From 985f354a6aeef75c417d11b76735712c06c0c015 Mon Sep 17 00:00:00 2001
From: Leonard O'Sullivan <leonard@firstnode.com.au>
Date: Fri, 27 Feb 2026 07:34:36 +1000
Subject: [PATCH] docs: clarify getPublicENI function purpose

Add doc comment explaining that device index 0 is the primary ENI
where Elastic IPs are attached for NAT instances.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 cmd/lambda/ec2ops.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cmd/lambda/ec2ops.go b/cmd/lambda/ec2ops.go
index 9e149fb..bc88a46 100644
--- a/cmd/lambda/ec2ops.go
+++ b/cmd/lambda/ec2ops.go
@@ -293,6 +293,9 @@ func (h *Handler) releaseEIPs(ctx context.Context, eips []ec2types.Address) {
 
 // --- ENI helper ---
 
+// getPublicENI returns the primary network interface (device index 0).
+// For NAT instances launched via our templates, this is the public-facing ENI
+// where the Elastic IP should be attached.
 func getPublicENI(inst *Instance) *ec2types.InstanceNetworkInterface {
 	for i := range inst.NetworkInterfaces {
 		if aws.ToInt32(inst.NetworkInterfaces[i].Attachment.DeviceIndex) == 0 {