VPC Lattice Basics
VPC Lattice can be used to link services in one or more AWS Accounts and VPCs. Here we show three accounts, each with one VPC: a provider (Application) account, a consumer account and a Service Network account.
VPC Lattice Service Options
VPC Lattice offers four types of services -- Application Load Balancers (ALBs), Lambda Functions, EC2 Instances or IP Addresses (which can be EKS Pods).
VPC Lattice VPC Association
To enable the consumer account/VPC to access VPC Lattice Services, we create a VPC Association linking the VPC to the Service Network.
VPC Lattice Demo App
Here we stand up an Elastic Container Service (ECS) based application that is fronted by an Application Load Balancer (ALB).
VPC Lattice Demo App Service
Here we create a Service that points at the ALB and associate the Service with the Service Network.
VPC Lattice Service Call
Here we show a service call from an instance in the consumer VPC to the Demo App. There is no native connectivity between the VPCs. VPC Lattice provides all of the connectivity.
On the right we show a DNS lookup for the ALB and the Service name to show their IP addresses.
On the lower left, we can see the response provided by our Demo App which shows the path (IPs) taken to get to the app.
- IP address of the consumer EC2 Instance.
- IP address of the transparent proxy in the Service Network.
- IP address of the ALB in front of the Demo App.
- IP address of the ECS Task that serviced the request.
VPC Lattice Auth Policies
VPC Lattice supports adding Auth Policies to either Service Networks (applying to all Services) or to individual Services.
VPC Lattice auth policies are specified using the same syntax as IAM policies. For more information, see Identity-based policies and resource-based policies in the IAM User Guide.
An auth policy contains the following elements:
- Principal – The person or application who is allowed access to the actions and resources in the statement. In an auth policy, the principal is the IAM entity who is the recipient of this permission. The principal is authenticated as an IAM entity to make requests to a specific resource, or group of resources as in the case of services in a service network.
  You must specify a principal in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services. For more information, see AWS JSON policy elements: Principal in the IAM User Guide.
- Effect – The effect when the specified principal requests the specific action. This can be either Allow or Deny. By default, when you enable access control on a service or service network using IAM, principals have no permissions to make requests to the service or service network.
- Actions – The specific API action for which you are granting or denying permission. VPC Lattice supports actions that use the vpc-lattice-svcs prefix. For more information, see Actions defined by Amazon VPC Lattice Services in the Service Authorization Reference.
- Resources – The services that are affected by the action.
- Condition – Conditions are optional. You can use them to control when your policy is in effect. For more information, see Condition keys for Amazon VPC Lattice Services in the Service Authorization Reference.
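As an added example (not part of the original deck or of AWS's own tooling), the script below embeds a constructed auth policy for the Demo App service, built from the five elements above, alongside a deliberately over-broad one, and lints each Allow statement for a wildcard Principal with no Condition and for actions outside the vpc-lattice-svcs prefix. The account IDs, role name and service ARN are placeholders; the action vpc-lattice-svcs:Invoke and the condition key vpc-lattice-svcs:RequestMethod are real VPC Lattice names.

```python
"""Lint a VPC Lattice auth policy for the elements described in the slide."""
import json

LATTICE_PREFIX = "vpc-lattice-svcs:"

# Constructed sample: scoped Allow for the consumer account's role, GET only.
# Account IDs, role name and service ARN are placeholders, not real resources.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/consumer-app-role"},
        "Action": "vpc-lattice-svcs:Invoke",
        "Resource": "arn:aws:vpc-lattice:us-east-1:222222222222:service/svc-PLACEHOLDER/",
        "Condition": {"StringEquals": {"vpc-lattice-svcs:RequestMethod": ["GET"]}},
    }],
})

# Constructed sample of what not to attach: any caller, any action, no condition.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a single string or a list for most elements; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. any authenticated caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_auth_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements that widen access beyond one service."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; default is already deny
        if "Principal" not in stmt:
            findings.append(f"statement {i}: missing Principal (required in a resource-based policy)")
        elif _is_wildcard_principal(stmt["Principal"]) and "Condition" not in stmt:
            findings.append(f"statement {i}: Principal '*' with no Condition admits any caller")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or not action.startswith(LATTICE_PREFIX):
                findings.append(f"statement {i}: action '{action}' is not a scoped {LATTICE_PREFIX} action")
    return findings
```

Run `lint_auth_policy(BAD_POLICY)` to see both findings; the scoped policy returns an empty list.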
VPC Lattice Security Controls
Here we highlight the various points at which security controls can be applied, including Auth Policies, Security Groups and NACLs.