ClassicLink Mirror on AWS
ClassicLink Mirror is an AWS-provided, open-source solution for replicating (mirroring) EC2-Classic security groups to a new environment in Amazon Virtual Private Cloud (Amazon VPC). This solution is especially useful when performing complicated migrations between the two platforms because it mirrors network security settings in EC2-Classic to the corresponding (target) VPC network environment.

Background: Migrating from EC2-Classic to Amazon VPC

Two key challenges arise when planning for migration of an application from one network to another. One is maintaining connectivity, as it is common for cloud applications to consist of multiple services that require interconnectivity within the network, i.e. over private IP addresses. The other is maintaining proper access between applications while the migration is in progress.

One way to complete a migration is to replicate the old network structure in the new network, and then move the entire deployment from one network to the other. However, this requires application downtime and so, for availability reasons, many customers prefer to carry out migration in a more incremental manner.

In January 2015, AWS released a feature called ClassicLink which allows customers to associate (link) EC2-Classic instances with Amazon VPC security groups in the same AWS Region, enabling private communication between the two platforms. This communication facilitates incremental migrations to Amazon VPC, allowing customers to migrate individual components while maintaining communication between older EC2-Classic instances and new EC2 instances running in a virtual private cloud (VPC).

In some cases, the migration is completed rapidly and this association is straightforward. However, over the course of a longer-term migration, the set of EC2-Classic instances might change due to manual capacity adjustments or Auto Scaling rules. Furthermore, EC2-Classic security group rules might be added or removed, and it will be necessary to mirror those changes to the corresponding VPC security groups as well.

The ClassicLink Mirror solution automates these tasks. It monitors appropriately tagged EC2-Classic security groups, and whenever there is a change in their rules or instance memberships, it replicates those changes in the associated VPC to help keep the networks consistent (mirrored) during migration. The mirroring actions are unidirectional: the user need only update the EC2-Classic security groups and ClassicLink Mirror will overwrite/update the Amazon VPC side accordingly. See the Architecture Overview for detailed information.
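
The one-way reconciliation described above can be sketched as a set difference over rules and instance memberships. This is an added example, not the ClassicLink Mirror source code. Assumptions: the tag key `example:mirror-to-vpc`, the `Instances` and `LinkedInstances` fields, tags held as a dict, and source groups compared by name are all hypothetical simplifications; the `IpPermissions` layout follows the shape the EC2 API returns.

```python
from typing import NamedTuple

MIRROR_TAG = "example:mirror-to-vpc"  # hypothetical tag key, not the solution's own

class Rule(NamedTuple):
    protocol: str
    from_port: int
    to_port: int
    source: str  # CIDR block, or name of a source security group

def normalize(permissions):
    """Flatten EC2 IpPermissions entries into a set of comparable Rule tuples."""
    rules = set()
    for perm in permissions:
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            rules.add(Rule(perm["IpProtocol"], lo, hi, r["CidrIp"]))
        for g in perm.get("UserIdGroupPairs", []):
            rules.add(Rule(perm["IpProtocol"], lo, hi, g["GroupName"]))
    return rules

def plan_mirror(classic, vpc):
    """One-way plan that makes the VPC group match the EC2-Classic group.
    Returns None when the Classic group is not tagged for mirroring."""
    if MIRROR_TAG not in classic.get("Tags", {}):
        return None
    want, have = normalize(classic["IpPermissions"]), normalize(vpc["IpPermissions"])
    members, linked = set(classic["Instances"]), set(vpc["LinkedInstances"])
    return {
        "authorize": sorted(want - have),  # rules added on the Classic side
        "revoke": sorted(have - want),     # VPC-only rules are overwritten
        "link": sorted(members - linked),  # new Classic members to ClassicLink
        "unlink": sorted(linked - members),
    }

def perm(proto, port, cidr):
    """Build one single-port, single-CIDR IpPermissions entry for the sample data."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample state (simplified: tags as a dict, membership stored inline).
CLASSIC = {"Tags": {MIRROR_TAG: "vpc-EXAMPLE"},
           "IpPermissions": [perm("tcp", 443, "0.0.0.0/0"), perm("tcp", 22, "203.0.113.0/24")],
           "Instances": ["i-aaa", "i-bbb"]}
VPC = {"IpPermissions": [perm("tcp", 443, "0.0.0.0/0"), perm("tcp", 3389, "0.0.0.0/0")],
       "LinkedInstances": ["i-aaa", "i-ccc"]}

if __name__ == "__main__":
    for action, items in plan_mirror(CLASSIC, VPC).items():
        print(action, items)
```

In the sample, the port 3389 rule exists only on the VPC side and lands in `revoke`: with unidirectional mirroring, a rule edited directly on the VPC security group does not survive the next sync, so changes belong on the EC2-Classic group.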


You are responsible for the cost of the AWS services used while running this solution. There is no additional cost for deploying the automated solution. As of the date of publication, the cost for running this solution is negligible—for most customers the estimated cost will be less than a penny a month.

AWS Lambda pricing is based on invocation count and duration. Therefore, the cost of running ClassicLink Mirror automation depends primarily on the frequency with which relevant Amazon EC2 APIs are called from your account (see the appendix for a complete list). For smaller deployments, each invocation of the Lambda function can be expected to complete in under five (5) seconds. Monitor your monthly AWS Lambda bill for a detailed breakdown of service costs incurred while running this solution.

Prices are subject to change. For full details, see the pricing webpage for each AWS service you will be using in this solution.