In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various networking and VPC services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various networking services available in AWS
- Describe how to configure an Amazon Virtual Private Cloud (VPC)
- Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
- Describe options for VPC connectivity, subnets, and routing
- Understand how to share VPC resources using the AWS Resource Access Manager (RAM)
- Identify how to evaluate the configuration of VPC resources using the VPC Reachability Analyzer
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture, which is going to look at elastic network interfaces, which are commonly known as ENIs.
ENIs are logical virtual network cards within your virtual private cloud, your VPC, that you can create, configure, and attach to your EC2 instances. The configuration is bound to the ENI and not to the instance it is attached to. This means that you can detach your ENI from one instance and reconnect it to another instance, and the configuration of that ENI moves with it: for example, its private IP address, its elastic IP address, or its MAC address.
You may not have come across ENIs before, because when you create an instance your EC2 instance comes configured with a primary network interface that is already bound to your instance. And this can't be removed or detached. If you look at your EC2 instances, you'll see this primary interface labeled Eth0.
However, there will be occasions where you will need your instances to have multiple network interfaces. For example, if you wanted to create a management network, you can create an ENI and attach it to your instance in addition to its primary interface, Eth0. This second interface can then be configured with a private IP address from a different subnet to handle any management traffic.
Much like your Eth0 interface, all traffic originating from and being sent to an ENI can be captured using VPC flow logs. More information on VPC flow logs can be found here.
When designing your solution and any requirements for multiple interfaces being attached to your instances, you'll need to bear in mind that the quantity of interfaces is dependent on the EC2 instance type. To check how many interfaces can be attached to your instance, please check the following AWS documentation.
Let me now provide a quick demonstration on how to create and attach an ENI to an existing EC2 instance.
In this demonstration, I have two private subnets within my VPC. These are labeled as production and management. I have an existing instance called Myinstance, within the production subnet. However, I want to implement a management network that will reside within the management subnet. As a result, I will create a new ENI and configure it for the management subnet, and then attach it to my instance. Let's take a look.
Okay, so I'm logged into my AWS Management Console, and I'm on my VPC dashboard. I'm just looking at my subnets, and I just want you to see the different subnets I've got for this Cloud Academy VPC. The two subnets that I'm interested in are the production and the management. So for the production subnet, we have a 10.0.2.0 network. And for the management network, we have a 10.0.3.0 network.
Now I also have an EC2 instance. So if I just go across to EC2, I have an instance called Myinstance. And at the moment, this is residing in the 10.0.2.0 network, which is in the production subnet. Now what I want to do is to add a secondary network interface to this instance, with an IP address that sits on the management network. So at the minute, we can see that it only has this primary Eth0 interface. And we can see that this is the primary network interface, and it has a 10.0.2 address.
So let me go ahead and create a new network interface. So on the left hand side, if you scroll down to Network and Security, and select Network Interfaces, and then Create Network Interface, and add a description here, so I'm going to call it my Management_Interface. And the subnet that I want to associate this with is the management subnet. And I can either auto assign or add a custom IP address. For this demonstration, I'm just going to leave it as auto assigned.
An elastic fabric adapter is a network device that you can attach to your instances to reduce latency and increase throughput for distributed high performance computing and machine learning applications. So we don't need to do that for this demonstration, but I just wanted to show you what the elastic fabric adapter is. And finally you can select any security groups as well. I'm just gonna select a default security group for this demonstration. Select Create, and we now have our new network interface created.
And we can see here under the Description that it's the Management_Interface that I named it. And currently the status is available, as it's naturally not yet in use. So I've literally just created a network interface. And if we look at the properties down here, we can see that it resides on the 10.0.3 network, which is correct. So now what I want to do is attach this to our instance.
So once I've selected the interface, if I go to Actions, Attach, select the instance, which is Myinstance, which is running and then select Attach. That interface will then be attached to that EC2 instance. And we can see here that it's now in use. So if we go back to Myinstance, and select it, so we can take a look at the properties, we can see down here that we now have a secondary network interface. So the Eth0 was the primary that sits on the 10.0.2 network. And that's the primary network interface. And now if we look at this interface Eth1, this is our new management interface. And we can see that this sits on the 10.0.3 network. So this EC2 instance now has network interfaces connecting to two different subnets and one of those subnets is the management network.
Now, detaching the interface is very easy. We can go back to our network interfaces section, select the interface and select Detach. We get a confirmation message asking if we want to detach it, and we say yes. Once that interface is detached, we can then delete that interface as well if we no longer need it. And again, just to reiterate, we can see that the network interface itself retains its configuration. So it's brought the IP address with it. So finally, let me just delete this interface by selecting Delete. Say yes, and that's it.
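The same create, attach, detach and delete sequence from the demonstration, scripted against the AWS CLI, as an added example that is not part of the original lecture. It also enables VPC flow logs scoped to the new ENI, as the lecture mentions is possible, and attaches a dedicated management security group rather than the default one so that only management traffic is permitted on Eth1. The subnet, instance, security group, log group and IAM role identifiers are placeholders that you would replace with your own; the AWS CLI v2 is assumed to be installed and configured, and setting AWS=echo performs a dry run that only prints the commands.

```shell
#!/usr/bin/env bash
# Added example, not from the original lecture. Creates a management ENI in a
# second subnet, attaches it as Eth1 to an existing instance, enables
# ENI-level flow logs, and later detaches and deletes it.
set -euo pipefail

AWS="${AWS:-aws}"   # set AWS=echo for a dry run that prints each command instead of calling AWS

# Placeholder identifiers (assumed, not from the lecture); override via environment.
MGMT_SUBNET_ID="${MGMT_SUBNET_ID:-subnet-PLACEHOLDER}"   # the 10.0.3.0 management subnet
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"              # "Myinstance", in the production subnet
MGMT_SG_ID="${MGMT_SG_ID:-sg-PLACEHOLDER}"               # dedicated management SG, not "default"
FLOW_LOG_GROUP="${FLOW_LOG_GROUP:-/vpc/flow-logs/management}"
FLOW_LOG_ROLE_ARN="${FLOW_LOG_ROLE_ARN:-arn:aws:iam::123456789012:role/PLACEHOLDER}"

# Create the ENI in the management subnet and print its ID.
create_mgmt_eni() {
  "$AWS" ec2 create-network-interface \
    --subnet-id "$MGMT_SUBNET_ID" \
    --description "Management_Interface" \
    --groups "$MGMT_SG_ID" \
    --query 'NetworkInterface.NetworkInterfaceId' --output text
}

# Attach an ENI ($1) as device index 1. Index 0 is the primary interface
# (Eth0) created with the instance and cannot be detached; index 1 becomes Eth1.
attach_eni() {
  "$AWS" ec2 attach-network-interface \
    --network-interface-id "$1" \
    --instance-id "$INSTANCE_ID" \
    --device-index 1 \
    --query 'AttachmentId' --output text
}

# Capture accepted and rejected traffic on this one interface ($1) only,
# delivered to CloudWatch Logs.
enable_eni_flow_logs() {
  "$AWS" ec2 create-flow-logs \
    --resource-type NetworkInterface \
    --resource-ids "$1" \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name "$FLOW_LOG_GROUP" \
    --deliver-logs-permission-arn "$FLOW_LOG_ROLE_ARN"
}

# Detach by attachment ID ($1). The ENI keeps its IP and security group
# configuration after detachment, as shown in the lecture.
detach_eni() {
  "$AWS" ec2 detach-network-interface --attachment-id "$1"
}

# Wait until the ENI ($1) is back in the "available" state, then delete it.
delete_eni() {
  "$AWS" ec2 wait network-interface-available --network-interface-ids "$1"
  "$AWS" ec2 delete-network-interface --network-interface-id "$1"
}

main() {
  eni_id="$(create_mgmt_eni)"
  echo "created ENI: $eni_id"
  attachment_id="$(attach_eni "$eni_id")"
  echo "attached as Eth1, attachment: $attachment_id"
  enable_eni_flow_logs "$eni_id"
  # ... management work happens here ...
  detach_eni "$attachment_id"
  delete_eni "$eni_id"
  echo "detached and deleted ENI: $eni_id"
}

# Run the full sequence only when explicitly requested.
if [ "${ENI_DEMO_RUN:-0}" = "1" ]; then
  main
fi
```

Run with `ENI_DEMO_RUN=1` after replacing the placeholders, or with `AWS=echo ENI_DEMO_RUN=1` first to review the exact API calls. Note that the guest operating system must route replies to management traffic back out of Eth1; Amazon Linux configures this for secondary interfaces automatically, while other distributions may need policy-based routing added by hand.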
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.