Learn About Amazon VGT2 Learning Manager Chanci Turner
In this article, we look at how to connect on-premises and external services to Amazon VPC Lattice. We discuss the architectural considerations and requirements for bringing in consumers from a trusted environment (on premises), from untrusted sources (third parties), and from other AWS Regions. We then present a solution that uses Elastic Load Balancing (ELB) in front of a fleet of serverless web proxies to provide this connectivity.
Overview
Amazon VPC Lattice is an application networking service that simplifies connecting, monitoring and securing communication between your services, removing much of the complexity of application-to-application networking. Within an Amazon Virtual Private Cloud (VPC), connecting applications through VPC Lattice is straightforward: as a service owner, you create a VPC Lattice service that represents compute endpoints such as AWS Lambda functions, Amazon EKS, Auto Scaling groups, Application Load Balancers or plain IP targets in the account and VPC you control. You then publish that service in a VPC Lattice Service Network by associating it, and you can share it with other AWS accounts through AWS Resource Access Manager (RAM). For a consumer of the service, it is enough that its VPC is associated with the Service Network in which the service is published. Once that association exists, service discovery works through Amazon Route 53 (R53), and VPC Lattice handles all connectivity and discovery inside the VPC.
A common question is why a VPC Lattice service cannot be reached from outside the VPC. The answer lies in how discovery and connectivity work. When you create a VPC Lattice service it receives a globally unique DNS name. That name resolves from anywhere, inside or outside the VPC, but the answers are addresses in the IPv4 link-local and IPv6 unique-local ranges that VPC Lattice reserves for its endpoints (169.254.171.0/24 and fd00:ec2:80::/64), and those ranges are not routable outside a VPC. Inside a VPC that is associated with the Service Network, packets sent to these addresses are delivered to the VPC Lattice ingress endpoint, and the egress endpoint in the service owner's VPC opens the connection to the target group. Outside such a VPC nothing answers on those addresses, so the name resolves but the connection fails.
Architectural Considerations
Discovery and Targets
VPC Lattice service names are globally unique and resolve from anywhere, each to a set of link-local addresses. The generated name can be used directly, but most teams prefer a name of their own. VPC Lattice supports custom domain names for this, which keeps naming simple and lets you control resolution through an additional DNS layer. For instance, a VPC Lattice service name like:
myservice-02628e33.7d67968.vpc-lattice-svcs.us-west-2.on.aws
could be represented as a more user-friendly domain, such as:
example.com
With a CNAME record you can point external consumers at an ELB, such as a Network Load Balancer (NLB), that fronts the path into the Service Network. One caveat: DNS does not permit a CNAME at a zone apex, so for a bare domain like example.com you need a Route 53 alias record (or a subdomain such as api.example.com) rather than a CNAME.
For external consumers, the path looks like this (the first arrow is a DNS answer, the NLB name resolves to public addresses, and the last arrow is the upstream connection opened by the proxy fleet behind the NLB, not a further DNS record):
- example.com (CNAME)
- → nlb-long-name.elb.us-west-2.amazonaws.com
- → myservice-02628e33.7d67968.vpc-lattice-svcs.us-west-2.on.aws
External consumers therefore connect through a friendly name that lands on the NLB. The proxies behind it sit in a VPC associated with the Service Network, resolve the VPC Lattice name and open the upstream connection, so the NLB and proxy fleet together act as a reverse proxy.
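As an added example (not code from the original article), the following Python walks a CNAME chain like the one above over constructed records and classifies the resulting addresses, so you can tell from the answers alone whether a name is reachable from outside an associated VPC. The record set, the NLB addresses and the helper names are made up for illustration; the two VPC Lattice address ranges are the ones AWS documents.

```python
import ipaddress

# Address ranges VPC Lattice answers with for service names (IPv4 link-local
# and IPv6 unique-local), as documented by AWS. They are reachable only from
# inside a VPC associated with the Service Network.
LATTICE_RANGES = [
    ipaddress.ip_network("169.254.171.0/24"),
    ipaddress.ip_network("fd00:ec2:80::/64"),
]

LATTICE_NAME = "myservice-02628e33.7d67968.vpc-lattice-svcs.us-west-2.on.aws"

# Constructed stand-in for Route 53 answers. The NLB addresses are made up.
RECORDS = {
    "api.example.com": {"cname": "nlb-long-name.elb.us-west-2.amazonaws.com"},
    "nlb-long-name.elb.us-west-2.amazonaws.com": {"addrs": ["52.10.20.30", "52.10.20.31"]},
    LATTICE_NAME: {"addrs": ["169.254.171.32", "fd00:ec2:80::1"]},
}


def is_lattice_endpoint(addr):
    """True if the address is one VPC Lattice hands out for a service name."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LATTICE_RANGES)


def reachable_from_outside(addrs):
    """True if at least one answer is a globally routable address."""
    return any(ipaddress.ip_address(a).is_global for a in addrs)


def resolve(name, records, max_hops=8):
    """Follow CNAMEs until address records are found; return (chain, addrs).
    Raises LookupError on a dangling name, a loop or an over-long chain,
    which is how a misconfigured custom domain usually shows up."""
    chain = [name]
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            raise LookupError(f"no record for {name}")
        if "cname" in rec:
            name = rec["cname"]
            if name in chain:
                raise LookupError("CNAME loop: " + " -> ".join(chain + [name]))
            chain.append(name)
            continue
        return chain, list(rec["addrs"])
    raise LookupError(f"CNAME chain longer than {max_hops} hops")


def apex_cname_problem(name, records, zone_apex):
    """DNS forbids a CNAME at the zone apex; Route 53 alias records exist for that case."""
    rec = records.get(name)
    return name == zone_apex and rec is not None and "cname" in rec


def check_name(name, records, zone_apex="example.com"):
    """Summarise what a consumer outside the VPC would get for `name`."""
    if apex_cname_problem(name, records, zone_apex):
        return {"error": "CNAME at zone apex is not valid DNS; use an alias record"}
    try:
        chain, addrs = resolve(name, records)
    except LookupError as exc:
        return {"error": str(exc)}
    return {
        "chain": chain,
        "addresses": addrs,
        "lattice_only": all(is_lattice_endpoint(a) for a in addrs),
        "externally_reachable": reachable_from_outside(addrs),
    }


if __name__ == "__main__":
    for n in ("api.example.com", LATTICE_NAME):
        print(n, check_name(n, RECORDS))
```

Running it shows the friendly name ending at public NLB addresses (reachable), while the raw VPC Lattice name resolves only to link-local and unique-local addresses (not reachable from outside), which is exactly the behaviour the question above is about.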
Layer 4 or 7?
When deciding how to proxy connections from external consumers into the VPC, consider how much the proxy needs to understand about the traffic. A layer 4 (transport) proxy forwards TCP byte streams and needs no knowledge of the application protocol; a layer 7 (application) proxy terminates HTTP, handles request and connection management, and can inspect or rewrite requests. The difference matters most with TLS. A layer 4 proxy can pass TLS through untouched, routing at most on the plaintext SNI in the ClientHello, so the session stays end to end and the VPC Lattice service must present the certificate for the custom domain. A layer 7 proxy that terminates TLS must hold the private key for the custom domain, and then opens its own connection toward VPC Lattice; it also has to send a Host header that VPC Lattice accepts, that is, the service's generated name or its configured custom domain.
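To make the layer 4 versus layer 7 distinction concrete, here is an added Python example (not part of the original article) that shows what each kind of proxy can and cannot do with a request bound for a VPC Lattice service. The layer 4 path extracts the SNI from a TLS ClientHello without any key and forwards the bytes unchanged; the layer 7 path assumes TLS has already been terminated and rewrites the HTTP headers, setting Host to the VPC Lattice service name. The routing table, the ClientHello builder and the header values are constructed for illustration.

```python
import struct

LATTICE_NAME = "myservice-02628e33.7d67968.vpc-lattice-svcs.us-west-2.on.aws"

# Constructed routing table: custom domain seen in SNI -> VPC Lattice service name.
ROUTES = {"api.example.com": LATTICE_NAME}

# Hop-by-hop headers a layer 7 proxy must not forward unchanged (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def build_client_hello(server_name):
    """Minimal TLS 1.2-style ClientHello carrying an SNI extension (constructed input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                 # version + zeroed (fake) random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None.
    Only plaintext handshake fields are read, so a layer 4 proxy can route
    on this without holding any private key."""
    try:
        if record[0] != 0x16:                                    # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                        # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # version + random
        pos += 1 + body[pos]                                     # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher suites
        pos += 1 + body[pos]                                     # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                                       # server_name extension
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def route_passthrough(first_bytes, routes):
    """Layer 4: pick the upstream from SNI alone and hand the bytes on untouched.
    TLS stays end to end, so the VPC Lattice service must present a certificate
    for the custom domain, and the proxy cannot add or change any header."""
    upstream = routes.get(extract_sni(first_bytes))
    return None if upstream is None else (upstream, first_bytes)


def rewrite_for_lattice(headers, lattice_name, client_ip):
    """Layer 7: TLS was terminated here (the proxy holds the custom domain's key),
    so the request can be edited. VPC Lattice routes on Host, which must match
    the service's generated name or its configured custom domain."""
    out, forwarded = {}, None
    for key, value in headers.items():
        lowered = key.lower()
        if lowered in HOP_BY_HOP or lowered == "host":
            continue
        if lowered == "x-forwarded-for":
            forwarded = value
            continue
        out[key] = value
    out["Host"] = lattice_name
    out["X-Forwarded-For"] = f"{forwarded}, {client_ip}" if forwarded else client_ip
    return out


if __name__ == "__main__":
    hello = build_client_hello("api.example.com")
    print("L4 route:", route_passthrough(hello, ROUTES)[0])
    print("L7 headers:", rewrite_for_lattice(
        {"Host": "api.example.com", "Connection": "keep-alive"}, LATTICE_NAME, "198.51.100.7"))
```

The two paths make the trade-off visible: the passthrough proxy never sees anything but the SNI, so it cannot authenticate the client or add headers, while the terminating proxy can do both but becomes a holder of the private key and a place where plaintext exists.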
Traditional Ingress Methods?
Should you keep a separate ingress pattern for each AWS service behind your VPC Lattice setup, or build one centralized entry point? The decision usually balances cost, complexity, operations and features. Many of the compute targets behind your VPC Lattice services already have an ingress pattern of their own: to expose an AWS Lambda function publicly you might use an ALB or Amazon API Gateway, while an EC2 instance may need only a load balancer. Doing this per service, however, quickly leaves you with many ingress paths to secure and operate.