Thursday, July 9, 2020

ENI – Elastic Network Interface

-      An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card.

-         By default, Eth0 (the default ENI) is created when the EC2 instance is launched; it can't be removed or detached.
-         You can create an additional ENI (Eth1) during launch, or, once the instance is up, create a new ENI and attach it. The number of ENIs an instance supports depends on the instance type.
-         Eth1 can be placed in a different subnet than the EC2 instance, but it must be in the same AZ as Eth0 and the instance itself.
-         If Eth1 is added during launch, neither Eth0 nor Eth1 gets a public IP. You need to manually assign an Elastic IP to each.
-         Eth0 is deleted on EC2 termination by default.
-         Eth1 is NOT deleted on EC2 termination by default. This can be changed under Instance -> Network Interface -> Change termination behavior.
-      An ENI is bound to an AZ.
-         You can specify the IP to be assigned to the ENI or let AWS pick one.
-         Security Groups apply per network interface (ENI), not per IP. If one ENI has multiple IPs, all of them are subject to the same Security Group rules.
-         Hot attach: attach an ENI while the EC2 instance is running; warm attach: while it is stopped; cold attach: while it is being launched.
-         Each ENI has:
          §   A description
          §   A primary IPv4 address
          §   One or more secondary IPv4 addresses. Multiple private IPv4 addresses are useful for:
                    §   Hosting multiple websites (say one of them needs SSL/HTTPS)
                    §   Hosting security and network appliances in the VPC
                    §   Each private IPv4 can be associated with an Elastic IP
                    §   Redirecting traffic to a standby EC2 instance if the primary fails: reassign the secondary IPv4 to another instance's ENI. If an Elastic IP is assigned to that IPv4, the Elastic IP is reassigned automatically (it follows the IPv4). Remove the IPv4 and the Elastic IP gets detached.
          §   One Elastic IP per IPv4
          §   One or more IPv6 addresses
          §   Up to 5 Security Groups
          §   A MAC address
          §   A source/destination check flag
-         Except for Eth0, you can reassign an ENI to another EC2 instance; all of the above moves with it.
 
-         NOTE: if you select "add a device" for Eth2 (ENI #2) during an EC2 launch, and everything is in a public subnet or a public IPv4 is set to be assigned by default, AWS will no longer assign a public IPv4 to Eth0. You will need an Elastic IP assigned to Eth0 to connect from outside.
 
-         Custom-created ENIs are not deleted by default when the EC2 instance is terminated. This can be changed in the ENI's settings.
 
To reiterate, the important points:
-         Eth0 cannot be detached. Any other ENI can be detached and re-attached.
-         The private primary/secondary IPv4, IPv6 and Elastic IP addresses stay with the ENI when it is detached or attached to another EC2 instance.
-         You can have the NIC in one subnet and the EC2 instance in another, but they have to be in the same AZ.
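The standby failover described above (reassign a secondary IPv4 to another instance's ENI and the Elastic IP follows it; unassign the IPv4 and the Elastic IP is detached), written out as an added example that is not part of the original notes. The method names used (assign_private_ip_addresses, unassign_private_ip_addresses, describe_addresses, modify_network_interface_attribute) are real boto3 EC2 client methods, but the FakeEc2 class is a constructed offline stand-in that only mimics the behaviour these notes describe, and every ENI id, allocation id and address is a made-up placeholder. To run it against a real account you would pass boto3.client("ec2") and real ids in place of FakeEc2().

```python
"""Secondary-IPv4 failover between two ENIs, with the Elastic IP following the address.
FakeEc2 is a constructed stand-in (not the AWS API); ids and addresses are placeholders."""


class FakeEc2:
    """Constructed in-memory model of the handful of EC2 calls the failover needs."""

    def __init__(self):
        # ENI -> subnet, primary IPv4, secondary IPv4s, delete-on-termination flag
        self.enis = {
            "eni-primary": {"subnet": "subnet-a", "primary": "10.0.1.10",
                            "secondary": {"10.0.1.11"}, "delete_on_termination": False},
            "eni-standby": {"subnet": "subnet-a", "primary": "10.0.1.20",
                            "secondary": set(), "delete_on_termination": False},
        }
        # Elastic IP allocation -> [ENI, private IPv4] it is associated with (None = detached)
        self.eips = {"eipalloc-0001": ["eni-primary", "10.0.1.11"]}

    def _owner(self, ip):
        for eni, d in self.enis.items():
            if ip == d["primary"] or ip in d["secondary"]:
                return eni
        return None

    def assign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses,
                                    AllowReassignment=False):
        target = self.enis[NetworkInterfaceId]
        for ip in PrivateIpAddresses:
            owner = self._owner(ip)
            if owner and owner != NetworkInterfaceId:
                src = self.enis[owner]
                if ip == src["primary"]:
                    raise RuntimeError("InvalidParameterValue: a primary IPv4 cannot be reassigned")
                if not AllowReassignment:
                    raise RuntimeError("InvalidParameterValue: address in use; set AllowReassignment=True")
                if src["subnet"] != target["subnet"]:
                    raise RuntimeError("InvalidParameterValue: address belongs to another subnet's CIDR")
                src["secondary"].discard(ip)
                # the Elastic IP association follows the private IPv4 to its new ENI
                for assoc in self.eips.values():
                    if assoc[1] == ip:
                        assoc[0] = NetworkInterfaceId
            target["secondary"].add(ip)
        return {"NetworkInterfaceId": NetworkInterfaceId,
                "AssignedPrivateIpAddresses": [{"PrivateIpAddress": ip} for ip in PrivateIpAddresses]}

    def unassign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses):
        for ip in PrivateIpAddresses:
            self.enis[NetworkInterfaceId]["secondary"].discard(ip)
            # removing the IPv4 detaches any Elastic IP that was mapped to it
            for assoc in self.eips.values():
                if assoc[1] == ip:
                    assoc[0] = assoc[1] = None

    def describe_addresses(self, AllocationIds):
        out = []
        for alloc in AllocationIds:
            eni, ip = self.eips[alloc]
            entry = {"AllocationId": alloc}
            if eni:  # an associated Elastic IP also reports its interface and private IP
                entry.update(NetworkInterfaceId=eni, PrivateIpAddress=ip)
            out.append(entry)
        return {"Addresses": out}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Attachment):
        self.enis[NetworkInterfaceId]["delete_on_termination"] = Attachment["DeleteOnTermination"]


def eip_home(ec2, alloc_id):
    """Return the (ENI, private IPv4) an Elastic IP is bound to, or (None, None) if detached."""
    addr = ec2.describe_addresses(AllocationIds=[alloc_id])["Addresses"][0]
    return addr.get("NetworkInterfaceId"), addr.get("PrivateIpAddress")


def fail_over(ec2, ip, standby_eni):
    """Move secondary IPv4 `ip` to the standby ENI; AllowReassignment is what permits the takeover."""
    resp = ec2.assign_private_ip_addresses(NetworkInterfaceId=standby_eni,
                                           PrivateIpAddresses=[ip], AllowReassignment=True)
    return [a["PrivateIpAddress"] for a in resp["AssignedPrivateIpAddresses"]]


def run_failover_demo():
    """Walk through the failover against the constructed model and return what was observed."""
    ec2 = FakeEc2()
    result = {"before": eip_home(ec2, "eipalloc-0001")}
    # without AllowReassignment an address that is still in use is refused (no accidental takeover)
    try:
        ec2.assign_private_ip_addresses(NetworkInterfaceId="eni-standby", PrivateIpAddresses=["10.0.1.11"])
        result["refused_without_flag"] = False
    except RuntimeError:
        result["refused_without_flag"] = True
    result["moved"] = fail_over(ec2, "10.0.1.11", "eni-standby")
    result["after"] = eip_home(ec2, "eipalloc-0001")
    result["primary_secondaries"] = sorted(ec2.enis["eni-primary"]["secondary"])
    ec2.unassign_private_ip_addresses(NetworkInterfaceId="eni-standby", PrivateIpAddresses=["10.0.1.11"])
    result["after_unassign"] = eip_home(ec2, "eipalloc-0001")
    # keep the standby's custom ENI (and its addresses) if that instance is ever terminated
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId="eni-standby",
        Attachment={"AttachmentId": "eni-attach-placeholder", "DeleteOnTermination": False})
    result["standby_delete_on_termination"] = ec2.enis["eni-standby"]["delete_on_termination"]
    return result


if __name__ == "__main__":
    for key, value in run_failover_demo().items():
        print(f"{key}: {value}")
```

The check that matters operationally is the one around AllowReassignment: leaving it unset turns a misdirected failover script into an error instead of silently pulling an address (and its Elastic IP) off a healthy instance, and only the secondary IPv4 can ever move, never the ENI's primary address.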
 
NAT Review:
-        NAT: the port in the Security Group rules is the DESTINATION port.
-        A NAT instance is based on a specific NAT-geared flavor of OS. It is not a bastion host.
-        You cannot SSH into a NAT instance, even if the Security Group and NACL are set up right; the OS only allows HTTP/S in.
-        A NAT instance manages its own Security Groups etc. It needs an Elastic IP to operate, and the VPC route tables need to be updated to point to it.
