Building a Secure and Scalable Network with AWS Lattice

AWS Lattice: A New AWS Service

Posted by Jonathan Ray Cardenas on June 7, 2023

Introduction

Today, the catalog of cloud services available in AWS has grown significantly and continues to expand. However, some services remain underused, leading organizations to rely on older solutions. Even though these legacy approaches may work, they are not always the simplest or most efficient way to solve modern networking challenges.

One of these challenges is managing the large number of networks within our cloud environments. As organizations transition from monolithic architectures to microservices, they often create multiple VPCs, accounts, and services across different platforms. This increases the complexity of the network, as each option offers a different method for enabling service-to-service communication.

This growing complexity has resulted in developers spending excessive time dealing with networking concerns instead of focusing on business logic and agile iteration. Ideally, network administrators should handle these networking tasks, freeing developers to work on their core responsibilities. This leads to an important question: How can we enable developers to connect to and monitor services without compromising the security controls and auditing capabilities provided by network administrators?

The common approach is to give developers sandbox environments where they can deploy their services within a controlled VPC. However, this often results in inconsistent networking patterns across AWS (Internet Gateway, Transit Gateway, VPC Peering, PrivateLink). For some developers, this can be overwhelming, as it requires knowledge of advanced networking concepts, even though their primary concern is often limited to OSI Layer 7. Meanwhile, administrators—responsible for security—should be focused on Layer 3.

What Alternatives Exist?

To address this challenge, AWS introduced AWS VPC Lattice at re:Invent 2022. This new service integrates directly with VPCs and other AWS services, allowing you to expose HTTP/gRPC services as private links. Instead of relying on ENIs in subnets, VPC Lattice enables you to segment your VPC into “cells,” each with its own security policies and resources.

VPC Lattice automatically manages connectivity between VPCs and accounts. It applies traffic controls such as load balancing, weighted routing, and blue/green deployments. From a security perspective, it enforces IAM-based policies for service-to-service communication.

There are four key components:

  1. Service:
    The application running on an instance, container, or Lambda function. It consists of listeners, rules, and target groups. For example, an HTTP service deployed on an EC2 instance, Lambda, or container—along with its port/path—qualifies as a service.

  2. Service Networks:
    A logical layer used for automatic service discovery, shared access, observability policies, and access controls over groups of services. It offers connectivity across applications using HTTP/HTTPS and gRPC within a VPC.

  3. Authorization Policies:
    IAM-style policies that enforce authentication and authorization for traffic on a service network, working alongside the security groups and NACLs that control access at the network layer. With policy statements and conditions you can allow specific VPCs to consume certain services within VPC Lattice, or restrict access so that only certain developers can call specific methods of specific services.

  4. Service Directory:
    A centralized view of the services you own or that have been shared with you. Using AWS RAM, you can control which accounts or users can communicate with your VPC Lattice services.
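As an added example (not code from the original post, and not AWS's authorization engine), the block below shows what an authorization policy for a VPC Lattice service looks like and checks a few constructed requests against it. The action and condition keys (`vpc-lattice-svcs:Invoke`, `vpc-lattice-svcs:SourceVpc`, `vpc-lattice-svcs:RequestMethod`, `vpc-lattice-svcs:RequestPath`) are the real VPC Lattice ones; the account id, VPC id and role name are constructed placeholders, and the evaluator implements only the subset of IAM semantics this policy uses (explicit Deny wins, otherwise a matching Allow is required).

```python
"""VPC Lattice auth policy with a local, illustrative evaluator.

The policy grants one caller role read access to the /inventory/ paths of a
service, but only from one VPC, and explicitly denies mutating HTTP methods
for everyone. The evaluator below is a teaching aid for IAM's decision
logic (explicit Deny > Allow > implicit Deny); it is not AWS's engine.
"""
import fnmatch

# Constructed placeholders: not real account, VPC or role identifiers.
ORDERS_ROLE = "arn:aws:iam::111122223333:role/orders-service-role"
ORDERS_VPC = "vpc-0123456789abcdef0"

AUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOrdersTeamReadInventory",
            "Effect": "Allow",
            "Principal": {"AWS": ORDERS_ROLE},
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",  # the policy is attached to the service itself
            "Condition": {
                "StringEquals": {"vpc-lattice-svcs:SourceVpc": ORDERS_VPC},
                "StringLike": {"vpc-lattice-svcs:RequestPath": "/inventory/*"},
            },
        },
        {
            # Defence in depth: no principal may call mutating methods.
            "Sid": "DenyMutatingMethods",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "vpc-lattice-svcs:RequestMethod": ["POST", "PUT", "PATCH", "DELETE"]
                }
            },
        },
    ],
}

# Condition operators used by the policy above; values are single-valued
# request context keys, so a list of wanted values means "any of".
OPERATORS = {
    "StringEquals": lambda value, wanted: value == wanted,
    "StringLike": lambda value, wanted: fnmatch.fnmatchcase(value, wanted),
}


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    arns = principal.get("AWS", [])
    arns = [arns] if isinstance(arns, str) else arns
    return "*" in arns or principal_arn in arns


def _conditions_hold(statement, context):
    # Every operator and every key must hold (AND); listed values are OR-ed.
    for operator, clauses in statement.get("Condition", {}).items():
        test = OPERATORS[operator]
        for key, wanted in clauses.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            value = context.get(key)
            if value is None or not any(test(value, w) for w in wanted):
                return False
    return True


def is_invoke_allowed(policy, principal_arn, context):
    """Return (decision, statement id) for a vpc-lattice-svcs:Invoke request.

    An explicit Deny whose principal and conditions match wins immediately;
    otherwise the request needs at least one matching Allow, else it is
    implicitly denied.
    """
    allowed_by = None
    for statement in policy["Statement"]:
        actions = statement["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if "vpc-lattice-svcs:Invoke" not in actions and "*" not in actions:
            continue
        if not _principal_matches(statement, principal_arn):
            continue
        if not _conditions_hold(statement, context):
            continue
        if statement["Effect"] == "Deny":
            return ("Deny", statement["Sid"])
        allowed_by = statement["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", "implicit")


def request_context(method, path, source_vpc):
    """Build the subset of the Lattice request context this policy inspects."""
    return {
        "vpc-lattice-svcs:RequestMethod": method,
        "vpc-lattice-svcs:RequestPath": path,
        "vpc-lattice-svcs:SourceVpc": source_vpc,
    }


if __name__ == "__main__":
    samples = [
        (ORDERS_ROLE, request_context("GET", "/inventory/items", ORDERS_VPC)),
        (ORDERS_ROLE, request_context("GET", "/inventory/items", "vpc-0fedcba9876543210")),
        (ORDERS_ROLE, request_context("POST", "/inventory/items", ORDERS_VPC)),
        (ORDERS_ROLE, request_context("GET", "/admin/users", ORDERS_VPC)),
        ("arn:aws:iam::111122223333:role/other-role", request_context("GET", "/inventory/items", ORDERS_VPC)),
    ]
    for principal, ctx in samples:
        print(principal.rsplit("/", 1)[-1], ctx["vpc-lattice-svcs:RequestMethod"],
              ctx["vpc-lattice-svcs:RequestPath"], "->", is_invoke_allowed(AUTH_POLICY, principal, ctx))
```

Two points worth keeping in mind when writing the real policy: statements that name an IAM principal only match requests the client has signed with SigV4, so unsigned calls are matched only by `"Principal": "*"` statements, and the request path and method conditions are evaluated on each request, so a policy like this one lets the service owner scope access per method without touching any Layer 3 construct.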

Within VPC Lattice, there are two primary roles/responsibilities to consider during implementation:

  • Service Network Administrator (admin):
    Responsible for creating, sharing, and provisioning service networks. This role defines access and monitoring, associates VPCs with service networks, and shares services across networks.

  • Service Owner (developer):
    Responsible for creating the service, defining its exposure and authorization, and associating the service to the service network.

Conclusion

Overall, VPC Lattice bridges the gap between developers and cloud/network administrators by providing role-specific features and capabilities. Developers can focus on building applications—not networks—while cloud and network administrators can improve organizational security through consistent authentication, authorization, and encryption across mixed environments.

Contact Us

Reach out to speak with one of our technical experts: please enter your enquiry below or email us at info@macondotek.com
