Associate an EIP with a secondary ENI - Elastic IP Address

You can associate an EIP with an Elastic Network Interface (ENI). This association helps you build more robust, flexible, and scalable IT solutions and allows a single server to use multiple public IP addresses.

Background information

An ENI is assigned a private IP address. After you associate an EIP with the ENI, the ENI has both a private IP address and a public IP address. If you migrate an ENI that is associated with an EIP from one ECS instance to another, both the private and public IP addresses are migrated. This provides a high availability (HA) IP migration solution for ECS instances that use both public and private IP addresses.

绑定ENI

An ECS instance can have multiple ENIs attached. You can associate an EIP with each ENI to provide the ECS instance with multiple public IP addresses. In combination with security group rules, you can use these public IP addresses to flexibly provide services to the Internet.

绑定多ENI

Association modes

You can associate an EIP with an ENI in one of the following modes:

NAT Mode
Cut-through Mode
Multi-EIP-to-ENI Mode
Note
- The Multi-EIP-to-ENI Mode is no longer available for new applications. Users who have already been granted permissions can continue to use this mode.
- You can use the secondary CIDR block feature of a virtual private cloud (VPC) to make an EIP visible on an ENI. For more information, see Make an EIP visible on an ENI using a secondary CIDR block of a VPC.

The following table describes the differences between these modes.

Item	NAT mode	Cut-through mode	Multi-EIP-to-ENI mode
Specifies whether the EIP is visible on the ENI in the operating system	No	Yes Note You can run the ifconfig or ipconfig command to query the public IP address of the ENI.	Yes Note After you configure a static IP address in the operating system, you can run the ifconfig or ipconfig command to query the public IP address of the ENI.
Types of ENIs that can be associated with EIP	Primary and secondary ENIs Note When you associate an EIP with an ECS instance, the EIP is associated with the primary ENI of the instance. For more information, see Associate an EIP with an ECS instance.	Only secondary ENIs	Only secondary ENIs
Maximum number of EIP that can be associated with a primary ENI	1	EIPs cannot be associated with primary ENIs.	EIPs cannot be associated with primary ENIs.
Maximum number of EIP that can be associated with a secondary ENI	Depends on the number of private IP addresses that are assigned to the secondary ENI. Note Each EIP is mapped to a private IP address of the secondary ENI. For example, if a secondary ENI has 10 private IP addresses, you can associate a maximum of 10 EIP with the ENI.	1 Note In cut-through mode, you can associate an EIP only with the primary private IP address of a secondary ENI.	10
Availability of the private network feature of a secondary ENI after an EIP is associated	Yes	No	Yes
Supported protocols	EIP do not support protocols related to NAT Application Layer Gateway (ALG), such as H.323, SIP, DNS, and RTSP.	EIP support all IP protocols, such as FTP, H.323, SIP, DNS, RTSP, and TFTP.	EIP support all IP protocols, such as FTP, H.323, SIP, DNS, RTSP, and TFTP.
Supported regions	All regions	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Guangzhou), China (Chengdu), Singapore, Indonesia (Jakarta), Germany (Frankfurt), UK (London), and US (Virginia)	China (Shenzhen), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Chengdu), Singapore, Germany (Frankfurt), US (Virginia), and UK (London)

Prerequisites

A secondary ENI of the VPC type is created, and the secondary ENI and the EIP are in the same region. For more information, see Create and use an ENI.

Associate an EIP with a secondary ENI in NAT mode

After you associate an EIP with a secondary ENI in NAT Mode, both the private and public IP addresses of the ENI are available. The EIP is not visible on the secondary ENI.

Important

You can associate an EIP with a secondary ENI in NAT Mode before or after the secondary ENI is attached to an ECS instance. However, ECS instance types have limits on the number of ENIs that can be attached and the number of private IP addresses that can be assigned to each ENI. We recommend that you first attach the secondary ENI to an ECS instance and then associate the EIP with the secondary ENI in NAT Mode. Before you start, take note of the following:

The number of ENIs that can be attached to an ECS instance varies by instance type. For more information, see Instance types.
After you attach a secondary ENI to an ECS instance, some images do not automatically recognize the IP address of the secondary ENI or add the required routes. You must configure the secondary ENI in the ECS instance to recognize the IP address and add the routes. For more information, see Configure a secondary ENI.
If an IPv4 gateway is activated in the VPC to which the ECS instance belongs, you must configure routes for the IPv4 gateway to allow instances in the VPC to access the Internet. For more information about how to configure routes for an IPv4 gateway, see Create and manage an IPv4 gateway.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region where the EIP is located.
On the Elastic IP Addresses page, find the EIP that you created and click Associate with Resource in the Actions column.

In the Associate EIP With Resource dialog box, set the required parameters and click OK.

Configuration	Description
Instance Type	Select ENI.
Resource Group	Select the resource group to which the secondary ENI belongs.
Mode	Select NAT Mode. In NAT mode: The number of EIP that can be associated with a secondary ENI depends on the number of private IP addresses that are assigned to the secondary ENI. The EIP is associated with the secondary ENI in NAT mode. Both the private and public IP addresses of the secondary ENI are available. The EIP is not visible in the operating system. You must call the DescribeEipAddresses operation to query the EIP that is associated with the ENI. For more information, see Query created EIPs in a specified region. EIPs do not support protocols related to NAT ALG, such as H.323, SIP, DNS, and RTSP.
Select an instance to associate	Select the secondary ENI with which you want to associate the EIP.

If the Status is Allocated and the ID of the secondary ENI is displayed in the Associated Instance Type/ID column, the EIP is associated with the secondary ENI.

After you complete the preceding steps, you may need to configure routes for the secondary ENI. For more information, see Configure routes.

Associate an EIP with a secondary ENI in cut-through mode (not recommended)

If you associate an EIP with a secondary ENI in Cut-through Mode, the EIP replaces the private IP address of the secondary ENI. The secondary ENI becomes a public-only network interface card (NIC). You can view the EIP in the operating system's network interface information.

Before you start, make sure that the following requirements are met:

The EIP and the secondary ENI must be in a region that supports the cut-through mode.
The secondary ENI must not be attached to any ECS instance. If it is, detach it first. After you associate the EIP with the secondary ENI in Cut-through Mode, you can attach the secondary ENI to an ECS instance. For more information, see Manage ENIs.
An IPv4 gateway must not exist in the VPC to which the secondary ENI belongs.

Warning

For a subscription EIP, if the EIP is attached to a secondary ENI in Cut-through Mode and the secondary ENI is attached to an ECS instance, the private network feature of the secondary ENI becomes unavailable after the EIP expires and is released. To restore its private network feature, you must detach the secondary ENI from the ECS instance and then re-attach it to the ECS instance.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region where the EIP is created.
On the Elastic IP Addresses page, find the EIP that you created and click Associate with Resource in the Actions column.

In the Associate EIP With Resource dialog box, set the required parameters and click OK.

Configuration	Description
Instance Type	Select ENI.
Resource Group	Select the resource group to which the secondary ENI belongs.
Mode	Select Cut-through Mode.
Select an instance to associate	Select the secondary ENI with which you want to associate the EIP.

If the Status is Allocated and the ID of the secondary ENI is displayed in the Associated Instance Type/ID column, the EIP is associated with the secondary ENI.

In the Associated Instance Type/ID column, click the ID of the secondary ENI.
In the upper-right corner of the ENI details page, click Attach To Instance. Select the destination ECS instance to attach the ENI.
Note
- The number of ENIs that can be attached to an ECS instance varies by instance type. For more information, see Instance families.
- After you attach a secondary ENI to an ECS instance, some images do not automatically recognize the IP address of the secondary ENI or add the required routes. You must configure the secondary ENI in the ECS instance to recognize the IP address and add the routes. For more information, see Configure a secondary ENI.
- After you set the association mode to Cut-through Mode, the ECS instance automatically generates a route that uses the secondary ENI as the egress interface. The priority of this route is lower than the route that uses the primary ENI as the egress interface. You can adjust the route priorities as needed. For examples of how to configure routes in different operating systems, see Configure routes.
Log on to the ECS instance using the associated EIP and run the ipconfig command to view the network configuration of the instance.
Note
Make sure that the security group rules of the ECS instance allow remote access.
You can see that the local IP address of the instance has changed to the EIP.

Associate an EIP with a secondary ENI in multi-EIP-to-ENI mode (application no longer accepted)

After you associate EIP with a secondary ENI in Multi-EIP-to-ENI Mode, both the private and public IP addresses of the ENI are available. You can view the EIP information in the operating system's network interface settings.

Log on to the Elastic IP Address console .
In the top navigation bar, select the region where the EIP is created.
On the Elastic IP Addresses page, find the EIP that you created and click Associate with Resource in the Actions column.

In the Associate EIP With Resource dialog box, set the required parameters and click OK.

Configuration	Description
Instance Type	Select ENI.
Resource Group	Select the resource group to which the secondary ENI belongs.
Mode	Select Multi-EIP-to-ENI Mode.
Select an instance to associate	Select the secondary ENI with which you want to associate the EIP.

If the Status is Allocated and the ID of the secondary ENI is displayed in the Associated Instance Type/ID column, the EIP is associated with the secondary ENI.

Repeat the preceding steps to associate multiple EIP with the secondary ENI.
In the Associated Instance Type/ID column, click the ID of the secondary ENI.
In the upper-right corner of the ENI details page, click Attach To Instance. Select the destination ECS instance to attach the ENI.
Note
- If you associate EIP with a secondary ENI in Multi-EIP-to-ENI Mode and then attach the secondary ENI to an ECS instance, the ECS instance must belong to one of the following instance families: ecs.d1ne, ecs.ebmc4, ecs.ebmg5, ecs.ebmhfg5, ecs.f1, ecs.gn5i, ecs.gn6v, ecs.i2, ecs.r1, ecs.re4, ecs.re4e, ecs.sccg5, ecs.sccgn6, ecs.scch5, ecs.g5, ecs.c5, ecs.r5, ecs.t5, ecs.sn2ne, ecs.se1ne, and ecs.sn1ne. For more information, see Instance families.
- After you set the association mode to Multi-EIP-to-ENI Mode, you must enable the Dynamic Host Configuration Protocol (DHCP) feature for the ECS instance to which the secondary ENI is attached. Otherwise, the Multi-EIP-to-ENI Mode does not take effect.
Call the DescribeEipGatewayInfo operation to query the gateway and subnet mask of the EIP. For more information, see DescribeEipGatewayInfo.
Log on to the ECS instance and configure multiple EIP for the ECS instance. For more information, see Configure EIPs for a Windows instance and Configure EIPs for a Linux instance.
Important
When you follow the instructions in the preceding topics to configure multiple EIPs for an ECS instance, replace the secondary private IP address with the EIP. You must also replace the gateway and mask of the secondary private IP address with the gateway and mask of the EIP.
After you configure the EIPs, you can run the ifconfig or ipconfig command to view the configured EIPs.

FAQ

Am I charged an EIP configuration fee (public IP retention fee) after I associate an EIP with a secondary ENI?

You are not charged an EIP configuration fee (public IP retention fee) for subscription EIPs.
You are charged an EIP configuration fee (public IP retention fee) if you associate a pay-as-you-go EIP with a secondary ENI.

Do I need to perform additional configurations after I associate an EIP with an ENI and attach the ENI to an ECS instance?

If applications that provide services to the Internet, such as web servers, are deployed on the ECS instance, you do not need to configure routes on the ECS instance or in the VPC. The EIP that is associated with the secondary ENI can be used to provide services.
If an ECS instance requires Internet access, you must configure the default route of the ECS instance or create specific routes. By default, the primary ENI is used to forward packets to the Internet. You can adjust route priorities to use the secondary ENI to forward packets. You can also create specific routes to forward packets to the Internet from multiple or random ENIs to implement load balancing.
For more information, see Configure routes.

References

Associate multiple EIPs with an ECS instance in NAT mode: If you want to host multiple applications on the same ECS instance and each application requires an independent public IP address, you can associate multiple EIP with the ECS instance using a secondary ENI in NAT mode. This allows a single ECS instance to be associated with multiple EIP.
Make an EIP visible on an ENI using a secondary CIDR block of a VPC: We recommend that you use the secondary CIDR block feature of a VPC to make an EIP visible on an ENI.
AssociateEipAddress: Associates an EIP with a cloud resource in the same region.