AWS VPC Lattice: Deep Dive to Service-to-Service Communication

A network is the means by which devices communicate. AWS networking lets you build fast, dependable, and secure networks from a set of on-demand, highly available, and scalable services such as Amazon VPC, Amazon EC2, Amazon Route 53, Elastic Load Balancing, and the various VPC gateways. In this article I want to discuss one of the more interesting VPC features, Amazon VPC Lattice. In the last part I will walk through a sample scenario for deploying VPC Lattice in an AWS environment.

As you know, AWS offers several ways for the services and resources that make up a backend or frontend application to communicate with each other. Those resources can be deployed across different VPCs and accounts, using compute services such as EKS, ECS, EC2, and Lambda.

Amazon VPC Lattice is a fully managed application networking service that lets you connect, secure, and monitor the services of your application. It can be used within a single virtual private cloud (VPC) or across several VPCs in one or more accounts. This matters because a modernized application typically consists of many small and large modular services, called microservices, rather than a single monolith.

Like other AWS services, VPC Lattice is built from a few key components:

Service

An independently deployable unit of software that performs a specific task or function. A service can run on EC2 instances, in ECS containers, or as Lambda functions, within an account or a VPC. A VPC Lattice service is made up of three components:

  • Target groups: A set of resources, known as targets, that serve your application. Targets can be EC2 instances, IP addresses, Lambda functions, Application Load Balancers, or Kubernetes pods. These resemble the target groups of Elastic Load Balancing, but the two are not interchangeable.
  • Listeners: A process that checks for connection requests on a port and protocol and forwards them to the targets in a target group. A service can have up to two listeners, using the HTTP and HTTPS protocols.
  • Rules: Determine how a listener routes client requests to VPC Lattice target groups. Every listener has a default rule that applies when no other rule matches; each additional rule has a priority (a lower number is evaluated first), one or more conditions (for example path, method, or header matches), and one or more actions (for example forwarding to one or more weighted target groups, or returning a fixed response).
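
The following is an added example (not code from the article or from AWS) that shows how the three pieces fit together for one listener: a small set of rules in the shape the boto3 vpc-lattice client's create_rule() accepts, a priority-ordered matcher that picks the rule for a request, and a weighted pick between the target groups of a forward action. The target-group identifiers, paths, and header names are placeholders, and the matching logic is a simplified model written for this example, not the VPC Lattice implementation.

```python
"""Simplified model of VPC Lattice listener rules (example code, not from the article)."""
import random

# Constructed rules for one HTTPS listener, in the shape boto3's create_rule() takes.
# Target-group ids are placeholders. Lower priority numbers are evaluated first.
RULES = [
    {   # canary: 10% of GET /api/v2/* goes to the new target group
        "name": "api-v2-canary", "priority": 10,
        "match": {"httpMatch": {"method": "GET",
                                "pathMatch": {"match": {"prefix": "/api/v2"}, "caseSensitive": True}}},
        "action": {"forward": {"targetGroups": [
            {"targetGroupIdentifier": "tg-stable-0123456789abcdef0", "weight": 90},
            {"targetGroupIdentifier": "tg-canary-0123456789abcdef0", "weight": 10}]}},
    },
    {   # never expose /admin through this listener, whatever the caller sends
        "name": "block-admin", "priority": 20,
        "match": {"httpMatch": {"pathMatch": {"match": {"prefix": "/admin"}, "caseSensitive": False}}},
        "action": {"fixedResponse": {"statusCode": 404}},
    },
    {   # header-based routing for an internal caller
        "name": "internal-header", "priority": 30,
        "match": {"httpMatch": {"headerMatches": [
            {"name": "x-internal-caller", "match": {"exact": "billing"}}]}},
        "action": {"forward": {"targetGroups": [
            {"targetGroupIdentifier": "tg-internal-0123456789abcdef0", "weight": 100}]}},
    },
]
# The listener's default rule, used when nothing above matches.
DEFAULT_ACTION = {"forward": {"targetGroups": [
    {"targetGroupIdentifier": "tg-stable-0123456789abcdef0", "weight": 100}]}}


def _path_matches(path_match, path):
    spec = path_match["match"]
    if not path_match.get("caseSensitive", True):
        path, spec = path.lower(), {k: v.lower() for k, v in spec.items()}
    return path == spec["exact"] if "exact" in spec else path.startswith(spec["prefix"])


def _header_matches(header_match, headers):
    value = headers.get(header_match["name"].lower())   # header names are case-insensitive
    if value is None:
        return False
    spec = header_match["match"]
    if not header_match.get("caseSensitive", False):
        value, spec = value.lower(), {k: v.lower() for k, v in spec.items()}
    if "exact" in spec:
        return value == spec["exact"]
    if "prefix" in spec:
        return value.startswith(spec["prefix"])
    return spec["contains"] in value


def rule_matches(rule, request):
    """All conditions of a rule must hold for the rule to apply."""
    http = rule["match"]["httpMatch"]
    if "method" in http and http["method"] != request["method"]:
        return False
    if "pathMatch" in http and not _path_matches(http["pathMatch"], request["path"]):
        return False
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return all(_header_matches(h, headers) for h in http.get("headerMatches", []))


def select_rule(rules, request):
    """First matching rule in priority order; None means the default rule applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, request):
            return rule
    return None


def pick_target_group(target_groups, roll):
    """Weighted choice; roll is an integer in [0, sum of weights)."""
    total = sum(tg["weight"] for tg in target_groups)
    if not 0 <= roll < total:
        raise ValueError("roll out of range")
    for tg in target_groups:
        roll -= tg["weight"]
        if roll < 0:
            return tg["targetGroupIdentifier"]


def route(request, rules=RULES, default=DEFAULT_ACTION, rng=random):
    """Resolve a request to ('forward', target_group_id) or ('fixed-response', status)."""
    rule = select_rule(rules, request)
    action = rule["action"] if rule else default
    if "fixedResponse" in action:
        return ("fixed-response", action["fixedResponse"]["statusCode"])
    tgs = action["forward"]["targetGroups"]
    return ("forward", pick_target_group(tgs, rng.randrange(sum(tg["weight"] for tg in tgs))))


if __name__ == "__main__":
    print(route({"method": "GET", "path": "/api/v2/orders"}))
    print(route({"method": "GET", "path": "/Admin/users", "headers": {"X-Internal-Caller": "billing"}}))
```

Note that the request for /Admin/users carries the internal header, but the block-admin rule still wins because its priority number (20) is lower than the header rule's (30); rule order, not rule specificity, decides, so put deny-style fixed-response rules at a low priority number.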

Service in AWS VPC Lattice

Service Network

A logical boundary for a set of services. A client is any resource in a VPC that is associated with the service network. Clients and services on the same service network can communicate with one another, provided they have the necessary permissions.

The clients in the figure below can reach both services because their VPC and the services are associated with the same service network.

Service Network in AWS VPC Lattice

As the figure below shows, the arrows illustrate the associations between services and service networks, and likewise between VPCs and service networks. A service can be associated with several service networks, and each service network can have several VPCs associated with it. However, as the red flag symbol indicates, a VPC can be associated with only one service network at a time.

Service Directory

A central registry of all VPC Lattice services that you own or that have been shared with your account through AWS Resource Access Manager (AWS RAM).

Auth Policies

VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a given principal may access the set of services on a network or a single service. You can attach one auth policy to each service network or service whose access you want to control. Auth policies are resource-based policies and differ from IAM identity-based policies: identity-based policies are attached to IAM users, groups, or roles and specify which actions those identities may take on which resources, whereas an auth policy is attached to the service network or service itself and is evaluated on every request. To use an auth policy, the auth type of the service network or service must be set to AWS_IAM, and clients must sign their requests with Signature Version 4 so that VPC Lattice can identify the calling principal; an unsigned request is treated as anonymous and only matches a statement whose principal is "*".

Auth Policies in AWS VPC Lattice

AWS VPC Lattice Features

In this part of the article I want to discuss some of the important features of VPC Lattice.

  • Service discovery: Clients and services in VPCs associated with the service network can discover and reach the other services on the same network. VPC Lattice assigns each service a DNS name; client-to-service and service-to-service traffic resolves that name and is routed through the VPC Lattice endpoint in the client's VPC.
  • Connectivity: The VPC Lattice data plane carries client-to-service communication within the AWS network. When you associate a VPC with a service network, any client in that VPC can connect to the services on the service network, as long as it has the relevant permissions.
  • Observability: VPC Lattice generates metrics and access logs for every request and response that passes through the service network, so you can monitor and debug your applications. By default, VPC Lattice sends metrics to the service owner's account; access logging is optional and can be delivered to CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.
  • Security: VPC Lattice provides a framework for enforcing protection at several layers. The first layer is the service network association itself: a client cannot reach a service unless its VPC is associated with a service network that the service is also associated with. The second layer lets you attach security groups to the VPC-to-service-network association, so you can filter which clients in the VPC may send traffic at all. The third and fourth layers are auth policies, which can be applied independently at the service network level and at the service level; a request must be allowed at both levels. Because a request rejected by an earlier layer never reaches the later ones, design each layer to be restrictive on its own rather than relying on the others.

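The following added example (not code from the article or from AWS) illustrates the auth policies described above and the third and fourth security layers: a service network policy that only admits signed requests from principals in one organization, a service policy that admits one role, read-only, from one VPC, and a small evaluator that applies both documents to constructed requests. The account id, organization id, service and VPC identifiers, and role name are placeholders; the evaluator is a simplified model of IAM evaluation (explicit deny, then allow, else implicit deny) written for this example and is not how VPC Lattice itself evaluates requests. The apply_auth_policies function shows the real put_auth_policy call and is the only part that needs AWS credentials.

```python
"""Layered VPC Lattice auth policies with a simplified local evaluator (example code)."""
import json
from fnmatch import fnmatch

ACCOUNT = "111122223333"                       # placeholder account id
REGION = "us-west-2"
SERVICE_ARN = f"arn:aws:vpc-lattice:{REGION}:{ACCOUNT}:service/svc-0123456789abcdef0"
CLIENT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/orders-client"   # placeholder role
ORG_ID = "o-exampleorgid"                      # placeholder organization id
CLIENT_VPC = "vpc-0123456789abcdef0"           # placeholder VPC of the trusted client

# Third layer: service network policy. Only signed requests from principals in our
# organization pass; an anonymous request has no aws:PrincipalOrgID and so fails.
SERVICE_NETWORK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "vpc-lattice-svcs:Invoke",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Fourth layer: service policy. One role, read-only methods, and only from the expected VPC.
SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CLIENT_ROLE},
        "Action": "vpc-lattice-svcs:Invoke",
        "Resource": SERVICE_ARN,
        "Condition": {
            "StringEquals": {"vpc-lattice-svcs:SourceVpc": CLIENT_VPC},
            "StringLike": {"vpc-lattice-svcs:RequestMethod": ["GET", "HEAD"]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal):
    if spec == "*":                      # matches anonymous and authenticated callers alike
        return True
    return principal is not None and principal in _as_list(spec.get("AWS", []))


def _conditions_hold(conditions, ctx):
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:           # key absent from the request, e.g. no org for anonymous
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(fnmatch(actual, w) for w in _as_list(wanted)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise NotImplementedError(operator)   # keep the model honest about its limits
    return True


def evaluate_policy(policy, ctx):
    """Simplified IAM-style decision: explicit Deny wins, then Allow, else ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch("vpc-lattice-svcs:Invoke", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt["Principal"], ctx.get("principal")):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(ctx, network_policy=SERVICE_NETWORK_POLICY, service_policy=SERVICE_POLICY):
    """Both layers must allow the request; either layer can reject it on its own."""
    return (evaluate_policy(network_policy, ctx) == "Allow"
            and evaluate_policy(service_policy, ctx) == "Allow")


def signed_request(principal, org_id, method, source_vpc=CLIENT_VPC):
    """Request context VPC Lattice would derive from a SigV4-signed request (constructed)."""
    return {"resource": SERVICE_ARN, "principal": principal, "aws:PrincipalOrgID": org_id,
            "vpc-lattice-svcs:RequestMethod": method, "vpc-lattice-svcs:SourceVpc": source_vpc}


def anonymous_request(method, source_vpc=CLIENT_VPC):
    """Request context for an unsigned request: no principal, no organization (constructed)."""
    return {"resource": SERVICE_ARN, "vpc-lattice-svcs:RequestMethod": method,
            "vpc-lattice-svcs:SourceVpc": source_vpc}


def apply_auth_policies(service_network_id, service_id):
    """Attach both documents with the real API. Needs credentials; not run offline."""
    import boto3
    lattice = boto3.client("vpc-lattice", region_name=REGION)
    lattice.put_auth_policy(resourceIdentifier=service_network_id,
                            policy=json.dumps(SERVICE_NETWORK_POLICY))
    lattice.put_auth_policy(resourceIdentifier=service_id, policy=json.dumps(SERVICE_POLICY))
```

In a real cross-account deployment the caller's own identity-based policy must also allow vpc-lattice-svcs:Invoke; the model above covers only the resource side. The anonymous case is the one to check first after deploying: with the network policy above, an unsigned GET is refused even though the principal "*" matches, because the organization condition has nothing to compare against.
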
Scenario

Here is an example of accessing the VPC Lattice API through an interface endpoint (AWS PrivateLink).

As mentioned, VPC Lattice supports many deployment scenarios. One of them is creating an interface VPC endpoint to establish a private connection between your VPC and the VPC Lattice API. Interface endpoints are powered by AWS PrivateLink, which lets you call the VPC Lattice APIs without an internet gateway, NAT gateway, VPN connection, or AWS Direct Connect; instances in your VPC do not need public IP addresses to reach the APIs. Note that this endpoint carries control-plane calls (creating and managing service networks, services, and policies); application traffic to the services themselves flows through the service network association, not through this endpoint.

Accessing AWS VPC Lattice using the interface endpoint (PrivateLink)

Creating an interface VPC endpoint for VPC Lattice

You can create a VPC endpoint for the VPC Lattice service using either the Amazon VPC console or the AWS Command Line Interface (CLI); the Amazon VPC User Guide describes the procedure for creating an interface endpoint. Use the following service name, substituting your Region: com.amazonaws.region.vpc-lattice (for example, com.amazonaws.us-west-2.vpc-lattice). If you enable private DNS for the endpoint, API calls sent to the Region's default DNS name, such as vpc-lattice.us-west-2.amazonaws.com, are resolved to the endpoint and stay inside your VPC.

AWS VPC Lattice Use Cases

As mentioned above, VPC Lattice simplifies connectivity and network security on AWS. You can connect resources through a Lattice service network, including resources on premises and, with a suitable topology, across Regions. There are many use cases for VPC Lattice; I will describe some of the most important ones together with their topology.

  • Use case 1: Application connection within an AWS Region

A secure and reliable connection between applications and resources is one of the key requirements of network design. Applications can be deployed on various kinds of compute, such as EC2, Lambda, ECS, and EKS. Take a look at the figure below.

Just as VPC peering connects VPCs to one another, VPC Lattice can connect all of them. If you run different workloads in different VPCs, you can use VPC Lattice for this purpose without maintaining peering connections and routes between them, and it works even when the VPCs have overlapping CIDR ranges, which peering cannot handle.

  • Use case 2: Hybrid connection

Hybrid means connecting your on-premises environment to the AWS Cloud. You can reach your applications and workloads from your own data center over Site-to-Site VPN or Direct Connect. You can filter that traffic using security groups on the service network endpoints.

  • Use case 3: Internet-based application connection to AWS services

Every cloud security engineer knows that to reach private resources in AWS from the internet you normally deploy an internet-facing load balancer. VPC Lattice offers another way. You still use a load balancer, but unlike the classic architecture you deploy it in an ingress VPC and register a service network VPC endpoint as the load balancer's target, so the load balancer forwards internet traffic into the service network while the services themselves stay private and continue to be protected by the service network's security groups and auth policies.


Key Takeaways

In conclusion, VPC Lattice makes communication between services in an AWS environment easier, reducing complexity for developers and improving productivity. It offers a consistent way to connect services across accounts, VPCs, and compute types (instances, containers, and serverless). It lets you implement fine-grained access policies and monitor service interactions for more control. It removes the need to manage complex network configuration such as route tables and VPC peering, saving time and resources. Overall, VPC Lattice is a useful tool for building secure and scalable application architectures on AWS.

Sarvadnya Jawle

DevOps Engineer | Building Complitru.AI | I help developers achieve automation in infrastructure management, configuration management, secret management, monitoring, alerting, and automated deployments.

6 months

Hey, can we connect? I am facing an issue while configuring api-gateway-controller... I am following this documentation: https://www.eksworkshop.com/docs/networking/vpc-lattice/ Thank you for your time and consideration.

More articles by Emir Öztürk