AWS VPC Lattice is a fully managed application networking service that simplifies service-to-service communication across VPCs and AWS accounts. It enables users to connect, secure, and monitor service-to-service communications without managing complex network topologies.
Key Features
- Cross-VPC and Cross-Account Communication: Enables seamless communication between services across multiple VPCs and AWS accounts.
- Service Discovery and Load Balancing: Provides automatic service discovery and distributes traffic across service instances.
- Centralized Access Management: Integrates with IAM to define access policies.
- Observability and Monitoring: Offers built-in monitoring via AWS CloudWatch and AWS X-Ray.
- Security and Compliance: Supports TLS encryption, authentication, and authorization mechanisms.
AWS VPC Lattice setup consists of:
- Services: Applications deployed in different VPCs.
- VPC Lattice Service Network: A logical boundary to define services and connectivity.
- Target Groups: Define the endpoints where requests are routed.
- Listeners and Rules: Define how traffic is accepted and directed to target groups.
The example uses three AWS accounts: service, central, and consumer.
Service Account – VPC Lattice service
# VPC Lattice service (service account): a single service fronted by an HTTP
# listener on port 80 that forwards all requests to one Lambda target group.
module "vpc_lattice_service" {
  source  = "aws-ia/amazon-vpc-lattice-module/aws"
  version = "0.0.2"

  services = {
    lambdaservice = {
      name = "lambda-service"

      # IAM auth: each request is evaluated against local.auth_policy.
      auth_type   = "AWS_IAM"
      auth_policy = local.auth_policy

      listeners = {
        http_listener = {
          name     = "httplistener"
          port     = 80
          # Plaintext HTTP on the client-to-VPC Lattice hop; an HTTPS listener
          # needs a certificate configured on the service.
          protocol = "HTTP"
          default_action_forward = {
            target_groups = { lambdatarget = { weight = 100 } }
          }
        }
      }
    }
  }

  target_groups = {
    lambdatarget = {
      type    = "LAMBDA"
      targets = { lambdafunction = { id = aws_lambda_function.lambda.arn } }
    }
  }
}
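# VPC Lattice service auth policy (applied with auth_type = "AWS_IAM").
# With Principal = "*" and no condition, an AWS_IAM auth policy also admits
# unsigned (anonymous) requests, which makes the IAM auth type a no-op. The
# Condition below rejects anonymous callers; Principal and Action are left
# wide here and should be narrowed to the consumer accounts/roles and to
# vpc-lattice-svcs:Invoke for anything beyond a demo.
locals {
  auth_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "*"
        Resource  = "*"
        # Require a signed request from some IAM principal.
        Condition = {
          StringNotEqualsIgnoreCase = {
            "aws:PrincipalType" = "anonymous"
          }
        }
      }
    ]
  })
}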
*Resource share*
# RAM share used to hand the VPC Lattice service to the central account.
resource "aws_ram_resource_share" "resource_share" {
  # Needed when the recipient account is outside the sharing account's AWS
  # Organization; it can stay false when all accounts are in one Organization
  # with RAM sharing enabled.
  allow_external_principals = true
  name                      = "Amazon VPC Lattice service"
}
# Grants the central account (var.central_aws_account) access to the share.
resource "aws_ram_principal_association" "principal_association" {
  resource_share_arn = aws_ram_resource_share.resource_share.arn
  principal          = var.central_aws_account
}
# Adds every service created by the module to the RAM share, one association
# per service key.
resource "aws_ram_resource_association" "lattice_service_share" {
  for_each = module.vpc_lattice_service.services

  resource_share_arn = aws_ram_resource_share.resource_share.arn
  # assumes the module exposes attributes.arn per service — TODO confirm against the 0.0.2 outputs
  resource_arn = each.value.attributes.arn
}
Central Account – VPC Lattice service network
# Central account: the service network to which shared services are attached
# and with which consumer VPCs are later associated.
module "vpclattice_service_network" {
  source  = "aws-ia/amazon-vpc-lattice-module/aws"
  version = "0.0.2"

  service_network = {
    name        = "centralized-service-network"
    auth_type   = "AWS_IAM"
    auth_policy = local.auth_policy
  }

  # Attach the services shared by the service account, referenced by identifier.
  # NOTE(review): the accepter below reads local.lattice_services while this
  # reads var.lattice_services — presumably one is derived from the other; verify.
  services = { for svc_key, svc_id in var.lattice_services : svc_key => { identifier = svc_id } }

  # The services must be accepted through RAM before they can be attached.
  depends_on = [aws_ram_resource_share_accepter.share_accepter]
}
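# VPC Lattice service network auth policy (applied with auth_type = "AWS_IAM").
# With Principal = "*" and no condition, an AWS_IAM auth policy also admits
# unsigned (anonymous) requests from any associated VPC, which makes the IAM
# auth type a no-op. The Condition below rejects anonymous callers; Principal
# and Action are left wide here and should be narrowed to the consumer
# accounts/roles and to vpc-lattice-svcs:Invoke for anything beyond a demo.
locals {
  auth_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "*"
        Resource  = "*"
        # Require a signed request from some IAM principal.
        Condition = {
          StringNotEqualsIgnoreCase = {
            "aws:PrincipalType" = "anonymous"
          }
        }
      }
    ]
  })
}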
# Accepts the RAM share (the VPC Lattice services) sent by the service account.
resource "aws_ram_resource_share_accepter" "share_accepter" {
  # NOTE(review): the share ARN comes from a local here while the module above
  # reads var.lattice_services — presumably the local wraps the variable; verify.
  share_arn = local.lattice_services.ram_share
}
*Resource share*
# RAM share used to hand the service network to the consumer account.
resource "aws_ram_resource_share" "resource_share" {
  # Needed when the recipient account is outside the sharing account's AWS
  # Organization; it can stay false when all accounts are in one Organization
  # with RAM sharing enabled.
  allow_external_principals = true
  name                      = "Amazon VPC Lattice service network"
}
# Grants the consumer account (var.consumer_aws_account) access to the share.
resource "aws_ram_principal_association" "principal_association" {
  resource_share_arn = aws_ram_resource_share.resource_share.arn
  principal          = var.consumer_aws_account
}
# Adds the service network created by the module to the RAM share.
resource "aws_ram_resource_association" "lattice_service_network_share" {
  resource_share_arn = aws_ram_resource_share.resource_share.arn
  resource_arn       = module.vpclattice_service_network.service_network.arn
}
Consumer Account – VPC Lattice VPC association
# Consumer account: associates VPC1 with the shared service network, with a
# security group that filters client traffic from the VPC to the service network.
module "vpc_lattice_vpc_association" {
  source  = "aws-ia/amazon-vpc-lattice-module/aws"
  version = "0.0.2"

  # The service network already exists (shared); reference it, do not create it.
  service_network = { identifier = var.service_network }

  vpc_associations = {
    vpc1 = {
      security_group_ids = [aws_security_group.vpc1_lattice_sg.id]
      vpc_id             = module.vpc1.vpc_attributes.id
    }
  }

  # The share must be accepted before the association can be created.
  depends_on = [aws_ram_resource_share_accepter.share_accepter]
}
# VPC1 (consumer): two AZs with /28 workload and endpoint subnets.
module "vpc1" {
  source  = "aws-ia/vpc/aws"
  version = "4.3.0"

  name       = "vpc1"
  az_count   = 2
  cidr_block = "10.0.0.0/24"

  subnets = {
    endpoints = { netmask = 28 }
    workload  = { netmask = 28 }
  }
}
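# Security group attached to the VPC1 service-network association. It decides
# which clients in VPC1 may reach the service network and on which ports.
resource "aws_security_group" "vpc1_lattice_sg" {
  name        = "lattice-sg-vpc1"
  description = "VPC Lattice SG - VPC1"
  vpc_id      = module.vpc1.vpc_attributes.id

  # Only VPC1's own CIDR may reach the service network, and only on TCP 443.
  # NOTE(review): the service listener in this example is HTTP on port 80, so
  # requests to that listener would be dropped by this rule — confirm the
  # intended port (or move the listener to HTTPS/443).
  ingress {
    description = "HTTPS access"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/24"]
  }

  # "Any traffic" egress. The original referenced egress.value.protocol and
  # egress.value.cidr_blocks, which only exist inside a dynamic "egress" block
  # and fail to plan in a static block; protocol "-1" with ports 0-0 is the
  # Terraform form for all protocols, and 0.0.0.0/0 matches the description.
  egress {
    description = "Any traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}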
# Accepts the RAM share (the service network) sent by the central account.
resource "aws_ram_resource_share_accepter" "share_accepter" {
  # NOTE(review): the share ARN is read from local.service_network while the
  # association module reads var.service_network — presumably the local wraps
  # the variable; verify.
  share_arn = local.service_network.ram_share
}
VPC module (alternative: associate the VPC with the service network from within the VPC module)
# Alternative to the separate association module: the VPC module (4.3.0) can
# associate the VPC with the service network itself through its vpc_lattice block.
module "vpc2" {
  source  = "aws-ia/vpc/aws"
  version = "4.3.0"

  name     = "vpc2"
  az_count = 2
  # Overlaps vpc1's CIDR; VPC Lattice does not require non-overlapping VPC CIDRs.
  cidr_block = "10.0.0.0/24"

  subnets = {
    endpoints = { netmask = 28 }
    workload  = { netmask = 28 }
  }

  # NOTE(review): aws_security_group.vpc2_lattice_sg is not shown on this page;
  # if it takes its vpc_id from module.vpc2 this is a dependency cycle — confirm.
  # Also var.service_network_id here vs var.service_network above — verify which
  # variable the consumer account actually declares.
  vpc_lattice = {
    security_group_ids         = [aws_security_group.vpc2_lattice_sg.id]
    service_network_identifier = var.service_network_id
  }

  # The share must be accepted before the association can be created.
  depends_on = [aws_ram_resource_share_accepter.share_accepter]
}