Tuesday, April 29, 2025

AWS Elastic Network Interface (ENI) | Overview & Hands-On.

An Overview & Hands-On for AWS Elastic Network Interface (ENI).

Focus:

  • Tailored for SRE, DevOps, Cloud, and DevSecOps Engineers

Breakdown:

  • Intro,
  • Key Features and Attributes,
  • Use Cases,
  • Insights,
  • Hands-On.
Intro:

  • An AWS Elastic Network Interface (ENI) is a virtual networking component within an Amazon Virtual Private Cloud (VPC) that functions as a virtual network card for an Amazon EC2 instance. 
  • An AWS Elastic Network Interface (ENI) is a fundamental building block for networking in AWS, enabling connectivity, security, and flexibility for cloud infrastructure.
  • An Elastic Network Interface (ENI) in AWS is basically a virtual network card.
  • It represents a network connection for an EC2 instance, with its own:
    • Private IP address (primary and secondary)
    • Public IP address (if applicable)
    • MAC address (Media Access Control)
    • Security Groups
    • Subnet
    • Description and tags
Key Features and Attributes
Virtual Representation
  • An ENI is a logical component representing a network card, distinct from the physical hardware.
Decoupled Configuration
  • It decouples network settings (such as IP addresses and security groups) from the compute instance itself. 
  • This allows an ENI to be moved between instances, redirecting network traffic to the new instance.
Attributes
  • An ENI can include several attributes:
    • One or more primary and secondary private IPv4 addresses.
    • One or more Elastic IP (EIP) addresses (public IPs).
    • One or more IPv6 addresses.
    • One or more security groups, which act as a virtual firewall to control traffic.
    • A MAC address.
    • Source/destination checking flag.
    • twtech can attach or detach an ENI to/from EC2 instances on the fly (in the same Availability Zone).
    • ENIs are super useful for high availabilityfailover, or moving network interfaces between instances.
    • primary ENI is created by default when twtech launches an EC2.
    • twtech can create additional ENIs manually and attach multiple ENIs to a single EC2 (depending on instance type limits).
    • Trunk interfaces can be used with ENIs for high-scale networking setups (like with containers).
Use Cases

High Availability/Failover
  • The ability to quickly detach an ENI from one instance and attach it to another in a different Availability Zone facilitates rapid failover for high-availability setups.
Multi-homed Instances
  • twtech can attach multiple ENIs to a single EC2 instance to be connected to different subnets (e.g., one to a public subnet and one to a private subnet).
Management Interfaces:
  •  A secondary ENI can be used as a separate management network interface for isolation.
Secure Appliance Migration
  • It is useful for managing network traffic for services like virtual firewalls or load balancers, where the network configuration needs to remain static while the underlying compute instance changes.
Specific Service Requirements:
  •  AWS services such as Lambda, ECS, and App Runner use ENIs for their internal networking to manage communication within the VPC and to the internet.

Common use cases:

  • Network appliances (e.g., firewalls, load balancers)
  • Failover scenarios (move ENI to standby instance)
  • Separation of traffic (different ENIs for front-end and back-end traffic)
  • Multi-homed instances (connect to different subnets/VPCs via routing tricks)
For detailed steps on creating and managing network interfaces, refer to the official Amazon AWS Documentation.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Insights:

  •  It is the Logical component in a VPC that represents a virtual network card.
  •  The ENI can have the following attributes.
  •  It has one Primary private IPv4 and one or more secondary IPv4.
  •  it has one Elastic IP (IPv4) per private IPv4.
  •  it has one Public IPv4 and One or more security groups.
  •  it has a MAC (Media Access Control) address.
  • Failover happens when a system automatically switches to a backup or standby,
  • The main system fails or goes down.
  • ENI is bound to a specific availability zone (AZ).


Project: Hands-On

How twtech creates and attach an ENI to enabling connectivity, security, and flexibility for its cloud infrastructure.

Step-1:

  • Go to aws ec2 services
  • For this project twtech is Launching  two instances: twtech-db-servers



  • Select one of the instance to configure the network interface and Key pair if twtech would later SSH into the instance


  • Edit nwtework settings.
  • Select a security group or create one.



  • Verify summary and configure the number of instances preferred on launch. 

  • Launch instance

Step-2:

  • Verify on ec2 console that the instances are provisioned:

Step-3:

  • Verify that the instances are created  with default ENI (elastic network interfaces): Yes

NB:

  • Each interface contains:
  • One Public IPv4 address, one Private IPv4 address and one Private IPv4 DNS
  • Each instance has a distinct network interface.

  • The default Elastic network interfaces (created with the instance)  are attached to instances.
Step-4:
  • How, ENI can be managed.


Step-5:

  • How twtech creates a new Elastic Network Interface (ENI)and attach to an existing instance:
  • From Network UI click on: create network Interface


  • Assign a name to the ENI: twtech-db-server1-ENI
  •  Very import:
  • Select the subnet that corresponds to instance AZ  that the instance would be attached later to.
  • Also select the interface type:


  • Auto assign Private IPv4 address:

  • Attach a security group to the ENI:

  • Add a tag and Create network interface:

Step-6:

Verify that the ENI is provision and Status is still available

Step-7:

  • twtech needs to attach ENI to an instance to get it to used:
  • Slectect the ENI created (the tag initially assing to ENI should guide in selection) and navigate to Action,
  • From Action drop-down menu, select: attach

  • Choose an instance to attach the ENI to:

  • At this point  the status of the ENI changes to:  IN-USE:
Step-7:
  • Verify that the ENI has also added Primary Private IPv4 address to the instance:



  • NB:
  • The ENI can be detached from one instance and attached to another instance.
Step-8:
  • twtech detaches ENI from one instance and attach it to another instance:



  • NB: 
  • sometime, the Force detached is needed.

  • Status of ENI changes back to:  Available:

Step-9:

  • Again, twtech can attach the detached ENI to another instance in the same AZ.


  • Successfully, twtech has created an ENI, attached to an instacne, detached the same ENI from an instance and attached to another instance in the same AZ.
  • Status goes back to:  in-sue


twtech-insights:
  • What happens to the ENI if the instance is terminated.?

  • The default ENI that were created with the instances would be automatically detached, and deleted.
  • However, the ENI that was create and attached to instance would stayavailable.
  • NB:  
  • it may take a couple of minutes for twtech to fully detache and delete any unwated ENI

From:


To:

Addendum:

 https://aws.amazon.com/blogs/aws/new-elastic-network-interfaces-in-the-virtual-private-cloud/


at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, Insights. Intro: Amazon EventBridg...