
Create and use an ENI

Updated at: 2025-02-21 17:52
Important

This topic contains important information on necessary precautions. We recommend that you read this topic carefully before proceeding.

ENIs can be used to deploy high-availability clusters, perform low-cost failover, and manage networks at a fine-grained level. If your business requires finer network classification and isolation, or if you need to remove the single point of failure of a single network interface card, you can bind multiple ENIs to an ECS instance to give it additional network interfaces.

Create an ENI

You can create an ENI when you purchase an instance or create an ENI separately after the instance is created and bind it to the instance.

Note

There is a limit on the number of ENIs that can be created in a single region. You can visit the Quota Center to view the limits, or you can apply to increase the total number of ENIs based on your business needs. For more information, see ECS quota management.

Create with an instance

When you purchase an ECS instance, you can choose to add an ENI that is created with the instance. These ENIs are automatically assigned IP addresses and bound to the instance without the need for additional binding operations. For more information, see Custom purchase instance.

Note
  • Some ECS instance types do not support binding secondary ENIs when creating instances. You can bind them separately after the instance is created. For more information, see ECS instance types that do not support hot swapping of network interfaces.

  • ENIs created in this manner are released by default when the associated instance is released. You can prevent this by disabling automatic release on the instance, so that the ENI is retained after the instance is released.

Create separately

After creating an instance, if you need to better manage and extend the network capabilities of ECS instances, such as adding private IP addresses, building high-availability network environments, creating dedicated network traffic, and isolating different network environments, you can create secondary ENIs separately to meet your needs. ENIs created separately are secondary ENIs and can be bound to instances.

Note

You can also create an ENI by calling CreateNetworkInterface.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, select Network & Security > ENIs.

  3. In the upper-left corner of the page, select the resource group and region where the target resources reside.

  4. Click Create ENI.

  5. On the Create ENI page, complete the relevant settings.

    The parameters are described as follows:

    • Network interface name: Enter a name for the ENI.

    • VPC: Select the VPC to which the instance to be bound belongs. After an ENI is created, its VPC cannot be changed.

      Note

      An ENI can be bound to only an instance that is in the same VPC as the ENI.

    • vSwitch: Select the vSwitch in the zone where the instance to be bound resides. After an ENI is created, its vSwitch cannot be changed.

      Note

      An ENI and the instance to which it is bound must be in the same zone. They can be connected to different vSwitches.

    • Security group: Select the security group in the current VPC. You can select one to five security groups.

      Note

      You cannot select both basic security groups and advanced security groups.

    • Source/destination check: The source/destination check ensures that the instance is the source or destination of any traffic it receives, preventing spoofed packet attacks and enhancing security. If the instance runs services such as Network Address Translation, routing, or firewall, you need to disable this feature. For more information, see Source/destination check.

    • Primary private IP: (Optional) Enter the primary private IP address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an address, an idle private address is automatically assigned when the ENI is created.

    • Secondary private IP: (Optional) Specify secondary private IP addresses.

      • Do Not Assign: Indicates that the ENI does not need secondary private IP addresses temporarily.

      • Auto-assign: Manually enter the number of secondary private IP addresses, which can be an integer from 1 to 9. The system automatically assigns the specified number of idle IP addresses from the selected vSwitch.

      • Specify Address: Manually add secondary private IP addresses. You can add up to nine secondary private IP addresses.

    • Session timeout: Configure and manage the timeout for established TCP connections, the TCP wait and close timeout, and the UDP stream timeout. For more information, see Connection timeout management.

    • Description: (Optional) Enter a description for the ENI for easy management.

    • Resource group: (Optional) Select a resource group. Resources that are owned by multiple accounts and assigned to multiple projects can be added to resource groups for easy management. For more information about resource groups, see Resource group.

    • Tag: (Optional) Select one or more tags to add to the ENI for easy search and management. For more information about tags, see Tag.

  6. Click Confirm.

    When the status of the newly created ENI in the network interface list is displayed as Available, it indicates that the secondary ENI has been successfully created.
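The constraints in the parameter descriptions above can be checked before an ENI is requested. The following is an added example, not part of the original page or of Alibaba Cloud's code; the function name, dictionary keys, security group names and addresses are constructed for illustration.

```python
import ipaddress


def check_eni_params(p, vswitch_cidr, in_use=()):
    """Return (errors, warnings) for a planned ENI; no errors means acceptable.

    `p` is a plain dict whose keys are hypothetical names chosen for this
    example. `in_use` lists addresses already taken in the vSwitch.
    """
    net = ipaddress.ip_network(vswitch_cidr)
    taken = {ipaddress.ip_address(a) for a in in_use}
    errors, warnings = [], []

    # Security group: one to five groups, never basic and advanced together.
    groups = p.get("security_groups", [])
    if not 1 <= len(groups) <= 5:
        errors.append("select 1 to 5 security groups, got %d" % len(groups))
    if len({kind for _name, kind in groups}) > 1:
        errors.append("basic and advanced security groups cannot be combined")

    # Collect every address the request claims, tagged with its role.
    claimed = []
    if p.get("primary_ip"):
        claimed.append(("primary", p["primary_ip"]))
    mode = p.get("secondary_mode", "none")
    if mode == "auto":
        if not 1 <= p.get("secondary_count", 0) <= 9:
            errors.append("auto-assign count must be an integer from 1 to 9")
    elif mode == "specify":
        addrs = p.get("secondary_ips", [])
        if len(addrs) > 9:
            errors.append("at most nine secondary private IP addresses")
        claimed += [("secondary", a) for a in addrs]

    # The page requires the primary IP to be idle and inside the vSwitch CIDR;
    # applying the same rule to listed secondary IPs is this example's assumption.
    seen = set()
    for role, text in claimed:
        ip = ipaddress.ip_address(text)
        if ip not in net:
            errors.append("%s IP %s is outside vSwitch CIDR %s" % (role, ip, net))
        elif ip in taken:
            errors.append("%s IP %s is already in use" % (role, ip))
        elif ip in seen:
            errors.append("%s IP %s is listed twice" % (role, ip))
        seen.add(ip)

    # Keep the source/destination check on unless the instance forwards traffic
    # (NAT, routing, firewall), because it is what rejects spoofed packets.
    if not p.get("source_dest_check", True) and not p.get("forwards_traffic", False):
        warnings.append("source/destination check disabled on a non-forwarding instance")
    return errors, warnings


# Constructed sample request; group names and addresses are placeholders.
SAMPLE = {
    "security_groups": [("sg-web", "basic"), ("sg-admin", "advanced")],
    "primary_ip": "192.168.2.20",
    "secondary_mode": "specify",
    "secondary_ips": ["192.168.2.21", "192.168.3.5", "192.168.2.20"],
    "source_dest_check": False,
}

if __name__ == "__main__":
    errs, warns = check_eni_params(SAMPLE, "192.168.2.0/24", in_use=["192.168.2.21"])
    for line in errs:
        print("error:", line)
    for line in warns:
        print("warning:", line)
```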

Bind an ENI to an instance

Note

An ENI can be bound to only one ECS instance at a time. However, an ECS instance can have multiple ENIs. For the number of ENIs that can be bound to each instance type, see Instance family.

The primary ENI is bound when the instance is created. If you want to extend the network interfaces for an instance, you need to bind the secondary ENI in the Pending status to the target instance.

Prerequisites

  • The ENI to be bound must be in the same VPC and zone as the target ECS instance.

  • The ECS instance to be bound must be an I/O optimized instance type (see Instance family or call DescribeInstanceTypes to view the performance data of the target instance type, or see Instance type selection guide to learn how to select an instance type) and must be in the Stopped or Running state.

    Some instance types do not support hot swapping and only support binding secondary ENIs when in the Stopped state.

    List of ECS instance types that do not support hot swapping of network interfaces (instance family: instance types)

    • Shared standard instance family s6: ecs.s6-c1m1.small, ecs.s6-c1m2.large, ecs.s6-c1m2.small, ecs.s6-c1m4.large, ecs.s6-c1m4.small

    • Economy instance family e: ecs.e-c1m1.large, ecs.e-c1m2.large, ecs.e-c1m4.large

    • Burstable instance family t6: ecs.t6-c1m1.large, ecs.t6-c1m2.large, ecs.t6-c1m4.large, ecs.t6-c2m1.large, ecs.t6-c4m1.large

    • Burstable instance family t5: ecs.t5-c1m1.large, ecs.t5-c1m2.large, ecs.t5-c1m4.large, ecs.t5-lc1m1.small, ecs.t5-lc1m2.large, ecs.t5-lc1m2.small, ecs.t5-lc1m4.large, ecs.t5-lc2m1.nano

    • Previous-generation shared instance families xn4, n4, mn4, e4:

      • ecs.xn4.small

      • ecs.n4.small, ecs.n4.large

      • ecs.mn4.small, ecs.mn4.large

      • ecs.e4.small, ecs.e4.large

  • If the ECS instance was last started, restarted, or reactivated before April 1, 2018, you must restart the instance before you can bind ENIs to it.

    Important

    You must restart the ECS instance in the console or by calling RebootInstance. Restarting the instance from within the operating system does not count.

Procedure

Bind when purchasing an instance

Note

When purchasing an instance, you can bind up to two ENIs: one primary ENI and one secondary ENI.

When purchasing an ECS instance, you can choose to bind an ENI that has already been created and is in the pending state in the same VPC and zone to the instance as the primary ENI or secondary ENI, without the need to create a new one. For more information, see Custom purchase instance.

Bind after instance creation

Note

After an instance is created, only secondary ENIs can be bound.

  • Bind through the console

    1. Log on to the ECS console.

    2. In the left-side navigation pane, select Network & Security > ENIs.

    3. In the upper-left corner of the page, select the resource group and region where the target resources reside.

    4. Find the available secondary ENI and click Bind Instance in the Actions column.

    5. In the Bind Instance dialog box, select an instance and click Confirm.

      Refresh the list. When the status of the ENI is displayed as Bound, it indicates that the ENI has been successfully bound.

  • Bind through API

    You can also bind an ENI by calling AttachNetworkInterface, specifying NetworkInterfaceId as the target ENI ID and InstanceId as the instance ID to attach the ENI to an instance of the VPC type.

    Specify the physical network interface index through NetworkCardIndex in the API

    To support higher network performance, some instance types support physical network interface mapping. When you attach an ENI by calling AttachNetworkInterface, you can specify the NetworkCardIndex parameter to map the ENI to the network interface of the physical machine, thereby avoiding bandwidth contention and improving the bandwidth capability of the instance. For more information, see Physical network interface mapping.
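The prerequisites above can be evaluated before AttachNetworkInterface is called, so that a bind that cannot succeed is rejected early. The following is an added example, not part of the original page or of Alibaba Cloud's code; the dictionary keys, function names and all identifiers in the sample records are hypothetical.

```python
from datetime import date

# Instance types the page lists as not supporting hot swapping of ENIs.
NO_HOT_SWAP = frozenset("""
ecs.s6-c1m1.small ecs.s6-c1m2.large ecs.s6-c1m2.small ecs.s6-c1m4.large
ecs.s6-c1m4.small ecs.e-c1m1.large ecs.e-c1m2.large ecs.e-c1m4.large
ecs.t6-c1m1.large ecs.t6-c1m2.large ecs.t6-c1m4.large ecs.t6-c2m1.large
ecs.t6-c4m1.large ecs.t5-c1m1.large ecs.t5-c1m2.large ecs.t5-c1m4.large
ecs.t5-lc1m1.small ecs.t5-lc1m2.large ecs.t5-lc1m2.small ecs.t5-lc1m4.large
ecs.t5-lc2m1.nano ecs.xn4.small ecs.n4.small ecs.n4.large ecs.mn4.small
ecs.mn4.large ecs.e4.small ecs.e4.large
""".split())
RESTART_CUTOFF = date(2018, 4, 1)


def attach_blockers(eni, inst):
    """Return the reasons the bind would fail; an empty list means go ahead.

    Both arguments are plain dicts whose keys are hypothetical names chosen for
    this example; populate them from your own inventory or API responses.
    """
    why = []
    if eni["type"] != "Secondary":
        why.append("only secondary ENIs can be bound after instance creation")
    if eni["status"] != "Available":
        why.append("ENI status is %s, not Available" % eni["status"])
    if eni["vpc_id"] != inst["vpc_id"]:
        why.append("ENI and instance are in different VPCs")
    if eni["zone_id"] != inst["zone_id"]:
        why.append("ENI and instance are in different zones")
    # A different vSwitch in the same zone is allowed, so it is not compared.
    if not inst["io_optimized"]:
        why.append("instance type is not I/O optimized")
    if inst["status"] not in ("Running", "Stopped"):
        why.append("instance is %s, must be Running or Stopped" % inst["status"])
    elif inst["status"] == "Running" and inst["instance_type"] in NO_HOT_SWAP:
        why.append("%s has no hot swapping: stop the instance first"
                   % inst["instance_type"])
    if inst["last_started"] < RESTART_CUTOFF:
        why.append("last started before 2018-04-01: restart from the console "
                   "or with RebootInstance first")
    return why


def attach_request(eni, inst, network_card_index=None):
    """Build AttachNetworkInterface parameters, refusing when a check fails."""
    why = attach_blockers(eni, inst)
    if why:
        raise ValueError("; ".join(why))
    # Only the parameters named on the page; anything else your client needs
    # is left out of this example.
    params = {"NetworkInterfaceId": eni["id"], "InstanceId": inst["id"]}
    if network_card_index is not None:
        params["NetworkCardIndex"] = network_card_index
    return params


# Constructed sample records; every identifier is a placeholder.
SAMPLE_ENI = {"id": "eni-EXAMPLE", "type": "Secondary", "status": "Available",
              "vpc_id": "vpc-EXAMPLE-A", "zone_id": "zone-EXAMPLE-1"}
SAMPLE_INSTANCE = {"id": "i-EXAMPLE", "instance_type": "ecs.t6-c1m1.large",
                   "status": "Running", "io_optimized": True,
                   "vpc_id": "vpc-EXAMPLE-A", "zone_id": "zone-EXAMPLE-1",
                   "last_started": date(2025, 1, 10)}

if __name__ == "__main__":
    for reason in attach_blockers(SAMPLE_ENI, SAMPLE_INSTANCE):
        print("blocked:", reason)
```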

After the ENI is bound to the instance, you need to configure the ENI to take effect inside the instance.

Configure the ENI to take effect inside the instance

The primary ENI usually takes effect automatically after the instance is created, and no configuration is required. After you attach multiple secondary ENIs to an ECS instance, you need to confirm whether the ENIs take effect inside the instance.

Step 1: Confirm whether the ENI takes effect inside the instance

Warning

If the bound secondary ENI is not correctly configured inside the instance, the ENI cannot communicate properly. Confirm whether the ENI takes effect according to the following operations.

Linux instance

Sample operating system: Alibaba Cloud Linux 3.2.

  1. Connect to the Linux instance.

    For more information, see Log on to a Linux instance by using the SSH protocol in Workbench.

  2. Run the following command to view and confirm the network interface information of the instance.

    ip a

    The command output contains the following information:

    • Network interface identifier: eth0, eth1. In this example, two ENIs are bound to the instance. The ENI named eth0 serves as the primary ENI, and the ENI named eth1 serves as a secondary ENI.

    • Network interface status: state UP indicates that the network interface is in the normal state, which means that the network interface has taken effect inside the instance.

      Important

      If the state is DOWN, the network interface is not successfully loaded and cannot be used properly. You need to configure the Linux operating system to identify the network interface to ensure that the network interface is in the normal state.

    • Primary private IP address of the network interface: After the network interface is in the normal state, you can view the primary private IP address of each ENI. For more information, see Primary private IP.

      If your network interface is assigned a secondary private IP address but is not recognized inside the operating system, you can refer to Configure the operating system to recognize the secondary private IP address for reconfiguration.

  3. Run the following command to view the routing information of the network interface.

    route -n


    In most cases, the system configures two routes for the secondary ENI eth1:

    • Route with destination 192.168.xx.xx: Specifies the route within a specific subnet. This route ensures that the local machine can correctly identify and directly communicate with other hosts within the subnet without the need to forward traffic that matches the route to additional routers.

    • Route with destination 0.0.0.0: This route is used to handle packets destined for external networks or other remote networks. When the destination of a packet is not within the local subnet, the packet is sent to the gateway address 192.168.xx.xx for further forwarding.

      Important
      • By default, the priority of the default route of the attached network interface is usually lower than that of the default route of eth0, which means that data is preferentially sent from the primary ENI eth0.

      • If you want to specify that packets with private IP addresses corresponding to the attached network interface eth1 are sent from eth1, you can configure policy-based routing for the secondary network interface to ensure that the source and destination of the data are consistent. For more information, see Configure policy-based routing for the network interface.

      Some earlier operating systems, such as Ubuntu 16, may not automatically configure the default route for the secondary ENI. When you view the routes on such a system, the default route for the secondary ENI is missing, and the network interface may not work properly. We recommend that you use a newer version of the operating system distribution, or you can configure the route yourself. For more information, see Configure the default route for the network interface.
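The Linux checks in this step (interface state, primary private IP address, subnet route, default route and its priority relative to eth0) can be applied to saved `ip a` and `route -n` output. The following is an added example, not part of the original page; the sample output is constructed and the function names are this example's own.

```python
import re

# Constructed sample output (not captured from a real instance). eth0 is the
# primary ENI, eth1 a working secondary ENI, eth2 a secondary ENI that the
# operating system has not brought up.
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:00:00:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.20/24 brd 192.168.2.255 scope global dynamic eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:16:3e:00:00:03 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.253   0.0.0.0         UG    100    0        0 eth0
0.0.0.0         192.168.2.253   0.0.0.0         UG    101    0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     101    0        0 eth1
"""

HEADER = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<[^>]*>.*?\bstate\s+(\S+)")
INET = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")


def parse_ip_a(text):
    """Return {ifname: {"state": str, "ipv4": [addr, ...]}} from `ip a` output."""
    nics, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            nics[current] = {"state": m.group(2), "ipv4": []}
            continue
        m = INET.match(line)
        if m and current:
            nics[current]["ipv4"].append(m.group(1))
    return nics


def parse_route_n(text):
    """Return [(destination, metric, ifname), ...] from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(f) == 8 and re.fullmatch(r"[\d.]+", f[0]):
            routes.append((f[0], int(f[4]), f[7]))
    return routes


def audit_enis(ip_a_text, route_n_text, primary="eth0"):
    """Apply the Step 1 checks. Returns {ifname: (problems, notes)}."""
    nics = parse_ip_a(ip_a_text)
    routes = parse_route_n(route_n_text)
    default_metric = {dev: metric for dest, metric, dev in routes if dest == "0.0.0.0"}
    report = {}
    for name, nic in nics.items():
        if name == "lo":
            continue
        problems, notes = [], []
        if nic["state"] != "UP":
            problems.append("state %s: interface not loaded" % nic["state"])
        if not nic["ipv4"]:
            problems.append("no primary private IPv4 address")
        if not any(dev == name and dest != "0.0.0.0" for dest, metric, dev in routes):
            problems.append("no subnet route")
        if name not in default_metric:
            problems.append("no default route")
        elif (name != primary and primary in default_metric
              and default_metric[name] > default_metric[primary]):
            # Expected default: the primary ENI wins, so replies to traffic that
            # arrived on this ENI leave through the primary one.
            notes.append("default route metric %d is behind %s (%d): traffic leaves "
                         "via %s unless policy-based routing is configured"
                         % (default_metric[name], primary, default_metric[primary], primary))
        report[name] = (problems, notes)
    return report


if __name__ == "__main__":
    for nic, (problems, notes) in audit_enis(SAMPLE_IP_A, SAMPLE_ROUTE_N).items():
        print(nic, "problems:", problems, "notes:", notes)
```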

Windows instance

Sample operating system: Windows Server 2022.

  1. Connect to the Windows instance.

    For more information, see Log on to a Windows instance by using the RDP protocol in Workbench.

  2. Open Network and Sharing Center.

  3. Click Change Adapter Settings.

    In this example, two ENIs are bound to the instance (one primary ENI and one secondary ENI). The following figure shows that the ENIs take effect inside the instance. No additional configurations are required.


    If the secondary ENI is not correctly recognized due to other reasons, you may see the following information. You can refer to Troubleshoot the failure of the ENI configuration for Windows instances.


  4. View the status and details of the network interface.

    1. Double-click the network interface name to view the status of the network interface.

      Take the primary ENI Ethernet as an example:


    2. Click Details to view the properties of the network interface.

      In the dialog box that appears, you can view the primary private IPv4 address, subnet mask, and default gateway of the network interface:


  5. Open the Command Prompt page.

    Press the Win+R keyboard shortcut to open the Run dialog box, enter the command cmd, and click OK.

  6. Run the following command to view the routing information of the network interface.

    image

Step 2: Configure the Linux operating system to recognize the network interface

After confirming that the network interface does not take effect, you can configure the network interface in the system in the following two ways to make it take effect.

Note

Most Windows operating systems can automatically recognize ENIs. If the network interface fails, see Troubleshoot the failure of the ENI configuration for Windows instances.

Method 1: Automatically configure by using the multi-nic-util tool

Important
  • Using the multi-nic-util tool may overwrite the original network configurations of the ECS instance. Proceed with caution.

  • We strongly recommend that you avoid using the multi-nic-util tool in Docker or other containerized environments.

  • Supported operating systems for multi-nic-util: Alibaba Cloud Linux 2, CentOS 6 (CentOS 6.8 and later), CentOS 7 (CentOS 7.3 and later), RedHat.

    For other operating systems, you can refer to Method 2: Manually configure by using network configuration files.

  1. Run the following command to download and install the multi-nic-util tool (public network access is required).

    wget https://image-offline.oss-cn-hangzhou.aliyuncs.com/multi-nic-util/multi-nic-util-0.6.tgz && \
    tar -zxvf multi-nic-util-0.6.tgz && \
    cd multi-nic-util-0.6 && \
    bash install.sh

  2. Run the following command to restart the ENI service.

    sudo systemctl restart eni.service

  3. Refer to Step 1: Confirm whether the ENI takes effect inside the instance again to confirm that the network interface is in the normal state.

Method 2: Manually configure by using network configuration files

Network configuration files vary depending on the Linux distribution and version, along with the management methods and tools for network configuration.

Important
  • We recommend that you back up the original network configuration file before you modify it.

    If you accidentally modify the network configuration file and cannot connect to the instance by using Workbench, you can connect to the instance by using VNC to compare and view the changes in the network configuration file and fix them.

  • In this example, we configure the network management protocol as Dynamic Host Configuration Protocol (DHCP) by default. The network interface automatically obtains the primary private IP address. If you want to configure the network interface by using a static IP address, see Configure the operating system to recognize the secondary private IP address.

  • Make sure that the IP address, MAC address, gateway, and other information in the network configuration file are consistent with the actual situation. Incorrect network configurations may cause your instance to fail to communicate properly.

  1. Connect to the ECS instance.

    For more information, see Log on to a Linux instance by using the SSH protocol in Workbench.

  2. Create and edit the network configuration file for the ENI based on different Linux distributions and versions.

    The configuration file for the primary ENI is usually generated automatically. The following example describes how to configure the secondary ENI.

    RHEL/CentOS series

    • Supported operating systems: Alibaba Cloud Linux 2/3, CentOS 6/7/8, Red Hat 6/7/8/9, Anolis 7/8, Fedora 33/34/35, and so on.

    • Network interface configuration file: /etc/sysconfig/network-scripts/ifcfg-*

      Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, and so on.

    • Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1 bound to the instance and configure the network interface settings.

      sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1

      DEVICE=eth1
      TYPE=Ethernet
      BOOTPROTO=dhcp
      ONBOOT=yes

      • DEVICE: Specifies the network interface identifier, such as eth1, eth2, and so on.

      • TYPE: Specifies the type of the network interface. Ethernet indicates that the interface is of the Ethernet type.

      • BOOTPROTO: Specifies how to obtain the IP address. When set to dhcp, the interface automatically obtains an IP address from the DHCP server in the network by using the DHCP protocol. If set to static, you need to manually set the static IP address, subnet mask, and other information.

      • ONBOOT: Controls whether to activate the network interface when the system starts. A value of yes means that the network interface is automatically enabled when the system starts. If set to no, the network interface is not automatically enabled unless it is manually started.

    Ubuntu 18 and later

    Netplan is a newer network configuration framework that has become the default network configuration method for Ubuntu since Ubuntu 18.04 LTS.

    • Supported operating systems: Ubuntu 18/20/22/24

    • Network interface configuration file: /etc/netplan/*.yaml

      • The system recognizes YAML files in the /etc/netplan directory. You can set a separate YAML file for each network interface.

      • The default network configuration file for the primary ENI, 50-cloud-init.yaml, is automatically generated by cloud-init when the system starts.

    • Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1 bound to the instance and configure the network interface settings.

      sudo vi /etc/netplan/eth1-netcfg.yaml

      Note

      By default, the network configuration file for the primary ENI already exists. To ensure that the YAML file format is correct, you can run the cp 50-cloud-init.yaml ethX-netcfg.yaml command to generate the network interface configuration file for the secondary ENI, and then modify the corresponding information as shown below.

      network:
          version: 2
          ethernets:
              eth1:
                  dhcp4: true
                  match:
                      macaddress: 00:16:3e:xx:xx:xx
                  set-name: eth1

      • dhcp4: Specifies whether to enable DHCP for IPv4 on the interface. The value can be true or false.

      • match: Matches the attributes of the network interface, such as macaddress.

        You can view the MAC address of the ENI in the console or through the API.

    Traditional Debian-based Linux (earlier Ubuntu)

    • Supported operating systems: Debian and earlier versions of Ubuntu, such as Ubuntu 14/16, Debian 8/9/10, and so on.

    • Network interface configuration file: /etc/network/interfaces

      • By editing this file, users can manually configure the IP address, subnet mask, gateway, DNS, and other information of the network interface, and set the static IP or DHCP mode.

      • With the popularity of Systemd and its network management tools, this method has been gradually replaced in newer versions of Ubuntu and some other distributions.

    • Main configuration items: The file contains the configuration of the type, IP address, subnet mask, gateway, DNS information, and other settings of the interface.

    • Sample configuration: Run the following command to edit the network configuration file and configure the network interface settings.

      sudo vi /etc/network/interfaces

      Note

      The configuration of the primary ENI (eth0) and the secondary ENI (eth1) is maintained in the same configuration file. Make sure not to omit the information of the primary ENI.

      auto lo
      iface lo inet loopback

      auto eth0
      iface eth0 inet dhcp

      # Specify the name of the ENI that you want to configure.
      auto eth1
      iface eth1 inet dhcp

      • auto <interface>: Automatically activates the network interface when the system starts.

      • iface <interface> inet <method>: Defines the configuration method of the network interface.

      • inet: Indicates that the IPv4-related configuration is defined.

      • method: Specifies how to obtain the IP address. When set to dhcp, the interface uses the DHCP protocol to automatically obtain the IP address, subnet mask, default gateway, and other necessary network parameters. If set to static, you need to manually set the static IP address, subnet mask, and other information.

    SLES series

    • Supported operating systems: SUSE Linux 11/12/15, OpenSUSE 15, and so on.

    • Network interface configuration file: /etc/sysconfig/network/ifcfg-*

      Each network interface has a corresponding configuration file, such as ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, and so on.

    • Sample configuration: Run the following command to create and edit the configuration file for the secondary ENI eth1 bound to the instance and configure the network interface settings.

      sudo vi /etc/sysconfig/network/ifcfg-eth1

      BOOTPROTO='dhcp'
      STARTMODE='auto'

      • BOOTPROTO: Specifies how to obtain the IP address. dhcp means that the interface automatically obtains the IP address and other related network configuration information (such as subnet mask, default gateway, and DNS server address) from the DHCP server on the network by using the DHCP protocol.

      • STARTMODE: Defines how to handle the network interface when the system starts. When set to 'auto', the system attempts to activate the network interface as long as the system starts and detects that the interface is available.

  3. Run the following command to restart the network service.

    Restart the network service to allow the new configurations to take effect.

    The command to restart the network service depends on the operating system:

    • Alibaba Cloud Linux 2, CentOS 7, Red Hat 7, Anolis 7, SUSE Linux 11, SUSE Linux 12, SUSE Linux 15, openSUSE 15, and openSUSE 42: sudo service network restart or sudo systemctl restart network

    • CentOS 6 and Red Hat 6: sudo service network restart

    • Alibaba Cloud Linux 3, CentOS 8, Red Hat 8, Anolis 8, Fedora 33, Fedora 34, and Fedora 35: sudo systemctl restart NetworkManager or sudo reboot

    • Ubuntu 18, Ubuntu 20, Ubuntu 22, and Debian 12: sudo netplan apply

    • Ubuntu 14, Ubuntu 16, Debian 8, Debian 9, Debian 10, and Debian 11: sudo systemctl restart networking or sudo reboot

  4. Refer to Step 1: Confirm whether the ENI takes effect inside the instance again to confirm that the network interface is in the normal state.

Assign private IP for private network communication

After an ENI is assigned to a specific VPC and subnet (vSwitch), it is assigned a primary private IPv4 address within the subnet by default. The ECS instance communicates within the internal network through this private IP address.

If you have multi-IP requirements in business scenarios such as multi-application, failover, and load balancing, you can assign multiple private IP addresses within the subnet to the network interface. For more information, see Add secondary private IP addresses to an ENI.

Bind public IP for public network communication

  • Single primary ENI scenario: You can assign a static public IP address to the instance (primary ENI) to achieve public network communication. For more information, see Static public IP.

  • Multi-ENI or more flexible management scenario: You can bind an Elastic IP Address (EIP) to an ENI to achieve public network communication. Compared with a static public IP address, an EIP can be flexibly bound and unbound. For more information, see Bind an EIP to an ENI.

    You can also bind an ECS instance to one or more ENIs and bind an EIP to multiple private IP addresses of the ENI, so that the ECS instance has multiple public IP addresses. For more information, see Bind multiple EIPs to an ECS instance in NAT mode.

    Important
    • After you bind an EIP to a secondary ENI, you must ensure that the ENI is bound to the instance and has taken effect inside the instance, so that the EIP can be used properly. For more information, see Configure the ENI to take effect inside the instance.

    • When using a secondary ENI with an EIP or NAT Gateway, because its default route priority is lower than that of the primary ENI, outbound traffic is preferentially sent through the primary ENI by default. This may cause communication exceptions for the EIP when traffic flows in through the secondary ENI and returns through the primary ENI. In this case, you can configure policy-based routing to force the traffic to return from the network interface that receives the data, ensuring that the inbound and outbound paths are consistent. For more information, see Configure policy-based routing for the network interface.

    • If the network interface and route are correctly configured but you still cannot ping the public IP address, you may need to further check the security group, firewall, and other configurations. For more information, see Troubleshoot the failure to ping the public IP address of an ECS instance.

Associate an ENI with a security group

An ENI is associated with a security group to provide security control at the network layer.

  • The security group associated with an ECS instance applies its rules to the primary ENI of the ECS instance. The primary ENI is added to the same security group as the instance, and you cannot modify the security group associated with the primary ENI separately. You can modify the security group to which the primary ENI belongs by modifying the security group of the ECS instance. For more information, see Add, remove, or change the security group of an instance.

  • The secondary ENI attached to an ECS instance can be associated with a security group in the same VPC and zone as the instance. It can be different from the security group of the instance. You can specify the security group associated with the ENI when creating the ENI, or you can change the security group associated with the ENI after the ENI is created.

  • If you set multiple secondary IPv4 or IPv6 addresses for an ENI, these IPv4 or IPv6 addresses are also associated with the security group associated with the ENI. You can configure precise security group rules based on source IP addresses, application-layer protocols, and ports to achieve fine-grained access control for the traffic of each ENI. For more information, see Manage security group rules.
