AWS EC2 ENI, ENA, EFA
1. ENI vs ENA vs EFA & Encrypted Root Device Volumes and Snapshots
Alex Carvalho
2. ENI vs ENA vs EFA
ENI - Elastic Network Interface - essentially a virtual network card.
ENA - Enhanced Networking Adapter (EN) - uses single root I/O virtualization (SR-IOV) to provide
high-performance networking capabilities on supported instance types.
EFA - Elastic Fabric Adapter - a network device that you can attach to your Amazon EC2 instance to
accelerate High Performance Computing (HPC) and machine learning applications.
3. ENI - Elastic Network Interface
A logical component in a VPC that represents a virtual network card for your EC2 instances, bound to a
specific Availability Zone (AZ). It can include the following attributes:
● A primary private IPv4 address and one or more secondary private IPv4 addresses
● One Elastic IP address (IPv4) per private IPv4 address
● One public IPv4 address
● One or more IPv6 addresses
● One or more security groups
● A MAC address
● A source/destination check flag
ENIs are independent of EC2 instances: you can create and attach them on the fly.
They can be used for failover.
4. ENA or EN - Enhanced Networking
It uses single root I/O virtualization (SR-IOV) to deliver high throughput and packets per second
(PPS), higher I/O performance, lower CPU utilization and consistently low latencies, at no
additional charge.
The Intel 82599 Virtual Function Interface (VFI) is part of this (EN). It supports up to 10 Gbps, only on
supported instance types, and is used on older instances.
Good for use cases that require higher bandwidth and lower inter-instance latency.
5. EFA - Elastic Fabric Adapter
A network interface for EC2 instances that enables you to run High Performance Computing
(HPC) and machine learning applications.
Its custom-built operating system (OS) bypass hardware interface enhances the performance of
inter-instance communications.
EFA is available as an optional EC2 networking feature that you can enable on any supported EC2
instance at no additional cost.
6. Encrypted Root Device Volumes and Snapshots
When we launch an instance, the root device volume contains the image used to boot the instance.
● Snapshots of encrypted volumes are encrypted automatically.
● Volumes restored from encrypted snapshots are encrypted automatically.
● Only unencrypted snapshots can be shared.
● These snapshots can be shared with other AWS accounts or made public.
● You can now encrypt root device volumes upon creation of the EC2 instance.
When creating an instance we can choose to encrypt the root device. Otherwise, this sequence of steps
turns an unencrypted root device into an encrypted one:
● Create a Snapshot of the unencrypted root device volume
● Create a copy of the Snapshot and select the encrypt option
● Create an AMI from the encrypted Snapshot
● Use that AMI to launch new encrypted instances
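The four steps above expressed as AWS CLI calls, added here as an example and not part of the original slides. It assumes a configured AWS CLI, an x86_64 HVM image whose root device is /dev/xvda, and the account's default EBS key unless KMS_KEY_ID is set; the function names are hypothetical.

```shell
# Added example (not from the slides). Assumptions: configured AWS CLI,
# x86_64 HVM image, root device /dev/xvda, default EBS KMS key unless
# KMS_KEY_ID is exported. Function names are hypothetical.

# Usage: encrypt_root_to_ami <volume-id> <region> <ami-name>  -> prints AMI id
encrypt_root_to_ami() {
  vol_id=$1; region=$2; ami_name=$3

  # Step 1: snapshot the unencrypted root device volume.
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol_id" \
    --description "unencrypted root of $vol_id" \
    --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || return 1

  # Step 2: copy the snapshot with the encrypt option selected.
  enc=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
    --source-snapshot-id "$snap" --encrypted \
    ${KMS_KEY_ID:+--kms-key-id "$KMS_KEY_ID"} \
    --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc" || return 1

  # Check before building on it: refuse to continue if the copy is not encrypted.
  state=$(aws ec2 describe-snapshots --region "$region" --snapshot-ids "$enc" \
    --query 'Snapshots[0].Encrypted' --output text) || return 1
  if [ "$state" != "True" ]; then
    echo "snapshot $enc is not encrypted, aborting" >&2
    return 1
  fi

  # Step 3: create an AMI whose root device is backed by the encrypted snapshot.
  aws ec2 register-image --region "$region" --name "$ami_name" \
    --architecture x86_64 --virtualization-type hvm --ena-support \
    --root-device-name /dev/xvda \
    --block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=$enc}" \
    --query ImageId --output text
}

# Step 4: launch a new instance from that AMI; its root volume is restored
# from the encrypted snapshot and is therefore encrypted.
# Usage: launch_encrypted <ami-id> <region> <instance-type>
launch_encrypted() {
  aws ec2 run-instances --region "$2" --image-id "$1" --instance-type "$3" \
    --query 'Instances[0].InstanceId' --output text
}
```

The original unencrypted snapshot from step 1 still exists afterwards; delete it once the encrypted AMI has been verified so the plaintext copy does not linger.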