"Security groups (which define what IPs can access what ports, similar to basic IPTables firewall rules) cannot be shared between EC2-Classic and EC2-VPC,"<p>That is no longer true. In December 2014 Amazon launched ClassicLink, which lets you add EC2-Classic instances to VPC security groups.<p><a href="https://aws.amazon.com/blogs/aws/classiclink-private-communication-between-classic-ec2-instances-vpc-resources/" rel="nofollow">https://aws.amazon.com/blogs/aws/classiclink-private-communi...</a><p><a href="http://www.youtube.com/watch?v=HexrVfuIY1k&t=33m33s" rel="nofollow">http://www.youtube.com/watch?v=HexrVfuIY1k&t=33m33s</a>
Similarly, Instagram faced similar issues and developed Neti for the task.<p><a href="https://github.com/Instagram/neti" rel="nofollow">https://github.com/Instagram/neti</a><p>And the blog article:<p><a href="http://instagram-engineering.tumblr.com/post/89992572022/migrating-aws-fb" rel="nofollow">http://instagram-engineering.tumblr.com/post/89992572022/mig...</a><p>Now, Instagram's path was AWS EC2-Classic -> AWS VPC -> FB; however, it is still relevant.