
VPC Lattice Security Group


Dear Team, as per https://aws.amazon.com/blogs/networking-and-content-delivery/build-secure-multi-account-multi-vpc-connectivity-for-your-applications-with-amazon-vpc-lattice/:

"You can reference these prefix lists in the security group on the VPC association with the service network, and in the security groups associated with your VPC resources."

Can anyone confirm,

1. Does this security group need to be on the client VPC or on the service network? If it is on the client VPC, what are we blocking or allowing, since it has only one link-local prefix block?
2. Does the VPC Lattice service network generate any traffic towards the client VPC?

Thanks,

1 Answer

Hello.

1. Does this security group need to be on the client VPC or on the service network? If it is on the client VPC, what are we blocking or allowing, since it has only one link-local prefix block?

The recommended security group settings for VPC Lattice are described in the document below.
The prefix list is configured in the inbound rules of the security group on the target side, such as the security group of a target EC2 instance.
In the recommended settings, the outbound rules of the client-side EC2 security group are also configured with the prefix list.
However, since the default settings of a security group allow all outbound traffic, I think it's unnecessary to configure this unless you need to strictly control outbound traffic.
https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html

2. Does the VPC Lattice service network generate any traffic towards the client VPC?

I don't think any particular communication occurs towards the client side.
In other words, I don't think it is necessary to add rules allowing the prefix list in the inbound rules of client-side security groups, such as those of the client EC2 instances.

EXPERT
answered 2 years ago
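The two rules the answer describes, written out as an added Terraform example (not part of the original post or of AWS documentation). It looks up the AWS-managed VPC Lattice prefix list for the current region and assumes two existing, hypothetical security group IDs passed in as `var.target_sg_id` and `var.client_sg_id`; the port numbers are placeholders.

```hcl
# Added example, not from the post. Assumes an existing security group on the
# EC2 targets behind a Lattice service (var.target_sg_id) and an existing
# security group on the client EC2 instances (var.client_sg_id). Both are
# hypothetical inputs.
variable "target_sg_id" { type = string }
variable "client_sg_id" { type = string }

variable "target_port" {
  type    = number
  default = 8080 # placeholder: port the target group forwards to
}

variable "listener_port" {
  type    = number
  default = 443 # placeholder: port of the Lattice service listener
}

data "aws_region" "current" {}

# AWS-managed prefix list holding the link-local range VPC Lattice uses as
# the source address when it forwards requests to targets.
data "aws_ec2_managed_prefix_list" "lattice" {
  name = "com.amazonaws.${data.aws_region.current.name}.vpc-lattice"
}

# Target side: the inbound rule the answer refers to. Only the target port is
# opened, and only from the Lattice prefix list, so other hosts in the VPC
# cannot bypass the service network and reach the targets directly.
resource "aws_vpc_security_group_ingress_rule" "from_lattice" {
  security_group_id = var.target_sg_id
  ip_protocol       = "tcp"
  from_port         = var.target_port
  to_port           = var.target_port
  prefix_list_id    = data.aws_ec2_managed_prefix_list.lattice.id
  description       = "VPC Lattice data plane -> service targets"
}

# Client side: only needed when the client security group's default
# allow-all egress has been removed and outbound traffic is locked down, as
# the answer notes. No client-side inbound rule is required.
resource "aws_vpc_security_group_egress_rule" "to_lattice" {
  security_group_id = var.client_sg_id
  ip_protocol       = "tcp"
  from_port         = var.listener_port
  to_port           = var.listener_port
  prefix_list_id    = data.aws_ec2_managed_prefix_list.lattice.id
  description       = "Clients -> VPC Lattice service network"
}
```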
