Amazon Elastic Compute Cloud
User Guide (API Version 2013-02-01)

Elastic Network Interfaces (ENI)

An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An ENI can include the following attributes:

  • a primary private IP address

  • one or more secondary private IP addresses

  • an Elastic IP address

  • a MAC address

  • one or more associated security groups

  • a source/destination check flag

  • a description

You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow the network interface as it is attached or detached from an instance and reattached to another instance. When you move a network interface from one instance to another, network traffic is redirected to the new instance.

Each instance in a VPC has a default network interface. The default network interface has a primary private IP address in the IP address range of its VPC. You can create and attach additional network interfaces. The maximum number of network interfaces that you can use varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type.

Attaching multiple network interfaces to an instance is useful when you want to:

  • Create a management network.

  • Use network and security appliances in your VPC.

  • Create dual-homed instances with workloads/roles on distinct subnets.

  • Create a low-budget, high-availability solution.

Creating a Management Network

You can create a management network using network interfaces. In this scenario, the secondary network interface on the instance handles public-facing traffic, and the primary network interface handles back-end management traffic; the primary interface is connected to a separate subnet in your VPC that has more restrictive access controls. The public-facing interface, which may or may not be behind a load balancer, has an associated security group that allows access to the server from the Internet (for example, allow TCP ports 80 and 443 from 0.0.0.0/0, or from the load balancer), while the private-facing interface has an associated security group that allows SSH access only from an allowed range of IP addresses, whether that range is within the VPC, on the Internet, in a private subnet within the VPC, or behind a virtual private gateway.

To ensure failover capabilities, consider using a secondary private IP for incoming traffic on a network interface. In the event of an instance failure, you can move the interface and/or secondary private IP address to a standby instance.

Creating a Management Network

Use Network and Security Appliances in Your VPC

Some network and security appliances, such as load balancers, network address translation (NAT) servers, and proxy servers prefer to be configured with multiple network interfaces. You can create and attach secondary network interfaces to instances in a VPC that are running these types of applications and configure the additional interfaces with their own public and private IP addresses, security groups, and source/destination checking.

Creating Dual-homed Instances with Workloads/Roles on Distinct Subnets

You can place a network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a back-end network (subnet) where the database server resides. Instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end, initiates a connection to the back end, and then sends requests to the servers on the back-end network.

Create a Low Budget High Availability Solution

If one of your instances serving a particular function fails, its network interface can be attached to a replacement or hot standby instance pre-configured for the same role in order to rapidly recover the service. For example, you can use an ENI as your primary or secondary network interface to a critical service such as a database instance or a NAT instance. If the instance fails, you (or more likely, the code running on your behalf) can attach the ENI to a hot standby instance. Because the interface maintains its private IP addresses, Elastic IP addresses, and MAC address, network traffic will begin flowing to the standby instance as soon as you attach the ENI to the replacement instance. Users will experience a brief loss of connectivity between the time the instance fails and the time that the ENI is attached to the standby instance, but no changes to the VPC route table or your DNS server are required.

Best Practices for Configuring Network Interfaces

  • You can attach a network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach).

  • You can detach secondary (eth-n) network interfaces when the instance is running or stopped. However, you cannot detach the primary (eth0) interface.

  • You can attach a network interface in one subnet to an instance in another subnet in the same VPC; however, both the network interface and the instance must reside in the same Availability Zone.

  • When launching an instance from the CLI or API, you can specify the network interfaces to attach to the instance for both the primary (eth0) and additional network interfaces.

  • Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance. A warm or hot attach of an additional network interface may require you to manually bring up the second interface, configure the private IP address, and modify the route table accordingly. (Instances running Microsoft Windows Server or Amazon Linux automatically recognize the warm or hot attach and configure themselves.)

  • Attaching another network interface to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance.
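The best-practice note above says that a warm or hot attach may leave you to bring up the second interface, assign its private IP address, and adjust the route table by hand. The script below is an added example, not from the AWS guide, of what that hand configuration looks like on a Linux instance that does not auto-configure the interface. It computes the commands from the interface name, the private IP shown on the interface's Details tab, and the subnet CIDR, and it adds a per-interface routing table so that replies to traffic arriving on eth1's address leave through eth1 instead of the default route on eth0 (without this, traffic to the second interface often gets no reply). It assumes, as the page does not state, that the subnet router is the first host address of the subnet CIDR and that iproute2 is installed; the interface name, addresses and table number in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS guide: configure a secondary ENI (eth1) on
# Linux after a warm or hot attach. plan_secondary_iface only prints the
# commands so they can be reviewed; apply_secondary_iface runs them (as root).
# Assumptions (not stated on the page): the subnet router is the first host
# address of the subnet CIDR, and iproute2 ("ip") is installed.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_gateway CIDR -> first host of the subnet (assumed to be the VPC router)
subnet_gateway() {
    net=${1%/*}
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    base=$(( $(ip2int "$net") & mask ))
    int2ip $(( base + 1 ))
}

# plan_secondary_iface IFACE PRIVATE_IP SUBNET_CIDR TABLE_ID
# Prints, one per line, the commands that bring the interface up, assign its
# private IP, and give it its own routing table plus a source-address rule so
# that packets from PRIVATE_IP are routed via IFACE. Nothing is executed.
plan_secondary_iface() {
    iface=$1; addr=$2; cidr=$3; table=$4
    prefix=${cidr#*/}
    gw=$(subnet_gateway "$cidr")
    printf '%s\n' \
        "ip link set dev $iface up" \
        "ip addr add $addr/$prefix dev $iface" \
        "ip route add $cidr dev $iface src $addr table $table" \
        "ip route add default via $gw dev $iface table $table" \
        "ip rule add from $addr/32 table $table"
}

# apply_secondary_iface: same arguments; runs the plan, stopping at the first
# command that fails (requires root).
apply_secondary_iface() {
    plan_secondary_iface "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Usage with constructed values: eth1 at 10.0.1.25 in subnet 10.0.1.0/24,
# routing table 101. Take the real values from the interface's Details tab.
# plan_secondary_iface eth1 10.0.1.25 10.0.1.0/24 101
```

Run the plan first and compare it against the interface's Details tab before applying it; the table number only has to be unused in /etc/iproute2/rt_tables, and the settings are not persistent across reboots, so they belong in the distribution's network configuration once verified.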

Creating a Network Interface

To create a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Click Create Network Interface.

  4. In the Create Network Interface dialog box, provide the following information for the network interface, and then click Yes, Create.

    1. In Description, enter a descriptive name.

    2. In Subnet, select the subnet. Note that you can't move the network interface to another subnet after it's created.

    3. In Private IP, enter the primary private IP address. If you don't specify an IP address, we'll select an available IP address from within the selected subnet.

    4. In Security Groups, select one or more security groups.

    Create Network Interface

Deleting a Network Interface

You must first detach a network interface from an instance before you can delete it. Deleting a network interface releases all attributes associated with the network interface and releases any private IP addresses or Elastic IP addresses to be used by another instance.

To delete a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select a network interface, and then click the Delete button.

  4. In the Delete Network Interface dialog box, click Yes, Delete.

    Delete Network Interface

Viewing Details about a Network Interface

To view details about a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select the network interface.

  4. View the details on the Details tab.

    Network Interface Details

Attaching a Network Interface When Launching an Instance

You can attach an additional network interface, designated as eth1-n, to an instance when you launch it into a VPC.

Note

If an error occurs when attaching a network interface to your instance, this causes the instance launch to fail.

To attach a network interface when launching an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Launch Instance.

  3. On the Create a New Instance page, click Classic Wizard, and then click Continue.

  4. On the CHOOSE AN AMI page, the Quick Start tab displays a list of basic configurations called Amazon Machine Images (AMI). Choose an AMI and click its Select button.

  5. On the INSTANCE DETAILS page, set the number and type of instances to launch. You can select a subnet or let us choose one. Confirm your selections, and then click Continue.

  6. On the next INSTANCE DETAILS page, under Advanced Instance Options, select the number of network interfaces to attach to the instance. The console enables you to specify up to 2 network interfaces when you launch an instance. After you launch the instance, click Network Interfaces in the navigation pane to add additional network interfaces. The total number of network interfaces that you can attach varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type. You can also enter an IP address for the primary network interface (eth0). When you've finished, click Continue.

    Advanced Instance Options

  7. On the CREATE KEY PAIR page, select an existing key pair or create a new one. If you create a new key pair, you must download it before you can click Continue.

    If you're new to Amazon EC2 and haven't created any key pairs, the wizard prompts you to create one.

  8. On the CONFIGURE FIREWALL page, select an existing security group for the primary network interface or create a new one, and then click Continue.

    The security group for the additional network interface was previously selected when the network interface was created.

  9. On the REVIEW page, details about the primary and additional network interface are displayed. Review the settings, and then click Launch.

Attaching a Network Interface to a Stopped or Running Instance

You can attach a network interface to any of your stopped or running instances in your VPC from either the Instances page or the Network Interfaces page of the EC2 console.

To attach a network interface to a stopped or running instance using Instances

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Instances in the navigation pane.

  3. Right-click the instance, and then select Attach Network Interface.

  4. In the Attach Network Interface dialog box, select the network interface, and then click Yes, Attach.

To attach a network interface to a stopped or running instance using Network Interfaces

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select the network interface.

  4. Click the Attach button.

  5. In the Attach Network Interface dialog box, select the instance, and then click Yes, Attach.

    Attach Network Interface

Detaching a Network Interface from an Instance

You can detach a secondary network interface at any time, using either the Instances or Network Interfaces pane of the Amazon EC2 console.

To detach a network interface from an instance using Instances

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Instances in the navigation pane.

  3. Right-click the instance, and then select Detach Network Interface.

  4. In the Detach Network Interface dialog box, select the network interface, and then click Yes, Detach.

To detach a network interface from an instance using Network Interfaces

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select the network interface, and then click the Detach button.

  4. In the Detach Network Interface dialog box, click Yes, Detach. If the network interface fails to detach from the instance, select Force, and then try again.

    Detach Network Interface

Changing the Security Group of a Network Interface

You can change the security groups that are associated with a network interface.

Note

You can't change security group membership for interfaces owned by other Amazon Web Services, such as Elastic Load Balancing, using the Amazon EC2 console, command line interface, or API actions. To modify a security group owned by one of these services, use the console, command line interface, or API for that service.

To change the security group of a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select the network interface.

  4. Right-click the network interface, and then select Change Security Groups.

  5. In the Change Security Groups dialog box, select the security groups to use, and then click Save.

    Change Security Groups

Changing the Source/Destination Checking of a Network Interface

The Source/Destination Check attribute controls whether source/destination checking is enabled on the instance. Disabling this attribute enables an instance to handle network traffic that isn't specifically destined for the instance. For example, instances running services such as network address translation, routing, or firewalls should set this value to disabled. The default value is enabled.

To change source/destination checking for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Right-click the network interface, and then select Change Source/Dest Check.

  4. In the Change Source/Dest Checking dialog box, select Enabled (if enabling), or Disabled (if disabling), and then click Save.

    Change Source/Dest Checking

Associating an Elastic IP Address with a Network Interface

To associate an Elastic IP address with a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Right-click the network interface, and then select Associate Address.

  4. In the Associate Address dialog box, select the Elastic IP address to associate with your network interface.

  5. In Associate to private address, select the private IP address to associate with the Elastic IP address.

  6. Click Allow Reassociation to allow the Elastic IP address to be associated with the specified network interface if it's currently associated with another instance or network interface, and then click Yes, Associate.

    Associate Address

Disassociating an Elastic IP Address from a Network Interface

If the network interface has an Elastic IP address associated with it, you can disassociate the address, and then either associate it with another network interface or release it back to the address pool.

To disassociate an Elastic IP address from a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Right-click the network interface, and then select Disassociate Address.

  4. In the Disassociate Address dialog box, click Yes, Disassociate.

    Disassociate Elastic IP Address

Changing Termination Behavior for a Network Interface

You can set the termination behavior for a network interface attached to an instance so that it is automatically deleted when you delete the instance it's attached to.

Note

By default, network interfaces that are automatically created and attached to instances using the EC2 console are set to terminate when the instance terminates. However, network interfaces created using the ec2-create-network-interface command aren't set to terminate when the instance terminates.

To change termination behavior for network interfaces

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Right-click the network interface, and then select Change Termination Behavior.

  4. In the Change Termination Behavior dialog box, select the Delete on termination check box if you want the network interface to be deleted when you terminate an instance.

    Change Termination Behavior

Adding or Editing a Description for a Network Interface

To add or edit a description for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Right-click the network interface, and then select Change Description.

  4. In the Change Description dialog box, enter a description for the network interface, and then click Yes, Change.

    Change Description

Adding or Editing Tags for a Network Interface

Tags are metadata that you can add to a network interface. Tags are private and are only visible to your account. Each tag consists of a key and an optional value. For more information about tags, see Tagging Your Amazon EC2 Resources.

To add or edit tags for a network interface

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Network Interfaces in the navigation pane.

  3. Select the network interface.

  4. In the details pane, click the Tags tab, and then click Add/Edit Tags.

  5. In the Tag Network Interfaces dialog box, enter a key and an optional value for each tag that you want to add, and then click Save Tags.

    Tag Network Interfaces

API and Command Overview

The following table summarizes the available network interface commands and corresponding API actions.

Description                                           | Command                                   | API Action
------------------------------------------------------+-------------------------------------------+----------------------------------
Attaches a network interface to an instance.          | ec2-attach-network-interface              | AttachNetworkInterface
Creates a network interface in the specified subnet.  | ec2-create-network-interface              | CreateNetworkInterface
Deletes a network interface.                          | ec2-delete-network-interface              | DeleteNetworkInterface
Describes a network interface attribute.              | ec2-describe-network-interface-attribute  | DescribeNetworkInterfaceAttribute
Describes one or more of your network interfaces.     | ec2-describe-network-interfaces           | DescribeNetworkInterfaces
Detaches a network interface from an instance.        | ec2-detach-network-interface              | DetachNetworkInterface
Modifies a network interface attribute.               | ec2-modify-network-interface-attribute    | ModifyNetworkInterfaceAttribute
Resets a network interface attribute.                 | ec2-reset-network-interface-attribute     | ResetNetworkInterfaceAttribute
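The low-budget high-availability section earlier says the failover is normally done by "code running on your behalf". The script below is an added example, not from the AWS guide or the EC2 API tools, of that code written with the commands in the table above: it detaches the interface from the failed instance (retrying with a forced detach, like the console's Force option, if the plain detach fails), waits until the interface is free, and attaches it to a hot standby in the same Availability Zone. It assumes that the EC2 API tools are installed and configured, that their option syntax is as documented for those tools (attach takes -i for the instance and -d for the device index, detach takes --force), and that ec2-describe-network-interfaces prints one record per line with an ATTACHMENT line containing an "eni-attach-" field and a NETWORKINTERFACE line containing the status word; the identifiers in the usage line are constructed placeholders. With ENI_DRY_RUN=1 it prints the command lines instead of running them, which is how the procedure can be rehearsed without touching any interface.

```shell
#!/bin/sh
# Added example, not from the AWS guide or the EC2 API tools: move a network
# interface from a failed instance to a hot standby ("low-budget HA").
# Assumptions: EC2 API tools installed and configured; option syntax as
# documented for the tools (attach: -i instance, -d device index; detach:
# --force); describe output is one record per line (ATTACHMENT line with an
# "eni-attach-..." field, NETWORKINTERFACE line with the status word).
# Set ENI_DRY_RUN=1 to print the command lines instead of running them.

ENI_DRY_RUN=${ENI_DRY_RUN:-0}

# run CMD ARGS...: execute the command, or just print it in dry-run mode.
run() {
    if [ "$ENI_DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# parse_attachment_id: describe output on stdin -> attachment id (or nothing).
parse_attachment_id() {
    awk '$1 == "ATTACHMENT" { for (i = 1; i <= NF; i++) if ($i ~ /^eni-attach-/) { print $i; exit } }'
}

# parse_status: describe output on stdin -> "available" or "in-use".
parse_status() {
    awk '$1 == "NETWORKINTERFACE" { for (i = 1; i <= NF; i++) if ($i == "available" || $i == "in-use") { print $i; exit } }'
}

# attachment_id_of ENI_ID: current attachment id; empty if not attached.
attachment_id_of() {
    ec2-describe-network-interfaces "$1" | parse_attachment_id
}

# wait_until_available ENI_ID [TRIES]: poll until the detach has completed,
# because an attach is rejected while the interface is still in use.
wait_until_available() {
    [ "$ENI_DRY_RUN" = 1 ] && return 0
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ "$(ec2-describe-network-interfaces "$1" | parse_status)" = "available" ] && return 0
        sleep 2
        tries=$((tries - 1))
    done
    echo "timed out waiting for $1 to detach" >&2
    return 1
}

# failover_eni ENI_ID ATTACHMENT_ID STANDBY_INSTANCE_ID DEVICE_INDEX
# Detaches the interface (forcing it if the plain detach fails) and attaches
# it to the standby instance, which must be in the same Availability Zone.
# Pass an empty ATTACHMENT_ID if the interface is already free.
failover_eni() {
    eni=$1; attachment=$2; standby=$3; index=$4
    if [ -n "$attachment" ]; then
        run ec2-detach-network-interface "$attachment" \
            || run ec2-detach-network-interface "$attachment" --force \
            || return 1
        wait_until_available "$eni" || return 1
    fi
    run ec2-attach-network-interface "$eni" -i "$standby" -d "$index"
}

# Usage with constructed placeholder IDs (device index 1 = eth1 on the standby):
# failover_eni eni-EXAMPLE01 "$(attachment_id_of eni-EXAMPLE01)" i-STANDBY01 1
```

Because the interface keeps its private IP addresses, Elastic IP address and MAC address across the move, nothing in the route tables or DNS changes; what the standby still needs is the operating-system side of the attach described under Best Practices, unless it runs an OS that configures hot-attached interfaces on its own.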