ClassicLink Mirror on AWS
ClassicLink Mirror on AWS

Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

        ClassicLink Mirror on AWS

Figure 1: ClassicLink Mirror on AWS

The AWS CloudFormation template creates an Amazon CloudWatch event rule, which invokes the solution’s AWS Lambda function after a relevant Amazon EC2 API call is made (see the appendix).


AWS CloudTrail is necessary to emit a CloudWatch event after an API call, therefore you must manually enable AWS CloudTrail in your account before deploying this solution (see Prerequisites).

After launching the AWS CloudFormation template, the user must create the virtual private cloud (VPC) to migrate to, and enable ClassicLink on that VPC. The user must also identify the EC2-Classic security groups for ClassicLink Mirror to manage, and manually assign them tags that contain the VPC ID (see Step 3. Tag Your EC2-Classic Security Groups). Once ClassicLink Mirror is configured, it will create and manage a set of mirrored security groups in that VPC.

When invoked, the ClassicLink Mirror Lambda function audits the tagged EC2-Classic security groups for any changes (such as rule changes or new instance memberships), and completes the appropriate action to maintain a mirror in the VPC. This includes the following actions:

  • Create an analogous VPC security group if one does not yet exist. ClassicLink Mirror will give the VPC security group the same name as the EC2-Classic security group, and add a tag (classiclinkmirror:mirroredFromClassicSecurityGroupId) that contains the associated EC2-Classic security group ID in the tag value. Likewise, ClassicLink Mirror will add a tag (classiclinkmirror:mirroredToVpcSecurityGroupId) to the original EC2-Classic security group that contains the associated VPC security group ID in the tag value. Thus, you will be able to see the relationships between your EC2-Classic security groups and those that ClassicLink Mirror is managing in your VPC.

  • Identify any differences in security group rules and sync them (on the VPC side). For example, if you recently authorized SSH traffic from to your EC2-Classic security group, ClassicLink Mirror will add the same rule to the VPC security group. Similarly, if you dropped that rule from the EC2-Classic security group, ClassicLink Mirror will revoke that rule on the corresponding VPC security group. If the new rule references another EC2-Classic security group that is also managed by ClassicLink Mirror, ClassicLink Mirror will find the source group’s counterpart in your VPC and authorize a similar relationship in the VPC security group.

    See Implementation Considerations for information about exceptions to this actions (i.e., security group rules that ClassicLink Mirror will not revoke.)

  • Discover any new members of the EC2-Classic security group and link them to the VPC using ClassicLink to make them members of the corresponding VPC security group. Most customers will include ClassicLink in their automatic deployment processes, such as an Auto Scaling group that uses a launch configuration to automatically link new EC2-Classic instances to a VPC at launch. But, we include this action in the solution to serve as a backup check for instances that were provisioned manually.