Amazon Elastic Compute Cloud
User Guide for Linux Instances

Elastic Network Interfaces (ENI)

An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. ENIs are available only for instances running in a VPC.

An ENI can include the following attributes:

  • A primary private IP address.

  • One or more secondary private IP addresses.

  • One Elastic IP address per private IP address.

  • One public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you create a new elastic network interface for eth0 rather than specifying an existing one.

  • One or more security groups.

  • A MAC address.

  • A source/destination check flag.

  • A description.

You can create an elastic network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of an elastic network interface follow it as it's attached or detached from an instance and reattached to another instance. When you move an elastic network interface from one instance to another, network traffic is redirected to the new instance.

Each instance in a VPC has a default elastic network interface (the primary network interface) that is assigned a private IP address from the IP address range of your VPC. You cannot detach a primary network interface from an instance. You can create and attach additional elastic network interfaces. The maximum number of elastic network interfaces that you can use varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type.

Attaching multiple elastic network interfaces to an instance is useful when you want to:

  • Create a management network.

  • Use network and security appliances in your VPC.

  • Create dual-homed instances with workloads/roles on distinct subnets.

  • Create a low-budget, high-availability solution.

Private IP Addresses Per ENI Per Instance Type

The following table lists the maximum number of elastic network interfaces (ENI) per instance type, and the maximum number of private IP addresses per ENI. ENIs and multiple private IP addresses are only available for instances running in a VPC. For more information, see Multiple Private IP Addresses.

Instance Type     Maximum Elastic Network Interfaces     IP Addresses per Interface
c1.medium         2                                      6
c1.xlarge         4                                      15
c3.large          3                                      10
c3.xlarge         4                                      15
c3.2xlarge        4                                      15
c3.4xlarge        8                                      30
c3.8xlarge        8                                      30
c4.large          3                                      10
c4.xlarge         4                                      15
c4.2xlarge        4                                      15
c4.4xlarge        8                                      30
c4.8xlarge        8                                      30
cc2.8xlarge       8                                      30
cg1.4xlarge       8                                      30
cr1.8xlarge       8                                      30
d2.xlarge         4                                      15
d2.2xlarge        4                                      15
d2.4xlarge        8                                      30
d2.8xlarge        8                                      30
g2.2xlarge        4                                      15
g2.8xlarge        8                                      30
hi1.4xlarge       8                                      30
hs1.8xlarge       8                                      30
i2.xlarge         4                                      15
i2.2xlarge        4                                      15
i2.4xlarge        8                                      30
i2.8xlarge        8                                      30
m1.small          2                                      4
m1.medium         2                                      6
m1.large          3                                      10
m1.xlarge         4                                      15
m2.xlarge         4                                      15
m2.2xlarge        4                                      30
m2.4xlarge        8                                      30
m3.medium         2                                      6
m3.large          3                                      10
m3.xlarge         4                                      15
m3.2xlarge        4                                      30
m4.large          2                                      10
m4.xlarge         4                                      15
m4.2xlarge        4                                      15
m4.4xlarge        8                                      30
m4.10xlarge       8                                      30
r3.large          3                                      10
r3.xlarge         4                                      15
r3.2xlarge        4                                      15
r3.4xlarge        8                                      30
r3.8xlarge        8                                      30
t1.micro          2                                      2
t2.nano           2                                      2
t2.micro          2                                      2
t2.small          2                                      4
t2.medium         3                                      6
t2.large          3                                      12
x1.32xlarge       8                                      30

Creating a Management Network

You can create a management network using elastic network interfaces. In this scenario, the secondary elastic network interface on the instance handles public-facing traffic, and the primary elastic network interface handles back-end management traffic and is connected to a separate subnet in your VPC that has more restrictive access controls. The public-facing interface, which may or may not be behind a load balancer, has an associated security group that allows access to the server from the Internet (for example, allow TCP ports 80 and 443 from 0.0.0.0/0, or from the load balancer). The private-facing interface has an associated security group that allows SSH access only from an allowed range of IP addresses, whether within the VPC or from the Internet, from a private subnet within the VPC, or from a virtual private gateway.

To ensure failover capabilities, consider using a secondary private IP for incoming traffic on an elastic network interface. In the event of an instance failure, you can move the interface and/or secondary private IP address to a standby instance.


Use Network and Security Appliances in Your VPC

Some network and security appliances, such as load balancers, network address translation (NAT) servers, and proxy servers, are typically configured with multiple elastic network interfaces. You can create and attach secondary elastic network interfaces to instances in a VPC that are running these types of applications, and configure the additional interfaces with their own public and private IP addresses, security groups, and source/destination checking.

Creating Dual-homed Instances with Workloads/Roles on Distinct Subnets

You can place an elastic network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a back-end network (subnet) where the database server resides. Instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end, initiates a connection to the back end, and then sends requests to the servers on the back-end network.

Create a Low Budget High Availability Solution

If one of your instances serving a particular function fails, its elastic network interface can be attached to a replacement or hot standby instance pre-configured for the same role in order to rapidly recover the service. For example, you can use an ENI as your primary or secondary network interface to a critical service such as a database instance or a NAT instance. If the instance fails, you (or more likely, the code running on your behalf) can attach the ENI to a hot standby instance. Because the interface maintains its private IP addresses, Elastic IP addresses, and MAC address, network traffic will begin flowing to the standby instance as soon as you attach the ENI to the replacement instance. Users will experience a brief loss of connectivity between the time the instance fails and the time that the ENI is attached to the standby instance, but no changes to the VPC route table or your DNS server are required.
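The failover this section describes, scripted with the AWS CLI. This is an added example, not code from the guide: it assumes a configured AWS CLI, that the standby instance is in the same Availability Zone as the interface, and that the chosen device index is free on the standby. The interface and instance IDs in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the AWS guide: move an ENI from a failed instance to a
# hot standby. Assumes the AWS CLI is configured and that the standby instance is in
# the same Availability Zone as the interface (a requirement for attachment).
set -eu

# eni_failover ENI_ID STANDBY_INSTANCE_ID [DEVICE_INDEX]
eni_failover() {
    eni=$1
    standby=$2
    index=${3:-1}        # eth1 on the standby unless told otherwise

    # Find the current attachment; "None" is printed when the interface is detached.
    attachment=$(aws ec2 describe-network-interfaces \
        --network-interface-ids "$eni" \
        --query 'NetworkInterfaces[0].Attachment.AttachmentId' \
        --output text)

    if [ -n "$attachment" ] && [ "$attachment" != None ]; then
        # A failed instance may not acknowledge a normal detach; --force is the CLI
        # counterpart of the console's "Force detachment" option.
        aws ec2 detach-network-interface --attachment-id "$attachment" --force
    fi

    # Attaching an interface that is still detaching fails, so wait until it is free.
    aws ec2 wait network-interface-available --network-interface-ids "$eni"

    # Private IPs, Elastic IPs and the MAC address travel with the interface, so
    # traffic resumes once this call completes (the OS may still need to bring
    # the new ethN up; see the ec2-net-utils section).
    aws ec2 attach-network-interface \
        --network-interface-id "$eni" \
        --instance-id "$standby" \
        --device-index "$index"
}

# Usage: sh eni-failover.sh eni-PLACEHOLDER i-STANDBY-PLACEHOLDER [device-index]
if [ "$#" -ge 2 ]; then
    eni_failover "$@"
fi
```

The describe call is what makes the script safe to re-run: if the interface is already detached (for example, because a first attempt was interrupted), the detach step is skipped and the script proceeds straight to the wait and attach.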

Monitoring IP Traffic on Your Network Interface

You can enable a VPC flow log on your elastic network interface to capture information about the IP traffic going to and from the interface. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

For more information, see VPC Flow Logs in the Amazon VPC User Guide.
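Once a flow log is enabled, the question for a management interface is who tried to reach SSH and what the security group did with it. The following added example (not from the guide) summarises tcp/22 flows per interface from records in the default version 2 flow log format; the records, the account ID and the interface IDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AWS guide: summarise SSH (tcp/22) flows per interface
# from VPC Flow Log records in the default (version 2) format:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# Constructed sample records; the account and interface IDs are made up.
SAMPLE_FLOW_LOG='2 111122223333 eni-0mgmt 10.0.2.15 10.0.2.100 51022 22 6 12 2400 1640000000 1640000060 ACCEPT OK
2 111122223333 eni-0mgmt 198.51.100.7 10.0.2.100 40001 22 6 1 60 1640000000 1640000060 REJECT OK
2 111122223333 eni-0mgmt 198.51.100.7 10.0.2.100 40002 22 6 1 60 1640000060 1640000120 REJECT OK
2 111122223333 eni-0web 203.0.113.9 10.0.1.100 50001 443 6 30 9000 1640000000 1640000060 ACCEPT OK
2 111122223333 eni-0web 203.0.113.9 10.0.1.100 50002 22 6 1 60 1640000000 1640000060 REJECT OK
2 111122223333 eni-0web - - - - - - - 1640000120 1640000180 - NODATA'

# ssh_flow_summary: reads records on stdin and prints "ACTION interface srcaddr count",
# one line per (action, interface, source). Records whose log-status is not OK
# (NODATA, SKIPDATA) carry "-" instead of addresses and are skipped.
ssh_flow_summary() {
    awk '
        NF == 14 && $1 == "2" && $14 == "OK" && $8 == 6 && $7 == 22 {
            count[$13 " " $3 " " $4]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# reject_sources_for INTERFACE: sources whose SSH attempts were rejected on that
# interface. On a management interface that admits only an allowed range this
# list should be empty; anything in it is the first thing to look at.
reject_sources_for() {
    ssh_flow_summary | awk -v eni="$1" '$1 == "REJECT" && $2 == eni { print $3 }' | sort -u
}

# Usage:
#   printf '%s\n' "$SAMPLE_FLOW_LOG" | ssh_flow_summary
#   printf '%s\n' "$SAMPLE_FLOW_LOG" | reject_sources_for eni-0mgmt
```

Records pulled from CloudWatch Logs can be piped in the same way; the field positions above are those of the default format, so a custom flow log format needs the column numbers adjusted.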

Best Practices for Configuring Elastic Network Interfaces

  • You can attach an elastic network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach).

  • You can detach secondary (ethN) elastic network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.

  • You can attach an elastic network interface in one subnet to an instance in another subnet in the same VPC; however, both the elastic network interface and the instance must reside in the same Availability Zone.

  • When launching an instance from the CLI or API, you can specify the elastic network interfaces to attach to the instance for both the primary (eth0) and additional elastic network interfaces.

  • Launching an Amazon Linux or Microsoft Windows Server instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.

  • A warm or hot attach of an additional elastic network interface may require you to manually bring up the second interface, configure the private IP address, and modify the route table accordingly. Instances running Amazon Linux or Microsoft Windows Server automatically recognize the warm or hot attach and configure themselves.

  • Attaching another elastic network interface to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance.

  • If you attach two or more network interfaces from the same subnet to an instance, you may encounter networking issues such as asymmetric routing. If possible, use a secondary private IP address on the primary network interface instead. For more information, see Assigning a Secondary Private IP Address.

Configuring Your Network Interface Using ec2-net-utils

Amazon Linux AMIs may contain additional scripts installed by AWS, known as ec2-net-utils. These scripts optionally automate the configuration of your elastic network interfaces (ENIs). These scripts are available for Amazon Linux only.

Use the following command to install the package on Amazon Linux if it's not already installed, or update it if it's installed and additional updates are available:

$ yum install ec2-net-utils

The following components are part of ec2-net-utils:

udev rules (/etc/udev/rules.d)

Identifies network interfaces when they are attached, detached, or reattached to a running instance, and ensures that the hotplug script runs (53-ec2-network-interfaces.rules). Maps the MAC address to a device name (75-persistent-net-generator.rules, which generates 70-persistent-net.rules).

hotplug script

Generates an interface configuration file suitable for use with DHCP (/etc/sysconfig/network-scripts/ifcfg-ethN). Also generates a route configuration file (/etc/sysconfig/network-scripts/route-ethN).

DHCP script

Whenever the elastic network interface receives a new DHCP lease, this script queries the instance metadata for Elastic IP addresses. For each Elastic IP address, it adds a rule to the routing policy database to ensure that outbound traffic from that address uses the correct network interface. It also adds each private IP address to the elastic network interface as a secondary address.

ec2ifup ethN

Extends the functionality of the standard ifup. After this script rewrites the configuration files ifcfg-ethN and route-ethN, it runs ifup.

ec2ifdown ethN

Extends the functionality of the standard ifdown. After this script removes any rules for the elastic network interface from the routing policy database, it runs ifdown.

ec2ifscan

Checks for network interfaces that have not been configured and configures them.

Note that this script isn't available in the initial release of ec2-net-utils.
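What the hotplug and DHCP scripts above automate, done by hand for a hot-attached secondary interface, as an added example that is not code from the guide or from ec2-net-utils: a per-interface routing table and a source-based rule for each address, which is also the standard cure for the asymmetric routing that the best-practices list warns about. The device name, subnet CIDR, gateway, table number and addresses are parameters supplied by the caller; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the AWS guide or of ec2-net-utils: configure a
# hot-attached secondary interface with source-based policy routing so that
# replies to traffic arriving on ethN leave through ethN again.
# Needs root to apply; DRY_RUN=1 only prints the commands.

# run CMD...: execute, or print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    # shellcheck disable=SC2086  # word splitting on '.' is intended
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# eni_policy_routing DEV SUBNET_CIDR GATEWAY TABLE ADDRESS [ADDRESS ...]
#   DEV          interface name, e.g. eth1
#   SUBNET_CIDR  the interface's subnet, e.g. 10.0.1.0/24
#   GATEWAY      the subnet's router (on AWS the first usable address, e.g. 10.0.1.1)
#   TABLE        a routing table number not used by any other interface
#   ADDRESS      the interface's primary private IP, then any secondary ones
eni_policy_routing() {
    dev=$1; subnet=$2; gw=$3; table=$4
    shift 4
    prefix=${subnet#*/}
    is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }

    run ip link set dev "$dev" up
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
        run ip addr add "$addr/$prefix" dev "$dev"
    done

    # Connected route and default route for this interface live in their own
    # table, so the main table keeps the primary interface's default route.
    run ip route add "$subnet" dev "$dev" table "$table"
    run ip route add default via "$gw" dev "$dev" table "$table"

    # One rule per address: packets sourced from it are routed by that table.
    # This is what keeps traffic for an Elastic IP on its own interface.
    for addr in "$@"; do
        run ip rule add from "$addr" table "$table"
    done
}

# Usage (dry run):
#   DRY_RUN=1 eni_policy_routing eth1 10.0.1.0/24 10.0.1.1 1001 10.0.1.20 10.0.1.21
```

The table number is arbitrary but must be unique per interface; using the same one for two interfaces would merge their default routes and reintroduce the asymmetry. On Amazon Linux with ec2-net-utils installed none of this is needed, since the DHCP script installs equivalent rules on every lease.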

To list any configuration files that were generated by ec2-net-utils, use the following command:

$ ls -l /etc/sysconfig/network-scripts/*-eth?

To disable the automation on a per-instance basis, you can add EC2SYNC=no to the corresponding ifcfg-ethN file. For example, use the following command to disable the automation for the eth1 interface:

$ sed -i -e 's/^EC2SYNC=yes/EC2SYNC=no/' /etc/sysconfig/network-scripts/ifcfg-eth1

If you want to disable the automation completely, you can remove the package using the following command:

$ yum remove ec2-net-utils

Creating an Elastic Network Interface

You can create an elastic network interface using the Amazon EC2 console or the command line.

To create an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Choose Create Network Interface.

  4. In the Create Network Interface dialog box, provide the following information for the elastic network interface and choose Yes, Create.

    1. For Description, enter a descriptive name.

    2. For Subnet, select the subnet. Note that you can't move the elastic network interface to another subnet after it's created, and you can only attach the interface to instances in the same Availability Zone.

    3. For Private IP, enter the primary private IP address. If you don't specify an IP address, we'll select an available private IP address from within the selected subnet.

    4. For Security groups, select one or more security groups.

To create an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Deleting an Elastic Network Interface

You must detach an elastic network interface from an instance before you can delete it. Deleting an elastic network interface releases all attributes associated with the interface and releases its private IP addresses and Elastic IP addresses for use by another instance.

You can delete an elastic network interface using the Amazon EC2 console or the command line.

To delete an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select an elastic network interface and choose Delete.

  4. In the Delete Network Interface dialog box, choose Yes, Delete.

To delete an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Viewing Details about an Elastic Network Interface

You can describe an elastic network interface using the Amazon EC2 console or the command line.

To describe an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface.

  4. View the details on the Details tab.

To describe an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

To describe an elastic network interface attribute using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Attaching an Elastic Network Interface When Launching an Instance

You can attach an additional elastic network interface to an instance when you launch it into a VPC. You can do this using the Amazon EC2 console or the command line.

Note

If an error occurs while attaching an elastic network interface during launch, the instance launch fails.

To attach an elastic network interface when launching an instance using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch Instance.

  3. Select an AMI and instance type and choose Next: Configure Instance Details.

  4. On the Configure Instance Details page, select a VPC for Network, and a subnet for Subnet.

    To assign a public IP address to your instance, choose Enable for Auto-assign Public IP (if you selected a default subnet, you can leave Use subnet setting selected). Note that you can't assign a public IP address to your instance if, in the next step, you specify an existing elastic network interface for the primary elastic network interface (eth0) or specify multiple elastic network interfaces.

  5. In the Network Interfaces section, the console enables you to specify up to two elastic network interfaces (new, existing, or a combination) when you launch an instance. You can also enter a primary IP address and one or more secondary IP addresses for any new interface. When you've finished, choose Next: Add Storage.

    Note that you can add additional network interfaces to the instance after you launch it. The total number of network interfaces that you can attach varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type.

  6. On the Add Storage page, you can specify volumes to attach to the instance besides the volumes specified by the AMI (such as the root device volume), and then choose Next: Tag Instance.

  7. On the Tag Instance page, specify tags for the instance, such as a user-friendly name, and then choose Next: Configure Security Group.

  8. On the Configure Security Group page, select an existing security group or create a new one. Choose Review and Launch.

  9. On the Review Instance Launch page, details about the primary and additional network interface are displayed. Review the settings, and then choose Launch to choose a key pair and launch your instance. If you're new to Amazon EC2 and haven't created any key pairs, the wizard prompts you to create one.

To attach an elastic network interface when launching an instance using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Attaching an Elastic Network Interface to a Stopped or Running Instance

You can attach an elastic network interface to any of your stopped or running instances in your VPC using either the Instances or Network Interfaces page of the Amazon EC2 console, or using a command line interface.

Note

If the public IP address on your instance is released, it will not receive a new one if there is more than one elastic network interface attached to the instance. For more information about the behavior of public IP addresses, see Public IP Addresses and External DNS Hostnames.

To attach an elastic network interface to an instance using the Instances page

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Choose Actions, Networking, Attach Network Interface.

  4. In the Attach Network Interface dialog box, select the elastic network interface and choose Attach.

To attach an elastic network interface to an instance using the Network Interfaces page

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Attach.

  4. In the Attach Network Interface dialog box, select the instance and choose Attach.

To attach an elastic network interface to an instance using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Detaching an Elastic Network Interface from an Instance

You can detach a secondary elastic network interface at any time, using either the Instances or Network Interfaces page of the Amazon EC2 console, or using a command line interface.

To detach an elastic network interface from an instance using the Instances page

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Choose Actions, Networking, Detach Network Interface.

  4. In the Detach Network Interface dialog box, select the elastic network interface and choose Detach.

To detach an elastic network interface from an instance using the Network Interfaces page

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Detach.

  4. In the Detach Network Interface dialog box, choose Yes, Detach. If the elastic network interface fails to detach from the instance, choose Force detachment, and then try again.

To detach an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Changing the Security Group of an Elastic Network Interface

You can change the security groups that are associated with an elastic network interface. When you create the security group, be sure to specify the same VPC as the subnet for the interface.

You can change the security group for your elastic network interfaces using the Amazon EC2 console or the command line.

Note

To change security group membership for interfaces owned by other services, such as Elastic Load Balancing, use the console or command line interface for that service.

To change the security group of an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Change Security Groups.

  4. In the Change Security Groups dialog box, select the security groups to use, and choose Save.

To change the security group of an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Changing the Source/Destination Checking of an Elastic Network Interface

The Source/Destination Check attribute controls whether source/destination checking is enabled on the instance. Disabling this attribute enables an instance to handle network traffic that isn't specifically destined for the instance. For example, instances running services such as network address translation, routing, or a firewall should set this value to disabled. The default value is enabled.
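A periodic check of this attribute is worth having, and the best practices earlier on this page suggest a second check alongside it: two interfaces of one instance in the same subnet (asymmetric routing), and source/destination checking disabled on an interface that is not a known NAT, routing or firewall appliance. The added example below (not code from the guide) audits tab-separated rows of the form produced by aws ec2 describe-network-interfaces --query 'NetworkInterfaces[].[NetworkInterfaceId,SubnetId,Attachment.InstanceId,SourceDestCheck]' --output text, against an allowlist of interfaces that are expected to have the check disabled. The sample rows and all IDs in them are constructed.

```shell
#!/bin/sh
# Added example, not part of the AWS guide: audit elastic network interfaces for
# two conditions the guide calls out:
#   1. an instance with two or more interfaces in the same subnet (asymmetric routing)
#   2. source/destination checking disabled on an interface that is not a known
#      NAT, routing or firewall appliance
# Input: one tab-separated row per interface, as produced by
#   aws ec2 describe-network-interfaces \
#     --query 'NetworkInterfaces[].[NetworkInterfaceId,SubnetId,Attachment.InstanceId,SourceDestCheck]' \
#     --output text
# ("None" in the instance column means the interface is not attached.)
# Constructed sample rows; all IDs are made up.
SAMPLE_ENIS=$(printf '%s\t%s\t%s\t%s\n' \
    eni-0web0  subnet-front i-0web True  \
    eni-0web1  subnet-front i-0web True  \
    eni-0mgmt  subnet-mgmt  i-0web True  \
    eni-0nat0  subnet-front i-0nat False \
    eni-0odd   subnet-back  i-0app False \
    eni-0spare subnet-back  None   True)

# same_subnet_findings: reads rows on stdin; prints "instance<TAB>subnet<TAB>eni,eni,..."
# for every instance that has more than one interface in a single subnet.
same_subnet_findings() {
    awk -F '\t' '
        $3 != "None" {
            key = $3 "\t" $2
            n[key]++
            enis[key] = (key in enis) ? enis[key] "," $1 : $1
        }
        END { for (k in n) if (n[k] > 1) print k "\t" enis[k] }
    ' | sort
}

# source_dest_check_findings "eni-a eni-b": reads rows on stdin; prints
# "eni<TAB>instance" for each interface with the check disabled that is not in
# the space-separated allowlist of known appliances.
source_dest_check_findings() {
    awk -F '\t' -v allow="${1:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 == "False" && !($1 in ok) { print $1 "\t" $3 }
    ' | sort
}

# eni_audit "allowlist": runs both checks over the rows on stdin, one labelled
# finding per line.
eni_audit() {
    rows=$(cat)
    printf '%s\n' "$rows" | same_subnet_findings | awk '{ print "same-subnet\t" $0 }'
    printf '%s\n' "$rows" | source_dest_check_findings "${1:-}" | awk '{ print "src-dst-check-off\t" $0 }'
}

# Usage:
#   printf '%s\n' "$SAMPLE_ENIS" | eni_audit "eni-0nat0"
#   aws ec2 describe-network-interfaces --query '...' --output text | eni_audit "eni-0nat0"
```

In the sample, i-0web's management interface in subnet-mgmt is not reported, because the check is per subnet; only its two interfaces in subnet-front are. The allowlist is deliberately explicit rather than inferred from descriptions or tags, so that a newly disabled check always surfaces until someone records the interface as an appliance.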

You can change source/destination checking using the Amazon EC2 console or the command line.

To change source/destination checking for an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Change Source/Dest Check.

  4. In the dialog box, choose Enabled (if enabling) or Disabled (if disabling), and Save.

To change source/destination checking for an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Associating an Elastic IP Address with an Elastic Network Interface

If you have an Elastic IP address, you can associate it with one of the private IP addresses for the elastic network interface. You can associate one Elastic IP address with each private IP address.

You can associate an Elastic IP address using the Amazon EC2 console or the command line.

To associate an Elastic IP address using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Associate Address.

  4. In the Associate Elastic IP Address dialog box, select the Elastic IP address from the Address list.

  5. For Associate to private IP address, select the private IP address to associate with the Elastic IP address.

  6. Choose Allow reassociation to allow the Elastic IP address to be associated with the specified network interface if it's currently associated with another instance or network interface, and then choose Associate Address.

To associate an Elastic IP address using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Disassociating an Elastic IP Address from an Elastic Network Interface

If the elastic network interface has an Elastic IP address associated with it, you can disassociate the address, and then either associate it with another elastic network interface or release it back to the address pool. Note that this is the only way to associate an Elastic IP address with an instance in a different subnet or VPC using an elastic network interface, as elastic network interfaces are specific to a particular subnet.

You can disassociate an Elastic IP address using the Amazon EC2 console or the command line.

To disassociate an Elastic IP address using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Disassociate Address.

  4. In the Disassociate IP Address dialog box, choose Yes, Disassociate.

To disassociate an Elastic IP address using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Changing Termination Behavior for an Elastic Network Interface

You can set the termination behavior for an elastic network interface attached to an instance so that it is automatically deleted when you terminate the instance to which it's attached.

Note

By default, elastic network interfaces that are automatically created and attached to instances using the console are set to terminate when the instance terminates. However, network interfaces created using the command line interface aren't set to terminate when the instance terminates.

You can change the termination behavior for an elastic network interface using the Amazon EC2 console or the command line.

To change the termination behavior for an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Change Termination Behavior.

  4. In the Change Termination Behavior dialog box, select the Delete on termination check box if you want the elastic network interface to be deleted when you terminate an instance.

To change the termination behavior for an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Adding or Editing a Description for an Elastic Network Interface

You can change the description for an elastic network interface using the Amazon EC2 console or the command line.

To change the description for an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface and choose Actions, Change Description.

  4. In the Change Description dialog box, enter a description for the elastic network interface, and then choose Save.

To change the description for an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.

Adding or Editing Tags for an Elastic Network Interface

Tags are metadata that you can add to an elastic network interface. Tags are private and are only visible to your account. Each tag consists of a key and an optional value. For more information about tags, see Tagging Your Amazon EC2 Resources.

You can tag a resource using the Amazon EC2 console or the command line.

To add or edit tags for an elastic network interface using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the elastic network interface.

  4. In the details pane, choose Tags, Add/Edit Tags.

  5. In the Add/Edit Tags dialog box, choose Create Tag for each tag to create, and enter a key and optional value. When you're done, choose Save.

To add or edit tags for an elastic network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Accessing Amazon EC2.