How can I make my secondary network interface work in my CentOS or RHEL Amazon Elastic Compute Cloud (Amazon EC2) instance?

Adding a secondary network interface to a non-Amazon Linux instance causes asymmetric routing. Both the primary and the secondary network interfaces are in the same subnet, but the instance has only one routing table with one default gateway. Traffic that comes in on the secondary network interface is therefore answered through the primary network interface, with the secondary interface's IP address as the source. The VPC drops those packets, because the secondary IP address does not belong to the MAC address of the primary network interface.

To make the secondary interface work, create a secondary network configuration file, add an additional routing table, and then set rules in the routing policy database so that traffic sourced from the secondary interface's addresses uses the new routing table. To be sure that the new routes and rules come back on every boot, create and configure a secondary static route file and rule file.

Here is a summary of the steps for making the secondary interface work:

  1. Create a configuration file
  2. Create a new routing table
  3. Set rules in the Routing Policy Database
  4. Create a static route file

Note: For Ubuntu instances, see How can I make my secondary network interface work in my Ubuntu EC2 instance?

All procedures must be done with root user privileges. Either become root with `sudo -i` or execute all commands with `sudo`.

Create a secondary network configuration file

1.    Get the name of the primary network interface:

ip a | grep '^[[:digit:]]'

You should see something like this: 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000

Important: In the previous example, the interfaces are named 'eth0', 'eth1' and so on. However, for instances that support enhanced networking, such as the m4 and m5 family types, you might see a naming inconsistency. For example, the primary might be named 'ens3' while the secondary is named 'eth0'. This naming inconsistency happens when the secondary interface is added while the instance is running.

You can avoid a naming inconsistency by adding the interface at launch time, or by rebooting the instance. Or, while the instance is running, you can rename the secondary interface. The kernel refuses to rename an interface that is up, so bring it down first. Confirm with `ip a` that 'eth0' really is the secondary interface (the one without your primary address) before running this, because taking the primary interface down disconnects the instance:

ip link set eth0 down && ip link set eth0 name ens4 && ip link set ens4 up

2.    Create or edit the secondary network interface 'ifcfg-eth1' configuration file. 

vi /etc/sysconfig/network-scripts/ifcfg-eth1

3.    Edit the secondary interface file so it is similar to the following. Adapt the edits to your scenario, including your secondary interface MAC address. You can find the secondary interface MAC address using the `ip a` command. The HWADDR line ties this file to the secondary interface even if interface names change. Don't put a GATEWAY line in this file: the secondary interface's default route goes into its own routing table in a later section, not into the main table.


If you have more than one IP on your secondary interface, configure it as follows: 


4.    So that the primary interface keeps the default route in the main routing table (and the instance stays reachable), edit the /etc/sysconfig/network file: 

vi /etc/sysconfig/network

Add the following line: 


5.    Restart the network. This briefly interrupts connectivity on the instance: 

systemctl restart network

Create a new secondary routing table

The main routing table has ID 254 on Linux. By default, interface traffic is routed based on this table. You must create a new routing table for the secondary interface.

1.    Find and take note of your default gateway: 

ip route | grep default

2.    Create a new routing table for the secondary interface, and then add the default gateway route using the IP of the gateway you found on the previous step. In this example, the new table is ID 1000, and the IP is "": 

ip route add default via dev eth1 table 1000

3.    Be sure that table 1000 has a route for every IP present on the secondary interface.

Here's an example for two IPs: 

ip route add dev eth1 table 1000
ip route add dev eth1 table 1000

4.    Review table 1000 and be sure it is correct: 

ip route show table 1000

Set rules in the routing policy database

Set rules for every IP present on the secondary interface in the routing policy database so that traffic coming from these IPs is routed according to table 1000. 

ip rule add from lookup 1000
ip rule add from lookup 1000

Check that the rules are in place with `ip rule show`, then test connectivity to each of these IPs from another host in the VPC. If Elastic IPs are associated with these IPs, they should now be reachable from the public internet as well.

Create a secondary static route file

1.    To bring the new routes and rules up with every boot, create and configure the 'route-eth1' static route file. 

vi /etc/sysconfig/network-scripts/route-eth1

2.    Enter the same routes as you entered when creating the secondary routing table at the command line. The difference is that you omit the "ip route add". 

default via dev eth1 table 1000
dev eth1 table 1000
dev eth1 table 1000

3.    Create or edit a rule file for rule-eth1: 

vi /etc/sysconfig/network-scripts/rule-eth1

Enter the same rules as you entered on the command line when setting rules in the routing policy database. The difference is that you omit the "ip rule add". 

from lookup 1000
from lookup 1000

With these files in place, the CentOS or RHEL interface configuration, routes, and rules persist across interface restarts and reboots. After the next `systemctl restart network` or reboot, confirm with `ip route show table 1000` and `ip rule show` that the table and rules came back.
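The whole procedure above produces three files in /etc/sysconfig/network-scripts plus one line in /etc/sysconfig/network, and it is easy to get one of them wrong by hand. The following script, an added example that is not part of the AWS article, renders those files from one set of parameters so they can be reviewed before they touch the instance. Every interface name, MAC address, IP address and the IPADDRn/PREFIXn convention for extra addresses, as well as the GATEWAYDEV setting used to pin the default gateway to the primary interface, are assumptions here; check them against `ip a`, `ip route | grep default`, and your release's sysconfig documentation.

```shell
#!/bin/sh
# Added example, not taken from the AWS article: render the network-scripts
# files for a secondary interface that gets its own routing table, so the
# whole procedure can be reviewed (and diffed against the live files) before
# it is applied. Every interface name, MAC and address used at the bottom is
# an assumed placeholder; substitute the values from `ip a` and
# `ip route | grep default` on your instance.
set -eu

# ifcfg_contents IFACE HWADDR PREFIX IP [IP...]
# The first IP becomes IPADDR/PREFIX, further IPs IPADDR1/PREFIX1 and so on
# (assumed initscripts convention for extra addresses; verify it against
# /usr/share/doc/initscripts*/sysconfig.txt on your release).
# Deliberately no GATEWAY line and DEFROUTE=no: the default route for this
# interface lives in its own table, not in the main table.
ifcfg_contents() {
  iface=$1 hwaddr=$2 prefix=$3
  shift 3
  printf 'DEVICE=%s\nNAME=%s\nHWADDR=%s\n' "$iface" "$iface" "$hwaddr"
  printf 'TYPE=Ethernet\nBOOTPROTO=none\nONBOOT=yes\nDEFROUTE=no\nPERSISTENT_DHCLIENT=no\n'
  i=0
  for ip in "$@"; do
    if [ "$i" -eq 0 ]; then
      printf 'IPADDR=%s\nPREFIX=%s\n' "$ip" "$prefix"
    else
      printf 'IPADDR%d=%s\nPREFIX%d=%s\n' "$i" "$ip" "$i" "$prefix"
    fi
    i=$((i + 1))
  done
}

# route_contents IFACE TABLE GATEWAY IP [IP...]
# The same lines you would pass to `ip route add ... table TABLE`, without
# the "ip route add" prefix, which is the format route-IFACE expects.
route_contents() {
  iface=$1 table=$2 gateway=$3
  shift 3
  printf 'default via %s dev %s table %s\n' "$gateway" "$iface" "$table"
  for ip in "$@"; do
    printf '%s dev %s table %s\n' "$ip" "$iface" "$table"
  done
}

# rule_contents TABLE IP [IP...]
# One policy rule per address: traffic sourced from it consults TABLE.
rule_contents() {
  table=$1
  shift
  for ip in "$@"; do
    printf 'from %s lookup %s\n' "$ip" "$table"
  done
}

# network_contents PRIMARY_IFACE
# Line for /etc/sysconfig/network that keeps the default gateway on the
# primary interface (assumed setting; check your release's documentation).
network_contents() {
  printf 'GATEWAYDEV=%s\n' "$1"
}

# write_files OUTDIR IFACE TABLE GATEWAY HWADDR PREFIX IP [IP...]
# Writes ifcfg-, route- and rule- files for IFACE into OUTDIR. Point OUTDIR
# at a scratch directory first and diff it against /etc/sysconfig/network-scripts.
write_files() {
  outdir=$1 iface=$2 table=$3 gateway=$4 hwaddr=$5 prefix=$6
  shift 6
  ifcfg_contents "$iface" "$hwaddr" "$prefix" "$@" > "$outdir/ifcfg-$iface"
  route_contents "$iface" "$table" "$gateway" "$@" > "$outdir/route-$iface"
  rule_contents "$table" "$@" > "$outdir/rule-$iface"
}

# With no argument: dry run with placeholder values (assumed: eth1 carrying
# 10.0.0.20 and 10.0.0.21 in a /24 whose gateway is 10.0.0.1, table 1000).
# With a directory as $1: write the files there.
if [ "$#" -eq 0 ]; then
  echo '# ifcfg-eth1'; ifcfg_contents eth1 0a:00:00:00:00:02 24 10.0.0.20 10.0.0.21
  echo '# route-eth1'; route_contents eth1 1000 10.0.0.1 10.0.0.20 10.0.0.21
  echo '# rule-eth1';  rule_contents 1000 10.0.0.20 10.0.0.21
  echo '# network';    network_contents eth0
else
  write_files "$1" eth1 1000 10.0.0.1 0a:00:00:00:00:02 24 10.0.0.20 10.0.0.21
fi
```

Run it once with a scratch directory (for example `sh render.sh /tmp/ns`), diff the result against /etc/sysconfig/network-scripts, copy the files into place as root, add the GATEWAYDEV line to /etc/sysconfig/network, and only then run `systemctl restart network`. Afterwards `ip route show table 1000` should list the default route and one route per address, `ip rule show` should list one `from ... lookup 1000` rule per address, and each address should answer from another host in the VPC.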


Published: 2018-11-09