NAT Gateway: Configure ECS instances that are assigned static public IP addresses to use the same EIP to access the Internet

Last Updated: Aug 19, 2024

To simplify workload management, you can configure Elastic Compute Service (ECS) instances that are assigned static public IP addresses to use the same elastic IP address (EIP) to access the Internet. This topic describes how to configure this.

Prerequisites

Source Network Address Translation (SNAT) is configured for the VPC of the ECS instances that are assigned static public IP addresses. For more information, see Configure SNAT to access the Internet.

Background information

NAT gateways support the SNAT feature. SNAT enables ECS instances in a virtual private cloud (VPC) to access the Internet when the ECS instances are not assigned public IP addresses. ECS instances that are assigned static public IP addresses preferentially use the public IP addresses to access the Internet. ECS instances that are not assigned public IP addresses use the SNAT feature of a NAT gateway to access the Internet. Consequently, the ECS instances in the VPC use different IP addresses to access the Internet, which complicates management.

You can configure ECS instances in the VPC to use the same NAT IP address to access the Internet by associating elastic network interfaces (ENIs) with the ECS instances.

As shown in the following example, you can associate an ENI with the ECS instance, convert the static public IP address to an EIP, and then associate the EIP with the ENI. This way, the ECS instance uses the ENI to receive requests from the Internet and accesses the Internet through the NAT gateway.

Step 1: Convert a static public IP address to an EIP

The method that you can use to convert a static public IP address to an EIP varies based on the billing method of the ECS instance.

  • For a pay-as-you-go ECS instance, you can directly convert its static public IP address to an EIP.

  • For a subscription ECS instance, you cannot directly convert its static public IP address to an EIP. Before you can convert the static public IP address of a subscription ECS instance to an EIP, you must change the billing method of the ECS instance to pay-as-you-go. For more information, see Change the billing method of an instance from subscription to pay-as-you-go.

To convert a static public IP address that is assigned to a pay-as-you-go ECS instance to an EIP, perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images>Instances.

  3. In the top navigation bar, select the region where the ECS instance that you want to manage is deployed.

  4. On the Instances page, find the ECS instance that you want to manage and choose the ellipsis icon > Network and Security Group > Convert to an EIP in the Actions column.

  5. In the message that appears, click OK.

Step 2: Create an ENI

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security>ENIs.

  3. In the top navigation bar, select the region where you want to create an ENI.

    Note

    The ENI and the ECS instance must belong to the same region.

  4. On the Elastic Network Interfaces page, click Create ENI.

  5. In the Create ENI dialog box, set the following parameters and click OK:

    The following table lists only the key parameters. For more information, see Create a secondary ENI.

    | Parameter | Description |
    | --- | --- |
    | ENI Name | Enter a name for the ENI. |
    | VPC | Select the VPC to which the ECS instance belongs. |
    | vSwitch | Select a vSwitch in the zone of the ECS instance. |
    | Security Group | Select a security group of the VPC. |
    | Primary Private IP Address (Optional) | Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created. In this example, the primary private IP address is not specified. |
    | Secondary Private IPv4 Address (Optional) | Select an option. In this example, Not Assign is selected. |

Step 3: Associate the ENI with the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security>ENIs.

  3. In the top navigation bar, select the region of the ENI.

  4. On the Elastic Network Interfaces page, find the ENI and click Bind to Instance in the Actions column.

  5. In the dialog box that appears, select the ECS instance with which you want to associate the ENI and click OK.

Step 4: Disassociate the EIP from the ECS instance

  1. Log on to the EIP console.

  2. In the top navigation bar, select the region of the EIP.

  3. On the Elastic IP Addresses page, find the EIP and click Disassociate from Resource in the Actions column.

  4. In the message that appears, click OK.

Step 5: Associate the EIP with the ENI

  1. Log on to the EIP console.

  2. In the top navigation bar, select the region of the EIP.

  3. On the Elastic IP Addresses page, find the EIP that you want to associate and click Associate with Resource in the Actions column.

  4. In the Associate EIP with Resource dialog box, set the following parameters and click OK:

    | Parameter | Description |
    | --- | --- |
    | Instance Type | Select ENI. |
    | Resource Group (Optional) | Select the resource group to which the EIP belongs. In this example, the default resource group is selected. |
    | Mode (Optional) | Select the association mode of the EIP. In this example, NAT Mode is selected. |
    | Select an instance to associate | Select the secondary ENI with which you want to associate the EIP. |

Step 6: Configure routes for the ENI

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security>ENIs.

  3. View the details of the ENIs.

  4. Log on to the ECS instance. For more information, see Connection method overview.

  5. Run the ip a command to view the information about the ENIs.

    The following result is returned:

    eth0: the primary ENI. The private IP address of eth0 is 192.168.3.10.

    eth1: a secondary ENI. The private IP address of eth1 is 192.168.3.11, and the public IP address is 118.190.XX.XX.

  6. Set the metric value of the default route for each ENI in the route table based on your business requirements.

    Run the route -n command to query the Gateway and metric values:

    The following result is returned: [screenshot: metric values]

    Note

    In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If multiple secondary ENIs are used, you must set metric values based on your business requirements. For more information, see Configure an ENI.

  7. Create a route table and configure policy-based routing.

    • If you want to configure temporary policy-based routes for the ENI of the ECS instance, perform the following steps:

      Note

      After the ECS instance is restarted, the policy-based routes configured for the ENI become invalid.

      1. Run the following command to create a route table:

        ip -4 route add default via 192.168.3.13 dev eth1 table 101

        Note

        We recommend that you keep the name of the route table the same as the metric value of the default route. In this example, 101 is used.

      2. Run the following command to check whether the route table is created:

        ip route list table 101

        The following result is returned: [screenshot: route table]

      3. Run the following command to add a policy-based route:

        ip -4 rule add from 192.168.3.11 lookup 101

      4. Run the following command to query the routing policy:

        ip rule list

        The following result is returned: [screenshot: policy-based routes]

    • If you want to configure persistent policy-based routes for the ENI of the ECS instance, perform the following steps:

      Note

      After the ECS instance is restarted, the policy-based routes for the ENI remain valid.

      1. Run the following command to open the /etc/rc.local script.

        vi /etc/rc.local

      2. At the end of the configuration file, press the i key to enter the edit mode.

      3. Add the following information to the end of the script:

        ip -4 route add default via 192.168.3.13 dev eth1 table 101
        ip -4 rule add from 192.168.3.11 lookup 101

        Note

        In this example, one secondary ENI is used. The metric value of the secondary ENI is greater than the metric value of the primary ENI, which indicates that the routing priority of the secondary ENI is lower than the routing priority of the primary ENI. Therefore, you can use the default metric values. If multiple secondary ENIs are used, you must add the command that sets the metric value to the script. For more information about the command that sets the metric value, see Configure an ENI.

      4. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the configuration file.

      5. Run the following command to make the /etc/rc.d/rc.local script executable:

        chmod +x /etc/rc.d/rc.local

        Note

        The /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script. Therefore, you must run the preceding command to make the /etc/rc.d/rc.local script executable. You can run the ls -l /etc/rc.local command to check whether the /etc/rc.local script is a symbolic link to the /etc/rc.d/rc.local script.
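
The following is an added example, not part of the original page or of Alibaba Cloud's own tooling: it checks the Step 6 policy routing from the text printed by ip -4 rule list and ip -4 route list table 101, and applies the same two commands in a form that can be rerun, because a second ip route add for an existing route fails with "File exists". The function names and the sample output are constructed; the addresses, device name and table number are the ones used in this page's example.

```shell
#!/bin/sh
# Added example, not from the original page. Values are the page's example ones.
ENI_DEV=eth1; ENI_IP=192.168.3.11; ENI_GW=192.168.3.13; TABLE=101

# Succeeds if $1 (text of `ip -4 rule list`) contains "from ENI_IP lookup TABLE".
has_source_rule() {
    printf '%s\n' "$1" | awk -v src="$ENI_IP" -v tbl="$TABLE" '
        { s = 0; t = 0
          for (i = 1; i < NF; i++) {
              if ($i == "from" && $(i + 1) == src) s = 1
              if ($i == "lookup" && $(i + 1) == tbl) t = 1
          }
          if (s && t) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Succeeds if $1 (text of `ip -4 route list table TABLE`) has the ENI default route.
has_default_route() {
    printf '%s\n' "$1" | awk -v gw="$ENI_GW" -v dev="$ENI_DEV" '
        $1 == "default" { g = 0; d = 0
          for (i = 2; i < NF; i++) {
              if ($i == "via" && $(i + 1) == gw) g = 1
              if ($i == "dev" && $(i + 1) == dev) d = 1
          }
          if (g && d) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Prints ok, missing-rule, missing-route or missing-both.
policy_routing_state() {
    if has_source_rule "$1" && has_default_route "$2"; then echo ok
    elif has_default_route "$2"; then echo missing-rule
    elif has_source_rule "$1"; then echo missing-route
    else echo missing-both; fi
}

# Idempotent form of the two Step 6 commands (run as root on the instance).
apply_policy_routing() {
    ip -4 route replace default via "$ENI_GW" dev "$ENI_DEV" table "$TABLE"
    has_source_rule "$(ip -4 rule list)" ||
        ip -4 rule add from "$ENI_IP" lookup "$TABLE"
}

# Constructed sample output, shaped like what the two list commands print.
SAMPLE_RULES='0: from all lookup local
32765: from 192.168.3.11 lookup 101
32766: from all lookup main'
SAMPLE_ROUTES='default via 192.168.3.13 dev eth1'
policy_routing_state "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```

On the instance, run policy_routing_state "$(ip -4 rule list)" "$(ip -4 route list table 101)" after a restart to confirm that the /etc/rc.local entries took effect.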

Step 7: Test the network connectivity

Perform the following operations to check whether the ECS instance can use the EIP that is associated with the ENI to receive requests from the Internet. In this example, an on-premises Linux machine is used to remotely connect to the ECS instance.

Note

To remotely connect to the ECS instance, make sure that the security group rules of the ECS instance allow network traffic on SSH port 22. For more information, see Add security group rules.

  1. Log on to an on-premises Linux machine.

  2. Run the ssh root@<public IP address> command and enter the password of the ECS instance to check whether you can remotely connect to the ECS instance.

    If the Welcome to Alibaba Cloud Elastic Compute Service ! message appears, you are connected to the instance.

Perform the following operations to check whether the ECS instance can access the Internet through SNAT. The following example shows how to view the IP address used by the ECS instance to access the Internet.

  1. Log on to the ECS instance.

  2. Run the curl https://myip.ipip.net command to check the IP address used by the ECS instance.

    If the IP address used by the ECS instance is the same as the one in the SNAT entry created for the ECS instance, it indicates that the ECS instance preferentially uses the SNAT feature to access the Internet.