In public cloud, enterprise IT has a very basic need to protect its network and segment resources into isolated subnets.
In AWS, there were essentially two methods to do this: EC2-Classic and Amazon Virtual Private Cloud. And as the public cloud service evolved, so did its networking options.
EC2-Classic, the original release of Amazon Elastic Compute Cloud (EC2), runs instances in a single, flat network that is shared with other AWS tenants; every resource created in EC2-Classic lands on that shared network. In recent years, however, Amazon VPC has become the default cloud network for every new AWS account.
Amazon VPC is a virtual network that is logically isolated from other networks within the AWS cloud. Users can launch resources, such as EC2 instances, into the account's default VPC. EC2 instances residing in a VPC can reach the internet through an internet gateway, and the VPC itself can be connected to an organization's data center over a dedicated VPN tunnel. Figure 1 shows an instance comparison of EC2-Classic to VPC.
A developer can also create a non-default VPC and move resources into it to match the enterprise's preferred network topology. Connecting a single instance directly to the public internet is harmless enough, but enterprises run more elaborate networks, for which EC2-Classic's flat, internet-reachable default is not sufficient. In a non-default VPC the default is reversed: an instance cannot reach the internet unless the route table that applies to its subnet has a route to an internet gateway and the instance has a public or Elastic IP address (for example, by enabling public IP assignment on the subnet when it is created).
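The check a practitioner wants here is "which of my subnets can actually reach the internet?" The following is an added example, not code from the original article or from AWS. It reads the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` and applies the rule above: a subnet is public only if the route table that governs it (its explicit association, or else the VPC's main table) sends 0.0.0.0/0 to an internet gateway (`igw-*`) and the subnet assigns public IPs at launch. All VPC, subnet, route table and gateway IDs below are constructed sample data.

```python
"""Classify VPC subnets by internet reachability from describe-* JSON.

Added example for illustration only; not code from the article or from AWS.
All identifiers are constructed sample data.
"""
import json

# Constructed sample of `aws ec2 describe-route-tables` for one VPC:
# the main table has no default route, rtb-pub... routes 0.0.0.0/0 to an
# internet gateway and rtb-priv... routes it to a NAT gateway.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main000001", "VpcId": "vpc-example0001",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main000001"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"}]},
  {"RouteTableId": "rtb-pub0000001", "VpcId": "vpc-example0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-pub000001", "RouteTableId": "rtb-pub0000001"},
                    {"Main": false, "SubnetId": "subnet-noip00001", "RouteTableId": "rtb-pub0000001"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example001", "State": "active"}]},
  {"RouteTableId": "rtb-priv000001", "VpcId": "vpc-example0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-nat000001", "RouteTableId": "rtb-priv000001"}],
   "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example0001", "State": "active"}]}
]}
""")

# Constructed sample of `aws ec2 describe-subnets`. subnet-iso... has no
# explicit association, so the VPC's main route table applies to it.
SUBNETS = json.loads("""
{"Subnets": [
  {"SubnetId": "subnet-pub000001", "VpcId": "vpc-example0001", "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-noip00001", "VpcId": "vpc-example0001", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-nat000001", "VpcId": "vpc-example0001", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-iso000001", "VpcId": "vpc-example0001", "MapPublicIpOnLaunch": false}
]}
""")


def applicable_route_table(subnet, route_tables):
    """Return the route table governing a subnet: the explicitly associated
    table if there is one, otherwise the VPC's main route table."""
    main_table = None
    for table in route_tables["RouteTables"]:
        if table["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def default_route_target(table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if absent."""
    target_keys = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
                   "TransitGatewayId", "VpcPeeringConnectionId")
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":   # blackhole routes carry nothing
            continue
        for key in target_keys:
            if key in route:
                return route[key]
    return None


def classify_subnet(subnet, route_tables):
    """Classify one subnet by how (if at all) its instances reach the internet."""
    table = applicable_route_table(subnet, route_tables)
    target = default_route_target(table) if table else None
    if target is None:
        return "isolated"                   # no default route at all
    if target.startswith("igw-"):
        if subnet.get("MapPublicIpOnLaunch"):
            return "public"                 # IGW route plus public IPs: reachable both ways
        return "igw-route-no-public-ip"     # instances still need a public/Elastic IP to use the IGW
    return "private-egress-only"            # e.g. NAT gateway: outbound only, no inbound


def classify_subnets(subnets, route_tables):
    """Map every subnet ID to its classification."""
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets["Subnets"]}


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet_id}: {kind}")
```

To run this against a real account, save the output of `aws ec2 describe-route-tables --output json` and `aws ec2 describe-subnets --output json` and `json.load` them in place of the constructed samples. The "igw-route-no-public-ip" case is the one that surprises people: the route exists, but an instance launched there without a public or Elastic IP still has no path to the internet.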
AWS accounts created after December 2013 support only EC2-VPC. So developers whose accounts predate that cutoff (at the time of writing, anyone who has run AWS for more than three years) might still have instances running in EC2-Classic, and they are easy to find: EC2-Classic instances do not have the VPC ID and Subnet ID attributes that EC2-VPC instances have.
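Turning that rule into an inventory check, as an added example that is not code from the original article or from AWS: it filters `aws ec2 describe-instances` output for instances with neither VpcId nor SubnetId, and reads `aws ec2 describe-account-attributes --attribute-names supported-platforms`, which lists the value "EC2" only for accounts that still support EC2-Classic. The instance, VPC and subnet IDs are constructed sample data.

```python
"""Find EC2-Classic instances in describe-instances output.

Added example for illustration only; not code from the article or from AWS.
All identifiers are constructed sample data.
"""
import json

# Constructed sample of
# `aws ec2 describe-account-attributes --attribute-names supported-platforms`
# for an older account that still has both platforms.
ACCOUNT_ATTRIBUTES = json.loads("""
{"AccountAttributes": [
  {"AttributeName": "supported-platforms",
   "AttributeValues": [{"AttributeValue": "EC2"}, {"AttributeValue": "VPC"}]}
]}
""")

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to
# the keys used here. Two instances carry no VpcId/SubnetId (EC2-Classic),
# one is in a VPC, and one is a terminated EC2-Classic instance.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "us-east-1a"}},
    {"InstanceId": "i-0bbb000000000002", "State": {"Name": "running"},
     "VpcId": "vpc-0example00000001", "SubnetId": "subnet-0example000001",
     "Placement": {"AvailabilityZone": "us-east-1a"}}]},
  {"Instances": [
    {"InstanceId": "i-0ccc000000000003", "State": {"Name": "stopped"},
     "Placement": {"AvailabilityZone": "us-east-1b"}},
    {"InstanceId": "i-0ddd000000000004", "State": {"Name": "terminated"},
     "Placement": {"AvailabilityZone": "us-east-1b"}}]}
]}
""")


def account_supports_classic(account_attributes):
    """True if the supported-platforms attribute lists "EC2", i.e. EC2-Classic."""
    for attr in account_attributes["AccountAttributes"]:
        if attr["AttributeName"] == "supported-platforms":
            return any(v["AttributeValue"] == "EC2" for v in attr["AttributeValues"])
    return False


def is_classic_instance(instance):
    """An EC2-Classic instance carries neither VpcId nor SubnetId."""
    return "VpcId" not in instance and "SubnetId" not in instance


def find_classic_instances(describe_instances, include_terminated=False):
    """Return [(instance_id, availability_zone, state)] for EC2-Classic instances.

    Terminated instances stay visible in describe-instances for a while after
    termination; they are skipped unless include_terminated is set.
    """
    found = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            state = inst["State"]["Name"]
            if state == "terminated" and not include_terminated:
                continue
            if is_classic_instance(inst):
                found.append((inst["InstanceId"], inst["Placement"]["AvailabilityZone"], state))
    return found


if __name__ == "__main__":
    print("account supports EC2-Classic:", account_supports_classic(ACCOUNT_ATTRIBUTES))
    for instance_id, zone, state in find_classic_instances(DESCRIBE_INSTANCES):
        print(f"{instance_id}  {zone}  {state}")
```

Run it against a real account by saving `aws ec2 describe-instances --output json` to a file and `json.load`-ing it in place of the constructed sample; describe-instances is per region, so repeat for every region the account has used. If the account attribute check returns False, there is nothing to look for: the account was created after the cutoff and has never had EC2-Classic.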
Developers should move all cloud resources to an EC2-VPC network: they will run on more advanced network infrastructure and gain access to instance types that can only be launched in a VPC. In addition, VPC gives users more flexibility and control over their network topology, so they can maintain fine-grained segmentation and security policies, including subnet-level network ACLs, which EC2-Classic does not offer.
Developers can access, share and move almost every resource from EC2-Classic to VPC -- except for spot instances. But there are several factors to know before migrating or sharing resources between the two networks:
EC2 instances: An instance cannot be migrated from a VPC back to EC2-Classic, but applications are relatively easy to move from EC2-Classic to VPC: create an AMI from the EC2-Classic instance and launch a new instance from it inside the VPC.
Elastic IP address: An Elastic IP address allocated for EC2-Classic can be moved to VPC (for example with `aws ec2 move-address-to-vpc`), but an Elastic IP address originally allocated for VPC cannot be moved to EC2-Classic.
Load balancing: A load balancer cannot be migrated from EC2-Classic to a VPC; a new one has to be created in the VPC. What ClassicLink allows is for that VPC load balancer to register linked EC2-Classic instances, provided the VPC has a subnet in the same availability zone as the EC2-Classic instance. ClassicLink connects EC2-Classic instances to a VPC within the same account and the same region using private IP addresses.
ClassicLink: EC2-Classic security groups cannot be used to control traffic between a linked EC2-Classic instance and the VPC. Instead, linking associates the instance with one or more of the VPC's security groups, and those groups control inbound and outbound traffic between the linked instance and the VPC. Keep them tight, because linking exposes the EC2-Classic instance to the VPC's private address space. Note also that ClassicLink cannot be enabled on a VPC whose routing conflicts with the EC2-Classic private range 10.0.0.0/8 (VPCs using 10.0.0.0/16 or 10.1.0.0/16 are the exception).