Release: Amazon Virtual Private Cloud on 2011-03-14

Support for VPCs that use an Internet gateway, route tables, Elastic IP addresses, NAT instances, security groups, and network access control lists.

Details

Submitted By: Francis@AWS
Release Date: March 14, 2011 7:00 AM GMT
Latest Version: 2011-01-01
Latest WSDL: http://ec2.amazonaws.com/doc/2011-01-01/AmazonEC2.wsdl
Created On: March 15, 2011 3:47 AM GMT
Last Updated: March 15, 2011 3:47 AM GMT

New Features

New API Version: With this release, Amazon VPC has a new API version (2011-01-01). The WSDL is at http://ec2.amazonaws.com/doc/2011-01-01/AmazonEC2.wsdl. To get the latest version of the API tools, go to Amazon EC2 API Tools.
Internet Gateway: With this release, you can add an Internet gateway to your VPC, enabling instances in your VPC to communicate directly with the Internet. For more information, go to Adding an Internet Gateway to Your VPC in the Amazon Virtual Private Cloud User Guide.
IPsec VPN Gateway Now Optional: With this release, you are no longer required to have a hardware-based IPsec VPN Gateway in order to communicate with your VPC. Instead, your VPC can be connected to the Internet with an optional Internet gateway, to your data center with an optional VPN gateway, or to both, depending on the configuration and level of privacy you want for your VPC.
Route Tables: With this release, your VPC has route tables that you use to direct the traffic leaving the VPC. For more information, go to Route Tables in the Amazon Virtual Private Cloud User Guide.
Amazon VPC Elastic IP Addresses: With this release, you can use Elastic IP addresses with Amazon VPC. These are separate from Elastic IP addresses you use with Amazon EC2. Any instance in your VPC that needs to directly communicate with the Internet must have a VPC Elastic IP address. For more information, go to Elastic IP Addresses in the Amazon Virtual Private Cloud User Guide.

The EC2 API actions and commands related to Elastic IP addresses have been updated to accommodate VPC Elastic IP addresses. Unlike EC2 Elastic IP addresses, VPC addresses require the use of allocation IDs and association IDs.
Amazon VPC Security Groups: With this release, you can use security groups with Amazon VPC. These are separate from security groups you use with Amazon EC2. VPC security groups have additional enhancements not available with EC2 security groups. For example, VPC security groups have both ingress and egress rules (EC2 security groups have only ingress). Also, you can change the security groups a VPC instance is in after the instance is running (something unavailable to EC2 security groups). For more information, go to Security Groups in the Amazon Virtual Private Cloud User Guide.

The EC2 API actions and commands related to security groups have been updated to accommodate VPC security groups.
Network Access Control Lists (ACLs): With this release, your VPC has optional network access control lists (ACLs) that can provide a second layer of security on top of the security groups. For more information, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.
NAT Instances: With this release, AWS provides AMIs that perform Network Address Translation (NAT) for private instances in your VPC. To locate these AMIs, look for AMIs that contain the string ami-vpc-nat in their names. For more information, go to NAT Instances in the Amazon Virtual Private Cloud User Guide.
Amazon DNS Server as a DHCP Option: With this release, any new VPC that you create automatically comes with a set of DHCP options that consists only of a DNS server that Amazon provides (169.254.169.253). For more information, go to Using DHCP Options with Your VPC in the Amazon Virtual Private Cloud User Guide.
Redesign of the Amazon VPC Console: With this release, the Amazon VPC tab on the AWS Management Console has been redesigned and updated to include the following:
  • A VPC creation wizard that sets up a VPC in one of four common layouts:
    • VPC with a Single Public Subnet Only
    • VPC with Public and Private Subnets
    • VPC with Public and Private Subnets and Hardware VPN Access
    • VPC with a Private Subnet Only and Hardware VPN Access

  • New pages for the following components:
    • Internet gateway
    • Route tables
    • Elastic IP addresses
    • Security groups
    • Network ACLs

  • A new VPN connection wizard that sets up a VPN connection for your VPC with one button

  • A button for deleting a VPC and all its related components (you can use AWS Identity and Access Management to control who in your organization can delete your VPC; for more information go to Controlling VPC Management in the Amazon Virtual Private Cloud User Guide)
Metadata for VPC Instances: With this release, new categories of metadata are available to instances (the new metadata version is 2011-01-01). There are new entries specifically for instances running in a VPC. For more information, go to Appendix B: Metadata Categories in the Amazon Elastic Compute Cloud User Guide.
New Instance Attributes: With this release, VPC instances have new attributes that you can modify (either when the instance is running or stopped):
  • Whether source/destination checking is enabled on the instance
  • Which security groups the instance belongs to
The first attribute in the list is necessary for NAT instances. For more information, go to NAT Instances in the Amazon Virtual Private Cloud User Guide.

You can modify either attribute using the AWS Management Console. For information about modifying these attributes through the API or command line tools, go to ModifyInstanceAttribute or ec2-modify-instance-attribute.
Documentation: The Amazon VPC Getting Started Guide and Amazon VPC User Guide have been rewritten to reflect the new functionality that's available with this release.

Also, the Amazon VPC API reference and command line tools reference have been merged with the Amazon Elastic Compute Cloud API Reference and the Amazon Elastic Compute Cloud Command Line Tools Reference.

Known Issues


Current Limits

With the current implementation of Amazon VPC:

  • You can have one VPC per AWS account per Region
  • You can assign one IP address range to your VPC
  • You can't change the IP address range of a created VPC or subnet
  • If you plan to have a VPN connection to your VPC: you can have one VPN gateway, one customer gateway, and one VPN connection per AWS account per Region
  • Other VPC resources are limited (go to Appendix B: Limits in the Amazon Virtual Private Cloud User Guide)

Current Service Limitations

With the current implementation of Amazon VPC:

  • Your VPC, subnets, and any instances you launch in the VPC must all reside in a single Availability Zone in the us-east-1 or eu-west-1 region
  • You can't use either broadcast or multicast within your VPC
  • Amazon EC2 Spot Instances, Cluster Instances, and Micro Instances are not available in a VPC
  • AWS Elastic Beanstalk, Elastic Load Balancing, Amazon Elastic MapReduce, Amazon Relational Database Service (Amazon RDS), and Amazon Route 53 are not available
  • Amazon DevPay paid AMIs are not available in a VPC
Older API Version Clients and Latest Console Display Different Results: If you use a client that is based on an older API version of Amazon VPC, but you also use the AWS Management Console to manage your VPC resources, you'll see different results between the two interfaces.
Elastic IP Addresses Not Interchangeable: Any EC2 Elastic IP addresses your AWS account has cannot be used with your VPC, and any VPC Elastic IP addresses you have can't be used with EC2.
Security Groups Not Interchangeable: Any EC2 security groups your AWS account has cannot be used with your VPC, and any VPC security groups you have can't be used with EC2.
Traffic Sent to Overlapping IP Address Ranges Is Dropped: For customers using the optional IPsec VPN gateway: If your VPC's IP address range overlaps with an IP address range in use within your existing IT infrastructure, Amazon VPC will drop any traffic to said range. To avoid this, create your VPC so it does not overlap with current or expected future subnets in your network.
Ordering of DHCP Option Values Not Guaranteed: When you specify DHCP options, some options (e.g., DNS servers) accept multiple values. The ordering of these values is not guaranteed. After creating the options, you should use the DescribeDhcpOptions operation (or the ec2-describe-dhcp-options command) to confirm the order in which the options will be delivered to instances.
Tags for Amazon VPC Resources Not Supported in the Console: You can tag your Amazon VPC resources using the API or command line tools, but those tags are not available to work with in the AWS Management Console.
Configuration Changes for Windows Server 2008 AMIs: If you've created your own Windows Server 2008 AMIs from Amazon's Windows Server 2008 base images prior to v1.02, you need to make a couple of changes to your existing configuration in order to activate your instances' licensing when launching in a VPC. In some cases, you might need to make changes for v1.02 as well, depending on your needs.
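A pre-creation check for the overlap condition described above, added here as an example (not AWS code): it tests a proposed VPC range against an inventory of current and planned on-premises ranges, and picks the first candidate range that collides with none of them. The inventory and candidate lists are constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample inventory: ranges already in use, or planned, in the
# corporate network. Replace with your own data; these are not from AWS.
EXISTING_RANGES = [
    "10.0.0.0/16",      # head office LAN
    "10.1.0.0/16",      # planned branch expansion (future subnet)
    "172.16.0.0/12",    # legacy lab network
    "192.168.1.0/24",   # VPN client pool
]


def find_overlaps(vpc_cidr: str, existing: Iterable[str]) -> List[str]:
    """Return every range in `existing` that overlaps the proposed VPC CIDR.

    Any hit means traffic between the VPC and that range would be dropped at
    the VPN gateway, so the VPC should not be created with this range.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    hits = []
    for cidr in existing:
        net = ipaddress.ip_network(cidr, strict=True)
        # overlaps() is symmetric: true if either network contains the other
        # or they share any address at all.
        if vpc.overlaps(net):
            hits.append(cidr)
    return hits


def first_free_block(candidates: Iterable[str], existing: Iterable[str]) -> Optional[str]:
    """Pick the first candidate VPC range that overlaps nothing in `existing`."""
    existing = list(existing)
    for cidr in candidates:
        if not find_overlaps(cidr, existing):
            return cidr
    return None


if __name__ == "__main__":
    proposed = "10.0.1.0/24"
    print(proposed, "overlaps:", find_overlaps(proposed, EXISTING_RANGES))
    candidates = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]
    print("first non-overlapping candidate:", first_free_block(candidates, EXISTING_RANGES))
```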

Manually Locate VPC Activation Endpoints

If you want to launch a Windows Server 2008 AMI in a VPC, you must manually set the Windows Activation endpoint in your instance if either of the following conditions is true:
  • You have created your own Windows Server 2008 AMI but opted not to Sysprep that image using the Amazon Ec2Config utility (this is true for all Windows Server 2008 AMI versions)
  • You have created your own AMI from an Amazon base image prior to v1.02 (even if Sysprep was used)

The activation IP addresses for VPC instances are:

  • 169.254.169.250
  • 169.254.169.251 (backup)

To set the endpoint manually, execute the following commands from the command line:

Slmgr.vbs /skms 169.254.169.250
Slmgr.vbs /ato

Update Ec2Config Service Settings

If you're using an AMI that was created from an Amazon public Windows Server 2008 image prior to v1.02, then you should also make a change to one of the Activation Settings files in the Ec2Config service to reflect the new discovery hierarchy, which includes the preceding endpoints for VPC activation.

To make this change, overwrite the file C:\Program Files\Amazon\Ec2ConfigService\Settings\ActivationSettings.xml with the following XML. Once you do that, anytime your image is Sysprep'd with the Ec2Config service utility, your freshly launched instance will be able to locate its KMS servers in any environment.

<?xml version="1.0" encoding="utf-8"?>
<ActivationSettingsTable>
    <!-- 
	KMS Servers are searched for/activated against based on 
	settings in this file.  Each "methodSettings" section is
	attempted until a KMS server is found and instance is 
	successfully activated.
    -->
    <!-- Try autodiscovery first... -->
    <!-- NOTE: Autodiscover clears any KMS that is already set! -->
    <MethodSettings>
	<SetAutodiscover>true</SetAutodiscover>
	<TargetKMSServer/>    
	<DiscoverFromZone/>
	<ReadFromUserData>false</ReadFromUserData>
	<LegacySearchZones>false</LegacySearchZones>
	<DoActivate>true</DoActivate>
    </MethodSettings>
    <!-- Try the first virtual IP for VPC instances -->
    <MethodSettings>
	<SetAutodiscover>false</SetAutodiscover>
	<TargetKMSServer>169.254.169.250</TargetKMSServer>
	<DiscoverFromZone/>
	<ReadFromUserData>false</ReadFromUserData>
	<LegacySearchZones>false</LegacySearchZones>
	<DoActivate>true</DoActivate>
    </MethodSettings>
    <!-- Try the backup IP for VPC instances... -->
    <MethodSettings>
	<SetAutodiscover>false</SetAutodiscover>
	<TargetKMSServer>169.254.169.251</TargetKMSServer>
	<DiscoverFromZone/>
	<ReadFromUserData>false</ReadFromUserData>
	<LegacySearchZones>false</LegacySearchZones>
	<DoActivate>true</DoActivate>
    </MethodSettings>
    <!-- 
	Now search the DNS suffix list.
	This should already have been set by the SetDNSSuffix plugin,
	controlled by the setting in the primary config file.
    -->
    <MethodSettings>
	<SetAutodiscover>false</SetAutodiscover>
	<TargetKMSServer/>
	<DiscoverFromZone/>
	<ReadFromUserData>false</ReadFromUserData>
	<LegacySearchZones>true</LegacySearchZones>
	<DoActivate>true</DoActivate>
    </MethodSettings>
    <GlobalSettings>
	<LogResultToConsole>true</LogResultToConsole>
    </GlobalSettings>
</ActivationSettingsTable>
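A check for an ActivationSettings.xml before it is baked into an image, added here as an example (not part of Ec2Config or the release note): it parses the MethodSettings blocks in file order and reports which of the two VPC activation endpoints listed above are never tried. The embedded sample is a constructed, shortened file that follows the structure shown above, not the full file.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# VPC activation endpoints named in the release note.
VPC_KMS_ENDPOINTS = {"169.254.169.250", "169.254.169.251"}

# Constructed, shortened sample in the layout of ActivationSettings.xml:
# autodiscovery first, then the two fixed VPC endpoints.
SAMPLE_SETTINGS = """<ActivationSettingsTable>
  <MethodSettings>
    <SetAutodiscover>true</SetAutodiscover>
    <TargetKMSServer/>
    <DoActivate>true</DoActivate>
  </MethodSettings>
  <MethodSettings>
    <SetAutodiscover>false</SetAutodiscover>
    <TargetKMSServer>169.254.169.250</TargetKMSServer>
    <DoActivate>true</DoActivate>
  </MethodSettings>
  <MethodSettings>
    <SetAutodiscover>false</SetAutodiscover>
    <TargetKMSServer>169.254.169.251</TargetKMSServer>
    <DoActivate>true</DoActivate>
  </MethodSettings>
</ActivationSettingsTable>
"""


def kms_search_order(xml_text: str) -> List[Tuple[bool, str]]:
    """Return (autodiscover enabled, fixed target) per MethodSettings block, in file order."""
    root = ET.fromstring(xml_text)
    order = []
    for method in root.findall("MethodSettings"):
        auto = method.findtext("SetAutodiscover", "false").strip().lower() == "true"
        # <TargetKMSServer/> yields "", an absent element yields None; treat both as no target.
        target = (method.findtext("TargetKMSServer") or "").strip()
        order.append((auto, target))
    return order


def missing_vpc_endpoints(xml_text: str) -> List[str]:
    """List the VPC activation endpoints the settings file never attempts.

    An image Sysprep'd with such a file cannot fall back to the missing
    endpoint when launched in a VPC, which is the activation failure the
    note describes.
    """
    targets = {target for _, target in kms_search_order(xml_text) if target}
    return sorted(VPC_KMS_ENDPOINTS - targets)
```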