
Elastic Compute Service: Associate a secondary ENI with security groups

Last Updated: Feb 07, 2025

Multiple secondary elastic network interfaces (ENIs) can be bound to an Elastic Compute Service (ECS) instance. In a virtual private cloud (VPC), the secondary ENIs bound to an ECS instance can be added to security groups that are different from the security groups to which the primary ENI is added. To implement fine-grained access control on the secondary ENIs, you can configure security group rules for each ENI based on the source IP address, application-layer protocol, and port range. This topic describes how to associate a secondary ENI with security groups for an ECS instance.

Limits

  • A secondary ENI must be associated with at least one security group. Each secondary ENI of an ECS instance can be associated with a limited number of security groups. For more information, see the Security group limits section of the "Limits" topic.

  • The secondary ENIs of an ECS instance and the security groups to which you want to add the secondary ENIs must use the same network type. If the secondary ENIs of the ECS instance and the security groups use the VPC network type, they must belong to the same VPC.

  • A secondary ENI can be added only to security groups that are of the same type (basic or advanced). For more information, see Basic security groups and advanced security groups.

Add a secondary ENI to or remove a secondary ENI from security groups

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Elastic Network Interfaces.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the secondary ENI that you want to manage. In the Operation column, click Change Security Groups.

  5. In the Change Security Groups dialog box, change the security groups to which you want to add the secondary ENI.

    • To add the secondary ENI to security groups that are not associated with the ENI, select the security groups from the Security Group drop-down list and click Confirm.

    • To remove the secondary ENI from specific security groups, delete the security groups from the Security Group field and click Confirm.
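
The limits listed above can be checked before a group change is submitted. The following is an added example, not Alibaba Cloud code: the `SecurityGroup` model, its field names, the `plan_change` helper and the sample IDs are assumptions, and `max_groups` must be supplied by the caller because this topic does not state the number.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityGroup:
    # Constructed model; field names are assumptions, not API fields.
    group_id: str
    vpc_id: str       # VPC the group belongs to
    group_type: str   # "basic" or "advanced"

def plan_change(eni_vpc_id, current, desired, max_groups):
    """Return (errors, to_add, to_remove) for moving a secondary ENI from
    the `current` group set to the `desired` one.

    max_groups is an assumption passed in by the caller: the topic only says
    the number is limited and points to the "Limits" topic for the value.
    """
    errors = []
    if not desired:
        errors.append("a secondary ENI must keep at least one security group")
    if len(desired) > max_groups:
        errors.append(f"{len(desired)} groups exceeds the limit of {max_groups}")
    for sg in desired:
        if sg.vpc_id != eni_vpc_id:
            errors.append(f"{sg.group_id} is in {sg.vpc_id}, ENI is in {eni_vpc_id}")
    types = sorted({sg.group_type for sg in desired})
    if len(types) > 1:
        errors.append("mixed group types: " + ", ".join(types))
    if errors:
        return errors, [], []   # refuse to plan an invalid change
    cur_ids = {sg.group_id for sg in current}
    new_ids = {sg.group_id for sg in desired}
    return errors, sorted(new_ids - cur_ids), sorted(cur_ids - new_ids)

# Constructed sample data (IDs are placeholders, not real resources).
WEB = SecurityGroup("sg-web", "vpc-a", "basic")
DB = SecurityGroup("sg-db", "vpc-a", "basic")
ADV = SecurityGroup("sg-adv", "vpc-a", "advanced")
OTHER = SecurityGroup("sg-other", "vpc-b", "basic")

if __name__ == "__main__":
    print(plan_change("vpc-a", [WEB], [DB], max_groups=5))
    print(plan_change("vpc-a", [WEB], [WEB, ADV, OTHER], max_groups=5))
    print(plan_change("vpc-a", [WEB], [], max_groups=5))
```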

Add a secondary ENI to or remove a secondary ENI from a specific security group

You can add a secondary ENI to or remove a secondary ENI from a security group based on your business requirements.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the security group that you want to manage. In the Operation column, click the icon and choose Manage ENIs.

  5. On the Secondary network card tab of the security group, add a secondary ENI to or remove a secondary ENI from the security group.

    • To add a secondary ENI to the security group, click Add ENI to Security Group. In the Add ENI to Security Group dialog box, enter the ENI ID or name in the ENI field, select the ENI, and then click Confirm.

    • To remove one or more secondary ENIs from the security group, select the secondary ENIs that you want to remove and click Remove from Security Group in the lower part of the page. In the Remove from Security Group message, click OK.

Query secondary ENIs that are associated with a security group

  1. In the left-side navigation pane, choose Network & Security > Security Groups. Find the security group that you want to manage, click the icon in the Operation column, and choose Manage ENIs.

  2. On the Secondary network card tab, view all secondary ENIs that are associated with the security group.