Last year's re:Invent brought a lot of amazing updates to the big family of AWS services. In this blog post, I would like to explain one such new offering — Amazon VPC Lattice — an exciting new service that simplifies the networking layer for developers and cloud administrators.
What is Lattice
So what exactly is Amazon VPC Lattice? It is an application layer networking service that enables consistent and secure service-to-service communication without the need for prior networking expertise. With VPC Lattice, you can easily configure network access, traffic management, and network monitoring, making service-to-service communication seamless across VPCs and accounts, irrespective of the underlying compute type.
How it helps
VPC Lattice helps address several use cases, including connecting services at scale, implementing granular access permissions, advanced traffic controls, and observing service-to-service interactions. The service offers connectivity over HTTP/HTTPS and gRPC protocols through a dedicated data plane within VPC. Administrators can use AWS Resource Access Manager (AWS RAM) to control which accounts and VPCs can establish communication through a service network.
What's more, VPC Lattice is designed to be non-invasive and work alongside existing architecture patterns, allowing development teams across your organization to onboard their services incrementally.
How it works
VPC Lattice introduces four key components: Service, Service Directory, Service Network, and Auth Policy. These components simplify how users enable connectivity and apply standard policies to a collection of services. Service networks can be shared across accounts with AWS RAM and associated with VPCs to allow connectivity to a group of services.
Here is the diagram that illustrates the use of Amazon VPC Lattice and the Service Network Manager to create a service network, define policies, and share cross-account access.
The Service Network Manager subset at the top consists of four icons representing the process flow:
1️⃣ The first step involves creating a service network by choosing a name and authentication type.
2️⃣ The second step consists in defining access and monitoring by setting and managing access policies and selecting log destinations.
3️⃣ The third step involves associating clients and services, allowing resources in associated VPCs to access the services associated with the service network.
4️⃣ The fourth step consists in adding specific services or service networks to AWS RAM shares to facilitate cross-account access.
The Service Owner subset at the bottom consists of three steps:
1️⃣ The first step involves creating a service by identifying the service and defining access and monitoring.
2️⃣ The second step consists in defining routing by adding listeners and rules that point to the target groups that host the service.
3️⃣ The third step consists in selecting the service networks from which the service receives traffic.
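The seven steps above, as an added example written for this post (not code from AWS or the original article), expressed as AWS CLI calls: the network and the service both use auth type AWS_IAM, and the auth policy attached in the manager's second step admits only IAM principals from our own organization calling from one named VPC. The org ID, VPC IDs, account ID and names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: VPC Lattice service network + service with a least-privilege
# auth policy. All IDs below are constructed placeholders, not real resources.
set -eu

ORG_ID="o-examplexyz"                 # placeholder: aws:PrincipalOrgID to trust
CONSUMER_VPC="vpc-0123456789abcdef0"  # placeholder: VPC whose clients may call
PROVIDER_VPC="vpc-0fedcba9876543210"  # placeholder: VPC hosting the targets
CONSUMER_ACCOUNT="111122223333"       # placeholder: account receiving the RAM share

# Manager step 2: the auth policy. "Principal":"*" plus aws:PrincipalOrgID means
# only SigV4-signed requests from principals in our org match; unsigned callers
# never satisfy the condition, so with auth type AWS_IAM they are denied.
build_auth_policy() {
  local service_arn="$1" org_id="$2" source_vpc="$3"
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",
 "Action":"vpc-lattice-svcs:Invoke","Resource":"${service_arn}",
 "Condition":{"StringEquals":{"aws:PrincipalOrgID":"${org_id}",
 "vpc-lattice-svcs:SourceVpc":"${source_vpc}",
 "vpc-lattice-svcs:RequestMethod":"GET"}}}]}
EOF
}

# Provisions everything; needs AWS credentials. Run as: ./lattice.sh apply
apply() {
  # Manager step 1: service network that requires IAM-authenticated requests
  local sn_arn; sn_arn=$(aws vpc-lattice create-service-network --name payments-net \
      --auth-type AWS_IAM --query arn --output text)
  # Owner step 1: the service itself, also IAM-authenticated
  local svc_arn; svc_arn=$(aws vpc-lattice create-service --name payments \
      --auth-type AWS_IAM --query arn --output text)
  # Manager step 2: attach the policy built above to the service
  aws vpc-lattice put-auth-policy --resource-identifier "$svc_arn" \
      --policy "$(build_auth_policy "$svc_arn" "$ORG_ID" "$CONSUMER_VPC")"
  # Owner step 2: IP target group in the provider VPC + HTTPS listener forwarding to it
  local tg; tg=$(aws vpc-lattice create-target-group --name payments-tg --type IP \
      --config "vpcIdentifier=$PROVIDER_VPC,port=8443,protocol=HTTPS" --query id --output text)
  aws vpc-lattice create-listener --service-identifier "$svc_arn" --name https \
      --protocol HTTPS --port 443 \
      --default-action "forward={targetGroups=[{targetGroupIdentifier=$tg,weight=100}]}"
  # Owner step 3 and manager step 3: associate the service and the consumer VPC
  aws vpc-lattice create-service-network-service-association \
      --service-identifier "$svc_arn" --service-network-identifier "$sn_arn"
  aws vpc-lattice create-service-network-vpc-association \
      --service-network-identifier "$sn_arn" --vpc-identifier "$CONSUMER_VPC"
  # Manager step 4: share the service network with another account via AWS RAM
  aws ram create-resource-share --name payments-net-share \
      --resource-arns "$sn_arn" --principals "$CONSUMER_ACCOUNT"
}
if [ "${1:-}" = "apply" ]; then apply; fi
```

Tighten or relax the policy by editing the Condition block; dropping the RequestMethod key, for instance, allows all HTTP methods while still restricting callers to the org and source VPC.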
Pricing
There are three factors that compose the price of VPC Lattice:
- number of provisioned services
- traffic volume to and from each service
- number of requests each service receives
You can see the detailed and current price list on the service's pricing page, but here is an example:
You provision a service network in the US East (N. Virginia) Region and associate 100 services to it. In a month, each service processes 100 GB of data at 200,000 requests per hour. In this example, we calculate your charges as follows (all prices shown in USD):
Monthly hourly charges:
You pay $0.025 per hour for each service in US East (N. Virginia)
We assume that a month equals 730 hours (8,760 hours in a year/12 months = 730 hours per month)
100 services * $0.025 per hour * 730 hours = $1,825.00 per month
Win-win for Ops and Developers
Overall, VPC Lattice bridges the gap between developers and cloud administrators by providing role-specific features and capabilities. Developers can focus on building applications, not networks, while cloud and network administrators can increase their organization's security posture by enabling authentication, authorization, and encryption consistently across mixed computing environments.
Currently, Amazon VPC Lattice is in Preview in the US West (Oregon) region. I'm excited to see how VPC Lattice will shape the future of networking and make it even easier for developers to build complex applications. 🚀
Some additional resources to learn more about Lattice:
Presentation at re:Invent 2022
A blog post at AWS with examples: Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication
Top comments (2)
The promise is here but the price is very high:
Transit Gateway:
VPC Lattice:
I've added the pricing explanation to the article! Thanks for catching that!