# ecs-network

Part of **ECS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Configure networking for ECS instances](../../intent/ecs-configure-instance/SKILL.md). If you're unsure which path to take, check the routing skill first.

# ECS Network Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|------|-----------|---------|------|
| Create ENI | Console > ECS > Network Interfaces > Create ENI | A VPC and vSwitch are created; a security group exists in the VPC | Creates a new elastic network interface in a specified VPC and zone |
| Bind Secondary ENI to Instance | Console > ECS > Instances > [Instance ID] > ENIs > Bind ENI | Secondary ENI is Available; instance is Running/Stopped; same VPC and zone | Attaches an available secondary ENI to an ECS instance |
| Unbind Secondary ENI | Console > ECS > Instances > Select Instance > Network Interfaces > Actions > Unbind | Secondary ENI is Bound; instance is Running or Stopped | Detaches a secondary ENI from its associated instance |
| Modify ENI Attributes | Console > ECS > Network & Security > Elastic Network Interfaces | Secondary ENI is in Available state | Updates the name and security group of a secondary ENI |
| Delete Secondary ENI | Console > ECS > Network Interfaces > Delete Secondary ENI | Secondary ENI is in Available state | Permanently removes an unused secondary ENI |
| View ENIs | Console > ECS > Elastic Network Interfaces > View ENIs | None | Lists all ENIs with filtering by name, ID, vSwitch, security group, instance, or tag |
| Assign IPv6 Address to Instance | Console > ECS > Instances > Assign IPv6 Address | VPC/vSwitch has IPv6 CIDR; instance family supports IPv6 | Enables IPv6 addressing on an existing ECS instance |
| Create Security Group | Console > ECS > Security Groups > Create Security Group | A VPC is created | Creates a new security group within a VPC for traffic control |
| Add Instance to Security Group | Console > ECS > Security Groups > Manage Instances | Instance exists in same region/VPC; not in 5+ groups | Adds an ECS instance to a security group |
| Remove Instance from Security Group | Console > ECS > Instances > Manage Instances | Instance belongs to multiple security groups | Removes an instance from a specific security group |
| Add Security Group Rule | Console > ECS > Security Groups > Manage Rules | Public/internal IP addresses identified | Adds an inbound or outbound rule to allow/deny traffic |
| Modify Security Group Rule | Console > ECS > Security Groups > Manage Rules | Security group and rule exist | Updates properties of an existing security group rule |
| Delete Security Group Rule | Console > ECS > Security Groups > Select Security Group > Manage Rules | Rule exists in security group | Removes one or more security group rules |
| Clone Security Group Rule | Console > ECS > Security Groups > Manage Rules | Rule exists in security group | Duplicates an existing rule for quick modification |
| Import Security Group Rules | Console > ECS > Security Groups > Select Security Group > Actions > Manage Rules > Rules Tab > Import | Valid XLS backup file; appropriate permissions | Restores security group rules from a previously exported file |
| Export Security Group Rules | Console > ECS > Security Groups > Select Security Group > Manage Rules > Inbound/Outbound Tab > Export | None | Downloads current rules as an Excel file for backup |
| Modify Security Group | Console > ECS > Security Groups > Modify Security Group | None | Changes the name or description of a security group |
| Delete Security Group | Console > ECS > Security Groups | No instances in group; not referenced by other groups | Deletes an empty and unreferenced security group |
| View Security Groups | Console > ECS > Security Groups > View Security Groups | None | Searches and lists security groups using filters like ID, name, VPC, or tag |
| Configure Custom DNS | ECS > Instances > Select Instance > Remote Connect > Configure DNS | ECS instance in VPC; remote access permissions | Sets custom DNS servers via Windows GUI or Linux configuration |

## Operation Steps

### Create ENI

**Navigation**: Console > ECS > Network Interfaces > Create ENI

**Prerequisites**:
- A virtual private cloud (VPC) and a vSwitch are created.
- A security group is available in the VPC.

1. Navigate to the **Network Interfaces** page in the ECS console.
   - Element: **Network & Security** (menu) — left-side navigation panel

2. Click **Create ENI**.
   - Element: **Create ENI** (button) — main content area

3. Configure the parameters in the creation form.
   - Element: **Organization** (dropdown)
   - Element: **Resource Set** (dropdown)
   - Element: **Region** (dropdown)
   - Element: **Zone** (dropdown)
   - Element: **VPC** (dropdown)
   - Element: **VSwitch** (dropdown)
   - Element: **Security Group** (dropdown)
   - Element: **ENI Name** (text_input)
   - Element: **Description** (text_input)
   - Element: **Primary Private IP Address** (text_input)

4. Click **Submit**.
   - Element: **Submit** (button) — main content area
   - Notes: After submission, the ENI appears on the Network Interfaces page.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Organization | dropdown | Yes | — | The organization in which to create the ENI. |
| Resource Set | dropdown | Yes | — | The resource set in which to create the ENI. |
| Region | dropdown | Yes | — | The region in which to create the ENI. |
| Zone | dropdown | Yes | — | The zone in which to create the ENI. |
| VPC | dropdown | Yes | — | The VPC in which to create the ENI. Must match the instance's VPC. |
| VSwitch | dropdown | Yes | — | The vSwitch to connect the ENI. Must be in the same zone as the target instance. |
| Security Group | dropdown | Yes | — | The security group whose rules apply to the ENI. |
| ENI Name | text | Yes | — | Name must be 2–128 chars, start with letter, no http:// or https://. Allowed: letters, digits, . _ - : , |
| Description | text | No | — | Description must be 2–256 chars, start with letter, no http:// or https://. Allowed: letters, digits, . _ - : , |
| Primary Private IP Address | text | No | — | IPv4 address within the vSwitch CIDR. If omitted, system assigns one automatically. |

### Bind Secondary ENI to Instance

**Navigation**: Console > ECS > Instances > [Instance ID] > ENIs > Bind ENI

**Prerequisites**:
- The secondary ENI is in the Available state.
- The instance is in Running or Stopped state.
- The instance and ENI belong to the same VPC.
- The vSwitch of the ENI and the instance are in the same zone.

1. On the **Instances** page, find the target instance and click its **instance ID**.
   - Element: **instance ID** (link) — Instances page

2. Click the **ENIs** tab.
   - Element: **ENIs** (tab) — top navigation panel

3. Click **Bind ENI**.
   - Element: **Bind ENI** (button) — main content area

4. In the **Bind ENI** dialog box, select an ENI from the **ENI** drop-down list.
   - Element: **ENI** (dropdown) — Bind ENI dialog box

5. Click **OK**.
   - Element: **OK** (button) — Bind ENI dialog box

6. Alternatively, from the **Network Interfaces** page, find the secondary ENI and click **Bind to Instance** in the **Actions** column.
   - Element: **Bind to Instance** (link) — Actions column

7. In the **Bind to Instance** dialog box, select an instance and click **OK**.
   - Element: **OK** (button) — Bind to Instance dialog box
   - Notes: If successful, 'Bound' appears in the Status column for the ENI.

### Unbind Secondary ENI

**Navigation**: Console > ECS > Instances > Select Instance > Network Interfaces > Actions > Unbind

**Prerequisites**:
- The secondary ENI is in the Bound state.
- The instance to which the secondary ENI is bound is in the Running or Stopped state.

1. Go to the **Network Interfaces** page.
   - Element: **Network & Security** (menu) — left navigation panel

2. Find the secondary ENI you want to unbind and click **Unbind** in the **Actions** column.
   - Element: **Unbind** (button) — Actions column

3. In the confirmation dialog, click **Unbind**.
   - Element: **Unbind** (button) — confirmation dialog

### Modify ENI Attributes

**Navigation**: Console > ECS > Network & Security > Elastic Network Interfaces

**Prerequisites**:
- The secondary ENI is in the Available state.

1. On the **Elastic Network Interfaces** page, find the ENI and click **Modify** in the **Actions** column.
   - Element: **Modify** (button) — Actions column

2. In the **Modify ENI** dialog box, update the **Name** and **Security Group** fields.
   - Element: **Modify ENI** (dialog) — main content area

3. Click **OK**.
   - Element: **OK** (button) — bottom of dialog box

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Name | text | No | — | Display name of the secondary ENI. |
| Security Group | dropdown | No | — | Security group to associate with the ENI. |

### Delete Secondary ENI

**Navigation**: Console > ECS > Network Interfaces > Delete Secondary ENI

**Prerequisites**:
- The secondary ENI is in the Available state.

1. On the **Network Interfaces** page, find the ENI and click **Delete** in the **Actions** column.
   - Element: **Delete** (button) — Actions column

2. In the confirmation message, click **Delete**.
   - Element: **Delete** (button) — confirmation dialog

### View ENIs

**Navigation**: Console > ECS > Elastic Network Interfaces > View ENIs

1. On the **ENIs** page, select a filter option from the drop-down list and enter information (e.g., ENI name).
   - Element: **drop-down list** (dropdown) — top of the ENI page

2. Click the **search icon** to display matching ENIs.
   - Element: **search icon** (button) — right side of filter fields

3. For advanced filtering, click **Advanced Filter**.
   - Element: **Advanced Filter** (button) — top of the ENI page
   - Notes: Enables multiple filter conditions

4. Select one or more filter options, enter values, and click **Search**.
   - Element: **Search** (button) — bottom of advanced filter panel

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| ENI Name | text | No | — | Enter an ENI name to search. |
| ENI ID | text | No | — | Enter an ENI ID to search. |
| vSwitch ID | text | No | — | Search ENIs associated with this vSwitch. |
| Security Group ID | text | No | — | Search ENIs in this security group. |
| Instance ID | text | No | — | Search ENIs bound to this instance. |
| Tag | text | No | — | Enter tag key or value to filter. |

### Assign IPv6 Address to Instance

**Navigation**: Console > ECS > Instances > Assign IPv6 Address

**Prerequisites**:
- The vSwitch and VPC of the ECS instance are associated with an IPv6 CIDR block.
- The instance family supports IPv6.

1. On the **Instances** page, find the instance and click the **More** button in the **Actions** column.
   - Element: **More** (button) — Actions column

2. From the dropdown, select **Network and Security Group > Manage Secondary Private IP Addresses**.
   - Element: **Network and Security Group > Manage Secondary Private IP Addresses** (menu) — Actions dropdown

3. In the dialog, go to the **IPv6 Addresses** section and click **Enable**.
   - Element: **Enable** (button) — IPv6 Addresses section

4. If IPv6 is not enabled for the vSwitch, click **Open IPv6**.
   - Element: **Open IPv6** (button) — IPv6 network segment section
   - Notes: Only visible if IPv6 is disabled on the vSwitch.

5. Click **OK** to confirm.
   - Element: **OK** (button) — Manage Secondary Private IP Addresses dialog

### Create Security Group

**Navigation**: Console > ECS > Security Groups > Create Security Group

**Prerequisites**:
- A virtual private cloud (VPC) is created.

1. On the **Security Groups** page, click **Create Security Group**.
   - Element: **Create Security Group** (button) — main content area

2. Fill in the required fields in the form.
   - Element: **Organization** (dropdown)
   - Element: **Resource Set** (dropdown)
   - Element: **Region** (dropdown)
   - Element: **Zone** (dropdown)
   - Element: **Sharing Scope** (dropdown)
   - Element: **VPC** (dropdown)
   - Element: **Security Group Name** (text_input)
   - Element: **Description** (text_input)

3. Click **Submit**.
   - Element: **Submit** (button) — main content area
   - Notes: The new security group appears on the Security Groups page.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Organization | dropdown | Yes | — | Must match the VPC’s organization. |
| Resource Set | dropdown | Yes | — | Must match the VPC’s resource set. |
| Region | dropdown | Yes | — | Must match the VPC’s region. |
| Zone | dropdown | Yes | — | Zone for the security group. |
| Sharing Scope | dropdown | Yes | Current Resource Set, Current Organization and Subordinate Organizations, Current Organization | Defines who can use this security group. |
| VPC | dropdown | Yes | — | VPC where the security group is created. |
| Security Group Name | text | Yes | — | 2–128 chars, starts with letter, no http:// or https://. Allowed: letters, digits, . _ - : , |
| Description | text | No | — | 2–256 chars, starts with letter, no http:// or https://. Allowed: letters, digits, . _ - : , |

### Add Instance to Security Group

**Navigation**: Console > ECS > Security Groups > Manage Instances

**Prerequisites**:
- The ECS instance exists in the same region as the security group.
- The instance is not already in 5 security groups.

1. On the **Security Groups** page, find the target group, click the **More** icon in **Actions**, and select **Manage Instances**.
   - Element: **More** (icon) — Actions column
   - Element: **Manage Instances** (link) — Actions dropdown

2. Click **Add Instance**.
   - Element: **Add Instance** (button) — Security Group Details page

3. In the dialog, select an instance from the drop-down and click **OK**.
   - Element: **OK** (button) — Add Instance dialog box
   - Notes: An instance can belong to up to five security groups. Rules apply immediately.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Instance ID/Name | dropdown | Yes | — | Select an ECS instance in the same region. |

### Add Security Group Rule

**Navigation**: Console > ECS > Security Groups > Manage Rules

**Prerequisites**:
- Public or internal IP addresses from which you want to manage access are known.

1. On the **Security Groups** page, find the group and click **Manage Rules** in **Actions**.
   - Element: **Manage Rules** (link) — Actions column

2. Click **Create Rule**.
   - Element: **Create Rule** (button) — main content area

3. In the **Create Rule** dialog, configure all fields.
   - Element: **Create Rule** (dialog) — main content area

4. Click **OK**.
   - Element: **OK** (button) — bottom of dialog

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| NIC Type | dropdown | Yes | Internal NIC | Only Internal NIC is valid for VPC instances. Rules apply to both Internet and internal traffic. |
| Rule Direction | radio | Yes | Outbound, Inbound | Outbound: traffic from instances. Inbound: traffic to instances. |
| Action | radio | Yes | Allow, Deny | Deny takes precedence over Allow for identical rules. |
| Protocol Type | dropdown | Yes | All, TCP, UDP, ICMP, ICMPv6, GRE | Protocol for the rule. |
| Port Range | text_input | Yes | — | Format: start/end (e.g., 80/80). For All/ICMP/ICMPv6/GRE: -1/-1. Valid ports: 1–65535. |
| Priority | number_input | Yes | 1–100 | Default: 1 (highest priority). |
| Authorization Type | dropdown | Yes | IPv4 CIDR Block, IPv6 CIDR Block, Security Group | Type of source/destination. |
| Authorization Object | text_input | Yes | — | IPv4: e.g., 192.0.2.1 or 192.0.2.0/24 (up to 10, comma-separated). IPv6: e.g., 2001:db8::1 or 2001:db8::/32. Security Group: select ID in same VPC. |
| Description | text_input | No | — | 1–512 chars, no http:// or https://. |

### Delete Security Group Rule

**Navigation**: Console > ECS > Security Groups > Select Security Group > Manage Rules

1. Click **Manage Rules** for the target security group.
   - Element: **Manage Rules** (link) — Actions column

2. Click the **Inbound** or **Outbound** tab.
   - Element: **Inbound** (tab) — Rules tab
   - Element: **Outbound** (tab) — Rules tab

3. To delete one rule, click **Delete** in its **Actions** column.
   - Element: **Delete** (link) — Actions column

4. To delete multiple rules, select them and click **Delete** in the lower-left corner.
   - Element: **Delete** (button) — lower-left corner of tab

5. Confirm by clicking **Delete** in the dialog.
   - Element: **Delete** (button) — confirmation dialog

### Clone Security Group Rule

**Navigation**: Console > ECS > Security Groups > Manage Rules

1. Click **Manage Rules** for the security group.
   - Element: **Manage Rules** (button) — Actions column

2. Click the **Inbound** or **Outbound** tab.
   - Element: **Inbound** (tab) — Rules tab

3. Find the rule and click **Clone** in **Actions**.
   - Element: **Clone** (button) — Actions column

4. Modify attributes in the **Clone Rule** dialog.
   - Element: **Clone Rule** (dialog) — dialog box

5. Click **OK**.
   - Element: **OK** (button) — dialog box
   - Notes: A new rule appears in the list after cloning.

### Import Security Group Rules

**Navigation**: Console > ECS > Security Groups > Select Security Group > Actions > Manage Rules > Rules Tab > Import

**Prerequisites**:
- A valid security group exists in the target region.
- The backup file is in XLS format and follows the template.
- User has permissions to modify rules.

1. Click **Manage Rules** for the security group.
   - Element: **Manage Rules** (link) — Actions column

2. On the **Rules** tab, click **Import**.
   - Element: **Import** (button) — Rules tab

3. In the dialog, click **Upload File**.
   - Element: **Upload File** (button) — Import Security Group Rule dialog box

4. Select the XLS file and click **Open**.
   - Element: **Open** (button) — file selection dialog
   - Notes: Ensure the file matches the required template structure.

### Export Security Group Rules

**Navigation**: Console > ECS > Security Groups > Select Security Group > Manage Rules > Inbound/Outbound Tab > Export

1. Click **Manage Rules** for the security group.
   - Element: **Manage Rules** (link) — Actions column

2. Click the **Inbound** or **Outbound** tab.
   - Element: **Inbound** (tab) — Rules tab

3. Click **Export** in the upper-right corner.
   - Element: **Export** (button) — upper-right corner
   - Notes: Rules download as an Excel file.

### Modify Security Group

**Navigation**: Console > ECS > Security Groups > Modify Security Group

1. Find the security group and click **Modify** in **Actions**.
   - Element: **Modify** (button) — Actions column

2. In the **Modify Security Group** dialog, update **Name** and **Description**.
   - Element: **Modify Security Group** (dialog) — main content area
   - Notes: Name: 2–128 chars, starts with letter, no http:// or https://. Allowed: letters, digits, _ - :. Description: 2–256 chars, starts with letter, no http:// or https://. Allowed: letters, digits, . _ - : ,

3. Click **OK**.
   - Element: **OK** (button) — bottom of dialog box

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Name | text_input | Yes | — | 2–128 chars, starts with letter, no http:// or https://. Allowed: letters, digits, _ - : |
| Description | text_input | No | — | 2–256 chars, starts with letter, no http:// or https://. Allowed: letters, digits, . _ - : , |

### Configure Custom DNS

**Navigation**: ECS > Instances > Select Instance > Remote Connect > Configure DNS

**Prerequisites**:
- ECS instance is created and in a VPC.
- Remote connection access (e.g., Workbench) is available.
- Administrator/root privileges for manual config.

1. On the instance details page, click **Remote Connect**.
 - Element: **** (button) — top action bar

2. Choose **Connect via Workbench**.
 - Element: **Workbench** (link) — remote connect popup

3. In Windows, open **Settings** from Start menu.
 - Element: **** (link) — Start menu

4. Go to **Network and Internet > Ethernet**.
 - Element: **** (menu) — Network and Internet page

5. In **DNS server assignment**, click **Edit**.
 - Element: **** (button) — DNS server assignment section

6. Switch DNS mode to **Manual** and enable IPv4.
 - Element: **** (radio) — Edit DNS settings dialog

7. Enter **Preferred DNS** and set **Alternate DNS** to `100.100.2.136`, then click **Save**.
 - Element: **** (button) — bottom of dialog
   - Notes: Alternate DNS ensures internal Alibaba Cloud services resolve correctly.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Preferred DNS | text_input | Yes | — | Custom DNS server IP address. |
| Alternate DNS | text_input | No | 100.100.2.136 | Recommended for internal service resolution. |

## FAQ

Q: Can I bind a secondary ENI to an instance in a different zone?
A: No. The ENI and instance must be in the same zone and VPC. The vSwitch of the ENI must also be in the same zone as the instance.

Q: What happens if I delete a security group that still has instances?
A: You cannot delete a security group that contains instances or is referenced by rules in other security groups. Remove all instances and dependent rules first.

Q: How many security group rules can I add per group?
A: Each security group can have up to 200 total rules (inbound + outbound combined).

Q: Can I modify an ENI while it is bound to an instance?
A: No. You can only modify attributes (name, security group) when the ENI is in the Available state (unbound).

Q: Is there a charge for creating or managing security groups and ENIs?
A: Creating and managing security groups and ENIs is free. However, ENIs may incur charges based on usage duration, and data transfer costs may apply.

## Pricing & Billing

### Billing Model
ENIs are billed per request or per instance-hour depending on context. Security group operations are free.

### Price Reference
- ENI creation: ¥0.0001 per request
- ENI usage: ¥0.01 per hour (when bound to an instance)

### Free Tier
- No free quota for ENI creation or usage.
- Security group creation and rule management are free.

### Billing Notes
- ENIs are charged from creation until deletion.
- Unbound ENIs in "Available" state still incur hourly charges.
- Security group operations (create, modify, delete, import, export) do not incur additional fees.
- Data transfer through ENIs may incur separate network traffic charges.