How VPC Lattice works - Amazon VPC Lattice

How VPC Lattice works

VPC Lattice is designed to help you easily and effectively discover, secure, connect, and monitor all of the services within it. Each component within VPC Lattice communicates unidirectionally or bi-directionally within the service network based on its association with the service network and its access settings. Access settings are comprised of authentication and authorization policies required for this communication.

The following summary describes communication between components within VPC Lattice:

  • Services that are associated with the service network can receive requests from clients whose VPCs are also associated with the service network.

  • A client can send requests to services associated with a service network only if it's in a VPC that's associated with the same service network. Client traffic that traverses a VPC peering connection or a transit gateway is denied.

  • A client can't send requests to clients in other VPCs associated with the service network.

  • Targets of services in VPCs that are associated with the service network are also clients and can send requests to other services associated with the service network.

  • Targets of services in VPCs that aren't associated with the service network aren't clients and can't send requests to other services associated with the service network.

The following flow diagram uses an example scenario to explain the flow of information and direction of communication between the components within VPC Lattice. There are two services associated with a service network. Both services and all three VPCs were created in the same account as the service network. Both services are configured to allow traffic from the service network.


    VPC Service Network flow

Service 1 is a billing application running on a group of instances registered with target group 1 in VPC 1. Service 2 is a payment application running on a group of instances registered with target group 2 in VPC 2. VPC 3 is in the same account, and it has clients but no services.

The following list describes, in order, the typical workflow of tasks for VPC Lattice.

  1. Create a service network

    The service network owner creates the service network.

  2. Create a service

    The service owners create their respective services, service 1 and service 2. During creation, the service owner adds listeners and defines rules for routing requests to the target group for each service.

  3. Define routing

    The service owners create the target group for each service (target group 1 and target group 2). They do this by specifying the targeted resources on which the services run; for example, instances. They also specify the VPCs in which these targets reside.

    In the preceding diagram, the dotted arrows that point to the target groups from the services represent traffic flowing from each service to its respective target group. The dotted arrows represent the direction of communication between the service and the target group.

  4. Associate services with the service network

    The service network owner or the service owner associates the services with the service network. The associations are shown as arrows with check marks pointing to the service network from the service. When you associate a service with a service network, that service becomes discoverable to other services and clients in the VPCs that are associated with the service network.

    The bi-directional dotted arrows between the service and the service network represent the two-way communication as a result of the association. The dotted arrows from the service network to the services represent services receiving requests from clients. The dotted arrows in the opposite direction, that is from the services to the service network, represent services responding to client requests through the service network.

  5. Associate VPCs with the service network

    The service network owner associates VPC 1 and VPC 3 with the service network. The associations are shown arrows with check marks pointed to the service network. With these associations, the targets in these VPCs become clients, and can make requests to the associated services. The bi-directional dotted arrow between VPC 3 and the service network represents two-way communication between the clients (for example, instances) in VPC 3 and the service network as a result of the association. Similarly, the dotted arrow pointing from target group 1 to the service network represents clients making requests to other services associated with the service network.

    Notice that VPC 2 does not have an arrow or a check mark that represents an association. This means that the service network owner or the service owner hasn't associated VPC 2 with the service network. This is because service 2, in this example, only needs to receive requests and send responses using the same request. In other words, the targets for service 2 aren't clients and don't need to make requests to other services in the service network.