EC2 Networking

Limitations

  • EC2 firewalls can only handle TCP, UDP or ICMP traffic. Therefore GRE, IPIP, SIT and other tunnelling protocols will not work in EC2, even between internal IP addresses and subnets.
  • Unless you use VPC, there's no guarantee your instances will be on the same subnet, so a NAT-based load balancer is hard to implement.
  • EC2 firewalls check for spoofed source IPs, so asymmetric routing schemes will not work.

Undocumented

  • Instance external DNS records on Amazon's name servers resolve to internal addresses when queried from the internal network. This is very useful when using Elastic IPs, because the Elastic IP's DNS record can serve as a dynamic marker for the instance's internal IP.
  • When you open ports in a security group they are opened to both external and internal traffic. Do not rely on ping/curl to verify that your instances exist; you may be communicating with someone else's instances.
  • Security groups do not allow communication within the group by default. You need to explicitly add a permission for the group to communicate with itself.
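The three security-group pitfalls above (tunnelling protocols the firewall cannot pass, ports that are open to the whole world and therefore to other tenants, and groups with no self-referencing rule) can be checked offline against the output of `aws ec2 describe-security-groups`. The following audit script is an added example, not code from this page's author or from Amazon; it assumes the JSON shape of that command (the keys `IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `CidrIp` and `UserIdGroupPairs` are the real field names), while the group ids, group names and CIDRs in the sample are constructed for the example.

```python
"""Offline audit of EC2 security group rules for the pitfalls listed above."""

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (field names are real; the ids "sg-web"/"sg-db" and the CIDRs are made up).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db",
        "GroupName": "db",
        "IpPermissions": [
            # Reachable from the web group, but no rule for the group itself:
            # db nodes in this group cannot talk to each other.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
            # Opened to the world by mistake: on EC2 this is reachable from
            # outside and from other tenants' instances alike.
            {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # GRE (IP protocol 47): the EC2 firewall only understands
            # tcp/udp/icmp, so this rule never passes any traffic.
            {"IpProtocol": "47", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]

# "-1" is the API's value for "all traffic".
SUPPORTED_PROTOCOLS = {"tcp", "udp", "icmp", "-1"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def port_label(perm):
    """Render a permission as proto/ports, e.g. 'tcp/80' or 'udp/1000-2000'."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all/all"
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if lo == -1:           # -1 means every port (or every ICMP type)
        ports = "all"
    elif lo == hi:
        ports = str(lo)
    else:
        ports = f"{lo}-{hi}"
    return f"{proto}/{ports}"


def allows_self(group):
    """True if some rule lets members of this group reach each other."""
    gid = group["GroupId"]
    return any(pair.get("GroupId") == gid
               for perm in group["IpPermissions"]
               for pair in perm.get("UserIdGroupPairs", []))


def world_open_ports(group):
    """Ports any address on the Internet (and any other EC2 tenant) can reach."""
    return [port_label(p) for p in group["IpPermissions"]
            if any(r.get("CidrIp") in WORLD_CIDRS for r in p.get("IpRanges", []))]


def unsupported_protocols(group):
    """Protocols the EC2 firewall cannot pass, so the rule is dead."""
    return [p["IpProtocol"] for p in group["IpPermissions"]
            if p["IpProtocol"] not in SUPPORTED_PROTOCOLS]


def self_rule(group):
    """The permission to add so the group can talk to itself (all traffic)."""
    return {"IpProtocol": "-1", "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": group["GroupId"]}]}


def audit(groups):
    """Return (group_id, finding, detail) tuples for every issue found."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        if not allows_self(g):
            findings.append((gid, "no-self-rule", "members cannot reach each other"))
        for label in world_open_ports(g):
            findings.append((gid, "world-open", label))
        for proto in unsupported_protocols(g):
            findings.append((gid, "unsupported-protocol", proto))
    return findings


if __name__ == "__main__":
    for gid, kind, detail in audit(SAMPLE_GROUPS):
        print(f"{gid}: {kind}: {detail}")
```

Feed it real data with `aws ec2 describe-security-groups` and pass the `SecurityGroups` list to `audit()`; the dictionary returned by `self_rule()` is the permission you would authorize to fix the "no-self-rule" finding.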
-- AvishaiIshShalom - 17 Mar 2010
Topic revision: r7 - 04 Jan 2011 - 08:01:45 - AvishaiIshShalom
 
