|New API Version||With this release, Amazon VPC has a new API version (2011-01-01). The WSDL is at http://ec2.amazonaws.com/doc/2011-01-01/AmazonEC2.wsdl. To get the latest version of the API tools, go to Amazon EC2 API Tools.|
|Internet Gateway||With this release, you can add an Internet gateway to your VPC, enabling instances in your VPC to communicate directly with the Internet. For more information, go to Adding an Internet Gateway to Your VPC in the Amazon Virtual Private Cloud User Guide|
|IPsec VPN Gateway Now Optional||With this release, you are no longer required to have a hardware-based IPsec VPN Gateway in order to communicate with your VPC. Instead, your VPC can be connected to the Internet with an optional Internet gateway, to your data center with an optional VPN gateway, or to both, depending on the configuration and level of privacy you want for your VPC.|
|Route Tables||With this release, your VPC has route tables that you use to direct the traffic leaving the VPC. For more information, go to Route Tables in the Amazon Virtual Private Cloud User Guide.|
|Amazon VPC Elastic IP Addresses||With this release, you can use Elastic IP addresses with Amazon VPC. These are separate from Elastic IP addresses you use with Amazon EC2. Any instance in your VPC that needs to directly communicate with the Internet must have a VPC Elastic IP address. For more information, go to Elastic IP Addresses in the Amazon Virtual Private Cloud User Guide.
The EC2 API actions and commands related to Elastic IP addresses have been updated to accommodate VPC Elastic IP addresses. Unlike EC2 Elastic IP addresses, VPC addresses require the use of allocation IDs and association IDs.
|Amazon VPC Security Groups||With this release, you can use security groups with Amazon VPC. These are separate from security groups you use with Amazon EC2. VPC security groups have additional enhancements not available with EC2 security groups. For example, VPC security groups have both ingress and egress rules (EC2 security groups have only ingress). Also, you can change the security groups a VPC instance is in after the instance is running (something unavailable to EC2 security groups). For more information, go to Security Groups in the Amazon Virtual Private Cloud User Guide.
The EC2 API actions and commands related to security groups have been updated to accommodate VPC security groups.
|Network Access Control Lists (ACLs)||With this release, your VPC has optional network access control lists (ACLs) that can provide a second layer of security on top of the security groups. For more information, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.|
|NAT Instances||With this release, AWS provides AMIs that perform Network Address Translation (NAT) for private instances in your VPC. To locate these AMIs, look for AMIs that contain the string
|Amazon DNS Server as a DHCP Option||With this release, any new VPC that you create automatically comes with a set of DHCP options that consists only of a DNS server that Amazon provides (169.254.169.253). For more information, go to Using DHCP Options with Your VPC in the Amazon Virtual Private Cloud User Guide.|
|Redesign of the Amazon VPC Console||With this release, the Amazon VPC tab on the AWS Management Console has been redesigned and updated to include the following:
|Metadata for VPC Instances||With this release, new categories of metadata are available to instances (the new metadata version is 2011-01-01). There are new entries specifically for instances running in a VPC. For more information, go to Appendix B: Metadata Categories in the Amazon Elastic Compute Cloud User Guide.|
|New Instance Attributes||With this release, VPC instances have new attributes that you can modify (either when the instance is running or stopped):
You can modify either attribute using the AWS Management Console. For information about modifying these attributes through the API or command line tools, go to ModifyInstanceAttribute or ec2-modify-instance-attribute.
|Documentation||The Amazon VPC Getting Started Guide and Amazon VPC User Guide have been rewritten to reflect the new functionality that's available with this release.
Also, the Amazon VPC API reference and command line tools reference have been merged with the Amazon Elastic Compute Cloud API Reference and the Amazon Elastic Compute Cloud Command Line Tools Reference.
With the current implementation of Amazon VPC:
Current Service Limitations
With the current implementation of Amazon VPC:
|Older API Version Clients and Latest Console Display Different Results||If you use a client that is based on an older API version of Amazon VPC, but you also use the AWS Management Console to manage your VPC resources, you'll see different results between the two interfaces.|
|Elastic IP Addresses Not Interchangeable||Any EC2 Elastic IP addresses your AWS account has cannot be used with your VPC, and any VPC Elastic IP addresses you have can't be used with EC2.|
|Security Groups Not Interchangeable||Any EC2 security groups your AWS account has cannot be used with your VPC, and any VPC security groups you have can't be used with EC2.|
|Traffic Sent to Overlapping IP Address Ranges Is Dropped||For customers using the optional IPsec VPN gateway: If your VPC's IP address range overlaps with an IP address range in use within your existing IT infrastructure, Amazon VPC will drop any traffic to said range. To avoid this, create your VPC so it does not overlap with current or expected future subnets in your network.|
|Ordering of DHCP Option Values Not Guaranteed||When you specify DHCP options, some options (e.g., DNS servers) accept multiple values. The ordering of these values is not guaranteed. After creating the options, you should use the DescribeDhcpOptions operation (or the ec2-describe-dhcp-options command) to confirm the order in which the options will be delivered to instances.|
|Tags for Amazon VPC Resources Not Supported in the Console||You can tag your Amazon VPC resources using the API or command line tools, but those tags are not available to work with in the AWS Management Console.|
|Configuration Changes for Windows Server 2008 AMIs||If you've created your own Windows Server 2008 AMIs from Amazon's Windows Server 2008 base images prior to v1.02, you need to make a couple of changes to your existing configuration in order to activate your instances' licensing when launching in a VPC. In some cases, you might need to make changes for v1.02 as well, depending on your needs.
Manually Locate VPC Activation EndpointsIf you want to launch a Windows Server 2008 AMI in a VPC, you must manually set the Windows Activation endpoint in your instance if either of the following conditions are true:
The activation IP address for VPC instances are:
To set the endpoint manually, execute the following commands from the command line:
Slmgr.vbs /skms 169.254.169.250 Slmgr.vbs /ato
Update Ec2Config Service Settings
If you're using an AMI that was created from an Amazon public Windows Server 2008 image prior to v1.02, then you should also make a change to one of the Activation Settings files in the Ec2Config service to reflect the new discovery hierarchy, which includes the preceding endpoints for VPC activation.
To make this change, overwrite the file
<?xml version="1.0" encoding="utf-8"?> <ActivationSettingsTable> <!-- KMS Servers are searched for/activated against based on settings in this file. Each "methodSettings" section is attempted until a KMS server is found and instance is successfully activated. --> <!-- Try autodiscovery first... --> <!-- NOTE: Autodiscover clears any KMS that is already set! --> <MethodSettings> <SetAutodiscover>true</SetAutodiscover> <TargetKMSServer/> <DiscoverFromZone/> <ReadFromUserData>false</ReadFromUserData> <LegacySearchZones>false</LegacySearchZones> <DoActivate>true</DoActivate> </MethodSettings> <!-- Try the first virtual IP for VPC instances --> <MethodSettings> <SetAutodiscover>false</SetAutodiscover> <TargetKMSServer>169.254.169.250</TargetKMSServer> <DiscoverFromZone/> <ReadFromUserData>false</ReadFromUserData> <LegacySearchZones>false</LegacySearchZones> <DoActivate>true</DoActivate> </MethodSettings> <!-- Try the backup IP for VPC instances... --> <MethodSettings> <SetAutodiscover>false</SetAutodiscover> <TargetKMSServer>169.254.169.251</TargetKMSServer> <DiscoverFromZone/> <ReadFromUserData>false</ReadFromUserData> <LegacySearchZones>false</LegacySearchZones> <DoActivate>true</DoActivate> </MethodSettings> <!-- Now search the DNS suffix list. This should already have been set by the SetDNSSuffix plugin, controlled by the setting in the primary config file. --> <MethodSettings> <SetAutodiscover>false</SetAutodiscover> <TargetKMSServer/> <DiscoverFromZone/> <ReadFromUserData>false</ReadFromUserData> <LegacySearchZones>true</LegacySearchZones> <DoActivate>true</DoActivate> </MethodSettings> <GlobalSettings> <LogResultToConsole>true</LogResultToConsole> </GlobalSettings> </ActivationSettingsTable>