Description:
An AWS Elastic Network Interface (ENI) is a logical networking component in a VPC that represents a virtual network card. An ENI is attached to an Amazon Elastic Compute Cloud (EC2) instance to give that instance network connectivity. Every network interface is associated with one or more security groups, either the VPC's default security group or groups you create and choose for it.
Rationale:
A security group acts as a virtual firewall that controls the traffic allowed to reach and leave the resources it is associated with. Because security groups are evaluated per network interface, the effective firewall of an instance is the set of groups on each of its interfaces, so a review of a security group has to cover every interface it is attached to.
Impact:
Security groups are associated with the ENI rather than with the instance itself. An instance with several ENIs can therefore be reached over several interfaces, each governed by a different set of security group rules, which is why the test below looks up interfaces by security group ID instead of looking at instances.
Default value:
Every network interface is always associated with at least one security group. If no security group is specified when the interface is created, AWS assigns the VPC's default security group, which allows all inbound traffic from other members of that same group and all outbound traffic.
Pre-Requisite:
An existing security group in the same VPC as the subnet in which the network interface is (or will be) created.
Remediation:
Test Plan:
AWS Console Process
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Security Groups.
- Click the security group you want to verify is attached to a network interface (ENI).
- Copy the security group ID.
- In the navigation pane, choose Network Interfaces.
- In the search field, choose the Security group ID filter and paste the security group ID.
- The results list every network interface the security group is attached to; an empty list means the group is attached to nothing.
Using AWS CLI:
This example lists the network interfaces (and the instances they are attached to) for the specified security group. An empty NetworkInterfaces list means the group is not attached to any interface.
aws ec2 describe-network-interfaces --filters Name=group-id,Values=<security-group-id> --query 'NetworkInterfaces[].[NetworkInterfaceId,Status,Attachment.InstanceId]' --output table
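The test plan above checks one security group at a time by hand. As an added example (not part of the original control text and not AWS tooling), the Python script below performs the same check over the JSON that `aws ec2 describe-network-interfaces --output json` and `aws ec2 describe-security-groups --query 'SecurityGroups[].GroupId' --output json` return, and goes slightly beyond the test plan: it also lists security groups attached to no interface at all, and interfaces that carry only the VPC default group. The embedded JSON, and every VPC, instance, ENI and security group ID in it, is constructed sample data in the shape of the real CLI output.

```python
"""Audit security-group usage from `aws ec2 describe-network-interfaces` output.

Added example, not part of the original control text. All identifiers below
are constructed. For real data, run:
  aws ec2 describe-network-interfaces --output json > enis.json
  aws ec2 describe-security-groups --query 'SecurityGroups[].GroupId' --output json > sgs.json
  python3 eni_sg_audit.py enis.json sgs.json
"""
import json
import sys
from collections import defaultdict

# Constructed sample mirroring the shape of describe-network-interfaces JSON.
# A detached interface ("Status": "available") has no "Attachment" key.
SAMPLE_ENIS = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60001", "VpcId": "vpc-0a0a0a0a0a0a0a0a0",
     "Description": "web server", "Status": "in-use",
     "Groups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "web-sg"}],
     "Attachment": {"InstanceId": "i-0111111111111111a", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60002", "VpcId": "vpc-0a0a0a0a0a0a0a0a0",
     "Description": "bastion", "Status": "in-use",
     "Groups": [{"GroupId": "sg-0fedcba9876543210", "GroupName": "default"}],
     "Attachment": {"InstanceId": "i-0222222222222222b", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60003", "VpcId": "vpc-0a0a0a0a0a0a0a0a0",
     "Description": "spare interface", "Status": "available",
     "Groups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "web-sg"},
                {"GroupId": "sg-0fedcba9876543210", "GroupName": "default"}]},
]})
# Constructed sample of `describe-security-groups --query 'SecurityGroups[].GroupId'`;
# the third group exists in the account but is attached to nothing.
SAMPLE_SG_IDS = json.dumps(["sg-0123456789abcdef0", "sg-0fedcba9876543210",
                            "sg-0deadbeef00000001"])


def load_interfaces(raw_json):
    """Return the NetworkInterfaces list from describe-network-interfaces output."""
    return json.loads(raw_json)["NetworkInterfaces"]


def security_group_usage(interfaces):
    """Map each security group ID to the sorted ENI IDs it is attached to."""
    usage = defaultdict(set)
    for eni in interfaces:
        for group in eni.get("Groups", []):
            usage[group["GroupId"]].add(eni["NetworkInterfaceId"])
    return {gid: sorted(enis) for gid, enis in usage.items()}


def enis_for_security_group(interfaces, group_id):
    """Offline equivalent of the console filter / --filters Name=group-id,Values=<id>."""
    return security_group_usage(interfaces).get(group_id, [])


def unused_security_groups(interfaces, all_group_ids):
    """Groups that exist but protect no interface: candidates for review or deletion."""
    return sorted(set(all_group_ids) - set(security_group_usage(interfaces)))


def enis_with_only_default_group(interfaces):
    """ENIs whose only group is the VPC default group (named "default"), i.e. nobody
    chose a group for them; the default group allows all traffic between its members."""
    return [eni["NetworkInterfaceId"] for eni in interfaces
            if {g["GroupName"] for g in eni.get("Groups", [])} == {"default"}]


def report(raw_enis, raw_sg_ids):
    """Build the audit lines for a pair of CLI JSON documents."""
    interfaces = load_interfaces(raw_enis)
    lines = []
    for gid, enis in sorted(security_group_usage(interfaces).items()):
        lines.append(f"{gid}: attached to {', '.join(enis)}")
    for gid in unused_security_groups(interfaces, json.loads(raw_sg_ids)):
        lines.append(f"{gid}: NOT attached to any network interface")
    for eni_id in enis_with_only_default_group(interfaces):
        lines.append(f"{eni_id}: carries only the VPC default security group")
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_enis, open(sys.argv[2]) as f_sgs:
            enis_json, sgs_json = f_enis.read(), f_sgs.read()
    else:
        enis_json, sgs_json = SAMPLE_ENIS, SAMPLE_SG_IDS
    print("\n".join(report(enis_json, sgs_json)))
```

Run without arguments it audits the embedded sample; with two file arguments it audits saved CLI output. The default-group check keys on the group name because the VPC default security group is always named "default" and cannot be renamed.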
Implementation Plan:
AWS Console Process
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Network Interfaces.
- Choose Create network interface.
- (Optional) For Description, enter a descriptive name.
- For Subnet, choose the subnet the interface should live in.
- For Security groups, select the desired security groups; if you select none, the VPC default security group is assigned.
- (Optional) For each tag, choose Add new tag and enter a tag key and an optional tag value.
- Choose Create network interface.
Using AWS CLI:
This example creates a network interface in the specified subnet, with the specified security group and private IP address. The --groups option is optional; omitting it assigns the VPC default security group.
aws ec2 create-network-interface --subnet-id subnet-9d4a7b6c --description "my network interface" --groups sg-903004f8 --private-ip-address 10.0.2.17
To change the security groups of an existing network interface instead of creating a new one, pass the complete new set of groups (the list replaces the current one):
aws ec2 modify-network-interface-attribute --network-interface-id eni-e5aa89a3 --groups sg-903004f8
Backout plan:
AWS Console Process
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Network Interfaces.
- Select the desired network interface and choose Actions.
- Choose Delete, then confirm.
Using AWS CLI:
This example deletes the specified network interface. A network interface must be detached from its instance before it can be deleted, and the primary interface of a running instance cannot be deleted. If the command succeeds, no output is returned.
aws ec2 delete-network-interface --network-interface-id eni-e5aa89a3
References:
create-network-interface, AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-network-interface.html
delete-network-interface, AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-network-interface.html