security group rules between EC2-classic and VPC server

We are currently using a set of Amazon EC2-classic servers for hosting our live and staging environments. We've got a couple of web servers and a background worker server in each environment. We've then also got a couple of servers for build and deployment.

We've recently decided, because of the occasional nature of some of our servers, to move them to T2 server types (these are our build and deployment servers). The T2 types can only be started in a VPC though.

So we have set up a VPC and successfully got them running and everything is mostly good.

The problem is that we want to be able to have our deployment server be able to talk to the web servers on a specific port. Previously we had this set up in security groups so those web servers would only listen to the deployment server on that port and nobody else could talk to it.

Now, though, I am coming to the web servers to edit their security groups to say allow traffic on that port from the VPC deployment server via its security group. However, Amazon tells me that "You may not define rules between a VPC group and a non-VPC group". However, I can't think of any other way that I can say allow access from the servers in this VPC. I could obviously hardcode the public IP of my deployment server into the allow list, but I would assume that this may change if I were to stop and start the deployment server, so this isn't a good solution.

I could also move all my servers to the VPC but I would rather avoid moving all the other servers including our live web servers just to get this working since this seems a lot of work (given that it won't just take a set of security rules and convert them to VPC rules and so on).

So how can I define a rule that says an EC2-classic server can only be connected to on port xyz by a specific server in a VPC?


Amazon announced ClassicLink literally just yesterday.

I haven't had time to try it out yet so I'm not sure exactly what it's capable of but from that blog post:

You can now enable this feature for any or all of your VPCs and then put your existing Classic instances into VPC security groups.

It sounds like this feature might be ideally suited to solving your problem.
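What the ClassicLink route looks like with the AWS CLI, as an added example that is not part of the answer above or of AWS's own material: the VPC hosting the deployment server gets ClassicLink enabled, the classic web server is linked into it and placed in a VPC security group, and the ingress rule on that group names the deployment server's security group instead of its public IP. All IDs and the port are placeholders, and `AWS` can be overridden (for example with `echo`) to dry-run the commands.

```shell
#!/bin/sh
# Added example: reach an EC2-Classic web server from a VPC deployment server
# over one port using ClassicLink. IDs below are placeholders, not real ones.
AWS="${AWS:-aws}"            # set AWS=echo to print the commands instead of running them

# Step 1: enable ClassicLink on the VPC that contains the deployment server.
enable_classic_link() {      # $1 = VPC id
    $AWS ec2 enable-vpc-classic-link --vpc-id "$1"
}

# Step 2: link the (running) classic web server to that VPC and put it into a
# VPC security group; ClassicLink is what makes a classic instance eligible.
link_classic_instance() {    # $1 = classic instance id, $2 = VPC id, $3 = VPC SG id
    $AWS ec2 attach-classic-link-vpc --instance-id "$1" --vpc-id "$2" --groups "$3"
}

# Step 3: the rule on the web server's VPC group references the deployment
# server's group, so a stop/start that changes its IP does not break access,
# and no other source is allowed on that port.
allow_port_from_group() {    # $1 = web SG id, $2 = deploy SG id, $3 = TCP port
    $AWS ec2 authorize-security-group-ingress --group-id "$1" \
        --protocol tcp --port "$3" --source-group "$2"
}

# Small sanity check before touching any security group: a TCP port is an
# integer in 1..65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run only when invoked as: ./classiclink.sh apply <vpc> <instance> <web-sg> <deploy-sg> <port>
if [ "${1:-}" = "apply" ]; then
    validate_port "$6" || { echo "bad port: $6" >&2; exit 1; }
    enable_classic_link "$2"
    link_classic_instance "$3" "$2" "$4"
    allow_port_from_group "$4" "$5" "$6"
fi
```

The deployment server must address the linked web server by its private IP, since ClassicLink traffic stays on the VPC's private addressing. AWS retired EC2-Classic and ClassicLink in 2022, so these steps apply to accounts of the era this question was asked in.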