CloudWiki
Resource

ENI

Amazon Web Services
Network
An Elastic Network Interface (ENI) is a virtual network interface that can be attached to an EC2 instance in a Virtual Private Cloud (VPC). ENIs allow EC2 instances to communicate with other resources in the VPC, such as other EC2 instances or databases, and can also be used to connect to the internet or other external networks. They provide a set of attributes, such as a MAC address, IP address, and security group, that allow an instance to access resources securely and reliably. One of the key benefits of ENIs is their ability to be attached and detached from EC2 instances on demand, providing flexibility and scalability in managing network resources. ENIs can also be used to create highly available architectures, such as creating a network interface in multiple availability zones for an EC2 instance to ensure that it is always available even if one availability zone experiences an outage.
Terraform Name
terraform
aws_network_interface
ENI
attributes:

The following arguments are required:

  • subnet_id - (Required) Subnet ID to create the ENI in.

The following arguments are optional:

  • attachment - (Optional) Configuration block to define the attachment of the ENI. See Attachment below for more details!
  • description - (Optional) Description for the network interface.
  • interface_type - (Optional) Type of network interface to create. Set to efa for Elastic Fabric Adapter. Changing interface_type will cause the resource to be destroyed and re-created.
  • ipv4_prefix_count - (Optional) Number of IPv4 prefixes that AWS automatically assigns to the network interface.
  • ipv4_prefixes - (Optional) One or more IPv4 prefixes assigned to the network interface.
  • ipv6_address_count - (Optional) Number of IPv6 addresses to assign to a network interface. You can't use this option if specifying specific ipv6_addresses. If your subnet has the AssignIpv6AddressOnCreation attribute set to true, you can specify 0 to override this setting.
  • ipv6_address_list_enabled - (Optional) Whether ipv6_address_list is allowed and controls the IPs to assign to the ENI and ipv6_addresses and ipv6_address_count become read-only. Default false.
  • ipv6_address_list - (Optional) List of private IPs to assign to the ENI in sequential order.
  • ipv6_addresses - (Optional) One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet. Addresses are assigned without regard to order. You can't use this option if you're specifying ipv6_address_count.
  • ipv6_prefix_count - (Optional) Number of IPv6 prefixes that AWS automatically assigns to the network interface.
  • ipv6_prefixes - (Optional) One or more IPv6 prefixes assigned to the network interface.
  • private_ip_list - (Optional) List of private IPs to assign to the ENI in sequential order. Requires setting private_ip_list_enabled to true.
  • private_ip_list_enabled - (Optional) Whether private_ip_list is allowed and controls the IPs to assign to the ENI and private_ips and private_ips_count become read-only. Default false.
  • private_ips - (Optional) List of private IPs to assign to the ENI without regard to order.
  • private_ips_count - (Optional) Number of secondary private IPs to assign to the ENI. The total number of private IPs will be 1 + private_ips_count, as a primary private IP will be assiged to an ENI by default.
  • security_groups - (Optional) List of security group IDs to assign to the ENI.
  • source_dest_check - (Optional) Whether to enable source destination checking for the ENI. Default true.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Attachment

The attachment block supports the following:

  • instance - (Required) ID of the instance to attach to.
  • device_index - (Required) Integer to define the devices index.

Associating resources with a
ENI
Resources do not "belong" to a
ENI
Rather, one or more Security Groups are associated to a resource.
Create
ENI
via Terraform:
The following HCL creates an Elastic network interface (ENI) resource
Syntax:

resource "aws_network_interface" "test" {
 subnet_id       = aws_subnet.public_a.id
 private_ips     = ["10.0.0.50"]
 security_groups = [aws_security_group.web.id]

 attachment {
   instance     = aws_instance.test.id
   device_index = 1
 }
}

Create
ENI
via CLI:
Parametres:

create-network-interface
[--description <value>]
[--dry-run | --no-dry-run]
[--groups <value>]
[--ipv6-address-count <value>]
[--ipv6-addresses <value>]
[--private-ip-address <value>]
[--private-ip-addresses <value>]
[--secondary-private-ip-address-count <value>]
[--ipv4-prefixes <value>]
[--ipv4-prefix-count <value>]
[--ipv6-prefixes <value>]
[--ipv6-prefix-count <value>]
[--interface-type <value>]
--subnet-id <value>
[--tag-specifications <value>]
[--client-token <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]

Example:

aws ec2 create-network-interface --subnet-id subnet-9d4a7b6c --description "my network interface" --groups sg-903004f8 --private-ip-address 10.0.2.17

aws cost
Costs
The cost of an Elastic Network Interface (ENI) depends on several factors, including the number of ENIs, the region where they are deployed, and the traffic that they generate. Here are some details: ENI usage: AWS charges a fixed hourly rate for each ENI in use, regardless of whether it is attached to an EC2 instance or not. Data transfer: AWS charges for data transfer in and out of ENIs. The cost depends on the amount of data transferred and the region where the data transfer occurs. Elastic IP addresses: If you attach an Elastic IP address to an ENI, there is an hourly charge for the Elastic IP address as well. Cross-AZ data transfer: If you use an ENI in multiple availability zones, there may be additional charges for cross-AZ data transfer.
Direct Cost

--

Indirect Cost
No items found.
Best Practices for
ENI

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services