Simplify connectivity, security, and monitoring between services with Amazon VPC Lattice

At AWS re:Invent 2022, Amazon Web Services introduced a preview of Amazon VPC Lattice, a new feature of Amazon Virtual Private Cloud (Amazon VPC) that connects, secures, and monitors service-to-service communication in a consistent way. With Amazon VPC Lattice, you define network access, traffic management, and monitoring policies to connect compute services running on instances, in containers, and in serverless applications.

On April 10, Amazon Cloud Technology announced that Amazon VPC Lattice is now generally available. Compared with the preview, the following features are new:

● In addition to the domain name that Amazon VPC Lattice generates automatically, a service can now use a custom domain name. When HTTPS is used, you can configure an SSL/TLS certificate that matches the custom domain name.

● The open source AWS Gateway API Controller can be deployed to use Amazon VPC Lattice with a native Kubernetes experience. The controller uses the Kubernetes Gateway API to connect services across multiple Kubernetes clusters, as well as services running on EC2 instances, in containers, and as serverless functions.

● You can use an Application Load Balancer (ALB) or a Network Load Balancer (NLB) as the target of a service.

● The IP address target type now supports IPv6 connections.

 

Using Amazon VPC Lattice to connect services

Let's see how to use Amazon VPC Lattice to let the services of an e-commerce application communicate with each other. For simplicity, only four services are considered:

● Order service, running as a Lambda function.

● Inventory service, deployed as an Amazon Elastic Container Service (Amazon ECS) service in a dual-stack Amazon VPC that supports IPv6.

● Delivery service, deployed as an ECS service that uses an ALB to distribute traffic to its tasks.

● Payment service, running on EC2 instances.

First, create a service network. The Order service needs to call the Inventory service (to check whether an item is available for purchase), the Delivery service (to organize delivery of the item), and the Payment service (to transfer the money). These services run in different AWS accounts and in multiple Amazon VPCs. Amazon VPC Lattice handles the complexity of setting up connectivity and cross-account permissions across VPC boundaries, so communication between services is as simple as an HTTP/HTTPS call.

The Order service runs in a Lambda function connected to an Amazon VPC. Because all the VPCs in the diagram are associated with the service network, the Order service can call the other services (Inventory, Delivery, and Payment) in this way, even though those services are deployed in different AWS accounts and in VPCs whose IP address ranges overlap.

 

Use a Network Load Balancer (NLB) as a target

The Inventory service runs in a dual-stack Amazon VPC. It is deployed as an ECS service with an NLB that distributes traffic to the tasks of the service. The NLB is registered through its IP addresses; to get the IPv6 address of the NLB, look up the network interfaces used by the NLB in the EC2 console.

When creating the target group for the Inventory service, under Basic configuration, choose IP addresses as the target type, and then choose IPv6 as the IP address type.

 

Use an Application Load Balancer (ALB) as a target

Using an ALB as a target is even simpler. When creating the target group for the Delivery service, under Basic configuration, choose the new Application Load Balancer target type. Then choose the Amazon VPC in which to look for the ALB, and the protocol version.

In the next step, choose Register now and select the ALB from the dropdown list. Use the default port of the target group. Amazon VPC Lattice does not add its own health checks for ALB targets; the load balancer already has its own health checks configured, so make sure those are meaningful for the tasks behind it.

 

Use a custom domain name for your service

To call these services, use a custom domain name. For example, when creating the Payment service in the Amazon VPC console, choose Specify a custom domain configuration, enter the custom domain name, and choose an SSL/TLS certificate for the HTTPS listener. The Custom SSL/TLS certificate dropdown lists the certificates available in AWS Certificate Manager (ACM). Note that Amazon VPC Lattice does not manage DNS for the custom name: clients only reach the service if the custom domain name resolves (for example, through a CNAME record) to the domain name that Amazon VPC Lattice generated for the service.

 

Securing inter-service communication

Now that the target groups have been created, let's see how to secure communication between the services. For zero-trust authentication and authorization, use AWS Identity and Access Management (IAM). When creating a service, choose AWS IAM as the authentication type.

Choose the Allow only authenticated access policy template, so that requests to the service must be signed with Signature Version 4 (SigV4), the same signing protocol used by AWS APIs. In this way, requests between services are authenticated with the caller's IAM credentials, and you do not have to manage keys or shared secrets to secure their communication. Unsigned requests, and requests signed with credentials the auth policy does not allow, are rejected by Amazon VPC Lattice before they reach the target.
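The page says the caller must sign requests with SigV4 but does not show what that involves. The block below is an added example, not code from the original post or from AWS: it implements the SigV4 signing steps (canonical request, string to sign, derived signing key) for a request to a Lattice service, so you can see exactly which headers the Order service has to send. Two Lattice-specific points it demonstrates: the credential scope uses the service name vpc-lattice-svcs (not vpc-lattice, which is the control-plane API), and the payload hash slot carries the literal UNSIGNED-PAYLOAD, because VPC Lattice does not sign request bodies. The domain name, access keys and fixed clock are constructed for the example; in a Lambda function you would use the execution role's credentials (including the session token) from the environment.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Service name used in the SigV4 credential scope for calls to VPC Lattice
# services (the control-plane API is a different service, "vpc-lattice").
LATTICE_SERVICE = "vpc-lattice-svcs"
# VPC Lattice does not sign the request body; the hash slot carries this literal.
UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD"
# Fixed clock for the demo so the output is reproducible (constructed value).
EXAMPLE_TIME = datetime.datetime(2023, 4, 10, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(query: str) -> str:
    """Percent-encode each name/value and sort, as the SigV4 canonical form requires."""
    pairs = []
    for item in (query.split("&") if query else []):
        name, _, value = item.partition("=")
        pairs.append((quote(name, safe="-_.~"), quote(value, safe="-_.~")))
    return "&".join(f"{n}={v}" for n, v in sorted(pairs))


def sign_lattice_request(method, url, region, access_key, secret_key,
                         session_token=None, now=None):
    """Return the headers (including Authorization) to send with `method url`."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parts = urlsplit(url)

    # Headers that are covered by the signature (lower-cased keys, sorted below).
    headers = {
        "host": parts.netloc,
        "x-amz-content-sha256": UNSIGNED_PAYLOAD,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials (Lambda execution role, STS)
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/"),
        _canonical_query(parts.query),
        canonical_headers,
        signed_headers,
        UNSIGNED_PAYLOAD,
    ])

    scope = f"{date_stamp}/{region}/{LATTICE_SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Derive the signing key: HMAC chain over date, region, service and terminator.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, LATTICE_SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed inputs: a hypothetical Inventory service domain and fake keys.
    hdrs = sign_lattice_request(
        "GET", "https://inventory.example.internal/stock?sku=42", "us-east-1",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        now=EXAMPLE_TIME,
    )
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The function only produces headers; send them with any HTTP client over the VPC Lattice link-local endpoint (the Host header must be the service's domain name, since it is part of the signature). Because the body is unsigned, the signature does not protect request content against tampering on the path to Lattice, which is why the HTTPS listener matters even inside the service network.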

Or, more precisely, use an auth policy that only grants access to specific services or to specific URL paths of a service. For example, an auth policy can give the Lambda function of the Order service exactly these permissions:

● Read-only access (GET method) to the /stock URL path of the Inventory service.

● Full access (any HTTP method) to the /delivery URL path of the Delivery service.
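The post describes those two permissions but does not print the policy. The block below is an added example, not the original post's or AWS's code: it writes out the auth policy as a Python dict (the same JSON you would pass to put-auth-policy) and adds a small local matcher that approximates IAM's evaluation (explicit Deny wins, otherwise any matching Allow) so the intent can be unit-tested before the policy is attached. The account IDs, service IDs and role name are constructed; the matcher is a simplification, not the IAM engine.

```python
import json
import re

# Constructed identifiers (fake account IDs, service IDs and role name).
ORDER_ROLE_ARN = "arn:aws:iam::111122223333:role/order-service"
INVENTORY_SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111122223333:service/svc-0inventory0example"
DELIVERY_SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:444455556666:service/svc-0delivery00example"


def order_service_auth_policy(order_role_arn, inventory_service_arn, delivery_service_arn):
    """Auth policy for the Order service role: GET-only on /stock, any method on /delivery."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OrderReadsStock",
                "Effect": "Allow",
                "Principal": {"AWS": order_role_arn},
                "Action": "vpc-lattice-svcs:Invoke",
                # The URL path is appended to the service ARN. No wildcard, so
                # this matches /stock only; use ".../stock/*" to cover sub-paths.
                "Resource": f"{inventory_service_arn}/stock",
                "Condition": {
                    "StringEquals": {"vpc-lattice-svcs:RequestMethod": "GET"}
                },
            },
            {
                "Sid": "OrderManagesDelivery",
                "Effect": "Allow",
                "Principal": {"AWS": order_role_arn},
                "Action": "vpc-lattice-svcs:Invoke",
                "Resource": f"{delivery_service_arn}/delivery",
            },
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialize for `aws vpc-lattice put-auth-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=4)


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allows(policy, principal_arn, method, service_arn, path):
    """Simplified local evaluation (not the IAM engine): Deny wins, else any Allow."""
    resource = f"{service_arn}{path}"
    decision = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(_glob(p, principal_arn) for p in principals):
            continue
        if not any(_glob(a, "vpc-lattice-svcs:Invoke") for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("vpc-lattice-svcs:RequestMethod")
        if wanted is not None and method.upper() not in _as_list(wanted):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    policy = order_service_auth_policy(ORDER_ROLE_ARN, INVENTORY_SERVICE_ARN, DELIVERY_SERVICE_ARN)
    print(policy_json(policy))
    for m, svc, p in [("GET", INVENTORY_SERVICE_ARN, "/stock"),
                      ("POST", INVENTORY_SERVICE_ARN, "/stock"),
                      ("GET", INVENTORY_SERVICE_ARN, "/stock/42"),
                      ("DELETE", DELIVERY_SERVICE_ARN, "/delivery")]:
        print(m, p, "->", "allow" if allows(policy, ORDER_ROLE_ARN, m, svc, p) else "deny")
```

Because the two statements reference two different services, attach the policy at the service network (a policy attached to a single service should only reference that service), or split it into one policy per target service. When the Order service's account differs from the account that owns the service network or the target service, the Order role's own identity-based IAM policy must also grant vpc-lattice-svcs:Invoke; the auth policy alone is not enough across accounts. The matcher makes one common mistake visible: without a wildcard, /stock does not cover /stock/42.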

In this way, communication between the services of the e-commerce application, including its security and monitoring, is configured quickly with Amazon VPC Lattice. You can now focus on business logic instead of managing how services talk to each other.

Amazon VPC Lattice is now available in the following regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Europe (Ireland).

Amazon Cloud Technology designed Amazon VPC Lattice so that more teams can adopt it incrementally over time. Each team in your organization can choose whether and when to use Amazon VPC Lattice. Other applications can connect to Amazon VPC Lattice services using standard protocols such as HTTP and HTTPS. By using Amazon VPC Lattice, you can focus on application logic and gain productivity and deployment flexibility, with consistent support for instances, containers, and serverless compute.

Simplify how you connect, secure, and monitor your services with Amazon VPC Lattice.


Source: blog.csdn.net/m0_72810605/article/details/130823144