Ref: https://learn.cantrill.io/courses/1820301/lectures/41301331

• Summary
• Contents:

EC2 Networking - Architecture

• 🔧 Networking in EC2 is done via ENIs (Elastic Network Interfaces)
  • Diagram
• Every EC2 instance has at least one ENI: the primary ENI
  • 💡 Loosely speaking, an EC2 instance and its primary ENI can be thought of as the same thing when talking networking
    • ❗ but in correct technical terms, NW configs are in the ENI, not in the instance itself!
• Additional secondary ENIs can be attached to an instance
  • They can be in a different subnet, as long as the subnet is in the same AZ
  • Number of possible secondary ENIs depends on instance type & size
  • They can be detached from an instance and reattached to another instance (main difference between primary ENI and secondary ENIs)
• Multiple ENIs can be used for multi-homed systems (different subnets)
  • e.g. Management and data can both be managed by the same instance with an ENI in the Management subnet and an ENI in the Data subnet

ENI Attributes and Configurations per EC2 Instance

‼️ The AWS Management Console UI may show all of these attributes attached/belonging to an EC2 instance, but they're actually attached to its ENI(s)!!

• 1 MAC address
  • HW address of the ENI
  • Can be used for SW licensing
    • A lot of legacy SW is licensed to specific MAC addresses (because MAC address is viewed as something static)
    • EC2 is a virtualized environment → we can swap & change ENIs
    • 👍 Reattach an ENI to a different instance = effectively move licensing to another instance → powerful feature
• 1 Primary private IPv4 address (e.g. 10.16.0.10)
  • Static → doesn't change during lifetime of instance
  • A private DNS name can be associated (e.g. ip-10-16-0-10.ec2.internal)
    • only resolvable inside the VPC
• 0+ secondary private IPv4 addresses
  • Dynamic (can change if you move ENIs)
• 0-1 public IPv4 address (e.g. 3.89.7.136)
  • Dynamic → not fixed
    • Changes if instance is stopped and started again, or moves to new host
      • ‼️ Simple instance restart will NOT change the public IP!
      • When instance is stopped → public IP deallocated
      • When instance starts after being stopped → new public IP allocated
    • If reassigning public IPv4 is to be avoided, use an Elastic IP (EIP) = fixed IPv4
  • A public DNS name can be associated (e.g. ec2-3-89-7-136.compute-1.amazonaws.com)
    • Inside the VPC it will resolve to the primary private IP
      • no need for traffic to go out of the IGW to come back in
    • Outside of the VPC it will resolve to the public IP
    • 👍 Different Inside/outside VPC behavior (useful for hybrid NWing & NW peering)
  • ‼️ Actually stored in the IGW of the VPC, not really attached to the ENI!
    • ❗ Can NOT be seen natively inside the instance OS!
    • ❗ In AWS an ENI never configures a public IPv4 address
• Up to 1 Elastic IP per private IPv4 address
  • An AWS account has a pool of 50 elastic IPs
  • Elastic IP (EIP) = static, public IPv4 address that can be allocated to specific resources
    • Can be associated to a private IPv4 in primary or secondary ENIs
    • Persists even if instance is stopped and started again, or moves to new host
    • If associated to primary ENI → current (non-elastic) public IPv4 removed
    • If disassociated from primary ENI → new public IPv4 assigned
      • ❗ no way to get the old public IP back
    • ❗ You get billed for all allocated EIPs in your account! If you're not using an EIP and don't need to reserve that IP, be sure to deallocate it!
• 0+ IPv6s
• Security Groups (SGs)
  • 🔧 SG permissions impact all the IPs in the ENI
  • ❗ Possible for an instance to have multiple different ENIs with different SGs
    • Allows to establish different rules for different IPs or for different IP accesses
• Source/Destination Check
  • Enabled by default
  • If enabled, discards any traffic that doesn't have SRC or DST equal to one of ENI IPs
  • ❗ Must be disabled to configure e.g. a NAT instance