Mastering Elastic Network Interfaces (ENIs) in AWS

Aug 08, 2025

Core ENI Concepts

ENI = Virtual Network Card
- It’s what connects your EC2 instance to the VPC network.
- Every EC2 instance automatically gets a primary ENI (eth0).
- You can attach additional ENIs (eth1, eth2...) manually.
Each ENI can have:
- 1 Primary Private IPv4
- 0 or more Secondary Private IPv4s
- 1 Elastic IP per private IP (optional)
- 0 or more Public IPv4s (depends on settings)
- Security groups
- MAC address (useful for license-based software)

Failover / High Availability
- Move a secondary ENI from a failed EC2 instance to a standby EC2.
- Keeps private IP and MAC address, useful for fast recovery and static IP use.
MAC-bound Licensing
- Some software requires a static MAC address. Moving ENI keeps the license working.
Multi-Homed EC2s
- EC2 with multiple ENIs to separate public traffic (eth0) from private backend traffic (eth1).
Security Isolation
- Assign different security groups to different ENIs to control traffic paths tightly.

Each instance type has limits on how many ENIs and IPs you can attach.
(E.g., t2.micro has 2 ENIs, up to 2 private IPs per ENI)
ENIs created with EC2 get deleted when instance is terminated (default behavior).
ENIs created manually do not get deleted unless you delete them yourself.
You can only attach ENIs to instances in the same AZ.

📝 Sample Question Types:

How to achieve fast failover between EC2 instances with static private IP?
→ Use a secondary ENI that can be moved.
What happens when you terminate an EC2 with an attached manually created ENI?
→ ENI remains.
Can you move an ENI from us-east-1a to us-east-1b?
→ ❌ No, ENIs are AZ-bound.
You need to attach a second ENI to an EC2 — what do you need to consider?
→ Instance type limits, subnet AZ, IP assignment, and security groups.

Set up:

Observe how: