Deploy and Network-Configure ECS Server

Scenario

Developers use this workflow when deploying a new Alibaba Cloud Linux (Alinux) application server that requires immediate, secure external access. By combining ECS instance provisioning with granular network configuration, teams ensure the server boots with hardened security group rules, a dedicated secondary ENI for traffic isolation, and a public EIP for inbound reachability.

Integration steps

1. Provision Alinux Instance: Launch the instance using the official Alinux 3 image.

``bash aliyun ecs RunInstances --RegionId cn-hangzhou --InstanceType ecs.g7.large \ --ImageId aliyun_3_x64_20G_alibase_20230801.vhd --VSwitchId vsw-xxx \ --SecurityGroupId sg-default --InstanceName alinux-app-01 ``

2. Create & Authorize Security Group: Define inbound rules for application traffic.

``bash aliyun ecs CreateSecurityGroup --RegionId cn-hangzhou --VpcId vpc-xxx --SecurityGroupName app-sg aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-xxx --IpProtocol TCP --PortRange 8080/8080 --SourceCidrIp 0.0.0.0/0 ``

3. Attach Security Group: Bind the hardened SG to the running instance.

``bash aliyun ecs JoinSecurityGroup --SecurityGroupId sg-xxx --InstanceId i-xxx ``

4. Create & Attach Secondary ENI: Provision a dedicated ENI in the same VSwitch.

``bash aliyun ecs CreateNetworkInterface --RegionId cn-hangzhou --VSwitchId vsw-xxx --SecurityGroupId sg-xxx aliyun ecs AttachNetworkInterface --InstanceId i-xxx --NetworkInterfaceId eni-xxx ``

5. Allocate & Bind EIP: Assign a public IP for external reachability.

``bash aliyun vpc AllocateEipAddress --RegionId cn-hangzhou --InstanceChargeType PostPaid aliyun vpc AssociateEipAddress --AllocationId eip-xxx --InstanceId i-xxx --InstanceType EcsInstance ``

6. Configure Alinux Network Stack: SSH in and activate the secondary interface.

``bash nmcli con add type ethernet ifname eth1 con-name eni-secondary nmcli con up eni-secondary ``

7. Apply Alinux Network Tuning: Optimize kernel TCP parameters for high-throughput workloads.

``bash echo "net.core.rmem_max = 16777216" >> /etc/sysctl.conf sysctl -p ``

Architecture

The ECS control plane orchestrates infrastructure provisioning (compute allocation, VPC routing, EIP binding, and hypervisor-level ENI attachment). Once virtual NICs are attached at the hypervisor layer, the Alinux guest OS assumes control, using NetworkManager for IP routing, firewalld for host-level packet filtering, and sysctl for kernel TCP stack tuning. API requests flow from the CLI → Alibaba Cloud API Gateway → ECS/VPC controllers → Guest OS via cloud-init and virtio-net drivers.

Prerequisites

• Alibaba Cloud CLI installed and authenticated with RAM policies (AliyunECSFullAccess, AliyunVPCFullAccess)
• Existing VPC and VSwitch IDs in the target region
• Valid SSH key pair for initial Alinux access
• Official Alinux 3 image ID (e.g., aliyun_3_x64_20G_alibase_20230801.vhd)

Common pitfalls

• ENI invisible to OS: Hypervisor attachment succeeds, but Alinux requires nmcli reload or udev rules to recognize eth1.
• SG vs. host firewall mismatch: ECS SG allows port 8080, but Alinux firewalld blocks it. Run firewall-cmd --add-port=8080/tcp --permanent.
• EIP association failure: EIP and ECS instance must share the same region; cross-region binding is unsupported.
• MTU fragmentation: Secondary ENIs default to MTU 1500. Mismatched jumbo frames cause silent packet drops.
• Cloud-init race condition: Running network commands before cloud-init finishes overwrites DHCP configs. Verify /var/lib/cloud/instance/boot-finished exists first.

Typical questions

• deploy ECS and configure network
• set up new server with networking
• create ECS instance and assign security group
• launch server and bind elastic IP
• provision and network an ECS
• 部署ECS并配置网络
• 创建服务器并设置安全组
• ECS上线配置网络