
What is Amazon VPC Lattice?

Amazon VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor the services for your application. You can use VPC Lattice with a single virtual private cloud (VPC) or across multiple VPCs from one or more accounts.

Modern applications can consist of multiple small and modular services, which are often called microservices. While modernization has its advantages, it can also introduce networking complexities and challenges when you connect these microservices. For example, if the developers are spread across different teams, they might build and deploy microservices across multiple accounts or VPCs.

In VPC Lattice, we refer to a microservice as a service. This is the wording that you see in the VPC Lattice documentation.

Key components

To use Amazon VPC Lattice, you should be familiar with its key components.

Service

An independently deployable unit of software that delivers a specific task or function. A service can run on EC2 instances or ECS containers, or as Lambda functions, within an account or a virtual private cloud (VPC). A VPC Lattice service has the following components: target groups, listeners, and rules.

A service with a listener and two target groups.
Target group

A collection of resources, also known as targets, that run your application or service. Targets can be EC2 instances, IP addresses, Lambda functions, Application Load Balancers, or Kubernetes Pods. These are similar to the target groups provided by Elastic Load Balancing, but they are not interchangeable.

Listener

A process that checks for connection requests, and routes them to targets in a target group. You configure a listener with a protocol and a port number.

Rule

A default component of a listener that forwards requests to the targets in a VPC Lattice target group. Each rule consists of a priority, one or more actions, and one or more conditions. Rules determine how the listener routes client requests.
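
The following is an added illustration of how a listener works through its rules; it is not VPC Lattice code. Each rule carries a priority, one or more conditions (path prefix or exact path, HTTP method, header) and an action (forward to weighted target groups, or a fixed response). Rules are tried in priority order, lowest number first, and the first rule whose conditions all hold decides the action; if none match, the listener's default action applies. Target group names, paths and the header name are constructed for the example.

```python
"""Simplified model of how a VPC Lattice listener applies its rules.

Added illustration, not VPC Lattice code. Target group names, paths and the
canary header below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    priority: int
    action: dict                              # {"forward": {tg_name: weight}} or {"fixed-response": code}
    path_prefix: Optional[str] = None
    path_exact: Optional[str] = None
    method: Optional[str] = None
    header: Optional[Tuple[str, str]] = None  # (name, value); header names compared case-insensitively

    def matches(self, req: Request) -> bool:
        # Every configured condition must hold; unset conditions are ignored.
        if self.path_exact is not None and req.path != self.path_exact:
            return False
        if self.path_prefix is not None and not req.path.startswith(self.path_prefix):
            return False
        if self.method is not None and req.method.upper() != self.method:
            return False
        if self.header is not None:
            name, expected = self.header
            actual = {k.lower(): v for k, v in req.headers.items()}.get(name.lower())
            if actual != expected:
                return False
        return True


@dataclass
class Listener:
    protocol: str
    port: int
    default_action: dict
    rules: List[Rule]

    def route(self, req: Request) -> dict:
        # Priorities order the rules, so two rules may not share one.
        priorities = [r.priority for r in self.rules]
        if len(priorities) != len(set(priorities)):
            raise ValueError("listener rule priorities must be unique")
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(req):
                return rule.action
        return self.default_action


def build_listener() -> Listener:
    """An HTTPS:443 listener with three rules and a default forward action."""
    return Listener(
        protocol="HTTPS",
        port=443,
        default_action={"forward": {"orders-v1": 100}},
        rules=[
            # Highest priority: reject destructive calls on the admin path outright.
            Rule(priority=10, method="DELETE", path_prefix="/admin",
                 action={"fixed-response": 403}),
            # A canary header steers a caller to the new version only.
            Rule(priority=20, path_prefix="/orders", header=("x-canary", "true"),
                 action={"forward": {"orders-v2": 100}}),
            # Everyone else on /orders gets a 10/90 weighted split.
            Rule(priority=30, path_prefix="/orders",
                 action={"forward": {"orders-v2": 10, "orders-v1": 90}}),
        ],
    )


if __name__ == "__main__":
    listener = build_listener()
    for req in (Request("GET", "/orders/42", {"X-Canary": "true"}),
                Request("GET", "/orders/42"),
                Request("DELETE", "/admin/users/7"),
                Request("GET", "/health")):
        print(req.method, req.path, "->", listener.route(req))
```

The point to notice is that the method-based rule sits at the highest priority: a request that satisfies several rules is handled by the lowest-numbered one, so a restrictive rule placed at a low priority number cannot be shadowed by a broader forward rule below it.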

Service network

A logical boundary for a collection of services. A client is any resource deployed in a VPC that is associated with the service network. Clients and services that are associated with the same service network can communicate with each other if they are authorized to do so.

In the following figure, the clients can communicate with both services, because the VPC and services are associated with the same service network.

A service network with servers and clients.
Service directory

A central registry of all VPC Lattice services that you own or are shared with your account through AWS Resource Access Manager (AWS RAM).

Auth policies

Fine-grained authorization policies that can be used to define access to services. You can attach separate auth policies to individual services or to the service network. For example, you can create a policy for how a payment service running on an auto scaling group of EC2 instances should interact with a billing service running in AWS Lambda.

Roles and responsibilities

A role determines who is responsible for the setup and flow of information within Amazon VPC Lattice. There are typically two roles, service network owner and service owner, and their responsibilities can overlap.

Service network owner – The service network owner is usually the network administrator or the cloud administrator in an organization. Service network owners create, share, and provision the service network. They also manage who can access the service network or services within VPC Lattice. The service network owner can define coarse-grained access settings for the services associated with the service network. These controls are used to manage communication between clients and services using authentication and authorization policies. The service network owner can also associate a service with the service network, if the service is shared with the service network owner's account.

Service network owner's role and responsibility

Service owner – The service owner is usually a software developer in an organization. Service owners create services within VPC Lattice, define routing rules, and also associate services with the service network. They can also define fine-grained access settings, which can restrict access to only authenticated and authorized services and clients.

Service owner's role and responsibility

Features

The following are the core features that VPC Lattice provides.

Service discovery

All clients and services in VPCs associated with the service network can communicate with other services within the same service network. DNS directs client-to-service and service-to-service traffic through the VPC Lattice endpoint. When a client wants to send a request to a service, it uses the service’s DNS name. The Route 53 Resolver sends the traffic to VPC Lattice, which then identifies the destination service.

Connectivity

Client-to-service connectivity is established using the VPC Lattice data plane within the AWS network infrastructure. When you associate a VPC with the service network, any client within the VPC can connect with services in the service network, if they have the required access.

Observability

VPC Lattice generates metrics and logs for each request and response traversing the service network, to help you monitor and troubleshoot applications. By default, VPC Lattice publishes metrics in the service owner account, and gives you the option to turn on logging. If the clients are also associated with the same service network, the service network owner receives logs for all services associated with the service network. The service owner receives logs for all clients making requests to their service.

VPC Lattice works with the following tools to help you monitor and troubleshoot your services: CloudWatch log groups, Firehose delivery streams, and S3 buckets.
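
As an added example (not VPC Lattice code or a sample from this page) of what a service owner can do with the per-request logs described above, the following script parses constructed JSON log records, counts denied requests per caller and source VPC, and flags any source that crosses a threshold. The field names (resolvedUser, sourceVpcArn, serviceArn, authDeniedReason, responseCode, requestMethod, requestPath) are assumed to mirror the VPC Lattice access-log schema; they are not taken from this page, and the ARNs and values are constructed.

```python
"""Spotting repeated authorization failures in access logs.

Added example, not VPC Lattice code. Field names are assumed, not taken from
this page; all records, ARNs and principals below are constructed."""
import json
from collections import Counter
from typing import Dict, List, Tuple

SVC = "arn:aws:vpc-lattice:us-east-1:111122223333:service/svc-0123456789abcdef0"  # constructed
VPC_A = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0aaa1111"                        # constructed
VPC_B = "arn:aws:ec2:us-east-1:444455556666:vpc/vpc-0bbb2222"                        # constructed
BILLING = "arn:aws:sts::111122223333:assumed-role/billing/i-0abc"                    # constructed
PAYMENT = "arn:aws:sts::111122223333:assumed-role/payment-service/i-0def"            # constructed


def _rec(user, vpc, method, path, code, denied=None) -> str:
    """Build one constructed log line in the assumed JSON layout."""
    return json.dumps({"serviceArn": SVC, "resolvedUser": user, "sourceVpcArn": vpc,
                       "requestMethod": method, "requestPath": path,
                       "responseCode": code, "authDeniedReason": denied})


SAMPLE_LOG_LINES = [
    _rec(PAYMENT, VPC_A, "POST", "/charge", 200),
    _rec(BILLING, VPC_A, "GET", "/charge", 403, "Service"),
    _rec(BILLING, VPC_A, "GET", "/refund", 403, "Service"),
    _rec(BILLING, VPC_A, "DELETE", "/charge", 403, "Service"),
    "this line is not JSON and must be skipped",
    _rec(None, VPC_B, "GET", "/charge", 403, "Network"),
    _rec(PAYMENT, VPC_A, "GET", "/charge", 200),
]


def parse_records(lines: List[str]) -> List[Dict]:
    """Parse JSON log lines, dropping malformed ones instead of failing the run."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def denials_by_source(records: List[Dict]) -> Counter:
    """Count denied requests per (caller, source VPC); anonymous callers show as 'anonymous'."""
    counts: Counter = Counter()
    for r in records:
        if r.get("authDeniedReason") is not None or r.get("responseCode") == 403:
            counts[(r.get("resolvedUser") or "anonymous", r.get("sourceVpcArn"))] += 1
    return counts


def flag_sources(records: List[Dict], threshold: int = 3) -> List[Tuple[str, str]]:
    """Return sources whose denial count reaches the threshold, most denials first."""
    counts = denials_by_source(records)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    print(len(recs), "records parsed")
    for src, n in denials_by_source(recs).most_common():
        print(n, "denied from", src)
    print("flagged:", flag_sources(recs))
```

Because the service owner sees every client that calls their service while the service network owner sees every service, the same grouping run on the network-level logs would show whether one caller is being denied across many services rather than just this one.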

Security

VPC Lattice provides a framework that you can use to implement a defense strategy at multiple layers of the network. The first layer is the service and VPC association. Without a VPC and service association, clients can't access the service. The second layer enables users to attach security groups to the association between the VPC and the service network. The third and fourth layers are auth policies that can be applied individually at the service network level and the service level.
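
The following added example (not VPC Lattice code or an excerpt from this page) models the layered decision just described and the auth policies introduced under Key components. A client's VPC must be associated with the service network before a request can reach a service at all (the first layer); the security-group layer is not modelled; then the service network auth policy and the service auth policy are each evaluated IAM-style, where an explicit Deny is final, a matching Allow grants access, and anything else is implicitly denied. The action name vpc-lattice-svcs:Invoke and the condition keys vpc-lattice-svcs:SourceVpc, vpc-lattice-svcs:RequestMethod and vpc-lattice-svcs:RequestPath are the real VPC Lattice names but do not appear on this page; the ARNs, VPC IDs, role names and policy documents are constructed.

```python
"""Modelling the layered access decision for one request.

Added example, not VPC Lattice code. ARNs, VPC IDs and policies are
constructed; only StringEquals / StringNotEquals conditions are modelled."""
import fnmatch
from typing import Optional

SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111122223333:service/svc-0123456789abcdef0"  # constructed
PAYMENT_ROLE = "arn:aws:iam::111122223333:role/payment-service"                             # constructed
INVOKE = "vpc-lattice-svcs:Invoke"

SERVICE_NETWORK = {
    "associated_vpcs": {"vpc-0aaa1111"},
    # Coarse-grained, set by the service network owner: only roles in this account may call anything.
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/*"},
         "Action": INVOKE, "Resource": "*"}]},
}

SERVICE = {
    "arn": SERVICE_ARN,
    # Fine-grained, set by the service owner: only the payment role, only from one VPC, never DELETE.
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": PAYMENT_ROLE}, "Action": INVOKE,
         "Resource": SERVICE_ARN,
         "Condition": {"StringEquals": {"vpc-lattice-svcs:SourceVpc": "vpc-0aaa1111"}}},
        {"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": SERVICE_ARN,
         "Condition": {"StringEquals": {"vpc-lattice-svcs:RequestMethod": "DELETE"}}}]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal_arn: Optional[str]) -> bool:
    # "*" matches every caller, including anonymous ones; a None principal is anonymous.
    if stmt_principal == "*":
        return True
    if principal_arn is None:
        return False
    patterns = stmt_principal.get("AWS", []) if isinstance(stmt_principal, dict) else stmt_principal
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(patterns))


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    for op, keys in conditions.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, expected in keys.items():
            equal = ctx.get(key) in _as_list(expected)
            if (op == "StringEquals") != equal:
                return False
    return True


def evaluate_policy(policy: dict, principal_arn: Optional[str], action: str,
                    resource: str, ctx: dict) -> str:
    """Return "Allow" or "Deny" for one policy document (implicit deny by default)."""
    decision = "Deny"
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny wins over any allow
        decision = "Allow"
    return decision


def authorize(principal_arn: Optional[str], source_vpc: str, method: str, path: str,
              network: dict = SERVICE_NETWORK, service: dict = SERVICE) -> str:
    """Walk the layers in order and report which one stopped the request, if any."""
    if source_vpc not in network["associated_vpcs"]:
        return "Deny (VPC not associated)"
    ctx = {"vpc-lattice-svcs:SourceVpc": source_vpc,
           "vpc-lattice-svcs:RequestMethod": method,
           "vpc-lattice-svcs:RequestPath": path}
    for layer, policy in (("service network", network["policy"]), ("service", service["policy"])):
        if evaluate_policy(policy, principal_arn, INVOKE, service["arn"], ctx) != "Allow":
            return f"Deny ({layer} policy)"
    return "Allow"


if __name__ == "__main__":
    for args in ((PAYMENT_ROLE, "vpc-0aaa1111", "GET", "/charge"),
                 (PAYMENT_ROLE, "vpc-0aaa1111", "DELETE", "/charge"),
                 (PAYMENT_ROLE, "vpc-0bbb2222", "GET", "/charge"),
                 ("arn:aws:iam::111122223333:role/billing", "vpc-0aaa1111", "GET", "/charge"),
                 (None, "vpc-0aaa1111", "GET", "/charge")):
        print(args, "->", authorize(*args))
```

Two properties of the model are the ones to carry over to real policies: both the network policy and the service policy must allow a request, so the service owner can only narrow what the service network owner has granted, never widen it; and an explicit Deny in either policy cannot be overridden by an Allow in the other.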

Accessing VPC Lattice

You can create, access, and manage VPC Lattice using any of the following interfaces:

  • AWS Management Console – Provides a web interface that you can use to access VPC Lattice.

  • AWS Command Line Interface (AWS CLI) – Provides commands for a broad set of AWS services, including VPC Lattice. The AWS CLI is supported on Windows, macOS, and Linux. For more information about the CLI, see AWS Command Line Interface. For more information about the APIs, see Amazon VPC Lattice API Reference.

  • VPC Lattice Controller for Kubernetes – Manages VPC Lattice resources for a Kubernetes cluster. For more information about using VPC Lattice with Kubernetes, see the AWS Gateway API Controller User Guide.

  • AWS CloudFormation – Helps you to model and set up your AWS resources. For more information, see the Amazon VPC Lattice resource type reference.

Pricing

With VPC Lattice you pay for the time that a service is provisioned, the amount of data transferred through each service, and the number of requests. For more information, see Amazon VPC Lattice Pricing.