Add a second network interface for a vlan/exclusive network between two EC2 instances in same VPC


Hi, I was asked to provide 2 instances for a development project. One instance will use Windows Server and the other CentOS. They need each of the instances to have two network cards, one for internet connection and the other to be privately connected to the other instance. For example, the second network card of the Windows server should be and the second card of the CentOS should be and it should be an exclusive connection, but those IPs are out of the range of the primary private IP from each additional network interface. When adding the extra network cards, I see that they come with a specific private IP but from the instances I can change the IP of each instance: in Windows through CPL and in CentOS from the command line, but I can't ping between them. What would be the simplest way to be able to configure those two extra network cards that the client needs? Thanks in advance. Regards.

1 Answer

First: While you can do what you want in your VPC you don't have to do it that way. Instances within the VPC already have private IP addresses and can communicate with each other. The public IP addresses that they have (assuming they are on a public subnet) are not assigned directly to the instance network interface; instead that access is provided using 1:1 NAT on your Internet Gateway. The instances can transparently (and without further configuration) communicate privately on their private IP addresses with no further action by you.

But let's assume that you absolutely need separate interfaces. You should do the following:

  1. Create a new subnet in your VPC with a new IP range that is within the VPC IP range but different to your existing subnet(s).
  2. Create two network interfaces on that subnet. The interfaces will automatically get IP addresses.
  3. Attach the network interfaces to the instances.
  4. Create a security group and in the inbound rules, allow the security group to communicate with itself. This means that any instance that has been assigned to the security group can communicate with any other instance that has been assigned that security group.
  5. Attach the security group to the two network interfaces.
AWS
answered a year ago
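An added example, not part of the answer or of any AWS-provided code, that expresses the five steps above as Terraform. The VPC and instance IDs are assumed input variables, the subnet CIDR is a placeholder that must fall inside your own VPC range, and the attachment assumes each instance currently has only its primary interface.

```hcl
variable "vpc_id"              { type = string } # existing VPC (assumed input)
variable "windows_instance_id" { type = string }
variable "centos_instance_id"  { type = string }
# Step 1: a new subnet inside the VPC range, distinct from existing subnets.
resource "aws_subnet" "exclusive" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.99.0/28" # placeholder: must lie within your VPC CIDR
  tags       = { Name = "dev-exclusive-link" }
}

# Step 4: a security group whose only rules reference itself, so group members
# reach each other and nothing else on this interface (egress tightened too).
resource "aws_security_group" "exclusive" {
  name   = "dev-exclusive-link"
  vpc_id = var.vpc_id
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1" # all protocols, so ICMP ping tests work too
    self      = true
  }
  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}

# Steps 2 and 5: one ENI per instance on that subnet; AWS assigns the private IP.
resource "aws_network_interface" "windows" {
  subnet_id       = aws_subnet.exclusive.id
  security_groups = [aws_security_group.exclusive.id]
}
resource "aws_network_interface" "centos" {
  subnet_id       = aws_subnet.exclusive.id
  security_groups = [aws_security_group.exclusive.id]
}
# Step 3: attach each ENI as the second interface (device index 1 assumes only eth0 exists).
resource "aws_network_interface_attachment" "windows" {
  instance_id          = var.windows_instance_id
  network_interface_id = aws_network_interface.windows.id
  device_index         = 1
}
resource "aws_network_interface_attachment" "centos" {
  instance_id          = var.centos_instance_id
  network_interface_id = aws_network_interface.centos.id
  device_index         = 1
}
```

After applying, the guest OS still has to bring the new interface up (DHCP on CentOS), and a ping test against the Windows side will only succeed if the Windows host firewall permits inbound ICMP on that interface.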
  • Hi, Brettski-AWS. Thanks for your help. In the end, I tried to attach a second network interface to each instance, each secondary network interface belongs to the same security group of the corresponding primary network interface. I didn't have to configure anything, I see the CentOS instance and the Windows instance have assigned the corresponding private IP, however I can only ping from the Windows instance to the primary private CentOS IP, I can't ping to the secondary network interface private IP. And neither can I ping from the CentOS instance to any Windows instance. What extra configuration do you think I need to make? Thanks in advance, and sorry for the bad English.

  • I think you need to look at the built-in Windows firewall - it will allow communications that are initiated by Windows but block anything that is initiated by another host.
