VPC Lattice Walk-thru

语言: English
Walk through a demonstration of VPC Lattice
0
Walk through a demonstration of VPC Lattice showing options, security controls and traffic flow.
profile pictureAWS
专家
iBehr
更新于 19 天前3357 查看次数

VPC Lattice Basics

VPC Lattice can be used to link services in one or more AWS Accounts and VPCs. Here we are showing 3 accounts each with 1 VPC -- a provider (Application), a consumer and a Service Network account.

Enter image description here

VPC Lattice Service Options

VPC Lattice offers four types of services -- Application Load Balancers (ALBs), Lambda Functions, EC2 Instances or IP Addresses (which can be EKS Pods).

Enter image description here

VPC Lattice VPC Association

To enable the consumer account/VPC to access VPC Lattice Services, we create a VPC Association linking the VPC to the Service Network.

Enter image description here

VPC Lattice Demo App

Here we stand up an Elastic Container Service (ECS) based application that is fronted by an Application Load Balancer (ALB).

Enter image description here

VPC Lattice Demo App Service

Here we create a Service that points at the ALB and associate the Service with the Service Network.

Enter image description here

VPC Lattice Service Call

Here we show a service call from an instance in the consumer VPC to the Demo App. There is no native connectivity between the VPCs. VPC Lattice provides all of the connectivity.

Enter image description here

On the right we show a DNS lookup for the ALB and the Service name to show their IP addresses.

On the lower left, we can see the response provided by our Demo App which shows the path (IPs) taken to get to the app.

  1. IP address of the consumer EC2 Instance.
  2. IP address of the transparent proxy in the Service Network.
  3. IP address of the ALB in front of the Demo App.
  4. IP address of the ECS Task that serviced the request.

VPC Lattice Auth Policies

VPC Lattice supports adding Auth Policies to either Service Networks (applying to all Services) or to individual Services.

Enter image description here

Control access to VPC Lattice services using auth policies

VPC Lattice auth policies are specified using the same syntax as IAM policies. For more information, see Identity-based policies and resource-based policies in the IAM User Guide.

An auth policy contains the following elements:

  • Principal – The person or application who is allowed access to the actions and resources in the statement. In an auth policy, the principal is the IAM entity who is the recipient of this permission. The principal is authenticated as an IAM entity to make requests to a specific resource, or group of resources as in the case of services in a service network.
    You must specify a principal in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services. For more information, see AWS JSON policy elements: Principal in the IAM User Guide.

  • Effect – The effect when the specified principal requests the specific action. This can be either Allow or Deny. By default, when you enable access control on a service or service network using IAM, principals have no permissions to make requests to the service or service network.

  • Actions – The specific API action for which you are granting or denying permission. VPC Lattice supports actions that use the vpc-lattice-svcs prefix. For more information, see Actions defined by Amazon VPC Lattice Services in the Service Authorization Reference.

  • Resources – The services that are affected by the action.

  • Condition – Conditions are optional. You can use them to control when your policy is in effect. For more information, see Condition keys for Amazon VPC Lattice Services in the Service Authorization Reference.

VPC Lattice Security Controls

Here we highlight all the various points at which security controls can be applied. Including Auth Policies, Security Groups and NACLs.

Enter image description here