
Elastic IP Address: Associate multiple EIPs with an ECS instance in NAT mode

Last Updated: Aug 16, 2025

To host multiple applications on a single ECS instance where each application requires a separate public IP address, you can associate multiple EIPs with the ECS instance by using a secondary elastic network interface (ENI) in NAT mode. This allows a single ECS instance to be associated with multiple EIPs.

Background information

  • Each secondary ENI supports multiple secondary private IP addresses.

    The number of secondary private IP addresses that you can assign depends on the status of the secondary ENI and the instance type of the ECS instance to which the ENI is attached. For more information, see Background information about assigning secondary private IP addresses.

  • When you associate an EIP in NAT mode, you can associate each secondary private IP address with a separate Elastic IP Address (EIP).

    For more information about NAT mode, see Associate an EIP with a secondary ENI.

  • An ECS instance requires a public IP address to communicate with the internet. Without a secondary ENI, an ECS instance can be assigned only one static public IP address or be associated with only one EIP.

    By associating EIPs with a secondary ENI, you can assign multiple public IP addresses to a single ECS instance. If your ECS instance hosts multiple applications, each application can use a separate public IP address, which improves the utilization of the ECS instance.

Scenario

This topic uses the following scenario: A company creates an ECS instance on Alibaba Cloud to deploy a website. The ECS instance is associated with one EIP to provide services over the internet.

Due to business expansion, the company needs the ECS instance to deploy three sub-sites simultaneously. Each sub-site must use a separate EIP to provide services.

You can assign two secondary private IP addresses to the secondary ENI, which results in the secondary ENI having one primary private IP address and two secondary private IP addresses. Then, you can associate multiple EIPs with the private IP addresses of the secondary ENI in NAT mode. This allows a single ECS instance to be associated with multiple EIPs.

Preparations

Before you begin, make sure that you have created the following resources:

Resource

Requirements

References

ECS instance

  • The ECS instance type supports multiple secondary ENIs and multiple private IP addresses per ENI.

    For example, an ecs.c6.large instance can have a maximum of two ENIs, including one primary ENI and one secondary ENI. Each ENI supports a maximum of six private IP addresses. Among them:

    • The primary ENI supports one EIP associated with its primary private IP address and five EIPs associated with its secondary private IP addresses.

    • The secondary ENI supports six EIPs associated with its private IP addresses.

    Therefore, the ECS instance can be associated with a total of 12 EIPs.

  • The VPC to which the ECS instance belongs does not have an IPv4 gateway activated. If an IPv4 gateway is activated for the VPC, you must configure a route that points to the IPv4 gateway to allow instances in the VPC to access the internet.

Secondary ENI

  • The ENI is in the same VPC as the ECS instance to which you want to attach it.

  • The vSwitch of the ENI is in the same zone as the vSwitch of the ECS instance to which you want to attach it.

  • The rules of the security group to which the ENI belongs allow the secondary ENI to access the internet.

EIP

Each EIP is in the same region as the secondary ENI with which you want to associate it.

Apply for an EIP

When you use quick deployment, you can choose to create a new instance or use an existing instance.

  • If you choose to create a new instance, you do not need to create these resources in advance.

  • If you choose to use an existing instance, you must create these resources. The operating system of the ECS instance must be CentOS 7.x.

Procedure

Manual deployment

Configuration steps


All operations on ECS instances and secondary ENIs in this topic are performed in the new ECS console. You can switch to the new console in the lower-left of the navigation pane.

Warning

The configurations in this topic involve restarting the network service and configuring routes. To prevent business interruptions or other unexpected errors, perform these operations during off-peak hours.

Step 1: Attach the secondary ENI to the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Elastic Network Interfaces.

  3. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  4. Find the secondary ENI that you created and click Bind To Instance in the Actions column.

  5. In the Bind To Instance dialog box, select the target ECS instance and click OK.

    Refresh the list. When the status of the secondary ENI changes to InUse, the secondary ENI is attached.

Note

If you cannot attach the secondary ENI to the ECS instance, the following are possible causes:

  • The number of secondary ENIs attached to your ECS instance has reached the maximum limit for its instance type. For more information about the number of ENIs supported by an ECS instance type, see Instance families. To upgrade the instance type, see Overview of instance type changes.

  • Your ECS instance type requires the instance to be in the Stopped state before you can attach a secondary ENI. For more information about the ECS instance types that must be stopped, see Prerequisites.

Step 2: Assign multiple secondary private IP addresses to the secondary ENI

By assigning multiple secondary private IP addresses to a secondary ENI, you can improve the utilization of the ECS instance and transfer traffic during a failover.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Elastic Network Interfaces.

  3. In the top navigation bar, select the region and resource group of the resource that you want to manage.

  4. On the ENIs page, find the target secondary ENI and click Manage ENI IP Addresses in the Actions column.

  5. In the Manage ENI IP Addresses dialog box, in the IPv4 Address section, click Assign New IP, assign IP addresses as needed, and then click OK.

    In this example, click Assign New IP twice to assign two secondary private IP addresses to the secondary ENI.

    Note

    You can also manually enter a secondary private IP address. The value must be within the IPv4 Private CIDR Block. If you do not specify a value, the system randomly assigns an IP address from the IPv4 Private CIDR Block.

    In the Private IP Address column of the secondary ENI, you can view the assigned secondary private IP addresses.

(Optional) Step 3: Configure the NIC inside the ECS instance

After you attach a secondary ENI to an ECS instance, some images may fail to automatically detect the IP address of the secondary ENI and add routes. This prevents the secondary ENI from working as expected. You must configure the secondary ENI inside the ECS instance to detect the IP address.

To check whether the ECS instance image supports automatic configuration for attached secondary ENIs and to learn how to configure a secondary ENI inside an ECS instance, see Configure a secondary ENI.

Step 4: Configure secondary private IP addresses for the ECS instance

After the secondary ENI is attached to the ECS instance, you must configure the secondary private IP addresses on the ECS instance.

This topic uses an ECS instance that runs Alibaba Cloud Linux 2 as an example to describe how to configure secondary private IP addresses on an ECS instance. For information about how to perform the configuration on ECS instances that run other operating systems, see Configure a secondary private IP address for an instance.

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the ifconfig command to query the subnet mask and run the route -n command to query the default gateway.

    The following figure shows a sample query result.


    netmask is the IPv4 subnet mask, and its value is 255.255.**.**. Gateway is the default gateway, and its value is 172.**.**.253.

  3. Modify the network configuration file.

    1. Run the vi /etc/sysconfig/network-scripts/ifcfg-eth1:0 command and add the following configuration items.

      The following code provides a sample configuration:

      DEVICE=eth1:0
      TYPE=Ethernet
      BOOTPROTO=static
      ONBOOT=yes
      IPADDR=<Assigned secondary private IPv4 address 1>
      NETMASK=<IPv4 subnet mask>

    2. Run the vi /etc/sysconfig/network-scripts/ifcfg-eth1:1 command and add the following configuration items.

      The following code provides a sample configuration:

      DEVICE=eth1:1
      TYPE=Ethernet
      BOOTPROTO=static
      ONBOOT=yes
      IPADDR=<Assigned secondary private IPv4 address 2>
      NETMASK=<IPv4 subnet mask>

  4. Run the following command to restart the network service for the changes to take effect.

    service network restart

  5. Run the ifconfig command to view the configuration result.

    The following figure shows the result of configuring two secondary private IP addresses.

Step 5: Associate EIPs with the secondary private IP addresses

  1. Log on to the Elastic IP Address console.

  2. On the Elastic IP Addresses page, find the EIP that you created and click Associate with Resource in the Actions column.

  3. In the Associate EIP With Resource dialog box, complete the following configurations and click OK.

    • Set Instance Type to Elastic Network Interface.

      Important

      You must select Elastic Network Interface. If you select ECS Instance, the EIP cannot be associated with the assigned secondary private IP address.

    • For Resource Group, select the resource group to which the secondary ENI belongs.

    • Set Mode to NAT Mode.

    • For Select an instance to associate, select the secondary private IP address with which you want to associate the EIP. You can view the corresponding secondary private IP address in the IP Address column of the target secondary ENI.

      In this step, select the primary private IP address of the secondary ENI that you created.

  4. Repeat the preceding steps to associate the other two EIPs with the secondary private IP addresses on the secondary ENI. Make sure that each EIP is associated with a different secondary private IP address.

Step 6: Configure routes

This topic uses an ECS instance that runs Alibaba Cloud Linux 2 as an example to describe how to configure routes on an ECS instance. For information about how to configure routes on other operating systems, see (Required) Step 4: Configure routes.

Configure routes for the secondary ENI inside the ECS instance

  1. Connect to an ECS instance.

    For information about the connection methods, see Connection method overview.

  2. Run the following command to view routing information.

    route -n

    The routing information for the primary ENI (eth0) and the secondary ENI (eth1) is retrieved.


  3. Run the following command to configure the default route.

    ip -4 route add default via 172.16.**.253 dev eth1 metric 1001 && \
    ip -4 route add default via 172.16.**.253 dev eth1 table 1001 && \
    ip -4 rule add from 172.16.**.*57 lookup 1001 && \
    ip -4 rule add from 172.16.**.*77 lookup 1001 && \
    ip -4 rule add from 172.16.**.*78 lookup 1001

    Note

    The preceding command performs the following actions: adds a default route for eth1, creates a route table, and adds three routing policies that are associated with the route table. In the command, table 1001 is the route table (the value is the same as the metric value of the default route), 172.16.**.253 is the gateway address, 172.16.**.*57 is the primary private IP address of eth1, and 172.16.**.*77 and 172.16.**.*78 are the two secondary private IP addresses of eth1. Replace the parameters with your actual values.

  4. Run the following command to view the created route table and policy-based routes.

    ip route list table 1001 && \
    ip rule list

    The system returns the query result as shown in the following figure. This indicates that the route table and policy-based routes were created.

  5. Optional: If the existing routes do not meet your requirements, you can configure the route table and rules.

    By configuring route tables and rules, you can implement different routing policies to forward specific network traffic through specified gateways. This lets you more precisely control and manage the forwarding paths of network traffic.

Configure automatic route updates on startup

After you configure routes for the secondary ENI, you must configure automatic route updates on startup. Otherwise, the route configuration becomes invalid after the instance restarts.

  1. Run the following command to open the /etc/rc.local file.

    vim /etc/rc.local

  2. Press the i key to enter edit mode, add the following content, press the Esc key to exit edit mode, and then enter :wq to save and exit.

    ip -4 route add default via 172.16.**.253 dev eth1 metric 1001
    ip -4 route add default via 172.16.**.253 dev eth1 table 1001
    ip -4 rule add from 172.16.**.*57 lookup 1001
    ip -4 rule add from 172.16.**.*77 lookup 1001
    ip -4 rule add from 172.16.**.*78 lookup 1001

  3. Run the following command to add execute permissions to the /etc/rc.local file.

    sudo chmod +x /etc/rc.local
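
The following added example (not part of the original topic or of Alibaba Cloud tooling) prints re-runnable forms of the Step 6 commands for use at startup and checks ip rule list output for private IP addresses that have no rule. Traffic sourced from such an address is routed by the main table, where the primary ENI is used by default. The function names are hypothetical, and the gateway and private IP values are constructed samples.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's script. Every address below is a
# constructed sample value; substitute the gateway and private IPs of eth1.

# Print idempotent versions of the Step 6 commands, safe to re-run at boot.
# usage: emit_policy_routes GATEWAY DEV TABLE SRC_IP...
emit_policy_routes() {
    gw=$1 dev=$2 table=$3
    shift 3
    # "route replace" succeeds whether or not the route already exists.
    echo "ip -4 route replace default via $gw dev $dev metric $table"
    echo "ip -4 route replace default via $gw dev $dev table $table"
    for src in "$@"; do
        # Add the rule only when an identical one is not already installed.
        echo "ip -4 rule list | grep -qwF -- 'from $src lookup $table' ||" \
             "ip -4 rule add from $src lookup $table"
    done
}

# Read "ip rule list" output on stdin and print every SRC_IP that has no
# rule selecting TABLE. Returns 1 if at least one address is uncovered.
# usage: ip -4 rule list | missing_rules TABLE SRC_IP...
missing_rules() {
    table=$1
    shift
    rules=$(cat)
    rc=0
    for src in "$@"; do
        if ! printf '%s\n' "$rules" | grep -qwF -- "from $src lookup $table"; then
            echo "$src"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of "ip rule list" output: the rule for .78 is absent.
SAMPLE_RULES='0: from all lookup local
32764: from 172.16.0.77 lookup 1001
32765: from 172.16.0.57 lookup 1001
32766: from all lookup main
32767: from all lookup default'

emit_policy_routes 172.16.0.253 eth1 1001 172.16.0.57 172.16.0.77 172.16.0.78
printf '%s\n' "$SAMPLE_RULES" |
    missing_rules 1001 172.16.0.57 172.16.0.77 172.16.0.78 |
    sed 's/^/no rule for source address: /'
```

On a live instance, pipe the output of ip -4 rule list into missing_rules after each restart to confirm that the primary and both secondary private IP addresses of eth1 are still covered.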

Step 7: Test network connectivity

This topic uses an ECS instance that runs Alibaba Cloud Linux 2 as an example to describe how to test the connectivity from the ECS instance to the destination network.

  1. Log on to the ECS instance.

    For more information about connection methods, see Overview of connection methods.

  2. Run the following command to verify the connectivity from the secondary private IP address to the destination network.

    ping <Destination network> -I <Secondary private IP address>

    The verification shows that the connectivity from the secondary private IP addresses to the destination network is normal. This indicates that the association of EIPs with multiple secondary private IP addresses is successful.


Quick deployment

Quick deployment is based on Alibaba Cloud Resource Orchestration Service (ROS). ROS helps you quickly associate multiple EIPs with a single ECS instance.

Important

Currently, quick deployment supports configuring only three EIPs for a single ECS instance. If you need a more flexible configuration, use manual deployment.

  1. Open the quick configuration template link to go to the ROS console.

  2. In the top menu bar, select the region where the EIP is located.

  3. On the Configure Template Parameters wizard page, enter a stack name, select Use Existing ECS/Eip/Eni or Create ECS/Eip/Eni, configure the parameters as described below, and then click Create.

    • Select Use Existing ECS/Eip/Eni: You need to select an ECS instance and enter the secondary ENI ID and the IDs of three EIPs.

    • Select Create ECS/Eip/Eni: You need to select a zone and an instance type, specify the system disk type, and enter the instance password.

      Important

      If you select Create ECS/Eip/Eni, the system creates a pay-as-you-go ECS instance that runs CentOS 7.x and three pay-as-you-go EIPs. For information about the billing of ECS and EIP, see ECS Billing overview and EIP Billing overview.

    On the Stack Information tab, when the Status changes from Creating to Create Succeeded, the deployment is complete.

  4. Log on to the ECS instance.

    For more information about connection methods, see Overview of connection methods.

  5. Run the following command to verify the connectivity from the secondary private IP address to the destination network.

    ping <Destination network> -I <Secondary private IP address>

    The verification shows that the connectivity from the secondary private IP addresses to the destination network is normal. This indicates that the association of EIPs with multiple secondary private IP addresses is successful.


FAQ

Am I charged an EIP configuration fee (public IP retention fee) after I associate an EIP with a secondary ENI?

Do I need to perform additional configurations after I associate an EIP with an ENI and associate the ENI with an ECS instance?

  • If applications that provide services, such as websites, are deployed on the ECS instance, you do not need to configure routes on the ECS instance or in the VPC. The EIP associated with the secondary ENI can be used to provide services.

  • If you want the ECS instance to access the Internet, you must configure the default route of the ECS instance or create specific routes for the ECS instance. By default, the primary ENI is used to forward packets to the Internet. You can adjust route priorities to use the secondary ENI to forward packets. You can also create specific routes to forward packets to the Internet from multiple ENIs or a random ENI to implement load balancing.

    For more information, see Configure routes.

References

  • Manage EIP quotas: A single account can request 20 EIPs. If you need more EIPs, you can increase your EIP quota.

  • AssociateEipAddress: Associates an EIP with a cloud resource in the same region.