About FNIs

Flexible network interfaces (FNIs) are additional virtual network interfaces that you can attach to instances in a Virtual Private Cloud (VPC). They act as virtual network cards that enable you to partition your network and to redirect the network traffic to another instance, as they can be detached and attached to another instance at any time.

FNIs have one or more private IPs assigned, and optionally a public IP.

Primary Network Interface and FNIs

Instances are created with a default network interface, to which a private IP is assigned. This network interface is called the primary network interface and cannot be detached from the instance. The IPs assigned to an instance are actually assigned to this primary network interface.

You can create additional network interfaces that you can attach to and detach from instances in a VPC at any time. These additional network interfaces are called flexible network interfaces (FNIs). FNIs enable instances to be connected to several networks and to partition the instance network. This may be required for security reasons if, for example, you want to use different networks for different roles within your organization, or different services for different customers.

FNIs do not increase the instance network bandwidth.

The maximum number of FNIs that you can attach to an instance depends on the instance type. For more information, see Instance Types.

FNIs Attributes

An FNI includes the following attributes:

  • An ID in the eni-XXXXXX format, which is automatically assigned to the FNI when it is created.

  • (optional) A description.

  • A primary private IP, either automatically assigned by the DHCP server or manually defined by you.

  • (optional) One or more secondary private IPs. Adding several private IPs partitions the instance network. This also enables you to have multiple IPs for an instance. For more information, see Assigning Secondary Private IPs to an FNI.

    All private IPs (primary and secondary) assigned to an FNI must be in the IP range of the subnet of the FNI.

  • (optional) A public IP, through the use of an External IP (EIP) attached to the FNI. For more information, see Associating an EIP with an Instance or a Network Interface.

    By default, instances in a VPC do not have access to and cannot be accessed from the Internet. To enable access to and from the Internet, you need to attach an EIP to the instance (primary network interface) or to an FNI, a route table to the subnet where the instance or the FNI is, and an Internet gateway to the VPC. The Internet traffic goes from the FNI to the Internet through the corresponding routing table and the Internet gateway. For more information, see Virtual Private Clouds (VPCs).

  • One or more security groups associated with the FNI. As the IPs assigned to an instance are in reality assigned to its primary network interface, the behavior of the security groups is the same for instances and for FNIs. For more information, see Security Groups.

  • A Media Access Control (MAC) address to physically identify the FNI.

  • (optional) A source/destination check flag, to send or receive traffic on behalf of another instance.

A private DNS name associated with the primary private IP is assigned to the FNI. If you assign one or more secondary private IPs, a private DNS name associated with each one of them is also assigned to the FNI. However, the private DNS name used and returned by default is the private DNS name associated with the primary private IP. If you attach an EIP to an FNI, the public DNS name associated with it is also assigned to this FNI.

FNIs Attachment to Instances

You can attach an FNI to an instance or detach it from an instance at any time, regardless of the state of the instance. For more information, see Attaching an FNI to an Instance and Detaching an FNI from an Instance.

You can also create and attach FNIs to an instance at launch. For more information, see Creating / Launching Instances.

An attachment ID in the eni-attach-XXXXXXXX format is assigned to the FNI each time you attach it to an instance. When you attach an FNI to an instance, you also need to specify a device index for the attachment between 1 and 7 (both included). Device index 0 is reserved for the primary network interface of the instance.

The attributes of an FNI remain when the FNI is detached and attached to another instance. When you attach an FNI to another instance, the traffic related to this FNI is automatically redirected to this instance. An FNI can only be attached to one instance at a time.

While VPCs are available for a Region, FNIs are created in a subnet and are available for the Availability Zone (AZ) of this subnet only. Therefore, you can attach FNIs only to instances placed in subnets within this AZ.

  • Attaching several FNIs placed in the same subnet to an instance may cause networking issues such as asymmetric routing. Whenever possible, use FNIs from different subnets, or secondary private IPs on the primary network interface or on an FNI.

  • FNIs depend on the subnet where they are located. Therefore, the FNI network traffic is routed using the route table associated with this subnet, independently from the instance it is attached to.

The following schema shows:

  • An instance A with two FNIs (FNI 1 and FNI 2) placed in subnet 1 and subnet 2, belonging to the same AZ.

  • An instance B with one FNI (FNI 3) placed in subnet 2.

  • The way traffic is routed from FNI 3 to FNI 1 using the route table 2 associated with subnet 2.

[Figure: Subnets, Instance and FNIs Infrastructure]

  • Traffic between FNIs placed in the same subnet is locally routed.

  • Network interfaces are placed in subnets, but the instances themselves are not. In fact, when creating a VPC infrastructure, placing an instance in a subnet corresponds to placing its primary network interface in this subnet. Attaching additional FNIs placed in different subnets to an instance therefore enables it to be present in different subnets.
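Because routing follows the subnet of each interface and not the instance, an exposure review has to be done per interface. The following added example (not part of the original documentation) applies the three Internet-access conditions described above (EIP, route in the subnet's route table, Internet gateway on the VPC) to every interface, and reports instances that are reachable only through an FNI. The data model, field names and IDs are constructed for illustration and are not an API schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Subnet:
    subnet_id: str
    vpc_id: str
    route_targets: set  # targets of the route table associated with this subnet

@dataclass
class Fni:
    fni_id: str
    subnet_id: str
    instance_id: Optional[str]    # None when the FNI is not attached
    device_index: Optional[int]   # 0 = primary network interface
    eip: Optional[str] = None

def internet_paths(fnis, subnets, vpc_gateways):
    """Return {instance_id: [fni_id, ...]} for interfaces that meet all three conditions."""
    exposed = {}
    for fni in fnis:
        subnet = subnets[fni.subnet_id]
        igw = vpc_gateways.get(subnet.vpc_id)  # Internet gateway attached to the VPC, if any
        if fni.instance_id and fni.eip and igw and igw in subnet.route_targets:
            exposed.setdefault(fni.instance_id, []).append(fni.fni_id)
    return exposed

def exposed_via_fni_only(fnis, subnets, vpc_gateways):
    """Instances whose primary interface has no Internet path but an attached FNI does."""
    paths = internet_paths(fnis, subnets, vpc_gateways)
    primary = {f.instance_id: f.fni_id for f in fnis if f.device_index == 0}
    return sorted(i for i, ids in paths.items() if primary.get(i) not in ids)

# Constructed sample inventory (all IDs and addresses are made up).
SUBNETS = {
    "subnet-private": Subnet("subnet-private", "vpc-1", {"local"}),
    "subnet-public": Subnet("subnet-public", "vpc-1", {"local", "igw-1"}),
}
VPC_GATEWAYS = {"vpc-1": "igw-1"}
FNIS = [
    Fni("eni-aaa", "subnet-private", "i-db", 0),
    Fni("eni-bbb", "subnet-public", "i-db", 1, eip="203.0.113.10"),
    Fni("eni-ccc", "subnet-public", "i-web", 0, eip="203.0.113.11"),
    Fni("eni-ddd", "subnet-private", "i-web", 1, eip="203.0.113.12"),  # EIP, but no route
]

if __name__ == "__main__":
    print(exposed_via_fni_only(FNIS, SUBNETS, VPC_GATEWAYS))
```

Here the instance i-db sits in the private subnet through its primary interface, yet it has an Internet path through the FNI placed in the public subnet.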

An FNI can be in one of the following states:

  • available: The FNI is created and available to be attached to an instance.

  • attaching: The attachment process of the FNI to an instance is in progress.

  • in-use: The FNI is attached to an instance, and can send and receive network traffic.

  • detaching: The detachment process of the FNI from an instance is in progress.

Additionally, an FNI can be in one of the following attachment states:

  • attaching: The attachment process of the FNI to the specified instance is in progress.

  • attached: The attachment process of the FNI to the specified instance is finished.

  • detaching: The detachment process of the FNI from the specified instance is in progress.

  • detached: The detachment process of the FNI from the specified instance is finished.
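The attachment rules in this section can be checked before an FNI is attached. The following added example (not part of the original documentation) validates the device index, the FNI state, the Availability Zone, and the same-subnet case that can cause asymmetric routing. The data model and IDs are constructed; rejecting a device index that is already in use, and counting the primary interface in the same-subnet check, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fni:
    fni_id: str
    subnet_id: str
    az: str
    state: str  # available | attaching | in-use | detaching
    instance_id: Optional[str] = None
    device_index: Optional[int] = None  # 0 = primary network interface

def check_attach(fni, instance_id, instance_az, device_index, all_fnis):
    """Return (errors, warnings) for attaching `fni` to `instance_id`."""
    errors, warnings = [], []
    attached = [f for f in all_fnis if f.instance_id == instance_id]
    if not 1 <= device_index <= 7:
        errors.append("device index must be between 1 and 7 (0 is the primary interface)")
    elif any(f.device_index == device_index for f in attached):
        # Assumption: one interface per device index on a given instance.
        errors.append(f"device index {device_index} already used on {instance_id}")
    if fni.state != "available":
        errors.append(f"{fni.fni_id} is {fni.state}; an FNI attaches to one instance at a time")
    if fni.az != instance_az:
        errors.append(f"{fni.fni_id} is in {fni.az}, instance is in {instance_az}")
    # Assumption: the primary interface counts as well as FNIs for this warning.
    if any(f.subnet_id == fni.subnet_id for f in attached):
        warnings.append(f"{instance_id} already has an interface in {fni.subnet_id}: "
                        "risk of asymmetric routing")
    return errors, warnings

# Constructed sample inventory (all IDs are made up).
INVENTORY = [
    Fni("eni-primary", "subnet-1", "az-a", "in-use", "i-A", 0),
    Fni("eni-1", "subnet-2", "az-a", "in-use", "i-A", 1),
    Fni("eni-2", "subnet-2", "az-a", "available"),
    Fni("eni-3", "subnet-3", "az-b", "available"),
]

if __name__ == "__main__":
    for fni, index in ((INVENTORY[2], 2), (INVENTORY[3], 0)):
        print(fni.fni_id, check_attach(fni, "i-A", "az-a", index, INVENTORY))
```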
