Ryan Lyu

Reputation: 5135

AWS: When specifying a security group to an instance, is its ENI specified the security group under the hood?

Here I have an AWS instance that has been specified with two security groups, default① and my first group②.

Now I would like to make this instance SSH available. Both of the following ways work:

Are they the same?

When specifying a security group to an instance, is its ENI specified a security group under the hood?


Upvotes: 9

Views: 6957

Answers (2)

Chris Williams

Reputation: 35238

To add to John's great comment, this makes sense when you think that Security Groups are not just bound to EC2 instances. In fact, any resource with an ENI can have a security group attached, with examples such as:

  • VPC Interface Endpoints
  • RDS
  • ElastiCache
  • ElasticSearch Service
  • And many more

By having a single implementation of security group -> ENI, I would imagine it makes it easier for AWS to implement networking security for new VPC-based resources over time.

Upvotes: 8

John Rotenstein

Reputation: 269826

Yes. Security Groups are attached to Elastic Network Interfaces (ENIs). That's why the console shows it under the Networking tab.

This design allows different security settings if there are multiple ENIs. For example, one ENI could be used for external traffic and a different ENI could be used for internal traffic.

Most Amazon EC2 instances only have one ENI, so it is easier to think of the Security Group as being associated with the instance.

Upvotes: 18
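
The ENI-level attachment that both answers describe can be audited from the output of `aws ec2 describe-network-interfaces`. The following is an added example, not part of either answer: the JSON is a constructed sample with made-up IDs, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# All IDs and group names are made up for illustration.
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "interface",
   "Attachment": {"InstanceId": "i-0123", "DeviceIndex": 0},
   "Groups": [{"GroupId": "sg-default", "GroupName": "default"},
              {"GroupId": "sg-first", "GroupName": "my first group"}]},
  {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "interface",
   "Attachment": {"InstanceId": "i-0123", "DeviceIndex": 1},
   "Groups": [{"GroupId": "sg-internal", "GroupName": "internal only"}]},
  {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "vpc_endpoint",
   "Attachment": {"DeviceIndex": 1},
   "Groups": [{"GroupId": "sg-default", "GroupName": "default"}]}
]}
""")

def group_ids(eni):
    """Security group IDs attached to one ENI."""
    return frozenset(g["GroupId"] for g in eni.get("Groups", []))

def enis_using_group(doc, group_id):
    """Every ENI a rule change in `group_id` would affect, with its owner."""
    hits = []
    for eni in doc["NetworkInterfaces"]:
        if group_id in group_ids(eni):
            # Non-instance resources (endpoints etc.) have no InstanceId.
            owner = eni.get("Attachment", {}).get("InstanceId") or eni["InterfaceType"]
            hits.append((eni["NetworkInterfaceId"], owner))
    return sorted(hits)

def instances_with_divergent_enis(doc):
    """Instances whose ENIs do not all carry the same set of groups."""
    per_instance = defaultdict(dict)
    for eni in doc["NetworkInterfaces"]:
        instance = eni.get("Attachment", {}).get("InstanceId")
        if instance:
            per_instance[instance][eni["NetworkInterfaceId"]] = group_ids(eni)
    return {i: {k: sorted(v) for k, v in enis.items()}
            for i, enis in per_instance.items()
            if len(set(enis.values())) > 1}

if __name__ == "__main__":
    print(enis_using_group(SAMPLE, "sg-default"))
    print(instances_with_divergent_enis(SAMPLE))
```

Running the first function before opening port 22 in a group shows every interface the new rule will reach, including ENIs that do not belong to an EC2 instance.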
