{"id":35,"date":"2026-04-12T14:41:45","date_gmt":"2026-04-12T14:41:45","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-elastic-ip-address-eip-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/"},"modified":"2026-04-12T14:41:45","modified_gmt":"2026-04-12T14:41:45","slug":"alibaba-cloud-elastic-ip-address-eip-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-elastic-ip-address-eip-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/","title":{"rendered":"Alibaba Cloud Elastic IP Address (EIP) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking and CDN"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking and CDN<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Elastic IP Address (EIP) in <strong>Alibaba Cloud<\/strong> is a public IP address resource that you allocate independently and then associate with cloud resources such as ECS instances, Server Load Balancer (SLB) instances, and NAT gateways (availability depends on region and resource type\u2014verify in official docs). It is designed for scenarios where you need a <strong>stable public entry point<\/strong> that can be <strong>moved<\/strong> between resources without changing the public IP.<\/p>\n\n\n\n<p>In simple terms: <strong>an EIP is a \u201cportable\u201d public IPv4 address<\/strong>. 
Instead of permanently tying a public IP to a specific virtual machine or load balancer, you can allocate an EIP and attach\/detach it as your architecture changes\u2014useful for failover, blue\/green deployments, or replacing instances.<\/p>\n\n\n\n<p>Technically, Elastic IP Address (EIP) is a VPC networking capability that provides <strong>public Internet reachability<\/strong> to a target resource in the same region. You allocate an EIP (with a billing method such as pay-by-traffic or pay-by-bandwidth, depending on region and configuration), then associate it to an instance. The EIP acts as the source\/destination public IP for inbound\/outbound traffic while the backend resource maintains private addressing inside your VPC.<\/p>\n\n\n\n<p>The main problem EIP solves is <strong>public IP lifecycle management<\/strong>: it decouples public IPs from compute\/network resources so you can replace or scale infrastructure without breaking client integrations, DNS records, partner allowlists, firewall rules, or compliance artifacts that depend on a fixed IP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Elastic IP Address (EIP)?<\/h2>\n\n\n\n<p><strong>Elastic IP Address (EIP)<\/strong> is an Alibaba Cloud service (in the <strong>Networking and CDN<\/strong> category) that lets you allocate a public IP address as an independent resource and associate it with supported cloud resources to enable public Internet access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose (what it is for)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provide a <strong>static, routable public IP<\/strong> that you control and can <strong>associate\/disassociate<\/strong> with resources.<\/li>\n<li>Enable <strong>Internet ingress and egress<\/strong> for private resources (for example, an ECS instance without a public IP).<\/li>\n<li>Support operational workflows like <strong>failover<\/strong>, <strong>instance replacement<\/strong>, and <strong>migration<\/strong> without changing the public IP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allocate and release EIPs on demand.<\/li>\n<li>Associate and disassociate EIPs with supported resources (commonly ECS, SLB, NAT Gateway; exact compatibility varies\u2014verify in official docs for your region and product generation).<\/li>\n<li>Choose billing\/charging method (commonly pay-by-traffic or pay-by-bandwidth; supported options vary by region).<\/li>\n<li>Integrate with automation via API\/SDK\/CLI and infrastructure as code tools (for example, Terraform provider resources).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EIP instance<\/strong>: the public IPv4 address resource you allocate.<\/li>\n<li><strong>Association target<\/strong>: the resource bound to the EIP (ECS\/SLB\/NAT\/etc.).<\/li>\n<li><strong>Internet bandwidth\/charge configuration<\/strong>: the EIP\u2019s public network billing and bandwidth cap settings (model varies).<\/li>\n<li><strong>Tags and 
metadata<\/strong>: for governance, cost allocation, and automation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>network addressing<\/strong> service under Alibaba Cloud VPC networking (not a CDN; not a DDoS service; not a load balancer itself).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/zonal)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Typically regional<\/strong>: you allocate an EIP in a region and associate it with resources in the same region. Cross-region association is generally not supported for standard EIP.<br\/>\n<em>Verify exact scoping and constraints in official docs for your account\/region, and do not confuse standard EIP with separate products such as Anycast EIP (if available in your account).<\/em><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Elastic IP Address (EIP) is commonly used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Elastic Compute Service (ECS)<\/strong> for Internet-facing VMs<\/li>\n<li><strong>Server Load Balancer (SLB)<\/strong> for exposing services behind a load balancer<\/li>\n<li><strong>NAT Gateway<\/strong> for outbound Internet access (SNAT) and inbound publishing (DNAT\/port forwarding), depending on architecture<\/li>\n<li><strong>VPC<\/strong>, <strong>vSwitch<\/strong>, <strong>security groups<\/strong>, and optionally <strong>Network ACLs<\/strong><\/li>\n<li>Security\/visibility services like <strong>ActionTrail<\/strong>, <strong>CloudMonitor<\/strong>, and network security controls (Cloud Firewall \/ Anti-DDoS services\u2014availability and product names can vary)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Elastic IP Address (EIP)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stable public endpoint<\/strong> for customers\/partners: avoids rework when infrastructure changes.<\/li>\n<li><strong>Faster incident recovery<\/strong>: re-associate the EIP to a standby resource during outages.<\/li>\n<li><strong>Simpler vendor allowlisting<\/strong>: partners can allowlist one IP even if you replace backend instances.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Decouple IP from compute<\/strong>: replace ECS instances without changing the public IP.<\/li>\n<li><strong>Support multiple architectures<\/strong>: direct-to-ECS, public SLB, or NAT-based exposure.<\/li>\n<li><strong>Automatable<\/strong>: manage with APIs\/CLI\/Terraform for consistent environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blue\/green and canary<\/strong>: move traffic by re-binding the EIP or adjusting upstream routing.<\/li>\n<li><strong>Maintenance workflows<\/strong>: detach EIP before patching\/rebuilding; reattach after validation.<\/li>\n<li><strong>Controlled exposure<\/strong>: keep most resources private and only expose what needs Internet access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced public attack surface<\/strong>: you can keep resources private until you intentionally attach an EIP.<\/li>\n<li><strong>Centralized governance<\/strong>: enforce tagging, approval processes, and IAM policies for EIP lifecycle.<\/li>\n<li><strong>Auditability<\/strong>: track allocation\/association changes via Alibaba Cloud audit services (for example, ActionTrail\u2014verify naming\/features in your account).<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Independently managed bandwidth and charging<\/strong>: choose a billing model aligned with workload patterns.<\/li>\n<li><strong>Elasticity<\/strong>: swap to larger instances or different architectures while keeping the same public IP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a <strong>fixed public IP<\/strong> for DNS, allowlists, or integrations.<\/li>\n<li>You want <strong>failover capability<\/strong> by moving a public IP between resources.<\/li>\n<li>You are building in VPC and prefer resources <strong>without auto-assigned public IPs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You do not need a static IP and can use a dynamic public IP or a managed front door (like a load balancer with domain-based routing).<\/li>\n<li>Your best practice is to expose <strong>only a load balancer<\/strong> and keep instances private; in that case, attach the EIP to SLB (if supported) or use SLB\u2019s public addressing rather than putting EIPs on instances.<\/li>\n<li>You need <strong>global anycast<\/strong> behavior; standard EIP is typically regional. Consider Alibaba Cloud\u2019s separate global acceleration \/ Anycast offerings if required (verify product fit).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Elastic IP Address (EIP) used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and ISVs needing a stable endpoint for customers<\/li>\n<li>Finance and regulated industries where firewall allowlisting and change control matter<\/li>\n<li>Gaming and real-time services needing predictable endpoints<\/li>\n<li>Retail\/e-commerce for payment gateway allowlists and webhook callbacks<\/li>\n<li>Manufacturing\/IoT for device callback endpoints (often through a load balancer, not directly to a VM)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams implementing standard network patterns<\/li>\n<li>DevOps\/SRE teams running production workloads with failover requirements<\/li>\n<li>Security teams enforcing egress\/ingress controls and IP governance<\/li>\n<li>Application teams that need a stable endpoint for integrations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Jump\/bastion hosts (better: use hardened bastion pattern and strict policies)<\/li>\n<li>Small public APIs (prefer SLB for production; EIP-to-ECS can be acceptable for dev\/POC)<\/li>\n<li>VPN gateways (depending on Alibaba Cloud VPN products and association support)<\/li>\n<li>NAT-based outbound Internet for private subnets (EIP on NAT Gateway)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single ECS + EIP for simple services<\/li>\n<li>Active\/passive ECS with EIP failover<\/li>\n<li>Public SLB with EIP (or SLB public endpoint) fronting multiple ECS instances<\/li>\n<li>NAT Gateway with EIP for SNAT\/DNAT patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: commonly used with SLB or NAT gateways, strict IAM, tagging, 
and logging.<\/li>\n<li><strong>Dev\/test<\/strong>: quick Internet access to a test VM or temporary endpoint; must include cleanup to avoid ongoing charges.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic ways teams use Elastic IP Address (EIP) on Alibaba Cloud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Stable public endpoint for an ECS instance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> ECS public IP changes when instances are rebuilt or replaced.<\/li>\n<li><strong>Why EIP fits:<\/strong> EIP is independent of ECS lifecycle; reattach after rebuild.<\/li>\n<li><strong>Example:<\/strong> A small API server runs on one ECS. You rebuild the instance weekly; EIP remains constant.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Blue\/green deployment with minimal DNS changes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> DNS propagation delays make cutovers risky.<\/li>\n<li><strong>Why EIP fits:<\/strong> You can switch the EIP association from blue to green quickly (with brief interruption).<\/li>\n<li><strong>Example:<\/strong> Two ECS instances (blue\/green) host the same app; EIP is moved during release.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Active\/passive failover for a single public IP<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You want a simple DR method without advanced traffic management.<\/li>\n<li><strong>Why EIP fits:<\/strong> Re-associate EIP to standby instance during incident.<\/li>\n<li><strong>Example:<\/strong> Primary ECS fails health checks; runbook moves EIP to standby ECS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Partner allowlisting for outbound traffic (via NAT Gateway)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> External SaaS only accepts traffic from a fixed IP.<\/li>\n<li><strong>Why EIP fits:<\/strong> Attach 
EIP to NAT Gateway to provide a stable egress IP for private subnets.<\/li>\n<li><strong>Example:<\/strong> Private app servers call a payment processor; processor allowlists your EIP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Publishing private services via DNAT (NAT Gateway)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You want to expose a service running on a private IP\/port.<\/li>\n<li><strong>Why EIP fits:<\/strong> NAT Gateway can map EIP:port to private IP:port (DNAT).<\/li>\n<li><strong>Example:<\/strong> Expose a private SSH endpoint temporarily through a DNAT rule with strict source IP controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Public load balancer front end with stable IP (when supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You need a consistent IP for enterprise firewall rules.<\/li>\n<li><strong>Why EIP fits:<\/strong> Associate EIP with SLB (if supported for your SLB type\/region).<\/li>\n<li><strong>Example:<\/strong> On-prem partners allowlist the public IP of your SLB front end.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Rapid migration from one ECS to another<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You must migrate workloads without changing the public endpoint.<\/li>\n<li><strong>Why EIP fits:<\/strong> Move EIP to the target ECS after data replication.<\/li>\n<li><strong>Example:<\/strong> Upgrade ECS instance type by building a new node and moving EIP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Temporary incident access (break-glass)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need short-term access to a private resource for investigation.<\/li>\n<li><strong>Why EIP fits:<\/strong> Attach EIP briefly (or use a bastion host EIP) and then remove.<\/li>\n<li><strong>Example:<\/strong> Attach EIP to a troubleshooting ECS for a few hours with strict security 
group rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Controlled exposure for a self-managed reverse proxy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You need a stable IP for an NGINX reverse proxy.<\/li>\n<li><strong>Why EIP fits:<\/strong> EIP is stable; reverse proxy handles TLS and routing.<\/li>\n<li><strong>Example:<\/strong> One ECS runs NGINX; EIP points to it; upstream services stay private.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) IP-based licensing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Vendor license server binds to a specific public IP.<\/li>\n<li><strong>Why EIP fits:<\/strong> EIP remains stable even if backend changes.<\/li>\n<li><strong>Example:<\/strong> A third-party product license is tied to your public IP; EIP prevents re-licensing events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Safer dev\/test endpoints with predictable teardown<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Developers spin up public endpoints and forget them.<\/li>\n<li><strong>Why EIP fits:<\/strong> EIPs are trackable resources; enforce tagging and scheduled cleanup.<\/li>\n<li><strong>Example:<\/strong> Tag EIPs with <code>env=dev<\/code> and run automation to release unused EIPs nightly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Network segmentation pattern: private app + public ingress<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You want app servers in private subnets, but still need Internet exposure.<\/li>\n<li><strong>Why EIP fits:<\/strong> Put EIP on SLB or NAT Gateway, not on app servers.<\/li>\n<li><strong>Example:<\/strong> Public entry via SLB (or EIP on SLB) to private ECS pool.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by region, account, and product generation. 
For anything you depend on in production, verify in the official Alibaba Cloud documentation for <strong>Elastic IP Address (EIP)<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Allocate and release public IP addresses<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you create an EIP as a standalone resource and release it when no longer needed.<\/li>\n<li><strong>Why it matters:<\/strong> Public IP lifecycle becomes independent of compute lifecycle.<\/li>\n<li><strong>Practical benefit:<\/strong> Replace ECS instances without changing the public IP.<\/li>\n<li><strong>Caveats:<\/strong> Releasing an EIP returns the IP to the pool; you generally cannot get the same IP back.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Associate\/disassociate EIP with supported resources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Binds an EIP to a supported target (commonly ECS\/SLB\/NAT).<\/li>\n<li><strong>Why it matters:<\/strong> Enables failover and migration patterns.<\/li>\n<li><strong>Practical benefit:<\/strong> Move a production endpoint to a standby system during incidents.<\/li>\n<li><strong>Caveats:<\/strong> Association changes can cause brief connectivity interruptions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Internet charge type (billing method)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> EIP Internet billing commonly supports methods such as <strong>pay-by-traffic<\/strong> or <strong>pay-by-bandwidth<\/strong> (names and options vary).<\/li>\n<li><strong>Why it matters:<\/strong> Matching billing model to traffic profile can significantly change cost.<\/li>\n<li><strong>Practical benefit:<\/strong> Bursty workloads often prefer traffic-based billing; steady workloads may prefer bandwidth-based billing.<\/li>\n<li><strong>Caveats:<\/strong> Billing models and availability vary by 
region\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Bandwidth cap \/ bandwidth configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Sets a maximum public bandwidth for the EIP (depending on billing model and product rules).<\/li>\n<li><strong>Why it matters:<\/strong> Controls performance and cost exposure.<\/li>\n<li><strong>Practical benefit:<\/strong> Prevent runaway bills from unexpected traffic spikes (within the constraints of the model).<\/li>\n<li><strong>Caveats:<\/strong> A bandwidth cap is not a full DDoS control; also, some regions\/products use separate bandwidth plans.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) (Optional) Shared bandwidth \/ bandwidth plans (where available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows multiple EIPs to share a common bandwidth allocation (Alibaba Cloud provides shared bandwidth constructs in some offerings\u2014verify the current product name and applicability).<\/li>\n<li><strong>Why it matters:<\/strong> Consolidates bandwidth management and can simplify cost control.<\/li>\n<li><strong>Practical benefit:<\/strong> Pool bandwidth across multiple services rather than sizing each EIP individually.<\/li>\n<li><strong>Caveats:<\/strong> Not universally available; ensure it supports your EIP type\/region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) API\/SDK\/CLI automation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Manage EIP resources programmatically (allocate\/associate\/monitor\/release).<\/li>\n<li><strong>Why it matters:<\/strong> Enables repeatable, auditable networking operations.<\/li>\n<li><strong>Practical benefit:<\/strong> Integrate EIP operations into CI\/CD or incident runbooks.<\/li>\n<li><strong>Caveats:<\/strong> Requires proper RAM permissions; be cautious with automation that can accidentally expose resources 
publicly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Resource tagging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Attach tags (key\/value metadata) for governance and cost allocation.<\/li>\n<li><strong>Why it matters:<\/strong> EIPs are easy to orphan; tags help track owners and environments.<\/li>\n<li><strong>Practical benefit:<\/strong> Implement policies like \u201crelease unassociated EIPs after N days\u201d safely.<\/li>\n<li><strong>Caveats:<\/strong> Tag policy enforcement is an organizational discipline; consider automated checks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Monitoring and event visibility (via platform services)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> EIP-related metrics\/usage and change history can be monitored via Alibaba Cloud monitoring\/audit services.<\/li>\n<li><strong>Why it matters:<\/strong> Helps detect unusual egress, unexpected public exposure, or configuration drift.<\/li>\n<li><strong>Practical benefit:<\/strong> Alert on sudden egress spikes to control cost and reduce incident impact.<\/li>\n<li><strong>Caveats:<\/strong> Metric granularity and available dimensions vary\u2014verify in CloudMonitor and EIP docs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>At a high level, an EIP is a public IPv4 address allocated from Alibaba Cloud\u2019s public IP pool. 
When associated with a supported resource, traffic destined to the EIP is routed to that resource, and outbound traffic from that resource can use the EIP as its source address (depending on the association type and NAT behavior).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Control flow vs data flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane (management):<\/strong>\n<ul class=\"wp-block-list\">\n<li>You allocate, configure, tag, associate, and release EIPs through the console, API, CLI, or IaC tools.<\/li>\n<li>IAM\/RAM permissions govern who can manage EIPs.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data plane (traffic):<\/strong>\n<ul class=\"wp-block-list\">\n<li>Inbound packets to the EIP arrive from the Internet and are forwarded to the associated resource.<\/li>\n<li>Outbound packets from the resource use the EIP for NAT\/public egress (implementation depends on target type).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integration patterns include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS + Security Group<\/strong>: EIP provides the public endpoint; security group controls allowed inbound\/outbound.<\/li>\n<li><strong>SLB + ECS pool<\/strong>: EIP (or SLB public addressing) provides stable inbound; SLB distributes to private ECS instances.<\/li>\n<li><strong>NAT Gateway + Private Subnets<\/strong>: EIP provides stable egress IP (SNAT) or inbound publishing (DNAT).<\/li>\n<li><strong>CloudMonitor \/ ActionTrail<\/strong>: Monitor traffic patterns and audit EIP association changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VPC<\/strong> and <strong>vSwitch<\/strong> for the network environment of associated resources<\/li>\n<li><strong>Security Groups<\/strong> (and possibly <strong>Network ACLs<\/strong>) for traffic control<\/li>\n<li><strong>ECS\/SLB\/NAT<\/strong> as association targets<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>EIP management operations are governed by <strong>Alibaba Cloud RAM<\/strong> (Resource Access Management).<\/li>\n<li>Least privilege is critical: restrict who can allocate and especially <strong>associate<\/strong> EIPs, because association can instantly expose a private system to the public Internet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The EIP is a public endpoint; the associated resource typically has a private IP inside VPC.<\/li>\n<li>The association mechanism is effectively a form of public routing\/NAT mapping handled by Alibaba Cloud\u2019s networking layer.<\/li>\n<li>For inbound access, you must also allow traffic in the <strong>security group<\/strong> (and NACLs if used). An EIP alone does not open ports; it only provides reachability to the resource.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor:\n<ul class=\"wp-block-list\">\n<li>EIP traffic\/egress to detect abuse or unexpected usage.<\/li>\n<li>Association state to detect orphaned (unassociated) EIPs.<\/li>\n<\/ul>\n<\/li>\n<li>Govern:\n<ul class=\"wp-block-list\">\n<li>Tagging standards (<code>env<\/code>, <code>owner<\/code>, <code>cost-center<\/code>, <code>service<\/code>, <code>expiry<\/code>).<\/li>\n<li>Quota controls and approval workflows for public exposure.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Internet((Internet)) --&gt; EIP[&quot;Elastic IP Address (EIP)&quot;]\n  EIP --&gt; ECS[&quot;ECS Instance\\n(private IP in VPC)&quot;]\n  ECS --&gt; SG[Security Group Rules]\n  SG --&gt; ECS\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<p>This pattern keeps application instances private and uses an ingress layer. 
Exact components depend on your design (SLB vs reverse proxy vs NAT); below is a common approach.<\/p>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  Internet((Internet))\n  Internet --&gt; EIP[&quot;Elastic IP Address (EIP)&quot;]\n\n  subgraph AlibabaCloud[Alibaba Cloud VPC]\n    direction TB\n\n    EIP --&gt; SLB[&quot;Server Load Balancer (public entry)\\n(EIP-associated or SLB public endpoint)&quot;]\n    SLB --&gt; ECS1[ECS App 1\\nprivate subnet]\n    SLB --&gt; ECS2[ECS App 2\\nprivate subnet]\n\n    ECS1 --&gt; RDS[(RDS \/ DB\\nprivate)]\n    ECS2 --&gt; RDS\n\n    ECS1 --&gt; NAT[&quot;NAT Gateway (egress)\\n(optional)&quot;]\n    ECS2 --&gt; NAT\n    NAT --&gt; EIP2[&quot;EIP for egress (optional)&quot;]\n  end\n\n  classDef private fill:#f6f6f6,stroke:#999;\n  class ECS1,ECS2,RDS private;\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with billing enabled (pay-as-you-go is typical for labs).<\/li>\n<li>If your organization uses consolidated billing or resource directories, ensure you have access to the correct account\/project.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions (RAM)<\/h3>\n\n\n\n<p>You typically need RAM permissions that allow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating and managing EIPs (allocate, associate, disassociate, release).<\/li>\n<li>Viewing and managing the association target (ECS\/SLB\/NAT).<\/li>\n<li>Editing security groups (for inbound access tests).<\/li>\n<\/ul>\n\n\n\n<p>Alibaba Cloud provides managed policies for VPC\/EIP\/ECS; however, production should use <strong>least privilege<\/strong> custom policies. 
Verify exact RAM actions in official docs for the EIP API and the resources you manage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a region where EIP is available (most commercial regions support it).<\/li>\n<li>Ensure your ECS\/SLB\/NAT resources are in the <strong>same region<\/strong> as the EIP (typical constraint).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EIP quotas exist per account\/region and can limit how many EIPs you can allocate.<\/li>\n<li>Bandwidth limits may apply depending on region\/line type and account level.<\/li>\n<li>Verify current quotas in the console quota center or product docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools (optional but recommended)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud Console<\/strong> (web UI)<\/li>\n<li><strong>Alibaba Cloud CLI<\/strong> (<code>aliyun<\/code>) for automation<br\/>\n  Documentation: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/li>\n<li><strong>Terraform<\/strong> (optional) with Alibaba Cloud provider for repeatability (verify provider docs for current resource names)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for this lab<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>VPC<\/strong> with a <strong>vSwitch<\/strong><\/li>\n<li>An <strong>ECS instance<\/strong> in that VPC (we\u2019ll create one without a public IP, then attach an EIP)<\/li>\n<li>A <strong>security group<\/strong> allowing SSH (and HTTP if you test a web server)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Pricing \/ Cost<\/h2>\n\n\n\n<p>Alibaba Cloud EIP pricing is <strong>region-dependent<\/strong> and can differ by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internet line type (for example, BGP-related options in some regions)<\/li>\n<li>Billing method (pay-by-traffic vs pay-by-bandwidth)<\/li>\n<li>Subscription vs pay-as-you-go (where offered)<\/li>\n<li>Additional constructs (shared bandwidth plans, if used)<\/li>\n<\/ul>\n\n\n\n<p>Because exact numbers vary, do not rely on fixed price examples. Use the official pricing pages and calculator for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (common)<\/h3>\n\n\n\n<p>Typical dimensions you should expect (verify specifics for your region):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>EIP address fee<\/strong> (may be hourly or monthly, may vary by region).<\/li>\n<li><strong>Internet bandwidth or Internet data transfer (egress)<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Pay-by-bandwidth<\/strong>: billed based on configured bandwidth (Mbps) over time.<\/li>\n<li><strong>Pay-by-traffic<\/strong>: billed based on outbound data transfer (GB).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Shared bandwidth plan fees<\/strong> (if you attach EIPs to a shared bandwidth plan): billed for the plan capacity over time.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Alibaba Cloud\u2019s free tier programs change over time and are region-specific. EIP is often not \u201cfree\u201d beyond limited trial promotions. 
<strong>Verify in official docs and promotional pages<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Main cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How long the EIP remains allocated (even if not used).<\/li>\n<li>Outbound Internet traffic volume (egress).<\/li>\n<li>Configured bandwidth (in pay-by-bandwidth mode).<\/li>\n<li>DDoS\/Firewall add-ons (if you add security products to protect exposed endpoints).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Orphaned EIPs<\/strong>: allocated but unassociated EIPs may still incur charges.<\/li>\n<li><strong>Unexpected egress<\/strong>: misconfigured services (open proxies, exposed logs, or data exfiltration) can generate large traffic bills.<\/li>\n<li><strong>Downstream services<\/strong>: if you use EIP with SLB, NAT Gateway, or Cloud Firewall, those services have their own pricing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Traffic billed is commonly <strong>Internet outbound<\/strong>. 
Inbound charging rules vary by provider\/region\u2014verify.<\/li>\n<li>Cross-zone or cross-region data transfer (if applicable) may have separate costs (usually handled by the underlying service, not EIP itself).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>pay-by-traffic<\/strong> for spiky workloads; consider <strong>pay-by-bandwidth<\/strong> for steady throughput (verify which options are offered in your region).<\/li>\n<li>Use <strong>shared bandwidth<\/strong> (if available and appropriate) to consolidate bandwidth instead of over-provisioning multiple EIPs.<\/li>\n<li>Implement governance:\n<ul class=\"wp-block-list\">\n<li>Alert on unassociated EIPs.<\/li>\n<li>Auto-release dev\/test EIPs after TTL (time-to-live).<\/li>\n<\/ul>\n<\/li>\n<li>Minimize exposure:\n<ul class=\"wp-block-list\">\n<li>Put EIP on SLB rather than many instances to reduce public endpoints and simplify security controls.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual, no fabricated numbers)<\/h3>\n\n\n\n<p>A minimal lab often looks like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 EIP allocated for a few hours<\/li>\n<li>Very low outbound traffic (a few MB\/GB depending on patching and tests)<\/li>\n<li>Small bandwidth cap<\/li>\n<\/ul>\n\n\n\n<p>Cost is typically \u201clow\u201d in absolute terms, but it is still usage-based and region-specific. 
Use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Official product page \/ pricing entry point: https:\/\/www.alibabacloud.com\/product\/eip<\/li>\n<li>Alibaba Cloud pricing calculator (if available for your region): https:\/\/www.alibabacloud.com\/pricing (verify the exact calculator path)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, evaluate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expected outbound traffic volume and peak throughput requirements.<\/li>\n<li>Whether a shared bandwidth plan reduces cost or improves operability.<\/li>\n<li>Whether EIP should be attached to:\n<ul class=\"wp-block-list\">\n<li>A load balancer (central entry point) rather than many instances.<\/li>\n<li>A NAT gateway for controlled egress and partner allowlisting.<\/li>\n<\/ul>\n<\/li>\n<li>Security costs:\n<ul class=\"wp-block-list\">\n<li>WAF\/CDN (if web workloads)<\/li>\n<li>Anti-DDoS and firewall services (if you must harden Internet exposure)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Allocate an <strong>Elastic IP Address (EIP)<\/strong> in Alibaba Cloud, associate it with an <strong>ECS instance in a VPC<\/strong>, and publish a simple HTTP service to the Internet with safe security group rules. 
Then clean up all resources to avoid ongoing costs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create (or reuse) a VPC, vSwitch, and security group<\/li>\n<li>Create an ECS instance <strong>without<\/strong> a public IP<\/li>\n<li>Allocate an EIP (pay-as-you-go) and associate it with the ECS instance<\/li>\n<li>Configure security group rules and install NGINX<\/li>\n<li>Validate access via the EIP<\/li>\n<li>Troubleshoot common issues<\/li>\n<li>Cleanup (release EIP, delete ECS)<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Notes:<\/p>\n<ul class=\"wp-block-list\">\n<li>Console screens change over time; follow the same concepts if labels differ slightly.<\/li>\n<li>If your account has policy restrictions (for example, disallow public IPs), you may need admin approval.<\/li>\n<li>Some options (billing model, line type) vary by region\u2014choose the lowest-risk\/lowest-cost option available.<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Choose a region and confirm quotas<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to the <strong>Alibaba Cloud Console<\/strong>.<\/li>\n<li>Select a <strong>Region<\/strong> where you will create all resources.<\/li>\n<li>Navigate to the EIP console area:\n<ul class=\"wp-block-list\">\n<li>You can start from the product page and click \u201cConsole\u201d: https:\/\/www.alibabacloud.com\/product\/eip<\/li>\n<\/ul>\n<\/li>\n<li>Check quota\/limits (often visible in the console or quota center).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have selected one region and confirmed you can allocate at least one EIP.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a VPC and vSwitch (skip if you already have one)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>VPC<\/strong> console.<\/li>\n<li>Create a <strong>VPC<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Specify IPv4 CIDR (for example, <code>10.0.0.0\/16<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li>Create a <strong>vSwitch<\/strong> in a zone within the selected region:\n<ul class=\"wp-block-list\">\n<li>CIDR (for example, <code>10.0.1.0\/24<\/code>).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> A VPC and vSwitch exist in your selected region.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a security group with minimal inbound rules<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>ECS<\/strong> console \u2192 <strong>Security 
Groups<\/strong>.<\/li>\n<li>Create a security group in the same VPC.<\/li>\n<li>Add inbound rules:\n<ul class=\"wp-block-list\">\n<li>SSH: TCP 22 from <strong>your public IP only<\/strong> (recommended).<\/li>\n<li>HTTP: TCP 80 from <strong>your public IP<\/strong> (for testing).<br\/>\n     For public demos you can open HTTP to <code>0.0.0.0\/0<\/code>, but that range is not recommended for SSH.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Security group exists with restrictive inbound access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create an ECS instance without a public IP<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>ECS<\/strong> console \u2192 <strong>Instances<\/strong> \u2192 Create instance.<\/li>\n<li>Choose:\n<ul class=\"wp-block-list\">\n<li>Region and zone matching your vSwitch<\/li>\n<li>VPC and vSwitch created above<\/li>\n<li>The security group created above<\/li>\n<\/ul>\n<\/li>\n<li>Ensure the instance is created <strong>without an automatically assigned public IP<\/strong> (wording varies; look for \u201cPublic IP\u201d options).<\/li>\n<li>Choose a small instance type suitable for lab usage.<\/li>\n<li>Set login method:\n<ul class=\"wp-block-list\">\n<li>SSH key pair (recommended), or password for lab use (less secure).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> ECS instance is running with only a private IP in the VPC.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Allocate an Elastic IP Address (EIP)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Elastic IP Address (EIP)<\/strong> console.<\/li>\n<li>Click <strong>Create\/Allocate EIP<\/strong>.<\/li>\n<li>Choose:\n<ul class=\"wp-block-list\">\n<li><strong>Pay-as-you-go<\/strong> (for lab)<\/li>\n<li>Internet charge type: choose the lowest-risk option available in your region (often pay-by-traffic for short labs; verify)<\/li>\n<li>Bandwidth cap: set a small value suitable for testing<\/li>\n<\/ul>\n<\/li>\n<li>Confirm and 
create.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have an allocated EIP visible in the console (status typically \u201cAvailable\u201d \/ \u201cUnassociated\u201d).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Associate the EIP with the ECS instance<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the EIP list, select your EIP.<\/li>\n<li>Click <strong>Associate<\/strong>.<\/li>\n<li>Choose <strong>ECS instance<\/strong> as the target resource type.<\/li>\n<li>Select the ECS instance you created.<\/li>\n<li>Confirm.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> EIP status changes to \u201cIn Use\/Associated\u201d and shows the ECS instance as the bound resource. The ECS instance now has a reachable public IP (the EIP).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Connect to the instance via the EIP and install a web server<\/h3>\n\n\n\n<p>From your local machine, SSH to the EIP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i \/path\/to\/key.pem root@&lt;YOUR_EIP&gt;\n<\/code><\/pre>\n\n\n\n<p>If your image uses a different default user (for example, <code>ecs-user<\/code>, <code>ubuntu<\/code>, or <code>admin<\/code>), use that user. 
Verify in the ECS instance details.<\/p>\n\n\n\n<p>Install NGINX (commands depend on OS):<\/p>\n\n\n\n<p><strong>Ubuntu\/Debian:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo apt-get update\nsudo apt-get install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n<p><strong>Alibaba Cloud Linux \/ CentOS \/ RHEL (package manager varies):<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo yum install -y nginx || sudo dnf install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n<p>Create a simple test page:<\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"EIP works on Alibaba Cloud: $(hostname)\" | sudo tee \/usr\/share\/nginx\/html\/index.html\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> NGINX is running and serving a page locally on the instance.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Allow HTTP inbound (if not already) and test from your machine<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Ensure security group inbound allows TCP 80 from your IP (or <code>0.0.0.0\/0<\/code> for a temporary public test).<\/li>\n<li>From your laptop:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;YOUR_EIP&gt;\/\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You receive an HTTP 200 response and the page content includes \u201cEIP works on Alibaba Cloud\u201d.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:\n&#8211; EIP console shows EIP is <strong>Associated<\/strong> to the ECS instance.\n&#8211; ECS instance security group inbound allows:\n  &#8211; TCP 22 from your IP (for SSH)\n  &#8211; TCP 80 from your IP (for HTTP test)\n&#8211; From your machine:\n  &#8211; <code>ssh root@&lt;EIP&gt;<\/code> works\n  &#8211; <code>curl http:\/\/&lt;EIP&gt;\/<\/code> returns expected content\n&#8211; On the ECS instance:\n  
&#8211; <code>systemctl status nginx<\/code> shows running\n  &#8211; <code>ss -lntp | grep ':80'<\/code> shows NGINX listening (Linux command may vary)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common errors and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>SSH timeout<\/strong>\n   &#8211; Check security group inbound rule for TCP 22.\n   &#8211; Confirm you are using the correct username and key.\n   &#8211; Verify the ECS instance is running and in the correct VPC.\n   &#8211; Confirm the EIP is associated to the correct instance.<\/p>\n<\/li>\n<li>\n<p><strong>HTTP timeout<\/strong>\n   &#8211; Check security group inbound rule for TCP 80.\n   &#8211; Confirm NGINX is running: <code>systemctl status nginx<\/code>.\n   &#8211; Confirm local firewall on the VM (e.g., <code>ufw<\/code>, <code>firewalld<\/code>) allows port 80.\n   &#8211; Verify you\u2019re curling the EIP and not the private IP.<\/p>\n<\/li>\n<li>\n<p><strong>EIP cannot be associated<\/strong>\n   &#8211; EIP and ECS must generally be in the same region.\n   &#8211; The ECS network type (VPC vs legacy\/classic) must be compatible with your EIP (classic networking is legacy\u2014verify support in your region).\n   &#8211; Quotas may be exceeded.<\/p>\n<\/li>\n<li>\n<p><strong>Unexpected costs<\/strong>\n   &#8211; Ensure you release EIP after the lab.\n   &#8211; Avoid downloading large packages or transferring large files over the Internet.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, clean up in this order:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Stop Internet traffic<\/strong>\n   &#8211; Remove wide-open security group rules (especially SSH from <code>0.0.0.0\/0<\/code> if you temporarily added it).<\/p>\n<\/li>\n<li>\n<p><strong>Disassociate the EIP<\/strong>\n   &#8211; 
EIP console \u2192 select EIP \u2192 <strong>Disassociate<\/strong> from ECS.<\/p>\n<\/li>\n<li>\n<p><strong>Release the EIP<\/strong>\n   &#8211; After it is unassociated, click <strong>Release<\/strong>.<\/p>\n<\/li>\n<li>\n<p><strong>Terminate ECS instance<\/strong>\n   &#8211; ECS console \u2192 Instances \u2192 Release\/Delete instance (and associated disks if not needed).<\/p>\n<\/li>\n<li>\n<p><strong>Delete security group and VPC resources<\/strong> (optional)\n   &#8211; Delete security group, vSwitch, and VPC if they were created only for the lab.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> No EIP remains allocated; lab resources are removed and billing stops for those resources.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>SLB<\/strong> (or an ingress tier) for production web services instead of exposing many ECS instances directly with EIPs.<\/li>\n<li>For stable egress IP, attach EIP to <strong>NAT Gateway<\/strong> and keep workloads in private subnets.<\/li>\n<li>Use EIP move workflows for <strong>active\/passive failover<\/strong>, but design for:\n<ul class=\"wp-block-list\">\n<li>DNS caching<\/li>\n<li>Application health checks<\/li>\n<li>Session persistence (EIP move does not preserve in-memory session state)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong> RAM policies:\n<ul class=\"wp-block-list\">\n<li>Separate \u201callocate\/release EIP\u201d from \u201cassociate EIP to resource\u201d.<\/li>\n<li>Restrict EIP association to approved resource groups or tags where possible (verify if tag-condition policies are supported in your org).<\/li>\n<\/ul>\n<\/li>\n<li>Use MFA and admin approval for public exposure changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Tag EIPs with <code>owner<\/code>, <code>env<\/code>, <code>cost-center<\/code>, and <code>expiry<\/code>.<\/li>\n<li>Alert on:\n<ul class=\"wp-block-list\">\n<li>Unassociated EIPs older than N hours\/days<\/li>\n<li>Unexpected egress usage spikes<\/li>\n<\/ul>\n<\/li>\n<li>Evaluate shared bandwidth plans if you operate many EIPs (verify feature\/product availability).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Size bandwidth (or expected egress) according to real needs.<\/li>\n<li>Don\u2019t host high-throughput public services directly on a single EIP+single VM; use load balancing and horizontal scaling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Document an EIP failover runbook:\n<ul class=\"wp-block-list\">\n<li>Preconditions (standby instance ready)<\/li>\n<li>Steps (disassociate\/associate)<\/li>\n<li>Validation (health checks)<\/li>\n<li>Rollback steps<\/li>\n<\/ul>\n<\/li>\n<li>Automate with CLI or IaC when possible, but secure automation credentials.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize logs (app logs, access logs) for any Internet-exposed system.<\/li>\n<li>Track EIP lifecycle events with audit services (ActionTrail or equivalent\u2014verify).<\/li>\n<li>Use naming conventions like:\n<ul class=\"wp-block-list\">\n<li><code>eip-prod-ingress-web-01<\/code><\/li>\n<li><code>eip-dev-bastion-ttl-24h<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standard tags:\n<ul class=\"wp-block-list\">\n<li><code>env=dev|test|prod<\/code><\/li>\n<li><code>owner=email\/team<\/code><\/li>\n<li><code>service=name<\/code><\/li>\n<li><code>cost-center=...<\/code><\/li>\n<li><code>expiry=YYYY-MM-DD<\/code> (for temporary EIPs)<\/li>\n<\/ul>\n<\/li>\n<li>Enforce periodic review:\n<ul class=\"wp-block-list\">\n<li>\u201cWhich EIPs exist, why, and who owns them?\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed through <strong>Alibaba Cloud RAM<\/strong>.<\/li>\n<li>Key risks:\n<ul class=\"wp-block-list\">\n<li>Anyone who can <strong>associate<\/strong> an EIP can expose a private system to the Internet.<\/li>\n<li>Anyone who can <strong>release<\/strong> an EIP can cause an outage by removing the public endpoint.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Split duties:\n<ul class=\"wp-block-list\">\n<li>Network team can allocate\/associate EIPs to approved front doors (SLB\/NAT).<\/li>\n<li>App teams cannot self-expose production instances without a change process.<\/li>\n<\/ul>\n<\/li>\n<li>Use Resource Groups and tagging for access control where possible (verify feature support).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EIP is an IP endpoint; encryption is handled at higher layers:\n<ul class=\"wp-block-list\">\n<li>Use TLS (HTTPS) for web services.<\/li>\n<li>Use SSH keys (not passwords) for admin access.<\/li>\n<\/ul>\n<\/li>\n<li>For web services, consider WAF\/CDN\/TLS termination patterns rather than terminating TLS on a single instance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EIP makes a resource Internet-reachable, but <strong>security groups and NACLs<\/strong> determine allowed ports.<\/li>\n<li>Default-deny inbound and explicitly allow only required ports and source ranges.<\/li>\n<li>For administration, prefer:\n<ul class=\"wp-block-list\">\n<li>Bastion host patterns<\/li>\n<li>VPN access<\/li>\n<li>PrivateLink-type services (if available) rather than public SSH<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t store secrets on an Internet-exposed host in plaintext.<\/li>\n<li>Use Alibaba Cloud secret management services if available in your environment 
(verify current product name and suitability).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track:\n<ul class=\"wp-block-list\">\n<li>EIP allocate\/release<\/li>\n<li>EIP associate\/disassociate<\/li>\n<li>Security group rule changes<\/li>\n<\/ul>\n<\/li>\n<li>Use ActionTrail (or your org\u2019s audit tooling) and export logs to centralized storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data residency: EIP is regional; ensure region selection meets compliance.<\/li>\n<li>Logging\/retention: keep access logs for Internet endpoints.<\/li>\n<li>Change control: treat EIP association changes as production-impacting changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Opening SSH (22) to <code>0.0.0.0\/0<\/code>.<\/li>\n<li>Associating EIP directly to app instances instead of using SLB.<\/li>\n<li>Forgetting to remove EIP after incident access (\u201ctemporary\u201d becomes permanent).<\/li>\n<li>No monitoring on egress traffic (data exfiltration risk).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Put EIP on <strong>SLB<\/strong> for production Internet ingress when possible.<\/li>\n<li>Enable DDoS protection and firewalling appropriate for your threat model (Alibaba Cloud offers Anti-DDoS and firewall products; verify exact options and attach points).<\/li>\n<li>Implement a periodic scan:\n<ul class=\"wp-block-list\">\n<li>Which EIPs exist?<\/li>\n<li>What are they attached to?<\/li>\n<li>Are ports restricted?<\/li>\n<li>Are tags present?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Always confirm current constraints in the official EIP documentation for your region.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional scope:<\/strong> Standard EIPs are typically regional; you cannot freely move them across regions.<\/li>\n<li><strong>One-to-one association:<\/strong> An EIP is generally associated with one resource at a time.<\/li>\n<li><strong>Brief interruption on reassociation:<\/strong> Moving an EIP causes a short disruption; design failover accordingly.<\/li>\n<li><strong>Quota limits:<\/strong> Per-account and per-region quotas can block allocations during incidents if not planned.<\/li>\n<li><strong>Legacy\/classic networking nuances:<\/strong> If you still use classic networking, EIP workflows may differ or be restricted. Classic is legacy in many clouds; verify current Alibaba Cloud support status.<\/li>\n<li><strong>Cost surprises from egress:<\/strong> Outbound Internet traffic can quickly become expensive if you expose large downloads, logs, backups, or open proxies.<\/li>\n<li><strong>Security group misconfigurations:<\/strong> EIP \u201cdoesn\u2019t work\u201d most often because inbound rules are missing or too restrictive\u2014or because they are too permissive and create risk.<\/li>\n<li><strong>Association target compatibility:<\/strong> Not every resource type supports EIP association in every region or product generation; verify before designing around it.<\/li>\n<li><strong>DNS vs IP strategy:<\/strong> Even with EIP, prefer DNS names for clients; it\u2019s easier to evolve architecture later.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Elastic IP Address (EIP) is one tool in a broader networking toolkit. 
Consider these alternatives depending on requirements.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Elastic IP Address (EIP)<\/strong><\/td>\n<td>Stable public IP that can move between resources<\/td>\n<td>Portable static IP, supports failover\/migration workflows<\/td>\n<td>Regional, can increase attack surface if attached to instances<\/td>\n<td>When you need a fixed IP for allowlists, migration, or stable endpoints<\/td>\n<\/tr>\n<tr>\n<td><strong>ECS public IP (auto-assigned)<\/strong><\/td>\n<td>Simple Internet access for a VM<\/td>\n<td>Easy, no separate EIP lifecycle<\/td>\n<td>Often tied to instance lifecycle; less portable<\/td>\n<td>For quick dev\/test or simple workloads where IP changes are acceptable<\/td>\n<\/tr>\n<tr>\n<td><strong>Server Load Balancer (SLB) public endpoint<\/strong><\/td>\n<td>Production ingress for web\/services<\/td>\n<td>HA, scales, centralizes exposure<\/td>\n<td>Extra service cost\/complexity<\/td>\n<td>For production HTTP\/TCP services needing HA and scaling<\/td>\n<\/tr>\n<tr>\n<td><strong>NAT Gateway + EIP<\/strong><\/td>\n<td>Stable egress IP and controlled inbound DNAT<\/td>\n<td>Keeps workloads private; centralized Internet gateway<\/td>\n<td>Additional NAT Gateway cost; configuration complexity<\/td>\n<td>When you need private subnets with controlled Internet access<\/td>\n<\/tr>\n<tr>\n<td><strong>Anycast\/global acceleration products (Alibaba Cloud)<\/strong><\/td>\n<td>Global entry point and cross-region acceleration<\/td>\n<td>Better global performance and availability<\/td>\n<td>Different product scope and pricing<\/td>\n<td>When you need global anycast behavior (verify product fit; not standard EIP)<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Elastic IP (EC2)<\/strong><\/td>\n<td>Similar static IP concept on AWS<\/td>\n<td>Familiar 
portable IP<\/td>\n<td>AWS-specific constraints and pricing<\/td>\n<td>When designing on AWS, not applicable to Alibaba Cloud<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Public IP<\/strong><\/td>\n<td>Static public IP on Azure resources<\/td>\n<td>Rich LB integration<\/td>\n<td>Azure-specific behavior<\/td>\n<td>When designing on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP Static external IP<\/strong><\/td>\n<td>Static IP on Google Cloud<\/td>\n<td>Strong LB integration<\/td>\n<td>GCP-specific<\/td>\n<td>When designing on GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed reverse proxy behind a single IP<\/strong><\/td>\n<td>Centralize ingress with custom routing<\/td>\n<td>Flexible routing and TLS<\/td>\n<td>You manage HA and patching<\/td>\n<td>When you want full control and can run HA proxy tier<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated partner allowlisting + private subnets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A bank integrates with a third-party payment network that requires <strong>source IP allowlisting<\/strong>. 
The bank also requires app servers to remain in private subnets with controlled egress.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul class=\"wp-block-list\">\n<li>App ECS instances in private subnets (no public IP)<\/li>\n<li><strong>NAT Gateway<\/strong> for outbound Internet<\/li>\n<li><strong>Elastic IP Address (EIP)<\/strong> associated with NAT Gateway for stable egress IP<\/li>\n<li>Central logging and monitoring; strict RAM control over EIP\/NAT changes<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Elastic IP Address (EIP) was chosen:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Provides a stable, controlled public egress identity for allowlisting.<\/li>\n<li>Decouples egress IP from underlying compute scaling and replacement.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Faster scaling and patching without partner coordination.<\/li>\n<li>Reduced public exposure (no EIPs directly on app servers).<\/li>\n<li>Clear audit trail for IP changes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: simple production endpoint with migration flexibility<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup runs a small API and needs a stable IP for a customer firewall allowlist. They occasionally rebuild servers.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul class=\"wp-block-list\">\n<li>One ECS instance hosting the API (initially)<\/li>\n<li>One EIP associated to ECS<\/li>\n<li>Security group restricts inbound to required ports; SSH restricted to founders\u2019 IPs<\/li>\n<li>Plan to introduce SLB later as traffic grows<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Elastic IP Address (EIP) was chosen:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Fast to implement and easy to move during instance upgrades.<\/li>\n<li>Minimal architecture overhead at early stage.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Stable customer allowlist IP immediately.<\/li>\n<li>Cleaner migration path to new instances as the product evolves.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. 
FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Elastic IP Address (EIP) the same as an ECS public IP?<\/strong><br\/>\n   No. An ECS public IP is typically tied to the instance lifecycle or instance configuration. An EIP is a separate resource you can allocate and then associate\/disassociate with supported resources.<\/p>\n<\/li>\n<li>\n<p><strong>Can I move an EIP from one ECS instance to another?<\/strong><br\/>\n   Yes in general: disassociate from the first, associate to the second. Expect a brief connectivity interruption during the switch.<\/p>\n<\/li>\n<li>\n<p><strong>Is EIP global?<\/strong><br\/>\n   Standard EIP is typically <strong>regional<\/strong>. For global anycast-style IPs, Alibaba Cloud may offer separate products (for example Anycast EIP \/ global acceleration). Verify the correct product for global needs.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need a VPC to use EIP?<\/strong><br\/>\n   EIP is commonly used with VPC-based resources. Legacy\/classic networking may have different rules and is generally discouraged; verify current support in your region.<\/p>\n<\/li>\n<li>\n<p><strong>What resources can I associate an EIP to?<\/strong><br\/>\n   Common targets include ECS, SLB, and NAT Gateway, but compatibility varies by region and product type. Verify in the official EIP documentation.<\/p>\n<\/li>\n<li>\n<p><strong>Does associating an EIP automatically open ports to the Internet?<\/strong><br\/>\n   No. Security groups and NACLs control allowed traffic. EIP provides reachability, not permission.<\/p>\n<\/li>\n<li>\n<p><strong>What is the difference between pay-by-traffic and pay-by-bandwidth?<\/strong><br\/>\n   Pay-by-traffic typically bills based on outbound data volume; pay-by-bandwidth bills based on configured bandwidth over time. 
Availability and exact rules vary by region.<\/p>\n<\/li>\n<li>\n<p><strong>If my EIP is allocated but not associated, do I still pay?<\/strong><br\/>\n   Often yes\u2014many providers charge for allocated public IPs even when idle. Check the Alibaba Cloud billing rules for EIP in your region.<\/p>\n<\/li>\n<li>\n<p><strong>Can I reserve a specific IP address?<\/strong><br\/>\n   Typically you cannot choose an exact IP from the pool. Some enterprise programs may offer reserved IP capabilities; verify in official docs or with Alibaba Cloud support.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use EIP for inbound HTTPS?<\/strong><br\/>\n   Yes, if your associated resource serves HTTPS and security groups allow it. For production, consider terminating TLS on SLB\/WAF\/CDN depending on your needs.<\/p>\n<\/li>\n<li>\n<p><strong>How do I reduce attack surface when using EIP?<\/strong><br\/>\n   Attach EIP to a controlled ingress tier (SLB), restrict inbound rules, use a WAF\/firewall where appropriate, and avoid putting EIPs directly on many instances.<\/p>\n<\/li>\n<li>\n<p><strong>Is EIP IPv4 or IPv6?<\/strong><br\/>\n   Standard EIP is commonly IPv4. IPv6 public addressing is typically handled through separate IPv6 features (for example IPv6 gateways). Verify current IPv6 options in Alibaba Cloud docs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I attach multiple EIPs to one ECS instance?<\/strong><br\/>\n   Usually an ECS instance has constraints; multiple public IPs can require multiple ENIs or different patterns. Verify current ECS\/EIP association rules for your instance type and region.<\/p>\n<\/li>\n<li>\n<p><strong>How do I audit who changed EIP associations?<\/strong><br\/>\n   Use Alibaba Cloud audit services (often ActionTrail) to track API calls and console actions. 
Verify the exact audit event coverage for EIP operations.<\/p>\n<\/li>\n<li>\n<p><strong>What is the recommended production pattern: EIP on ECS or EIP on SLB\/NAT?<\/strong><br\/>\n   Prefer EIP on <strong>SLB<\/strong> for inbound services and EIP on <strong>NAT Gateway<\/strong> for egress, keeping app instances private. Use EIP directly on ECS mainly for dev\/test, bastions, or very small workloads with tight controls.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Elastic IP Address (EIP)<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official product page<\/td>\n<td>Alibaba Cloud Elastic IP Address (EIP)<\/td>\n<td>High-level overview and entry point to console and docs: https:\/\/www.alibabacloud.com\/product\/eip<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Elastic IP Address (EIP) Help Center<\/td>\n<td>Primary reference for features, limits, and how-to guides (navigate to your language\/region): https:\/\/www.alibabacloud.com\/help\/en\/elastic-ip-address<\/td>\n<\/tr>\n<tr>\n<td>Official billing docs<\/td>\n<td>EIP Billing \/ Billing overview<\/td>\n<td>Explains pricing dimensions and billing rules (region-specific; verify): https:\/\/www.alibabacloud.com\/help\/en\/elastic-ip-address (see Billing section)<\/td>\n<\/tr>\n<tr>\n<td>Official API reference<\/td>\n<td>EIP API Reference<\/td>\n<td>Automation details (AllocateEipAddress, AssociateEipAddress, etc.). 
Verify current location via docs search: https:\/\/www.alibabacloud.com\/help<\/td>\n<\/tr>\n<tr>\n<td>Official CLI docs<\/td>\n<td>Alibaba Cloud CLI<\/td>\n<td>Manage EIP via CLI in scripts\/runbooks: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/td>\n<\/tr>\n<tr>\n<td>Terraform provider docs<\/td>\n<td>Alibaba Cloud Terraform Provider<\/td>\n<td>Infrastructure-as-code for EIP lifecycle (verify current resources): https:\/\/registry.terraform.io\/providers\/aliyun\/alicloud\/latest\/docs<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Alibaba Cloud Architecture Center<\/td>\n<td>Patterns and reference architectures that often include ingress\/egress design: https:\/\/www.alibabacloud.com\/architecture<\/td>\n<\/tr>\n<tr>\n<td>Official networking docs<\/td>\n<td>VPC documentation<\/td>\n<td>Broader context: VPC, routes, NAT, security groups: https:\/\/www.alibabacloud.com\/help\/en\/vpc<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud Community<\/td>\n<td>Practical posts and examples; validate against official docs: https:\/\/www.alibabacloud.com\/blog<\/td>\n<\/tr>\n<tr>\n<td>Video learning<\/td>\n<td>Alibaba Cloud YouTube channel \/ videos<\/td>\n<td>Service walkthroughs and webinars (search EIP\/VPC topics): https:\/\/www.youtube.com\/@AlibabaCloud<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. 
Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams, beginners<\/td>\n<td>Cloud\/DevOps tooling, operational practices, labs<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Students, engineers learning DevOps foundations<\/td>\n<td>SCM\/CI\/CD basics, DevOps workflows<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams, sysadmins transitioning to cloud<\/td>\n<td>Cloud operations, monitoring, automation<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers, production ops<\/td>\n<td>SRE practices, incident response, observability<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>AIOps concepts, monitoring + automation<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Students, engineers seeking guided learning<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training and coaching (verify topics)<\/td>\n<td>DevOps engineers, beginners<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training resources (verify)<\/td>\n<td>Small teams and startups<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify)<\/td>\n<td>Ops\/DevOps teams needing practical help<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service catalog)<\/td>\n<td>Architecture, DevOps automation, migrations<\/td>\n<td>Network baseline design; IaC rollout; cost governance setup<\/td>\n<td>https:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>Training + consulting services (verify)<\/td>\n<td>DevOps transformation, platform enablement<\/td>\n<td>Standardized networking patterns; runbooks; CI\/CD and IaC<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify)<\/td>\n<td>Cloud operations, automation, best practices<\/td>\n<td>Secure public exposure review; monitoring strategy; incident response playbooks<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP addressing basics: public vs private IP, CIDR, routing<\/li>\n<li>VPC fundamentals: subnets (vSwitch), route tables, gateways<\/li>\n<li>Security basics: stateful firewalls\/security groups, least privilege IAM<\/li>\n<li>Linux basics: SSH, package management, service management<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Server Load Balancer (SLB)<\/strong> design (L4\/L7, health checks, TLS)<\/li>\n<li><strong>NAT Gateway<\/strong> (SNAT\/DNAT) patterns for private subnets<\/li>\n<li>Observability: CloudMonitor metrics\/alerts, log pipelines<\/li>\n<li>Security hardening: Cloud Firewall\/WAF\/Anti-DDoS (choose based on workload)<\/li>\n<li>IaC and automation: Terraform modules, CI\/CD pipelines, change management<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer \/ Cloud Network Engineer<\/li>\n<li>DevOps Engineer \/ Platform Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Security Engineer (cloud perimeter and exposure management)<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications and names change over time. 
Look for Alibaba Cloud certifications covering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud networking\/VPC fundamentals<\/li>\n<li>Architect-level design including ingress\/egress patterns<\/li>\n<\/ul>\n\n\n\n<p>Verify current certification tracks here: https:\/\/www.alibabacloud.com\/training\/certification (or the current Alibaba Cloud training portal path).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a private VPC app tier with NAT Gateway egress using an EIP allowlisted by a mock partner service.<\/li>\n<li>Implement active\/passive ECS failover by moving an EIP using a scripted runbook.<\/li>\n<li>Create Terraform modules for EIP allocation, association, tagging, and scheduled cleanup.<\/li>\n<li>Design a production ingress using SLB + private ECS and document threat model and security group policies.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EIP (Elastic IP Address):<\/strong> A standalone public IP resource in Alibaba Cloud that can be associated with supported resources.<\/li>\n<li><strong>VPC (Virtual Private Cloud):<\/strong> A logically isolated network in Alibaba Cloud where you run resources with private IP addressing.<\/li>\n<li><strong>vSwitch:<\/strong> A subnet within a VPC, typically scoped to a zone.<\/li>\n<li><strong>ECS (Elastic Compute Service):<\/strong> Alibaba Cloud virtual machine service.<\/li>\n<li><strong>SLB (Server Load Balancer):<\/strong> Managed load balancing for inbound traffic to multiple backend servers.<\/li>\n<li><strong>NAT Gateway:<\/strong> Managed NAT service for outbound (SNAT) and inbound mapping (DNAT) depending on configuration.<\/li>\n<li><strong>Security Group:<\/strong> Stateful virtual firewall rules applied to ECS network interfaces.<\/li>\n<li><strong>Ingress\/Egress:<\/strong> Inbound\/outbound network traffic.<\/li>\n<li><strong>Pay-by-traffic:<\/strong> Billing method typically based on outbound
data volume.<\/li>\n<li><strong>Pay-by-bandwidth:<\/strong> Billing method typically based on configured bandwidth over time.<\/li>\n<li><strong>Association:<\/strong> Binding an EIP to a target resource so it becomes reachable.<\/li>\n<li><strong>Orphaned EIP:<\/strong> An allocated EIP not associated with any resource, often still billable.<\/li>\n<li><strong>Least privilege:<\/strong> Security principle of granting only the permissions needed to perform a task.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Elastic IP Address (EIP) on <strong>Alibaba Cloud<\/strong> (Networking and CDN category) is a portable public IP resource that you allocate independently and associate with supported services like ECS, SLB, or NAT Gateway. It matters because it decouples your public endpoint from underlying compute, enabling safer migrations, faster failover, and stable allowlisting.<\/p>\n\n\n\n<p>Cost is mainly driven by how long the EIP remains allocated and by Internet egress (traffic) or bandwidth configuration depending on your billing model and region\u2014so tagging, monitoring, and cleanup automation are essential. 
Security-wise, EIP is a direct Internet exposure mechanism; control it with least-privilege RAM policies, restrictive security group rules, and an architecture that prefers centralized ingress\/egress points (SLB\/NAT) over many public instances.<\/p>\n\n\n\n<p>Next step: practice production-ready patterns\u2014attach EIP to SLB for inbound services or NAT Gateway for stable egress\u2014and validate your design against the official Alibaba Cloud Elastic IP Address (EIP) documentation and billing rules for your target region.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking and CDN<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-networking-and-cdn"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=35"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/35\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=35"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}