Cloud providers like AWS, GCP, and Azure do a good job of separating components that were traditionally considered tightly coupled to the hardware. This separation gives end users control over each component individually and a great deal of flexibility. Network interfaces, the points of interconnection between a server and a public or private network, are one such component: once separated from the server, they become very flexible.
An AWS ENI separates the network interface from the instance and removes the tight coupling between instances and their subnets. This modularization helps developers improve the robustness, resilience, and security of their instances and services. This article covers elastic network interfaces, their use cases, and how to work with them.
What Are Elastic Network Interfaces?
An AWS Elastic Network Interface is a logical component within a virtual private cloud that abstracts a network card. It identifies an instance or service to the outside world or to the internal network. Every instance is assigned an elastic network interface by default; this default interface is called the primary network interface.
AWS also allows developers to create secondary network interfaces and assign them to instances. A secondary network interface is not tied to a single instance forever and can be reassigned to other instances or services as the use case requires.
An elastic network interface is defined by a set of attributes: a primary private IP address, a set of secondary IPv4 and IPv6 addresses, a MAC address, one or more security groups, a source/destination check flag, and a description.
A network interface can be attached to any instance that resides in the same availability zone. All attributes of the network interface stay the same when it is reassigned to another instance.
When a network interface is reassigned, all further network traffic addressed to it is rerouted from the original instance to the new one. That said, only secondary interfaces can be moved this way; the primary interface stays tied to its instance for the instance's lifetime. It is, however, possible to assign an already existing elastic network interface as the primary network interface when an instance is created.
The number of secondary network interfaces that an instance can accommodate varies based on the instance type. The number of IP addresses that a network interface can accommodate also varies according to the instance type it is tied to.
For example, a general-purpose a1.medium instance type can hold a maximum of 2 secondary network interfaces, 4 IPv4 addresses, and 4 IPv6 addresses. An a1.large instance can hold up to 3 secondary interfaces, and each of the interfaces can accommodate up to 10 IPv4 and 10 IPv6 addresses.
Understanding AWS ENI
To understand elastic network interfaces, one must be aware of the concepts of virtual private clouds and subnets in AWS. A virtual private cloud is a logical network inside the AWS ecosystem, similar to the traditional networks that organizations have been building in their data centers. Instances and services inside a VPC are isolated from other VPCs. A VPC is identified by the range of IP addresses assigned to it, and it is divided into subnets.
A subnet is a range of IP addresses within a VPC, and each subnet resides in a single availability zone. Each subnet has an attribute that decides whether instances created in that subnet are assigned a public IP address.
That default public IP is dynamic: it can change with the life-cycle events of the instance. AWS allows a static IP address to be used with dynamic cloud instances through the concept of elastic IP addresses.
When an instance is created, there are two ways in which a network interface can be assigned. By default, AWS creates a new network interface and assigns it to the instance; this newly created interface inherits the attributes of the subnet and VPC the instance is created in. Even if the attributes of the subnet are later changed, the network interface keeps the settings that were in effect when it was created.
The other option is to specify an existing network interface while creating the instance. In this case, the IP address and other network configuration of the instance are defined by the subnet to which the network interface belongs. If an elastic IP address is already associated with the network interface, the instance inherits it.
AWS provides various options for granular control of network interfaces. One can configure what happens to a network interface when the instance it is attached to is terminated, including a delete-on-termination option that removes the interface along with the instance.
Engineers can also enable or disable the source/destination check, which requires the instance to be either the source or the destination of any traffic it sends or receives (it is disabled only for instances that forward traffic, such as NAT instances). Traffic to and from a network interface can be monitored through VPC flow logs.
Working With Elastic Network Interface
Creating and managing elastic network interfaces can be done from within the AWS EC2 management console.
To create a Network Interface, head to the EC2 management console and choose ‘Network Interfaces’ from the left-hand side pane.
Inside the ‘Network Interfaces’ section, select ‘Create Network Interface’.
The ‘Create Network Interface’ section requires a description, details of the subnet, and IP address range for the basic setup.
For the IP address range, one can select ‘Auto-assign’ or a custom range. If ‘Auto-assign’ is selected, AWS assigns one automatically from the subnet in which the interface is created.
The next step is to select a security group. You can select one or more security groups from the already existing list.
Choose ‘Create network interface’ to complete the process. This network interface can be assigned to any of the already existing instances as a secondary interface or as a primary interface for a new EC2 instance. To assign to an existing instance, go to the EC2 management console, click the instance, and choose ‘Actions’.
Then head to Networking and choose ‘Attach Network Interface’.
Select a network interface from the list and complete the process.
An existing network interface can be assigned as a primary network interface while creating an instance. One can do this by using the ‘Advanced Network Configuration’ in the ‘Launch Instances’ wizard.
That covers the basics of working with network interfaces.
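The console steps above, together with the attachment attributes described earlier (delete-on-termination and the source/destination check), map onto a handful of AWS CLI calls. The script below is an added example written for this article; it is not code from the article or from AWS. Every resource id it uses (subnet-…, sg-…, i-…) is a constructed placeholder, and the `runner` parameter is an injection point: the default shells out to the `aws` CLI, which must be installed and configured, while a stub can stand in for it when checking the logic offline.

```python
"""Create a secondary ENI, attach it to a running EC2 instance and set the
attachment's attributes through the AWS CLI.

Added example for this article, not the article's or AWS's own code. Every
resource id used here (subnet-..., sg-..., i-...) is a constructed placeholder.
`runner` is an injection point: the default shells out to the `aws` CLI, which
must be installed and configured; a stub can replace it for offline checks.
"""
import json
import subprocess


def run_aws(args):
    """Run `aws ec2 <args>` and return its JSON output parsed ({} if none)."""
    completed = subprocess.run(
        ["aws", "ec2", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout) if completed.stdout.strip() else {}


def create_and_attach_eni(subnet_id, security_group_ids, instance_id,
                          device_index=1, description="secondary interface",
                          delete_on_termination=False, source_dest_check=True,
                          runner=run_aws):
    """Mirror the console flow: create the interface in a subnet with a set of
    security groups, attach it as a secondary interface (device index >= 1;
    index 0 is the primary interface created with the instance), then pin the
    attachment's DeleteOnTermination flag and the source/destination check.
    Returns the ids needed to manage the interface later."""
    if device_index < 1:
        raise ValueError("device index 0 is the primary interface; use >= 1")

    created = runner([
        "create-network-interface",
        "--subnet-id", subnet_id,
        "--description", description,
        "--groups", *security_group_ids,
    ])
    eni_id = created["NetworkInterface"]["NetworkInterfaceId"]

    attached = runner([
        "attach-network-interface",
        "--network-interface-id", eni_id,
        "--instance-id", instance_id,
        "--device-index", str(device_index),
    ])
    attachment_id = attached["AttachmentId"]

    # DeleteOnTermination is an attribute of the attachment, not the ENI.
    # Leaving it false keeps the interface (and its addresses, MAC and
    # security groups) alive after the instance goes away.
    runner([
        "modify-network-interface-attribute",
        "--network-interface-id", eni_id,
        "--attachment",
        f"AttachmentId={attachment_id},"
        f"DeleteOnTermination={str(delete_on_termination).lower()}",
    ])
    # The source/destination check stays on unless the instance forwards
    # traffic (NAT, routing); switching it off widens what the ENI accepts.
    if not source_dest_check:
        runner(["modify-network-interface-attribute",
                "--network-interface-id", eni_id, "--no-source-dest-check"])

    return {"eni_id": eni_id, "attachment_id": attachment_id,
            "device_index": device_index}


if __name__ == "__main__":
    # Placeholder ids; replace with real ones from your account.
    print(create_and_attach_eni("subnet-0placeholder", ["sg-0placeholder"],
                                "i-0placeholder"))
```

The attachment id returned here is what `modify-network-interface-attribute` needs later, so keep it with the ENI id rather than re-querying for it during an incident.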
Elastic Network Interface Use Cases
Elastic Network Interfaces remove the tight coupling of EC2 instances with their networks. This means the life cycle of a network interface is independent of any instances that it is assigned to. Such flexibility opens up possibilities for many use cases.
Increasing Resilience Through a Failover System
A failover system is responsible for quickly switching from a failed instance to a working one and restoring normal operation as soon as possible. Elastic Network Interfaces can help achieve this.
To build a failover system, one must create a network interface before creating an instance and assign this network interface as the primary one for the new instance.
If the instance goes down, one can assign the same network interface to another working instance and network traffic will be automatically rerouted. Of course, this requires building scripts using AWS CLI commands to perform this reassignment quickly and automatically.
That said, AWS load balancers will do a much better job of this failover implementation compared to this method. But one can opt for this method as a quick and dirty budget-friendly solution.
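The reassignment script the section mentions looks roughly like the following. It is an added example for this article, not the article's or AWS's own code; the ids are constructed placeholders and `runner` can be swapped for a stub. One caveat the example accounts for: AWS does not let you detach an instance's primary interface (device index 0), so the script moves a secondary interface, and it skips the detach step when the interface is already free, which is the state a primary interface with delete-on-termination disabled reaches once its instance has been terminated.

```python
"""Move an ENI from a failed instance to a standby instance with the AWS CLI.

Added example for this article, not code from the article or from AWS. All
ids are constructed placeholders; `runner` defaults to the `aws` CLI and can
be replaced by a stub for offline checks.
"""
import json
import subprocess
import sys


def run_aws(args):
    """Run `aws ec2 <args>` and return its JSON output parsed ({} if none)."""
    completed = subprocess.run(
        ["aws", "ec2", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout) if completed.stdout.strip() else {}


def describe_attachment(eni_id, runner=run_aws):
    """Return (instance_id, attachment_id, status) for one interface; the
    first two are None when the interface is not attached to anything."""
    desc = runner(["describe-network-interfaces",
                   "--network-interface-ids", eni_id])
    iface = desc["NetworkInterfaces"][0]
    attachment = iface.get("Attachment") or {}
    return (attachment.get("InstanceId"), attachment.get("AttachmentId"),
            iface["Status"])


def fail_over_eni(eni_id, standby_instance_id, device_index=1, runner=run_aws):
    """Detach the interface from whatever holds it (forcibly, because a failed
    instance may never acknowledge the detach), wait until AWS reports it
    available, then attach it to the standby. Idempotent: returns without
    changes when the standby already owns the interface."""
    instance_id, attachment_id, status = describe_attachment(eni_id, runner)
    if instance_id == standby_instance_id:
        return {"moved": False, "reason": "already attached to standby"}

    if attachment_id:
        runner(["detach-network-interface",
                "--attachment-id", attachment_id, "--force"])
        # Attaching before the detach completes fails; the waiter polls
        # until the interface status is 'available'.
        runner(["wait", "network-interface-available",
                "--network-interface-ids", eni_id])
    elif status != "available":
        raise RuntimeError(f"{eni_id} is {status} without an attachment; "
                           "refusing to attach it")

    attached = runner([
        "attach-network-interface",
        "--network-interface-id", eni_id,
        "--instance-id", standby_instance_id,
        "--device-index", str(device_index),
    ])
    return {"moved": True, "from": instance_id,
            "attachment_id": attached["AttachmentId"]}


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python eni_failover.py <eni-id> <standby-instance-id>
    print(fail_over_eni(sys.argv[1], sys.argv[2]))
```

Whatever triggers this script (a health check, an alarm action) should be the only path that calls it, and its own identity needs `ec2:DetachNetworkInterface` and `ec2:AttachNetworkInterface` only on the interfaces and instances involved; an identity that can move any ENI in the account can also redirect any service's traffic.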
Improving Security By Separating Admin Tasks From User Networks
Most organizations will have two separate sets of users for their instances. The first one is the administration team who is responsible for maintaining and troubleshooting the instances. This group requires higher levels of access including SSH.
The second group consists of engineers who use the instances and require much lower levels of access. They may also be accessing the instances from public networks.
To delineate between these two sets of users and to ensure security through the network, one can create two network interfaces and assign them to the same instance. One interface can cater to the admin group with higher access levels and the second one can cater to normal users.
The first ENI can be limited to a private network. The second interface can be given a security group that has no inbound rule for ports such as 22, which disables SSH access through it. Since the high-access functions are blocked, the second network interface can be safely exposed to a public network.
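The split only holds while the security groups keep matching the interfaces, so it is worth verifying rather than assuming. The check below is an added example for this article, not the article's own code: it takes the `NetworkInterfaces` list from `aws ec2 describe-network-interfaces` and the `SecurityGroups` list from `aws ec2 describe-security-groups` and reports every interface that carries a public IP while belonging to a security group that admits an admin port (SSH 22, RDP 3389) from the whole internet. The sample data embedded in it is constructed and describes no real account.

```python
"""Verify the admin/user split across two ENIs: no interface with a public IP
may belong to a security group that opens an admin port to the internet.

Added example for this article, not the article's own code. Inputs are the
`NetworkInterfaces` list from `aws ec2 describe-network-interfaces` and the
`SecurityGroups` list from `aws ec2 describe-security-groups`; the sample
below is constructed and does not describe a real account.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def permission_exposes_port(permission, port):
    """True if one IpPermissions entry admits TCP `port` (or all traffic,
    protocol '-1') from an any-source IPv4 or IPv6 range."""
    protocol = permission.get("IpProtocol")
    if protocol == "tcp":
        low = permission.get("FromPort", 0)
        high = permission.get("ToPort", 65535)
        if not low <= port <= high:
            return False
    elif protocol != "-1":      # udp, icmp, numbered protocols: not SSH/RDP
        return False
    sources = {r.get("CidrIp") for r in permission.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])}
    return bool(sources & WORLD_CIDRS)


def audit_interfaces(interfaces, security_groups, admin_ports=ADMIN_PORTS):
    """Return one (eni_id, sg_id, message) finding per admin port that is
    reachable from the internet on an interface that has a public IP."""
    groups_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for eni in interfaces:
        public_ip = (eni.get("Association") or {}).get("PublicIp")
        if not public_ip:
            continue    # private-only interface: the admin side of the split
        for group in eni.get("Groups", []):
            sg = groups_by_id.get(group["GroupId"])
            if sg is None:
                findings.append((eni["NetworkInterfaceId"], group["GroupId"],
                                 "security group not in inventory"))
                continue
            permissions = sg.get("IpPermissions", [])
            for port in sorted(admin_ports):
                if any(permission_exposes_port(p, port) for p in permissions):
                    findings.append((
                        eni["NetworkInterfaceId"], sg["GroupId"],
                        f"port {port} reachable from the internet via {public_ip}"))
    return findings


# Constructed sample: i-app follows the article's pattern (private admin ENI
# at device index 0, public user ENI at index 1); i-legacy exposes SSH publicly.
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-admin", "Groups": [{"GroupId": "sg-admin"}],
     "Attachment": {"InstanceId": "i-app", "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-users", "Groups": [{"GroupId": "sg-users"}],
     "Attachment": {"InstanceId": "i-app", "DeviceIndex": 1},
     "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-legacy", "Groups": [{"GroupId": "sg-legacy"}],
     "Attachment": {"InstanceId": "i-legacy", "DeviceIndex": 0},
     "Association": {"PublicIp": "203.0.113.11"}},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-users", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_INTERFACES, SAMPLE_GROUPS):
        print(*finding)
```

Run against the constructed sample, only `eni-legacy` is reported; the two interfaces on `i-app` pass because the admin interface has no public IP and the public interface's group only opens port 443. Feeding the check real `describe-*` output on a schedule turns the article's design rule into something that is enforced.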
Using Network Interfaces For Identity Transitions
Many use cases involve asserting the identity of an instance using its MAC address. The problem with this approach is that if the instance goes down or if the identity verifier has to be connected to another instance, the verification fails.
AWS ENI can solve this problem by carrying the identity of one instance, including its MAC address, over to another instance through reassignment. Once the original instance's network interface is attached to it, the second instance assumes the identity of the first.
Such requirements are common in licensing arrangements where organizations use the MAC address to verify the authenticity of approved licenses.
Conclusion
Elastic Network Interfaces provide much-needed flexibility in network configuration by separating the network module from the instance configuration. Traditionally a network card was envisioned as tightly coupled to the instance hardware. By abstracting the network card into a logical component defined by code, AWS ensures that instances are loosely coupled to their subnets.
The relationship between instances and their network is fully defined by elastic network interfaces that can be attached to any instance. This helps developers build systems with improved resilience, robustness, and security.