Amazon Elastic Compute Cloud
User Guide for Linux (API Version 2015-04-15)

Amazon EC2 and Amazon Virtual Private Cloud

Amazon Virtual Private Cloud (Amazon VPC) enables you to define a virtual network in your own logically isolated area within the AWS cloud, known as a virtual private cloud (VPC). You can launch your AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using AWS's scalable infrastructure. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the Internet. You can connect your VPC to your own corporate data center, making the AWS cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists. For more information, see the Amazon VPC User Guide.

Your account may support both the EC2-VPC and EC2-Classic platforms, on a region-by-region basis. If you created your account after 2013-12-04, it supports EC2-VPC only. To find out which platforms your account supports, see Supported Platforms. If your account supports EC2-VPC only, we create a default VPC for you. A default VPC is a VPC that is already configured and ready for you to use. You can launch instances into your default VPC immediately. For more information about your default VPC, see Your Default VPC and Subnets in the Amazon VPC User Guide. If your account supports EC2-Classic and EC2-VPC, you can launch instances into either platform.

Benefits of Using a VPC

By launching your instances into a VPC instead of EC2-Classic, you gain the ability to:

  • Assign static private IP addresses to your instances that persist across starts and stops

  • Assign multiple IP addresses to your instances

  • Define network interfaces, and attach one or more network interfaces to your instances

  • Change security group membership for your instances while they're running

  • Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)

  • Add an additional layer of access control to your instances in the form of network access control lists (ACL)

  • Run your instances on single-tenant hardware

Differences Between EC2-Classic and EC2-VPC

The following table summarizes the differences between instances launched in EC2-Classic, instances launched in a default VPC, and instances launched in a nondefault VPC.

Characteristic: Public IP address (from Amazon's public IP address pool)

  EC2-Classic: Your instance receives a public IP address.

  Default VPC: Your instance launched in a default subnet receives a public IP address by default, unless you specify otherwise during launch, or you modify the subnet's public IP address attribute.

  Nondefault VPC: Your instance doesn't receive a public IP address by default, unless you specify otherwise during launch, or you modify the subnet's public IP address attribute.

Characteristic: Private IP address

  EC2-Classic: Your instance receives a private IP address from the EC2-Classic range each time it's started.

  Default VPC: Your instance receives a static private IP address from the address range of your default VPC.

  Nondefault VPC: Your instance receives a static private IP address from the address range of your VPC.

Characteristic: Multiple private IP addresses

  EC2-Classic: We select a single private IP address for your instance; multiple IP addresses are not supported.

  Default VPC: You can assign multiple private IP addresses to your instance.

  Nondefault VPC: You can assign multiple private IP addresses to your instance.

Characteristic: Elastic IP address

  EC2-Classic: An EIP is disassociated from your instance when you stop it.

  Default VPC: An EIP remains associated with your instance when you stop it.

  Nondefault VPC: An EIP remains associated with your instance when you stop it.

Characteristic: DNS hostnames

  EC2-Classic: DNS hostnames are enabled by default.

  Default VPC: DNS hostnames are enabled by default.

  Nondefault VPC: DNS hostnames are disabled by default.

Characteristic: Security group

  EC2-Classic: A security group can reference security groups that belong to other AWS accounts. You can create up to 500 security groups in each region.

  Default VPC: A security group can reference security groups for your VPC only. You can create up to 100 security groups per VPC.

  Nondefault VPC: A security group can reference security groups for your VPC only. You can create up to 100 security groups per VPC.

Characteristic: Security group association

  EC2-Classic: You can assign an unlimited number of security groups to an instance when you launch it. You can't change the security groups of your running instance. You can either modify the rules of the assigned security groups, or replace the instance with a new one (create an AMI from the instance, launch a new instance from this AMI with the security groups that you need, disassociate any Elastic IP address from the original instance and associate it with the new instance, and then terminate the original instance).

  Default VPC: You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it's running.

  Nondefault VPC: You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it's running.

Characteristic: Security group rules

  EC2-Classic: You can add rules for inbound traffic only. You can add up to 100 rules to a security group.

  Default VPC: You can add rules for inbound and outbound traffic. You can add up to 50 rules to a security group.

  Nondefault VPC: You can add rules for inbound and outbound traffic. You can add up to 50 rules to a security group.

Characteristic: Tenancy

  EC2-Classic: Your instance runs on shared hardware.

  Default VPC: You can run your instance on shared hardware or single-tenant hardware.

  Nondefault VPC: You can run your instance on shared hardware or single-tenant hardware.

Characteristic: Accessing the Internet

  EC2-Classic: Your instance can access the Internet. Your instance automatically receives a public IP address, and can access the Internet directly through the AWS network edge.

  Default VPC: By default, your instance can access the Internet. Your instance receives a public IP address by default. An Internet gateway is attached to your default VPC, and your default subnet has a route to the Internet gateway.

  Nondefault VPC: By default, your instance cannot access the Internet. Your instance doesn't receive a public IP address by default. Your VPC may have an Internet gateway, depending on how it was created.

The following diagram shows instances in each platform. Note the following:

  • Instances C1, C2, C3, and C4 are in the EC2-Classic platform. C1 and C2 were launched by one account, and C3 and C4 were launched by a different account. These instances can communicate with each other and can access the Internet directly.

  • Instances V1 and V2 are in different subnets in the same VPC in the EC2-VPC platform. They were launched by the account that owns the VPC; no other account can launch instances in this VPC. These instances can communicate with each other and can access instances in EC2-Classic and the Internet through the Internet gateway.

[Diagram: Amazon EC2 supported platforms]

Sharing and Accessing Resources Between EC2-Classic and EC2-VPC

Some resources and features in your AWS account can be shared or accessed between the EC2-Classic and EC2-VPC platforms, for example, through ClassicLink. For more information about ClassicLink, see ClassicLink.

If your account supports EC2-Classic, you might have set up resources for use in EC2-Classic. If you want to migrate from EC2-Classic to a VPC, you must recreate those resources in your VPC. For more information about migrating from EC2-Classic to a VPC, see Migrating from a Linux Instance in EC2-Classic to a Linux Instance in a VPC.

The following resources can be shared or accessed between EC2-Classic and a VPC.

Resource (with notes where they apply):

  • AMI

  • Bundle task

  • EBS volume

  • Elastic IP address: You can migrate an Elastic IP address from EC2-Classic to EC2-VPC. You can't migrate an Elastic IP address that was originally allocated for use in a VPC to EC2-Classic. For more information, see Migrating an Elastic IP Address from EC2-Classic to EC2-VPC.

  • Instance: An EC2-Classic instance can communicate with instances in a VPC using public IP addresses, or you can use ClassicLink to enable communication over private IP addresses.

    You can't migrate an instance from EC2-Classic to a VPC. However, you can migrate your application from an instance in EC2-Classic to an instance in a VPC. For more information, see Migrating from a Linux Instance in EC2-Classic to a Linux Instance in a VPC.

  • Key pair

  • Load balancer: If you're using ClassicLink, you can register a linked EC2-Classic instance with a load balancer in a VPC, provided that the VPC has a subnet in the same Availability Zone as the instance.

    You can't migrate a load balancer from EC2-Classic to a VPC. You can't register an instance in a VPC with a load balancer in EC2-Classic.

  • Placement group

  • Reserved Instance: You can change the network platform for your Reserved Instances from EC2-Classic to EC2-VPC. For more information, see Modifying Your Reserved Instances.

  • Security group: A linked EC2-Classic instance can use VPC security groups through ClassicLink to control traffic to and from the VPC. VPC instances can't use EC2-Classic security groups.

    You can't migrate a security group from EC2-Classic to a VPC. You can copy rules from a security group in EC2-Classic to a security group in a VPC. For more information, see Creating a Security Group.

  • Snapshot
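The security group rows of the comparison table and the note above that rules can be copied from an EC2-Classic group to a VPC group both hinge on what does not carry over: cross-account group references, the lower per-group rule limit, and the absence of outbound rules in EC2-Classic. The following added example (not the guide's or AWS's own code) takes a group description in the shape of a DescribeSecurityGroups response and produces an ingress permission list for the VPC group, reporting everything it had to drop. The group names, account IDs and the `translate_classic_rules` / `count_rules` functions are constructed for illustration.

```python
"""Copy inbound rules from an EC2-Classic security group into a form that can
be submitted for a VPC security group, flagging what does not carry over.

Added example, not the guide's own code. Input follows the shape of a
DescribeSecurityGroups response (IpPermissions / IpRanges / UserIdGroupPairs).
All group and account values are constructed; the function names are
hypothetical."""
import json

VPC_RULES_PER_GROUP = 50       # limit quoted in the comparison table
VPC_GROUPS_PER_INSTANCE = 5    # likewise

# Constructed EC2-Classic group owned by account 111111111111. The third rule
# references one group in the same account and one in another account, which
# EC2-Classic allows but a VPC group does not.
CLASSIC_SG = {
    "GroupName": "web-classic",
    "OwnerId": "111111111111",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [],
         "UserIdGroupPairs": [
             {"UserId": "111111111111", "GroupName": "app-classic"},
             {"UserId": "222222222222", "GroupName": "partner-classic"},
         ]},
    ],
}


def count_rules(permissions):
    """Each CIDR source and each group source counts as one rule."""
    return sum(len(p.get("IpRanges", [])) + len(p.get("UserIdGroupPairs", []))
               for p in permissions)


def translate_classic_rules(classic_sg, vpc_group_ids,
                            rule_limit=VPC_RULES_PER_GROUP):
    """Return (vpc_permissions, findings).

    vpc_permissions has the shape accepted by AuthorizeSecurityGroupIngress on
    the VPC group. vpc_group_ids maps EC2-Classic group names to the IDs of the
    VPC groups that replace them; anything that cannot be mapped is dropped and
    reported in findings rather than silently widened or narrowed.
    """
    owner = classic_sg["OwnerId"]
    vpc_permissions, findings = [], []
    for perm in classic_sg.get("IpPermissions", []):
        new_perm = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort")
                    if k in perm}
        new_perm["IpRanges"] = [{"CidrIp": r["CidrIp"]}
                                for r in perm.get("IpRanges", [])]
        new_perm["UserIdGroupPairs"] = []
        for pair in perm.get("UserIdGroupPairs", []):
            name = pair.get("GroupName") or pair.get("GroupId")
            if pair.get("UserId") != owner:
                # A VPC security group can only reference groups in its own VPC.
                findings.append(f"dropped cross-account reference to {name} "
                                f"(account {pair.get('UserId')})")
            elif name not in vpc_group_ids:
                findings.append(f"no VPC counterpart supplied for "
                                f"EC2-Classic group {name}")
            else:
                new_perm["UserIdGroupPairs"].append(
                    {"GroupId": vpc_group_ids[name]})
        # Keep the permission only if at least one source survived.
        if new_perm["IpRanges"] or new_perm["UserIdGroupPairs"]:
            vpc_permissions.append(new_perm)
    total = count_rules(vpc_permissions)
    if total > rule_limit:
        findings.append(f"{total} rules exceed the VPC limit of {rule_limit} "
                        f"per group; split them across groups (an instance "
                        f"takes up to {VPC_GROUPS_PER_INSTANCE})")
    # EC2-Classic groups have inbound rules only; a VPC group also has
    # outbound rules and allows all egress until you restrict it.
    findings.append("review outbound rules: the VPC group allows all egress "
                    "by default")
    return vpc_permissions, findings


if __name__ == "__main__":
    perms, notes = translate_classic_rules(
        CLASSIC_SG, {"app-classic": "sg-0123456789abcdef0"})
    print(json.dumps(perms, indent=2))
    for note in notes:
        print("finding:", note)
```

The mapping of Classic group names to VPC group IDs is deliberately an input rather than a lookup, so the conversion can be reviewed before anything is authorized on the VPC group.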

The following resources can't be shared or moved between EC2-Classic and a VPC:

  • Spot Instances

Instance Types Available Only in a VPC

Instances of the following instance types are not supported in EC2-Classic and must be launched in a VPC:

  • C4

  • M4

  • T2

If your account supports EC2-Classic but you have not created a nondefault VPC, you can do one of the following to launch a VPC-only instance:

  • Create a nondefault VPC and launch your VPC-only instance into it by specifying a subnet ID or a network interface ID in the request. Note that you must create a nondefault VPC if you do not have a default VPC and you are using the AWS CLI, Amazon EC2 API, or Amazon EC2 CLI to launch a VPC-only instance. For more information, see Create a Virtual Private Cloud (VPC).

  • Launch your VPC-only instance using the Amazon EC2 console. The Amazon EC2 console creates a nondefault VPC in your account and launches the instance into the subnet in the first Availability Zone. Note that the console creates the VPC with the following attributes:

    • One subnet in each Availability Zone, with the public IP addressing attribute set to true so that instances receive a public IP address. For more information, see IP Addressing in Your VPC in the Amazon VPC User Guide.

    • An Internet gateway, and a main route table that routes traffic in the VPC to the Internet gateway. This enables the instances you launch in the VPC to communicate over the Internet. For more information, see Internet Gateways in the Amazon VPC User Guide.

    • A default security group for the VPC and a default network ACL that is associated with each subnet. For more information, see Security in Your VPC in the Amazon VPC User Guide.
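The console creates this VPC for you, but when you use the API (or the AWS CLI) you have to build the same attributes yourself. The following added example, written here with boto3 and not taken from the guide, reproduces the console's layout through the EC2 API: one subnet per Availability Zone with public IP addressing enabled, an Internet gateway, and a default route to it in the main route table. `plan_subnets`, `build_console_style_vpc` and `launch_vpc_only_instance` are hypothetical names; the `10.0.0.0/16` block and the zone names in the usage are constructed. The default security group and default network ACL are created with the VPC by the service, so the code does not create them.

```python
"""Build a nondefault VPC with the attributes the EC2 console gives the VPC it
creates for a VPC-only instance, then launch an instance into one of its
subnets by subnet ID.

Added example using boto3; not the guide's own code. Function names are
hypothetical. boto3 is imported lazily so the subnet planning runs without it."""
import ipaddress


def plan_subnets(vpc_cidr, zone_names, subnet_prefix=24):
    """Return [(zone, cidr), ...], one subnet per Availability Zone.

    The VPC block is cut into equal /subnet_prefix pieces assigned in zone
    order; asking for more zones than the block can hold is an error rather
    than a silently shorter plan.
    """
    network = ipaddress.ip_network(vpc_cidr)
    if subnet_prefix < network.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    pieces = network.subnets(new_prefix=subnet_prefix)
    plan = []
    for zone in zone_names:
        try:
            plan.append((zone, str(next(pieces))))
        except StopIteration:
            raise ValueError(f"{vpc_cidr} has too few /{subnet_prefix} "
                             f"subnets for {len(zone_names)} zones") from None
    return plan


def build_console_style_vpc(ec2, vpc_cidr="10.0.0.0/16",
                            enable_dns_hostnames=False):
    """Create the VPC; ec2 is a boto3 EC2 client. Returns the new IDs."""
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])
    if enable_dns_hostnames:
        # A nondefault VPC has DNS hostnames disabled by default (see the
        # comparison table); turn them on only if the workload needs them.
        ec2.modify_vpc_attribute(VpcId=vpc_id,
                                 EnableDnsHostnames={"Value": True})

    zones = [z["ZoneName"]
             for z in ec2.describe_availability_zones()["AvailabilityZones"]
             if z["State"] == "available"]
    subnet_ids = []
    for zone, cidr in plan_subnets(vpc_cidr, zones):
        subnet_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr,
                                      AvailabilityZone=zone)["Subnet"]["SubnetId"]
        # Public IP addressing attribute set to true, as the console does.
        ec2.modify_subnet_attribute(SubnetId=subnet_id,
                                    MapPublicIpOnLaunch={"Value": True})
        subnet_ids.append(subnet_id)

    # Internet gateway plus a default route in the VPC's main route table.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    main_rtb = ec2.describe_route_tables(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "association.main", "Values": ["true"]},
    ])["RouteTables"][0]["RouteTableId"]
    ec2.create_route(RouteTableId=main_rtb, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw_id)
    # The default security group and default network ACL were created with
    # the VPC by the service; nothing to do for them here.
    return {"VpcId": vpc_id, "SubnetIds": subnet_ids,
            "InternetGatewayId": igw_id, "RouteTableId": main_rtb}


def launch_vpc_only_instance(ec2, image_id, subnet_id, instance_type="t2.micro"):
    """Launch a VPC-only instance type by naming the subnet in the request."""
    resp = ec2.run_instances(ImageId=image_id, InstanceType=instance_type,
                             SubnetId=subnet_id, MinCount=1, MaxCount=1)
    return resp["Instances"][0]["InstanceId"]


if __name__ == "__main__":
    import boto3  # lazy: only the live path needs it
    client = boto3.client("ec2")
    created = build_console_style_vpc(client)
    print(created)
    # IMAGE_ID_PLACEHOLDER: substitute an AMI available in your region.
    # print(launch_vpc_only_instance(client, "IMAGE_ID_PLACEHOLDER",
    #                                created["SubnetIds"][0]))
```

Running the main block creates resources in the region your credentials default to; the subnet planning alone runs offline.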

If you have other resources in EC2-Classic, you can take steps to migrate them to EC2-VPC. For more information, see Migrating from a Linux Instance in EC2-Classic to a Linux Instance in a VPC.

Amazon VPC Documentation

For more information about Amazon VPC, see the following documentation.

  • Amazon VPC Getting Started Guide: Provides a hands-on introduction to Amazon VPC.

  • Amazon VPC User Guide: Provides detailed information about how to use Amazon VPC.

  • Amazon VPC Network Administrator Guide: Helps network administrators configure your customer gateway.