Elastic IP Address:Associate an EIP with a cloud resource

Associate with an ECS instance

You can directly associate an EIP with an Elastic Compute Service (ECS) instance that is in the same region and deployed in a virtual private cloud (VPC).

• An ECS instance can be associated with only one EIP.

• Before you associate an EIP, make sure the ECS instance is in the Running or Stopped state. The instance cannot have a public IP address or another EIP.

• An EIP is associated with an ECS instance in NAT mode. In this mode, the EIP can process only address and port information at the IP and transport layers. It does not support protocols that require a NAT Application Layer Gateway (NAT ALG).

Associate with an ENI (EIP-visible mode)

An EIP is mapped to the private NIC of an ECS instance using NAT. Therefore, the NIC of the ECS instance can detect only the private IP address, not the EIP. You can use EIP-visible mode to associate an EIP with a secondary ENI to make the EIP visible on the NIC.

• After you associate an EIP in EIP-visible mode, you cannot access the 100.64.0.0/10 CIDR block. This CIDR block is reserved for internal communication between Alibaba Cloud services. Make sure that a route with the destination CIDR block 100.64.0.0/10 points to the primary ENI or another secondary ENI that is not associated with an EIP in EIP-visible mode.

• Associating an EIP with a secondary ENI in EIP-visible mode has many limitations. We recommend that you use a secondary CIDR block for the VPC to make the EIP visible on the ENI. To do this, configure a public CIDR block as a secondary CIDR block for the VPC. Then, create a secondary ENI in the CIDR block, associate an EIP with the ENI, and attach the ENI to an ECS instance. After that, you can manage the EIP directly in the operating system.

After you attach a secondary ENI to an ECS instance, some images cannot automatically detect the IP address of the ENI and add a route. In this case, you must configure the secondary ENI.

After the association, the ECS instance automatically adds a route that uses the secondary ENI as the outbound interface. The priority of this route is lower than the route that uses the primary ENI as the outbound interface. Adjust the route priority as needed.

Associate with a NAT Gateway: Centralized egress

Configuring an EIP for each ECS instance increases costs when multiple instances need to access the internet. Use the SNAT feature of a public NAT Gateway to allow multiple ECS instances to share EIPs for internet access. This saves costs and improves security by hiding the real IP addresses of the instances and restricting inbound connections.

• A public NAT Gateway supports up to 20 EIPs.

• For public NAT gateways created after September 19, 2022, associating an EIP consumes a private IP address from the vSwitch where the NAT gateway is deployed. This does not affect existing NAT gateway instances. Make sure that the vSwitch has sufficient private IP addresses.

Associate with a load balancer: Centralized ingress

We recommend that you use Application Load Balancer (ALB) and Network Load Balancer (NLB). You can add backend servers from different zones to the load balancers. This distributes traffic across different backend services to increase the throughput capacity of your application, eliminate single points of failure, and improve availability.

Associate with an HaVip: IP failover

Use the high-availability virtual IP address (HaVip) feature to keep the service IP address unchanged during an active-standby switchover between servers in the same zone. After you associate an EIP with an HaVip, the HaVip can provide a high-availability, internet-facing service through the EIP.

• Before you use an HaVip, log on to the Quota Center console to request the permission to create HaVips. A quota of 1 indicates that you can create HaVips. By default, each account can create up to 50 HaVips.

• An HaVip can be associated with only one EIP.

• The HaVip must be in the Available or Allocated state.