3.35 What is an AWS ENI
An ENI, or Elastic Network Interface, is a logical VPC component that acts as a virtual network card for an EC2 instance. Consider an instance with a primary network card eth0 attached to a primary ENI providing connectivity. A second ENI can be added to the same instance to give it a second network card with its own private and possibly secondary IPv4 addresses, useful for failover, host migration, and load distribution patterns.
ENI attributes
- One or more private IPv4 addresses (primary + secondary).
- One Elastic IPv4 address per private IPv4 address, for public reachability.
- A public IPv4 (auto-assigned by the subnet) or none.
- One or more security groups.
- A unique MAC address.
- An optional source/destination check flag.
ENIs can be created independently and attached to an instance later, which is ideal for fast failover. They are tied to a single availability zone: an ENI created in us-west-3a cannot be attached to an instance in another AZ. The primary ENI of an instance cannot be detached, but secondary ENIs can freely move between instances.
In the console, after launching two EC2 instances in the same AZ, the Network Interfaces view shows the two primary ENIs in use. Creating a third ENI manually, with a chosen subnet and security group, and attaching it to instance 1 gives that instance a second network card. Detaching that ENI and reattaching it to instance 2 lets instance 2 pick up the same private IP and MAC address, a powerful pattern for high-availability designs. ENIs let you decouple network identity from the EC2 instance lifecycle.
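The detach/reattach procedure above as a scripted failover. This is an added example, not part of the original notes; it assumes a configured AWS CLI v2, uses placeholder ENI and instance ids, and adds the same-AZ check the notes call out before it moves anything (the security groups attached to the ENI move with it).

```bash
#!/usr/bin/env bash
# Move a secondary ENI to a target instance, refusing if the target is in a
# different Availability Zone (an ENI is bound to the AZ it was created in).
# Ids such as eni-0123456789abcdef0 / i-0123456789abcdef0 below are placeholders.
set -euo pipefail

eni_az() {             # print the AZ of an ENI
  aws ec2 describe-network-interfaces --network-interface-ids "$1" \
    --query 'NetworkInterfaces[0].AvailabilityZone' --output text
}

eni_attachment_id() {  # print the current attachment id, or "None" if detached
  aws ec2 describe-network-interfaces --network-interface-ids "$1" \
    --query 'NetworkInterfaces[0].Attachment.AttachmentId' --output text
}

instance_az() {        # print the AZ of an instance
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

# eni_failover ENI_ID TARGET_INSTANCE_ID [DEVICE_INDEX]
# Detaches the ENI from whatever instance holds it, waits until it is free,
# then attaches it to the target. Returns 1 without moving anything if the
# AZs differ. The private IP, MAC and security groups travel with the ENI.
eni_failover() {
  local eni="$1" target="$2" index="${3:-1}"
  local src_az tgt_az attachment
  src_az="$(eni_az "$eni")"
  tgt_az="$(instance_az "$target")"
  if [ "$src_az" != "$tgt_az" ]; then
    echo "refusing: $eni is in $src_az but $target is in $tgt_az" >&2
    return 1
  fi
  attachment="$(eni_attachment_id "$eni")"
  if [ "$attachment" != "None" ]; then
    aws ec2 detach-network-interface --attachment-id "$attachment" --force
    aws ec2 wait network-interface-available --network-interface-ids "$eni"
  fi
  # device-index 0 is the primary ENI, so secondary ENIs start at 1
  aws ec2 attach-network-interface --network-interface-id "$eni" \
    --instance-id "$target" --device-index "$index" --output text
}

# usage: eni_failover eni-0123456789abcdef0 i-0123456789abcdef0
```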
Summary
An AWS Elastic Network Interface (ENI) is a logical virtual network interface card attached to an EC2 instance that provides network connectivity. An ENI has one primary private IPv4 address, can have optional secondary private IPv4 addresses and Elastic IPv4 addresses for public connectivity, and is associated with security groups for traffic control. ENIs can be created independently and attached to or detached from instances, enabling rapid failover and load balancing scenarios across EC2 instances within the same Availability Zone.
Key points
- An ENI is a virtual network interface card (logical adapter) that provides connectivity to an EC2 instance
- Each ENI has a primary private IPv4 address and can have multiple secondary IPv4 addresses and elastic IP addresses
- ENIs are bound to an Availability Zone and cannot be used across different AZs
- ENIs can be created independently and dynamically attached to or detached from EC2 instances without downtime
- Security groups are assigned to ENIs to control inbound and outbound traffic
- Multiple ENIs can be attached to a single instance, enabling different network configurations
FAQ
What is the primary difference between a primary ENI and a secondary ENI?
A primary ENI is the first network interface automatically created with an EC2 instance and cannot be detached; a secondary ENI is created separately and can be attached to or detached from instances, making it ideal for failover scenarios and rapid reconfiguration.
Can an ENI be moved between Availability Zones?
No, an ENI is tied to a specific Availability Zone and cannot be used in other AZs. However, you can create a new ENI in a different AZ and attach it to another instance for geographic failover.
How do security groups relate to ENIs?
Security groups are directly assigned to ENIs and control all inbound and outbound traffic for that network interface, providing the firewall rules for network communication.