

# Local network interfaces for your Outposts servers
<a name="local-network-interface"></a>

With Outposts servers, a *local network interface* is a logical networking component that connects the Amazon EC2 instances in your Outposts subnet to your on-premises network.

A local network interface runs directly on your local area network. With this type of local connectivity, you don't need routers or gateways to communicate with your on-premises equipment. Local network interfaces are named similarly to network interfaces or elastic network interfaces. We distinguish between the two interfaces by always using *local* when we refer to local network interfaces.

After you enable local network interfaces on an Outpost subnet, you can configure the EC2 instances in the Outpost subnet to include a local network interface in addition to the elastic network interface. The local network interface connects to the on-premises network while the network interface connects to the VPC. The following diagram shows an EC2 instance on an Outposts server with both an elastic network interface and a local network interface.

![\[Local network interface\]](http://docs.aws.amazon.com/outposts/latest/server-userguide/images/outposts-server-LNI.png)


You must configure the operating system to enable the local network interface to communicate on your local area network, just as you would for any other on-premises equipment. You can't use DHCP option sets in a VPC to configure a local network interface because a local network interface runs on your local area network.

The elastic network interface works exactly as it does for instances in an Availability Zone subnet. For example, you can use the VPC network connection to access the public Regional endpoints for AWS services, or you can use interface VPC endpoints to access AWS services using AWS PrivateLink. For more information, see [AWS Outposts connectivity to AWS Regions](region-connectivity.md).

**Topics**
+ [Local network interface basics](#limits-lni)
+ [Enabling LNI on your Outpost subnet](enable-lni.md)
+ [Add a local network interface](add-lni.md)
+ [Local connectivity](local-server.md)

## Local network interface basics
<a name="limits-lni"></a>

Local network interfaces provide access to a physical layer-two network, whereas a VPC is a virtualized layer-three network. Local network interfaces therefore do not support VPC networking components: security groups, network access control lists, virtualized routers and route tables, and flow logs. Because the local network interface sits outside the VPC, the Outposts server has no visibility into layer-three flows on it. The guest operating system of the instance does have full visibility into the frames it exchanges with the physical network, and you can apply standard firewall logic to them. That enforcement happens inside the instance, outside the purview of the VPC's virtualized constructs.

**Considerations**
+ Local network interfaces support ARP and DHCP protocols. They do not support general L2 broadcast messages. 
+ Quotas for local network interfaces come out of your quota for network interfaces. For more information, see [Network interface quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-enis) in the *Amazon VPC User Guide*.
+ Each EC2 instance can have one local network interface.
+ A local network interface can't be the primary network interface (device index 0) of the instance.
+ Outposts servers can host multiple EC2 instances, each with a local network interface.
**Note**  
EC2 instances within the same server can communicate directly without sending data outside the Outposts server. This communication includes traffic over a local network interface or elastic network interfaces.
+ Local network interfaces are available only for instances running in an Outposts subnet on an Outposts server.
+ Local network interfaces do not support promiscuous mode or MAC address spoofing.

### Performance
<a name="performance-lni"></a>

The local network interface of each instance size provides a portion of the physical 10 GbE available bandwidth. The following table lists the network performance for each instance type:


| Instance type  | Baseline bandwidth (Gbps) | Burst bandwidth (Gbps) | 
| --- | --- | --- | 
|  c6id.large  |  0.15625  |  2.5  | 
|  c6id.xlarge  |  0.3125  |  2.5  | 
|  c6id.2xlarge  |  0.625  |  2.5  | 
|  c6id.4xlarge  |  1.25  |  2.5  | 
|  c6id.8xlarge  |  2.5  |  2.5  | 
|  c6id.12xlarge  |  3.75  |  3.75  | 
|  c6id.16xlarge  |  5  |  5  | 
|  c6id.24xlarge  |  7.5  |  7.5  | 
|  c6id.32xlarge  |  10  |  10  | 
|  c6gd.medium  |  0.15625  |  4  | 
|  c6gd.large  |  0.3125  |  4  | 
|  c6gd.xlarge  |  0.625  |  4  | 
|  c6gd.2xlarge  |  1.25  |  4  | 
|  c6gd.4xlarge  |  2.5  |  4  | 
|  c6gd.8xlarge  |  4.8  |  4.8  | 
|  c6gd.12xlarge  |  7.5  |  7.5  | 
|  c6gd.16xlarge  |  10  |  10  | 

### Security groups
<a name="security-groups-lni"></a>

By design, the local network interface does not use security groups in your VPC. A security group controls inbound and outbound *VPC traffic*. The local network interface is not attached to the VPC. The local network interface is attached to your local network. To control inbound and outbound traffic on the local network interface, use a firewall or similar strategy, just as you would with the rest of your on-premises equipment. 

### Monitoring
<a name="monitoring-lni"></a>

CloudWatch metrics are produced for each local network interface, just as they are for elastic network interfaces. For more information, see [Monitor network performance for ENA settings on your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-network-performance-ena.html) in the *Amazon EC2 User Guide*.

### MAC addresses
<a name="mac-address-lni"></a>

AWS provides the MAC address for each local network interface. Local network interfaces use locally administered addresses (LAA) for their MAC addresses. A local network interface keeps the same MAC address until you delete the interface. After you delete a local network interface, remove its MAC address from your local configurations (for example, DHCP reservations, switch port-security allow lists, and firewall rules), because AWS can reuse MAC addresses that are no longer in use.

# Enabling LNI on your Outpost subnet
<a name="enable-lni"></a>

To use Local Network Interface (LNI) on your Outposts server, you must first enable LNI on your Outpost subnet. This configuration allows instances launched in the subnet to attach LNI at a specific network device index.

**To enable LNI using the AWS CLI**  
Run the following command, replacing the subnet ID with your Outpost subnet:

```
aws ec2 modify-subnet-attribute \
    --subnet-id subnet-xxxxxxxxx \
    --enable-lni-at-device-index 1
```

**Important**  
You must run this command before launching instances that will use LNI. A device index value of 1 means that the LNI is attached as the second network interface of the instance (for example, eth1 or ens6, depending on the interface naming scheme of the operating system); the primary interface at device index 0 is always the elastic network interface.

After enabling LNI on the subnet, you can create network interfaces and attach them to your instances at that device index to establish Layer 2 connectivity with your on-premises network.

For a complete walkthrough with architecture diagrams and additional configuration examples, see [Architecting for seamless on-premises connectivity with AWS Outposts servers](https://aws.amazon.com/blogs/networking-and-content-delivery/architecting-for-seamless-on-premises-connectivity-with-aws-outposts-servers/).

# Add a local network interface to an EC2 instance in an Outposts subnet
<a name="add-lni"></a>

You can add a local network interface to an Amazon EC2 instance on an Outposts subnet during or after launch. You do so by adding a secondary network interface to the instance, using the device index that you specified when you enabled the Outpost subnet for local network interfaces.

**Consideration**  
When you specify the secondary network interface using the console, the network interface is created using device index 1. If this is not the device index that you specified when you enabled the Outpost subnet for local network interfaces, you can specify the correct device index by using the AWS CLI or an AWS SDK instead. For example, use the following commands from the AWS CLI: [create-network-interface](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-network-interface.html) and [attach-network-interface](https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-network-interface.html).

Use the following procedure to add the local network interface after you launch the instance. For information about adding it during instance launch, see [Launch an instance on the Outpost](launch-instance.md#launch-instances).

**To add a local network interface to an EC2 instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Network and Security**, **Network Interfaces**.

1. **Create the network interface**

   1. Choose **Create network interface**.

   1. Select the same Outpost subnet as the instance.

   1. Verify that **Private IPv4 address** is set to **Auto-assign**.

   1. Select any security group. Security groups do not apply to local network interfaces, so the security group that you select is not relevant.

   1. Choose **Create network interface**.

1. **Attach the network interface to the instance**

   1. Select the check box for the newly created network interface.

   1. Choose **Actions**, **Attach**.

   1. Choose the instance.

   1. Choose **Attach**. The network interface is attached at device index 1. If you specified 1 as the device index for the local network interface for the Outpost subnet, this network interface is the local network interface for the instance.
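The following script, added here as an example and not part of the AWS documentation, combines the subnet step from *Enabling LNI on your Outpost subnet* with the CLI path mentioned in the consideration above (`create-network-interface` and `attach-network-interface`), so that the attach step reads the device index back from the subnet instead of assuming 1. It uses only documented AWS CLI subcommands and query fields; the subnet, instance and security group IDs are placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not AWS documentation code): enable LNI on an Outpost subnet
# and attach a local network interface to a running instance with documented
# AWS CLI subcommands. All resource IDs are placeholders; set DRY_RUN=1 to
# print the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# An LNI can never be the primary interface (device index 0), so accept only
# a positive integer.
valid_device_index() {
  case "$1" in
    ''|*[!0-9]*|0) return 1 ;;
  esac
  return 0
}

# 1. Enable LNI on the subnet at the chosen device index (run once, before
#    launching instances that need an LNI).
enable_lni() {
  subnet_id="$1"; index="$2"
  valid_device_index "$index" || { echo "device index must be >= 1: $index" >&2; return 1; }
  run aws ec2 modify-subnet-attribute \
    --subnet-id "$subnet_id" \
    --enable-lni-at-device-index "$index"
}

# 2. Read the index back from the subnet so the attach step cannot drift
#    from it (the console always attaches at index 1, which may be wrong).
subnet_lni_index() {
  aws ec2 describe-subnets --subnet-ids "$1" \
    --query 'Subnets[0].EnableLniAtDeviceIndex' --output text
}

# 3. Create a secondary ENI in the instance's Outpost subnet and attach it at
#    the LNI index. A security group is required by the API but has no effect
#    on an LNI.
attach_lni() {
  instance_id="$1"; subnet_id="$2"; sg_id="$3"; index="$4"
  valid_device_index "$index" || return 1
  if [ "$DRY_RUN" = "1" ]; then
    eni_id="eni-PLACEHOLDER"
    run aws ec2 create-network-interface --subnet-id "$subnet_id" \
      --groups "$sg_id" --description "LNI for $instance_id"
  else
    eni_id=$(aws ec2 create-network-interface --subnet-id "$subnet_id" \
      --groups "$sg_id" --description "LNI for $instance_id" \
      --query 'NetworkInterface.NetworkInterfaceId' --output text)
  fi
  run aws ec2 attach-network-interface --network-interface-id "$eni_id" \
    --instance-id "$instance_id" --device-index "$index"
  # The MAC address is what your switch and DHCP server see on the LAN.
  run aws ec2 describe-network-interfaces --network-interface-ids "$eni_id" \
    --query 'NetworkInterfaces[0].MacAddress' --output text
}

# LNI MAC addresses are locally administered: bit 0x02 of the first octet is
# set. Check this before recording the MAC in a port-security allow list.
is_laa_mac() {
  first=$(printf '%s' "$1" | cut -d: -f1)
  [ $(( 0x$first & 2 )) -ne 0 ]
}

# Usage (real run, placeholder IDs):
#   enable_lni subnet-0abc 1
#   attach_lni i-0123 subnet-0abc sg-0456 "$(subnet_lni_index subnet-0abc)"
```

Run it with `DRY_RUN=1` first to review the commands. Reading the index back with `subnet_lni_index` is the check that prevents the mismatch the consideration above warns about: an interface attached at the wrong device index is an ordinary VPC interface, not a local network interface.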

## View the local network interface
<a name="interface-types"></a>

While the instance is in the running state, you can use the Amazon EC2 console to view both the elastic network interface and the local network interface for the instances in your Outpost subnet. Select the instance and choose the **Networking** tab.

The console displays a private IPv4 address for the local network interface, allocated from the subnet CIDR. This address is a placeholder: it is not the address the interface uses on your local network, and it is not reachable. Because it is still allocated from the subnet CIDR, you must account for it in your subnet sizing. You set the actual IP address of the local network interface within the guest operating system, either statically or through your DHCP server.

## Configure the operating system
<a name="os-configuration-lni"></a>

After you enable local network interfaces, Amazon EC2 instances will have two network interfaces, one of which is a local network interface. Ensure that you configure the operating system of the Amazon EC2 instances that you launch to support a multi-homed networking configuration.

# Local network connectivity for Outposts servers
<a name="local-server"></a>

Use this topic to understand the network cabling and topology requirements for hosting an Outposts server. For more information, see [Local network interfaces for your Outposts servers](local-network-interface.md).

**Topics**
+ [Server topology on your network](#lni-topology)
+ [Server physical connectivity](#lni-physical)
+ [Service link traffic for servers](#lni-sl)
+ [Local network interface link traffic](#lni-al)
+ [Server IP address assignment](#lni-address)
+ [Server registration](#lni-register)

## Server topology on your network
<a name="lni-topology"></a>

An Outposts server requires two distinct connections to your networking equipment. Each connection uses a different cable and carries a different type of traffic. The multiple cables are for traffic-class isolation only, and not for redundancy. The two cables do not need to connect to a common network.

The following table describes Outposts server traffic types and labels. 


| Traffic label | Description | 
| --- | --- | 
|  **2**  |  **Service link traffic **– This traffic enables communication between the Outpost and the AWS Region for both management of the Outpost and intra-VPC traffic between the AWS Region and the Outpost. Service link traffic includes the service link connection from the Outpost to the Region. The service link is a custom VPN or VPNs from the Outpost to the Region. The Outpost connects to the Availability Zone in the Region that you chose at time of purchase.  | 
|  **1**  |  **Local network interface link traffic** – This traffic enables communication from your VPC to your local LAN over the local network interface. Local link traffic includes instances running on the Outpost that communicate with your on-premises network. Local link traffic can also include instances communicating with the internet through your on-premises network.   | 

## Server physical connectivity
<a name="lni-physical"></a>

Each Outposts server includes non-redundant physical uplink ports. Ports have their own speed and connector requirements as follows: 
+ **10 GbE** – connector type QSFP+

**QSFP+ cable**  
The QSFP+ cable has a connector that you attach to port 3 on the Outposts server. The other end of the QSFP+ cable breaks out into four SFP+ interfaces that you connect to your switch. Two of the switch-side interfaces are labeled `1` and `2`. Both interfaces are required for an Outposts server to function. Use the `2` interface for service link traffic and the `1` interface for local network interface link traffic. The remaining interfaces are not used.

## Service link traffic for servers
<a name="lni-sl"></a>

Configure the service link port on your switch as an untagged access port to a VLAN with a gateway and a route to the following Region endpoints: 
+ Service link endpoints
+ Outposts registration endpoint

The service link connection must have public DNS available for the Outpost to discover its registration endpoint in the AWS Region. The connection can have a NAT device between the Outposts server and the registration endpoint. For more information about the public address ranges for AWS, see [AWS IP address ranges](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) in the *Amazon VPC User Guide* and [AWS Outposts endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/outposts_region.html) in the *AWS General Reference*.

To register the server, open the following network ports:
+ TCP 443
+ UDP 443
+ UDP 53

## Local network interface link traffic
<a name="lni-al"></a>

Configure the local network interface link port on your upstream network device as a standard access port to a VLAN on your local network. If you need more than one VLAN, configure the port as a trunk port instead. Configure the port to expect multiple MAC addresses: each instance launched on the server that has a local network interface presents its own MAC address on this port, and some network devices offer port-security features that shut down a port on which multiple MAC addresses appear.

**Note**  
AWS Outposts servers do not tag VLAN traffic. If you configure your local network interface as trunk, you must ensure that your OS tags VLAN traffic.

The following example shows how to configure VLAN tagging for your local network interface on Amazon Linux 2023 and Amazon Linux 2. If you are using another Linux distribution, see its documentation about configuring VLAN tagging.

**Example: To configure VLAN tagging for your local network interface on Amazon Linux 2023 and Amazon Linux 2**

1. Ensure that the `8021q` module is loaded into the kernel, and load it if it is not. Plain `modprobe` is a no-op when the module is already loaded, so the command is safe to repeat.

   ```
   modinfo 8021q
   lsmod | grep -qw 8021q || modprobe 8021q
   ```

1. Create the VLAN device. In this example:
   + The interface name of the local network interface is `ens6`
   + The VLAN id is `59`
   + The name assigned for the VLAN device is `ens6.59`

   ```
   ip link add link ens6 name ens6.59 type vlan id 59
   ```

1. Optional. Complete this step if you want to manually assign the IP. In this example we are assigning the IP 192.168.59.205, where the subnet CIDR is 192.168.59.0/24.

   ```
   ip addr add 192.168.59.205/24 brd 192.168.59.255 dev ens6.59
   ```

1. Activate the link.

   ```
   ip link set dev ens6.59 up
   ```

To configure your network interfaces at the OS level and make the VLAN tagging changes persistent, refer to the following resources:
+ If you are using Amazon Linux 2, see [Configure your network interface using ec2-net-utils for AL2](https://docs.aws.amazon.com/linux/al2/ug/ec2-net-utils.html) in the *Amazon Linux 2 User Guide*.
+ If you are using Amazon Linux 2023, see [Networking service](https://docs.aws.amazon.com/linux/al2023/ug/networking-service.html) in the *Amazon Linux 2023 User Guide*.
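The following script, added here as an example and not taken from the AWS documentation, carries the manual steps above through to a working multi-homed configuration (see also *Security groups* and *Configure the operating system* earlier on this page): it creates the tagged sub-interface, adds policy routing so traffic sourced from the LNI address replies via the LNI rather than via the VPC default route on the elastic network interface, and applies a host firewall on the sub-interface, which is the only place LNI traffic can be filtered since security groups do not cover it. The interface name `ens6`, VLAN 59, the 192.168.59.0/24 addressing, routing table 59 and the allowed ports are assumptions; `DRY_RUN=1` prints the commands and the nftables ruleset instead of applying them.

```shell
#!/bin/sh
# Added example (not AWS documentation code): guest-OS configuration for an
# LNI on a tagged VLAN. Interface name, VLAN ID, addresses, routing table
# number and the allowed ports are assumptions; adjust them for your LAN.
# DRY_RUN=1 prints the commands and the ruleset instead of applying them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

LNI_DEV="${LNI_DEV:-ens6}"                 # the LNI as the OS names it
VLAN_ID="${VLAN_ID:-59}"
LNI_ADDR="${LNI_ADDR:-192.168.59.205/24}"
LNI_NET="${LNI_NET:-192.168.59.0/24}"
LNI_GW="${LNI_GW:-192.168.59.1}"
LNI_TABLE="${LNI_TABLE:-59}"               # dedicated routing table

vlan_dev() { printf '%s.%s\n' "$1" "$2"; }

# 1. The server does not tag frames, so the guest creates the tagged
#    sub-interface and addresses that, not the raw LNI.
setup_vlan() {
  dev=$(vlan_dev "$LNI_DEV" "$VLAN_ID")
  run modprobe 8021q
  run ip link add link "$LNI_DEV" name "$dev" type vlan id "$VLAN_ID"
  run ip addr add "$LNI_ADDR" dev "$dev"
  run ip link set dev "$LNI_DEV" up
  run ip link set dev "$dev" up
}

# 2. Multi-homing: the ENI keeps the main default route (VPC and Region
#    endpoints). Packets sourced from the LNI address use their own table,
#    so replies to on-premises peers leave via the LNI instead of being
#    sent into the VPC and dropped as asymmetric.
setup_policy_routing() {
  dev=$(vlan_dev "$LNI_DEV" "$VLAN_ID")
  run ip route add "$LNI_NET" dev "$dev" table "$LNI_TABLE"
  run ip route add default via "$LNI_GW" dev "$dev" table "$LNI_TABLE"
  run ip rule add from "${LNI_ADDR%/*}" table "$LNI_TABLE"
}

# 3. Security groups never see LNI traffic, so filter it in the guest.
#    Only the VLAN sub-interface is restricted; ENI traffic stays under
#    security-group control. ARP is not IP and is unaffected; DHCP replies
#    are allowed explicitly in case the address comes from your DHCP server.
lni_ruleset() {
  dev=$(vlan_dev "$LNI_DEV" "$VLAN_ID")
  cat <<EOF
table inet lni {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$dev" ct state established,related accept
    iifname "$dev" ct state invalid drop
    iifname "$dev" ip protocol icmp accept
    iifname "$dev" udp sport 67 udp dport 68 accept
    iifname "$dev" tcp dport { 22, 443 } accept
    iifname "$dev" log prefix "lni-drop " drop
  }
}
EOF
}

apply_firewall() {
  if [ "$DRY_RUN" = "1" ]; then lni_ruleset; else lni_ruleset | nft -f -; fi
}

# Usage: setup_vlan; setup_policy_routing; apply_firewall
```

Changes made with `ip` and `nft -f` do not survive a reboot; use the distribution-specific resources above to make the interface and VLAN configuration persistent, and `nft list ruleset` to confirm what is actually loaded. The ruleset leaves the chain policy at `accept` and drops only on the VLAN sub-interface, so the elastic network interface keeps its VPC security group semantics untouched.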

## Server IP address assignment
<a name="lni-address"></a>

You do not need public IP address assignments for the service link of an AWS Outposts server or for the local network interfaces on its instances. For the service link, you can assign the IP address manually or use the Dynamic Host Configuration Protocol (DHCP). To configure the service link connection, see [Configure and test the connection](https://docs.aws.amazon.com/outposts/latest/install-server/authorize-3.html) in the *AWS Outposts server installation guide*.

To configure the local network interface link, see [Configure the operating system](add-lni.md#os-configuration-lni).

**Note**  
Ensure that you use a stable IP address for the Outposts server. IP address changes can cause temporary service disruptions on the Outpost subnet.

## Server registration
<a name="lni-register"></a>

When Outposts servers establish a connection on the local network, they use the service link connection to connect to Outpost registration endpoints and register themselves. Registration requires public DNS. When servers register, they create a secure tunnel to their service link endpoint in the Region. Outposts servers use TCP port 443 to facilitate communication with the Region over the public internet. Outposts servers do not support private connectivity through VPC.