Last year’s re:Invent brought a lot of amazing updates to the big family of AWS services. In this blog post, I would like to explain one such new offering — Amazon VPC Lattice — an exciting new service that simplifies the networking layer for developers and cloud administrators.
What is Lattice
So what exactly is Amazon VPC Lattice? It is an application layer networking service that enables consistent and secure service-to-service communication without the need for prior networking expertise. With VPC Lattice, you can easily configure network access, traffic management, and network monitoring, making service-to-service communication seamless across VPCs and accounts, irrespective of the underlying compute type.
How it helps
VPC Lattice helps address several use cases, including connecting services at scale, implementing granular access permissions, applying advanced traffic controls, and observing service-to-service interactions. The service offers connectivity over the HTTP/HTTPS and gRPC protocols through a dedicated data plane within the VPC. Administrators can use AWS Resource Access Manager (AWS RAM) to control which accounts and VPCs can establish communication through a service network.
What’s more, VPC Lattice is designed to be non-invasive and work alongside existing architecture patterns, allowing development teams across your organization to onboard their services incrementally.
How it works
VPC Lattice introduces four key components: Service, Service Directory, Service Network, and Auth Policy. These components simplify how users enable connectivity and apply standard policies to a collection of services. Service networks can be shared across accounts with AWS RAM and associated with VPCs to allow connectivity to a group of services.
The diagram below illustrates the use of Amazon VPC Lattice and the Service Network Manager to create a service network, define policies, and share cross-account access.
The Service Network Manager section at the top consists of four icons representing the process flow:
1️⃣ The first step involves creating a service network by choosing a name and an authentication type.
2️⃣ The second step consists of defining access and monitoring by setting and managing access policies and selecting log destinations.
3️⃣ The third step involves associating clients and services, allowing resources in associated VPCs to reach the services associated with the service network.
4️⃣ The fourth step consists of adding specific services or service networks to AWS RAM shares to facilitate cross-account access.
The Service Owner section at the bottom consists of three steps:
1️⃣ The first step involves creating a service, identifying it, and defining its access and monitoring.
2️⃣ The second step consists of defining routing by adding listeners and rules that point to the target groups that host the service.
3️⃣ The third step consists of selecting the service networks from which the service receives traffic.
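The access policies set in the Service Network Manager's second step and on each service are IAM-style auth policy documents. The following is an added example, not code from the original post or from AWS: it builds a least-privilege auth policy for one service and lints a policy for the two mistakes a reviewer most often catches. It assumes the documented `vpc-lattice-svcs:Invoke` action and the `vpc-lattice-svcs:SourceVpc`, `vpc-lattice-svcs:RequestMethod` and `aws:PrincipalType` condition keys; every ARN and ID in it is a constructed placeholder.

```python
import json

INVOKE_ACTION = "vpc-lattice-svcs:Invoke"      # documented Lattice data-plane action
SOURCE_VPC_KEY = "vpc-lattice-svcs:SourceVpc"  # documented condition keys
METHOD_KEY = "vpc-lattice-svcs:RequestMethod"


def build_auth_policy(service_arn, caller_role_arns, source_vpc_ids=(), methods=("GET",)):
    """Allow only the listed IAM roles to invoke this one service, optionally pinned
    to the calling VPCs and HTTP methods. Returns the policy document as a dict."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(caller_role_arns)},
        "Action": INVOKE_ACTION,
        "Resource": f"{service_arn}/*",  # every path on this service, nothing else
    }
    equals = {}
    if source_vpc_ids:
        equals[SOURCE_VPC_KEY] = list(source_vpc_ids)
    if methods:
        equals[METHOD_KEY] = list(methods)
    if equals:
        statement["Condition"] = {"StringEquals": equals}
    return {"Version": "2012-10-17", "Statement": [statement]}


def find_policy_weaknesses(policy):
    """Flag Allow statements that are broader than a service owner usually intends:
    anonymous callers, or a resource wildcard that is not scoped to one service."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        # In Lattice, Principal "*" without an aws:PrincipalType condition also admits
        # unauthenticated requests, not just any signed IAM principal.
        if anyone and "aws:PrincipalType" not in json.dumps(st.get("Condition", {})):
            findings.append(f"statement {i}: Principal '*' without aws:PrincipalType allows anonymous callers")
        if st.get("Resource") == "*":
            findings.append(f"statement {i}: Resource '*' is not scoped to a single service")
    return findings


# Constructed sample identifiers, not real account, VPC or service IDs.
SERVICE_ARN = "arn:aws:vpc-lattice:us-west-2:111122223333:service/svc-0123456789abcdef0"
CALLER_ROLE = "arn:aws:iam::111122223333:role/orders-api-task-role"
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": INVOKE_ACTION, "Resource": "*"}]}

if __name__ == "__main__":
    scoped = build_auth_policy(SERVICE_ARN, [CALLER_ROLE], ["vpc-0abc1234def567890"])
    print(json.dumps(scoped, indent=2), find_policy_weaknesses(OPEN_POLICY))
```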
Win-win for Ops and Developers
Overall, VPC Lattice bridges the gap between developers and cloud administrators by providing role-specific features and capabilities. Developers can focus on building applications, not networks, while cloud and network administrators can improve their organization’s security posture by enabling authentication, authorization, and encryption consistently across mixed computing environments.
Currently, Amazon VPC Lattice is in Preview in the US West (Oregon) region. I’m excited to see how VPC Lattice will shape the future of networking and make it even easier for developers to build complex applications. 🚀
Some additional resources to learn more about Lattice:
Presentation at re:Invent 2022
A blog post on the AWS blog with examples: Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication