How can I make my secondary network interface work in my Ubuntu Amazon Elastic Compute Cloud (Amazon EC2) instance? 

Adding a secondary network interface to a non-Amazon Linux EC2 instance causes traffic flow issues. These issues occur because both the primary and the secondary network interfaces are in the same subnet, and there is only one routing table with one gateway. Traffic that comes into the secondary network interface leaves the instance using the primary network interface. But this isn't allowed, because the secondary IP address doesn't belong to the MAC address of the primary network interface.

To make the secondary interface work, create a secondary network configuration file, configure the routing table, and then set up rules in the custom routing table policy database so that traffic for the secondary interface uses the new routing table.

Note: The steps for adding a secondary network interface are different for each of the following Ubuntu versions:

  • Ubuntu 14.04
  • Ubuntu 16.04
  • Ubuntu 18.04

Note: For CentOS or RHEL instances see How can I make my secondary network interface work in my CentOS or RHEL instance?

Configuring Ubuntu 14.04 or 16.04

Creating the secondary interface configuration file, configuring the routing table, and setting routing policy rules for Ubuntu can be done using a single file.

All procedures must be done with root user privileges. Either become the root user with 'sudo -i' or execute all commands with 'sudo'.

1. Get the name of the primary network interface:

ip a | grep ^[[:digit:]]

You should see something like this: 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000

Important: In the previous example, the primary interfaces are named 'eth0', 'eth1', and so on. However, for instances that support enhanced networking, such as the m4 and m5 family type, you might see a naming inconsistency. For example, the primary might be named 'ens3' if the secondary is named 'eth0'. This naming inconsistency happens when the secondary interface is added when the instance is running.

You can avoid a naming inconsistency by adding the interface at launch time, or rebooting the instance. Or, if the interface is running, you can change the name with:

ip link set eth0 name ens4 && ip link set ens4 up

2. Create a configuration file for the secondary interface. This example uses a secondary interface of 'eth1'. Be sure to change 'eth1' to match your secondary interface name as found in step 1. 

vi /etc/network/interfaces.d/51-eth1.cfg

The following is an example for a single IP address of 172.31.21.115, and with a gateway of 172.31.16.1 on the secondary interface. Be sure to change the IP address and gateway to your scenario. Also note that your gateway must be the first valid IP address in your subnet. 

auto eth1
iface eth1 inet static 
address 172.31.21.115
netmask 255.255.240.0

# Gateway configuration
up ip route add default via 172.31.16.1 dev eth1 table 1000

# Routes and rules
up ip route add 172.31.21.115 dev eth1 table 1000
up ip rule add from 172.31.21.115 lookup 1000

The following is an example for multiple IP addresses. In this example the IP addresses are 172.31.21.115 and 172.31.18.46, and with a gateway of 172.31.16.1. Be sure to update the IP addresses and gateway to your scenario. 

auto eth1

# Enter one or more IP settings
iface eth1 inet static
address 172.31.21.115
netmask 255.255.240.0

iface eth1 inet static
address 172.31.18.46
netmask 255.255.240.0

# Default gateway for eth1
up ip route add default via 172.31.16.1 dev eth1 table 1000

# A route for every IP
up ip route add 172.31.21.115 dev eth1 table 1000
up ip route add 172.31.18.46 dev eth1 table 1000

# A policy rule for every IP
up ip rule add from 172.31.21.115 lookup 1000
up ip rule add from 172.31.18.46 lookup 1000

3. Create the restrict-default-gw file to prevent the default gateway from being overwritten on the main table:

vi /etc/dhcp/dhclient-enter-hooks.d/restrict-default-gw

4. Add the following lines to the restrict-default-gw file. Be sure to change 'eth0' to your primary interface name as found in step 1.

case ${interface} in
  eth0)
    ;;
  *)
    unset new_routers
    ;;
esac

5. Restart the network:

In Ubuntu 14.04: 

(ifdown eth1 && ifup eth1)

In Ubuntu 16.04 

systemctl restart networking

Configuring Ubuntu 18.04

Ubuntu 18.04 has switched its networking configuration to Netplan. The following example uses the Netplan configuration. Note that Netplan uses YAML format and indentation is crucial. The example below uses a 2-space indentation.

1. Create a configuration file for the secondary interface:

vi /etc/netplan/51-eth1.yaml

2. Add the following lines to the 51-eth1.yaml file.

network:  
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
        - 172.31.24.153/20
        - 172.31.28.195/20
        dhcp4: no
        routes:
          - to: 0.0.0.0/0
            via: 172.31.16.1 # Default gateway
            table: 1000
          - to: 172.31.24.153
            via: 0.0.0.0
            scope: link
            table: 1000
          - to: 172.31.28.195
            via: 0.0.0.0
            scope: link
            table: 1000
        routing-policy:
          - from: 172.31.24.153
            table: 1000
          - from: 172.31.28.195
            table: 1000

3. Apply the network configuration: 

netplan --debug apply

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-09-05