ENIs can be used to deploy high-availability clusters, perform low-cost failover, and achieve fine-grained network management. If your business requires more detailed network classification and isolation, or if you need to address single point of failure issues with a single network card, you can bind multiple ENIs to an ECS instance to extend the network card capabilities.
Create ENIs
You can create ENIs when you purchase an instance or create them separately after the instance is created and bind them to the instance.
There is a limit on the number of ENIs you can create in a single region. You can visit the Quota Center to view the limits, or you can request to increase the total number of ENIs based on your business needs. For specific operations, see ECS Quota Management.
Create with instance
When purchasing an ECS instance, you can choose to add ENIs that are created with the instance. These ENIs are automatically assigned IP addresses and bound to the instance without additional binding operations. For specific operations, see Custom Purchase Instance.
- Some ECS instance types do not support binding secondary ENIs when creating instances. You can bind them separately after the instance is created. For more information, see ECS Instance Types That Do Not Support Hot Swapping of ENIs.
- ENIs created in this manner are automatically released when the associated instance is released. However, you can prevent this by disabling the automatic release feature within the instance settings to keep the ENI after the instance is released.
Create separately
After creating an instance, if you need to better manage and extend the network capabilities of ECS instances, such as adding private IP addresses, building high-availability network environments, creating dedicated network traffic, or isolating different network environments, you can separately create secondary ENIs to meet your needs. ENIs created separately are secondary ENIs and can be bound to instances.
You can also create ENIs by calling CreateNetworkInterface.
- Log on to the ECS console.
- In the left-side navigation pane, select .
- In the upper-left corner of the page, select the resource group and region where the target resource resides.
- Click Create ENI.
- On the Create ENI page, complete the relevant settings.
Parameter: Description
- ENI Name: Custom. Enter the ENI name as prompted.
- VPC: Select the VPC to which the instance is bound. After an ENI is created, its VPC cannot be changed.
  Note: An ENI can be bound to only an instance that is in the same VPC.
- vSwitch: Select a vSwitch in the zone where the instance is located. After an ENI is created, its vSwitch cannot be changed.
  Note: An ENI and the instance to which it is bound must be in the same zone but can be connected to different vSwitches.
- Security Group: Select the security group in the specified VPC. You can select one to five security groups.
  Note: You cannot select basic security groups and advanced security groups at the same time.
- Add Elastic RDMA Interface: (Optional) This feature enables the ENI to support eRDMA capabilities. ENIs with this capability can only be attached to instance types that support eRDMA capabilities. For more information, see Elastic RDMA Interface (ERI).
- Primary Private IP: (Optional) Enter the primary private IP address of the ENI. This IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an address, an idle private address is automatically assigned to the ENI when it is created. For more information, see Primary Private IP.
- Secondary Private IPv4: (Optional) Set the secondary private IPv4 address.
  - Do Not Assign: The ENI temporarily does not require a secondary private IPv4 address.
  - Auto-assign: Manually enter the number of secondary private IPv4 addresses, which can be an integer from 1 to 9. The system automatically assigns the specified number of idle IPv4 addresses from the vSwitch.
  - Specify Address: Manually add secondary private IPv4 addresses. You can add up to nine secondary private IPv4 addresses.
  - Specify Ipv4 Prefix: Assign an IPv4 CIDR block to the ENI. For more information, see IP Prefix.
  For more information, see Secondary Private IP.
- IPv6: (Optional) Set the secondary private IPv6 address.
  - Do Not Assign: The ENI temporarily does not require a secondary private IPv6 address.
  - Auto-assign: Manually enter the number of secondary private IPv6 addresses, which can be an integer from 1 to 10. The system automatically assigns the specified number of idle IPv6 addresses from the vSwitch.
  - Specify Address: Manually complete the last four digits of the secondary private IPv6 address. You can add up to ten secondary private IPv6 addresses.
  - Specify Ipv6 Prefix: Assign an IPv6 CIDR block to the ENI. For more information, see IP Prefix.
  Note: To set an IPv6 address for the ENI, you need to select a vSwitch that supports IPv6 addresses. If the selected vSwitch does not have the IPv6 address assignment feature enabled, you can click Enable Vswitch Ipv6 to enable it.
- SESSION Timeout: Configure and manage the timeout for established TCP connections, the TCP wait and close timeouts, and the UDP stream timeout. For more information, see Connection Timeout Management.
- Description: (Optional) Enter a description for the ENI for easy management.
- Resource Group: (Optional) Select a resource group for multi-user and multi-project hierarchical resource management. For more details about resource groups, see Resource Group.
- Tag: (Optional) Select one or more tags for easy search and resource aggregation. For more details about tags, see Tag.
- Click Create ENI.
  When the status of the newly created ENI in the ENI list shows Pending, the secondary ENI has been successfully created.
Bind ENIs to instances
An ENI can be bound to only one ECS instance at a time, but an ECS instance can have multiple ENIs bound to it simultaneously. For the number of ENIs that can be bound to each instance type, see Instance Family.
The primary ENI is bound when the instance is created. If you want to extend the network interface for an instance, you need to bind the secondary ENI in the Pending state to the target instance.
Prerequisites
- The ENI to be bound must belong to the same VPC and be in the same zone as the target ECS instance.
- The ECS instance to be bound must be an I/O optimized instance type and be in the Stopped or Running state. To view the performance data of the target instance type, see Instance Family or call DescribeInstanceTypes. For how to select an instance type, see Instance Type Selection Guide.
  Some instance types do not support hot swapping and only support binding secondary ENIs in the Stopped state.
- If the ECS instance was last started before April 1, 2018 (including but not limited to starting a newly purchased instance, restarting, or rebooting), you must restart the instance before you can bind ENIs to it.
  Important: You must restart the ECS instance in the console or by calling RebootInstance. Restarting within the operating system is ineffective.
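The creation rules in the Create ENI parameter table and the binding prerequisites above can be checked before any API call is made. The following Python script is an added example, not Alibaba Cloud code; the dictionary field names, resource IDs and sample values are constructed for illustration and do not mirror the API response format.

```python
import ipaddress
from datetime import date

# Cutoff stated on the page: an instance last started before this date must be
# restarted (console or RebootInstance) before an ENI can be bound to it.
RESTART_CUTOFF = date(2018, 4, 1)

def check_create(eni, vswitch):
    """Return violations of the creation rules in the parameter table."""
    problems = []
    groups = eni["security_groups"]  # [(group_id, "basic" | "advanced"), ...]
    if not 1 <= len(groups) <= 5:
        problems.append("select one to five security groups")
    if len({kind for _, kind in groups}) > 1:
        problems.append("basic and advanced security groups cannot be combined")
    secondary = eni.get("secondary_ipv4", [])
    if len(secondary) > 9:
        problems.append("at most nine secondary private IPv4 addresses")
    cidr = ipaddress.ip_network(vswitch["cidr"])
    requested = ([eni["primary_ip"]] if eni.get("primary_ip") else []) + secondary
    for ip in requested:
        if ipaddress.ip_address(ip) not in cidr:
            problems.append(f"{ip} is outside the vSwitch CIDR block {cidr}")
        elif ip in vswitch["used_ips"] or requested.count(ip) > 1:
            problems.append(f"{ip} is not an idle address")
    return problems

def check_bind(eni, instance):
    """Return violations of the binding prerequisites."""
    problems = []
    if eni["status"] != "Pending":  # the page's name for the unbound state
        problems.append("ENI is not in the Pending state")
    if eni["vpc_id"] != instance["vpc_id"]:
        problems.append("ENI and instance are in different VPCs")
    if eni["zone_id"] != instance["zone_id"]:
        problems.append("ENI and instance are in different zones")
    if not instance["io_optimized"]:
        problems.append("instance type is not I/O optimized")
    # Instance types without hot swapping accept a secondary ENI only when stopped.
    allowed = {"Stopped", "Running"} if instance["hot_swap"] else {"Stopped"}
    if instance["state"] not in allowed:
        problems.append(f"instance must be in state {' or '.join(sorted(allowed))}")
    if instance["last_started"] < RESTART_CUTOFF:
        problems.append("restart the instance from the console or RebootInstance first")
    return problems

# Constructed sample data (hypothetical IDs and field names).
VSWITCH = {"cidr": "192.168.1.0/24", "used_ips": {"192.168.1.10"}}
ENI = {
    "status": "Pending", "vpc_id": "vpc-example", "zone_id": "zone-a",
    "security_groups": [("sg-web", "basic"), ("sg-db", "advanced")],
    "primary_ip": "192.168.1.10",
    "secondary_ipv4": ["192.168.2.5"],
}
INSTANCE = {
    "vpc_id": "vpc-example", "zone_id": "zone-b", "io_optimized": True,
    "hot_swap": False, "state": "Running", "last_started": date(2024, 1, 1),
}

if __name__ == "__main__":
    for problem in check_create(ENI, VSWITCH) + check_bind(ENI, INSTANCE):
        print("FAIL:", problem)
```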
Procedure
Bind when purchasing instance
When purchasing an instance, you can bind up to two ENIs, one as the primary ENI and the other as a secondary ENI.
When purchasing an ECS instance, you can choose to bind ENIs that are already created and in the pending state within the same VPC and zone to the instance as the primary or secondary ENI without additional creation. For specific operations, see Custom Purchase Instance.
Bind after instance creation
After the instance is created, only secondary ENIs can be bound.
Bind through the console
- Log on to the ECS console.
- In the left-side navigation pane, select .
- In the upper-left corner of the page, select the resource group and region where the target resource resides.
- Find the available secondary ENI, and in the operation column, click Bind Instance.
- In the Bind Instance dialog box, select the instance and click Confirm.
  Refresh the list. When the status of the ENI shows Bound, the ENI has been successfully bound.
Bind through API
You can also bind ENIs by calling AttachNetworkInterface, specifying NetworkInterfaceId as the target ENI ID and InstanceId as the instance ID to attach the ENI to an instance of the VPC type.
After the ENI is bound to the instance, you need to configure the ENI to take effect within the instance.
Configure ENI to take effect within the instance
The primary ENI usually takes effect automatically after the instance is created, and you do not need to configure it. When you attach multiple secondary ENIs to an ECS instance, you need to confirm within the instance whether the ENIs have taken effect.
Step 1: Confirm within the instance whether the ENIs have taken effect
If the bound secondary ENI is not correctly configured within the instance, the ENI cannot communicate normally. Follow the steps below to confirm that the ENI has taken effect.
Linux instance
Sample operating system: Alibaba Cloud Linux 3.2.
- Connect to the Linux instance remotely.
  For specific operations, see Log on to a Linux instance by using the SSH protocol through Workbench.
- Run the following command to view and confirm the ENI information of the instance.
  ip a
  The returned information shows the ENI information of the current instance:
  - ENI identifier: eth0, eth1. In this example, the instance has two ENIs, one primary ENI eth0 and one secondary ENI eth1.
  - ENI status: state UP, indicating that the ENI status is normal and the ENI has taken effect within the instance.
    Important: If you see state DOWN as shown in the following figure, the ENI has not been successfully loaded and cannot be used normally. You need to configure the Linux operating system to recognize the ENI to ensure that the ENI status is normal.
  - Primary private IP address of the ENI: After the ENI status is normal, you can see the primary private IP address of each ENI. For more information, see Primary Private IP.
    If your ENI is assigned a secondary private IP address that is not recognized within the operating system, see Configure the operating system to recognize the secondary private IP address to reconfigure it.
- Run the following command to view the routing information of the ENI.
  route -n
  Usually, the system configures two routes for the secondary ENI eth1:
  - Route with Destination 192.168.xx.xx: Specifies the route within a specific subnet. This route ensures that the local machine can correctly identify and directly communicate with other hosts within the subnet without additional routers.
  - Route with Destination 0.0.0.0: This route is used to handle packets destined for external networks or other remote networks. When the destination of a packet is not within the local subnet, the packet is sent to the gateway address 192.168.xx.xx for further forwarding.
  Important:
  - By default, the priority of the default route of the attached ENI is usually lower than that of the default route of eth0, which means that data is preferentially sent from the primary ENI eth0.
  - If you want packets whose source is a private IP of the attached ENI eth1 to be sent from eth1, you can configure policy-based routing for the secondary ENI so that the data is sent and received through the same interface. For more information, see Configure policy-based routing for the ENI.
  Some earlier operating systems, such as Ubuntu 16, may not automatically configure the default route for the secondary ENI. After checking the route, it appears as follows. This situation may cause abnormal ENI usage. It is recommended to use a newer version of the operating system distribution, or you can configure the route yourself. For specific operations, see Configure the default route for the ENI.
Windows instance
Sample operating system: Windows Server 2022.
- Connect to the Windows instance remotely.
  For specific operations, see Log on to a Windows instance by using the RDP protocol through Workbench.
- Open Network and Sharing Center.
- Click Change Adapter Settings.
  In this example, the instance has two ENIs bound (one primary ENI and one secondary ENI). The following information indicates that the ENIs have taken effect within the instance, and no additional configuration is required.
  If the secondary ENI is not correctly recognized due to other reasons, you may see the following information. You can refer to Handling method for ENI configuration failure on Windows instances.
- View the status and details of the ENI.
  - Double-click the ENI name to view the ENI status.
    Take the primary ENI Ethernet as an example:
  - Click Details to view the ENI property information.
    In the dialog box that appears, you can view the primary private IPv4 address, subnet mask, and default gateway of the ENI:
- Open the Command Prompt page.
  Use the keyboard shortcut Win+R to open the Run dialog box, enter the command cmd, and click OK.
- Run the following command to view the routing information of the ENI.
Step 2: Configure the Linux operating system to recognize the ENI
After confirming that the ENI has not taken effect, you can configure it within the system in two ways to activate the ENI.
Most Windows operating systems automatically recognize ENIs. If you encounter an ENI failure, see Handling method for ENI configuration failure on Windows instances.
Method 1: automatically configure using the multi-nic-util tool
- The multi-nic-util tool is only applicable to the following operating systems: Alibaba Cloud Linux 2, CentOS 6 (CentOS 6.8 and later), CentOS 7 (CentOS 7.3 and later), RedHat.
- Alibaba Cloud strongly recommends avoiding using the multi-nic-util tool in Docker or other containerized environments.
- Using the multi-nic-util tool will overwrite the original network configuration of the ECS instance. Please be aware of this risk.
If you cannot use this tool to configure the ENI for the reasons mentioned above, refer to Method 2: Manually Configure Through Network Configuration Files.

- Run the following command to download and install the multi-nic-util tool (public network access is required).
  wget https://image-offline.oss-cn-hangzhou.aliyuncs.com/multi-nic-util/multi-nic-util-0.6.tgz && \
  tar -zxvf multi-nic-util-0.6.tgz && \
  cd multi-nic-util-0.6 && \
  bash install.sh
- Run the following command to restart the ENI service.
  sudo systemctl restart eni.service
- Repeat Step 1: Confirm within the instance whether the ENIs have taken effect to ensure that the ENI status is normal.
Method 2: manually configure through network configuration files
Network configuration files vary depending on the Linux distribution and version, along with the management methods and tools for network configuration.
- It is recommended to back up the original network configuration file before editing it.
  If you accidentally modify the network configuration file and cannot connect to the instance through Workbench, you can connect to the instance through VNC to review and correct the network configuration file.
- In this example, we configure the network management protocol as Dynamic Host Configuration Protocol (DHCP) by default. The network interface will automatically obtain the primary private IP address. If you want to configure the network interface with a static IP, see Configure the operating system to recognize the secondary private IP address.
- Ensure that the IP address, MAC address, gateway, and other information in the network configuration file are accurate. Incorrect network configuration may prevent your instance from communicating normally.

- Connect to the ECS instance remotely.
  For specific operations, see Log on to a Linux instance by using the SSH protocol through Workbench.
- Create and edit the network configuration file for the ENI based on different Linux distributions and versions.
  The primary ENI configuration file is usually generated automatically. The following example explains how to configure a secondary ENI.
RHEL/CentOS series
- Applicable operating systems: Alibaba Cloud Linux 2/3, CentOS 6/7/8, Red Hat 6/7/8/9, Anolis 7/8, Fedora 33/34/35, etc.
- Network interface configuration file: /etc/sysconfig/network-scripts/ifcfg-*
  Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, etc.
- Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1, and configure the network interface settings.
  sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1

  DEVICE=eth1
  TYPE=Ethernet
  BOOTPROTO=dhcp
  ONBOOT=yes
  DEFROUTE=no

  - DEVICE: Specifies the network interface identifier, such as eth1, eth2, etc.
  - TYPE: The type of network interface. Ethernet indicates an Ethernet-type interface.
  - BOOTPROTO: Sets the method for obtaining an IP address. When set to dhcp, the interface will automatically obtain an IP address from the DHCP server on the network. If set to static, you need to manually set the static IP address, subnet mask, etc.
  - ONBOOT: Controls whether this network interface is activated when the system starts. A value of yes means the network interface will be automatically enabled when the system starts; if no, it will not be automatically enabled unless started manually.
  - DEFROUTE: Whether to configure the current network interface as the default route exit.
    - For the primary ENI eth0, you do not need to configure this parameter. The system usually automatically generates the highest priority default route for the primary ENI.
    - To avoid changing the active default route of the ECS instance when starting the secondary ENI, it is recommended not to set eth1 as the default route (after setting, eth1 may replace eth0 as the default route exit, causing communication issues with your primary ENI). In a multi-ENI environment, you can control the traffic forwarding path of the ENI by configuring policy-based routing for the ENI.
Ubuntu 18 and later
Netplan is a newer network configuration framework that has become the default network configuration method for Ubuntu since Ubuntu 18.04 LTS.
- Applicable operating systems: Ubuntu 18/20/22/24
- Network interface configuration file: /etc/netplan/*.yaml
  - The system recognizes YAML files in the /etc/netplan directory, and each network interface can have a separate YAML file.
  - The default primary ENI network configuration file 50-cloud-init.yaml is automatically generated by cloud-init when the system starts.
- Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1, and configure the network interface settings.
  sudo vi /etc/netplan/eth1-netcfg.yaml
  Note: By default, the network configuration file for the primary ENI already exists. To ensure the YAML file format is correct, you can generate the network interface configuration file for the secondary ENI by using cp 50-cloud-init.yaml ethX-netcfg.yaml, and then modify the corresponding information as shown below.

  network:
    version: 2
    ethernets:
      eth1:
        dhcp4: true
        match:
          macaddress: 00:16:3e:xx:xx:xx
        set-name: eth1

  - dhcp4: Whether to enable DHCP for IPv4 on this interface, with values of true or false.
  - match: Matches the attributes of the network interface, such as macaddress.
    You can view the MAC address of the ENI in the console or through the API.
Traditional Debian-based Linux (early Ubuntu)
- Applicable operating systems: Debian, early versions of Ubuntu, such as Ubuntu 14/16, Debian 8/9/10, etc.
- Network interface configuration file: /etc/network/interfaces
  - By editing this file, users can manually configure the IP address, subnet mask, gateway, DNS, and other information of the network interface, and choose static IP or DHCP mode.
  - With the popularity of Systemd and its network management tools, this method has gradually been replaced in newer versions of Ubuntu and some other distributions.
- Main configuration items: The file contains configurations for the type of interface, IP address, subnet mask, gateway, DNS information, etc.
- Sample configuration: Run the following command to edit the network configuration file and configure the network interface settings.
  sudo vi /etc/network/interfaces
  Note: The configurations for the primary ENI (eth0) and the secondary ENI (eth1) are maintained in the same configuration file. Be careful not to omit the information for the primary ENI.

  auto lo
  iface lo inet loopback

  auto eth0
  iface eth0 inet dhcp

  # Specify the name of the ENI that you want to configure.
  # (Comments must be on their own line; this file does not support end-of-line comments.)
  auto eth1
  iface eth1 inet dhcp

  - auto <interface>: Automatically activates the network interface when the system starts.
  - iface <interface> inet <method>: Defines the configuration method for the network interface.
    - inet: Indicates the definition of IPv4-related configurations.
    - method: Sets the method for obtaining an IP address. When set to dhcp, the interface will use the Dynamic Host Configuration Protocol (DHCP) to automatically obtain an IP address, subnet mask, default gateway, and other necessary network parameters. If set to static, you need to manually set the static IP address, subnet mask, etc.
SLES series
- Applicable operating systems: SUSE Linux 11/12/15, OpenSUSE 15, etc.
- Network interface configuration file: /etc/sysconfig/network/ifcfg-*
  Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, etc.
- Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1, and configure the network interface settings.
  sudo vi /etc/sysconfig/network/ifcfg-eth1

  BOOTPROTO='dhcp'
  STARTMODE='auto'

  - BOOTPROTO: Specifies how to obtain the IP address. dhcp means that the interface will automatically obtain an IP address and other related network configuration information (such as subnet mask, default gateway, and DNS server address) from the DHCP server on the network.
  - STARTMODE: Defines how this network interface is handled when the system starts. Setting it to 'auto' means that as long as the system starts and detects that this interface is available, it will attempt to activate this network interface.

- Run the following command to restart the network service.
- Repeat Step 1: Confirm within the instance whether the ENIs have taken effect to ensure that the ENI status is normal.
Assign private IPs for private network communication
Upon assignment to a specific VPC and subnet (vSwitch), an ENI receives a primary private IPv4 address from within the subnet by default. ECS instances utilize this private IP address for internal network communication.
For business needs that require multiple IP addresses, such as multi-application hosting, failover, and load balancing, you can assign additional private IP addresses within the subnet to the ENI. For detailed instructions, see Add Secondary Private IP Addresses to an ENI.
Bind public IPs for public network communication
- In a single primary ENI scenario, you can assign a static public IP to the instance (primary ENI) for public network communication. For more information, see Static Public IP.
- For multi-ENI or more flexible management scenarios, you can bind an Elastic IP Address (EIP) to the ENI for public network communication. EIPs offer greater flexibility than static public IPs as they can be easily bound and unbound. For more information, see Bind an EIP to an ENI.
  You can also bind an ECS instance to one or more ENIs and assign EIPs to multiple private IPs of the ENI, allowing the ECS instance to have multiple public IP addresses. For detailed instructions, see Bind Multiple EIPs to an ECS Instance in Normal Mode.
  Important:
  - After binding an EIP to a secondary ENI, ensure that the ENI is attached to the instance and has taken effect, so the EIP functions properly. For more information, see Configure the ENI to Take Effect Within the Instance.
  - When using a secondary ENI with an EIP or NAT Gateway, the default routing priority is lower than that of the primary ENI. By default, outbound traffic uses the primary ENI, which may lead to communication issues if inbound traffic uses the secondary ENI. To ensure consistent traffic flow, configure policy-based routing to direct traffic to return via the same path it arrived. For more information, see Configure Policy-Based Routing for the ENI.
  - If the ENI and routing are correctly configured but you are unable to ping the public IP, further investigation into the security group, firewall, and other configurations may be necessary. For more information, see Troubleshooting Methods for Failing to Ping the Public IP of an ECS Instance.
Associate ENIs with security groups
ENIs are associated with security groups to provide network-layer security control.
- The security group associated with an ECS instance governs the primary ENI of that instance. This primary ENI is automatically part of the same security group as the ECS instance, and its associated security group cannot be modified independently. To change the security group for the primary ENI, you must modify the security group of the ECS instance itself. For more information, see Add, remove, or change the security group of an instance.
- Secondary ENIs attached to an ECS instance can be linked to different security groups within the same VPC and zone as the instance. You can specify the security group for an ENI during its creation, or change the security group for an ENI after it has been created.
- Setting multiple secondary IPv4 or IPv6 addresses for an ENI means these addresses will also be governed by the ENI's associated security group. You can establish detailed security group rules based on source IP addresses, application-layer protocols, ports, and more to enable fine-grained access control for each ENI. For more information, see Manage security group rules.