Multiple secondary elastic network interfaces (ENIs) can be bound to an Elastic Compute Service (ECS) instance. In a virtual private cloud (VPC), the secondary ENIs bound to an ECS instance can be added to security groups that are different from the security groups to which the primary ENI is added. To implement fine-grained access control on the secondary ENIs, you can configure security group rules for each ENI based on the source IP address, application-layer protocol, and port range. This topic describes how to associate a secondary ENI with security groups for an ECS instance.
Limits
A secondary ENI must be associated with at least one security group. Each secondary ENI of an ECS instance can be associated with a limited number of security groups. For more information, see the Security group limits section of the "Limits" topic.
The secondary ENIs of an ECS instance and the security groups to which you want to add the secondary ENIs must use the same network type. If the secondary ENIs of the ECS instance and the security groups use the VPC network type, they must belong to the same VPC.
A secondary ENI can be added only to security groups that are of the same type (basic or advanced). For more information, see Basic security groups and advanced security groups.
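The limits above can be checked before a change is submitted. The following Python sketch is an added example, not code from the ECS documentation or SDK: the SecurityGroup model, its field names, the sample IDs and the max_groups value of 5 are assumptions, and the actual per-ENI limit is the one given in the "Limits" topic. It rejects a proposed set of security groups that breaks a limit and otherwise lists which groups the ENI would join and leave.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class SecurityGroup:
    """Constructed model for this example; field names are assumptions."""
    group_id: str
    vpc_id: Optional[str]   # None stands for a non-VPC network type
    group_type: str         # "basic" or "advanced"

def validate_groups(eni_vpc_id: Optional[str], proposed: List[SecurityGroup],
                    max_groups: int) -> List[str]:
    """Return violations of the limits; an empty list means the set is allowed."""
    if not proposed:
        return ["ENI must stay associated with at least one security group"]
    errors = []
    if len({g.group_id for g in proposed}) > max_groups:
        errors.append(f"more than {max_groups} security groups requested")
    for g in proposed:
        if g.vpc_id != eni_vpc_id:
            errors.append(f"{g.group_id}: network type or VPC differs from the ENI")
    if len({g.group_type for g in proposed}) > 1:
        errors.append("basic and advanced security groups cannot be mixed")
    return errors

def plan_change(current_ids: List[str], proposed: List[SecurityGroup]
                ) -> Tuple[List[str], List[str]]:
    """Return (to_join, to_leave) group IDs, each sorted for stable output."""
    want = {g.group_id for g in proposed}
    have = set(current_ids)
    return sorted(want - have), sorted(have - want)

# Constructed sample data: the IDs are placeholders, not real resources.
ENI_VPC = "vpc-example-a"
CURRENT = ["sg-example-web"]
PROPOSED_OK = [SecurityGroup("sg-example-web", "vpc-example-a", "basic"),
               SecurityGroup("sg-example-db", "vpc-example-a", "basic")]
PROPOSED_BAD = [SecurityGroup("sg-example-web", "vpc-example-a", "basic"),
                SecurityGroup("sg-example-adv", "vpc-example-b", "advanced")]

if __name__ == "__main__":
    # max_groups=5 is an assumed value used only for this demonstration.
    for name, proposed in (("ok", PROPOSED_OK), ("bad", PROPOSED_BAD), ("empty", [])):
        problems = validate_groups(ENI_VPC, proposed, max_groups=5)
        if problems:
            print(name, "rejected:", problems)
        else:
            print(name, "join/leave:", plan_change(CURRENT, proposed))
```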
Add a secondary ENI to or remove a secondary ENI from security groups
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the secondary ENI that you want to manage. In the Operation column, click Change Security Groups.
In the Change Security Groups dialog box, change the security groups to which you want to add the secondary ENI.
To add the secondary ENI to security groups that are not associated with the ENI, select the security groups from the Security Group drop-down list and click Confirm.
To remove the secondary ENI from specific security groups, delete the security groups from the Security Group field and click Confirm.
Add a secondary ENI to or remove a secondary ENI from a specific security group
You can add a secondary ENI to or remove a secondary ENI from a security group based on your business requirements.
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the security group that you want to manage. In the Operation column, choose > Manage ENIs.
On the Secondary network card tab of the security group, add a secondary ENI to or remove a secondary ENI from the security group.
To add a secondary ENI to the security group, click Add ENI to Security Group. In the Add ENI to Security Group dialog box, enter the ENI ID or name in the ENI field, select the ENI, and then click Confirm.
To remove one or more secondary ENIs from the security group, select the secondary ENIs that you want to remove and click Remove from Security Group in the lower part of the page. In the Remove from Security Group message, click OK.
Query secondary ENIs that are associated with a security group
In the left-side navigation pane, choose . Find a security group that you want to manage and choose > Manage ENIs in the Operation column.
On the Secondary network card tab, view all secondary ENIs that are associated with the security group.
Related API operations
For information about how to add an ENI to a security group by calling an API operation, see JoinSecurityGroup.
For information about how to remove an ENI from a security group by calling an API operation, see LeaveSecurityGroup.
For information about how to change the security groups to which an ENI is added by calling an API operation, see ModifyNetworkInterfaceAttribute.