NET215 - NEW LAUNCH! Introducing Amazon VPC Lattice Simplifying Application Networking

The document introduces Amazon VPC Lattice, which aims to simplify application networking between microservices. It discusses the current approach of giving each service team their own VPC and accounts, which does not always match real application boundaries. It also notes that developers should not need to be network experts to connect services. VPC Lattice aims to provide networking, service discovery, load balancing, traffic management, authentication, authorization, and observability capabilities out of the box to connect services across VPCs in a simplified manner.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

NET215
Introducing Amazon VPC Lattice: Simplifying application networking

Justin Davies (he/him), Principal Product Manager, EC2 Networking, AWS
Sathya Ramaseshan (he/him), Principal Product Manager, EC2 Networking, AWS
How do we make it simple for developers to connect, secure, and monitor their services, without sacrificing the controls admins need to audit and secure their environment?
Agenda

- Need for service-to-service communication
- Current solutions: Overview and pain points
- VPC Lattice: Key features and functionality
- Use cases: How Amazon VPC Lattice helps
- Next steps: How to sign up
The journey from monolith to microservices

[Diagram: a monolith application in VPC 1 is decomposed into Microservice 1 and Microservice 2 in VPC 1 and Microservice 3 and Microservice 4 in VPC 2]
Give service teams their own sandbox
Network and permission boundaries with VPCs and accounts

[Diagram: Service 1 and Service 2 in VPC 1; Service 3 and Service 4 in VPC 2]
But does it match your application boundary?

[Diagram: Services 1 through 10, whose application groupings do not line up with the VPC boundaries]
Devs shouldn’t need to be network wizards

The network portion…

[Diagram: Service 1 and Service 2 in VPC 1, Service 3 and Service 4 in VPC 2, with the connectivity options between the VPCs: Internet gateway, AWS Transit Gateway, VPC peering, AWS PrivateLink]
How do you handle more than network connectivity?

[Diagram: Services 1 through 10, with the capabilities still to be solved: service discovery, traffic management, load balancing, authentication, authorization, observability]
The application portion…

[Diagram: Service 1 and Service 2 in VPC 1, Service 3 and Service 4 in VPC 2, with the application-layer building blocks: AWS Cloud Map, Amazon Route 53, Network Load Balancer, Application Load Balancer, Amazon API Gateway; health checks, load balancing, auth, etc.]

Note: Don’t see your favorite service? Don’t worry. Not an exhaustive list.
Containers: Basics out of the box…

[Diagram: Service 1 and Service 2 in Cluster 1 (Amazon EKS) in VPC 1]

In-VPC network connectivity ✅
Service discovery ✅
Basic round robin load balancing ✅
Traffic management ?
Authentication ?
Authorization ?
Observability ?
Containers: Basics out of the box… but cluster local

[Diagram: three Amazon EKS clusters across VPC 1 and VPC 2: Service 1 and Service 2 in one cluster, Service 3 and Service 4 in a second, Service 5 in a third; the paths between clusters are marked "?"]

[Same diagram, with Elastic Load Balancing (ELB) bridging the clusters]

[Same diagram, with AWS App Mesh or an alternative service mesh bridging the clusters]

Oh yeah… the network is still there!

[Same diagram with ELB and App Mesh or an alternative service mesh, plus the underlying VPC connectivity: Internet gateway, AWS Transit Gateway, VPC peering, AWS PrivateLink]

Note: Don’t see your favorite service? Don’t worry. Not an exhaustive list.
[Diagram: the three layers of a deployment, with Service 1, 2 and 3 spread across them]

SECURITY LAYER (Admin/Dev): Security applies to the complete deployment, often in both application and VPC layers.

APPLICATION LAYER (Dev): Applications deployed across multiple VPCs and accounts.

NETWORKING LAYER (Admin): Provides connectivity between applications throughout the deployment.
Connectivity conundrum

Developer: How do I even get started?
Admin: Wants to control the environment for all their developers.

Admin: What about IP overlap?
Developer: Wants to spin up in their own cluster.

Security conundrum

Developer: How can I use Lambda for my batch jobs?
Admin: Wants a strict identity and auth framework.

Admin: How often is it rotated?
Developer: I have hard coded my credentials.

Monitoring conundrum

Developer: I would like to generate logs that best suit my needs.
Admin: Wants to monitor all traffic in the network.

Admin: What about historical logs for compliance?
Developer: Wants telemetry for their application now.

Admin: I can ping the 192.168.1.1, it’s the Service.
Admin: Service is fine, it’s the network.
Persona problem…

Admin* / Cloud, Network, InfoSec
- Wants to empower developers without losing control
- Needs centralized tools to implement and enforce the organization’s security posture
“I want to empower service owners to have seamless service-to-service communication, but need the ability to provide oversight and enforce coarse grained access controls. I need observability that is integrated with my developers’ systems instead of being disjointed with overlays and today’s service mesh implementations.”

Developer / Service Owner
- Doesn’t want to deal with networks
- Needs advanced telemetry to help optimize and troubleshoot applications
“Service-to-service communication should just work. I want to focus on building business logic into my applications, not learning the… what’s it called… OSI Model?”
Amazon VPC Lattice
Bridging the gap between admins and developers

IN PREVIEW
Amazon VPC Lattice combines network connectivity with an application layer proxy

• Automatically handles connectivity between VPCs and accounts
• Apply rich traffic control, such as application layer load balancing and weighted targets to support blue-green deployments
Amazon VPC Lattice helps implement zero-trust principles

• Integrated with AWS Identity and Access Management (IAM): enforce authentication and implement fine-grained authorization for your own service-to-service communication
Amazon VPC Lattice: Consistent experience across instances, containers, and serverless

• Built directly into VPC and natively integrated with AWS services, so you can mix and match your compute types to meet the needs of each service
But how?

Amazon VPC Lattice components

[Diagram: the four building blocks: Service, Service Network, Auth Policies, Service Directory]
SERVICE
A unit of application running on instances, containers, and serverless, consisting of listeners, rules, and target groups.

[Diagram: Service → Listener → Rules → Target groups → Targets]
SERVICE NETWORK
A logical boundary that is used to automatically implement service discovery and connectivity, and to apply common access and observability policies to a collection of services.
AUTH POLICIES
An IAM resource policy that can be associated with a service network and with individual services to support request-level authentication and context-specific authorization.
[Diagram: auth policies sit between the admin and the developer]
SERVICE DIRECTORY
A centralized view of the services that you own or that have been shared with you through AWS Resource Access Manager (AWS RAM).
Who does what?

Admin:
1. Create a service network
2. Define access and monitoring
3. Associate VPCs and services
4. Share with other accounts

Service owner:
1. Create a service (listener HTTPS:443)
2. Define routing and authorization
3. Associate to service networks
Something for everyone

Cloud / Network Admin or InfoSec
- Can empower developers without losing control
- Enforce security guardrails
- Centralized tools to monitor service-to-service interactions

Developer / Service Owner
- Simple onboarding – no networking needed
- Compute flexibility to use instances, containers, or serverless
- Request level routing and load balancing to support advanced deployment patterns (blue-green, canary, etc.)
- Fine grained and context specific authorization
- Detailed metrics and access logs for greater visibility
But how?

[Diagram, built in three steps: 1. a VPC in one AWS account; 2. a second VPC in the same account; 3. a VPC in a second AWS account]
What about security controls? Defense in depth?
Network layer controls
Lock down which resources in a VPC can access the service network with security groups

[Diagram: within a VPC, resources in SG-123 reach the service network (✅) while resources in SG-456 are blocked (X)]
Application layer controls
Apply auth policies at the service network and/or the service to enforce “AuthNZ” (authentication and authorization)

[Diagram: an AWS account with two VPCs; one Auth Policy attached to the Service Network and another attached to the Service]
[Diagram: both layers together. Network layer: security group SG-123 on the VPC association. Application layer: auth policies on the service network and on the service]
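The two layers on the preceding slides, as an added toy model (my own code, not the slides' or AWS's): a request must clear the VPC association's security group, then the service network's auth policy, then the service's own auth policy, and the first layer that refuses is reported. Policies use IAM resource-policy syntax; the action name vpc-lattice-svcs:Invoke, the RequestMethod and RequestPath condition keys, the account id, role name and security group ids are all assumptions, not values from the deck.

```python
import fnmatch
ALLOWED_SGS = {"sg-123"}  # the VPC association admits SG-123 only; SG-456 is blocked (constructed)

# Service network auth policy (admin): any principal in account 111122223333 (a constructed
# sample id) may invoke; unauthenticated callers may not.
NETWORK_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "vpc-lattice-svcs:Invoke", "Resource": "*"}]}
# Service auth policy (service owner): the inventory role may only GET /items/*; DELETE is denied to all.
SERVICE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/inventory"},
     "Action": "vpc-lattice-svcs:Invoke", "Resource": "*",
     "Condition": {"StringEquals": {"vpc-lattice-svcs:RequestMethod": "GET"},
                   "StringLike": {"vpc-lattice-svcs:RequestPath": "/items/*"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "vpc-lattice-svcs:Invoke", "Resource": "*",
     "Condition": {"StringEquals": {"vpc-lattice-svcs:RequestMethod": "DELETE"}}}]}

def _principal_matches(stmt, caller):
    # caller is the requester's IAM ARN, or None when the request is unsigned (anonymous)
    principal = stmt["Principal"]
    if principal == "*" or caller is None:
        return principal == "*"
    allowed = principal["AWS"]
    if allowed.endswith(":root"):  # account root stands for every principal in that account
        return caller.split(":")[4] == allowed.split(":")[4]
    return caller == allowed

def _conditions_match(stmt, ctx):
    # Only StringEquals and StringLike (glob) are modelled; a missing context key never matches
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx.get(key, "")
            if not (have == want if op == "StringEquals" else fnmatch.fnmatchcase(have, want)):
                return False
    return True

def evaluate(policy, caller, ctx):
    # IAM order: a matching explicit Deny wins, else a matching Allow, else implicit deny
    hits = [s["Effect"] for s in policy["Statement"]
            if _principal_matches(s, caller) and _conditions_match(s, ctx)]
    return "deny" if "Deny" in hits or "Allow" not in hits else "allow"

def authorize(security_group, caller, method, path):
    # Walk the layers in order; the first layer that refuses is named in the result
    if security_group not in ALLOWED_SGS:
        return "blocked: network layer (security group)"
    ctx = {"vpc-lattice-svcs:RequestMethod": method, "vpc-lattice-svcs:RequestPath": path}
    for name, policy in (("service network", NETWORK_POLICY), ("service", SERVICE_POLICY)):
        if evaluate(policy, caller, ctx) != "allow":
            return f"denied: {name} auth policy"
    return "allowed"
```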
What are some use cases?
Multi-cluster, multi-VPC K8s

[Diagram: two AWS accounts with two VPCs each; how the clusters reach each other is marked "?"]
K8s Gateway API: More than an evolution of ingress
Designed to be generic, expressive, extensible, and role-oriented

[Diagram of the Gateway API resource model and the role that owns each layer: GatewayClass and Gateway (Admin); an HTTPRoute for Service1 (Service1 Owner / Developer) routing to K8s Service1-v1 and K8s Service1-v2, each backed by a K8s Deployment-v1 with Pod1 and Pod2; an HTTPRoute for Service2 (Service2 Owner / Developer) routing to K8s Service2, backed by a K8s Deployment-v1 with Pod1 and Pod2]
Multi-cluster, multi-VPC K8s

[Diagram: two AWS accounts with two VPCs each, connected through VPC Lattice]

Network connectivity ✅
Service discovery ✅
Load balancing and traffic management ✅
Authentication and authorization ✅
Observability ✅

Can this help with cluster upgrades?
Can I shift traffic between clusters? VPCs?
Weighted routing and load balancing

[Diagram: two AWS accounts with two VPCs each; traffic is weighted across targets in different clusters and VPCs]
Mix and match compute targets

[Diagram: two AWS accounts with two VPCs each; a service's targets run on different compute types across the VPCs]
Reduce scope of impact, and limit exposure: “tiny bubbles”
[Diagram, built up over several slides: Service 1, Service 2, and Service 3 run in separate VPCs; the admin shares them through AWS Resource Access Manager, and each VPC then lists all three services]
Sign me up!

Amazon VPC Lattice, for admins and developers

• Simplify service-to-service connectivity at scale
• Enhance application layer security
• Implement advanced traffic management
• Gain visibility into service-to-service interactions

Visit aws.amazon.com/vpc/lattice to learn more and sign up.
Thank you!
Justin Davies: [email protected] | LinkedIn | Twitter: mrjustind@
Sathya Ramaseshan: [email protected] | LinkedIn: sathya-ramaseshan@

Please complete the session survey in the mobile app.