Control traffic in VPC Lattice using security groups
AWS security groups act as virtual firewalls, controlling the network traffic to and from the entities that they are associated with. With VPC Lattice, you can create security groups and assign them to the VPC association that connects a VPC to a service network, to enforce additional network-level security protections for your service network. If you connect a VPC to a service network using a VPC endpoint, you can assign security groups to the VPC endpoint too. Similarly, you can assign security groups to the resource gateways that you create to enable access to resources in your VPC.
Managed prefix list
VPC Lattice provides managed prefix lists that include the IP addresses used to route traffic over the VPC Lattice network when you connect your VPC to a service network using a VPC association. You can reference the VPC Lattice managed prefix lists in your security group rules. This allows traffic to flow from clients, through the VPC Lattice service network, and to the VPC Lattice service targets.
For example, suppose that you have an EC2 instance registered as a target in the US West (Oregon) Region (us-west-2). You can add a rule to the instance security group that allows inbound HTTPS access from the VPC Lattice managed prefix list, so that the VPC Lattice traffic in this Region can reach the instance. If you remove all other inbound rules from the security group, you can prevent any traffic other than VPC Lattice traffic from reaching the instance.
The names of the managed prefix lists for VPC Lattice are as follows, where region is the Region code (for example, us-west-2):
- com.amazonaws.region.vpc-lattice
- com.amazonaws.region.ipv6.vpc-lattice
For more information, see AWS-managed prefix lists in the Amazon VPC User Guide.
Windows clients
The addresses in the VPC Lattice prefix lists are link-local addresses and non-routable public addresses. If you connect to VPC Lattice from a Windows client, you must update the configuration of the Windows client so that it forwards the link-local addresses used by VPC Lattice to the primary IP address for the client. The following is an example command that updates the configuration of the Windows client, where 169.254.171.0 is the link-local address used by VPC Lattice.
```
C:\> route add 169.254.171.0 mask 255.255.255.0 primary-ip-address
```
Security group rules
Using VPC Lattice with or without security groups will not impact your existing VPC security group configuration. However, you can add your own security groups at any time.
Key considerations
- Security group rules for clients control outbound traffic to VPC Lattice.
- Security group rules for targets control inbound traffic from VPC Lattice to the targets, including health check traffic.
- Security group rules for the association between the service network and the VPC control which clients can access the VPC Lattice service network.
- Security group rules for resource gateways control outbound traffic from the resource gateway to resources.
Recommended outbound rules for traffic flowing from a resource gateway to a database resource
For traffic to flow from a resource gateway to resources, you must create outbound rules for the open ports and accepted listener protocols for the resources.
| Destination | Protocol | Port range | Comment |
|---|---|---|---|
| CIDR range for resource | TCP | 3306 | Allow traffic from resource gateway to databases |
Recommended inbound rules for service network and VPC associations
For traffic to flow from client VPCs to the services associated with the service network, you must create inbound rules for the listener ports and listener protocols for the services.
| Source | Protocol | Port range | Comment |
|---|---|---|---|
| VPC CIDR | listener protocol | listener port | Allow traffic from clients to VPC Lattice |
Recommended outbound rules for traffic flowing from client instances to VPC Lattice
By default, security groups allow all outbound traffic. However, if you have custom outbound rules, you must allow outbound traffic to the VPC Lattice prefix list for the listener ports and protocols so that client instances can connect to all services associated with the VPC Lattice service network. You can allow this traffic by referencing the ID of the prefix list for VPC Lattice.
| Destination | Protocol | Port range | Comment |
|---|---|---|---|
| ID of the VPC Lattice prefix list | listener protocol | listener port | Allow traffic from clients to VPC Lattice |
Recommended inbound rules for traffic flowing from VPC Lattice to target instances
You can't use the client security group as a source for your target's security groups, because the traffic arrives at the target from VPC Lattice rather than directly from the client. You can reference the ID of the prefix list for VPC Lattice instead.
| Source | Protocol | Port range | Comment |
|---|---|---|---|
| ID of the VPC Lattice prefix list | target protocol | target port | Allow traffic from VPC Lattice to targets |
| ID of the VPC Lattice prefix list | health check protocol | health check port | Allow health check traffic from VPC Lattice to targets |
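The following is an added example, not code from the AWS documentation. It builds the EC2 `IpPermissions` structures that the recommended client egress and target ingress rules above describe (TCP on a single port, sourced from or destined to the VPC Lattice managed prefix list), and audits an existing target rule set to report which required ports are not reachable from the prefix list and which rules still admit other sources, the rules the worked example earlier on this page removes so that only VPC Lattice traffic reaches the instance. The prefix list ID, ports and sample rules are constructed placeholders; the rule dictionaries use the same shape that `authorize-security-group-ingress` and `authorize-security-group-egress` accept.

```python
"""Build and audit security group rules for VPC Lattice traffic.

Added example (not from the AWS documentation). All IDs and ports are
constructed placeholders.
"""
from __future__ import annotations

# Constructed placeholder. Look the real ID up with:
#   aws ec2 describe-managed-prefix-lists \
#       --filters Name=prefix-list-name,Values=com.amazonaws.<region>.vpc-lattice
LATTICE_PL_ID = "pl-0example00lattice"


def lattice_permission(prefix_list_id: str, port: int, description: str) -> dict:
    """One IpPermission entry matching TCP on a single port to/from the
    VPC Lattice prefix list (the shape EC2 authorize-security-group-* accepts)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": description}],
    }


def target_ingress_rules(prefix_list_id: str, target_port: int, health_check_port: int) -> list[dict]:
    """Recommended inbound rules for a target security group: VPC Lattice
    traffic on the target port and on the health check port."""
    rules = [lattice_permission(prefix_list_id, target_port, "Allow traffic from VPC Lattice to targets")]
    if health_check_port != target_port:
        rules.append(lattice_permission(prefix_list_id, health_check_port,
                                        "Allow health check traffic from VPC Lattice to targets"))
    return rules


def client_egress_rules(prefix_list_id: str, listener_ports: list[int]) -> list[dict]:
    """Recommended outbound rules for a client security group that has custom egress."""
    return [lattice_permission(prefix_list_id, p, "Allow traffic from clients to VPC Lattice")
            for p in listener_ports]


def _covers_port(perm: dict, port: int) -> bool:
    """True if the permission admits TCP traffic on the given port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_target_ingress(ip_permissions: list[dict], prefix_list_id: str, required_ports: list[int]) -> dict:
    """Check an existing inbound rule set (as returned by describe-security-groups).

    Returns the required ports that are not reachable from the VPC Lattice prefix
    list, and every rule that admits traffic from any other source (CIDR ranges,
    other security groups, other prefix lists)."""
    from_lattice = {port: False for port in required_ports}
    other_sources = []
    for perm in ip_permissions:
        pl_ids = {p["PrefixListId"] for p in perm.get("PrefixListIds", [])}
        if prefix_list_id in pl_ids:
            for port in required_ports:
                if _covers_port(perm, port):
                    from_lattice[port] = True
        if (perm.get("IpRanges") or perm.get("Ipv6Ranges")
                or perm.get("UserIdGroupPairs") or pl_ids - {prefix_list_id}):
            other_sources.append(perm)
    return {"missing_ports": [p for p, ok in from_lattice.items() if not ok],
            "other_sources": other_sources}


# Constructed sample of a target security group's inbound rules: HTTPS from the
# VPC Lattice prefix list, plus an SSH rule from a VPC CIDR that the audit flags.
SAMPLE_INGRESS = [
    lattice_permission(LATTICE_PL_ID, 443, "Allow traffic from VPC Lattice to targets"),
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    result = audit_target_ingress(SAMPLE_INGRESS, LATTICE_PL_ID, [443, 8080])
    print("required ports not reachable from VPC Lattice:", result["missing_ports"])
    print("rules admitting other sources:", len(result["other_sources"]))
```

The lists returned by `target_ingress_rules` and `client_egress_rules` can be passed unchanged as the `IpPermissions` argument of the EC2 `authorize_security_group_ingress` and `authorize_security_group_egress` calls in boto3 (or as the `--ip-permissions` JSON of the matching AWS CLI commands); the audit function takes the `IpPermissions` list from `describe-security-groups` for the target's group.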
Manage security groups for a VPC association
You can use the AWS CLI to view, add, or update security groups on the VPC to service network association. When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the --region parameter with the command.
Before you begin, confirm that you have created the security group in the same VPC as the VPC you want to add to the service network. For more information, see Control traffic to your resources using security groups in the Amazon VPC User Guide.
To add a security group when you create a VPC association using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under VPC Lattice, choose Service networks.
3. Select the name of the service network to open its details page.
4. On the VPC associations tab, choose Create VPC associations and then choose Add VPC association.
5. Select a VPC and up to five security groups.
6. Choose Save changes.
To add or update security groups for an existing VPC association using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under VPC Lattice, choose Service networks.
3. Select the name of the service network to open its details page.
4. On the VPC associations tab, select the check box for the association and then choose Actions, Edit security groups.
5. Add and remove security groups as needed.
6. Choose Save changes.
To add a security group when you create a VPC association using the AWS CLI
Use the create-service-network-vpc-association command, specifying the ID of the service network, the ID of the VPC for the VPC association, and the IDs of the security groups to add.
```
aws vpc-lattice create-service-network-vpc-association \
    --service-network-identifier sn-0123456789abcdef0 \
    --vpc-identifier vpc-1a2b3c4d \
    --security-group-ids sg-7c2270198example
```
If successful, the command returns output similar to the following.
```
{
    "arn": "arn",
    "createdBy": "464296918874",
    "id": "snva-0123456789abcdef0",
    "status": "CREATE_IN_PROGRESS",
    "securityGroupIds": ["sg-7c2270198example"]
}
```
To add or update security groups for an existing VPC association using the AWS CLI
Use the update-service-network-vpc-association command, specifying the ID of the service network and the IDs of the security groups. These security groups override any previously associated security groups. Define at least one security group when updating the list.
```
aws vpc-lattice update-service-network-vpc-association \
    --service-network-vpc-association-identifier sn-903004f88example \
    --security-group-ids sg-7c2270198example sg-903004f88example
```
Warning
You can't remove all security groups. Instead, you must first delete the VPC association, and then re-create the VPC association without any security groups. Be cautious when deleting the VPC association, because doing so prevents traffic from reaching the services that are in that service network.