What is AWS VPC Lattice?

A network is a means of communication between devices. AWS Networking helps you build fast, dependable, and secure networks, and AWS provides a variety of on-demand, highly available, and highly scalable cloud services. An AWS network is built from several AWS services, such as Amazon VPC, Amazon EC2, Amazon Route 53, Load Balancers, Amazon Gateway, and others. In this article, I want to discuss one of the more interesting VPC features, AWS VPC Lattice.

As you know, AWS provides different ways for the services and resources behind your backend or frontend applications to communicate with each other. These resources may be deployed in different VPCs and accounts, using services such as EKS, ECS, and so on.

Amazon VPC Lattice is a fully managed application networking service that allows you to connect, secure, and monitor the services of your application. VPC Lattice can be used within a single virtual private cloud (VPC) or across several VPCs belonging to one or more accounts. Every application built with a modernized design consists of multiple small and large modular services, called microservices.

Like other AWS features and services, VPC Lattice is built from a few key components:

Service

An independently deployable unit of software that performs a specified task or function. A service can be deployed on EC2 instances or ECS containers, or as Lambda functions within an account or a virtual private cloud (VPC). A VPC Lattice service is made up of three components:

  • Target Groups: A set of resources, also known as targets, that power your application or service. Targets include EC2 instances, IP addresses, Lambda functions, Application Load Balancers, and Kubernetes pods. These are similar to the target groups available through Elastic Load Balancing; however, they are not interchangeable.
  • Listeners: A process that checks for connection requests and forwards them to targets in a target group. A service can support up to two listeners, one for HTTP and one for HTTPS.
  • Rules: The component of a listener that forwards requests to VPC Lattice target groups. Each rule consists of a priority, one or more actions, and one or more conditions; together, the rules specify how the listener routes client requests.

Service in AWS VPC Lattice

Service Network

A logical boundary for a set of services. A client is any resource deployed in a VPC that is associated with the service network. Clients and services on the same service network can communicate with one another if they have the required permissions.

In the figure below, the clients can communicate with both services because their VPC and the services are associated with the same service network.

Service Network in AWS VPC Lattice

In the diagram below, the arrows illustrate the associations between services and service networks, and likewise between VPCs and service networks. Several services are associated with multiple service networks, and each service network has multiple VPCs associated with it. The red flag symbol, however, indicates that a given VPC can be associated with only one service network.

Service Directory

A central registry of all VPC Lattice services you own or share with your account through AWS Resource Access Manager (AWS RAM).

Auth Policies

VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a specific principal has access to a group of services or to a single service. You can apply one auth policy to each service network or service whose access you want to control. Auth policies differ from IAM identity-based policies: identity-based policies apply to IAM users, groups, or roles and specify which actions those identities can take on which resources.

Auth Policies in AWS VPC Lattice
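The following is an added example, not code from the article or from AWS: a weak auth policy beside a hardened one, plus a small evaluator that models how such policies are decided (explicit Deny beats Allow, anything unmatched is an implicit deny). The policy documents use the real action name vpc-lattice-svcs:Invoke and the real condition keys vpc-lattice-svcs:SourceVpc and vpc-lattice-svcs:RequestMethod; the evaluator is a deliberately simplified model of IAM evaluation, and every ARN, VPC id and account id in it is a constructed placeholder.

```python
"""Toy evaluator for VPC Lattice auth policies (added example, not the article's code).

Policies keep the real document shape (Effect/Principal/Action/Resource/Condition).
The evaluation logic is a simplified IAM model: explicit Deny wins, then Allow,
otherwise implicit deny. Only StringEquals / StringEqualsIgnoreCase and exact or
"*" matching are modelled. All identifiers below are constructed placeholders.
"""
from fnmatch import fnmatchcase
import json

SERVICE_ARN = "arn:aws:vpc-lattice:us-west-2:111122223333:service/svc-0123456789abcdef0"
ORDERS_ROLE = "arn:aws:iam::444455556666:role/orders-frontend"
TRUSTED_VPC = "vpc-0aaa111bbb222ccc3"

# Weak: any caller in any VPC associated with the service network may invoke
# any service, including unsigned (anonymous) requests, with any HTTP method.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "vpc-lattice-svcs:Invoke", "Resource": "*"}],
}

# Hardened: one IAM role, one source VPC, GET only, one service, and anonymous
# calls explicitly denied. Note that the service or service network must use
# auth type AWS_IAM for an auth policy to be evaluated at all.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ORDERS_ROLE},
         "Action": "vpc-lattice-svcs:Invoke", "Resource": SERVICE_ARN,
         "Condition": {"StringEquals": {"vpc-lattice-svcs:SourceVpc": TRUSTED_VPC,
                                        "vpc-lattice-svcs:RequestMethod": "GET"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"aws:PrincipalType": "anonymous"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, request):
    if principal == "*":
        return True  # "*" also matches unauthenticated callers
    if request["principal"] is None:
        return False  # an anonymous caller never matches a named principal
    return request["principal"] in _as_list(principal.get("AWS", []))


def _condition_matches(condition, request):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringEqualsIgnoreCase":
                ok = actual is not None and actual.lower() in [e.lower() for e in expected]
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return 'Allow' or 'Deny' for a request context (simplified IAM logic)."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request):
            continue
        if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any Allow
        decision = "Allow"
    return decision


def request_context(principal, vpc, method):
    """Constructed request context, shaped like what the policy sees at evaluation time."""
    return {"principal": principal,
            "aws:PrincipalType": "anonymous" if principal is None else "AssumedRole",
            "action": "vpc-lattice-svcs:Invoke", "resource": SERVICE_ARN,
            "vpc-lattice-svcs:SourceVpc": vpc, "vpc-lattice-svcs:RequestMethod": method}


if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    cases = [("signed GET, trusted VPC", request_context(ORDERS_ROLE, TRUSTED_VPC, "GET")),
             ("unsigned GET, trusted VPC", request_context(None, TRUSTED_VPC, "GET")),
             ("signed DELETE, trusted VPC", request_context(ORDERS_ROLE, TRUSTED_VPC, "DELETE")),
             ("signed GET, other VPC", request_context(ORDERS_ROLE, "vpc-0ddd444eee555fff6", "GET"))]
    for label, req in cases:
        print(f"{label:28s} weak={evaluate(WEAK_POLICY, req)}  hardened={evaluate(HARDENED_POLICY, req)}")
```

Running it shows the weak policy answering Allow for all four constructed requests, while the hardened one allows only the signed GET from the trusted VPC. The same document would be attached with the VPC Lattice PutAuthPolicy API (in the AWS CLI, aws vpc-lattice put-auth-policy), once the target service or service network has auth type AWS_IAM.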

Scenario

Here is an example of accessing AWS VPC Lattice through an interface endpoint (PrivateLink).

As I mentioned, VPC Lattice supports many deployment scenarios built on its own features. One of them is creating an interface VPC endpoint to establish a private connection between a VPC you own and the Amazon VPC Lattice API. Interface endpoints are powered by AWS PrivateLink, a technology that lets you call the VPC Lattice APIs without an internet gateway, NAT gateway, VPN connection, or AWS Direct Connect. Instances in your VPC do not need public IP addresses to communicate with the VPC Lattice APIs.

Accessing AWS VPC Lattice using the interface endpoint (PrivateLink)

Creating an interface VPC endpoint for VPC Lattice

You can create a VPC endpoint for the VPC Lattice service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI); the Amazon VPC User Guide provides more information on creating an interface endpoint. Create a VPC endpoint for VPC Lattice with the following service name: com.amazonaws.region.vpc-lattice (replace region with the name of your Region). If you enable private DNS for the endpoint, you can send API calls to VPC Lattice using the Region's default DNS name, such as vpc-lattice.us-west-2.amazonaws.com.
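As an added example (not code from the article or from AWS), the script below wraps the two real boto3 EC2 calls involved, create_vpc_endpoint and describe_vpc_endpoints-style descriptions, derives the service name and the Regional API hostname from the Region as described above, and then checks the returned endpoint description for the settings that matter (interface type, correct service name, private DNS on, a security group attached). The VPC, subnet and security-group ids are constructed placeholders, and the FakeEC2 class is a stand-in client so the logic runs offline; pass --live to use a real boto3 client.

```python
"""Create and sanity-check an interface endpoint for the VPC Lattice API.

Added example, not from the article. Uses the real boto3 EC2 API names
create_vpc_endpoint and the VpcEndpoint description fields; all resource ids
are constructed placeholders.
"""
import re

# Loose sanity check on Region names such as us-west-2 or us-gov-west-1 (assumption).
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def lattice_endpoint_service_name(region):
    """Service name the endpoint targets: com.amazonaws.<region>.vpc-lattice."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a Region name: {region!r}")
    return f"com.amazonaws.{region}.vpc-lattice"


def lattice_api_dns_name(region):
    """Regional API hostname that private DNS resolves to the endpoint's ENIs."""
    return f"vpc-lattice.{region}.amazonaws.com"


def create_lattice_endpoint(ec2, region, vpc_id, subnet_ids, security_group_ids):
    """Create the interface endpoint with private DNS enabled.

    `ec2` is a boto3 EC2 client (or a compatible fake); returns the VpcEndpoint
    description from the response.
    """
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=lattice_endpoint_service_name(region),
        SubnetIds=subnet_ids,
        SecurityGroupIds=security_group_ids,  # restricts which clients reach the API
        PrivateDnsEnabled=True,               # lets clients keep the default DNS name
    )
    return resp["VpcEndpoint"]


def endpoint_check(desc, region):
    """Return a list of findings for an endpoint description; empty means OK."""
    findings = []
    if desc.get("VpcEndpointType") != "Interface":
        findings.append("not an interface endpoint")
    if desc.get("ServiceName") != lattice_endpoint_service_name(region):
        findings.append("service name does not match the VPC Lattice service")
    if not desc.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: callers must use endpoint-specific DNS names")
    if not desc.get("Groups"):
        findings.append("no security group attached to the endpoint")
    if desc.get("State") not in ("pending", "pendingAcceptance", "available"):
        findings.append(f"unexpected endpoint state {desc.get('State')!r}")
    return findings


class FakeEC2:
    """Offline stand-in for boto3.client('ec2'), returning the fields we inspect."""

    def create_vpc_endpoint(self, **kw):
        return {"VpcEndpoint": {
            "VpcEndpointId": "vpce-0123456789abcdef0",  # constructed id
            "VpcEndpointType": kw["VpcEndpointType"],
            "VpcId": kw["VpcId"],
            "ServiceName": kw["ServiceName"],
            "State": "pending",
            "PrivateDnsEnabled": kw["PrivateDnsEnabled"],
            "Groups": [{"GroupId": g} for g in kw["SecurityGroupIds"]],
            "SubnetIds": kw["SubnetIds"],
        }}


if __name__ == "__main__":
    import sys
    region = "us-west-2"
    if "--live" in sys.argv:
        import boto3  # only needed for a real call
        ec2 = boto3.client("ec2", region_name=region)
    else:
        ec2 = FakeEC2()
    ep = create_lattice_endpoint(ec2, region, "vpc-0aaa111bbb222ccc3",
                                 ["subnet-0111aaaa2222bbbb3"], ["sg-0ccc333ddd444eee5"])
    print(ep["VpcEndpointId"], ep["State"], "->", lattice_api_dns_name(region))
    print("findings:", endpoint_check(ep, region) or "none")
```

The endpoint_check function is the part worth keeping around: run it against the output of describe_vpc_endpoints after the endpoint becomes available, and it flags the two settings that most often get missed, private DNS being off (clients then fail to resolve the default API name) and an endpoint created without a security group.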

AWS VPC Lattice Features

In the final part of this article, I want to discuss some of the important features of AWS VPC Lattice.

Service discovery: Clients and services in VPCs associated with the service network can communicate with other services on the same network. DNS routes client-to-service and service-to-service traffic through the VPC Lattice endpoint. When a client sends a request to a service, it addresses the service by its DNS name; the Route 53 Resolver directs the traffic to VPC Lattice, which determines the destination service.

Connectivity: The VPC Lattice data plane enables client-to-service communication within the AWS network architecture. When you link a VPC to a service network, any client within the VPC can connect to services in the service network as long as they have the relevant permissions.

Observability: VPC Lattice generates metrics and logs for every request and response that passes through the service network, which lets you monitor and debug applications. By default, VPC Lattice sends metrics to the service owner's account and offers the option to enable logging. If the clients are also members of the same service network, the network owner receives logs for all services associated with it. The service owner receives logs from all clients that call their services.

Security: VPC Lattice provides a framework for enforcing a protection strategy across several network layers. The first layer is the association between the VPC and the service network: clients cannot reach a service unless their VPC is associated with it. The second layer lets you attach security groups to the VPC-to-service-network association. The third and fourth layers are auth policies, which can be applied independently at the service network level and at the service level.

Key Takeaways

In conclusion, as I mentioned above, VPC Lattice makes communication between services in the AWS environment easier, reducing complexity for developers and enhancing productivity. It offers a consistent way to connect services across accounts, VPCs, and compute types (instances, containers, serverless). VPC Lattice allows you to implement fine-grained security policies and monitor service interactions to get more control. It eliminates the need to manage sophisticated network configurations like routing tables and VPC peering, saving time and resources. Overall, VPC Lattice is a useful tool for developing secure and scalable application architectures on AWS.


Sarvadnya Jawle

DevOps | Automation deployment specialist | CNCF Contributor | I help developers achieve seamless automated deployment through Docker, Kubernetes, AWS, Azure, Terraform, Ansible, CI/CD, and Blogger.

2 months

Hey, can we connect? I am facing an issue while configuring api-gateway-controller... I am following this documentation: https://www.eksworkshop.com/docs/networking/vpc-lattice/ Thank you for your time and consideration.
