Elastic network interfaces - Amazon Elastic Compute Cloud

Elastic network interfaces

An elastic network interface is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes:

  • A primary private IPv4 address from the IPv4 address range of your VPC

  • A primary IPv6 address from the IPv6 address range of your VPC

  • One or more secondary private IPv4 addresses from the IPv4 address range of your VPC

  • One Elastic IP address (IPv4) per private IPv4 address

  • One public IPv4 address

  • One or more IPv6 addresses

  • One or more security groups

  • A MAC address

  • A source/destination check flag

  • A description

You can create and configure network interfaces and attach them to instances in the same Availability Zone. Your account might also have requester-managed network interfaces, which are created and managed by AWS services to enable you to use other resources and services. You cannot manage these network interfaces yourself. For more information, see Requester-managed network interfaces.

This AWS resource is referred to as a network interface in the AWS Management Console and the Amazon EC2 API. Therefore, we use "network interface" in this documentation instead of "elastic network interface". The term "network interface" in this documentation always means "elastic network interface".

Network interface basics

You can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow it as it's attached or detached from an instance and reattached to another instance. When you move a network interface from one instance to another, network traffic is redirected to the new instance.

Primary network interface

Each instance has a default network interface, called the primary network interface. You cannot detach a primary network interface from an instance. You can create and attach additional network interfaces. The maximum number of network interfaces that you can use varies by instance type. For more information, see IP addresses per network interface per instance type.

Public IPv4 addresses for network interfaces

In a VPC, all subnets have a modifiable attribute that determines whether network interfaces created in that subnet (and therefore instances launched into that subnet) are assigned a public IPv4 address. For more information, see Subnet settings in the Amazon VPC User Guide. The public IPv4 address is assigned from Amazon's pool of public IPv4 addresses. When you launch an instance, the IP address is assigned to the primary network interface that's created.

When you create a network interface, it inherits the public IPv4 addressing attribute from the subnet. If you later modify the public IPv4 addressing attribute of the subnet, the network interface keeps the setting that was in effect when it was created. If you launch an instance and specify an existing network interface as the primary network interface, the public IPv4 address attribute is determined by this network interface.

For more information, see Public IPv4 addresses.

Elastic IP addresses for network interfaces

If you have an Elastic IP address, you can associate it with one of the private IPv4 addresses for the network interface. You can associate one Elastic IP address with each private IPv4 address.

If you disassociate an Elastic IP address from a network interface, you can release it back to the address pool. Disassociating the address and associating it again is the only way to associate an Elastic IP address with an instance in a different subnet or VPC, as network interfaces are specific to subnets.

IPv6 addresses for network interfaces

If you associate IPv6 CIDR blocks with your VPC and subnet, you can assign one or more IPv6 addresses from the subnet range to a network interface. Each IPv6 address can be assigned to one network interface.

All subnets have a modifiable attribute that determines whether network interfaces created in that subnet (and therefore instances launched into that subnet) are automatically assigned an IPv6 address from the range of the subnet. For more information, see Subnet settings in the Amazon VPC User Guide. When you launch an instance, the IPv6 address is assigned to the primary network interface that's created.

For more information, see IPv6 addresses.

Prefix Delegation

A Prefix Delegation prefix is a reserved private IPv4 or IPv6 CIDR range that you allocate for automatic or manual assignment to network interfaces that are associated with an instance. By using Delegated Prefixes, you can launch services faster by assigning a range of IP addresses as a single prefix.

Termination behavior

You can set the termination behavior for a network interface that's attached to an instance. You can specify whether the network interface should be automatically deleted when you terminate the instance to which it's attached.

Source/destination checking

You can enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. Source/destination checks are enabled by default. You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
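The attributes described above (source/destination check, security groups, delete-on-termination, public IPv4 association and requester-managed interfaces) are the ones a defender reviews across an account. The following audit is an added example, not AWS code: it reads a hand-constructed response in the field layout of the EC2 DescribeNetworkInterfaces API (`NetworkInterfaceId`, `SourceDestCheck`, `Groups`, `Attachment`, `Association`, `RequesterManaged`, `Description`) and flags interfaces whose settings need a documented reason; all IDs and addresses are placeholders.

```python
"""Audit network interface attributes from a DescribeNetworkInterfaces
response. Added example, not AWS code; the sample response is constructed
and uses placeholder IDs. Field names follow the EC2 API response shape."""
import json

# Constructed sample of `aws ec2 describe-network-interfaces` output, trimmed
# to the fields the audit reads. IDs, names and addresses are made up.
SAMPLE_RESPONSE = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa111111111111a", "Description": "",
     "SourceDestCheck": True, "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-0111111111111111a", "GroupName": "web"}],
     "Attachment": {"InstanceId": "i-0111111111111111a", "DeviceIndex": 0,
                    "DeleteOnTermination": True},
     "Association": {"PublicIp": "198.51.100.10"}},
    {"NetworkInterfaceId": "eni-0bbb222222222222b", "Description": "nat router",
     "SourceDestCheck": False, "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-0222222222222222b", "GroupName": "nat"}],
     "Attachment": {"InstanceId": "i-0222222222222222b", "DeviceIndex": 0,
                    "DeleteOnTermination": True}},
    {"NetworkInterfaceId": "eni-0ccc333333333333c", "Description": "",
     "SourceDestCheck": False, "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-0333333333333333c", "GroupName": "default"}],
     "Attachment": {"InstanceId": "i-0333333333333333c", "DeviceIndex": 1,
                    "DeleteOnTermination": False}},
    {"NetworkInterfaceId": "eni-0ddd444444444444d",
     "Description": "ELB app/my-alb/abc123", "SourceDestCheck": True,
     "RequesterManaged": True,
     "Groups": [{"GroupId": "sg-0444444444444444d", "GroupName": "alb"}],
     "Attachment": {"DeviceIndex": 1}},
]})

# Description keywords that justify a disabled source/destination check: the
# page says NAT, routing and firewall instances must disable it.
FORWARDING_ROLES = ("nat", "router", "routing", "firewall")


def audit_interface(eni):
    """Return a list of (severity, finding) tuples for one interface."""
    findings = []
    desc = eni.get("Description", "").lower()
    attachment = eni.get("Attachment", {})
    if eni.get("RequesterManaged"):
        # Created by another service; the description names the owner and the
        # interface cannot be detached or modified directly (see the page).
        findings.append(("info", f"requester-managed, owned by: {desc or 'unknown'}"))
        return findings
    if not eni.get("SourceDestCheck", True):
        if any(role in desc for role in FORWARDING_ROLES):
            findings.append(("info", "source/dest check disabled; forwarding role documented"))
        else:
            findings.append(("high", "source/dest check disabled without a documented "
                                     "NAT/routing/firewall role"))
    public_ip = eni.get("Association", {}).get("PublicIp")
    if public_ip:
        findings.append(("medium", f"public IPv4 {public_ip} associated"))
    if attachment.get("DeviceIndex", 0) > 0 and not attachment.get("DeleteOnTermination", False):
        findings.append(("low", "secondary interface is kept after instance termination"))
    return findings


def audit_response(raw_json):
    """Map NetworkInterfaceId -> findings for every interface in the response."""
    data = json.loads(raw_json)
    return {eni["NetworkInterfaceId"]: audit_interface(eni)
            for eni in data["NetworkInterfaces"]}


if __name__ == "__main__":
    for eni_id, findings in audit_response(SAMPLE_RESPONSE).items():
        for severity, text in findings or [("ok", "no findings")]:
            print(f"{eni_id} [{severity}] {text}")
```

The same function runs unchanged over the real output of `aws ec2 describe-network-interfaces --output json`, since the sample mirrors that response shape.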

Monitoring IP traffic

You can enable a VPC flow log on your network interface to capture information about the IP traffic going to and from a network interface. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. For more information, see VPC Flow Logs in the Amazon VPC User Guide.

IP addresses per network interface per instance type

Each instance type supports a maximum number of network interfaces, maximum number of private IPv4 addresses per network interface, and maximum number of IPv6 addresses per network interface. The limit for IPv6 addresses is separate from the limit for private IPv4 addresses per network interface. Not all instance types support IPv6 addressing.

To retrieve network interface information using the AWS CLI

You can use the describe-instance-types AWS CLI command to display information about an instance type, such as its supported network interfaces and IP addresses per interface. The following example displays this information for all C5 instances.

aws ec2 describe-instance-types --filters "Name=instance-type,Values=c5.*" --query "InstanceTypes[].{Type: InstanceType, MaxENI: NetworkInfo.MaximumNetworkInterfaces, IPv4addr: NetworkInfo.Ipv4AddressesPerInterface}" --output table

---------------------------------------
|        DescribeInstanceTypes        |
+----------+----------+---------------+
| IPv4addr |  MaxENI  |     Type      |
+----------+----------+---------------+
|  30      |  8       |  c5.4xlarge   |
|  50      |  15      |  c5.24xlarge  |
|  15      |  4       |  c5.xlarge    |
|  30      |  8       |  c5.12xlarge  |
|  10      |  3       |  c5.large     |
|  15      |  4       |  c5.2xlarge   |
|  50      |  15      |  c5.metal     |
|  30      |  8       |  c5.9xlarge   |
|  50      |  15      |  c5.18xlarge  |
+----------+----------+---------------+

Work with network interfaces

You can work with network interfaces using the Amazon EC2 console or the command line.

Create a network interface

You can create a network interface in a subnet. You can't move the network interface to another subnet after it's created. You must attach a network interface to an instance in the same Availability Zone.

To create a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Choose Create network interface.

  4. (Optional) For Description, enter a descriptive name.

  5. For Subnet, select a subnet. The options available in the subsequent steps change depending on the type of subnet you select (IPv4-only, IPv6-only, or dual-stack (IPv4 and IPv6)).

  6. For Private IPv4 address, do one of the following:

    • Choose Auto-assign to allow Amazon EC2 to select an IPv4 address from the subnet.

    • Choose Custom and enter an IPv4 address that you select from the subnet.

  7. (Subnets with IPv6 addresses only) For IPv6 address, do one of the following:

    • Choose None if you do not want to assign an IPv6 address to the network interface.

    • Choose Auto-assign to allow Amazon EC2 to select an IPv6 address from the subnet.

    • Choose Custom and enter an IPv6 address that you select from the subnet.

  8. (Optional) If you're creating a network interface in a dual-stack or IPv6-only subnet, you have the option to Assign Primary IPv6 IP. This assigns a primary IPv6 global unicast address (GUA) to the network interface. Assigning a primary IPv6 address enables you to avoid disrupting traffic to instances or ENIs. Choose Enable if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS automatically selects an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address: the first IPv6 GUA associated with the ENI becomes the primary IPv6 address and remains so until the instance is terminated or the network interface is detached, even if multiple IPv6 addresses are associated with the ENI. Once you enable an IPv6 GUA address to be the primary IPv6 address, you cannot disable it.

  9. (Optional) To create an Elastic Fabric Adapter, choose Elastic Fabric Adapter, Enable.

  10. (Optional) Under Advanced settings, for Idle connection tracking timeout, modify the default idle connection timeouts. For more information about these options, see Idle connection tracking timeout.

    • TCP established timeout: Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.

    • UDP timeout: Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.

    • UDP stream timeout: Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.

  11. For Security groups, select one or more security groups.

  12. (Optional) For each tag, choose Add new tag and enter a tag key and an optional tag value.

  13. Choose Create network interface.

To create a network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

View details about a network interface

You can view all the network interfaces in your account.

To describe a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. To view the details page for a network interface, select the ID of the network interface. Alternatively, to view information without leaving the network interfaces page, select the checkbox for the network interface.

To describe a network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

To describe a network interface attribute using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

Attach a network interface to an instance

You can attach a network interface to any instance in the same Availability Zone as the network interface, using either the Instances or Network Interfaces page of the Amazon EC2 console. Alternatively, you can specify existing network interfaces when you launch instances.

Important

For EC2 instances in an IPv6-only subnet, if you attach a secondary network interface to the instance, the private DNS hostname of the second network interface will resolve to the first IPv6 address on the instance's first network interface. For more information about EC2 instance private DNS hostnames, see Amazon EC2 instance hostname types.

If the public IPv4 address on your instance is released, it does not receive a new one if there is more than one network interface attached to the instance. For more information about the behavior of public IPv4 addresses, see Public IPv4 addresses.

Instances page
To attach a network interface to an instance using the Instances page
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select the checkbox for the instance.

  4. Choose Actions, Networking, Attach network interface.

  5. Choose a VPC. If you are attaching a secondary network interface to the instance, the network interface can reside in the same VPC as your instance or in a different VPC that you own (as long as the network interface is in a subnet that is in the same Availability Zone as your instance). This enables you to create multi-homed instances across VPCs with different networking and security configurations.

  6. Select a network interface. If the instance supports multiple network cards, you can choose a network card.

  7. Choose Attach.

Network Interfaces page
To attach a network interface to an instance using the Network Interfaces page
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Attach.

  5. Choose an instance. If the instance supports multiple network cards, you can choose a network card.

  6. Choose Attach.

To attach a network interface to an instance using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

Note

You can attach a network interface that's in another VPC (but in the same Availability Zone) to an instance using the attach-network-interface AWS CLI command. You cannot do this using the AWS Management Console.

Detach a network interface from an instance

You can detach a secondary network interface that is attached to an EC2 instance at any time, using either the Instances or Network Interfaces page of the Amazon EC2 console.

If you try to detach a network interface that is attached to a resource from another service, such as an Elastic Load Balancing load balancer, a Lambda function, a WorkSpace, or a NAT gateway, you get an error that you do not have permission to access the resource. To find which service created the resource attached to a network interface, check the description of the network interface. If you delete the resource, then its network interface is deleted.

Instances page
To detach a network interface from an instance using the Instances page
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select the checkbox for the instance. Check the Network interfaces section of the Networking tab to verify that the network interface is attached to an instance as a secondary network interface.

  4. Choose Actions, Networking, Detach network interface.

  5. Select the network interface and choose Detach.

Network Interfaces page
To detach a network interface from an instance using the Network Interfaces page
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface. Check the Instance details section of the Details tab to verify that the network interface is attached to an instance as a secondary network interface.

  4. Choose Actions, Detach.

  5. When prompted for confirmation, choose Detach.

  6. If the network interface fails to detach from the instance, choose Force detachment, Enable and then try again. We recommend that you use force detachment only as a last resort. Forcing a detachment can prevent you from attaching a different network interface on the same index until you restart the instance. It can also prevent the instance metadata from reflecting that the network interface was detached until you restart the instance.

To detach a network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

Manage IP addresses

You can manage the following IP addresses for your network interfaces:

  • Elastic IP addresses (one per private IPv4 address)

  • IPv4 addresses

  • IPv6 addresses

  • Primary IPv6 address

To manage the Elastic IP addresses of a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. To associate an Elastic IP address, do the following:

    1. Choose Actions, Associate address.

    2. For Elastic IP address, select the Elastic IP address.

    3. For Private IPv4 address, select the private IPv4 address to associate with the Elastic IP address.

    4. (Optional) Choose Allow the Elastic IP address to be reassociated if the network interface is currently associated with another instance or network interface.

    5. Choose Associate.

  5. To disassociate an Elastic IP address, do the following:

    1. Choose Actions, Disassociate address.

    2. For Public IP address, select the Elastic IP address.

    3. Choose Disassociate.

To manage the IPv4 and IPv6 addresses of a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the network interface.

  4. Choose Actions, Manage IP addresses.

  5. Expand the network interface.

  6. For IPv4 addresses, modify the IP addresses as needed. To assign an IPv4 address, choose Assign new IP address and then specify an IPv4 address from the subnet range or let AWS choose one for you. To unassign an IPv4 address, choose Unassign next to the address.

  7. For IPv6 addresses, modify the IP addresses as needed. To assign an IPv6 address, choose Assign new IP address and then specify an IPv6 address from the subnet range or let AWS choose one for you. To unassign an IPv6 address, choose Unassign next to the address.

  8. (Optional) If you're modifying a network interface in a dual-stack or IPv6-only subnet, you have the option to Assign Primary IPv6 IP. Assigning a primary IPv6 address enables you to avoid disrupting traffic to instances or ENIs. Choose Enable if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS automatically selects an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address: the first IPv6 GUA associated with the ENI becomes the primary IPv6 address and remains so until the instance is terminated or the network interface is detached, even if multiple IPv6 addresses are associated with the ENI. Once you enable an IPv6 GUA address to be the primary IPv6 address, you cannot disable it.

  9. Choose Save.

To manage the IP addresses of a network interface using the AWS CLI

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

To manage the IP addresses of a network interface using the Tools for Windows PowerShell

You can use one of the following commands.

Modify network interface attributes

You can change the following network interface attributes: the description, the security groups, the termination behavior, source/destination checking, and the idle connection tracking timeouts.

To change the description of a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Change description.

  5. For Description, enter a description for the network interface.

  6. Choose Save.

To change the security groups of a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Change security groups.

  5. For Associated security groups, select the security groups to use, and then choose Save.

    The security group and network interface must be created for the same VPC. To change the security group for interfaces owned by other services, such as Elastic Load Balancing, do so through that service.

To change the termination behavior of a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Change termination behavior.

  5. Select or clear Delete on termination, Enable as needed, and then choose Save.

To change source/destination checking for a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Change source/dest check.

  5. Select or clear Source/destination check, Enable as needed, and then choose Save.

To change idle connection tracking timeouts using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. Choose Actions, Modify connection timeout.

  5. Modify the idle connection tracking timeouts. For more information about these options, see Idle connection tracking timeout.

    • TCP established timeout: Timeout (in seconds) for idle TCP connections in an established state. Min: 60 seconds. Max: 432000 seconds (5 days). Default: 432000 seconds. Recommended: Less than 432000 seconds.

    • UDP timeout: Timeout (in seconds) for idle UDP flows that have seen traffic only in a single direction or a single request-response transaction. Min: 30 seconds. Max: 60 seconds. Default: 30 seconds.

    • UDP stream timeout: Timeout (in seconds) for idle UDP flows classified as streams which have seen more than one request-response transaction. Min: 60 seconds. Max: 180 seconds (3 minutes). Default: 180 seconds.

  6. Choose Save.

To modify network interface attributes using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

Add or edit tags

Tags are metadata that you can add to a network interface. Tags are private and are only visible to your account. Each tag consists of a key and an optional value. For more information about tags, see Tag your Amazon EC2 resources.

To add or edit tags for a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface.

  4. On the Tags tab, choose Manage tags.

  5. For each tag to create, choose Add new tag and enter a key and optional value. When you're done, choose Save.

To add or edit tags for a network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.

Delete a network interface

Deleting a network interface releases all attributes associated with the interface and releases any private IP addresses or Elastic IP addresses to be used by another instance.

You cannot delete a network interface that is in use. First, you must detach the network interface.

To delete a network interface using the console
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Network Interfaces.

  3. Select the checkbox for the network interface, and then choose Actions, Delete.

  4. When prompted for confirmation, choose Delete.

To delete a network interface using the command line

You can use one of the following commands. For more information about these command line interfaces, see Access Amazon EC2.