Handling Elastic Network Interface(s) (ENIs) in AWS

Shows how we can map single EC2 instances to multiple Network Interfaces via Multiple Elastic IPs

This is an introductory blog on how AWS ENI behaves with EC2 instances. If you are just started studying AWS, you may not use this feature straightaway but can be used in multiple technical use cases. It is always good to understand real concepts behind them.

ENIs can be useful in following key reasons [1].

1. Creating a Management Network
2. Use Network and Security Appliances in your VPC
3. Create dual-homed instances with workloads / roles on distinct subnets
4. Create a low-budget, high available solutions.

Elastic Network Interface (ENI)

ENI is a logical networking component in a VPC that represents a Virtual Network Card. It can have the following attributes.

1. A primary private IPv4 address
2. One or more secondary private IPv4 addresses
3. One Elastic IP Address (IPv4) per private IPV4 address
4. One public IPv4 address
5. One or more IPv6 addresses
6. One or more security groups
7. A MAC address
8. A source/destination check flag

Figure 1 — The default ENI of an EC2 instance

ENI — Key Features

1. Each instance in your VPC has a default network interface (the primary network interface — eth0) that assigns a private IPv4 address from the IPv4 address range of your VPC (See Figure 1).
2. You cannot detach the default (primary) network interface from an instance.
3. You can create an attach an additional/ secondary ENIs to an instance in your VPC. However, these ENIs should be created within the same availability zone of the EC2 instance that you are trying to attach your secondary ENI (See Figure 2). The number of network instances you can attach varies by instance type.
4. A Security Group is attached to an ENI not an EC2 instance. With this approach you can have multiple routes to the same EC2 instance with different security configurations.
5. You can create a network interface, attach it to an instance, detach it from an instance and attach it to another instance within the same Availability Zone. A network interface’s attributes follow it as it is attached or detached from an instance and reattached to another instance. When you move a network interface from one instance to another, network traffic is redirected to the new instance.

Figure 2 — Attaching additional ENIs to an EC2 instance

The Scope

In this blog, we are primarily focusing on how we can create multiple ENIs for a single EC2 instance and attach multiple Elastic IPs for each ENI private IP. Using this approach you can create multiple routes to the same instance application installations.

We will discuss how we attach and detach ENIs to and from EC2 instances in a later blog.

Task 1: Creating an EC2 instance and install Apache

Create an EC2 instance (Amazon Linux, t2.micro) and install Apache on it.

While creating the instance, create a Security Group (my-sg-1) and open port 80(HTTP) for future testing.

When you create an EC2 instance it does attach a default network interface (primary ENI — eth0) to it (See Figure 3).

Figure 3 — The EC2 instance created with the default ENI

Task 2: Allocate an Elastic IP

Now lets allocate a new Elastic IP to the primary ENI. (If your subnet is public and it is configured to have auto generated public IP(s) then this is not needed. But here we are going to showcase, how Elastic IP(s) can be allocated to ENIs)

Go to Elastic IP(s) → Click “Allocate Elastic IP Address” → Select Amazon Pool of IPv4 addresses →Click Allocate (See Figure 4)

Figure 4 —Allocate a new Elastic IP

Task 3: Associate the created Elastic IP to the primary/default ENI

Go to Elastic IP Addresses → Click Actions button and select Associate Elastic IP → Select Resource Type as Network Interface → Select the Primary Network Interface that you have created from the select Network Interface search box → Click Associate.

Figure 5 — Associate Elastic IP to the primary/ default ENI

Task 4: Lets run the EC2 instance Apache installation using the Elastic IP via the primary / default ENI

Lets try to run the instance now with the assigned Elastic IP. You should see something similar to this. Here the index.html has a dummy text “Testing ENI” (See Figure 6).

Figure 6 — Running an application via primary/ default ENI

Now, lets try to create another ENI and attach an Elastic IP with a new Security Group attached to it. This allows us to navigate the same instance via a different network address (new Elastic IP).

Task 5: Create the additional ENI (second ENI)

As a prerequisite, create another Security Group (my-sg-2) without allowing any ports to it.

Now, create the additional ENI.

Go to Network Interfaces → Click Create Network Interface → Select the same subnet that you created the EC2 instance → Select Auto Assign for the IPv4 Private IP → Select the Security Group (my-sg-2) → Create ENI (See Figure 7).

Figure 7 — Creating an additionalENI

Task 6: Create another Elastic IP

Figure 8 — Creating an Elastic IP for the additional ENI

Task 7: Associate the Elastic IP (created under step 6) to the additional ENI

Figure 9 — Associate Elastic IP to the additional ENI

Task 8: Attach the additional ENI to the EC2 instance.

However, in order to attach this additional ENI to the EC2 instance, you are required to do the following configuration.

Go to EC2 instances → Select the EC2 instance → Select Actions → Select Networking → Select Attach Network Interface and select second ENI you have created (See Figure 10).

Figure 10

The Conclusion

Finally, as a result of the above exercise, the EC2 instance is now attached with two ENIs.

1. Default / Primary ENI (eth0)
2. Additional ENI (eth1)

Now you would see something similar to the following.

Figure 10 — The EC2 instance with both eth0 and eth1

References

1. Elastic Network Interfaces: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html