How to authorize connections to non-VPC EC2 instances from the instances in a VPC via the igw-xxxx Internet Gateway

Tags: amazon-ec2, amazon-vpc, amazon-web-services

I've got many EC2 instances and recently added a Virtual Private Cloud at Amazon too. On the VPC subnet 10.0.0.0/8 the host 10.0.0.88 can reach the internet at large through an Internet Gateway device igw-xxxxxx, but I don't know how to authorize that host to access my non-VPC EC2 instances in the outside-the-VPC security group rules.

I'm used to authorizing specific source IPs or the names of other EC2 security groups to connect to the non-VPC hosts, but I can't figure out how to whitelist the VPC host. Whitelisting 10.0.0.88 doesn't make sense, as that IP isn't valid outside the VPC, and whitelisting igw-xxxxxx gets me "no such security group". I can whitelist the host if I assign it an Elastic IP, but then the traffic isn't going directly internal to the AWS structure.

The FAQ makes this sound possible:

Q. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?

A. Yes. If an Internet Gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet Gateway and then enters the public AWS network to reach the EC2 instance.

http://aws.amazon.com/vpc/faqs/#S7

Best Answer

In order for the 10.0.0.88 instance to access the Internet (or EC2) via the Internet Gateway (IGW), the instance either needs to have an associated Elastic IP Address or needs to be talking through a NAT instance (which has an Elastic IP Address).

To lock down an EC2 security group to allow traffic from the VPC instance, specify the allowed source as the Elastic IP Address of either the instance itself or the NAT instance, as discussed above (e.g. 192.0.2.25/32).
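One way to apply this answer from the command line, as an added example that is not part of the original post: the helper refuses the private VPC address the question tried to whitelist and only emits a /32 rule for a public Elastic IP. The subcommand is the real aws ec2 authorize-security-group-ingress; the group id, port and EIP are placeholders to replace with your own values.

```shell
# Added example, not from the original post. The VPC instance leaves the IGW
# with its Elastic IP as source, so the non-VPC security group must allow that
# EIP as a /32. A private VPC address such as 10.0.0.88 is refused because the
# non-VPC instance never sees it. Group id, port and EIP are placeholders.

# Succeed if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done )
}

# Succeed if $1 is RFC 1918 space (10/8, 172.16/12, 192.168/16): VPC-internal, not an EIP.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) second=$(echo "$1" | cut -d. -f2)
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Print the /32 CIDR for a public Elastic IP, or fail with a reason on stderr.
eip_to_cidr() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    if is_rfc1918 "$1"; then
        echo "$1 is a private VPC address; use the instance's or NAT's Elastic IP" >&2
        return 1
    fi
    echo "$1/32"
}

# Print the aws CLI command that adds the TCP ingress rule; run it only when
# DO_RUN=1 is set, so the default is a dry run.
authorize_from_eip() {
    group=$1; port=$2
    cidr=$(eip_to_cidr "$3") || return 1
    set -- aws ec2 authorize-security-group-ingress \
        --group-id "$group" --protocol tcp --port "$port" --cidr "$cidr"
    echo "$*"
    [ "${DO_RUN:-0}" = 1 ] && "$@"
    return 0
}

# Placeholder inputs: replace sg-EXAMPLE and the EIP with your own values.
authorize_from_eip "${SG_ID:-sg-EXAMPLE}" 22 "${EIP:-192.0.2.25}"
```

Run with DO_RUN=1 once the printed command looks right; without it the script only prints the rule it would add.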