Control traffic in VPC Lattice using security groups - Amazon VPC Lattice

Control traffic in VPC Lattice using security groups

AWS security groups act as virtual firewalls, controlling the network traffic to and from the entities that they are associated with. With VPC Lattice, you can create security groups and assign them to the VPC association that connects a VPC to a service network to enforce additional network-level security protections for your service network. If you connect a VPC to a service network using a VPC endpoint, you can assign security groups to the VPC endpoint too. Similarly you can assign security groups to resource gateways that you create to enable access to resources in your VPC.

Managed prefix list

VPC Lattice provides managed prefix lists that include the IP addresses used to route traffic over the VPC Lattice network when you connect your VPC to a service network using a VPC association. You can reference the VPC Lattice managed prefix lists in your security group rules. This allows traffic to flow from clients, through the VPC Lattice service network, to the VPC Lattice service targets.

For example, suppose that you have an EC2 instance registered as a target in the US West (Oregon) Region (us-west-2). You can add a rule to the instance security group that allows inbound HTTPS access from the VPC Lattice managed prefix list, so that the VPC Lattice traffic in this Region can reach the instance. If you remove all other inbound rules from the security group, you can prevent any traffic other than VPC Lattice traffic from reaching the instance.

The names of the managed prefix lists for VPC Lattice are as follows:

  • com.amazonaws.region.vpc-lattice

  • com.amazonaws.region.ipv6.vpc-lattice

For more information, see AWS-managed prefix lists in the Amazon VPC User Guide.

Windows clients

The addresses in the VPC Lattice prefix lists are link-local addresses and non-routable public addresses. If you connect to VPC Lattice from a Windows client, you must update the configuration of the Windows client so that it forwards the link-local addresses used by VPC Lattice to the primary IP address for the client. The following is an example command that updates the configuration of the Windows client, where 169.254.171.0 is the link-local address used by VPC Lattice.

C:\> route add 169.254.171.0 mask 255.255.255.0 primary-ip-address

A route added this way is discarded when the client reboots. To keep it across reboots, add the -p option (route -p add ...).

Security group rules

Using VPC Lattice with or without security groups will not impact your existing VPC security group configuration. However, you can add your own security groups at any time.

Key considerations
  • Security group rules for clients control outbound traffic to VPC Lattice.

  • Security group rules for targets control inbound traffic from VPC Lattice to the targets, including health check traffic.

  • Security group rules for the association between the service network and VPC control which clients can access the VPC Lattice service network.

  • Security group rules for a resource gateway control outbound traffic from the resource gateway to resources.

Recommended outbound rules for traffic flowing from a resource gateway to a database resource

For traffic to flow from a resource gateway to resources, you must create outbound rules for the open ports and accepted listener protocols of the resources.

Destination                Protocol   Port range   Comment
CIDR range for resource    TCP        3306         Allow traffic from the resource gateway to databases

Recommended inbound rules for service network and VPC associations

For traffic to flow from client VPCs to the services associated with the service network, you must create inbound rules for the listener ports and listener protocols of the services.

Source      Protocol            Port range       Comment
VPC CIDR    listener protocol   listener ports   Allow traffic from clients to VPC Lattice

Recommended outbound rules for traffic flowing from client instances to VPC Lattice

By default, security groups allow all outbound traffic. However, if you have custom outbound rules, you must allow outbound traffic to the VPC Lattice prefix list on the listener ports and protocols so that client instances can connect to all services associated with the VPC Lattice service network. You can allow this traffic by referencing the ID of the prefix list for VPC Lattice.

Destination                          Protocol            Port range       Comment
ID of the VPC Lattice prefix list    listener protocol   listener ports   Allow traffic from clients to VPC Lattice

Recommended inbound rules for traffic flowing from VPC Lattice to target instances

You can't use the client security group as the source in your target's security group rules, because the traffic that reaches the targets comes from VPC Lattice, not from the client. Reference the ID of the prefix list for VPC Lattice instead.

Source                               Protocol                Port range          Comment
ID of the VPC Lattice prefix list    target protocol         target port         Allow traffic from VPC Lattice to targets
ID of the VPC Lattice prefix list    health check protocol   health check port   Allow health check traffic from VPC Lattice to targets
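The following is an added example (not code from the VPC Lattice documentation or from AWS) that turns the target rules above, and the instance example in the managed prefix list section, into something you can run against the output of `aws ec2 describe-security-groups`. It builds the recommended inbound permissions for a target, and it audits an existing group for the three mistakes the text warns about: a rule whose source is the client security group (which never matches, because the traffic arrives from VPC Lattice), a CIDR rule that admits traffic that did not come through VPC Lattice, and a missing rule for the target or health check port. The prefix list ID pl-0123456789abcdef0, the group IDs, the account ID and the ports 443 and 8080 are constructed for the example; look up the real prefix list ID by name in your Region.

```python
"""Audit a target's security group against the VPC Lattice recommendations.

Added example, not AWS code. Operates on the SecurityGroups shape returned by
`aws ec2 describe-security-groups`; the sample group and IDs below are constructed.
"""
import json


def lattice_prefix_list_name(region, ipv6=False):
    """Name of the AWS-managed VPC Lattice prefix list for a Region."""
    family = "ipv6." if ipv6 else ""
    return f"com.amazonaws.{region}.{family}vpc-lattice"


def recommended_target_ingress(prefix_list_id, target_port, health_check_port=None):
    """IpPermissions for `aws ec2 authorize-security-group-ingress`: TCP from the
    Lattice prefix list on the target port and (if different) the health check port."""
    ports = {target_port}
    if health_check_port is not None:
        ports.add(health_check_port)
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "VPC Lattice"}],
        }
        for port in sorted(ports)
    ]


def audit_target_security_group(group, lattice_prefix_list_ids, target_port, health_check_port):
    """Return findings for one SecurityGroup dict.

    ineffective: source is another security group; traffic reaches the target
                 from VPC Lattice, so the client's group never matches.
    broad:       a CIDR rule, which admits traffic that did not come through Lattice.
    missing:     no rule from a Lattice prefix list covers the target or health check port.
    """
    findings = []
    covered = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent for "-1" (all traffic)
        span = f"{proto} {lo}-{hi}" if lo is not None else f"{proto} all ports"
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(
                f"ineffective: {span} from security group {pair['GroupId']} "
                "(traffic arrives from VPC Lattice, not from the client group)"
            )
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"broad: {span} from {cidr} admits non-Lattice traffic")
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] not in lattice_prefix_list_ids:
                continue
            for port in (target_port, health_check_port):
                if proto == "-1" or (proto == "tcp" and lo <= port <= hi):
                    covered.add(port)
    for label, port in (("target", target_port), ("health check", health_check_port)):
        if port not in covered:
            findings.append(
                f"missing: no inbound rule from a VPC Lattice prefix list on {label} port {port}"
            )
    return findings


# Constructed sample (not real data): a correct Lattice rule on 443, a rule sourced
# from the client's security group, and SSH open to the world. No health check rule.
LATTICE_PREFIX_LIST_ID = "pl-0123456789abcdef0"  # hypothetical ID
SAMPLE_GROUP = {
    "GroupId": "sg-0a1b2c3d4e5f60718",  # hypothetical ID
    "VpcId": "vpc-1a2b3c4d",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [],
         "PrefixListIds": [{"PrefixListId": LATTICE_PREFIX_LIST_ID}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0c11e4700000000aa", "UserId": "111122223333"}],
         "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(recommended_target_ingress(LATTICE_PREFIX_LIST_ID, 443, 8080), indent=2))
    for finding in audit_target_security_group(SAMPLE_GROUP, {LATTICE_PREFIX_LIST_ID}, 443, 8080):
        print(finding)
```

The permissions list from `recommended_target_ingress` can be passed directly as the `--ip-permissions` argument of `aws ec2 authorize-security-group-ingress`. The audit treats both the IPv4 and the IPv6 Lattice prefix lists as acceptable sources when you pass both IDs.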

Manage security groups for a VPC association

You can use the AWS CLI to view, add, or update security groups on the VPC to service network association. When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the --region parameter with the command.

Before you begin, confirm that you have created the security group in the VPC that you want to add to the service network. For more information, see Control traffic to your resources using security groups in the Amazon VPC User Guide.

To add a security group when you create a VPC association using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under VPC Lattice, choose Service networks.

  3. Select the name of the service network to open its details page.

  4. On the VPC associations tab, choose Create VPC associations and then choose Add VPC association.

  5. Select a VPC and up to five security groups.

  6. Choose Save changes.

To add or update security groups for an existing VPC association using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under VPC Lattice, choose Service networks.

  3. Select the name of the service network to open its details page.

  4. On the VPC associations tab, select the check box for the association and then choose Actions, Edit security groups.

  5. Add and remove security groups as needed.

  6. Choose Save changes.

To add a security group when you create a VPC association using the AWS CLI

Use the create-service-network-vpc-association command, specifying the ID of the service network, the ID of the VPC for the VPC association, and the IDs of the security groups to add.

aws vpc-lattice create-service-network-vpc-association \
    --service-network-identifier sn-0123456789abcdef0 \
    --vpc-identifier vpc-1a2b3c4d \
    --security-group-ids sg-7c2270198example

If successful, the command returns output similar to the following.

{
    "arn": "arn",
    "createdBy": "464296918874",
    "id": "snva-0123456789abcdef0",
    "status": "CREATE_IN_PROGRESS",
    "securityGroupIds": ["sg-7c2270198example"]
}

To add or update security groups for an existing VPC association using the AWS CLI

Use the update-service-network-vpc-association command, specifying the ID of the VPC association (the id returned when the association was created) and the IDs of the security groups. These security groups replace any previously associated security groups rather than being added to them, so include every group you want to keep. Specify at least one security group when updating the list.

aws vpc-lattice update-service-network-vpc-association \
    --service-network-vpc-association-identifier snva-0123456789abcdef0 \
    --security-group-ids sg-7c2270198example sg-903004f88example

Warning

You can't remove all security groups from an existing VPC association. Instead, you must first delete the VPC association and then re-create it without any security groups. Be cautious when deleting the VPC association: while it is deleted, clients in that VPC can't reach any of the services in that service network.
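As an added example (not code from the VPC Lattice documentation or from AWS), the following Python wraps the update step in the checks the CLI does not make for you: it rejects an empty list, since the update can't remove all security groups and the association would have to be deleted and re-created, and it rejects a group that is not in the association's VPC, the prerequisite stated at the start of this section. The live function assumes boto3's vpc-lattice client with its get_service_network_vpc_association and update_service_network_vpc_association methods and valid AWS credentials; the sample groups, the second VPC ID and the ID sg-0f1e2d3c4b5a69788 are constructed for the example.

```python
"""Replace the security groups on an existing VPC association, with the checks
the CLI does not make. Added example, not AWS code; sample data is constructed."""


def validate_association_security_groups(security_group_ids, described_groups, vpc_id):
    """Validate before calling UpdateServiceNetworkVpcAssociation.

    described_groups: the SecurityGroups list from `aws ec2 describe-security-groups`.
    Returns the de-duplicated list of IDs to send, in the order given.
    """
    if not security_group_ids:
        raise ValueError(
            "at least one security group is required: the update cannot remove all "
            "security groups; delete and re-create the VPC association instead"
        )
    by_id = {g["GroupId"]: g for g in described_groups}
    for sg_id in security_group_ids:
        group = by_id.get(sg_id)
        if group is None:
            raise ValueError(f"{sg_id} was not found")
        if group["VpcId"] != vpc_id:
            raise ValueError(
                f"{sg_id} is in {group['VpcId']}, not in the association's VPC {vpc_id}"
            )
    return list(dict.fromkeys(security_group_ids))


def update_vpc_association_security_groups(association_id, security_group_ids, region):
    """Live version: look up the association's VPC, validate, then update.

    Requires boto3 and AWS credentials; imported here so that validation above
    can run without them. The update replaces the previous list, it does not
    add to it. describe_security_groups itself fails on an unknown group ID.
    """
    import boto3

    lattice = boto3.client("vpc-lattice", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    association = lattice.get_service_network_vpc_association(
        serviceNetworkVpcAssociationIdentifier=association_id
    )
    groups = ec2.describe_security_groups(GroupIds=security_group_ids)["SecurityGroups"]
    ids = validate_association_security_groups(security_group_ids, groups, association["vpcId"])
    return lattice.update_service_network_vpc_association(
        serviceNetworkVpcAssociationIdentifier=association_id, securityGroupIds=ids
    )


# Constructed sample (not real data): describe-security-groups output for groups in two VPCs.
SAMPLE_GROUPS = [
    {"GroupId": "sg-7c2270198example", "VpcId": "vpc-1a2b3c4d"},
    {"GroupId": "sg-903004f88example", "VpcId": "vpc-1a2b3c4d"},
    {"GroupId": "sg-0f1e2d3c4b5a69788", "VpcId": "vpc-0f9e8d7c6b5a49382"},  # hypothetical, other VPC
]

if __name__ == "__main__":
    print(validate_association_security_groups(
        ["sg-7c2270198example", "sg-903004f88example"], SAMPLE_GROUPS, "vpc-1a2b3c4d"))
    for bad in ([], ["sg-0f1e2d3c4b5a69788"]):
        try:
            validate_association_security_groups(bad, SAMPLE_GROUPS, "vpc-1a2b3c4d")
        except ValueError as err:
            print("rejected:", err)
```

Run the validation against the groups you intend to keep as well as the ones you are adding, since whatever list you pass becomes the association's complete set of security groups.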