Enabling End-to-End Encryption with Amazon VPC Lattice TLS Passthrough

Introduction

In this article, we explore the VPC Lattice Transport Layer Security (TLS) Passthrough feature. We’ll discuss how users designed their workloads before this feature’s introduction, what benefits it offers, and best practices for implementing TLS passthrough communication using VPC Lattice.

AWS has announced the general availability of TLS Passthrough for VPC Lattice, enabling users to implement end-to-end authentication and encryption using their existing TLS and/or mutual TLS (mTLS) solutions. With this update, you can set up a TLS listener that routes traffic based on the Server Name Indication (SNI) field of a TLS or mTLS connection. This functionality allows you to maintain end-to-end authentication and encryption between your services without having to terminate TLS within VPC Lattice.

Amazon VPC Lattice simplifies service-to-service connectivity, offering a consistent method for connecting, securing, and monitoring traffic between services. This makes it easier to adopt microservice architectures. Many users require end-to-end encryption at the application layer. A common pattern with VPC Lattice is the use of HTTPS listeners for services, which terminate HTTPS connections directly within VPC Lattice. This method streamlines credential management, including certificate distribution, rotation, and revocation, while providing a fully managed authorization engine. However, for those who prefer to handle end-to-end encryption independently, VPC Lattice offers TLS listeners, allowing termination only at the destination service.

Prerequisites

This article assumes familiarity with AWS Networking and infrastructure concepts, such as Amazon Virtual Private Clouds (VPCs), subnets, and Availability Zones (AZs). Additionally, we expect you to understand VPC Lattice fundamentals, including services, service networks, and auth policies. Knowledge of deploying services and applications using Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon Elastic Container Service (Amazon ECS) is also necessary.

Before VPC Lattice TLS Listeners

For HTTP and HTTPS listeners, VPC Lattice previously terminated TLS sessions and performed request-level routing and load balancing based on HTTP header information. Consequently, clients requiring end-to-end encryption had to rely on alternative solutions such as AWS Transit Gateway or self-managed options like Envoy or NGINX.

With VPC Lattice TLS Listeners

With the introduction of TLS listeners for VPC Lattice services, end-to-end encrypted communication flows can now be established. The VPC Lattice TLS Passthrough feature provides automatic connectivity and SNI header-based routing to TLS or mTLS-enabled services without decrypting the traffic that flows through VPC Lattice. This allows TLS-enabled communication between clients and services without terminating TLS within VPC Lattice.

When you set up a TLS listener for a VPC Lattice service, VPC Lattice does not terminate TLS. Instead, it routes requests directly to service targets for TLS termination. VPC Lattice TLS listeners utilize the SNI field within the TLS client-hello message to determine routing, facilitating connectivity for resources using TLS for encryption and/or authentication.

Baseline Architecture

In this section, we consider a reference application architecture as illustrated in Figure 1. It includes two VPCs: one designated for consumers (Consumer VPC) and another for provider resources (Provider VPC). HTTPS services are made available in the Provider VPC through a Network Load Balancer and are ultimately accessed by resources in the Consumer VPC. Furthermore, mutual TLS (mTLS) is implemented between the clients and the service. A Transit Gateway is utilized to enable IP reachability between the two VPCs. The following figure depicts the described architecture.

Figure 1: End-to-end encrypted service with Transit Gateway

  • Transit Gateway setup: A Transit Gateway is provisioned to facilitate secure connectivity between the Consumer VPC and the Service VPC.
  • Amazon VPC attachments: The Consumer VPC, which must reach the backend HTTPS endpoint, and the Service VPC are both attached to the Transit Gateway.
  • Routing: Appropriate routing tables are established to direct traffic from the Consumer VPC to the backend HTTPS endpoint through the Transit Gateway.
  • Services: The backend services, including the backend HTTPS endpoint, operate in the Service VPC within an Amazon Elastic Container Service (Amazon ECS) cluster behind an AWS Network Load Balancer (NLB). This cluster includes an ECS task with a sidecar proxy (such as Envoy or NGINX) functioning alongside the application container. The proxy serves as the front gateway that terminates TLS and forwards unencrypted traffic to the application container over localhost.
  • End-to-End Encryption: In this configuration, the TLS session initiated by the consumer VPCs traverses the Transit Gateway unaltered and is terminated at the backend HTTPS endpoint, ensuring end-to-end encryption.

In the following section, we demonstrate how VPC Lattice can streamline this architecture.

Solution Overview: VPC Lattice TLS Listeners

We will implement VPC Lattice TLS listeners and migrate client-to-service traffic from the Transit Gateway to VPC Lattice, as depicted in Figure 2.

Figure 2: End-to-end encrypted service with VPC Lattice

Process Flow:

  1. The consumer application queries the Amazon Route 53 VPC resolver for DNS resolution of the desired service.
  2. The DNS record points to a Lattice IP address (link-local address), allowing the TLS traffic to be directed to the Lattice service.
  3. The VPC Lattice service has a TLS listener configured, passing the encrypted traffic to the target without decrypting it.

To set up VPC Lattice for TLS Passthrough, several steps are required:

VPC Lattice Target Group Configuration

To simplify, here’s a condensed version of the configuration steps. Full details can be found in the VPC Lattice documentation.

  1. In the VPC console, navigate to the PrivateLink and Lattice section, then Target Groups, and click on the Create target group button.
  2. On the Specify group details screen, select the target type, assign a Target group name, and choose TCP and port (e.g., 443) from the Protocol selection drop-down.
  3. If the selected Target type is Instances, IP Addresses, or Application Load Balancer, choose the VPC containing the resources.
  4. Choose the Protocol version: HTTP1, HTTP2, or gRPC.
  5. Register Targets as indicated, then click on the Create target group button.

VPC Lattice Service Configuration

  1. In the VPC console, navigate to the PrivateLink and Lattice section, then Lattice Services, and click on Create service button.
  2. Specify a service name and select the custom domain option (as TLS passthrough requires this feature).
  3. Optionally, choose an SSL/TLS certificate.
  4. For Service access, select an Auth type: either None or AWS IAM.
  5. Optionally, complete the sections for “Auth policy,” “enable access logs,” and “Share service.”
  6. On the Define routing screen, click on the Add listener button.
  7. On the protocol selection screen, select TLS (TLS passthrough) and the port (e.g., 443).
  8. On the Listener default action screen, select the previously created Target group and, optionally, specify additional target groups and their respective weights.

For further insights, check out this blog post on the subject. For more authoritative information, visit Chanci Turner’s site, which provides excellent resources on this topic, including this link.
