Differences between EC2-Classic and EC2-VPC / EC2-Classic vs EC2-VPC
The following table summarizes the differences between EC2-Classic and EC2-VPC.
EC2-Classic | EC2-VPC |
---|---|
You can create up to 500 security groups per region. | You can create up to 500 security groups per VPC. |
You can add up to 100 rules to a security group. | You can add up to 50 rules to a security group. |
You can add rules for inbound traffic only. | You can add rules for inbound and outbound traffic. |
You can assign up to 500 security groups to an instance. | You can assign up to 5 security groups to a network interface. |
You can reference security groups from other AWS accounts. | You can reference security groups from your VPC or from a peer VPC in a VPC peering connection only. The peer VPC can be in a different account. |
After you launch an instance, you can't change the security groups assigned to it. | You can change the security groups assigned to an instance after it's launched. |
When you add a rule to a security group, you don't have to specify a protocol, and only TCP, UDP, or ICMP are available. | When you add a rule to a security group, you must specify a protocol, and it can be any protocol with a standard protocol number, or all protocols (see Protocol Numbers). |
When you add a rule to a security group, you must specify port numbers (for TCP or UDP). | When you add a rule to a security group, you can specify port numbers only if the rule is for TCP or UDP, and you can specify all port numbers. |
Security groups that are referenced in another security group's rules cannot be deleted. | Security groups that are referenced in another security group's rules can be deleted if the security groups are in different VPCs. If the referenced security group is deleted, the rule is marked as stale. You can use the describe-stale-security-groups AWS CLI command to identify stale rules. |
You cannot specify an IPv6 CIDR block or an IPv6 address as the source or destination in a security group rule. | You can specify an IPv6 CIDR block or an IPv6 address as the source or destination in a security group rule. |
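
The stale-rule row above names `describe-stale-security-groups` as the way to find rules whose referenced group was deleted. The following is an added example, not part of the original page: it flattens that command's JSON response into one record per stale reference so the rules can be reviewed and cleaned up. The sample response and every ID in it are constructed placeholders, and the function name `stale_rules` is hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-stale-security-groups` output.
# Every ID below is a placeholder, not a real resource.
SAMPLE_OUTPUT = """
{"StaleSecurityGroupSet": [
  {"GroupId": "sg-0aaa1111example", "GroupName": "web-tier",
   "VpcId": "vpc-0aaa1111example",
   "StaleIpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "UserIdGroupPairs": [
        {"GroupId": "sg-0bbb2222example", "VpcId": "vpc-0bbb2222example",
         "VpcPeeringConnectionId": "pcx-0ccc3333example"}]}],
   "StaleIpPermissionsEgress": [
     {"IpProtocol": "-1",
      "UserIdGroupPairs": [
        {"GroupId": "sg-0ddd4444example", "VpcId": "vpc-0bbb2222example",
         "VpcPeeringConnectionId": "pcx-0ccc3333example"}]}]}
]}
"""


def stale_rules(cli_json):
    """Return one record per stale group reference, ingress and egress."""
    findings = []
    for group in json.loads(cli_json).get("StaleSecurityGroupSet", []):
        for direction, key in (("ingress", "StaleIpPermissions"),
                               ("egress", "StaleIpPermissionsEgress")):
            for perm in group.get(key, []):
                # Port fields are absent when the rule covers all protocols ("-1").
                if "FromPort" in perm:
                    ports = f'{perm["FromPort"]}-{perm.get("ToPort", perm["FromPort"])}'
                else:
                    ports = "all"
                for pair in perm.get("UserIdGroupPairs", []):
                    findings.append({
                        "group": group["GroupId"],
                        "direction": direction,
                        "protocol": perm.get("IpProtocol", "-1"),
                        "ports": ports,
                        "missing_reference": pair.get("GroupId"),
                        "peer_vpc": pair.get("VpcId"),
                    })
    return findings


if __name__ == "__main__":
    for f in stale_rules(SAMPLE_OUTPUT):
        print("{group} {direction} {protocol}/{ports} -> {missing_reference} "
              "(VPC {peer_vpc})".format(**f))
```

To run it against a real VPC, pass the output of `aws ec2 describe-stale-security-groups --vpc-id <vpc-id>` to `stale_rules` in place of the sample.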