Deploy and Network-Configure ECS Server

A developer provisions a new Alibaba Cloud Linux ECS instance for an application server and immediately configures its networking — assigning security group rules, binding an elastic network interface, and setting up public IP access so the instance is reachable and secure.

Products involved

Scenario

Developers use this workflow when deploying a new Alibaba Cloud Linux (Alinux) application server that requires immediate, secure external access. By combining ECS instance provisioning with granular network configuration, teams ensure the server boots with hardened security group rules, a dedicated secondary ENI for traffic isolation, and a public EIP for inbound reachability.

Integration steps

  1. Provision Alinux Instance: Launch the instance using the official Alinux 3 image.
       aliyun ecs RunInstances --RegionId cn-hangzhou --InstanceType ecs.g7.large \
         --ImageId aliyun_3_x64_20G_alibase_20230801.vhd --VSwitchId vsw-xxx \
         --SecurityGroupId sg-default --InstanceName alinux-app-01
  2. Create & Authorize Security Group: Define inbound rules for application traffic.
       aliyun ecs CreateSecurityGroup --RegionId cn-hangzhou --VpcId vpc-xxx --SecurityGroupName app-sg
       aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-xxx --IpProtocol TCP --PortRange 8080/8080 --SourceCidrIp 0.0.0.0/0
  3. Attach Security Group: Bind the hardened SG to the running instance.
       aliyun ecs JoinSecurityGroup --SecurityGroupId sg-xxx --InstanceId i-xxx
  4. Create & Attach Secondary ENI: Provision a dedicated ENI in the same VSwitch.
       aliyun ecs CreateNetworkInterface --RegionId cn-hangzhou --VSwitchId vsw-xxx --SecurityGroupId sg-xxx
       aliyun ecs AttachNetworkInterface --InstanceId i-xxx --NetworkInterfaceId eni-xxx
  5. Allocate & Bind EIP: Assign a public IP for external reachability.
       aliyun vpc AllocateEipAddress --RegionId cn-hangzhou --InstanceChargeType PostPaid
       aliyun vpc AssociateEipAddress --AllocationId eip-xxx --InstanceId i-xxx --InstanceType EcsInstance
  6. Configure Alinux Network Stack: SSH in and activate the secondary interface.
       nmcli con add type ethernet ifname eth1 con-name eni-secondary
       nmcli con up eni-secondary
  7. Apply Alinux Network Tuning: Optimize kernel TCP parameters for high-throughput workloads.
       echo "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
       sysctl -p
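
Because JoinSecurityGroup adds app-sg alongside the sg-default group chosen at launch, the instance's inbound exposure is the union of both groups' rules. The following added example (not part of the original page) audits DescribeSecurityGroupAttribute-style JSON for Accept ingress rules that are open to every address on ports outside an intended public set. The sample responses, the contents of sg-default, and the function names are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample responses (not real output), shaped like the JSON from
# `aliyun ecs DescribeSecurityGroupAttribute` for the two groups in the steps.
SAMPLE_RESPONSES = [
    json.dumps({"SecurityGroupId": "sg-default", "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8"}]}}),
    json.dumps({"SecurityGroupId": "sg-xxx", "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "8080/8080", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
         "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"}]}}),
]

def is_world_open(rule):
    """True if the rule's IPv4 or IPv6 source CIDR covers every address."""
    for key in ("SourceCidrIp", "Ipv6SourceCidrIp"):
        cidr = rule.get(key)
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False

def port_span(rule):
    """Return (low, high) for a PortRange; '-1/-1' means every port."""
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    return (1, 65535) if low == -1 else (low, high)

def audit(responses, public_ports):
    """List (group, protocol, range) for world-open Accept ingress rules
    that expose any port outside the intended public_ports set."""
    findings = []
    for raw in responses:
        group = json.loads(raw)
        for rule in group["Permissions"]["Permission"]:
            inbound = (rule.get("Direction", "").lower() == "ingress"
                       and rule.get("Policy", "").lower() == "accept")
            if not (inbound and is_world_open(rule)):
                continue
            low, high = port_span(rule)
            if not all(p in public_ports for p in range(low, high + 1)):
                findings.append((group["SecurityGroupId"], rule["IpProtocol"], rule["PortRange"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSES, {8080}))
```

With 8080 as the only intended public port, the constructed data yields a single finding: the SSH rule inherited from sg-default.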

Architecture

The ECS control plane orchestrates infrastructure provisioning (compute allocation, VPC routing, EIP binding, and hypervisor-level ENI attachment). Once virtual NICs are attached at the hypervisor layer, the Alinux guest OS assumes control, using NetworkManager for IP routing, firewalld for host-level packet filtering, and sysctl for kernel TCP stack tuning. API requests flow from the CLI → Alibaba Cloud API Gateway → ECS/VPC controllers → Guest OS via cloud-init and virtio-net drivers.

Prerequisites

Common pitfalls

Typical questions

FAQ

Q: How do I deploy an ECS instance and configure its network settings?

A: You deploy and network-configure an ECS server by provisioning an Alibaba Cloud Linux instance, applying hardened security group rules, attaching a secondary ENI for traffic isolation, and binding a public EIP. The workflow uses the Alibaba Cloud CLI to launch the instance, authorize inbound traffic, attach the network interface, and associate the IP address. After the hypervisor attaches the virtual NICs, you must activate the secondary interface with nmcli and tune kernel TCP parameters in the guest OS.