Amazon VPC Lattice is an application layer networking service that gives you a consistent way to connect, secure, and monitor service-to-service communication without any prior networking expertise. With VPC Lattice, you can configure network access, traffic management, and network monitoring to enable service-to-service communication consistently across VPCs and accounts, regardless of the underlying compute type.
VPC Lattice helps address the following use cases:
Connect services at scale – Connect thousands of services across VPCs and accounts without increasing network complexity.
Apply granular access permissions – Improve service-to-service security and support Zero Trust architectures with centralized access controls, authentication, and context-specific authorization.
Implement advanced traffic controls – Apply granular traffic controls, such as request-level routing and weighted targets, for blue/green and canary deployments.
Observe service-to-service interactions – Monitor and troubleshoot service-to-service communication for request type, traffic volume, errors, response time, and more.
VPC Lattice helps bridge the gap between developers and cloud administrators by providing role-specific features and capabilities. VPC Lattice will appeal to developers who do not want to learn and perform the common infrastructure and networking tasks required to get modern applications running quickly. Developers should be able to focus on building applications, not networks. VPC Lattice will also appeal to cloud and network administrators who are looking to increase their organization’s security posture by enabling authentication, authorization, and encryption in a consistent way across mixed compute environments (instances, containers, serverless), and across VPCs and accounts.
You can use VPC Lattice to create logical application layer networks, called service networks, that enable service-to-service communication across virtual private clouds (VPCs) and account boundaries, abstracting network complexity. It offers connectivity over HTTP/HTTPS and gRPC protocols through a dedicated data plane within your VPC. Clients reach this data plane through a link-local endpoint (the 169.254.171.0/24 address range for IPv4) that can be accessed only from within an associated VPC, so the client's security groups and network ACLs must permit egress to that range, and the VPC association itself can carry security groups that restrict which resources in the VPC may use it.
Administrators can use AWS Resource Access Manager (AWS RAM) to control which accounts and VPCs can establish communication through a service network. When a VPC is associated with a service network, resources within the VPC can automatically discover and connect to the collection of services in the service network. Service owners can use VPC Lattice compute integrations to onboard their services from Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), and AWS Lambda, and choose one or more service networks to join. Service owners can also configure advanced traffic-management rules to define how a request should be processed to support common patterns such as blue/green and canary-style deployments. In addition to traffic management, service owners and administrators can implement additional access controls by enforcing authentication and authorization through the VPC Lattice Auth policy. Administrators enforce guardrails at the service network level, and service owners apply fine-grained access controls on individual services; a request has to satisfy both layers. VPC Lattice is designed to be non-invasive and work alongside existing architecture patterns, allowing development teams across your organization to onboard their services incrementally over time.
VPC Lattice introduces four key components:
Service – An independently deployable unit of software that delivers a specific task or function. A service can live in any VPC or account and can run on instances, containers, or serverless compute. A service consists of listeners, rules, and target groups, similar to an Application Load Balancer.
Service directory – A centralized registry of all services registered with VPC Lattice, both those you created and those shared with your account through AWS RAM.
Service network – A logical grouping mechanism to simplify how users enable connectivity and apply common policies to a collection of services. Service networks can be shared across accounts with AWS RAM and associated with VPCs to enable connectivity to a group of services.
Auth policy – An Auth policy is an AWS Identity and Access Management (IAM) resource policy that you attach to a service network or to an individual service to define access controls. Because IAM evaluates it, you write ordinary principal-action-resource-condition (PARC) statements, and the request-level condition keys that VPC Lattice supplies (such as the HTTP method and path) let you enforce context-specific authorization on VPC Lattice services. Typically, an organization applies a coarse-grained Auth policy at the service network, such as "only authenticated requests from principals in my organization are allowed," and more granular policies at the service level. Two points matter in practice: an Auth policy is only evaluated when the auth type of the service network or service is AWS_IAM (with auth type NONE, every client that can reach the endpoint is allowed), and callers must SigV4-sign their requests for IAM to see their identity. When both a service network policy and a service policy are present, a request must be allowed by both and explicitly denied by neither.
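The following is an added example, not code from the AWS documentation, showing the two-layer pattern described above: a coarse-grained Auth policy on the service network and a fine-grained one on a single service, together with a deliberately simplified evaluator that shows how the two layers combine. The action (vpc-lattice-svcs:Invoke) and condition keys (aws:PrincipalOrgID, vpc-lattice-svcs:RequestMethod, vpc-lattice-svcs:RequestPath) are real; the organization ID, account ID, role ARNs and the sample requests are made-up placeholders, and the evaluator models only the StringEquals and StringLike operators, not IAM in full.

```python
"""Two-layer VPC Lattice Auth policy, modelled offline (added example).

The policy documents use real VPC Lattice action and condition keys; the org ID,
account ID, role ARNs and sample requests are placeholders. The evaluator is a
simplified model of IAM (StringEquals/StringLike only), written to show how the
service network and service policies combine. It is not IAM.
"""
import fnmatch

ORG_ID = "o-exampleorg12"                                       # placeholder
ORDERS_ROLE = "arn:aws:iam::111122223333:role/orders-client"    # placeholder
INVOKE = "vpc-lattice-svcs:Invoke"

# Coarse-grained guardrail on the service network: any principal that belongs to
# the organization may invoke any service. Unsigned (anonymous) calls carry no
# aws:PrincipalOrgID, so the condition never matches them.
SERVICE_NETWORK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Fine-grained policy on one service: one role, GET/POST under /orders/*, and an
# explicit deny on /admin/* that wins over any allow.
SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow", "Principal": {"AWS": ORDERS_ROLE},
            "Action": INVOKE, "Resource": "*",
            "Condition": {
                "StringEquals": {"vpc-lattice-svcs:RequestMethod": ["GET", "POST"]},
                "StringLike": {"vpc-lattice-svcs:RequestPath": "/orders/*"},
            },
        },
        {
            "Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": "*",
            "Condition": {"StringLike": {"vpc-lattice-svcs:RequestPath": "/admin/*"}},
        },
    ],
}


def _condition_holds(operator, expected, actual):
    """Simplified IAM string operators; a missing context key never matches."""
    values = expected if isinstance(expected, list) else [expected]
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"operator {operator} is not modelled here")


def _statement_matches(stmt, request):
    """Principal, action and every condition must match for a statement to apply."""
    principal = stmt["Principal"]
    if principal != "*":
        allowed = principal.get("AWS", [])
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if request.get("principal_arn") not in allowed:
            return False
    if stmt["Action"] != INVOKE:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, expected, request["context"].get(key)):
                return False
    return True


def evaluate_policy(policy, request):
    """IAM decision order: explicit Deny wins, then any Allow, else implicit deny."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, request)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "DENY"
    return "ALLOW" if any(s["Effect"] == "Allow" for s in matched) else "DENY"


def authorize(request):
    """A request must pass the service network guardrail AND the service policy."""
    return all(evaluate_policy(p, request) == "ALLOW"
               for p in (SERVICE_NETWORK_POLICY, SERVICE_POLICY))


def make_request(principal_arn, org_id, method, path):
    """Constructed request context in the shape the evaluator expects."""
    context = {"vpc-lattice-svcs:RequestMethod": method,
               "vpc-lattice-svcs:RequestPath": path}
    if org_id is not None:
        context["aws:PrincipalOrgID"] = org_id
    return {"principal_arn": principal_arn, "context": context}


BILLING_ROLE = "arn:aws:iam::111122223333:role/billing"         # placeholder
SAMPLE_REQUESTS = {  # constructed scenarios
    "orders_role_get_order":   make_request(ORDERS_ROLE, ORG_ID, "GET", "/orders/42"),
    "orders_role_delete":      make_request(ORDERS_ROLE, ORG_ID, "DELETE", "/orders/42"),
    "orders_role_admin_path":  make_request(ORDERS_ROLE, ORG_ID, "GET", "/admin/users"),
    "other_role_in_org":       make_request(BILLING_ROLE, ORG_ID, "GET", "/orders/42"),
    "orders_role_outside_org": make_request(ORDERS_ROLE, "o-someoneelse99", "GET", "/orders/42"),
    "anonymous":               make_request(None, None, "GET", "/orders/42"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:<26} -> {'ALLOW' if authorize(req) else 'DENY'}")
```

Only the first scenario is allowed: the service network policy lets the billing role through, but the service policy has no Allow for it; the DELETE and /admin/users requests fail at the service (the latter by explicit deny); the caller from another organization and the anonymous caller never get past the network guardrail. Note why the org-ID condition matters: a statement with Principal "*" and no condition also matches unsigned requests once the auth type is AWS_IAM, so the condition is what keeps anonymous calls out.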
VPC Lattice is currently available in the following AWS Regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland), Europe (Frankfurt), Europe (London), Europe (Stockholm), and Canada (Central).