AWSGlossary

Elastic Network Interface (ENI): What It Is and When to Use It

Definition

An Elastic Network Interface (ENI) is a logical networking component in an Amazon Virtual Private Cloud (VPC) that represents a virtual network card. It provides the fundamental network connectivity for your Amazon Elastic Compute Cloud (EC2) instances, allowing them to communicate with other resources within the VPC and the internet. ENIs are designed to be portable, enabling flexible and resilient network architectures.

How It Works

Think of an ENI as a virtual Network Interface Card (NIC) that you can create, configure, attach to an EC2 instance, detach from it, and attach to another instance. This portability is a key characteristic. The attributes of an ENI—such as its IP addresses, MAC address, and security group associations—follow it as it is moved between instances.

Every EC2 instance launched in a VPC has a primary network interface (eth0) that is created and attached automatically. This primary ENI cannot be detached from the instance. However, you can create and attach additional secondary ENIs to your instances. The number of ENIs and private IP addresses you can attach varies by instance type.

An ENI has the following core attributes:

  • A Primary Private IPv4 Address: Assigned from the address range of your VPC's subnet.
  • One or more Secondary Private IPv4 Addresses: You can assign additional private IPs to an ENI.
  • One Elastic IP Address (EIP) per Private IPv4 Address: An EIP is a static, public IPv4 address that can be associated with an ENI's private IP.
  • One Public IPv4 Address: Can be auto-assigned to the primary ENI (eth0) when an instance is launched.
  • One or more IPv6 Addresses: Can be assigned if the VPC and subnet are enabled for IPv6.
  • A MAC Address: A unique hardware address for the interface.
  • Security Groups: One or more security groups act as a virtual firewall to control inbound and outbound traffic.

An ENI must be created within a specific Availability Zone (AZ) and can only be attached to an instance in that same AZ. You cannot move an ENI to a different AZ or Region.

Key Features and Limits

  • Portability: Secondary ENIs can be detached from one instance and attached to another within the same Availability Zone, enabling rapid failover.
  • Multiple Interfaces: Instances can have multiple ENIs, allowing for the creation of dual-homed instances that connect to different subnets, potentially with different security and routing policies.
  • IP Address Management: ENIs support multiple private IPv4 and IPv6 addresses, as well as Elastic IP addresses. This is useful for hosting multiple websites or applications on a single instance.
  • Security: Each ENI can have its own set of security groups, allowing for granular traffic filtering for different network connections on the same instance.
  • Enhanced Networking: Certain instance types support Enhanced Networking, which uses the Elastic Network Adapter (ENA) to provide higher bandwidth, higher packet-per-second (PPS) performance, and lower inter-instance latency.
  • ENI Trunking: Supported on specific instance types, this feature increases the number of available ENIs for workloads like containers running in awsvpc mode on Amazon Elastic Container Service (ECS), allowing for higher density.
  • Service Limits: The maximum number of ENIs and the number of IP addresses per ENI that can be attached to an instance are determined by the instance type. Always consult the official AWS documentation for the most current limits.

Common Use Cases

  1. High-Availability and Low-Cost Failover: In a failure scenario, you can detach a secondary ENI from a primary instance and attach it to a hot-standby instance in the same AZ. Because the ENI retains its private IPs, EIP, and MAC address, network traffic is redirected to the standby instance almost instantly, minimizing downtime without requiring DNS changes.

  2. Network and Security Appliances: Create virtual appliances like firewalls, intrusion detection/prevention systems, or NAT servers. These instances can have multiple ENIs: one facing the internet (in a public subnet) and another facing your internal network (in a private subnet) to inspect or route traffic.

  3. Dual-Homed Instances and Traffic Segregation: Attach multiple ENIs to an instance to connect it to different subnets. A common pattern is to create a management network, where one ENI handles management traffic (like SSH) on a private, restricted subnet, while another ENI handles public application traffic.

  4. Container Networking (Amazon ECS): When using the awsvpc network mode in Amazon ECS, each task receives its own ENI. This simplifies container networking by giving each task a unique IP address from the VPC, improving security and simplifying service discovery.

  5. Licensing: Some software licenses are tied to a specific MAC address. By using a secondary ENI, you can retain the same MAC address even if you need to move the software to a new underlying EC2 instance.

Pricing Model

  • Elastic Network Interfaces: There is no additional charge for creating or attaching ENIs themselves.
  • Associated Charges: You are billed for the standard usage of other AWS resources associated with your ENIs. These can include:
    • EC2 Instance Hours: For the instances the ENIs are attached to.
    • Public IPv4 Addresses: AWS charges an hourly fee for all public IPv4 addresses, including those on EC2 instances and Elastic IP addresses.
    • Data Transfer: Standard AWS data transfer charges apply for data transferred in and out of your ENIs. Cross-Availability Zone data transfer incurs costs.
    • VPC Endpoints (AWS PrivateLink): If an ENI is created for an interface VPC endpoint, you are charged an hourly rate for the endpoint ENI and a per-GB data processing fee.

Always consult the official AWS Pricing page and the AWS Pricing Calculator for the most up-to-date information.

Pros and Cons

Pros:

  • Flexibility: Decouples network identity from the EC2 instance lifecycle, enabling dynamic and resilient architectures.
  • High Availability: Provides a simple and effective mechanism for instance-level failover within an Availability Zone.
  • Enhanced Security: Allows for fine-grained security controls by applying different security groups to different interfaces on the same instance.
  • Simplified Networking: Enables complex network topologies, such as multi-homed instances and virtual network appliances.

Cons:

  • Availability Zone Limitation: ENIs are scoped to a single Availability Zone. They cannot be attached to instances in other AZs, which limits their use for multi-AZ failover strategies (for which an Elastic Load Balancer is a better choice).
  • Management Complexity: Managing multiple ENIs, their IP addresses, and security groups can add complexity to your network configuration and automation scripts.
  • Instance Type Dependency: The number of ENIs and IPs you can use is constrained by the EC2 instance type, which requires careful planning during instance selection.

Comparison with Alternatives

ENI vs. Elastic IP Address (EIP):

  • An ENI is a virtual network card. It can have multiple private IPs, one or more EIPs, a MAC address, and security groups. It is the object to which IP addresses are attached.
  • An EIP is a static, public IPv4 address that you can allocate to your account. You can associate an EIP with an EC2 instance or, more specifically, with a private IP address on an ENI attached to an instance. While re-associating an EIP is a failover mechanism, moving an entire ENI is more comprehensive as it transfers all network attributes (private IPs, MAC address, etc.) at once.

ENI vs. Elastic Network Adapter (ENA) vs. Elastic Fabric Adapter (EFA):

  • ENI (Elastic Network Interface): The logical networking component, the virtual card itself.
  • ENA (Elastic Network Adapter): A custom network interface hardware and driver combination used for Enhanced Networking on supported EC2 instances. It's the underlying technology that provides higher network performance to an ENI. An ENI on a supported instance type will use ENA.
  • EFA (Elastic Fabric Adapter): A specialized type of ENI designed for High-Performance Computing (HPC) and machine learning workloads. It provides all the functionality of an ENA but adds OS-bypass capabilities, allowing applications to communicate directly with the network hardware for extremely low latency and high throughput.

Exam Relevance

Elastic Network Interfaces are a fundamental networking concept and appear frequently on several AWS certification exams:

  • AWS Certified Solutions Architect – Associate (SAA-C03): Expect questions on use cases for multiple ENIs, such as creating a management network or implementing a NAT instance. Understanding the role of ENIs in high-availability and failover scenarios is crucial.
  • AWS Certified SysOps Administrator – Associate (SOA-C02): Focuses on the operational aspects, such as attaching, detaching, and managing ENIs and their associated security groups.
  • AWS Certified Solutions Architect – Professional (SAP-C02): Requires a deep understanding of how to use ENIs in complex, multi-VPC, and hybrid network architectures for resilience and security.
  • AWS Certified Advanced Networking – Specialty (ANS-C01): This exam requires expert-level knowledge. You'll need to know the intricate details of ENI attributes, performance characteristics (including ENA and EFA), and their role in advanced routing and security patterns.

Frequently Asked Questions

Q: Can I move an ENI to a different Availability Zone or Region?

A: No. An ENI is bound to the Availability Zone in which it was created. You cannot detach it and reattach it to an instance in a different AZ or AWS Region.

Q: What is the difference between a primary and a secondary ENI?

A: Every EC2 instance has one primary ENI (eth0) that is created and deleted with the instance; it cannot be detached. Secondary ENIs are created independently and can be attached to and detached from compatible instances within the same Availability Zone.

Q: How many ENIs can I attach to my EC2 instance?

A: The maximum number of ENIs you can attach, and the maximum number of IP addresses per ENI, depends on the EC2 instance type. You must consult the AWS documentation for the specific limits for each instance family and size.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/13/2026 / Updated: 5/13/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Networking

API Gateway REST vs HTTP: How It Works & When to Use It

Amazon API Gateway offers REST APIs and HTTP APIs. Understand their differences, features, and pricing to choose the right one for your needs. Learn when to choose it.

AWS Global Accelerator: Improve App Performance & Availability

AWS Global Accelerator improves application availability and performance for users worldwide. Get static IPs, optimize traffic routing. Learn when to use it.

CloudFront OAC: How It Works & When to Use It

CloudFront Origin Access Control (OAC) restricts S3 bucket access to CloudFront distributions. Learn how it enhances security and when to use it.

AWS Data Transfer Costs: The Hidden Bill Explained (2026 Guide)

AWS data transfer pricing decoded: internet egress, cross-AZ, cross-region, NAT Gateway, VPC peering, CloudFront, and public IPv4. Avoid surprise bills with this guide.

CloudFront Signed URLs: Secure Private Content Access

CloudFront Signed URLs provide temporary, secure access to private content via CloudFront CDN. Protect paid media, docs, or downloads. Learn how to use them.

View all Networking terms →