Service networks in VPC Lattice - Amazon VPC Lattice

A service network is a logical boundary for a collection of services. Services associated with the network can be authorized for discovery, connectivity, accessibility, and observability. To make requests to services in the network, your service or client must be in a VPC that is associated with the service network.

The following diagram shows the key components of a typical service network within Amazon VPC Lattice. Check marks on the arrows indicate that the services and the VPC are associated with the service network. Clients in the VPC associated with the service network can communicate with both services through the service network.

[Figure: A service network with two services.]

You can associate one or more services with multiple service networks. You can also associate multiple VPCs with one service network. However, each VPC can be associated with only one service network.

In the following diagram, the arrows represent the associations between services and service networks, as well as the associations between VPCs and service networks. Multiple services are associated with multiple service networks, and multiple VPCs are associated with each service network. However, the red X in the diagram shows that each VPC can have no more than one association with a service network.

[Figure: A service network with associated services and VPCs.]

For more information, see Quotas for Amazon VPC Lattice.

Create a service network

Use the console to create a service network and optionally configure it with services, associations, access settings, and access logs.

To create a service network using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under VPC Lattice, choose Service networks.

  3. Choose Create service network.

  4. For Identifiers, enter a name, an optional description, and optional tags. The name must be between 3 and 63 characters. You can use lowercase letters, numbers, and hyphens. The name must begin and end with a letter or number. Do not use consecutive hyphens. The description can have up to 256 characters. To add a tag, choose Add new tag and specify a tag key and tag value.

  5. (Optional) To associate a service, choose the service from Service associations, Services. The list includes services that are in your account and any services that are shared with you from a different account. If there aren't any services in the list, you can create a service by choosing Create a VPC Lattice service.

    Alternatively, to associate a service after you've created the service network, see Manage service associations.

  6. (Optional) To associate a VPC, choose Add VPC association. Select the VPC to associate from VPC, and select up to five security groups from Security groups. To create a security group, choose Create new security group.

    Alternatively, to associate VPCs after you've created the service network, see Manage VPC associations.

  7. For Network access, leave the default auth type, None, if every client in an associated VPC should be able to reach the services in this service network without an auth policy being evaluated. To apply an auth policy that controls access to your services, choose AWS IAM and do one of the following for Auth policy:

    • Enter a policy in the input field. For example policies that you can copy and paste, choose Policy examples.

    • Choose Apply policy template and select the Allow authenticated and unauthenticated access template. This template allows a client from another account to access the service either by signing the request (meaning authenticated) or anonymously (meaning unauthenticated).

    • Choose Apply policy template and select the Allow only authenticated access template. This template allows a client from another account to access the service only by signing the request (meaning authenticated).

  8. (Optional) To turn on access logs, select the Access logs toggle switch and specify a destination for your access logs as follows:

    • Select CloudWatch Log group and choose a CloudWatch Log group. To create a log group, choose Create a log group in CloudWatch.

    • Select S3 bucket and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose Browse S3.

    • Select Kinesis Data Firehose delivery stream and choose a delivery stream. To create a delivery stream, choose Create a delivery stream in Kinesis.

  9. (Optional) To share your service network with other accounts, choose the AWS RAM resource shares from Resource shares. To create a resource share, choose Create a resource share in the RAM console.

  10. Review your configuration in the Summary section, and then choose Create service network.

To create a service network using the AWS CLI

Use the create-service-network command. This command creates only the basic service network. To create a fully functional service network, you must also use the commands that create service associations, VPC associations, and access settings.

Delete a service network

Before you can delete a service network, you must first delete all associations that the service network might have with any service or VPC. When you delete a service network, we also delete all resources related to the service network, such as the resource policy, auth policy, and access log subscriptions.

To delete a service network using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under VPC Lattice, choose Service networks.

  3. Select the check box for the service network, and then choose Actions, Delete service network.

  4. When prompted for confirmation, enter confirm, and then choose Delete.

To delete a service network using the AWS CLI

Use the delete-service-network command.