How can I make my secondary network interface work in my Ubuntu EC2 instance?

Last updated: 2021-01-19

How can I make my secondary network interface work in my Ubuntu Amazon Elastic Compute Cloud (Amazon EC2) instance?

Short description

Warning: The use of a second elastic network interface is intended for advanced users. Use a second elastic network interface only if you can't use a single network interface and you must attach two network interfaces belonging to the same subnet to a single instance. To avoid asymmetric routing issues, use a single elastic network interface, or place duplicate elastic network interfaces into non-overlapping subnets.

Adding a secondary network interface to a non-Amazon Linux EC2 instance causes traffic flow issues. These issues occur because the primary and secondary network interfaces are in the same subnet, and there is one routing table with one gateway. Traffic that comes into the secondary network interface leaves the instance using the primary network interface. But this isn't allowed, because the secondary IP address doesn't belong to the MAC address of the primary network interface.

To make the secondary interface work after creating it, do the following:

  1. Configure the routing table.
  2. Set up rules in the custom routing table policy database so that traffic for the secondary interface uses the new routing table.

Before you start, understand Amazon EC2 instances are in the AWS Cloud, and as such, not all use-cases benefit from having multiple interfaces. The following are examples when you might not need to use a secondary network interface:

  • Increasing network throughput. Network throughput won't increase, as limits are set based on the instance type and size. For more information, see Amazon EC2 instance types.
  • Increasing Elastic IP addresses. If you're running out of Elastic IP addresses per interface, you might not need to add more interfaces to get more Elastic IP addresses. Most applications work well with the domain name system. For example, Apache can use name-based virtual hosts.

Note: The steps for adding a secondary network interface are different for each of the following Ubuntu versions:

  • Ubuntu 14.04
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04

Resolution

Note: Although the steps in the following resolution were tested on the listed Linux versions, slight modifications might be needed due to custom settings on your configuration.

Configuring Ubuntu 14.04 or 16.04

Creating the secondary interface configuration file, configuring the routing table, and setting routing policy rules for Ubuntu can be done using a single file.

All procedures must be run with root user privileges. Either become the root user with sudo -i or run all commands with sudo.

1.    Run the following command to get the name of the primary network interface:

ip a | grep ^[[:digit:]]

The output is similar to the following:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000

Important: In the previous example, the primary interfaces are named eth0, eth1, and so on. However, for instances that support enhanced networking, such as the m4 and m5 family type, you might see a naming inconsistency. For example, the primary might be named ens3 if the secondary is named eth0. This naming inconsistency happens when the secondary interface is added when the instance is running.

You can avoid a naming inconsistency by adding the interface at launch time, or rebooting the instance. Or, if the interface is running, you can change the name using the following command:

ip link set eth0 name ens4 && ip link set ens4 up

2.    Create a configuration file for the secondary interface. This example uses a secondary interface of 'eth1'. Be sure to change 'eth1' to match your secondary interface name as found in step 1.

vi /etc/network/interfaces.d/51-eth1.cfg

The following is an example for a single IP address of 172.31.21.115, and with a gateway of 172.31.16.1 on the secondary interface. Be sure to change the IP address and gateway to your scenario. Also note that your gateway must be the first valid IP address in your subnet.

auto eth1
iface eth1 inet static 
address 172.31.21.115
netmask 255.255.240.0

# Gateway configuration
up ip route add default via 172.31.16.1 dev eth1 table 1000

# Routes and rules
up ip route add 172.31.21.115 dev eth1 table 1000
up ip rule add from 172.31.21.115 lookup 1000

The following is an example for multiple IP addresses. In this example the IP addresses are 172.31.21.115 and 172.31.18.46, and with a gateway of 172.31.16.1. Be sure to update the IP addresses and gateway to your scenario.

auto eth1

# Enter one or more IP settings
iface eth1 inet static
address 172.31.21.115
netmask 255.255.240.0

iface eth1 inet static
address 172.31.18.46
netmask 255.255.240.0

# Default gateway for eth1
up ip route add default via 172.31.16.1 dev eth1 table 1000

# A route for every IP
up ip route add 172.31.21.115 dev eth1 table 1000
up ip route add 172.31.18.46 dev eth1 table 1000

# A policy rule for every IP
up ip rule add from 172.31.21.115 lookup 1000
up ip rule add from 172.31.18.46 lookup 1000

3.    Create the restrict-default-gw file to prevent the default gateway from being overwritten on the main table:

vi /etc/dhcp/dhclient-enter-hooks.d/restrict-default-gw

4.    Add the following lines to the restrict-default-gw file. Be sure to change 'eth0' to your primary interface name as found in step 1.

case ${interface} in
  eth0)
    ;;
  *)
    unset new_routers
    ;;
esac

5.    Restart the network:

Ubuntu 14.04:

(ifdown eth1 && ifup eth1)

Ubuntu 16.04:

systemctl restart networking

Configuring Ubuntu 18.04 and 20.04

Ubuntu 18.04 and 20.04 use the Netplan networking configuration. The following example uses the Netplan configuration. Note that Netplan uses YAML format, meaning indentation is crucial. The example below uses a 2-space indentation.

Note: Run all commands with root user privileges. Either become the root user with 'sudo -i' or run all commands with 'sudo'.

1.    Create a configuration file for the secondary interface:

vi /etc/netplan/51-eth1.yaml

2.    Add the following lines to the 51-eth1.yaml file. Make sure you edit the following example to match your use case:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
       - 172.31.24.153/20
       - 172.31.28.195/20
      dhcp4: no
      routes:
       - to: 0.0.0.0/0
         via: 172.31.16.1 # Default gateway
         table: 1000
       - to: 172.31.24.153
         via: 0.0.0.0
         scope: link
         table: 1000
       - to: 172.31.28.195
         via: 0.0.0.0
         scope: link
         table: 1000
      routing-policy:
        - from: 172.31.24.153
          table: 1000
        - from: 172.31.28.195
          table: 1000

The preceding example YAML file is configuring two IP addresses on the secondary interface (eth1).

Note: To find the CIDR range to use in the YAML file, do the following

1.    Open the Amazon EC2 console, select Instances, and then select the instance. 

2.    On the Networking tab, scroll to Network interfaces and note the Subnet ID of your secondary network interface.

3.    Open the Amazon Virtual Private Cloud (Amazon VPC) console, select Subnets and then note the IPv4 CIDR range listed for the subnet ID.

4.    Apply the network configuration:

netplan --debug apply

Did this article help?


Do you need billing or technical support?