance ID to attach the ENI to an instance of the VPC type.

    Specify the physical network interface card index through NetworkCardIndex in the API

    To support higher network performance, some instance types support physical network interface card mapping. When attaching a network interface card through AttachNetworkInterface, you can specify the NetworkCardIndex parameter to map to the network interface card on the physical machine, thereby avoiding bandwidth contention and improving the bandwidth capability of the instance. For more information, see Physical network interface card mapping.

After the ENI is bound to the instance, you need to configure the ENI to take effect inside the instance.

Configure the ENI to take effect inside the instance

The primary network interface card usually takes effect automatically after the instance is created, and you do not need to configure it. When you attach multiple secondary ENIs to an ECS instance, you need to confirm whether the network interface card takes effect inside the instance.

Step 1: Confirm whether the network interface card takes effect inside the instance

Warning

If the bound secondary ENI is not correctly configured inside the instance, the ENI cannot communicate properly. Confirm that the network interface card takes effect according to the following operations.

Linux instance

Sample operating system: Alibaba Cloud Linux 3.2.

  1. Connect to the Linux instance remotely.

    For detailed instructions, see Log on to a Linux instance by using the SSH protocol through Workbench.

  2. Run the following command to view and confirm the network interface card information of the instance.

    ip a

    The returned information shows the network interface card information of the current instance:

    • Network interface card identifier: eth0, eth1. In this example, the instance has two ENIs: a primary network interface card eth0 and a secondary ENI eth1.

    • Network interface card status: state UP, indicating that the network interface card status is normal, and the network interface card has taken effect inside the instance.

      Important

      If you see state DOWN as shown in the following figure, it indicates that the network interface card is not successfully loaded and cannot be used normally. You need to configure the Linux operating system to recognize the network interface card to ensure that the network interface card status is normal.

    • Primary private IP address of the network interface card: After the network interface card status is normal, you can see the primary private IP of each ENI.

      If your network interface card is assigned a secondary private IP address that is not recognized inside the operating system, see Configure the operating system to recognize the secondary private IP address to reconfigure it.

  3. Run the following command to view the routing information of the network interface card.

    route -n

    It can be seen that, under normal circumstances, the system configures two routes for the secondary ENI eth1:

    • Route with Destination 192.168.xx.xx: Specifies the route within a specific subnet. This route ensures that the local machine can correctly identify and directly communicate with other hosts within the subnet without going through additional routers.

    • Route with Destination 0.0.0.0: This route is used to handle packets destined for external networks or other remote networks. When the destination of a packet is not within the local subnet, the packet is sent to the gateway address 192.168.xx.xx for the next hop.

      Important
      • By default, the priority of the default route of the additional network interface card is usually lower than that of the default route of eth0, which means that data is preferentially sent from the primary network interface card eth0.

      • If you want packets whose source is the private IP of the additional network interface card eth1 to be sent from eth1, you can configure policy-based routing for the secondary network interface card so that traffic leaves through the same network interface card on which it arrived. For more information, see Configure policy-based routing for the network interface card.

      Some earlier operating systems, such as Ubuntu 16, may not automatically configure the default route for the secondary ENI. In that case, the default route for the secondary ENI is missing from the route output, which may prevent the network interface card from working properly. We recommend that you use a newer operating system distribution, or configure the default route for the network interface card yourself.

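
The check described in this step can be scripted. The following is an added example, not part of the original documentation: it classifies each ENI from the text of `ip -o link show` and `ip -4 route show` (used here instead of `ip a` and `route -n` because they are easier to parse). The function name, the `^eth` name filter and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify each ENI as OK, DOWN or NO_DEFAULT_ROUTE from the
# text of `ip -o link show` and `ip -4 route show`.

# Constructed sample output (not captured from a real instance).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:16:3e:00:00:02 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ROUTES='default via 192.168.0.253 dev eth0 proto dhcp src 192.168.0.10 metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10 metric 100'

# check_enis LINK_TEXT ROUTE_TEXT [NAME_REGEX]
# Prints "<interface> <verdict>" for every interface whose name matches
# NAME_REGEX (default ^eth, the naming used on this page).
check_enis() {
    links=$1
    routes=$2
    pattern=${3:-^eth}
    # The route text is passed through the environment because it spans lines.
    printf '%s\n' "$links" | ROUTES="$routes" awk -v pat="$pattern" '
        BEGIN {
            # Record every interface that owns a default route.
            n = split(ENVIRON["ROUTES"], line, "\n")
            for (i = 1; i <= n; i++) {
                m = split(line[i], f, " ")
                if (f[1] != "default") continue
                for (j = 2; j < m; j++)
                    if (f[j] == "dev") has_default[f[j + 1]] = 1
            }
        }
        {
            # Field 2 is "eth1:" (or "eth1@parent:" for stacked devices).
            name = $2
            sub(/:$/, "", name)
            sub(/@.*$/, "", name)
            if (name !~ pat) next
            state = "UNKNOWN"
            for (i = 3; i < NF; i++)
                if ($i == "state") state = $(i + 1)
            if (state != "UP")               verdict = "DOWN"
            else if (!(name in has_default)) verdict = "NO_DEFAULT_ROUTE"
            else                             verdict = "OK"
            print name, verdict
        }'
}

# On an instance: check_enis "$(ip -o link show)" "$(ip -4 route show)"
check_enis "$SAMPLE_LINKS" "$SAMPLE_ROUTES"
```

`ip -4 route show` lists only the main routing table; if the ENI's default route lives in a separate policy-routing table, pass the output of `ip -4 route show table all` instead.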

Windows instance

Sample operating system: Windows Server 2022.

  1. Connect to the Windows instance remotely.

    For detailed instructions, see Log on to a Windows instance by using the RDP protocol through Workbench.

  2. Open Network and Sharing Center.

  3. Click Change Adapter Settings.

    In this example, the instance is bound with two ENIs (one primary network interface card and one secondary ENI). You can see the information shown below, indicating that the network interface card has taken effect inside the instance, and no other configuration is required.

    If the secondary ENI is not correctly recognized due to other reasons, you may see the following information. You can refer to Handling method for ENI configuration failure on Windows instances.

  4. View the status and detailed information of the network interface card.

    1. Double-click the network interface card name to view the network interface card status.

      Take the primary network interface card Ethernet as an example:

    2. Click Details to view the network interface card property information.

      In the pop-up dialog box, you can see the primary private IPv4 address, subnet mask, default gateway, and other information of the network interface card:

  5. Open the Command Prompt page.

    Use the keyboard shortcut Win+R to open the Run dialog box, enter the command cmd, and click OK.

  6. Run the following command to view the routing information of the network interface card.

Step 2: Configure the Linux operating system to recognize the network interface card

After confirming that the network interface card does not take effect, you can configure it in the system through the following two methods to make the network interface card take effect.

Note

Most Windows operating systems can automatically recognize ENIs. If there is a network interface card failure, see Handling method for ENI configuration failure on Windows instances.

Method 1: Automatically configure through the multi-nic-util tool

Important
  • Using the multi-nic-util tool will overwrite the original network configuration of the ECS instance. Please be aware of this risk.

  • Alibaba Cloud strongly recommends that you avoid using the multi-nic-util tool in Docker or other containerized environments.

  • Operating systems supported by multi-nic-util: Alibaba Cloud Linux 2, CentOS 6 (CentOS 6.8 and later), CentOS 7 (CentOS 7.3 and later), RedHat.

    For other operating systems, you can refer to Method 2: Manually configure through the network configuration file.

  1. Run the following command to download and install the multi-nic-util tool (public network access is required).

    wget https://image-offline.oss-cn-hangzhou.aliyuncs.com/multi-nic-util/multi-nic-util-0.6.tgz && \
    tar -zxvf multi-nic-util-0.6.tgz && \
    cd multi-nic-util-0.6 && \
    bash install.sh

  2. Run the following command to restart the ENI service.

    sudo systemctl restart eni.service

  3. Repeat Step 1: Confirm whether the network interface card takes effect inside the instance to confirm that the network interface card status is normal.

Method 2: Manually configure through the network configuration file

The network configuration file varies depending on the management method and tools of the network configuration of different Linux distributions and versions.

Important
  • We recommend that you back up the original network configuration file before editing it.

    If you accidentally modify the network configuration file and cannot connect to the instance through Workbench, you can connect to the instance through VNC to compare and view the changes in the network configuration file and make repairs.

  • In this example, we configure the network management protocol as Dynamic Host Configuration Protocol (DHCP) by default. The network interface will obtain the primary private IP address by default. If you want to configure the network interface by configuring a static IP, see Configure the operating system to recognize the secondary private IP address.

  • Make sure that the IP address, MAC address, gateway, and other information in the network configuration file are consistent with the actual situation. Incorrect network configuration may cause your instance to fail to communicate properly.

  1. Connect to the ECS instance remotely.

    For detailed instructions, see Log on to a Linux instance by using the SSH protocol through Workbench.

  2. Create and edit the network configuration file of the ENI based on different Linux distributions and versions.

    The primary network interface card configuration file is usually generated automatically. The following example explains how to configure a secondary network interface card.

    RHEL/CentOS series
    • Applicable operating systems: Alibaba Cloud Linux 2/3, CentOS 6/7/8, Red Hat 6/7/8/9, Anolis 7/8, Fedora 33/34/35, etc.

    • Network interface configuration file: /etc/sysconfig/network-scripts/ifcfg-*

      Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, etc.

    • Sample configuration: Run the following command to create and edit the configuration file of the secondary ENI eth1 bound to the instance, and configure the network interface configuration information.

      sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1

      DEVICE=eth1
      TYPE=Ethernet
      BOOTPROTO=dhcp
      ONBOOT=yes

      • DEVICE: Specify the network interface identifier, such as eth1, eth2, etc.

      • TYPE: The type of the network interface. Ethernet indicates that the interface is of the Ethernet type.

      • BOOTPROTO: Set the method for obtaining the IP address. When set to dhcp, it means that the interface will automatically obtain an IP address from the DHCP server in the network through the DHCP protocol. If changed to static, you need to manually set the static IP address, subnet mask, and other information.

      • ONBOOT: Control whether to activate this network interface when the system starts. A value of yes means that the network interface will be automatically enabled when the system starts. If it is no, it will not be automatically enabled unless manually started.

    Ubuntu18 and later

    Netplan is a newer network configuration framework that has become the default network configuration method for Ubuntu since Ubuntu 18.04 LTS.

    • Applicable operating systems: Ubuntu 18/20/22/24

    • Network interface configuration file: /etc/netplan/*.yaml

      • The system recognizes yaml files in the /etc/netplan directory, and each network interface can be set with a separate yaml file.

      • The default primary network interface card network configuration file 50-cloud-init.yaml is automatically generated by cloud-init when the system starts.

    • Sample configuration: Run the following command to create and edit the configuration file of the secondary ENI eth1 bound to the instance, and configure the network interface configuration information.

      sudo vi /etc/netplan/eth1-netcfg.yaml

      Note

      By default, the primary network interface card's network configuration file already exists. To ensure that the yaml file format is correct, you can generate the network interface configuration file for the secondary network interface card by using cp 50-cloud-init.yaml ethX-netcfg.yaml, and then modify the corresponding information as shown below.

      network:
          version: 2
          ethernets:
              eth1:
                  dhcp4: true
                  match:
                      macaddress: 00:16:3e:xx:xx:xx
                  set-name: eth1

      • dhcp4: Whether to enable DHCP for IPv4 on this interface. The value can be true or false.

      • match: Match the attributes of the network interface, such as macaddress.

        You can view the MAC address of the ENI in the console or through the API.

    Traditional Debian-based Linux (earlier Ubuntu)
    • Applicable operating systems: Debian, earlier versions of Ubuntu, such as Ubuntu 14/16, Debian 8/9/10, etc.

    • Network interface configuration file: /etc/network/interfaces

      • By editing this file, users can manually configure the IP address, subnet mask, gateway, DNS, and other information of the network interface, along with set static IP or DHCP modes.

      • With the popularity of Systemd and its network management tools, this method has gradually been replaced in newer versions of Ubuntu and some other distributions.

    • Main configuration items: The file contains configurations such as the type of interface, IP address, subnet mask, gateway, and DNS information.

    • Sample configuration: Run the following command to edit the network configuration file and configure the network interface configuration information.

      sudo vi /etc/network/interfaces

      Note

      The configurations of the primary network interface card (eth0) and the secondary ENI (eth1) are maintained in the same configuration file. Make sure not to omit the information of the primary network interface card.

      auto lo
      iface lo inet loopback

      auto eth0
      iface eth0 inet dhcp

      # Specify the name of the ENI that you want to configure.
      auto eth1
      iface eth1 inet dhcp

      • auto <interface>: Automatically activate the network interface when the system starts.

      • iface <interface> inet <method>: Define the configuration method of the network interface.

      • inet: Defines IPv4-related configurations.

      • method: Set the method for obtaining the IP address. When set to dhcp, it means that the interface will use the Dynamic Host Configuration Protocol (DHCP) to automatically obtain the IP address, subnet mask, default gateway, and other necessary network parameters. If changed to static, you need to manually set the static IP address, subnet mask, and other information.

    SLES series
    • Applicable operating systems: SUSE Linux 11/12/15, OpenSUSE 15, etc.

    • Network interface configuration file: /etc/sysconfig/network/ifcfg-*

      Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, etc.

    • Sample configuration: Run the following command to create and edit the configuration file of the secondary ENI eth1 bound to the instance, and configure the network interface configuration information.

      sudo vi /etc/sysconfig/network/ifcfg-eth1

      BOOTPROTO='dhcp'
      STARTMODE='auto'

      • BOOTPROTO: Specify how to obtain the IP address. dhcp means that the interface will automatically obtain the IP address and other related network configuration information (such as subnet mask, default gateway, and DNS server address) from the DHCP server on the network through the Dynamic Host Configuration Protocol (DHCP).

      • STARTMODE: Defines how to handle this network interface when the system starts. Setting it to 'auto' means that as long as the system starts and detects that this interface is available, it will attempt to activate this network interface.

  3. Run the following command to restart the network service.

    Restart the network service to allow the new configurations to take effect.

    Operating system: Command to restart the network service

    • Alibaba Cloud Linux 2, CentOS 7, Red Hat 7, Anolis 7, SUSE Linux 11, SUSE Linux 12, SUSE Linux 15, openSUSE 15, and openSUSE 42: sudo service network restart or sudo systemctl restart network

    • CentOS 6 and Red Hat 6: sudo service network restart

    • Alibaba Cloud Linux 3, CentOS 8, Red Hat 8, Anolis 8, Fedora 33, Fedora 34, and Fedora 35: sudo systemctl restart NetworkManager or sudo reboot

    • Ubuntu 18, Ubuntu 20, Ubuntu 22, and Debian 12: sudo netplan apply

    • Ubuntu 14, Ubuntu 16, Debian 8, Debian 9, Debian 10, and Debian 11: sudo systemctl restart networking or sudo reboot

  4. Repeat Step 1: Confirm whether the network interface card takes effect inside the instance to confirm that the network interface card status is normal.

Assign private IP for private network communication

By default, when an ENI is associated with a specific VPC and subnet (vSwitch), it receives a primary private IPv4 address from within the subnet. ECS instances use this private IP address to communicate over the internal network.

In business scenarios that require multiple IP addresses, such as multi-application hosting, failover, and load balancing, you can assign additional private IP addresses to the network interface card within the subnet. For detailed instructions, see Add Secondary Private IP Addresses to an ENI.

Bind public IP for public network communication

  • In a single primary network card scenario, you can assign a static public IP to the instance's primary network interface to enable public network communication. For more information, see Static public IP.

  • For multiple network cards or more flexible management, you can bind an Elastic IP Address (EIP) to an ENI, which offers more flexibility than a static public IP as it can be easily bound and unbound. For more information, see Bind an EIP to an ENI.

    Additionally, you can associate an ECS instance with one or more ENIs and bind an EIP to multiple private IPs of the ENI, allowing the ECS instance to have several public IP addresses. For detailed instructions, see Bind multiple EIPs to an ECS instance in NAT mode.

    Important
    • After binding an EIP to a secondary ENI, ensure that the network card is attached to the instance and operational within the instance for the EIP to function properly. For more information, see Configure the ENI to take effect inside the instance.

    • When using a secondary ENI with an EIP or NAT Gateway, the default route priority is lower than that of the primary network card, which may cause incoming traffic on the secondary ENI to exit through the primary ENI, leading to EIP communication issues. To resolve this, configure policy-based routing to ensure traffic exits through the same ENI it arrived on, maintaining consistent inbound and outbound paths. For more information, see Configure policy-based routing for the network interface card.
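
The policy-based routing referred to here and under Step 1 can be sketched as follows. This is an added example, not Alibaba Cloud's documented procedure or tooling: it prints, without executing, the iproute2 commands that send replies from a secondary ENI's address back out through that ENI, and refuses a gateway outside the ENI's subnet. The function names, the addresses, the gateway and table ID 1001 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: print (not run) source-based routing commands for a
# secondary ENI so that replies leave through the ENI they arrived on.

ip_to_int() {                       # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() {                      # ADDRESS/PREFIX -> NETWORK/PREFIX
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - $prefix)) & 4294967295 ))
    net_int=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net_int")/$prefix"
}

# eni_policy_routes IFACE ADDRESS/PREFIX GATEWAY TABLE_ID
#   IFACE           secondary ENI inside the instance, e.g. eth1
#   ADDRESS/PREFIX  its private IP and the vSwitch prefix length
#   GATEWAY         gateway of that vSwitch (take it from the route output)
#   TABLE_ID        unused routing table number (hypothetical: 1001)
eni_policy_routes() {
    iface=$1
    cidr=$2
    gw=$3
    table=$4
    net=$(network_of "$cidr")
    # A gateway outside the ENI's subnet would black-hole its traffic.
    if [ "$(network_of "$gw/${cidr#*/}")" != "$net" ]; then
        echo "gateway $gw is not inside $net" >&2
        return 1
    fi
    # Per-ENI table: on-link subnet route plus a default route via the ENI.
    echo "ip -4 route replace $net dev $iface src ${cidr%/*} table $table"
    echo "ip -4 route replace default via $gw dev $iface table $table"
    # Packets sourced from the ENI's address consult that table first.
    echo "ip -4 rule add from ${cidr%/*} lookup $table priority $table"
}

# Constructed values; review the printed commands before running them as root.
eni_policy_routes eth1 192.168.1.37/24 192.168.1.253 1001
```

Commands applied this way do not survive a reboot; persist them with the distribution's network configuration once they are confirmed to work.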

Associate ENI with security group

ENIs are linked with security groups to enforce network-layer security controls.

  • The security group associated with an ECS instance governs the primary network interface card. This primary network interface card is automatically part of the same security group as the instance, and its security group cannot be altered independently. To change the security group for the primary network interface card, you must modify the ECS instance's security group. For more information, see Add, remove, or change the security group of an instance.

  • A secondary ENI attached to an ECS instance can be linked to a different security group within the same VPC and zone. You can designate the security group during the ENI's creation or update the associated security group after the network interface card has been created. For more information, see Create an ENI or Change the security group associated with the ENI.

  • Assigning multiple secondary IPv4 or IPv6 addresses to an ENI means these addresses adhere to the network interface card's security group. You can establish detailed security group rules based on source IP addresses, application-layer protocols, and ports to provide granular access control for each ENI's traffic. For more information, see Manage security group rules.