How Refactor Spaces works - AWS Migration Hub Refactor Spaces

How Refactor Spaces works

When you start using AWS Migration Hub Refactor Spaces, you can use one or more AWS accounts. You can use a single account for testing. However, once you're ready to start refactoring, we recommend that you start with the following three accounts:

  • One account for the existing application.

  • One account for the first new microservice.

  • One account to act as the refactor environment owner, in which Refactor Spaces configures cross-account networking and routes traffic.

First, you create a Refactor Spaces environment in the account chosen as the environment owner. Then, you share the environment with the other two accounts using AWS Resource Access Manager (the Refactor Spaces console does this for you). After you share the environment with another account, Refactor Spaces automatically shares the resources that it creates within the environment with the other accounts. It does so by orchestrating AWS Identity and Access Management (IAM) resource-based policies.

The refactor environment provides unified networking across accounts by orchestrating AWS Transit Gateway, AWS Resource Access Manager, and virtual private clouds (VPCs). The refactor environment contains your existing application and new microservices. After you create a refactor environment, you create a Refactor Spaces application within the environment. The Refactor Spaces application contains services and routes, and it provides a single endpoint to expose the application to external callers.

An application supports routing to services running in containers, serverless compute, and Amazon Elastic Compute Cloud (Amazon EC2) with public or private visibility. Services within an application can have one of two endpoint types: a URL (HTTP and HTTPS) in a VPC, or an AWS Lambda function. After an application contains a service, you add a default route to direct all traffic from the application’s proxy to the service that represents the existing application. As you break out or add new capabilities in containers or serverless compute, you add new services and routes to redirect traffic to the new services.

When created, the default route defaults to an active state. You can stop sending traffic to the default route by toggling the route to the inactive state. To send the traffic to a new route, create a new route in an active state, or activate a route that is inactive.

For services with URL endpoints in a VPC, Refactor Spaces uses Transit Gateway to automatically bridge all service VPCs within the environment. This means that any AWS resources you launch in a service VPC can communicate directly with all other service VPCs added to the environment. You can apply additional cross-account routing constraints using VPC security groups. When creating routes that point to services with Lambda endpoints, Refactor Spaces orchestrates Amazon API Gateway’s Lambda integration to call the function across AWS accounts.
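Because every service VPC in the environment is bridged, a security group rule with a broad source CIDR admits traffic from every other service VPC, including those in other accounts. The following added example (not AWS code) audits ingress rules, given in the shape of the EC2 `DescribeSecurityGroups` response, against the VPCs you actually intend to allow; the VPC names, CIDRs, and group ID are constructed sample values.

```python
import ipaddress

# Constructed sample: CIDRs of service VPCs bridged into one environment (assumed values).
ENV_VPCS = {
    "legacy-app": "10.0.0.0/16",
    "cart-service": "10.1.0.0/16",
    "reports-service": "10.2.0.0/16",
}

# Constructed sample in the shape of EC2 DescribeSecurityGroups "IpPermissions".
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.2.128.0/24"}]},
    ],
}

def reachable_vpcs(cidr, env_vpcs):
    """Names of bridged VPCs whose address space overlaps the rule's source CIDR."""
    src = ipaddress.ip_network(cidr, strict=False)
    return sorted(name for name, vpc in env_vpcs.items()
                  if src.overlaps(ipaddress.ip_network(vpc)))

def audit_ingress(group, env_vpcs, allowed_sources):
    """Flag IPv4 CIDR ingress rules that admit bridged VPCs outside allowed_sources.
    Rules that reference other security groups (UserIdGroupPairs) are not evaluated."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            unexpected = [v for v in reachable_vpcs(rng["CidrIp"], env_vpcs)
                          if v not in allowed_sources]
            if unexpected:
                findings.append({"group": group["GroupId"], "cidr": rng["CidrIp"],
                                 "protocol": proto, "ports": ports,
                                 "unexpected_vpcs": unexpected})
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_GROUP, ENV_VPCS, allowed_sources={"legacy-app"}):
        print(finding)
```
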