@2024 - All Rights Reserved.
Home AWS AWS VPC Lattice – a new solution for service to service networking
AWSNetworking

AWS VPC Lattice – a new solution for service to service networking

by Vamsi Chemitiganti
written by Vamsi Chemitiganti

Readers of this blog will remember all the service mesh related posts we did some time ago-https://www.vamsitalkstech.com/?s=Istio. AWS announced the launch of an exciting new service, VPC Lattice, at Reinvent in November 2022. This new service works at the application layer and makes it easier for services that are deployed on VPCs across AWS to connect, monitor the flows, and keep their communication secure.

Introducing VPC Lattice

VPC Lattice is a new service offering from AWS VPC. Its goal is to give VPC-deployed microservices a consistent way to connect and keep their communication secure. It provides a policy-based approach for traffic management, monitoring, and thus interconnecting services, whether they are running on EC2 instances, EKS or EKS/ECS containers, or are running Lambda based serverless architectures.

How does VPC Lattice work?

Excerpted from the AWS blog[1]

With VPC Lattice, you create a logical application layer network, called a service network, that connects clients and services across different VPCs and accounts, abstracting network complexity. A service network is a logical boundary that is used to automatically implement service discovery and connectivity as well as apply access and observability policies to a collection of services. It offers inter-application connectivity over HTTP/HTTPS and gRPC protocols within a VPC.

Once a VPC has been enabled for a service network, clients in the VPC will automatically be able to discover the services in the service network through DNS and will direct all inter-application traffic through VPC Lattice. You can use AWS Resource Access Manager (RAM) to control which accounts, VPCs, and applications can establish communication via VPC Lattice.
A service is an independently deployable unit of software that delivers a specific task or function. In VPC Lattice, a service is a logical component that can live in any VPC or account and can run on a mixture of compute types (virtual machines, containers, and serverless functions). A service configuration consists of:

  • One or two listeners that define the port and protocol that the service is expecting traffic on. Supported protocols are HTTP/1.1, HTTP/2, and gRPC, including HTTPS for TLS-enabled services.
  • Listeners have rules that consist of a priority, which specifies the order in which rules should be processed, one or more conditions that define when to apply the rule, and actions that forward traffic to target groups. Each listener has a default rule that takes effect when no additional rules are configured, or no conditions are met.
  • A target group is a collection of targets, or compute resources, that are running a specific workload you are trying to route toward. Targets can be Amazon Elastic Compute Cloud (Amazon EC2) instances, IP addresses, and Lambda functions. For Kubernetes workloads, VPC Lattice can target services and pods via the AWS Gateway Controller for Kubernetes. To have access to the AWS Gateway Controller for Kubernetes, you can join the preview.

To configure service access controls, you can use access policies. An access policy is an IAM resource policy that can be associated with a service network and individual services. With access policies, you can use the “PARC” (principal, action, resource, and condition) model to enforce context-specific access controls for services. For example, you can use an access policy to define which services can access a service you own. If you use AWS Organizations, you can limit access to a service network to a specific organization.

VPC Lattice also provides a service directory, a centralized view of the services that you own or have been shared with you via AWS RAM.

Using Amazon VPC Lattice

We expect people with different roles can use VPC Lattice. For example:

  • The service network administrator can:
    • Create and manage a service network.
    • Define access and monitoring for the service network.
    • Associate client and services.
    • Share the service network with other AWS accounts.
  • The service owner can:
    • Create and manage service, including access and monitoring.
    • Define routing, for example, configuring listeners and rules that point to the target groups where the service is running.
    • Associate a service to service networks.

Key Features of VPC Lattice

  1. It is a service that operates at the application layer, facilitating connectivity, monitoring, and security for communication between different services. It defines the concept of a service network (more on that below). It can be used to connect compute services in a simple and consistent way across instances, containers, and serverless applications
  2. It handles all network connectivity between applications running on different VPCs and accounts using service networks. Service networks are logical application layer networks, that connect clients and services across different VPCs and accounts
  3. It performs NATing between IPv4, IPv6, and overlapping IP addresses (when customers have various accounts that use the same IP address range)
  4. It provides controls in a service mesh-like fashion to perform traffic management/routing based on weights
  5. It provides an easy way to use PrivateLink by enabling a more flexible approach to service definition, VPCs involved in the process can be managed with ease. It also enables services to be defined using ALB-like rules rather than just NLB, providing greater flexibility for defining services in the VPC
  6. The key idea is that VPC Lattive enables architectures where both monolithic and microservices applications can mix using a centralized approach. This saves the cloud administrator from performing repetitive tasks such as setting endpoints in VPCs and other time-consuming configuration
  7. Being an AWS service, it is well integrated with other AWS services, such as CloudWatch, and CloudFormation, and it can be used to manage microservices running on AWS Fargate or Amazon Elastic Container Service (ECS)

Conclusion

The goal of VPC Lattice is to boost developer productivity by letting them focus on developing applications as opposed to dealing with networking issues. This post introduces readers to VPC Lattice and the next one will discuss the differences between VPC Lattice and Istio.

References

[1] Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication —Danilo Poccia, https://aws.amazon.com/blogs/aws/introducing-vpc-lattice-simplify-networking-for-service-to-service-communication-preview/

Featured Image by Gerd Altmann from Pixabay

Discover more at Industry Talks Tech: your one-stop shop for upskilling in different industry segments!

You may also like

Amazon Q – Systems Use Cases

Industry Talks Tech on “Amazon Q and its...

An Introduction to Amazon Q

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.