
Introduction to Amazon VPC Lattice

Quick Overview & Demo
Abdul Rahim

TL;DR:

Amazon VPC Lattice provides network connectivity between applications without the traditional networking configuration (peering, Transit Gateway attachments, route tables). It uses the AWS underlay, with technology similar to PrivateLink, instead of standard VPC networking. In VPC Lattice, administrators define a Service Network that connects the application services being offered with the VPCs of the consumers of those services. Besides connectivity, the Service Network adds authorization, so that only consumers that are permitted to access a service can reach it.
App owners create application-layer services (HTTP, HTTPS and gRPC) and auth policies in their own VPCs and offer those services in an administrator-created Service Network. App consumers then associate their VPCs with the same Service Network. Once services and consumers are attached to the same Service Network and the consumer is authorized, the consumer gets IP connectivity provisioned over the AWS underlay (a glorified version of PrivateLink).

Overview

Amazon VPC Lattice is an application networking service designed to consistently connect, monitor, and secure communications between your services without explicitly building connected networks. It provides a consistent way to manage service-to-service communication within AWS, without requiring any prior networking expertise.

Key Components


Service

A Service is defined much like a load balancer: it has listeners, rules and one or more Target Groups, and its targets can be EC2 instances, IP addresses, Lambda functions or an Application Load Balancer.

Service Network

You can group Services in a Service Network to apply common connectivity, monitoring and access control. Think of it as an application-layer boundary that overlays your existing network boundaries (VPCs and accounts). You can share Service Networks and Services across accounts using Resource Access Manager. This lets you create a boundary that maps to how your applications are deployed rather than to how your networks are connected.

Auth Policies

An auth policy is an IAM-style resource policy attached to a Service or a Service Network. Together with the resource's auth type (NONE, or AWS_IAM, which requires clients to SigV4-sign their requests) it defines which principals may invoke the service and under which conditions (source VPC, request method, request path, and so on).
Auth policies can be applied both to the Service and to the Service Network. When both carry a policy, a request has to be allowed by both, so the Service Network policy sets the coarse boundary and the Service policy narrows it further.
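The two layers of policy described above, as an added example that is not from the original page or from AWS documentation: a Service Network policy that admits only callers coming from one consumer VPC that belong to one AWS organization, a stricter Service policy that lets a single role issue GET requests under one path, a guard that refuses any policy whose wildcard Principal is not pinned to a signed identity, and a client-side check that an unsigned request is rejected while a SigV4-signed one succeeds. Every identifier (service network, service, VPC, organization, account, role, service DNS name) is a placeholder assumption, and `awscurl` is a third-party tool used only to sign the test request.

```shell
#!/bin/sh
# Added example, not from the original page or AWS documentation. Every
# identifier (service network, service, VPC, organization, account, role,
# service DNS name) is a placeholder assumption.
set -eu

REGION="${REGION:-us-east-1}"

# Service Network policy: callers must come from one consumer VPC and belong
# to our organization. "Principal": "*" on its own would also admit unsigned
# (anonymous) requests; the aws:PrincipalOrgID condition rules those out.
service_network_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "vpc-lattice-svcs:Invoke",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc-lattice-svcs:SourceVpc": "$1",
          "aws:PrincipalOrgID": "$2"
        }
      }
    }
  ]
}
EOF
}

# Service policy: one role, GET only, under /parking/. When both the Service
# Network and the Service carry a policy, a request must be allowed by both.
service_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "vpc-lattice-svcs:Invoke",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "vpc-lattice-svcs:RequestMethod": "GET" },
        "StringLike": { "vpc-lattice-svcs:RequestPath": "/parking/*" }
      }
    }
  ]
}
EOF
}

# Guard: a wildcard Principal with no condition that pins the caller to a
# signed identity would open the resource to anonymous callers.
policy_requires_identity() {
  if printf '%s' "$1" | grep -q '"Principal": "\*"'; then
    printf '%s' "$1" | grep -Eq 'aws:PrincipalOrgID|aws:PrincipalArn|aws:PrincipalAccount|aws:PrincipalType'
  else
    true
  fi
}

apply_policies() {
  local sn_id="$1" svc_id="$2" vpc_id="$3" org_id="$4" role_arn="$5" sn_policy svc_policy
  sn_policy="$(service_network_policy "$vpc_id" "$org_id")"
  svc_policy="$(service_policy "$role_arn")"
  policy_requires_identity "$sn_policy"  || { echo "refusing anonymous Service Network policy" >&2; return 1; }
  policy_requires_identity "$svc_policy" || { echo "refusing anonymous Service policy" >&2; return 1; }
  aws vpc-lattice put-auth-policy --region "$REGION" --resource-identifier "$sn_id"  --policy "$sn_policy"
  aws vpc-lattice put-auth-policy --region "$REGION" --resource-identifier "$svc_id" --policy "$svc_policy"
}

# From a client in the consumer VPC: with auth type AWS_IAM an unsigned request
# is rejected with 403; a SigV4-signed one (signing service name
# "vpc-lattice-svcs", here via the third-party awscurl tool) from the allowed
# role gets through.
verify_from_client() {
  curl -s -o /dev/null -w '%{http_code}\n' "$1"                # expect 403
  awscurl --service vpc-lattice-svcs --region "$REGION" "$1"   # expect 200
}

if [ "${1:-}" = "apply" ]; then
  apply_policies sn-0123456789abcdef0 svc-0123456789abcdef0 vpc-0123456789abcdef0 \
    o-exampleorgid arn:aws:iam::123456789012:role/parking-client
  verify_from_client https://parking-0123456789abcdef0.example.vpc-lattice-svcs.us-east-1.on.aws/parking/
fi
```

Run it with the single argument `apply` from a host that has credentials in the account owning the Service Network and Service; without arguments it only defines the functions, which is convenient for linting the rendered policies before they are pushed.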

Service Directory

Service Directory is an account-level view of all the Services you created or that were shared with you via Resource Access Manager.

Workflows

Admin Workflow

As an admin, you create the Service Network and define its access, authentication, logging and similar policies. You then associate the new Service Network with the VPCs whose workloads need to call the Services in it (the consumer VPCs; Services themselves are associated with the Service Network directly, not through a VPC). This is straightforward in a single account; in a multi-account setup you share the Service Network with the appropriate accounts through Resource Access Manager.

Service Owner Workflow

The Service Owner creates the Service, its listener and the Target Groups behind it. For example, the Service could be Parking and the Target Group the EC2 instances or Kubernetes service hosting the front-end application. The Service is then associated with the shared Service Network so consumers can reach it.
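The Admin Workflow and the Service Owner Workflow carried out end to end with the AWS CLI, as an added example that is not from the original page: the admin creates an IAM-authenticated Service Network, associates the consumer VPC with it and shares it through RAM; the service owner opens the targets' security group to the VPC Lattice managed prefix list, creates the Parking service with its target group and listener, registers an instance, and associates the service with the shared Service Network. All VPC, security group, instance and account IDs are placeholder assumptions; `admin_setup` needs credentials in the admin account and `owner_setup` credentials in the service owner's account. The small helpers (ARN-to-id, the listener's forward action, the prefix list name and the security group rule) render the values the CLI calls consume and can be exercised without AWS access.

```shell
#!/bin/sh
# Added example, not from the original page. All VPC, security group,
# instance and account IDs are placeholder assumptions. admin_setup runs with
# the admin account's credentials, owner_setup with the service owner's.
set -eu

REGION="${REGION:-us-east-1}"

# VPC Lattice ARNs end in "<type>/<id>"; the CLI wants the id.
id_from_arn() { printf '%s' "${1##*/}"; }

# Listener default action: forward everything to one target group. Weights
# allow splitting traffic across several groups later.
forward_action() {
  printf '{"forward":{"targetGroups":[{"targetGroupIdentifier":"%s","weight":100}]}}' "$1"
}

# Targets see connections from VPC Lattice's link-local range, not from the
# caller's IP, so their security group must admit the managed prefix list.
lattice_prefix_list_name() { printf 'com.amazonaws.%s.vpc-lattice' "$1"; }

sg_rule_for_prefix_list() {
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"PrefixListIds":[{"PrefixListId":"%s"}]}]' "$2" "$2" "$1"
}

# --- Admin: Service Network, consumer VPC association, cross-account share ---
admin_setup() {
  local consumer_vpc="$1" consumer_sg="$2" owner_account="$3" sn_arn sn_id
  sn_arn="$(aws vpc-lattice create-service-network --region "$REGION" \
      --name shared-services --auth-type AWS_IAM --query arn --output text)"
  sn_id="$(id_from_arn "$sn_arn")"
  # Associating a VPC gives its clients a path to every Service in the network;
  # the security group limits which clients in that VPC may use it.
  aws vpc-lattice create-service-network-vpc-association --region "$REGION" \
      --service-network-identifier "$sn_id" --vpc-identifier "$consumer_vpc" \
      --security-group-ids "$consumer_sg" >/dev/null
  # Multi-account: share the Service Network with the service owner via RAM.
  # Outside an organization with RAM sharing enabled the owner must accept it.
  aws ram create-resource-share --region "$REGION" --name shared-services-sn \
      --resource-arns "$sn_arn" --principals "$owner_account" >/dev/null
  printf '%s\n' "$sn_id"
}

# --- Service owner: Parking service, listener, target group, association ----
owner_setup() {
  local sn_id="$1" service_vpc="$2" instance_id="$3" target_sg="$4" pl_id tg_id svc_id
  pl_id="$(aws ec2 describe-managed-prefix-lists --region "$REGION" \
      --filters "Name=prefix-list-name,Values=$(lattice_prefix_list_name "$REGION")" \
      --query 'PrefixLists[0].PrefixListId' --output text)"
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$target_sg" \
      --ip-permissions "$(sg_rule_for_prefix_list "$pl_id" 80)" >/dev/null
  tg_id="$(aws vpc-lattice create-target-group --region "$REGION" --name parking-web \
      --type INSTANCE --config "vpcIdentifier=$service_vpc,port=80,protocol=HTTP" \
      --query id --output text)"
  aws vpc-lattice register-targets --region "$REGION" \
      --target-group-identifier "$tg_id" --targets "id=$instance_id,port=80" >/dev/null
  svc_id="$(aws vpc-lattice create-service --region "$REGION" --name parking \
      --auth-type AWS_IAM --query id --output text)"
  aws vpc-lattice create-listener --region "$REGION" --service-identifier "$svc_id" \
      --name http --protocol HTTP --port 80 \
      --default-action "$(forward_action "$tg_id")" >/dev/null
  # Offer the Service in the shared Service Network.
  aws vpc-lattice create-service-network-service-association --region "$REGION" \
      --service-network-identifier "$sn_id" --service-identifier "$svc_id" >/dev/null
  printf '%s\n' "$svc_id"
}

if [ "${1:-}" = "apply" ]; then
  SN_ID="$(admin_setup vpc-0aaaaaaaaaaaaaaaa sg-0aaaaaaaaaaaaaaaa 222222222222)"
  owner_setup "$SN_ID" vpc-0bbbbbbbbbbbbbbbb i-0bbbbbbbbbbbbbbbb sg-0bbbbbbbbbbbbbbbb
fi
```

The step most often forgotten is the prefix-list rule on the targets' security group: because clients reach the service through a link-local address that VPC Lattice answers on, a rule that allows the consumer VPC's CIDR does nothing, and the target simply times out. The Service Network is created with auth type AWS_IAM, so no traffic flows until an auth policy (see the Auth Policies section) allows it.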

How it works

VPC Lattice creates a logical application layer network called a service network, which abstracts the underlying network complexity. It simplifies inter-application communication between clients (consumers) and services (providers) throughout the service network across different AWS accounts and Amazon VPCs.
The service is designed to help you effectively discover, secure, connect, and monitor all of the services within it. Each component within VPC Lattice communicates unidirectionally or bi-directionally within the service network based on its association with the service network and its access settings.
Service owners create Services in their own VPCs and share them with the admin account.
The Admin has already created Service Networks as needed, for example a generic Shared Services network and a very restrictive PCI Services network.
Now the Admin shares the Service Networks with the consumer accounts using Resource Access Manager and associates the Service Networks with the consumer VPCs.
Note:
A VPC can be associated with only a SINGLE Service Network (a Service Network can have many VPCs).
A Service can be associated with multiple Service Networks.
Clients in an associated VPC can only reach the Services in that VPC's Service Network, and a Service is reachable only through the Service Networks it is associated with.
Underneath it uses technology similar to AWS PrivateLink: clients connect to a link-local address (169.254.171.0/24) that VPC Lattice answers on, not to the target's own IP.
Overlapping IP ranges between consumer and provider VPCs are supported, since no VPC-to-VPC routing is involved.
At the time of writing it supports HTTP, HTTPS and gRPC; TCP support was on the roadmap.
At the time of writing VPC Lattice offers 10 Gbps of bandwidth per service per AZ.

Example Scenario

The following diagram uses an example scenario to explain the flow of information and direction of communication between the components within VPC Lattice. There are two services associated with a service network. Both services and all three VPCs were created in the same account as the service network.

EKS Support


Example Usecases

Multi-Cluster and Multi-VPC K8s


Cross-VPC Connectivity


Traffic Management


Visibility Support


Demo

VPC Lattice Costs:

Three dimensions determine the cost of using Amazon VPC Lattice: number of services provisioned, data processing charges for traffic to and from each service, and number of requests that each service receives.

Pricing dimensions per service

Per-hour charge: $0.025-$0.0325 per hour
Data processing: $0.025-$0.0325 per GB processed
Requests: $0.10-$0.13 per 1 million requests (the first 300K requests per hour are free)

