AWS Partner Network (APN) Blog

Simplify Application Networking with Amazon VPC Lattice and VMware Cloud on AWS

By Sheng Chen, Sr. Specialist Solutions Architect – AWS

Modern applications are built with modular and distributed components. Customers seek flexible ways to simplify application networking between their service components, especially across a hybrid cloud environment.

VMware Cloud on AWS enables customers to easily migrate their workloads and applications from an on-premises vSphere environment into a software-defined data center (SDDC) with a seamless hybrid cloud experience.

As customers migrate workloads into VMware Cloud on AWS, it has become imperative to address service-to-service connectivity requirements between their existing applications running on SDDCs and new services deployed using native AWS services.

To support service connectivity between different AWS accounts and Amazon Virtual Private Clouds (VPCs), customers are usually required to provision additional networking services and components, such as VPC peering, AWS Transit Gateway, AWS PrivateLink, or service mesh proxies.

In addition, customers with multiple AWS accounts and VPCs often face challenges such as overlapping CIDR blocks and environmental segregation requirements, which impose additional complexity for building underlying IP connectivity between their services.

In this post, I will look at how Amazon VPC Lattice can simplify inter-service communication across your SDDCs and cloud-native environments, while abstracting the underlying networking complexity. I’ll also demonstrate how you can leverage VPC Lattice to seamlessly transform and migrate your applications from VMware Cloud on AWS to cloud-native services.

Amazon VPC Lattice Overview

In March 2023, AWS announced the general availability of Amazon VPC Lattice, an application networking service that facilitates discovery and connectivity of service-to-service communications.

VPC Lattice creates a logical application layer network, called a service network, that abstracts the underlying network complexity. It simplifies inter-application communication between clients (consumers) and services (providers) throughout the service network across different AWS accounts and Amazon VPCs.

Let’s review the key components of Amazon VPC Lattice, as presented in the figure below.


Figure 1 – Amazon VPC Lattice key components.

  • Service: A VPC Lattice service represents a customer application that delivers a specific task or function. A service can run on a range of compute options, including Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and serverless functions. You can share a VPC Lattice service with other AWS accounts using AWS Resource Access Manager (RAM). A VPC Lattice service includes the following elements:
    • Target groups – A collection of resources that delivers your application or service. Targets can be EC2 instances, IP addresses, AWS Lambda functions, Application Load Balancers, or Kubernetes pods.
    • Listeners – A process that routes incoming connection requests to targets in a target group, based on the defined protocol (HTTP/HTTPS) and port number.
    • Rules – Routing rules that control your application flows with defined priority, conditions, and actions.
  • Service network: A logical boundary for a collection of services. You can associate VPC Lattice services and VPCs with service networks to facilitate service connectivity. You can also share the service network with other accounts using RAM.
  • Service directory: A central registry of all VPC Lattice services you own or are shared with you via RAM.
  • Auth policy: An AWS Identity and Access Management (IAM) policy that can be associated with service networks or services for controlling access to the services.

Once a VPC has been associated with a service network, clients in the VPC will automatically be able to discover the registered services in the service network using domain name system (DNS). Furthermore, all inter-application traffic for registered services will be directed through VPC Lattice.

VPC Lattice also strengthens your security posture for application connectivity with context-specific authorization using an IAM-based auth policy, providing customers with fine-grained traffic controls and end-to-end observability.

To learn more about VPC Lattice, refer to this introductory blog post and the Amazon VPC Lattice reference architectures.

Integrating VPC Lattice with VMware Cloud on AWS

Leveraging Application Load Balancer via SDDC ENI

To integrate applications running on VMware Cloud on AWS with Amazon VPC Lattice, an Application Load Balancer is required. This is because VPC Lattice uses a unique link-local address range, which is only accessible locally within a VPC and not externally routable to an SDDC.

You can deploy an Application Load Balancer in the connected VPC to first terminate incoming requests from VPC Lattice. This allows you to then route application flows to the workloads hosted on the SDDC as IP targets, using the high-bandwidth and low-latency SDDC Elastic Network Interface (ENI). This is demonstrated in the sample architecture below.


Figure 2 – Integration using Application Load Balancer via SDDC ENI.

Data transfer between the SDDC and connected VPC will not incur any egress costs as long as the SDDC and native services are deployed in the same AWS Availability Zone (AZ).

As shown in the screenshot below, once an Internal Application Load Balancer is provisioned in the connected VPC, you can follow this user guide to create a Lattice target group (and service) for your applications running on the SDDC.


Figure 3 – Registering an Application Load Balancer as VPC Lattice target group.

Leveraging Application Load Balancer via VMware Transit Connect

An alternative option is to utilize Application Load Balancers in a separate VPC for building Lattice services, and then pass the application traffic to the SDDC via the VMware Transit Connect, as depicted in the diagram below.


Figure 4 – Integration using Application Load Balancer via VMware Transit Connect.

This could be because the Application Load Balancers are deployed in a centralized ingress VPC for security inspection requirements. The service network could also be located in a different AWS account and is shared with the ingress VPC using AWS RAM.

VMware Transit Connect is a VMware-managed AWS Transit Gateway solution, providing high-speed and resilient connectivity between your SDDCs, cloud-native services, and on-premises resources. Refer to this VMware blog post on how to provision VMware Transit Connect for connecting your SDDCs and Amazon VPCs.

For customers already running AWS Transit Gateway in their environment, it’s possible to terminate incoming service requests using the Application Load Balancer, and deliver application flows to your SDDC via AWS Transit Gateway and VMware Transit Connect using intra-region peering. Refer to the diagram below for this sample architecture.


Figure 5 – Integration using Application Load Balancer via intra-region peering.

Simplify Inter-App Connectivity Across SDDCs and Native Services

Now, let’s take a look at some use cases of how VPC Lattice can help VMware Cloud on AWS customers to simplify application networking and accelerate transformation.

In the first example, a customer has just migrated a group of on-premises applications into VMware Cloud on AWS. They are planning to launch a new Software-as-a-Service (SaaS) product, which requires a backend API service (Service1) on SDDC-01 to be integrated with two recently built microservices in their native AWS environment. These microservices are Service2 and Service3 deployed on AWS Lambda and Amazon Elastic Kubernetes Service (Amazon EKS) across different accounts and VPCs, as illustrated in the diagram below.


Figure 6 – Integrating SDDC applications into a complex AWS environment.

The customer has the following service integration requirements and challenges:

  • The VPC-02 CIDR partially overlaps with SDDC-01.
  • VPC-03 is deployed under a different AWS Organization that’s owned by an external service provider. As such, it’s not allowed to establish direct IP connectivity with the rest of the network.
  • Service2 and Service3 need to access Service1.
  • Service2 and Service3 need to communicate with each other bi-directionally.

This is where we can leverage VPC Lattice to build secure and private inter-application connectivity across your SDDCs, containers, and serverless functions in a multi-account environment. The unique VPC Lattice link-local address range also eliminates any potential IP address conflicts between different VPCs or SDDCs.

First, we need to create an Application Load Balancer for Service1 in the connected VPC attached to SDDC-01. This is to ensure all incoming service requests for Service1 are terminated in the connected VPC, since Lattice services are only accessible within native VPCs.

Second, we’ll create a VPC Lattice service network and share it with the three service accounts (Account 1 to 3) via AWS RAM. This allows us to create individual VPC Lattice services (for Service 1 to 3) in each account and associate them to the service network.

Lastly, we need to associate VPC-02 and VPC-03 with the service network because Service2 and Service3 require bi-directional communication. The connected VPC, however, does not need to be associated with the service network since Service3 is only a backend service.

The architecture below provides an overview of the solution.


Figure 7 – Simplifying inter-application networking with VPC Lattice.

With VPC Lattice, you can quickly build inter-service connectivity between your VMware Cloud on AWS applications and cloud-native services in a multi-account and multi-VPC environment. It also eliminates the complexity and management overhead for building additional network infrastructure services such as AWS Transit Gateway, AWS PrivateLink, and Private NAT Gateways.

In addition, VPC Lattice provides built-in DNS-based service discovery by automatically assigning a unique DNS name for each Lattice service. You can also create customized CNAME or Alias records for your services by utilizing Amazon Route 53 private hosted zones.

Accelerate Application Transformation with VPC Lattice

In the next example, we’ll explore how VPC Lattice can help VMware Cloud on AWS customers to seamlessly transform and migrate their applications to cloud-native services.

A customer is in the process of refactoring one of its legacy applications running on an SDDC, and has rebuilt it into a serverless function with AWS Lambda. Prior to shifting service traffic from the legacy application running in the SDDC to the Lambda function, the customer wants to conduct a series of canary tests to investigate any potential impact on other upstream services.

Amazon VPC Lattice supports common deployment patterns like blue/green and canary-style rollouts, which is exactly this scenario. You can set up a VPC Lattice service with two different target groups: one using the Lambda function in VPC-02, and another pointing to an Application Load Balancer in the connected VPC that exposes the legacy application running on SDDC-01.

You can then leverage weighted routing to provide precise traffic distribution between the two target groups based on request conditions (path, method, header), as illustrated below.


Figure 8 – VPC Lattice facilitates canary rollout across SDDC and AWS Lambda.

Furthermore, VPC Lattice provides granular access logs for service-to-service interactions. The supported log delivery targets include Amazon Simple Storage Service (Amazon S3) buckets, Amazon Kinesis Data Firehose, or Amazon CloudWatch log groups. This allows customers to rapidly retrieve required logging details, and then identify and analyze any potential issues on either a specific service or across the service network.
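As an added example (not code from the post or from AWS), the following Python reads a handful of constructed VPC Lattice access log entries for the canary scenario above, compares the 5xx rate of the Lambda canary target group against the legacy ALB target group to decide whether to roll back, and counts auth-policy denials separately. Field names follow the access log schema as understood here; the target group ARNs and the denial reason value are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample entries (not real data). Field names follow the VPC Lattice access
# log schema as the author understands it; target group ARNs are placeholders.
LEGACY_TG = "arn:aws:vpc-lattice:us-east-1:111111111111:targetgroup/tg-alb-legacy-EXAMPLE"
CANARY_TG = "arn:aws:vpc-lattice:us-east-1:111111111111:targetgroup/tg-lambda-canary-EXAMPLE"

def _entry(tg, code, duration_ms, denied="null"):
    return json.dumps({"targetGroupArn": tg, "responseCode": code, "duration": duration_ms,
                       "requestMethod": "GET", "requestPath": "/orders",
                       "authDeniedReason": denied})

SAMPLE_LOG_LINES = [_entry(*e) for e in [
    (LEGACY_TG, 200, 120), (LEGACY_TG, 200, 95), (LEGACY_TG, 503, 3000), (LEGACY_TG, 200, 110),
    (LEGACY_TG, 200, 101), (LEGACY_TG, 200, 99), (LEGACY_TG, 200, 104), (LEGACY_TG, 200, 97),
    (CANARY_TG, 200, 40), (CANARY_TG, 500, 35), (CANARY_TG, 502, 31), (CANARY_TG, 200, 38),
    ("-", 403, 2, "Service"),   # constructed: rejected by the auth policy before any target
]]

def summarize(lines):
    """Per target group: request count, 5xx rate and mean latency; plus auth-policy denials."""
    raw = defaultdict(lambda: {"requests": 0, "errors": 0, "duration_total": 0})
    auth_denied = 0
    for line in lines:
        e = json.loads(line)
        if e.get("authDeniedReason") not in (None, "null", "-"):
            auth_denied += 1            # a security signal, not a target-health signal
            continue
        s = raw[e["targetGroupArn"]]
        s["requests"] += 1
        s["errors"] += 500 <= int(e["responseCode"]) <= 599
        s["duration_total"] += int(e["duration"])
    summary = {tg: {"requests": s["requests"], "error_rate": s["errors"] / s["requests"],
                    "mean_duration_ms": s["duration_total"] / s["requests"]}
               for tg, s in raw.items()}
    return summary, auth_denied

def canary_should_roll_back(summary, canary_tg, legacy_tg, max_ratio=2.0, min_requests=4):
    """Roll back when the canary's 5xx rate exceeds max_ratio times the legacy baseline."""
    canary, legacy = summary[canary_tg], summary[legacy_tg]
    if canary["requests"] < min_requests:
        return False                    # too little canary traffic to judge
    baseline = max(legacy["error_rate"], 0.01)   # floor so a clean legacy still yields a ratio
    return canary["error_rate"] > max_ratio * baseline
```

The same aggregation works on lines pulled from the S3 or CloudWatch delivery targets; the auth-denial count is worth tracking on its own, since a rise there points at a misconfigured consumer or an unexpected caller rather than at target health.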

VPC Lattice facilitates your application transformation and modernization, enabling you to easily try out new ideas and to quickly roll back if required. It helps reduce risks during service migrations and ultimately improves your end user experience.

Additional Considerations

It’s recommended you leverage the AWS-managed prefix list for VPC Lattice in your security groups to enforce network-level protection across your service network. In addition, you can use service-level auth policies to apply strong authentication and context-specific authorization on either individual services or across the service network. Refer to this AWS blog post for more details.
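To make the auth-policy point concrete for the Service1/Service2/Service3 scenario above, here is an added example (not from the post or from AWS) that writes the kind of auth policy you would attach to the Service1 Lattice service and checks it with a small IAM-style evaluator (explicit Deny wins, then Allow, else implicit Deny). All ARNs, role names and VPC ids are placeholders; the condition keys vpc-lattice-svcs:SourceVpc and vpc-lattice-svcs:RequestMethod are the documented VPC Lattice condition keys, and "anonymous" stands for an unsigned request.

```python
import fnmatch
# Placeholder identifiers (not from the post): Service1's Lattice service ARN, the VPC ids
# of VPC-02 and VPC-03, and the IAM roles Service2 (Lambda) and Service3 (EKS) run as.
SERVICE1_ARN = "arn:aws:vpc-lattice:us-east-1:111111111111:service/svc-EXAMPLE1"
SERVICE2_ROLE = "arn:aws:iam::222222222222:role/service2-lambda-role"
SERVICE3_ROLE = "arn:aws:iam::333333333333:role/service3-pod-role"
VPC02, VPC03 = "vpc-0example02", "vpc-0example03"

# Auth policy for the Service1 service: only the two consumer roles may invoke it, only from
# VPC-02 or VPC-03, and only with GET or POST (explicit Deny on every other method).
# Every element is written as a list so the evaluator below needs no scalar handling.
SERVICE1_AUTH_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [SERVICE2_ROLE, SERVICE3_ROLE]},
     "Action": ["vpc-lattice-svcs:Invoke"], "Resource": [SERVICE1_ARN + "/*"],
     "Condition": {"StringEquals": {"vpc-lattice-svcs:SourceVpc": [VPC02, VPC03]}}},
    {"Effect": "Deny", "Principal": "*", "Action": ["vpc-lattice-svcs:Invoke"], "Resource": ["*"],
     "Condition": {"StringNotEquals": {"vpc-lattice-svcs:RequestMethod": ["GET", "POST"]}}},
]}

def _matches(ctx, st):
    # Principal, action and resource must all match, then every condition must hold.
    principal = st["Principal"]
    if principal != "*" and ctx["principal"] not in principal["AWS"]:
        return False
    if ctx["action"] not in st["Action"] or not any(
            fnmatch.fnmatchcase(ctx["resource"], r) for r in st["Resource"]):
        return False
    for op, keys in st.get("Condition", {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError("operator not modelled: " + op)
        for key, wanted in keys.items():
            if (ctx.get(key) in wanted) != (op == "StringEquals"):
                return False
    return True

def evaluate(policy, ctx):
    """IAM order: a matching explicit Deny wins, then a matching Allow, else implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if _matches(ctx, st):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def invoke_request(principal, source_vpc, method="GET", path="/orders"):
    # Request context as the auth policy sees it; "anonymous" models an unsigned request.
    return {"principal": principal, "action": "vpc-lattice-svcs:Invoke",
            "resource": SERVICE1_ARN + path, "vpc-lattice-svcs:SourceVpc": source_vpc,
            "vpc-lattice-svcs:RequestMethod": method}
```

The evaluator only models the two string operators the policy uses; the real decision is made by VPC Lattice, so treat this as a way to reason about a policy before attaching it, not as a substitute for testing it in place.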

By default, VPC Lattice services are only accessible within a VPC since its link-local address range is not routable. To provide external connectivity to your Lattice services, it’s typically required to use an ingress VPC with Elastic Load Balancing and a fleet of proxies. Refer to this AWS blog post for a sample architecture with an implementation guide.

As per the AWS Shared Responsibility Model, customers are responsible for maintaining control over the content they host on AWS infrastructure. Follow this user guide to configure Amazon VPC Lattice to meet your security and compliance objectives. In addition, refer to this comprehensive guide on VMware Cloud on AWS network and security. There are also additional resources to help you harden your VMware Cloud on AWS environment.

Please refer to the Amazon VPC Lattice pricing page for the most up-to-date information on pricing. Here are additional pricing details on AWS Transit Gateway or VMware Transit Connect.


In this post, I have discussed how Amazon VPC Lattice can help VMware Cloud on AWS customers to simplify application networking and accelerate transformation, including a walkthrough of some common integration architectures and use cases.

To learn more, I recommend you review these additional resources: