ClassicLink Mirror on AWS

Implementation Considerations

  • ClassicLink Mirror fully manages the VPCs it creates, specifically any security group with the tag: classiclinkmirror:mirroredFromClassicSecurityGroupId

    If you attempt to authorize or revoke rules on a VPC security group that ClassicLink Mirror manages, those changes will be undone the next time ClassicLink Mirror runs, in order to keep the VPC security group in sync with its corresponding EC2-Classic security group.

    The exception to this is references to VPC security groups that do not have equivalents in EC2-Classic. For example, in EC2-Classic, Elastic Load Balancing instances are members of a special, shared Elastic Load Balancing security group. In Amazon VPC, however, the Elastic Load Balancing network interface has its own customer-managed security group that is attached to a VPC. Because the Elastic Load Balancing configuration is not parallel between the two platforms, ClassicLink Mirror will not revoke an Elastic Load Balancing security group rule on the VPC side.

  • You can create a ClassicLink association only between a single EC2-Classic instance and a single VPC. Therefore, if you have an EC2-Classic instance that is a member of two EC2-Classic security groups, and the ClassicLink Mirror tags on those groups point to two different VPCs, there is no way for ClassicLink Mirror to link the instance to both VPCs, and thus it will not create a ClassicLink association for that instance at all.

  • ClassicLink Mirror deployments are regional: If you have EC2-Classic instances in multiple AWS Regions, you must deploy ClassicLink Mirror independently in each region that has instances you want to automatically manage.

    Note

    Do not deploy ClassicLink Mirror more than once per AWS Region, as you might incur unnecessary AWS Lambda charges. If you wish to link EC2-Classic instances in the same region to different VPCs, you need only identify a different VPC in the instance tag (see Step 3. Tag Your EC2-Classic Security Groups).
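
The single-VPC constraint described above means an instance can be left without any ClassicLink association and nothing flags it. The following pre-deployment check is an added example, not part of ClassicLink Mirror: it runs over constructed, simplified inventory records, and `LINK_TAG` is a placeholder for the security group tag key from Step 3.

```python
# Added example: constructed, simplified records; no AWS calls are made.
# LINK_TAG is a placeholder (assumption): substitute the security group tag
# key your deployment uses to name the target VPC (see Step 3).
LINK_TAG = "EXAMPLE-link-to-vpc-tag"

GROUPS = [  # constructed EC2-Classic security groups
    {"GroupId": "sg-web", "Tags": {LINK_TAG: "vpc-aaaa1111"}},
    {"GroupId": "sg-app", "Tags": {LINK_TAG: "vpc-aaaa1111"}},
    {"GroupId": "sg-db", "Tags": {LINK_TAG: "vpc-bbbb2222"}},
    {"GroupId": "sg-misc", "Tags": {}},
]
INSTANCES = [  # constructed EC2-Classic instances
    {"InstanceId": "i-one", "SecurityGroupIds": ["sg-web", "sg-app"]},
    {"InstanceId": "i-two", "SecurityGroupIds": ["sg-web", "sg-db"]},
    {"InstanceId": "i-three", "SecurityGroupIds": ["sg-misc"]},
]


def target_vpcs(instance, groups_by_id):
    """Collect the distinct VPC IDs named by tags on the instance's groups."""
    vpcs = set()
    for group_id in instance["SecurityGroupIds"]:
        tags = groups_by_id.get(group_id, {}).get("Tags", {})
        if tags.get(LINK_TAG):
            vpcs.add(tags[LINK_TAG])
    return vpcs


def classify(instances, groups):
    """Split instances into linkable, conflicting, and untagged buckets."""
    groups_by_id = {g["GroupId"]: g for g in groups}
    report = {"linkable": {}, "conflict": {}, "untagged": []}
    for inst in instances:
        vpcs = target_vpcs(inst, groups_by_id)
        if len(vpcs) == 1:
            # All tagged groups agree on one VPC, so a link is possible.
            report["linkable"][inst["InstanceId"]] = next(iter(vpcs))
        elif len(vpcs) > 1:
            # Tags point to different VPCs: no association is created.
            report["conflict"][inst["InstanceId"]] = sorted(vpcs)
        else:
            report["untagged"].append(inst["InstanceId"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(classify(INSTANCES, GROUPS), indent=2))
```

Instances listed under `conflict` need their group membership or tags reconciled before they can be linked.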