Local network interfaces - AWS Outposts

Local network interfaces

With AWS Outposts servers, a local network interface (LNI) is a logical networking component that connects the Amazon EC2 instances in your Outposts subnet to your on-premises network.

A local network interface runs directly on your local area network. With this type of local connectivity, you don't need routers or gateways to communicate with your on-premises equipment. Local network interfaces are named similarly to network interfaces or elastic network interfaces. We distinguish between the two interfaces by always using local when we refer to local network interfaces.

After you enable local network interfaces on an Outpost subnet, you can configure the EC2 instances in the Outpost subnet to include a local network interface in addition to the elastic network interface. The local network interface connects to the on-premises network while the network interface connects to the VPC. The following diagram shows an EC2 instance on an Outposts server with both an elastic network interface and a local network interface.

Diagram: Local network interface

You must configure the operating system to enable the local network interface to communicate on your local area network, just as you would for any other on-premises equipment. You can't use DHCP option sets in a VPC to configure a local network interface because a local network interface runs on your local area network.

The elastic network interface works exactly as it does for instances in an Availability Zone subnet. For example, you can use the VPC network connection to access the public Regional endpoints for AWS services, or you can use interface VPC endpoints to access AWS services using AWS PrivateLink. For more information, see AWS Outposts connectivity to AWS Regions.

Local network interface basics

Local network interfaces provide access to a physical layer-two network. A VPC is a virtualized layer-three network. Local network interfaces do not support VPC networking components. These components include security groups, network access control lists, virtualized routers or route tables, and flow logs. The local network interface does not provide the Outpost server with visibility into VPC layer-three flows. The host operating system of the instance does have full visibility into frames from the physical network. You can apply standard firewall logic to information within these frames. However, this communication happens inside the instance but outside the purview of the virtualized constructs.

Considerations
  • Local network interfaces support ARP and DHCP protocols. They do not support general L2 broadcast messages.

  • Quotas for local network interfaces come out of your quota for network interfaces. For more information, see Network interfaces in the Amazon VPC User Guide.

  • Each EC2 instance can have one local network interface.

  • A local network interface can't use the primary network interface (eth0) of the instance.

  • Outposts servers can host multiple EC2 instances, each with a local network interface.

    Note

    EC2 instances within the same server can communicate directly without sending data outside the Outposts server. This communication includes traffic over a local network interface or elastic network interfaces.

  • Local network interfaces are available only for instances running in an Outposts subnet on an Outpost server.

  • Local network interfaces do not support promiscuous mode or MAC address spoofing.

Performance

The LNI of each instance size provides a portion of the physical 10 GbE LNI available bandwidth. The following table lists the LNI network performance for each instance type:

Instance type    Baseline bandwidth (Gbps)    Burst bandwidth (Gbps)
c6id.large       0.15625                      2.5
c6id.xlarge      0.3125                       2.5
c6id.2xlarge     0.625                        2.5
c6id.4xlarge     1.25                         2.5
c6id.8xlarge     2.5                          2.5
c6id.12xlarge    3.75                         3.75
c6id.16xlarge    5                            5
c6id.24xlarge    7.5                          7.5
c6id.32xlarge    10                           10
c6gd.medium      0.15625                      4
c6gd.large       0.3125                       4
c6gd.xlarge      0.625                        4
c6gd.2xlarge     1.25                         4
c6gd.4xlarge     2.5                          4
c6gd.8xlarge     4.8                          4.8
c6gd.12xlarge    7.5                          7.5
c6gd.16xlarge    10                           10

Security groups

By design, the local network interface does not use security groups in your VPC. A security group controls inbound and outbound VPC traffic. The local network interface is not attached to the VPC. The local network interface is attached to your local network. To control inbound and outbound traffic on the local network interface, use a firewall or similar strategy, just as you would with the rest of your on-premises equipment.

Monitoring

CloudWatch metrics are produced for each local network interface, just as they are for elastic network interfaces. For more information for Linux instances, see Monitor network performance for your EC2 instance in the Amazon EC2 User Guide for Linux Instances. For Windows instances, see Monitor network performance for your EC2 instance in the Amazon EC2 User Guide for Windows Instances.

MAC addresses

AWS provides MAC addresses for local network interfaces. Local network interfaces use locally administered addresses (LAA) for their MAC addresses. A local network interface uses the same MAC address until you delete the interface. After you delete a local network interface, remove the MAC address from your local configurations. AWS can reuse MAC addresses that are no longer in use.

Enable subnets on Outposts servers for local network interfaces

Use the modify-subnet-attribute command from the AWS CLI to enable an Outpost subnet for local network interfaces. You must specify the device index at which the local network interface is attached. All instances launched in an enabled Outpost subnet use this device position for their local network interface. For example, a value of 1 means that the secondary network interface (eth1) of an instance in the Outpost subnet is the local network interface.

To enable an Outpost subnet for local network interfaces

At a command prompt, use the following command to specify the device position for the local network interface.

    aws ec2 modify-subnet-attribute \
        --subnet-id subnet-1a2b3c4d \
        --enable-lni-at-device-index 1

Work with local network interfaces

Use this section to understand how to work with local network interfaces.

Add a local network interface

You can add a local network interface (LNI) to an Amazon EC2 instance on an Outposts subnet during or after launch. You do so by adding a secondary network interface to the instance, using the device index that you specified when you enabled the Outpost subnet for local network interfaces.

Consideration

When you specify the secondary network interface using the console, the network interface is created using device index 1. If this is not the device index that you specified when you enabled the Outpost subnet for local network interfaces, you can specify the correct device index by using the AWS CLI or an AWS SDK instead. For example, use the following commands from the AWS CLI: create-network-interface and attach-network-interface.

To add an LNI during instance launch
  1. In the launch instance wizard, choose Edit next to Network settings.

  2. Expand Advanced network configuration.

  3. Choose Add network interface. This creates a network interface using device index 1. If you specified 1 as the LNI device index for the Outpost subnet, then this network interface will be the local network interface for the instance.

  4. Choose the Outpost subnet, and update the configuration for the network interface as needed.

  5. Complete the wizard to launch the instance.

To add an LNI after instance launch
  1. In the navigation pane, choose Network and Security, Network Interfaces.

  2. Create the network interface

    1. Choose Create network interface.

    2. Select the same Outpost subnet as the instance.

    3. Verify that Private IPv4 address is set to Auto-assign.

    4. Select any security group. Security groups do not apply to LNIs, so the security group that you select is not relevant.

    5. Choose Create network interface.

  3. Attach the network interface to the instance

    1. Select the check box for the newly created network interface.

    2. Choose Actions, Attach.

    3. Choose the instance.

    4. Choose Attach. The network interface is attached at device index 1. If you specified 1 as the LNI device index for the Outpost subnet, then this network interface is the local network interface for the instance.

View the local network interface

While the instance is in the running state, you can use the Amazon EC2 console to view both the elastic network interface and the local network interface for the instances in your Outpost subnet. Select the instance and choose the Networking tab.

The console displays a private IPv4 address for the LNI from the subnet CIDR. This address is not the IP address of the LNI, and it is not usable. However, this address is allocated from the subnet CIDR, so you must account for it in your subnet sizing. You must set the IP address for the LNI within the guest operating system, either statically or through your DHCP server.
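Added example (not from the AWS documentation): a Python audit over the JSON shapes that `aws ec2 describe-subnets` and `aws ec2 describe-instances` return, tying each subnet's LNI device index to the interface on each instance, listing the security groups the console shows on that interface but the VPC does not enforce, and recording the placeholder IP that counts against subnet sizing. The field names are the EC2 API's; the subnet, instance, ENI and group IDs and the addresses are constructed sample data.

```python
# Constructed describe-subnets output: one Outpost subnet, LNI at eth1.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-1a2b3c4d", "CidrBlock": "10.0.1.0/27",
     "EnableLniAtDeviceIndex": 1},
]}

# Constructed describe-instances output: first instance has an LNI, second only eth0.
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1b2c3d", "SubnetId": "subnet-1a2b3c4d",
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-0111", "PrivateIpAddress": "10.0.1.10",
          "Attachment": {"DeviceIndex": 0}, "Groups": [{"GroupId": "sg-app"}]},
         {"NetworkInterfaceId": "eni-0222", "PrivateIpAddress": "10.0.1.11",
          "Attachment": {"DeviceIndex": 1}, "Groups": [{"GroupId": "sg-app"}]},
     ]},
    {"InstanceId": "i-0e5f6a7b", "SubnetId": "subnet-1a2b3c4d",
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-0333", "PrivateIpAddress": "10.0.1.12",
          "Attachment": {"DeviceIndex": 0}, "Groups": [{"GroupId": "sg-app"}]},
     ]},
]}]}

def lni_index_by_subnet(subnets):
    """SubnetId -> LNI device index, for subnets with LNIs enabled."""
    return {s["SubnetId"]: s["EnableLniAtDeviceIndex"]
            for s in subnets["Subnets"] if "EnableLniAtDeviceIndex" in s}

def audit_lnis(subnets, instances):
    """One finding per instance that has an LNI: the LNI's ENI, the
    security groups attached to it (visible, but not enforced off the VPC)
    and the console placeholder IP that still consumes a subnet address."""
    lni_index = lni_index_by_subnet(subnets)
    findings = []
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            idx = lni_index.get(inst["SubnetId"])
            if idx is None:
                continue  # LNIs not enabled: every interface is a VPC ENI
            if idx == 0:
                raise ValueError("LNI cannot be the primary interface (eth0)")
            for eni in inst["NetworkInterfaces"]:
                if eni["Attachment"]["DeviceIndex"] == idx:
                    findings.append({
                        "InstanceId": inst["InstanceId"],
                        "LniEni": eni["NetworkInterfaceId"],
                        "UnenforcedGroups": [g["GroupId"] for g in eni["Groups"]],
                        "PlaceholderIp": eni["PrivateIpAddress"],
                    })
    return findings
```

Feed it the real command output (for example via `json.load`) to list which attached ENIs need host-level firewalling instead of security groups, and how many subnet addresses the LNI placeholders hold.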

Configure the operating system

After you enable local network interfaces, Amazon EC2 instances will have two network interfaces, one of which is a local network interface. Ensure that you configure the operating system of the Amazon EC2 instances that you launch to support a multi-homed networking configuration.