AWS Certified Advanced Networking:Specialty Exam Guide

ENI

The ENI is a virtual network adapter that allows us to connect operating systems, containers, and other components to a VPC. When an EC2 instance is created, a special kind of ENI is created and permanently attached to it. This ENI is also called the primary network interface, and will be shown as eth0 in Linux instances or Local Area Connection in Windows instances. The primary network interface has all the characteristics of an ENI, except it cannot be detached from the instance it was created with.

We also have the ability to create an ENI independently of an EC2 instance and arbitrarily assign its characteristics. When created separately, the ENI is created with a persistent MAC address. Once attached to an instance, this adapter will show up as a secondary network interface and the MAC address will be visible in the operating system. This ENI is completely independent of the EC2 instance it is connected to and its characteristics will persist through stops and starts, and will remain unchanged even when the instance is terminated.

We are also able to detach the ENI and attach it to another instance. This is of great benefit when we use licensing that is tied to a MAC address. Instead of tying the license to the primary network interface and hoping that the instance never fails, we can assign the license to a separately created secondary ENI. In case of a failure of the instance, we simply reattach the ENI to another instance with the same software or recover the instance from an AMI and attach the ENI to the newly created instance.

To create an ENI, we will need to execute the following steps:

  1. Navigate to the EC2 management console, scroll down to the NETWORK & SECURITY section, and select the Network Interfaces section. There, we click on the Create Network Interface button.
  2. In the Create Network Interface dialogue, we need to specify the following:
    • Description: An optional description of the interface.
    • Subnet: The subnet to attach the ENI to.
    • Private IP: The IP address for the network interface. An IP will be automatically assigned if you leave this blank.
    • Security groups: The security groups to control access to the network interface.

To control security on the ENI adapter, we use security groups. By default, we are able to assign up to five security groups to each ENI. Since this is a soft limit, we can ask AWS Support to raise it if required; the absolute maximum is 16 security groups per ENI. However, increasing the number of security groups we can assign does not increase the number of security group rules we can apply to an ENI, because the absolute maximum is 300 rules per ENI. This budget is distributed across the attached security groups, so that with five security groups, for example, each group can hold 60 rules.
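To make that rule budget checkable rather than just arithmetic, here is an added audit script (not from the book) that counts the rules attached to each ENI the way AWS counts them and flags the 5, 16 and 300 limits quoted above. It assumes input shaped like the JSON returned by `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups`; the sample groups and ENIs below are constructed.

```python
DEFAULT_SG_PER_ENI = 5   # default soft limit from the text
MAX_SG_PER_ENI = 16      # hard limit from the text
MAX_RULES_PER_ENI = 300  # hard limit from the text, summed across attached groups


def count_rules(sg):
    """Count rules as AWS does: every CIDR, prefix list or referenced group inside
    an IpPermissions entry is one rule; ingress and egress both count."""
    total = 0
    for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
        total += sum(len(perm.get(k, [])) for k in
                     ("IpRanges", "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs"))
    return total


def audit_eni(eni, groups_by_id):
    """Return group count, summed rule count and any limit findings for one ENI."""
    ids = [g["GroupId"] for g in eni.get("Groups", [])]
    rules = sum(count_rules(groups_by_id[i]) for i in ids)
    findings = []
    if len(ids) > MAX_SG_PER_ENI:
        findings.append(f"{len(ids)} security groups exceed the hard limit of 16")
    elif len(ids) > DEFAULT_SG_PER_ENI:
        findings.append(f"{len(ids)} security groups exceed the default of 5")
    if rules > MAX_RULES_PER_ENI:
        findings.append(f"{rules} rules exceed the 300-rule ENI limit")
    return {"eni": eni["NetworkInterfaceId"], "groups": len(ids),
            "rules": rules, "findings": findings}


def make_sg(group_id, ingress_cidrs, egress_cidrs=("0.0.0.0/0",)):
    """Build a constructed describe-security-groups record, one CIDR per rule."""
    return {"GroupId": group_id,
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": c} for c in ingress_cidrs]}],
            "IpPermissionsEgress": [{"IpProtocol": "-1",
                                     "IpRanges": [{"CidrIp": c} for c in egress_cidrs]}]}


# Constructed sample: sg-web holds 3 rules; each sg-big-N holds 59 ingress + 1 egress = 60.
SAMPLE_GROUPS = {"sg-web": make_sg("sg-web", ["10.0.0.0/16", "10.1.0.0/16"])}
for n in range(6):
    SAMPLE_GROUPS[f"sg-big-{n}"] = make_sg(f"sg-big-{n}", [f"10.{n}.{i}.0/24" for i in range(59)])

SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0123", "Groups": [{"GroupId": "sg-web"}]},
    {"NetworkInterfaceId": "eni-0456", "Groups": [{"GroupId": f"sg-big-{n}"} for n in range(6)]},
]

if __name__ == "__main__":
    for eni in SAMPLE_ENIS:
        print(audit_eni(eni, SAMPLE_GROUPS))  # eni-0456: 6 groups, 360 rules, two findings
```

Against a real account, feed it the `NetworkInterfaces` and `SecurityGroups` arrays from the two CLI calls above; the quotas themselves may differ from the book's figures, so confirm them in Service Quotas.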

Once created, we can manage the ENI. For example, we can manage the IP addressing of the ENI separately from the instance it is connected to. In the ENI features, we can specify a primary IP address from the VPC subnet primary IPv4 address pool and any number of available secondary private IPv4 addresses. Additionally, we can assign one or more IPv6 addresses.

Each ENI can also have a public or Elastic IP assigned to it. Assigning an Elastic IP is very useful when we require an unchangeable IP address for any of our instances. To assign a new address, navigate to Elastic IPs and select Allocate new address. The dialogue for requesting a new EIP is shown in the following image:

When troubleshooting and diagnosing network flow issues, we can enable VPC flow logs for each ENI separately. This allows us to diagnose the traffic flow to and from a particular ENI. This is especially valuable when using containers that have an ENI attached as we are able to granularly diagnose and determine the traffic flow pattern to each and every endpoint.

As you can see, the ENI is the virtual connectivity device that gives us the flexibility, performance, and control that we would expect from a modern virtual network device. Now, we will take a look at how any traffic from an ENI can pass outside the subnet and get routed to the internet and other networks.